
Hexacorn

@hexacorn.bsky.social

Red Brain, Blue Fingers Malware Analysis, Reverse Engineering, Threat Hunting, Detection Engineering, DFIR, Security Research, Programming, Curiosities, Software Archaeology, Puzzles, Bad dad jokes https://www.hexacorn.com/blog/ hexacorn@infosec.exchange

1,638 Followers  |  273 Following  |  175 Posts  |  Joined: 17.10.2023

Latest posts by hexacorn.bsky.social on Bluesky

Preview
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.

During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

github.com/olafhartong/...

Slides available here:
github.com/olafhartong/...

06.08.2025 20:49 — 👍 22  🔁 16  💬 0  📌 1

feels like security research -- ideas, hypothesis, lots of digging in code, only to find out it's impossible due to some unforeseen conditions blocking the execution path we hoped to exploit; or gathering large data set (TBs) hoping to find something cool, only to discover it's very uninteresting

24.07.2025 09:33 — 👍 2  🔁 0  💬 0  📌 0

I bet they are just throwing some nuanced Rust references at you :)

19.07.2025 19:59 — 👍 0  🔁 0  💬 1  📌 0

CVE-2005-4560 and Windows Macros + all exploit packs roll in their graves when they see ClickFix and FileFix...

14.07.2025 19:35 — 👍 2  🔁 0  💬 0  📌 0

1 little known secret of advpack.dll, LaunchINFSection

www.hexacorn.com/blog/2025/07...

12.07.2025 22:42 — 👍 2  🔁 0  💬 0  📌 0

1/ During a recent incident response case, we observed the following file access: \\localhost\C$\@GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit

This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot.

10.07.2025 14:05 — 👍 12  🔁 5  💬 1  📌 0
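A triage routine for the previous-versions path pattern in this post, as an added example (not the poster's code or tooling): it flags file-access records whose path carries the @GMT-YYYY.MM.DD-HH.MM.SS snapshot token and rates them by what was read. The log line format and the host, user and file names are constructed for the demo.

```python
import re

# Added example (not the post's code); the log format below is constructed.
# Token Windows/SMB uses to address a Volume Shadow Copy inside a path.
GMT_TOKEN = re.compile(r"@GMT-\d{4}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{2}", re.I)
# UNC path into an administrative share such as \\host\C$\...
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[a-z]\$\\", re.I)
# Credential stores; copying one out of a snapshot sidesteps the live file lock.
SENSITIVE_SUFFIXES = (r"\windows\ntds\ntds.dit", r"\windows\system32\config\sam",
                      r"\windows\system32\config\system", r"\windows\system32\config\security")

def classify_path(path):
    """Return (severity, reasons) for one accessed path."""
    reasons = []
    if GMT_TOKEN.search(path):
        reasons.append("vss-snapshot-token")
    if ADMIN_SHARE.match(path):
        reasons.append("admin-share")
    if path.lower().endswith(SENSITIVE_SUFFIXES):
        reasons.append("sensitive-file")
    if "vss-snapshot-token" in reasons and "sensitive-file" in reasons:
        return "high", reasons    # credential store read out of a snapshot
    if "sensitive-file" in reasons:
        return "medium", reasons  # live credential store touched directly
    if "vss-snapshot-token" in reasons:
        return "low", reasons     # previous-versions browsing; check context
    return "none", reasons

def triage(log_text):
    """Parse 'user=... path=...' records; return [(user, path, severity)] for hits."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"user=(\S+) path=(.+)$", line)
        if m and (sev := classify_path(m.group(2).strip())[0]) != "none":
            hits.append((m.group(1), m.group(2).strip(), sev))
    return hits

# Constructed sample: the ntds.dit read from the post, a benign previous-versions
# read, a direct touch of the live ntds.dit, and plain admin-share access.
SAMPLE_LOG = r"""
2025-06-21T10:55:01Z host=DC01 user=CORP\svc_backup path=\\localhost\C$\@GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit
2025-06-21T10:56:12Z host=DC01 user=CORP\alice path=\\localhost\C$\@GMT-2025.06.21-10.53.43\Users\alice\report.docx
2025-06-21T10:57:30Z host=DC01 user=CORP\bob path=C:\Windows\NTDS\ntds.dit
2025-06-21T10:58:00Z host=DC01 user=CORP\carol path=\\localhost\C$\Users\carol\notes.txt
"""

if __name__ == "__main__":
    for user, path, sev in triage(SAMPLE_LOG):
        print(f"{sev:6} {user:16} {path}")
```

The same token appears in SMB-level telemetry (previous-versions requests), so the path check applies equally to file-share audit logs and endpoint file-access events.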

Beyond good ol’ Run key, Part 148

www.hexacorn.com/blog/2025/07...

05.07.2025 23:44 — 👍 5  🔁 1  💬 0  📌 0

Beyond good ol’ Run key, Part 147

www.hexacorn.com/blog/2025/07...

05.07.2025 23:27 — 👍 4  🔁 1  💬 0  📌 0

malmoeb.bsky.social is one of the best people to follow; in the era of generative AI it's easy to lose motivation for doing anything really, so his posts discussing so many interesting attacks are a breath of fresh air (and even if it is his AI posting it :-P, it's that very good ol' school vibe)

29.06.2025 17:58 — 👍 3  🔁 0  💬 0  📌 0

clever carding page

hxxps://gov[.]comsitebab[.]life/gov

when you visit from the desktop, it's just a regular website (although compromised)

when you visit from a smartphone, you get a fake gov web site that harvests your CC details

16.06.2025 14:07 — 👍 4  🔁 2  💬 0  📌 0
Did you know Windows has built-in RAM disk?
And not just your regular RAM disk. It's pmem/nvdimm, via built-in scmbus.sys facility!

That means you can make 🦆🦆🦆 #dax volume, so data/image mappings (section views) will use "drive" directly!
No data persistence, no w10; only ws2022/w11+. EZ 📀 create:

Collage of screenshots showing how to enable emulated ramdisk and set its size via registry parameters for scmbus.sys.
Also shown: how to create partition and properly format the DAX volume.

1. Create ramdisk of 0x1234_MB:

cmd /v/c"set R=reg add HKLM\SYSTEM\CurrentControlSet\Services\scmbus /f /v&!R! CreateSimulatedRamdiskRootDevice /t 4 /d 1 &!R! RamdiskSizeInBytes /t 11 /d 0x123400000 &sc start scmbus"

(reboot required, unless you're lucky).

2. Create partition as usual:

list disk
select disk NNNN
convert gpt
create partition primary
assign letter X:

3. And format volume with DAX support:

format X: /fs:ntfs /Q /L /DAX

15.06.2025 12:23 — 👍 6  🔁 2  💬 1  📌 0

VMwareResolutionSet.exe VMwareResolutionSet.dll lolbin

www.hexacorn.com/blog/2025/06...

15.06.2025 20:49 — 👍 4  🔁 2  💬 0  📌 0

wermgr.exe boot offdmpsvc.dll lolbin

www.hexacorn.com/blog/2025/06...

#lolbin

14.06.2025 23:35 — 👍 2  🔁 0  💬 0  📌 0

wpr.exe boottrace phantom dll axeonoffhelper.dll lolbin

www.hexacorn.com/blog/2025/06...

#lolbin

14.06.2025 23:14 — 👍 3  🔁 0  💬 0  📌 0

#HuntingTipOfTheDay: Services can provide persistence. Looking for changes to their commands is common, but the lesser known Environment setting is often overlooked. It could result in stealthy DLL hijacking. Inspect any paths referenced for suspicious files.

09.06.2025 11:03 — 👍 3  🔁 2  💬 2  📌 0
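One way to act on this tip, as an added example (not the poster's code): walk each service's Environment entries (the REG_MULTI_SZ of NAME=value strings under its Services key) and report every referenced directory that sits outside the system tree, such as a PATH component in a user-writable folder. The service names and values are constructed, and collecting them from the registry with winreg or reg.exe is assumed to happen elsewhere.

```python
import re

# Added example (not the post's code). Input is a constructed dict of
# service -> ["NAME=value", ...] as read from HKLM\SYSTEM\CurrentControlSet\
# Services\<svc>\Environment; the registry collection step is assumed.

# A value component that looks like a local drive path or a UNC path.
PATH_LIKE = re.compile(r"^(?:[a-z]:\\|\\\\)", re.I)
# Directory trees a service is normally expected to load from (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def untrusted_dirs(env_entries):
    """Return [(VAR, path), ...] for path components outside the trusted trees."""
    findings = []
    for entry in env_entries:
        name, _, value = entry.partition("=")
        for part in value.split(";"):          # PATH-style lists are ';'-separated
            part = part.strip()
            if not PATH_LIKE.match(part):
                continue
            # Trailing backslash stops c:\windowsevil from matching c:\windows.
            norm = part.lower().rstrip("\\") + "\\"
            if not norm.startswith(TRUSTED_PREFIXES):
                findings.append((name.upper(), part))
    return findings

def review_services(services):
    """Map service name -> findings, keeping only services with hits."""
    return {svc: hits for svc, env in services.items() if (hits := untrusted_dirs(env))}

# Constructed sample: one clean service, one whose PATH and SystemRoot point at
# user-writable locations (a DLL planted there loads in the service's context),
# and one with no Environment value at all.
SAMPLE_SERVICES = {
    "GoodSvc": [r"PATH=C:\Windows\System32;C:\Windows", r"TEMP=C:\Windows\Temp"],
    "OddSvc": [r"PATH=C:\Users\Public\Libraries;C:\Windows\System32",
               r"SystemRoot=C:\ProgramData\sr", "FOO=bar"],
    "NoEnvSvc": [],
}

if __name__ == "__main__":
    for svc, hits in review_services(SAMPLE_SERVICES).items():
        for var, path in hits:
            print(f"{svc}: {var} references {path} -- inspect for planted DLLs/EXEs")
```

Every reported directory is then checked for recently written DLLs or executables and for write permissions granted to non-administrators.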

New #TinyTracer (v3.0) is out - with many cool features: github.com/hasherezade/... - check them out!

06.06.2025 19:11 — 👍 15  🔁 6  💬 1  📌 0

While investigating a compromised network, we found suspicious PowerShell code that ran on a domain controller. The script downloaded a file called chrome_installer.exe and installed it.

We checked the file and found it was signed by Google, so it’s a genuine Chrome installer.

05.06.2025 15:52 — 👍 2  🔁 1  💬 1  📌 0

mscoree.dll, RunDll32ShimW lolbin
www.hexacorn.com/blog/2025/05...

31.05.2025 23:29 — 👍 7  🔁 3  💬 0  📌 0

hmm triage and RCA should not be in the same sentence

imho for the triage alone, 15min SLA is very reasonable; provided it ends up with closure, or escalation to the next level (we are talking properly built triage function with clearly defined procedures)

30.05.2025 15:26 — 👍 3  🔁 0  💬 0  📌 0

youtu.be/5PCU48nqAIw?... start at 10:20 of the cross-questioning of the expert on their CV and credentials in the Karen Read trial. Shanon Burgess. #DFIR

20.05.2025 00:13 — 👍 18  🔁 1  💬 2  📌 2

that was painful to watch

20.05.2025 09:36 — 👍 2  🔁 0  💬 0  📌 0

Shell32.dll, #44 lolbin

www.hexacorn.com/blog/2025/05...

18.05.2025 00:51 — 👍 5  🔁 3  💬 1  📌 0

We are VERY excited to announce that Volatility 3 has now reached feature parity with Volatility 2! With this parity release, Volatility 2 is now deprecated. Full details in the blog post linked below.

16.05.2025 15:08 — 👍 20  🔁 11  💬 0  📌 0
Heard of #ContextJail?
It's a nasty new technique: puts target thread into ⓪ deadloop, for as long as you can afford. Requires THREAD_GET_CONTEXT right.

The gist? Just spam NtGetContextThread(tgt).😸
Target will be jailed, running nt!PspGetSetContextSpecialApc 🔁.

Src & binary in [ALT].

Usecases:

Screenshot of contextjail.exe running with default arguments.

Highlighted:

* prisoner thread (latched to CPU1 with priority 15) couldn't run for the entire test duration (30 seconds).

* 99 jailer threads (latched to 6/8 processors, CPU2..CPU7) were using 20% of total CPU time.

Overlay: pseudo-ASCII art with prisoner thread and 6 jailer threads (guards), spamming NtGetContextThread to block the prisoner.

Source and compiled binary:
https://pastebin.com/pBJcGp1y

06.05.2025 22:06 — 👍 7  🔁 6  💬 1  📌 0

Glad Skype data deletion works

06.05.2025 12:03 — 👍 0  🔁 0  💬 1  📌 0

Minority (forensic) report aka defending forward w/o hacking back

www.hexacorn.com/blog/2025/05...

#dfir

02.05.2025 23:29 — 👍 3  🔁 2  💬 1  📌 0

this sounds funnier in Australian

02.05.2025 13:09 — 👍 3  🔁 0  💬 0  📌 0
Preview
AI will never be able to write like me. Why? Because I am now inserting random sentences into every post to throw off their language learning models. Any AI emulating me will radiator freak yellow ... | Ken Cheng | 819 comments

there is a solution out there - driving a forklift on a sponge of ice cream
www.linkedin.com/posts/ken-ch...

25.04.2025 14:07 — 👍 1  🔁 0  💬 0  📌 0

AI worms in the making ;)
www.cmdzero.io/blog-posts/i...

17.04.2025 11:00 — 👍 3  🔁 1  💬 0  📌 0

I guess AI-olescence TV Series is in the making

11.04.2025 09:32 — 👍 1  🔁 0  💬 0  📌 0
