John Hammond
johnhammond.bsky.social
Hacker. Friend. Cybersecurity Researcher at Huntress.
"'ConsentFix', a browser-based ClickFix-style attack with OAuth consent grants" ... leveraging the Azure CLI app client to social engineer for easy access into Entra ID 👀 I got nerdsniped by this, so I played with it a bit and tried a drag-and-drop gesture! Video: youtu.be/AAiiIY-Soak
December 13, 2025 at 2:00 PM
Infostealer malware logs -- maybe an unconventional threat intel source, but Estelle Ruellan shows me her sweet research using LLMs to analyze stealer logs at scale:
- How did a victim get infected?
- Can we uncover a threat actor when they infect themselves? and more.
Video: youtu.be/3j4jzCU0Kwc
December 12, 2025 at 4:05 PM
Continuing THE FUTURE IS ****** comic book Capture The Flag challenges! Carving email attachments to uncover malicious Microsoft Office macros with olevba, prompt injection within an AI chatbot, and tracking network packets to uncover flags! Video: youtu.be/Oiv3TaIR9UY
December 8, 2025 at 2:01 PM
Yapping about the GlassWorm supply chain malware campaign and the neato tricks it uses with "Invisible Unicode" characters -- essentially whitespace steganography, showcasing the Hangul Filler, zero-width space, & Private Use Area characters 🤯 Video: youtu.be/0XumkGQFEEk
December 5, 2025 at 2:00 PM
Big thanks to @tryhackme for their continued support of the channel! You can jump into the Advent of Cyber 2025 event right now, it is free to play and anyone can join to level up their cybersecurity skills with a new task every day! jh.live/aoc2025
TryHackMe | Cyber Security Training
TryHackMe is a free online platform for learning cyber security, using hands-on exercises and labs, all through your browser!
jh.live
December 2, 2025 at 3:55 PM
Flattered to help start the party for the Advent of Cyber Day 02 task from TryHackMe -- walking through today's challenge using the Social Engineer Toolkit to send a phishing email and snag passwords with a simple Python HTTP server! Video: youtu.be/w8O8FcRgDXU
December 2, 2025 at 3:55 PM
Full length reverse engineering with Invoke RE! Showcasing new iterations of the "Scavenger" malware, or what we saw as "ExoTickler" previously as a fake City Skylines 2 video game mod, now w/ more crypto/creds stealing and C2. Binary Ninja, x64dbg & more: youtu.be/wFBdeak0t70
November 29, 2025 at 2:27 PM
Walking through the Advent of Cyber "Prep Track" from TryHackMe! Some warmup tasks before the real free event kicks off December 1 running through December 24 -- we start the party with password security, insecure defaults, log analysis and more. Video: youtu.be/Ap5tIJtt4Tk
November 28, 2025 at 2:00 PM
Walking through a PowerShell keylogger, which uses some inline C# to snag Win32 API functions from user32.dll, and funnels back keys and system info to a Tor onion address -- a nifty little challenge from LetsDefend (now part of Hack The Box 🔥) Video: youtu.be/bF72IEGzniU
November 25, 2025 at 3:32 PM
Tracking down a rogue Windows service for webshell persistence -- just a teeny weeny PowerShell HTTP server wrapped with NSSM, showcased with Wazuh and their sweet new 4.14 release with visibility on IT hygiene 😎 Video: youtu.be/7Gn1GY5CIxg
November 24, 2025 at 5:11 PM
Hacking Twitch Chat 😎 L3TH4L_P4ND4 shows me what looks like template injection or unsanitized variable expansion with StreamElements, then leverages Nightbot to mod yourself, ban accounts, change livestream settings or many more hijinks 😜 Video: youtu.be/8G45lYCZzZ8
November 23, 2025 at 2:01 PM
Uncovered screen recordings from threat actors! 👀 Real footage of cybercriminals using anti-detect browsers and infostealer malware logs for session hijacking, and another using GraphSpy to read their Entra ID victim's emails in Outlook! 💀 Video: youtu.be/vX7JcpRqbEk
November 22, 2025 at 2:00 PM
Hat tip, kudos, and all credit where credit is due to @PyroTek3 for his research and work referenced in this video! adsecurity.org?p=4825
Improve Entra ID Security More Quickly
At BSides Northern Virginia (BSides NoVa) in October 2025, I presented a talk on how to improve Entra ID security quickly. This post captures the key information from my talk slides. This article…
