OtterHacker
@OtterHacker
Followers
5,011
Following
82
Media
135
Statuses
655
Professional redteamer and malware development enthusiast ! I will share some tips and experiences. Look at my work here :
Joined August 2021
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
梅雨明け
• 196735 Tweets
BRANDS AI TALK x FOURTH
• 131411 Tweets
Raila
• 122601 Tweets
黒人奴隷
• 100733 Tweets
Halal
• 42781 Tweets
パワプロ
• 42607 Tweets
カルストンライトオ
• 34846 Tweets
#EnflasyonMuhasebesi
• 34716 Tweets
#TheBoys
• 31648 Tweets
Yunan
• 29115 Tweets
Harmony
• 23794 Tweets
Haas
• 20657 Tweets
Colabo
• 19263 Tweets
暇空敗訴
• 16039 Tweets
BarengPRABOWO MakinOPTIMIS
• 15420 Tweets
SEMANGATbaru EKONOMItumbuh
• 14850 Tweets
#WeMakeSKZStay
• 13235 Tweets
悪魔の証明
• 11817 Tweets
全員再契約
• 11268 Tweets
CROWN PRINCE SUNG HANBIN
• 11209 Tweets
Pinned Tweet
Hey ! I published a large part of my notes, and I hope you will find something new to learn in it. It goes from simple
#OSCP
notes to
#Malware
development (
#COFFLoader
,
#ModuleStomping
,
#ReflectiveDLLInjection
...).
10
156
442
As EDR can overlook standard API that create thread, you can use EnumThreadWindows to run your payload without explicitly calling ResumeThread !
Just load your PE, perform relocation and IAT fixes then call EnumThreadWindows on your PE start address to see the magic !
6
138
549
DLL Injection seems to be the easy way to bypass EDR. I was able to bypass some well known EDR with it.
It can be used to perform the first process injection, and then perform standard self-injection to deliver the beacon to avoid unnecessary detection in the next stages.
5
116
518
Phishing Google 2FA compliant
Steal the user credentials/cookies, then reinject them in your own chrome session to steal user access.
On the right : the targeted user view
On the left : the attacker view
Automatized using undetected chromedriver.
(Sorry for the GIF quality)
13
108
505
The use of hardware breakpoint and arguments patching directly in the register seems to work like a charm.
SentinelOne hooks bypassed in a minute.
Thank
@rad9800
for the idea and your implementation example that work out of the box ! ()
0
138
453
I published my
#Defcon31
workshop on malware development !
If you want to dive into malware development or upgrade your game, feel free to browse the code snippets and try to bypass the MDE EDR !
I hope it will make you as happy as I am !
8
94
291
Didn't think it was possible, but it seems that developing
#Rust
#malware
could be a way to limit detection (at least on
#VirusTotal
).
Basic shellcode XOR encryption and API dynamic resolution seems to be enough to get a 0 score on VirusTotal.
10
62
285
I've released the python code I used to transform a binary into a C header file to hide your payload in .rdata. Nothing fancy, but could save time😊
It just splits the binary in several strings to evade static analysis and then rebuild it at compile time
2
54
220
Muscle up your game with Kerberos. Abuse tickets and Kerberos extensions to elevate your privileges.
I've built a small lab around the S4U2Self Abuse :
Find all you need here :
Thanks
@pentest_swissky
for the help on ansible !
1
71
214
A
#CobaltStrike
beacon living its best life in Chrome under an
#ATP
sun.
Always nice to work with working
#OPSEC
tools 😌
2
23
185
Simple module stomper with MSF reverse shell bypassing standard anti-virus such as
#Defender
or
#Kaspersky
. Loading a legit DLL such as amsi.dll avoids use of VirtualAlloc and gives a legit use for the allocated memory.
Got the idea from . Thanks
@__mez0__
1
45
182
Finally ! After one week spent in the WinHTTP.dll, I finally succeed in making it work with my custom DLL loader without hijacking
#IAT
.
The idea is to locate the
#LdrpInvertedFunctionTable
and add the DLL ExportDirectory in it once it has been loaded and linked to the
#PEB
.
7
26
173
Finished my LoadLibrary implementation ! Still not link to the PEB as Windows structures are pain in the * but it works !
Was nice to dive into PE structure !
Credit :
-
@Ahm3d_H3sham
-
@batsec
-
@__mez0__
3
64
172
I can go to sleep now.
