Red Team & Offensive Research. Tweets are my own.

Joined May 2009
After being able to divert EDR telemetry to private infrastructure, I wanted to find collection-based blind spots and assess anti-tampering protections. So I wrote this to get a better idea of collection sources and whether disabling them could trigger detection from the sensor.
Jackson T. retweeted
PoC using signed vulnerable driver to remove process creation callbacks to blind all EDRs on the system. Building on great work by @gentilkiwi @mattifestation @_xpn_ @Jackson_T @Kharosx0 @SpecterOps @FuzzySec Writeup and sample code tomorrow.
Want to see what EDR sensors see when you practice attacks and develop bypasses, without tipping off defenders? I'm starting a new series on reversing and evading EDRs, with a paper on how to divert telemetry to private infrastructure. Check it out! jackson-t.ca/edr-reversing-e…
Future posts will elaborate on techniques for blending in, blind spot abuse, and sensor tampering, so stay tuned!
Hi
-New paper: NINA: x64 Process Injection by @0x00dtm
-New paper: GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections by @TheXC3LL
-New paper: Covert Data Persistence with Windows Registry Keys by @Jackson_T
vxug.fakedoma.in/papers.html
1luv
Awesome work by @RtlMateusz and @am0nsec!
.@am0nsec and I (@RtlMateusz) present Hell's Gate: Dynamically extracting and invoking syscalls from NTDLL or other in-memory modules vxug.fakedoma.in/papers/hell… In the event of DNS errors: a.tmp.ninja/wJQUKWoOgnzq.pdf Thanks to @silascutler and @Myrtus0x0 for reviewing this paper.
Posted a more subtle way of hiding data within the registry. It avoids detection from RegHide because it leverages class attributes instead of null characters. This can be useful for persisting malware configurations, encryption keys, modules, etc. jackson-t.ca/registry-data-p…