In the field of Windows security offense and defense, Function Hooking is a core technology for EDR (Endpoint Detection and Response) to monitor process behavior and for attackers to bypass protections. To counter modern EDR interception, the first step is to master the operating mechanism of function hooking in user mode. Centered on the framework of “FUNCTION-HOOKING…

In penetration testing, XXL-Job vulnerabilities are often highlighted for their convenience in direct reverse shell attacks. However, real-world scenarios frequently involve “non-outbound networks” or “missing scheduler panels,” which pose greater challenges. This article breaks down the version detection, command execution, and multiple memory shell injection methods for the XXL-Job Executor default token vulnerability, using practical…

SOC-CERT is an AI-powered open-source threat intelligence system that monitors CVEs from CISA, NIST, CERT-FR & OTX, delivering real-time alerts at zero cost. This is a submission for the AI Agents Challenge powered by n8n and Bright Data 🛡️ What I Built ⚡ TL;DR: 📖 Description: 🚀 Unique Innovation: soc-cert-workflow-architecture.png🏗️ Architecture Overview: ⚡ Complete threat intelligence automation pipeline processing 100+…

Intro Grzegorz Tworek recently published some C code demonstrating how to steal and impersonate Windows tokens from a process. The standard way to do this is with the OpenProcess, OpenProcessToken, DuplicateTokenEx, and ImpersonateLoggedOnUser APIs. Grzegorz shows how to achieve the same using Nt* APIs, specifically NtOpenProcess, NtOpenProcessToken, NtDuplicateToken, and NtSetInformationThread. Because I’m a C# junky, I…

What is BadUSB? Using the STM32F407 development board, we’ll study HID device development and implement a low-cost BadUSB. This article uses the development board for testing. Those with the means can also create a PCB prototype and print the enclosure to create a highly realistic BadUSB.BadUSB is an attack that masquerades as a USB HID…

Model Context Protocol (MCP) is gaining traction, but critical security gaps remain. This guide explores common MCP vulnerabilities in the 2025-06-18 release — from misconfigurations and credential leaks to command injection and remote code execution — helping developers secure their MCP deployments. MCP adoption is picking up quickly, so I have been digging into the…

This article explores how ARMO researchers leveraged the io_uring mechanism to bypass popular Linux security monitoring tools such as Falco and Tetragon. It also demonstrates the workings of the open-source attack tool Curing, explaining its core calls, exploitation process, and potential defense strategies. Background The ARMO research team recently revealed a major flaw in Linux…

This article details methods for debugging packaged Electron applications, including main/renderer process debugging techniques, ASAR file extraction and modification, debugging tool installation, and solutions for common issues like WebSockets request errors, ideal for Electron developers troubleshooting applications. Even after an Electron application has been packaged and distributed, it’s still possible to debug it using various…