The DLL loader loads an arbitrary DLL without raising the usual event. The delayed DLL are loaded just in time, to avoid loading several DLL for nothing.
The DLL ensures the integrity of Windows structures and thus is compatible with the Win32API.
4
30
160
As a reminder, the following EDR/AV offer free trials:
- Microsoft Defender For Endpoint
- Sophos
- Elastic EDR
- TrendMicro
- McAfee MVISION
- aVaSt
9
37
166
If you missed my talk at
@_leHACK_
, you can find the slides here.
The presentation shows some unusual techniques to perform process injection without the standard Win32API.
6
52
158
No imports, no statically linked DLL, just useful code and a 56KB beacon
7
17
143
Took me 8 hours but that was fun !
A nice way to begin the year 🥳
This is a nice trainning with a nice lab for anyone wanting to enhance his skillset.
If your grand parents gave you some money for Xmas, invest it on yourself and take the
#CRTO
training by
@zeropointsecltd
! 🤗
4
4
141
Swapping commandline argument at runtime on Windows signed binary through DLL Proxying.
Could be nice to avoid detection based on commandline.
Thanks
@iansus
for the idea !
4
41
137
Just adapted
@_EthicalChaos_
#ThreadLess
injection to work with
#Cobalt
beacon in pure C.
It works really nice ! I mixed it with module stomping to avoid beacon execution from unbacked memory, important VirtualAlloc and the use of CRT to execute the beacon itself.
3
17
138
All the DLL loader I saw from now are resolving all the delayed import when performing the Snapping.
You can avoid loading all the DLL by hijacking the
#ResolveDelayLoadedAPI
during the Snapping to resolve the import when they are asked by the DLL.
It avoids loading several DLL.
2
27
133
Finally 🤩 I got a PIC code for my
#beacon
! It was a really nice journey and a lot of things have been learnt on the way.
If you want to try it too, I found this blog by
@winternl_t
really interesting
And as usual, the
@C5pider
#Havoc
❤️
3
27
131
An interesting post about Kernel Callback used by EDR. It’s a nice article to read if you want to dive into EDR Kernel Callbacks bypass.
Thanks
@synzack21
for the blogpost ! :)
The part about
@fdiskyou
evil.sys driver and experiments is really nice ! :)
0
53
125
If you want to automate Google login for, ... I don't know ..., phishing campaign for example, give a try to this custom chromedriver. It bypass the restrictions set by Google on the login through automation scripts.
0
27
114
Finally I can compile my beacon directly from my custom C2.
Supporting different toolchains was challenging but can be interesting in the long run !
10
4
115
Hey ! I've totally forgotten to publish my CoffLoader code.
Remember it is not a production ready code, but an example with my article, so the code is kind of a mess...
Thanks to
@TrustedSec
and
@C5pider
for paving me the way with their code & article !
3
36
110
Wanted a full rack server but my girlfriend said that the office room is not a server room…
6
3
97
Here is some videos on of my custom C2 🫣
The first one shows JIT beacon compilation and basic commands.
The second one shows the linked beacon capabilities with a TCP beacon.
There is a lot of improvements needes but it’s a good start 😊
7
10
89
Three freaking days to find the bug.
This seems to be pModBaseAddrIndex->Root instead of pModBaseAddrIndex in the DarkLoadLibrary project.
It raises random bug with some DLL otherwise and a hell to debug. The NTDLL assembly gives the answer as always.
3
12
82
And here is the video for the Linked compilation part. In this example, it chain a shellcode loader with a wrapper to transform a
#Cobaltstrike
beacon from raw shellcode to an "
#OPSEC
" binary
Here is some videos for the compilation pipeline😊
There are three parts:
- Training to know what you use
- Simple compilation
- Linked compilation to chain different loader
This is early dev, so additional feature will be added. If you have some ideas, feel free to share !
0
8
34
6
13
78
If you try to hide your payloads in the .rdata by splitting it in several strings an reassembling them during execution, it can be interesting to disable compiler code optimization... Will save you some time...
#ElasticEDR
Premium has a quite aggressive static detection
1
17
76
Majority of custom
#GetProcAddress
I found didn't handle well forwarded export, here is a snippet for
#GetProcAddress
and
#GetModuleHandle
that handle this edge case !
Feel free to use it !
0
17
69
Another step reached !
Got full support of
#CobaltStrike
#BOF
in my custome
#C2
beacon. Some upgrade can be done, but that's a start.
