RIP RegPwn: The Rise and Fall of a Windows Registry Exploitation Technique
Original text by Filip Dragovic.
As part of MDSec’s R&D work, we often discover vulnerabilities and develop exploits to support our red team engagements. When researching widely used software, it is often only a matter of time before the same vulnerability is discovered by other researchers and reported to the vendor. Two weeks ago we…
https://core-jmp.org/2026/03/rip-regpwn-the-rise-and-fall-of-a-windows-registry-exploitation-technique/
Silent Harvest: Extracting Windows Secrets Under the Radar
Original text by Sud0Ru
What the article is about
The article explains how attackers can quietly harvest sensitive Windows credentials and secrets after gaining initial access to a system, while avoiding detection by modern EDR solutions. The goal is to collect credentials for lateral movement without triggering typical security alerts.
The author first describes how…
https://core-jmp.org/2026/03/silent-harvest-extracting-windows-secrets-under-the-radar/
Reverse engineering undocumented Windows Kernel features to work with the EDR
Original text by 0xflux/
[Reverse engineering Windows internals: because sometimes the best way to fix a problem is to take the operating system apart.]
Intro
The information contained in this blog post is valid for the Windows 11 Kernel 24H2, and is not guaranteed to be accurate on other kernel versions.
The code for this…
https://core-jmp.org/2026/03/reverse-engineering-undocumented-windows-kernel-features-to-work-with-the-edr/
Active Directory Security Assessment: Password Spraying, Privilege Escalation, and Kerberoasting
Active Directory remains the backbone of identity and access management in most enterprise environments. Because of its central role in authentication, authorization, and service delegation, compromising Active Directory often means compromising the entire organization. Modern attackers understand this well and frequently target domain infrastructure as the primary objective during intrusion campaigns.
Unlike traditional exploitation techniques…
https://core-jmp.org/2026/03/active-directory-security-assessment-password-spraying-privilege-escalation-and-kerberoasting/
How Kernel Anti-Cheats Work: A Deep Dive into Modern Game Protection
Original text by s4dbrd
The article explains how modern kernel-level anti-cheat systems operate and why game developers increasingly rely on kernel drivers to combat advanced cheating techniques. It describes how anti-cheat software loads privileged drivers that run at the same level as the Windows kernel, allowing them to monitor processes, detect unauthorized memory manipulation, and…
https://core-jmp.org/2026/03/how-kernel-anti-cheats-work-a-deep-dive-into-modern-game-protection/
Crimes against NTDLL – Implementing Early Cascade Injection
Original text by fluxsec
Early Cascade Injection is an advanced process injection technique designed to execute payloads at the earliest stage of Windows process initialization. The method abuses internal components of the Windows loader located in ntdll.dll, specifically the Application Compatibility Shim Engine. By modifying undocumented global variables such as g_ShimsEnabled and the callback pointer…
https://core-jmp.org/2026/03/crimes-against-ntdll-implementing-early-cascade-injection/
An interesting project! vm-filesystem
The name is so-so; read it as FILE MANAGER.
By and large, it is an alternative backend for file operations in Havoc/Kaine via Firebeam VM.
A neat architectural trick: you can swap out the standard client-to-agent interaction path and run file operations through a different execution backend while keeping the familiar UX, which means it potentially produces less telemetry than BOF/dynamic execution.
It is still a long way from a new production-ready stealth file manager, but as a PoC demo of how the standard filesystem backend can be replaced via Firebeam VM and monkey-patching the client, it is very interesting.
For C2 plugin fans:
repository
&
Video
#CC #C2
Ghost in the PPL – LSASS Memory Dump
Original text by Clément Labro
The article explores techniques for extracting memory from the LSASS (Local Security Authority Subsystem Service) process when it runs as a Protected Process Light (PPL). Modern versions of Windows use PPL to protect sensitive processes such as LSASS from tampering or credential dumping by user-mode tools.
The research initially aimed…
https://core-jmp.org/2026/03/ghost-in-the-ppl-lsass-memory-dump/
Decrypting and Abusing Predefined BIOCs in Palo Alto Cortex XDR
Original text by Manuel
Summary
The Windows Cortex XDR agent uses CLIPS rules for behavioral detections. These rules are shipped encrypted in content updates. We decrypted these rules and discovered numerous hardcoded exceptions including global whitelists that can be abused to bypass those rules. For example, if a process’s command-line arguments contain :\Windows\ccmcache, it is…
https://core-jmp.org/2026/03/decrypting-and-abusing-predefined-biocs-in-palo-alto-cortex-xdr/
Reverse Engineering the Tapo C260 and Tapo Discovery Protocol v2
Original text by Spaceraccoon
The article describes the reverse-engineering process of the TP-Link Tapo C260 smart camera and the analysis of its proprietary Tapo Discovery Protocol v2 (TDPv2). The research was conducted during the SPIRITCYBER IoT hardware hacking contest and focused on understanding the device firmware and network attack surface. The author begins with a…
https://core-jmp.org/2026/03/reverse-engineering-the-tapo-c260-and-tapo-discovery-protocol-v2/
LOLExfil: Stealthy Data Exfiltration Using Living-Off-the-Land Techniques
LOLExfil is a concept and toolset for performing data exfiltration using “Living-Off-the-Land” (LOL) techniques that rely on legitimate system utilities, trusted services, and built-in operating-system functionality rather than custom malware. The research explores how attackers can abuse standard tools already present in enterprise environments—such as scripting engines, networking utilities, cloud APIs, and legitimate web services—to covertly…
https://core-jmp.org/2026/03/lolexfil-stealthy-data-exfiltration-using-living-off-the-land-techniques/
Peeling Back the Socket Layer: Reverse Engineering Windows AFD.sys
Original text by Mateusz Lewczak
Part 1: Investigating Undocumented Interfaces
The four-part research series explores the reverse engineering of the Windows AFD.sys (Ancillary Function Driver) to understand how networking operations work beneath the Winsock API. AFD.sys is a kernel driver that acts as a bridge between user-mode socket APIs and the lower networking stack, translating…
https://core-jmp.org/2026/03/peeling-back-the-socket-layer-reverse-engineering-windows-afd-sys/
EDR Internals for macOS and Linux
Original text by Kyle Avery
The article analyzes how Endpoint Detection and Response (EDR) systems operate internally on macOS and Linux, focusing on the telemetry sources and monitoring mechanisms these agents rely on. The research notes that most public discussions about EDR internals focus on Windows, while macOS and Linux implementations remain less documented despite…
https://core-jmp.org/2026/03/edr-internals-for-macos-and-linux/
macOS cmd-obfuscation
More than 60 native macOS binaries ready for obfuscation have been added to ArgFuscator.
The video shows an EDR trying to prevent a credential dump.
WSL, COM Hooking, & RTTI
Original text by Jonathan Johnson
The article explores a technique for hooking COM methods inside Windows Subsystem for Linux (WSL) by leveraging C++ Runtime Type Information (RTTI). The research begins with the author’s attempt to instrument and log activity within WSL components that interact with Windows through COM interfaces. Instead of relying on traditional API-level…
https://core-jmp.org/2026/03/wsl-com-hooking-rtti/