Blog post detailing Sysmon's file delete event internals and escalation to kernel code execution has been published here: undev.ninja/sysmon-internals…. PoC code uploaded here: github.com/NtRaiseHardError/….
Affected versions: v11.0 and above.
We all know Sysmon has many great features. But did you know, there is a hidden one that allows you to execute code in the kernel? Here's an example that disables lsass.exe's PPL! Many thanks to @SBousseaden for verifying.
Our tool to spot vulnerable code patterns in binary executables (CWEs) just joined the Twitterverse to celebrate the integration of #Ghidra as an available backend in its new release v0.4! Go check it out 😎
Version 0.4 of the cwe_checker was released just a few days ago.
Highlight of the release is the new Ghidra backend, which can be used as an alternative to the old BAP backend.
Check it out on github.com/fkie-cad/cwe_chec…
I made my own mini-site/blog to share my research, ideas, etc. :) Let's see if I stick to it :)
smelly.wtf/
(note: I tweeted about this yesterday but was having minor technical issues lol shameless retweet)