cocomelonc’s tabby is a tiny teaching framework for writing position-independent Windows x64 shellcode in C, with indirect NT syscalls and no IAT, no CRT, no PE header — the whole toolchain runs on Linux via mingw-w64, nasm, a custom linker script, and objcopy. The whole thing is ~500 lines of C plus ~80 of NASM and produces a flat shellcode.bin ready to inject.
Weaponizing Writable SMB Shares to Steal Domain Credentials
A walkthrough of a classic-but-still-effective Active Directory attack: how write access to an SMB share — plus a single .lnk file — lets an attacker capture Net-NTLMv2 hashes from every user who simply browses the folder, with no clicks, no payload execution, and almost no EDR signal.
Centurion: A Virtualized Loader and the “Bring Your Own Execution Environment” Model
Praetorian’s Centurion is a virtualized loader built around a custom x86-64-inspired ISA and freestanding C runtime, where the PE loader, TLS stack and HTTP client all live behind the interpretation layer. The result — a TLS bind shell running inside a custom VM, shipped in roughly a week of LLM-assisted development.
Client-Side Container Attack: DLL Sideloading wab.exe via Email Archive Delivery
Walkthrough of an initial-access chain that ships a signed Microsoft binary (wab.exe / Windows Address Book) and a hidden CRYPTDLG.dll proxy in the same archive, delivered via Google Drive to dodge Gmail’s blanket 7-zip block. perfect-dll-proxy / SharpDllProxy generate the forwarder, cl.exe compiles the x64 DLL, DllMain pops a MessageBox to confirm execution — and when MotW doesn’t propagate through the extract step the operator gets clean code execution under a trusted Microsoft signer.
BOF Cocktails in Cobalt Strike: Instrumenting BOFs with BEACON_INLINE_EXECUTE and Crystal Palace
Cobalt Strike 4.13 ships a new BEACON_INLINE_EXECUTE Aggressor hook that lets operators rewrite Beacon Object File bytes on the fly. Combined with Rasta Mouse’s Crystal Palace toolkit, the hook becomes a clean intercept point for merging tradecraft — API instrumentation, unhooking, telemetry suppression — directly into postex BOFs at runtime, no agent or loader hacks required.
Reverse-engineering Valorant’s Vanguard Guarded Regions: PML4 Cloning, CR3 Swaps, and the SwapContext Hook PoC (Walk-through of Xyrem’s Post)
Walk-through of Xyrem’s reversing.info analysis of Valorant’s Vanguard Guarded Regions: how Vanguard hides game state behind a private “shadow” PML4 entry that’s only swapped in when one of its own whitelisted threads is on the CPU, the SwapContext hook that drives the swap, and how a cheat can rebuild the same primitive with its own kernel driver to expose hidden game memory after thread whitelisting.
Red Team Tactics: Utilizing Syscalls in C# — Writing the Code (Walk-through of Jack Halon’s Direct-Syscall PoC)
Walk-through of Jack Halon’s “Utilizing Syscalls in C# — Part 2” post: building a direct-syscall NtCreateFile PoC in C# .NET 3.5, extracting the syscall stub from ntdll in WinDbg, mapping it as executable memory with VirtualProtect, invoking it through a P/Invoke delegate, and verifying via Process Monitor that the call goes straight to the kernel without touching ntdll’s NtCreateFile prologue.
Bypassing Windows Defender and AMSI: A Practical Defense Evasion Guide for Red Team Operators
A practical, layer-by-layer walkthrough of modern Windows defense evasion for red team operators: the architecture of Microsoft Defender, three generations of AMSI bypass (classic patching, hardware breakpoints, AMSI Write Raid), ETW silencing, AppLocker bypass with built-in LOLBins, and how to stitch them into a working kill chain — plus what blue teams can still detect.
Kernel Karnage Part 1: Patching Windows Kernel Callbacks to Disable EDR from a Driver
A walk-through of NVISO Labs’ first Kernel Karnage post: writing a small Windows kernel driver, locating the undocumented PspCreateProcessNotifyRoutine callback array through disassembly, and patching the EDR’s registered callback out of it. Covers the User/Kernel-space architecture, PatchGuard, kernel-debugger setup, the three-byte opcode bug that caused a BSOD, and a Mimikatz demo with callbacks on and off.
Visual Studio Extensions Revisited: Building, Publishing, and Hunting Malicious VSIXs
MDSec returns to the Visual Studio extension ecosystem three years after their VS Code work. A modern “VisualStudio.Extensibility” extension that fetches and runs an arbitrary .NET assembly via reflection — built from the stock template, published on the Marketplace under the “MSAzure” publisher with no security checks — takes a renamed “Microsoft” publisher around an hour to land. The second half of the post is a five-stage triage pipeline (Acquisition → Unpacking → Decompilation → LLM Triage → Agent Investigation) over the 8,566 analysable VSIX packages currently on the Marketplace, surfacing a backdoor-shaped “vs-publisher-1477920/FVsEx” extension that exfiltrates host info to “qweq.xyz” and dispatches commands to “cmd.exe”.










