31ric - 1bluebass

EDRKillShifter

Posted on 2024-11-012024-10-27 by tmack

“EDRKillShifter” is a type of malware specifically designed to disable Endpoint Detection and Response (EDR) security software on a system, allowing attackers to carry out malicious activities like deploying ransomware without detection; it is considered a sophisticated tool often used by cybercriminals to evade security measures. Key points about EDRKillShifter: Function: Its primary purpose is Read More …

New Video – Assembly Primer For Hackers – Hello World

Posted on 2024-10-312024-10-27 by tmack

This is new video I found some time ago, when I was entertaining the thought of getting the OSCP. Assembly Primer For Hackers – Hello World

How to change user agent in nmap

Posted on 2024-10-272024-10-27 by tmack

NMAP How to change user agent You can find the default value in /usr/share/nmap/nselib/http.lua (At the beginning of the file, a couple of lines after the comments) local USER_AGENT = stdnse.get_script_args(‘http.useragent’) or “Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)” You can change the value with this line local USER_AGENT = stdnse.get_script_args(‘http.useragent’) or “Mozilla/5.0 (compatible; MSIE 9.0; Read More …

Looking at Attack Surface Mapping

Posted on 2024-10-162024-03-11 by tmack

Hot Take Incomming……. Warning…… I am going to come right out and say it, and it will sound completely arrogant, but I think the majority of Attack Surface Mapping vendors out there are doing it wrong. ASM for those who are new to blogs like these, stands for Attack Surface Mapping. This process is meant Read More …

AuKill EDR Post

Posted on 2024-09-212024-09-05 by tmack

Summary AuKill is a malicious software, often used by ransomware groups, designed to disable endpoint detection and response (EDR) security solutions on a system, essentially allowing attackers to bypass security measures before deploying ransomware by terminating EDR processes using a vulnerable, outdated driver like the Process Explorer driver from Sysinternals; effectively “killing” the EDR functionality. Key points about Read More …

Hook Chain EDR Kill

Posted on 2024-09-082024-09-05 by tmack

Summary Every binary loaded into WIndows, has a list of needed functions and processes in order for it to function properly. THink of a browser, it will use a Windows DLL to resolved the hostname to the IPv4 address and so forth. This Table can be hijacked, so instead of pointing to the appropriate function Read More …

Mad about MFA?

Posted on 2024-09-052024-09-05 by tmack

Camp IT DR/BCP Conference Thoughts

Posted on 2023-11-112024-03-26 by tmack

Recently I attended a Camp IT Conference hosted at the Stephens Convention center in Rosemont Illinois. This particular conference was Disaster Recovery / Business Continuity – Resilient Infrastructure. While the Convention center in Rosemont is cavernous, our group was off to the side in the Executive areas. Next time I will remember to take photos! Read More …