Posts
14 Sep 2023 - Bypassing UAC with SSPI Datagram Contexts
10 Feb 2023 - LocalPotato - When Swapping The Context Leads You To SYSTEM
22 Dec 2022 - Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
3 Nov 2022 - Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor (White paper here)
21 Sep 2022 - Giving JuicyPotato a second chance: JuicyPotatoNG
28 Jun 2022 - The hidden side of Seclogon part 3: Racing for LSASS dumps
5 May 2022 - A very simple and alternative PID finder
7 Dec 2021 - The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory
13 Sep 2021 - Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms (White paper here)
26 Apr 2021 - Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol
16 Jul 2020 - Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection
11 May 2020 - No more JuicyPotato? Old story, welcome RoguePotato!
6 Dec 2019 - We thought they were potatoes but they were beans (from Service Account to SYSTEM again)
31 Jul 2017 - Reverse Engineering a Javascript Obfuscated Dropper
21 Jun 2017 - Ransomware at X-Rays (DM me here if you need the pdf)
7 Jul 2016 - New Locky variant - Zepto Ransomware Appears On The Scene
26 Jun 2016 - Locky Ransomware is back! 49 domains compromised!