Here is a simple test with the
@TrustedSec
BOF collection ()
4
6
64
It's 2023, CME can now be used to make a coffee and clean your whole house while dumping the NTDS.
It's 2023, CrackMapExec can now dump DPAPI credentials as a core feature !🚀
This is possible thanks to the work of
@_zblurx
and his library dploot ! He also added a module to dump firefox passwords 🔥
Pushed on
@porchetta_ind
v5.4.5 Bruce Wayne 🪂
No excuse, DA everytime, 🔽
16
313
1K
1
13
64
This feeling when you dir \\DC\C$ will never fade.
I've rooted several forests but it always hit the same than the first time cause this is not about controlling the whole forest, it's about the journey: from the first phishing mail you sent to the total compromise of the forest
4
4
64
And the last one implemented on the pipeline !
If you want to run a Rubeus directly on the DC to wake up the SOC before the holidays.
It supports:
- Custom GetProcAddress / LoadLibrary /
GetModuleHandle
- String obfuscation
- ETW/AMSI patching
- HWBP for unhooking
- And more !
2
4
64
Hide base64 conversion table to limit binary strings in one tweet
char encode(int x){
return (char)((x + 65)*(x >= 0 && x <= 25) + (x + 71) * ( x >= 26 && x <= 51) + (x - 4)*(x >=52 && x <= 61) + (x - 19)*(x == 62) + (x - 16)*(x == 63));
}
And it's in O(1) too 🤓
2
7
56
Continuing the
#NtSetInformationProcess
exploitation series,
@th3m4ks
wrote an article on universal
#EDR
blinding through exploitation of NtSetInformationProcess and it's worth it
0
21
61
#Reversing
the
#NTDLL
is really interesting, I see several data structures or algorithms I only used in school.
I rediscovered fast sorting algorithm, red and black binary trees, dichotomy and even what I think was
#Dijkstra
algorithm.
1
2
58
Just commit my changes on
#Impacket
Secretsdump 🤞
If merged, you will be able to dump TDO secrets from a local NTDS without needing additional DCSync.
You can find the PR changes here :
2
24
58
Now all my malware have been ported to CMake, it's time to create a nice compilation pipeline.
The goal is to be able to add different layers easily through the GUI without needing to install the whole toolchain and without giving direct access to the source code...
4
6
58
@vxunderground
You can try to delete C:\Users directory and check wich directory you successfully erased
2
0
52
If you failed to use the WinHTTP.dll with a custom LoadLibrary (error 126), it can be due to the TakeSingleDllRef function.
This function perform a GetModuleHandleExA on itself to get its module HANDLE.
In this case, you have to hijack this function in the DLL's IAT when loaded.
2
8
51
Using EDR for malware development really help to understand how each technique impact the detection. Here is the difference of alerts raised with module Stomping,
@rad9800
HWBP and
@_EthicalChaos_
threadless injection.
1 - HWBP only
2 - 1 + Threadless
3 - 1 + 2 + Module Stomping
2
6
48
What a journey ! The
#Cybernetics
lab by
@hackthebox_eu
is really interesting and worth its price !
Kept me busy for a month. If you want to try an advanced HTB lab, upgrade your AD skills or just try some C2 capabilities, just take this lab. You won't regret it.
3
4
47
If you want to develop malware things, develop malware things, don't be stupid like me and start developing a full broken ecosystem by yourself...
I'm already starting to forget why I started this project 🫠
And yes I know about
#Mythic
, but I don't like WebUI C2...
3
7
46
The POC can be found right here
1
8
45
I ported my
#cobaltstrike
loaders as
#BOF
to avoid using the built-in inject command.
That was fun and not so hard with the
@TrustedSec
article and CS-Situational-Awareness-BOF repo as example.
2
10
43
Hey how is going your RedTeam ? You spend the last day scanning the webapplication, you surely found something ?
Me for the last days:
5
0
43
I think I finally managed to build a real company network at home.
I have DMZ, several VLAN, a reverse proxy, IPSEC VPN and nothing work at the same time, I don't know why and I have no idea what is exposed on Internet...
1
2
44
First step for position independent code (
#PIC
):
✔️get rid of the .data section
(if someone remember the new C keyword allowing to define string directly on the stack without using the { } notation)
1
6
41
Hey !
@Defcon
workshops have been released !
You can find mine here !
Feel free to ask for additional questions and apply !
