| Profile | Details |
|---|---|
| What I Do | Red Team Lead |
| Blog | https://pentestlab.blog |
| Website | https://pentestlaboratories.com |
| Discord | https://discord.gg/rR6FJBH |
| BlueSky | https://bsky.app/profile/netbiosx.bsky.social |
Detection of EntryPoint Hijacking consists of the following:
1️⃣ EntryPoint address escapes the module’s DllBase range
2️⃣ MEM_IMAGE → MEM_PRIVATE transition
3️⃣ OriginalBase fails validation
🎙️ EntryPoint Hijacking introduces a stealthier approach to code injection as it doesn’t use API calls that create a new thread within the context of a process.
Arbitrary code is written in memory, but it is executed only when a thread is created by the process legitimately.
🛠️ A New Detection-Focused Capability
In the article, a tool is introduced that monitors:
🧠 The memory address of the EntryPoint
🧬 The EntryPoint memory type is changed to PRIVATE
🛑 OriginalBase is not valid
✒️ Read the full article: https://ipurple.team/2026/05/13/entrypoint-hijacking/
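The three signals listed above can be evaluated from a small amount of loader state. The following is an added example (it is not the article's tool and not code from the author) that models the checks in Python: it builds a constructed minimal PE32+ header, parses AddressOfEntryPoint, ImageBase and SizeOfImage back out of it, and then runs the three checks against a hypothetical `LoaderEntry` snapshot (the DllBase, SizeOfImage, EntryPoint and OriginalBase fields a monitor would read from the loader list) and a constructed stand-in for VirtualQuery output. The interpretation of check 3 (OriginalBase must equal the ImageBase recorded in the mapped header) is an assumption made for this example; a real monitor would take the same fields from the live process instead of the constructed samples.

```python
import struct
from dataclasses import dataclass

# Memory region types as reported by VirtualQuery (MEMORY_BASIC_INFORMATION.Type)
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


def build_pe64_headers(image_base, size_of_image, entry_rva):
    """Constructed minimal PE32+ header: DOS header, PE signature, FILE_HEADER, OPTIONAL_HEADER64."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)               # 64-byte IMAGE_DOS_HEADER
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # IMAGE_FILE_HEADER (20 bytes)
    opt = bytearray(240)                                                  # IMAGE_OPTIONAL_HEADER64
    struct.pack_into("<H", opt, 0, 0x20B)           # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", opt, 24, image_base)     # ImageBase (preferred base)
    struct.pack_into("<I", opt, 56, size_of_image)  # SizeOfImage
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


def parse_pe64_headers(image):
    """Read the three header fields the checks need from an in-memory PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    return {
        "entry_rva": struct.unpack_from("<I", image, opt + 16)[0],
        "image_base": struct.unpack_from("<Q", image, opt + 24)[0],
        "size_of_image": struct.unpack_from("<I", image, opt + 56)[0],
    }


@dataclass
class LoaderEntry:
    """Hypothetical snapshot of the loader-list fields a monitor would read for one module."""
    name: str
    dll_base: int
    size_of_image: int
    entry_point: int    # address the loader will call when a new thread attaches
    original_base: int
    headers: bytes      # bytes mapped at dll_base (the module's PE header)


def region_type(regions, address):
    """regions: constructed stand-in for VirtualQuery results, a list of (base, size, type)."""
    for base, size, mem_type in regions:
        if base <= address < base + size:
            return mem_type
    return None


def check_entry_point(entry, regions):
    """Return the list of detection signals that fire for this module (empty means clean)."""
    hdr = parse_pe64_headers(entry.headers)
    findings = []
    # 1: the EntryPoint address must lie inside [DllBase, DllBase + SizeOfImage)
    if not (entry.dll_base <= entry.entry_point < entry.dll_base + entry.size_of_image):
        findings.append("entrypoint_outside_dllbase_range")
    # 2: the page backing the EntryPoint must still be an image mapping, not private memory
    if region_type(regions, entry.entry_point) != MEM_IMAGE:
        findings.append("entrypoint_not_mem_image")
    # 3: OriginalBase validation (assumption: it must equal ImageBase in the mapped header)
    if entry.original_base != hdr["image_base"]:
        findings.append("originalbase_invalid")
    return findings


def sample_benign():
    """Constructed clean module: entry point inside the image, image-backed, OriginalBase intact."""
    base = 0x7FF810000000
    hdrs = build_pe64_headers(0x180000000, 0x20000, 0x1234)
    entry = LoaderEntry("benign.dll", base, 0x20000, base + 0x1234, 0x180000000, hdrs)
    return entry, [(base, 0x20000, MEM_IMAGE)]


def sample_hijacked():
    """Constructed hijacked module: entry point redirected into a private allocation, OriginalBase cleared."""
    base = 0x7FF810000000
    private = 0x1A00000000  # constructed private region
    hdrs = build_pe64_headers(0x180000000, 0x20000, 0x1234)
    entry = LoaderEntry("benign.dll", base, 0x20000, private, 0, hdrs)
    return entry, [(base, 0x20000, MEM_IMAGE), (private, 0x1000, MEM_PRIVATE)]


if __name__ == "__main__":
    for label, (entry, regions) in (("benign", sample_benign()), ("hijacked", sample_hijacked())):
        print(label, check_entry_point(entry, regions))
```

Any single finding is worth a closer look, but all three firing for the same module is the pattern the post describes: a legitimate image whose recorded entry point now points at private memory.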
🚨 Cross‑Session Activation is a detection gap hiding in plain sight.
💡 The technique abstract below highlights the minimum viable signals for defenders.
💭 Interesting to know if this technique is part of your threat emulation library.
📉 Cyber signal is dropping.
📈 AI noise is rising.
To help, I created a list of active cybersecurity blogs written by people who still publish real research.
If you follow any of these already (or have gems I should add), let me know.
📌https://github.com/netbiosX/CyberSec-Blogs #redteam #purpleteam #threathunting

Lists of independent cybersecurity blogs covering threat intelligence, purple team, red team, threat hunting, and detection engineering. Most are personal blogs maintained by practitioners who publ...
Yesterday, I published a deep-dive into how adversaries abuse the Cross-Session Activation mechanism to execute code under another user’s interactive session, including some novel CLSIDs to use.
But here’s the catch 👇
In Red Team Ops, we typically rely on quser, a built-in Windows utility, to enumerate active sessions. It works, but only one host at a time, which slows down the enumeration stage.
🛠️ A New Operator-Focused Capability
In the article, a tool (private at this stage) was introduced that can:
🔍 Enumerate active sessions across an entire IP range
⚡ Quickly identify hosts suitable for Cross‑Session Activation
🎯 Reduce manual enumeration and accelerate target selection
✒️ Read the full article
https://ipurple.team/2026/05/04/cross-session-activation/

Phantom-Evasion-Loader is a standalone, pure x64 Assembly injection engine engineered to minimize the detection surface of modern EDR/XDR solutions and Kernel-level monitors like Falco (eBPF). It l...
📢 New Article: Lateral Movement via Microsoft Speech
🎙️ Microsoft Speech Platform is built into Windows environments to enable speech recognition, voice input, text-to-speech and speech features in Windows, Edge and Office.
🦄 Deep‑dive playbook on how Microsoft Speech can be abused for lateral movement and how defenders can perform detection.
📖 1x Playbook
💡 Detection Opportunities
🏹 1x MDE Query
Detection - Event IDs
✅️ 4657 & 4663 - {655D9BF9-3876-43D0-B6E8-C83C1224154C}
✅️ 4688 - SpeechRuntime.exe
✅️ 7040 & 7036 - RemoteRegistry Service
✒️ https://ipurple.team/2026/04/07/microsoft-speech/ #purpleteam #blueteam #detectionengineering
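The event IDs listed above only become a useful signal when they are tied together per host within a short window. The following is an added example (not the article's MDE query and not code from the author) that correlates them in Python over constructed log lines: a RemoteRegistry service event (7040/7036), a registry event (4657/4663) whose object name contains the CLSID from the post, and a 4688 process creation for SpeechRuntime.exe, all on the same host within ten minutes of the process creation. The pipe-delimited line format, the field names, the ten-minute window and the sample file path are assumptions made for this example.

```python
from datetime import datetime, timedelta

SPEECH_CLSID = "{655D9BF9-3876-43D0-B6E8-C83C1224154C}"  # CLSID named in the post
WINDOW = timedelta(minutes=10)  # assumed correlation window
REQUIRED_STAGES = {"remote_registry", "speech_clsid_registry", "speech_runtime_process"}


def parse_event(line):
    """Constructed format: ts|host|event_id|key=value;key=value"""
    ts, host, event_id, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": int(event_id), "fields": fields}


def matches_stage(ev):
    """Map one event to the stage of the chain it evidences, or None."""
    eid, f = ev["event_id"], ev["fields"]
    if eid in (7040, 7036) and f.get("service", "").lower() == "remoteregistry":
        return "remote_registry"          # service start type changed / entered running state
    if eid in (4657, 4663) and SPEECH_CLSID.lower() in f.get("object", "").lower():
        return "speech_clsid_registry"    # registry value modified / object access on the CLSID key
    if eid == 4688 and f.get("process", "").lower().endswith("speechruntime.exe"):
        return "speech_runtime_process"   # process creation of the speech host
    return None


def correlate(lines):
    """Return one alert per SpeechRuntime.exe start that is preceded by the other two stages."""
    by_host = {}
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, events in by_host.items():
        for anchor in events:
            if matches_stage(anchor) != "speech_runtime_process":
                continue
            stages = {}
            for ev in events:
                if anchor["ts"] - WINDOW <= ev["ts"] <= anchor["ts"]:
                    stage = matches_stage(ev)
                    if stage:
                        stages.setdefault(stage, []).append(ev["event_id"])
            if REQUIRED_STAGES <= stages.keys():
                alerts.append({"host": host, "ts": anchor["ts"].isoformat(), "stages": stages})
    return alerts


# Constructed sample log: WS01 shows the full chain, WS02 only a local SpeechRuntime.exe start.
SAMPLE_LINES = [
    r"2026-04-07T10:00:00|WS01|7040|service=RemoteRegistry;start_type=demand",
    r"2026-04-07T10:00:05|WS01|7036|service=RemoteRegistry;state=running",
    r"2026-04-07T10:01:10|WS01|4663|object=\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{655D9BF9-3876-43D0-B6E8-C83C1224154C};access=SetValue",
    r"2026-04-07T10:01:11|WS01|4657|object=\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{655D9BF9-3876-43D0-B6E8-C83C1224154C}\InprocServer32;value=(Default)",
    r"2026-04-07T10:02:00|WS01|4688|process=C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe;parent=svchost.exe",
    r"2026-04-07T10:02:30|WS02|4688|process=C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe;parent=svchost.exe",
]


def run_sample():
    return correlate(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Requiring all three stages keeps ordinary speech-feature use (a lone 4688 on WS02) out of the alert queue while still surfacing a host where the RemoteRegistry service was brought up and the CLSID key touched shortly before the speech host started.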