Most teams I have worked with rely heavily on anecdotal evidence when it comes to evasion. If an operator is asked why they chose a technique over another, the most common response I have heard is “ because it worked last time.” In situations where we are encountering a new defensive solution, we use our past experiences combined with best practices and hope we land, but ultimately it is a shot in the dark.

Even some pretty prolific groups are using this same tactic. Source:

While this is a valid approach to solving the problem, there is definitely room for improvement. For example, if our process is to rely heavily on…

A few weeks ago, I reported a Local Privilege Escalation (LPE)affecting version <1.0.7 of EVGA’s Precision X1 performance software. This vulnerability was patched in version 1.0.7.

Vulnerability Details

While looking at the services created by the application, I noticed that a driver service, “WinRing0_1_2_0,” was started on the system and correlated to the driver file C:\Program Files\EVGA\WinRing0\WinRing0x64.sys. This driver is a third party component developed by OpenLibSys and is included in the OpenHardwareMonitor library. This driver is signed by EVGA to allow loading on modern Windows systems.

This driver creates a device object on the system which all users can access due…


Attacks against Windows kernel mode software drivers, especially those published by third parties, have been popular with many threat groups for a number of years. Popular and well-documented examples of these vulnerabilities are the CAPCOM.sys arbitrary function execution, Win32k.sys local privilege escalation, and the EternalBlue pool corruption. Exploiting drivers offers interesting new perspectives not available to us in user mode, both through traditional exploit primitives and abusing legitimate driver functionalities.

As Windows security continues to evolve, exploits in kernel mode drivers will become more important to our offensive tradecraft. To aid in the research of these vulnerabilities, I felt it…

Mimikatz provides the opportunity to leverage kernel mode functions through the included driver, Mimidrv. Mimidrv is a signed Windows Driver Model (WDM) kernel mode software driver meant to be used with the standard Mimikatz executable by prefixing relevant commands with an exclamation point (!). Mimidrv is undocumented and relatively underutilized, but provides a very interesting look into what we can do while operating at ring 0.

The goals of this post is to familiarize operators with the capability that Mimidrv provides, put forth some documentation to be used as a reference, introduce those who haven’t had much time working with…

Sysmon is an incredibly powerful tool to aide in data collection beyond Windows’ standard event logging capabilities. It presents a significant challenge for us as attackers as it has the ability to detect many indicators that we generate during operations, such as process creation, registry changes, file creation, among many other things.

Sysmon is comprised of 2 main pieces — a system service and a driver. The driver provides the service with information which is processed for consumption by the user. …

With the rise in offensive .NET, particularly C#, tooling, we are seeing a great expansion in operational capability, especially with regards to running our code in memory (e.g. Cobalt Strike’s execute-assembly). While C# provides a great deal of functionality on the surface, sometimes we need to leverage functions of the operating system not readily accessible from managed code. Thankfully, .NET offers and integration with the Windows API through a technology called Platform Invoke, or P/Invoke for short.

Why P/Invoke?

Consider this common situation: you need to allocate memory in your current process to copy in shellcode and then create a new thread…

Imported from my old blog at

I’m really only writing this to save someone some time on an engagement and since there’s nothing detailed on the topic out there.

Today I was working and came across TCP port 8192, which I’ve seen a million times, and decided to poke it a little bit. This port, as well as 8193 and 8194, are known to be associated with Sophos so I figured it might be at least a little bit of information disclosure.

According to Sophos, “Port 8192 (TCP) is used to provide the connecting client (message router) with information…

Matt Hand

I like red teaming, picking up heavy things, and burritos. Adversary Simulation @ SpecterOps.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store