I’m so glad to see you in Vegas 🤗
1
7
40
Something nice to know, WinHTTP.dll, when loaded, WinHTTPOpen function reload the WinHTTP.DLL to find some specific functions...
Bru, if you are executing this code it's because you are already loaded why are you doing this ? You fuck up the benefits of my custom LoadLibrary...
4
6
38
If you are doing some development in C/C++, you really should use Microsoft Application Verifier !
It is really nice to debug memory allocation, double free, wrong API usage and a lot more !
1
8
36
Yes, UDRL CobaltStrike development is fun...
Trying to allocate with ModuleStomping instead of VirtualAlloc on the
@kyleavery_
AceLdr
1
4
34
Here is some videos for the compilation pipeline😊
There are three parts:
- Training to know what you use
- Simple compilation
- Linked compilation to chain different loader
This is early dev, so additional feature will be added. If you have some ideas, feel free to share !
0
8
34
My
#CoffLoader
is fully functionnal ! It support unintialized variable through dynamic .bss and several relocation type.
Thank’s to
@C5pider
for giving me the idea through its
#CoffeeLdr
and
@TrustedSec
for showing me the way !
I will try to make it public as soon as I can 🥹
1
2
34
If you want to learn how to unhook
#EDR
hooks with style and understand how kernel callbacks can be bypassed through a vulnerable driver, look at the
#EDRSandblast
code !
I’ve learnt so much from this project ! Thank’s
@th3m4ks
and
@_Qazeer
for your work !
Bonus : static lib ❤️
0
6
32
My first
@defcon
has ended.
It was a great experience even if my workshop didn't fully worked as planned due to some Wifi failure limiting acces to the cloud EDR and the tools download.
Now, it's a 2 weeks infosec break for a USA road trip ! First step, Vegas to Grand Canyon.
2
0
32
What it’s like to be a redteamer ? 🫣
Spending 3 days changing a legit app compromised in a full C2 to rebound among all users and avoiding a painful phishing campaign 🫠
I’m sure they didn’t even know their application can be used like this 😂
1
0
31
Me fucking around the Ldr Red and Black trees until my DLL accepts to appear as loaded and stop crashing during entrypoint processing...
(yes treeS, they got two freaking trees to keep track of a loaded DLL)
1
0
26
And all the explanation about CoffLoading can be found here :
1
12
26
How, I saw you have finally found an exploitation path, so everything is finished now ? Can you extract the NTDS ? Should not take too long
Me and my 3 chained SOCKS
Hey how is going your RedTeam ? You spend the last day scanning the webapplication, you surely found something ?
Me for the last days:
5
0
43
2
0
25
I 'm glad to announce that I will be at
@_leHACK_
Paris for my first talk (in French) about malware development techniques this July !
4
2
23
Yey ! Finally got
@offsectraining
response ! Got my
#OSCP
with all box rooted !
Next one in line :
#CRTO
from
@_RastaMouse
! Can’t wait to discover the wonderful lab !
4
0
24
I'm so glad it can be used by someone else ! Feel free to reuse the code, build on it and step up your tools !
Thanks and Credit to
@OtterHacker
at this point, as your DefCon Workshop Slides/Code gave me the inspiration to combine Module Stomping with ThreadlessInject to avoid any injection alerts.
2
4
34
0
0
22
@nu11charb
Trendmicro still using hooking on NtWriteVirtualMemory. Your loader must be adapted to the EDR. Saying this technique is an OPSEC mistake depends on the EDR…
2
0
21
Just submitted my first machine to
@hackthebox_eu
! Hope it will be accepted 🤞
The machine is based on vulnerability found during pentests !
Thanks for this amazing playground !
2
2
19
Once again, my today experience shows that
#NAC
is not a security measure against attack but against simple users.
Took 2 network adapters, and few commands to bypass it...
Other surprise, I saw a printer supporting 802.1x.
Write up can be found here:
0
7
19
Yey ! I just have to pack this in a nice
#Impacket
function and add the option in
#Secretsdump
!
WinXP source code helped me to successfully map NTDS columns with its content ! Never though I would one day have to look at this code 😊
0
3
19
It is gonna be long to describe ASREQ ASN1 with my custom structure 😅
The more I dive into Windows internal crypto to compute hashes and Kerberos elements, the more respect I have for
@gentilkiwi
.
Spent hours with a debugger trying to understand how the CRYPTDLL interface works
0
7
16
Majority of the
#COFFLoader
code can be found here
I've done some modification to make it position independant but the main code is here
1
2
16