Hi
11.09.2025 13:09
@mhaggis.bsky.social
Just a person hacking away.
Still on your journey to mastering ASR rules?
Don't sleep on ASRGEN
Point. Click. Generate ASR rules.
Learn + test safely with built-in atomic simulations
Export to Intune/GPO-ready formats
Built for defenders, by defenders
asrgen.streamlit.app
github.com/MHaggis/ASRGEN
Just dropped a 1-hour rabbit hole dive into API playgrounds, mocks, & random nerdy finds
We started with ClickGrab, but then it turned into:
Beeceptor
Mockbin
Zudoku
VirusTotal hunts
ChatGPT making OpenAPI bins & routes
Chaotic, nerdy, fun. Come hang out: youtu.be/j7QE-6p9Y9Q
Minted narwhal!
I am/was burnt sienna goose
New ASR rules are now GA:
Block rebooting in Safe Mode
Block copied/impersonated system tools
ASRGEN had these since preview.
Want to:
Quickly create Intune-ready ASR policies
Simulate and understand rule impacts
Check: asrgen.streamlit.app
Be proactive. Be precise.
The hunt begins...
The first drops for PowerShell-Hunter: Season 2 are coming SOON.
New tools. Smarter hunting. Sexier telemetry.
This isn't just DFIR, it's an evolution.
Hunt smarter. Hunt harder.
github.com/MHaggis/Powe...
PowerShell-Hunter Season 2 is coming
More atomic tools
Smarter, faster log analysis
Machine learning meets lateral movement
PowerShell so slick it should be illegal
You're not ready, but you should be.
Star the repo or miss the magic:
Exciting News: PCA Analyzer is now part of the PowerShell-Hunter suite!
Check it out on GitHub: github.com/MHaggis/PowerShell-Hunter
Want a deeper dive? Check out Atomics on a Friday, where we introduce SDDLMaker!
https://www.youtube.com/watch?v=uSYvHUVU8xY
RT/Reshare if you find this useful!
#WindowsSecurity #SDDL #Cybersecurity #Splunk #AtomicRedTeam
Splunk Security Content:
๐ https://research.splunk.com/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering/
Mind Map:
๐ https://github.com/MHaggis/SDDLMaker/tree/main/MindMap
(5/)
Need to decode or generate SDDL? Try SDDLMaker
๐ https://thesddlmaker.streamlit.app/
Read the full blog:
๐ https://www.splunk.com/en_us/blog/security/windows-security-sddl-guide-access-control.html
(4/)
Top 3 Things You'll Learn:
1. How attackers exploit SDDL: event log tampering, service hardening, & more
2. How to decode SDDL strings & analyze permissions, DACLs, and ACEs
3. How to defend against SDDL abuse with detections & Atomic Red Team tests
(3/)
In our latest blog, we break down SDDL:
How it structures Windows security
How attackers, from LockBit to RomCom, manipulate it for privilege escalation & defense evasion
How to detect & defend
(2/)
Windows Security and SDDL: What You Need to Know
Windows permissions misconfigurations are a goldmine for attackers. SDDL (Security Descriptor Definition Language) remains overlooked yet highly exploitable.
@nasbench.bsky.social and I break it down -->
(1/)
Tomorrow, join us for a legendary episode of Atomics on a Friday featuring Jonathan Johnson (@jsecurity101) as we dive deep into JonMon, the tool redefining Windows telemetry!
24.01.2025 03:02
Twas the night before JonMon, and all through the net,
Defenders were stirring, their systems to vet.
The telemetry was hung in EventViewer with care,
In hopes that Jonny Johnson soon would be there.
Friday, January 24th
11 AM MST | 1 PM EST
YouTube: youtube.com/watch?v=CqEhtg...
I got you!
13.12.2024 01:18
Down to the end of my last Christmas blend, what do you recommend this holiday season? I typically get Red Rooster or Atomic.
www.redroostercoffee.com/products/goo...
atomicroastery.com/products/mer...
Happy Monday
02.12.2024 18:04
Tools for Testing:
Apache Builder: https://buff.ly/4fOt8F9
IIS Builder: https://buff.ly/4fLGySm
Empower your security team to hunt, detect, and patch gaps before attackers exploit them.
Test, learn, and refine! #CyberSecurity #ThreatHunting #WebShellDetection
How to Use:
1. Deploy your favorite tools (Sysmon, EDR, XDR, etc.)
2. Grab a webshell of choice, upload it, and start testing!
3. Observe logs, alerts, and behaviors to identify gaps in your coverage.
Detection Opportunities:
Use these servers to validate analytic coverage for:
File modifications (webshell uploads)
Process executions (commands from shells)
Suspicious behaviors triggered by shells
Webshell Testing for Defenders
Having automated tools to spin up web servers isn't just convenient, it's a game-changer for defenders. Here's why:
Unlocking the Secrets of Braodo Stealer!
Dive into our latest blog where the Splunk Threat Research Team dissects the elusive Python malware and its sneaky obfuscated loader!
Cracking the code of Braodo Stealer's obfuscation
"Things that get built on a Monday...
"'Haag, do you have an easy way to build an Apache|NGINX|IIS server to easily simulate webshells?'
Hold my coffee...
• 5-min Apache+PHP setup
• Drop-in webshell support
See you Tuesday!
Blast from the past Atomics on a Friday
Attackers are weaponizing IIS modules for persistence, post-exploitation, and data theft.
Check out the blog + AOAF for more:
https://buff.ly/40UUWAI
Don't wait, watch to strengthen your defenses:
Living off GitHub: The Stargazers Ghost Network!
I somehow missed this, but WOW, what a fascinating deep dive into a DaaS operation! Fully automated, primed for quick Ops, and makes you wonder about the ones we haven't uncovered yet.
https://buff.ly/3LCYEIP