💥 leonjza
@leonjza.bsky.social
[ 'cto @sensepost.com', '@orangecyberdef', 'caffeine fueled', '(╯°□°)╯︵ ┻━┻', 'security guy', 'metalhead', 'i saw your password', 'KOOBo+KXleKAv+KXlSnjgaM=' ]
Pinned
Slides for our talk "TTP Emulation in(2024)" that I did with Wrath_ZA@x at 0xcon_jhb@x are now available here!

In this talk we covered a purple teaming approach that leverages custom payload development to maximise red&blue collaboration. Check it out!

github.com/leonjza/publ...
Reposted by 💥 leonjza
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 10, 2025 at 6:21 PM
Reposted by 💥 leonjza
I've also updated Crystal Loaders to benefit from some of the new CP features github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Loaders: A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike - rasta-mouse/Crystal-Loaders
github.com
October 29, 2025 at 5:39 PM
Reposted by 💥 leonjza
ATT&CK v18 is now out! Today marks the release of Detection Strategies, where we've moved from single-sentence notes to structured, behavior-focused strategies across the board. A new blog post describes the changes medium.com/mitre-attack... with details at attack.mitre.org/resources/up....
ATT&CK v18: Detection Strategies, More Adversary Insights,
ATT&CK v18 is released with new Detection Strategies, Analytics, and revamped Data Components!
medium.com
October 28, 2025 at 2:56 PM
Reposted by 💥 leonjza
Just added SOCKS support to this reverse tunnelling tool github.com/singe/contun...
October 28, 2025 at 2:58 PM
Reposted by 💥 leonjza
github.com/singe/contun.p… this was a fun nerd snipe - how do you build a listen:listen connect:connect reverse tunnel that can handle concurrent connections when you only have Perl?
GitHub - singe/contun.pl: A concurrent listen:listen connect:connect tunnelling solution written in Perl
A concurrent listen:listen connect:connect tunnelling solution written in Perl - singe/contun.pl
github.com
October 27, 2025 at 7:00 PM
Reposted by 💥 leonjza
🚀 Insomni’hack 2026 is coming!

🗓️ March 16-20 @ SwissTech, Lausanne

Mon-Wed: Workshops | Thu-Fri: Talks | Fri-Sat: CTF

👉 More details soon: https://ow.ly/S3uv50XgSuS

🔔 Save the dates & stay tuned!

#INSO26 #cybersecurity #CTF #event #Lausanne
October 23, 2025 at 1:30 PM
Reposted by 💥 leonjza
Working on a new PICO! This one is an in-memory CLR hoster that uses the same technique as execute-assembly/donut to invoke a .NET assembly without touching the disk.
October 16, 2025 at 8:54 AM
Reposted by 💥 leonjza
📢Insomni'hack Call for Paper is now open!

The CFP 2026 is now accepting submissions.

Want to speak, lead a workshop, or present a case study? We want to hear from you!

🔗 Submit: https://ow.ly/nNov50Xbylu

#InsomniHack #CFP #Cybersecurity #Infosec #TechTalks
October 15, 2025 at 9:07 AM
Reposted by 💥 leonjza
pagedout.institute ← we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... ← direct link
lulu.com/search?page=... ← prints for zine collectors
pagedout.institute/download/Pag... ← issue wallpaper
Enjoy!

Please please please share to spread the news - thank you!
October 4, 2025 at 10:39 AM
Romhack was absolute 🔥! The conference, the community, the vibe - all of it was just something else. Special mention to merlos1977@x and the CybersaiyanIT@x team for making the speaking experience excellent too. 🙃
September 28, 2025 at 6:41 AM
🇮🇹👋
September 20, 2025 at 12:34 PM
Soon™

Private invites at Romhack next week, public release a while later.
September 18, 2025 at 6:52 PM
Reposted by 💥 leonjza
added a cheat sheet to the official Git website

(with a lot of help from other folks who work on the website)

git-scm.com/cheat-sheet
Git Cheat Sheet
git-scm.com
September 16, 2025 at 6:28 PM
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)
September 10, 2025 at 1:41 PM
Reposted by 💥 leonjza
Did you know your MacBook has a sensor that knows the exact angle of the screen hinge?

It’s not exposed as a public API, but I figured out a way to read it and make it sound like an old wooden door.
September 6, 2025 at 8:44 PM
Using @radareorg.bsky.social to dynamically get the virtual address of a @golang.org embed.FS structure to extract some sus embeds with go-embed-extractor¹ in this "dodgy-go-bin" 🔥

¹ github.com/BreakOnCrash...
August 27, 2025 at 7:58 PM
Reposted by 💥 leonjza
Phrack turns 40.
The digital drop is live.
Download it. Archive it. Pass it on.
💾 www.phrack.org
#phrackat40 #phrack72
August 19, 2025 at 5:08 AM
Hah! Made it to a @badsectorlabs.com LWiS release with my collection of bloatware exploits released @defcon.bsky.social earlier this month!

Check out the PoCs for CVE-2025-3462, CVE-2025-3463, CVE-2025-27812, CVE-2025-27813, CVE-2025-5491 and CVE-2025-27811 here: github.com/sensepost/bl...
GitHub - sensepost/bloatware-pwn: LPE / RCE Exploits for various vulnerable "Bloatware" products
LPE / RCE Exploits for various vulnerable "Bloatware" products - sensepost/bloatware-pwn
github.com
August 19, 2025 at 5:06 AM
Always dig the @defcon.bsky.social artwork around the convention center.
August 10, 2025 at 3:19 PM
👋 Vegas! 🔥👀
August 3, 2025 at 4:10 AM
Reposted by 💥 leonjza
Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...
July 31, 2025 at 4:19 PM
Had a fairly complex exploit for an LPE, when @ipmegladon.bsky.social showed me a way to make it a one-liner last night. Gosh I love working with the people @sensepost.com.
July 23, 2025 at 7:47 AM
Reposted by 💥 leonjza
[BLOG]
My thoughts (and code examples) for writing modular PIC C2 agents.
rastamouse.me/modular-pic-...
Modular PIC C2 Agents
All post-exploitation C2 agents that I'm aware of are implemented as a single rDLL or PIC blob. This means that all of their core logic such as check-ins, processing tasks, sending output, etc, are a...
rastamouse.me
July 20, 2025 at 12:25 PM
Reposted by 💥 leonjza
The Apple Watch has a closed down ecosystem, only compatible with the iPhone. Nils reverse engineered its interfaces to open it up for Android! ✨ WatchWitch ✨ allows using your Apple Watch ⌚ on Android devices, interpreting your health data, answering messages on the Watch & more. (1/2)
July 11, 2025 at 2:26 PM