I grew up as an insanely curious kid. My parents have seemingly endless numbers of stories of me taking things apart and trying to put them back together (sorry about the lawnmower, dad). There’s something about solving puzzles that has always captivated me.

As I got older and entered the…

This post was written together with Emily Leidy

People can have some strong preferences about how their files are laid out in Explorer. Some like the compact Details view. Others like the descriptive Content view with the Details pane. Some insane people even use Small Icons 😱. …

Most teams I have worked with rely heavily on anecdotal evidence when it comes to evasion. If an operator is asked why they chose a technique over another, the most common response I have heard is “ because it worked last time.” …

A few weeks ago, I reported a Local Privilege Escalation (LPE) affecting version <1.0.7 of EVGA’s Precision X1 performance software. This vulnerability was patched in version 1.0.7.

Vulnerability Details

While looking at the services created by the application, I noticed that a driver service, “WinRing0_1_2_0,” was started on the system and correlated to…

Introduction

Attacks against Windows kernel mode software drivers, especially those published by third parties, have been popular with many threat groups for a number of years. Popular and well-documented examples of these vulnerabilities are the CAPCOM.sys arbitrary function execution, Win32k.sys local privilege escalation, and the EternalBlue pool corruption. …

Mimikatz provides the opportunity to leverage kernel mode functions through the included driver, Mimidrv. Mimidrv is a signed Windows Driver Model (WDM) kernel mode software driver meant to be used with the standard Mimikatz executable by prefixing relevant commands with an exclamation point (!). …

Sysmon is an incredibly powerful tool to aid in data collection beyond Windows’ standard event logging capabilities. …

With the rise in offensive .NET tooling, particularly C#, we are seeing a great expansion in operational capability, especially with regard to running our code in memory (e.g. Cobalt Strike’s execute-assembly). While C# provides a great deal of functionality on the surface, sometimes we need to leverage functions of the…

Imported from my old blog at matterpreter.com

I’m really only writing this to save someone some time on an engagement and since there’s nothing detailed on the topic out there.

Today I was working and came across TCP port 8192, which I’ve seen a million times, and decided to poke…

Matt Hand

I like red teaming, picking up heavy things, and burritos. Adversary Simulation @ SpecterOps. github.com/matterpreter