adsecurity.org
November 18, 2025 at 3:00 PM
Walking through the start of Sean Metcalf's presentation and writeup on "Improving Entra ID Security More Quickly"... starting with removing some insecure defaults for user settings, device settings, and guest access! youtu.be/WUHzpDdauAw
November 18, 2025 at 3:00 PM
Solving some of the beginning Capture the Flag challenges that are included within THE FUTURE IS ****** comics... classic ciphers, mixing image R G B color values, and some quick Python code analysis! Video: youtu.be/lk9_h5DoDMw
November 16, 2025 at 2:00 PM
Playing with and poking at the recent Atomic Red Team MCP server to connect it to Claude! Sample execution of threat actor TTPs from ye ol' MITRE ATT&CK framework, in a virtual environment for a cheesy clickbait video title "haha claude hacked me lol" 😜 youtu.be/cFdOvrwxAwQ
November 14, 2025 at 2:00 PM
Previously there was a report of threat actors using .URL files pointed at a WebDAV server, which made for, air quotes, "remote code execution", and was tracked as CVE-2025-33053. Turns out, you can do the same thing with a regular Windows Shortcut. Video: youtu.be/1Ymnvd1uyzQ
November 13, 2025 at 2:03 PM
Fake Booking-dot-com phishing site, forced download of an "ID Verification.exe" Lua-based infostealer malware, Luac bytecode obfuscated w/ 🐬☀️🌈EMOJI🌊🌴🥥 and Windows SID crafting -- video showcase of my favorite challenge that I created for Huntress CTF! youtu.be/Q3ZE36a5CuA
November 12, 2025 at 2:01 PM
Yesterday folks got a phishing email for a fake DMCA report-- myself included. Caught me at a good time so I could record poking at the scam and the malware it leads to: ultimately infostealer malware (the usual) from a fake domain & clearly AI slop site: youtu.be/IzKjL16-sgY
November 6, 2025 at 3:45 PM
And a HUGE thank you to Panther for sponsoring this video! Take control of your security operations with Panther -- you can ditch legacy SIEMs and embrace an AI-driven, autonomous and engineer-first SOC platform and solution: jh.live/panther
Panther | The Security Monitoring Platform for the Cloud
Panther is the security monitoring platform for the cloud, trusted by teams at Zapier, Dropbox, Asana and more to optimize costs and control, accelerate detection and response, and achieve…
jh.live
October 31, 2025 at 1:01 PM
Off the tails of a recent NightShade C2 writeup, experimenting with building a "UAC prompt bomb" (... best YouTube video title I could ask for 😅 (plz dont ban me)) repeatedly asking for admin privileges -- short & sweet in just a line of PowerShell! Video: youtu.be/JpWbytYrL2s
October 31, 2025 at 1:01 PM
Safari ride-style showcase of password spraying tools & techniques with an extra flair for Entra ID-- featuring OpenBullet, MSOLSpray, entraspray, TeamFiltration & hints of FireProx, OmniProx, etc to finally simply rotate IPs low and slow with Tor. Video: youtu.be/oWv50EF0juc
October 20, 2025 at 1:01 PM
Another "old but gold" little trick, harkening back to @mubix's blog post waaay back in 2013: "Stealing passwords every time they change" -- creating a Password Filter & adding it to Windows Registry. A clever persistence trick to exfiltrate credz. Video: youtu.be/DhP2Hw-6DgY
October 16, 2025 at 1:01 PM
An idea I had some time ago was to create an open-source project with community contributions to centralize different social engineering lure techniques & native GUI tools that could be leveraged for ClickFix... a LOLBins-style site w/ mitigations. Video: youtu.be/UQqsaO5k2M0
October 7, 2025 at 1:01 PM
And a HUGE thank you to Hex-Rays for sponsoring this video! Disassemble, decompile & debug with IDA Pro, the state of the art binary code analysis tool. Code HAMMOND50 takes 50% off any IDA Pro product and HAMMOND30 takes 30% off any IDA Pro training 😁 jh.live/hex-rays
Hex-Rays: State-of-the-Art Binary Code Analysis Tools
Professional binary analysis with IDA Pro disassembler and decompiler. Tools for reverse engineering, malware analysis, and vulnerability research.
jh.live
October 2, 2025 at 1:01 PM