Brett Hawkins
h4wkst3r.bsky.social
Adversary Services @xforce

https://h4wkst3r.github.io
New research just dropped I'll be presenting at @wearetroopers.bsky.social next week - Attacking ML Training Infrastructure
💥 Model poisoning for code execution
⚠️ Abusing ML workflows
⚙️ MLOKit updates and new threat hunting rules

www.ibm.com/think/x-forc...
Becoming the trainer: Attacking ML training infrastructure
Learn more about machine learning training environments and infrastructure, as well as different attack scenarios against critical components, including cloud compute, model artifact storage and model...
www.ibm.com
June 17, 2025 at 1:24 PM
Register while you still can for @retbandit.bsky.social's and my @blackhatevents.bsky.social #BHUSA training; seats are filling up fast!!
www.blackhat.com/us-25/traini...
Black Hat
www.blackhat.com
June 2, 2025 at 4:04 PM
I am thrilled to be presenting new research on attacking ML training infrastructure at @wearetroopers.bsky.social this summer. Stay tuned for a blog post and lots of updates to MLOKit closer to the conference!
April 17, 2025 at 12:25 PM
Learn 📝 about this emerging topic in a first-of-its-kind #BHUSA training from @retbandit.bsky.social and me, where you will use hands-on labs to perform attacks such as model theft, model poisoning and much more 🤖

blackhat.com/us-25/traini...
Black Hat
blackhat.com
April 7, 2025 at 6:50 PM
Reposted by Brett Hawkins
[Blog] This ended up being a great applied research project with my co-worker Dylan Tran on weaponizing a technique for fileless DCOM lateral movement based on the original work of James Forshaw. Defensive recommendations provided.

- Blog: ibm.com/think/news/f...
- PoC: github.com/xforcered/Fo...
Fileless lateral movement with trapped COM objects | IBM
New research from IBM X-Force Red has led to the development of a proof-of-concept fileless lateral movement technique by abusing trapped Component Object Model (COM) objects. Get the details.
ibm.com
March 25, 2025 at 9:21 PM
Reposted by Brett Hawkins
I am excited to announce the first conference dedicated to the offensive use of AI in security! Request an invite at offensiveaicon.com.
Co-organized by RemoteThreat, Dreadnode, & DEVSEC.
March 19, 2025 at 3:11 PM
Reposted by Brett Hawkins
The Security Conversation - The value of offensive security work is fully realized by participation in the security conversation.

aff-wg.org/2025/03/13/t...
March 14, 2025 at 2:51 AM
Reposted by Brett Hawkins
#MythicTip Want to start automating stuff with Mythic, but not sure where to start? Check out the built-in Jupyter notebooks with Mythic Scripting installed and have fun! Lots of ready to run examples exist already :) Just log in with the Jupyter token from your .env file
March 6, 2025 at 4:25 PM
Reposted by Brett Hawkins
It was an honor to speak at the @780thmibdecyber.bsky.social’s AvengerCon on the use of AI in Offensive Cyber Operations, Vuln Discovery/Weaponization, OST Dev as well as attacking AI systems.

Here are a few slides from the talk…

@NSACyber @ARCYBER @CISAgov @US_CYBERCOM
March 4, 2025 at 10:14 PM
Reposted by Brett Hawkins
Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀
February 18, 2025 at 1:12 PM
Reposted by Brett Hawkins
New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
Windows Bug Class: Accessing Trapped COM Objects with IDispatch
Posted by James Forshaw, Google Project Zero Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...
googleprojectzero.blogspot.com
January 30, 2025 at 6:37 PM
If you would like to learn how to attack and defend popular platforms that are used to develop and deploy ML models, early sign-up is now available for @retbandit.bsky.social's and my @blackhatevents.bsky.social training course ⬇️

www.blackhat.com/us-25/traini...
Black Hat USA 2025
www.blackhat.com
January 30, 2025 at 3:15 PM
Reposted by Brett Hawkins
In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...
Intune Attack Paths — Part 1
Intune is an attractive system for adversaries to target…
posts.specterops.io
January 15, 2025 at 5:33 PM
Reposted by Brett Hawkins
Live streams from the last ShmooCon security conference, which took place last week, are available on YouTube

www.youtube.com/playlist?lis...
ShmooCon 2025 - YouTube
www.youtube.com
January 15, 2025 at 1:17 PM
You can find our @shmoocon.bsky.social presentation slides at the below GitHub repo. Thanks again to all that attended. Also, thank you to the conference organizers for putting on a great con and having us! #shmoocon

github.com/h4wkst3r/Con...
January 12, 2025 at 4:12 PM
Reposted by Brett Hawkins
New @netspi.bsky.social blog out today on "Hijacking Azure Machine Learning Notebooks (via Storage Accounts)". This is very similar to Storage Account attacks that have been done against Function/Logic Apps and Cloud Shell - www.netspi.com/blog/technic...
Hijacking Azure Machine Learning Notebooks (via Storage Accounts)
Abusing Storage Account Permissions to attack Azure Machine Learning notebooks
www.netspi.com
January 8, 2025 at 4:32 PM
Reposted by Brett Hawkins
Unequivocally one of the best pieces of writing on Tier 0 there is...
What is Tier Zero — Part 1
Tier Zero is a crucial group of assets in Active Directory (AD) and Azure. Its purpose is to protect the most critical components by…
posts.specterops.io
January 7, 2025 at 6:15 PM
MLOps platforms are becoming critical to enterprises. This has caused @retbandit.bsky.social and me to research these platforms and how they can be abused by attackers. Check out the research we will be presenting @shmoocon.bsky.social this week.

securityintelligence.com/x-force/abus...
Abusing MLOps platforms to compromise ML models and enterprise data lakes
With the rush to implement AI across organizations came the increase in the use of MLOps platforms and a greater risk of attack. Learn more about MLOps platforms and how threat actors are using them.
securityintelligence.com
January 6, 2025 at 4:19 PM
Reposted by Brett Hawkins
IBM X-Force's Logan Goins has released Krueger, a .NET tool for remotely killing EDR using the Windows Defender Application Control (WDAC) utility

github.com/logangoins/K...
GitHub - logangoins/Krueger: Proof of Concept (PoC) .NET tool for remotely killing EDR with WDAC
Proof of Concept (PoC) .NET tool for remotely killing EDR with WDAC - logangoins/Krueger
github.com
December 26, 2024 at 1:46 PM
Reposted by Brett Hawkins
Detection Engineering is sometimes hard, and may fail. Still, a lot of things can be learned from the process. In this blog I cover a lot. I had a detection; currently it's broken, but MS is on it :D

medium.com/falconforce/...
Detection engineering rabbit holes — parsing ASN.1 packets in KQL
TL;DR: Detection engineering is sometimes hard. Your efforts may seem to have failed, but perseverance can pay off. Or you can still fail…
medium.com
December 16, 2024 at 2:37 PM
Reposted by Brett Hawkins
Secureworks Japan has released PyTune, a post-exploitation tool for enrolling fake devices into Microsoft Intune

www.blackhat.com/eu-24/briefi...

github.com/secureworks/...
Black Hat Europe 2024
www.blackhat.com
December 14, 2024 at 7:14 PM
@retbandit.bsky.social and I are thrilled to be speaking @shmoocon.bsky.social in January on research we have been conducting on attacking and defending popular enterprise Machine Learning Operations (MLOps) platforms we see during adversary simulation engagements. Whitepaper and tool coming soon!
December 10, 2024 at 9:00 PM