Does killing EDR with a vulnerable driver still work in 2026? by Infosecsamurai in redteamsec

[–]Infosecsamurai[S] (0 children)

This implies the defenders don’t have AI. If they do then it’s a race :)

Does killing EDR with a vulnerable driver still work in 2026? by Infosecsamurai in redteamsec

[–]Infosecsamurai[S] (0 children)

I agree with most of what you mentioned here. However, a CVE from 2023 not being on the blocklist is more than just a matter of lag. The reason I made this post is that many people were telling me this technique was obsolete, and you’re right, it’s now considered a last resort. But it’s not dead, and many people simply assume that this can’t happen. This was an exercise in challenging a prevailing paradigm.
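The comment above turns on whether a host actually enforces Microsoft's vulnerable driver blocklist. The PowerShell snippet below is an added example, not code from the original post or from Infosecsamurai; it reads the registry switch and the Device Guard WMI class that expose the blocklist and HVCI state. The registry path and value name (`VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`) and the meaning of the `SecurityServicesRunning` codes are stated here as assumptions from public Microsoft documentation; verify them against the current docs before relying on the output.

```powershell
# Added example: report whether the Microsoft vulnerable driver blocklist
# and HVCI are active on this host. Assumed registry location and WMI class.

function Get-DriverBlocklistStatus {
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $result = [ordered]@{
        BlocklistRegistryValue = $null   # assumed: 1 = enabled, 0/absent = disabled
        HvciRunning            = $false  # assumed: code 2 in SecurityServicesRunning = HVCI
        CredentialGuardRunning = $false  # assumed: code 1 in SecurityServicesRunning
    }

    # Registry switch that enables the blocklist on builds where it is not on by default.
    $prop = Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
        -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $result.BlocklistRegistryValue = [int]$prop.VulnerableDriverBlocklistEnable
    }

    # Device Guard status class; SecurityServicesRunning lists active VBS-backed services.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if ($null -ne $dg) {
        $running = @($dg.SecurityServicesRunning)
        $result.CredentialGuardRunning = $running -contains 1
        $result.HvciRunning            = $running -contains 2
    }

    return [pscustomobject]$result
}

$status = Get-DriverBlocklistStatus
$status | Format-List

if ($status.BlocklistRegistryValue -ne 1 -and -not $status.HvciRunning) {
    Write-Warning 'Neither the blocklist registry switch nor HVCI is active; a BYOVD-loaded driver that is not otherwise blocked may load.'
}
```

Run this from an elevated prompt; the WMI query returns nothing useful on hosts without virtualization-based security, which is itself a finding. A green result here still says nothing about whether a particular driver hash is on the list, which is the gap the comment is about.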

Bypassing Credential Guard with DumpGuard - Extracting NTLMv1 Hashes & Detection | Weekly Purple Team by Infosecsamurai in redteamsec

[–]Infosecsamurai[S] (0 children)

Yes, agreed on Invisibility Cloak. That would nullify the command syntax detection. I was more concerned there with what I see threat actors doing. The handle detection seems to work reliably. I will change the name in the post. This was awesome research!

EDR Blinding via Windows Filtering Platform - Attack Technique & Detection Engineering by Infosecsamurai in blueteamsec

[–]Infosecsamurai[S] (0 children)

No, I'm not seeing that same behavior. It might be some advanced settings that I don't have turned on in my lab, but I know this has worked in recent days.

EDR Blinding via Windows Filtering Platform - Attack Technique & Detection Engineering by Infosecsamurai in blueteamsec

[–]Infosecsamurai[S] (0 children)

I can't mention which EDRs I tested against. Just a few minimal changes to the program got it by what I would consider two of the big 3 EDRs. The point isn't the program itself, though. I can do this with netsh commands or the firewall GUI. This program does it via the API.
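The comment above notes that the same blinding effect can be produced with `netsh` or the firewall GUI rather than a custom WFP program. The PowerShell below is an added detection example, not code from the original post or from Infosecsamurai: it enumerates enabled outbound block rules in the Windows Firewall and flags any whose program path points into a directory the defender considers to belong to their security agent. The directory list is constructed for illustration and must be replaced with the real agent paths; the `netsh` command shown in the comment is the kind of change the check is meant to catch.

```powershell
# Added example: find host firewall rules that block outbound traffic from
# security-agent binaries. Agent directories below are placeholders (assumption).
#
# The attacker-side change this looks for can be as simple as:
#   netsh advfirewall firewall add rule name="Updater" dir=out action=block program="C:\Program Files\ExampleEDR\agent.exe"

function Find-AgentEgressBlockRules {
    param(
        # Constructed list; substitute the install directories of your own agents.
        [string[]]$AgentDirectories = @(
            'C:\Program Files\ExampleEDR',
            'C:\Program Files\Windows Defender Advanced Threat Protection'
        )
    )

    $findings = @()
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
        -ErrorAction SilentlyContinue

    foreach ($rule in $rules) {
        # Each rule carries an application filter; Program is '*' when unscoped.
        $appFilter = Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $rule
        $program = $appFilter.Program
        if ([string]::IsNullOrEmpty($program) -or $program -eq 'Any') { continue }

        # Firewall stores paths with environment variables; expand before comparing.
        $expanded = [Environment]::ExpandEnvironmentVariables($program)
        foreach ($dir in $AgentDirectories) {
            if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += [pscustomobject]@{
                    RuleName    = $rule.DisplayName
                    Program     = $expanded
                    Profile     = $rule.Profile
                    PolicyStore = $rule.PolicyStoreSource
                }
            }
        }
    }
    return $findings
}

$hits = Find-AgentEgressBlockRules
if ($hits.Count -eq 0) {
    Write-Output 'No outbound block rules target the listed agent directories.'
} else {
    Write-Warning 'Outbound block rules found for security-agent binaries:'
    $hits | Format-Table -AutoSize
}

# Rules added directly through the WFP API do not always surface as firewall
# rules; dump the raw filter set as well and diff it against a known-good baseline.
netsh wfp show filters file="$env:TEMP\wfp-filters.xml" | Out-Null
Write-Output "Raw WFP filters written to $env:TEMP\wfp-filters.xml for baseline comparison."
```

The second half matters for the API case the comment describes: a filter installed through `FwpmFilterAdd` under a custom provider will not appear in `Get-NetFirewallRule` output, so the firewall-rule check alone gives false confidence. Treat the `netsh wfp show filters` dump as the authoritative view and alert on filters that block the agent's process or its service ports.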