Red team guy at @SpecterOps | Aut viam inveniam aut faciam

USA
Joined June 2010
Just released a post detailing a methodology for analyzing Windows drivers. My goal is to lower the barrier to entry for finding exploitable driver vulnerabilities through static reversing. posts.specterops.io/methodol…
Matt Hand retweeted
We've noted our findings after a couple of years auditing #Windows #Defender Attack Surface Reduction events. Hopefully it will help anyone considering block mode. Being able to use the credential stealing/lsass rule was the surprise for me. medium.com/palantir/microsof…
Matt Hand retweeted
Introduction episode coming January 11th, with @jaredcatkinson and @jsecurity101 hosting, and @v3r5ace as producer. This will be available wherever you listen to podcasts. We are all excited to start getting content out to you, drop a follow to keep updated!
Replying to @byt3bl33d3r
Yep! For example, Sysmon is registered at 385201, which is one of the ways that Shhmon locates it in case the default name has changed. While these altitudes are registered with MSFT, they aren't enforced. The mini filter can be moved to a different altitude that isn't taken.
It's also worth noting that these are just the minifilters and not the primary kernel drivers used by EDRs.
Matt Hand retweeted
A very quick note on detecting hooked syscalls ired.team/offensive-security… Thanks to @matterpreter 👊
Replying to @spotheplanet
Great work as always! 🍻
Matt Hand retweeted
All video and slide content from SO-CON 2020 has been posted to our website. Check them out: specterops.io/so-con2020 Also, YouTube playlist link: invidious.snopyta.org/playlist?list=PL… Thank you again to all of the attendees!