Chris Shields
r00t0v3rr1d3.bsky.social
Red Team
Reposted by Chris Shields
[BLOG]
Integrating Tradecraft Garden PIC loaders into Cobalt Strike
rastamouse.me/harvesting-t...
June 8, 2025 at 1:43 AM
Reposted by Chris Shields
This is all part of a broader arc. Advocate for research as a public good, advocate for researchers, and don't let others' short-sighted self-interest & lack of imagination create a situation that only benefits them. How? Offer a win-win vision that honors (what were once) shared values. ...
June 5, 2025 at 2:36 PM
Reposted by Chris Shields
It's also a way to continue to encourage pyramid of pain thinking in the industry. Chase the behaviors. Chase the tradecraft. Sort by most popular tool, write the 100th signature for an already signatured detection surface, doesn't yield gains--makes a lazy blog post on a slow day, but not progress
June 5, 2025 at 2:36 PM
Reposted by Chris Shields
Planting a Tradecraft Garden

aff-wg.org/2025/06/04/p...
June 4, 2025 at 8:25 PM
Reposted by Chris Shields
And, what of Breach Intel? A culture that values ground truth and sober/blameless discussion. A focus on root causes, contributing factors, and actionable remediations... not sensationalized tool/actor porn. It's possible:

www.cisa.gov/news-events/...

I think of it as an umbrella ideal.
April 2, 2025 at 3:39 PM
Reposted by Chris Shields
I made predictions in 2019 at my last talk. A keynote lamenting things were going in a VERY bad direction for hackers. This climate continues. I'm trying steps to influence these trends too. Easier as a ghost more removed from these trends vs. someone being crushed by them

H/T x.com/edskoudis/st...
April 2, 2025 at 3:39 PM
Reposted by Chris Shields
[Blog] This ended up being a great applied research project with my co-worker Dylan Tran on weaponizing a technique for fileless DCOM lateral movement based on the original work of James Forshaw. Defensive recommendations provided.

- Blog: ibm.com/think/news/f...
- PoC: github.com/xforcered/Fo...
Fileless lateral movement with trapped COM objects | IBM
New research from IBM X-Force Red has led to the development of a proof-of-concept fileless lateral movement technique by abusing trapped Component Object Model (COM) objects. Get the details.
ibm.com
March 25, 2025 at 9:21 PM
All these people thinking anything is actually “deleted” when you tell them to…re 23andme. Ha.
March 24, 2025 at 5:38 PM
Reposted by Chris Shields
Someone has done an excellent job collecting RATs and documenting them by version. They also included images.

A+ work. This is amazing (we're going to ingest this eventually)

github.com/Cryakl/Ultim...
GitHub - Cryakl/Ultimate-RAT-Collection: For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots.
For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots. - Cryakl/Ultimate-RAT-Collection
github.com
March 22, 2025 at 5:25 PM
Reposting here so people don't have to go...there. "Loki C2 blog drop". All credit to Bobby Cook (0xBoku), I'm just relaying.

securityintelligence.com/x-force/bypa...
Bypassing Windows Defender Application Control with Loki C2
Microsoft offers a bug bounty for qualifying bypasses into Windows Defender Application Control. Learn how IBM's X-Force team found a bypass using Loki C2.
securityintelligence.com
March 18, 2025 at 6:17 PM
Reposted by Chris Shields
Dig through this timeline and you'll figure out what I'm here to do. I spoke to a commercial leader in the offensive security space last year. My words: you're fucking it up.

What I didn't say: I feel compelled, even though I DON'T want the bullshit, to try and fix it.

What does all of this mean?
March 15, 2025 at 3:57 AM
Reposted by Chris Shields
By the way, who thinks about what does and doesn't work (and why)? Security researchers. Red teams. That's our message. And, when you vilify us, you kick us out of the conversation because we have to protect ourselves too. And, this vilification has gone on for a long damned time.
March 15, 2025 at 3:57 AM
Reposted by Chris Shields
Imagine a discipline called Breach Intelligence. Instead of describing breaches as tools+actors, we use root-cause analysis to dissect the attack path, identify contrib factor issues, and their mitigations. And, aggregate data about which compensating controls (security products) failed
March 15, 2025 at 3:57 AM
Reposted by Chris Shields
The Security Conversation - The value of offensive security work is fully realized by participation in the security conversation.

aff-wg.org/2025/03/13/t...
March 14, 2025 at 2:51 AM
Reposted by Chris Shields
Kicking off a new blog series. We will be exploring and abusing DNS by building a key/value store.

www.offensivecontext.com/abusing-dns-...
Abusing DNS, Part 1: How does DNS do what it do?
DNS is one of the protocols that make the internet possible. In many ways DNS is the phone book of the internet. DNS turns the domain you are trying to get to into the IP address your computer needs t...
www.offensivecontext.com
February 20, 2025 at 7:52 PM