bobby_tablez

4 Followers
15 Following
20 Posts
Security researcher, gamer, tech e̷n̷t̷h̷u̷s̷i̷a̷s̷t̷ breaker
Interesting way of detecting ClickFix or other fake captcha attacks. Works by looking for common "padded" text at the end of a command to hide it from the user. https://detections.ai/share/rule/aCeLBiZm
Potential Fake Captcha Code Execution via Run Dialog

This rule detects potential fake captcha code execution through the Windows "Run" dialog box. Attackers will often pad the end of a malicious command string with a fake comment like "I am not a robot: CAPTCHA Verification UID:7811" to trick users into executing malicious code.

detections.ai
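As an added example, not the shared rule or any code from detections.ai, here is a small Python scanner that applies the post's idea to Run-dialog history (e.g. RunMRU values or process command lines): a command whose trailing comment text reads like a captcha lure gets flagged. The comment markers, keyword list and sample entries are constructed assumptions, not taken from the rule.

```python
import re

# Lure wording seen in fake-captcha padding. Constructed list; the page only
# quotes "I am not a robot: CAPTCHA Verification UID:7811".
PADDING_KEYWORDS = ("not a robot", "captcha", "verification", "verify you are human", "ray id")

# The padding is placed after a comment marker so the interpreter ignores it
# while the user sees only the "harmless" tail. Assumed markers: '#' for
# PowerShell, '::' and 'rem' for cmd.exe. Padding must be at least 8 chars.
TRAILING_PADDING = re.compile(
    r"(?:#|::|\brem\b)\s*(?P<pad>[^\r\n]{8,})$", re.IGNORECASE
)


def is_fake_captcha_padding(command: str) -> bool:
    """True if the command ends in comment text that matches captcha lure wording."""
    m = TRAILING_PADDING.search(command.strip())
    if not m:
        return False
    pad = m.group("pad").lower()
    return any(keyword in pad for keyword in PADDING_KEYWORDS)


def scan_run_dialog_entries(entries):
    """entries: iterable of (source, command) pairs, e.g. RunMRU value name and data.
    Returns only the entries that carry fake-captcha padding."""
    return [(source, cmd) for source, cmd in entries if is_fake_captcha_padding(cmd)]


# Constructed sample RunMRU-style entries; payloads are placeholders.
SAMPLE_ENTRIES = [
    ("RunMRU\\a", 'powershell -c "<REDACTED PAYLOAD>" # I am not a robot: CAPTCHA Verification UID:7811'),
    ("RunMRU\\b", "notepad.exe C:\\Users\\me\\notes.txt"),
    ("RunMRU\\c", "cmd /c <REDACTED PAYLOAD> & :: Verify you are human - Ray ID 9a2f"),
    ("RunMRU\\d", "powershell Get-Date # quick check"),  # comment, but no lure wording
]

if __name__ == "__main__":
    for source, cmd in scan_run_dialog_entries(SAMPLE_ENTRIES):
        print(f"fake-captcha padding in {source}: {cmd}")
```

Entries a and c are flagged; b has no comment and d has a comment without lure wording, so both pass.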
AMSI Bypass Unicode Combining

AMSI Bypass Unicode Combining. GitHub Gist: instantly share code, notes, and snippets.

Gist

I just discovered an interesting #AMSI bypass which uses a massive amount of overlapping Unicode characters. Apparently if you append a few hundred before and after a known malicious command (such as an AMSI bypass, or "Invoke-Mimikatz"), AMSI either crashes or ignores the #PowerShell code in between the odd code blobs.

The best part is that the code doesn't even need to be obfuscated! Tested this on Windows 10/11 and Server installs with success.

Link to a gist with the bypass in the comments

If you work in threat research or SIEM deployments, you may find this useful: https://github.com/bobby-tablez/Enable-All-The-Logs
GitHub - bobby-tablez/Enable-All-The-Logs: This script is designed to be used in lab environments where logging is critical for building detections or malware analysis. This can be used in production, however you might want to tune the GPO edits as needed.

GitHub
Hackers Can Use DNS TXT Data to Execute the Malware - Information Security World

DNS TXT records allow domain administrators to enter text into DNS, originally for human-readable notes, but they are now used for numerous purposes such as spam prevention and domain ownership verification. Spam email senders disguise domains to evade detection, but receiving servers verify emails using the DNS TXT record as a key factor. Furthermore, the domain owners […]

Information Security World

WHITE SNAKE MENACE: THE GROWING THREAT OF INFORMATION STEALERS IN THE CYBERCRIME LANDSCAPE

https://blogs.quickheal.com/white-snake-menace-the-growing-threat-of-information-stealers-in-the-cybercrime-landscape/

White Snake Menace: The Growing Threat of Information Stealers in the Cybercrime Landscape

The rise of malicious software designed to steal sensitive information has become a significant problem in the cybercrime landscape. They are specifically

Quick Heal Blog

Investigator, API Yourself: Deploying Microsoft Graph on the trail of an attacker

https://news.sophos.com/en-us/2023/06/30/investigator-api-yourself-deploying-microsoft-graph-on-the-trail-of-an-attacker/

Investigator, API Yourself: Deploying Microsoft Graph on the trail of an attacker

Two clients, two threat hunts – any connection? Using Microsoft’s cloud-security API to parse piles of disparate data leads to fascinating findings

Sophos News

Crysis Threat Actor Installing Venus Ransomware Through RDP

https://asec.ahnlab.com/en/54937/

Crysis Threat Actor Installing Venus Ransomware Through RDP - ASEC BLOG

AhnLab Security Emergency response Center

ASEC BLOG
Fresh Phish: Malicious QR Codes Are Quickly Retrieving Employee Credentials

QR codes are popping up everywhere, providing a quick path to information we seek. Once a harmless marketing tool, QR codes are being exploited by cybercriminals in a credential harvesting phishing scheme.