Posts by Matt Hand

Hypervisor Detection with SystemHypervisorDetailInformation
Reversing how Windows gets hypervisor information
Sep 15, 2023

CVE-2023-28072: Local Privilege Escalation in Alienware Command Center
Background
Sep 1, 2023

Hang Fire: Challenging our Mental Model of Initial Access
For as long as I’ve been working in security, initial access has generally looked the same. While there are high degrees of variation…
Jun 16, 2022

Formalized Curiosity
I grew up as an insanely curious kid. My parents have seemingly endless numbers of stories of me taking things apart and trying to put them…
Oct 25, 2021

Life is Pane: Persistence via Preview Handlers
Using shell preview handlers for privileged persistence
Oct 21, 2021

Adventures in Dynamic Evasion
Most teams I have worked with rely heavily on anecdotal evidence when it comes to evasion. If an operator is asked why they chose a…
Dec 7, 2020

CVE-2020-14979: Local Privilege Escalation in EVGA PrecisionX1
A few weeks ago, I reported a Local Privilege Escalation (LPE) affecting versions earlier than 1.0.7 of EVGA’s Precision X1 performance software. This…
Aug 12, 2020

Methodology for Static Reverse Engineering of Windows Kernel Drivers
Introduction
Apr 15, 2020

Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver
Mimikatz provides the opportunity to leverage kernel mode functions through the included driver, Mimidrv. Mimidrv is a signed Windows…
Jan 13, 2020

Shhmon — Silencing Sysmon via Driver Unload
Sysmon is an incredibly powerful tool to aid in data collection beyond Windows’ standard event logging capabilities. It presents a…
Sep 18, 2019