OtterHacker Profile
OtterHacker

@OtterHacker

Followers
6K
Following
665
Statuses
704

Professional redteamer and malware development enthusiast ! I will share some tips and experiences. Look at my work here : https://t.co/cxLBvW7pcI

Joined August 2021
@OtterHacker
OtterHacker
2 years
Hey ! I published a large part of my notes, and I hope you will find something new to learn in it. It goes from simple #OSCP notes to #Malware development (#COFFLoader, #ModuleStomping, #ReflectiveDLLInjection...).
@OtterHacker
OtterHacker
14 days
I was today old when I learnt that you can't use a ST on a DC that generated it. It seems to be a security feature to avoid replay attacks. But if you activate Protected User on a domain with one DC you basically just locked yourself down but prevent attacks through SID History...
@OtterHacker
OtterHacker
14 days
@TontonTortue @iansus forwarded me this link
@OtterHacker
OtterHacker
28 days
I’m waiting for the moment where I will have to pentest applications developed with AI… I’m pretty sure it’s going to be a carnage…
@OtterHacker
OtterHacker
1 month
@gzobraJn Socks5 :)
@OtterHacker
OtterHacker
1 month
@zux0x3a Yes, if I add too much sleep on the beacon the connections tend to time out. But depending on the tools, extending the read/write timeout fixes the problem but it makes the socks really slow ^^
@OtterHacker
OtterHacker
1 month
@EAGAIIN @httpyxel @C5pider @BlackAlpsConf Hey ! The process injection only works with admin privileges. The sleep obfuscation will always work. The difference is that:
- with process injection you are adding a hook on a remote process => need SE DEBUG
- with sleep obfuscation you are adding a hook on yourself
@OtterHacker
OtterHacker
1 month
@awwhwhasz Yes kinda like. I just remapped the PE in memory and called the entrypoint:
@OtterHacker
OtterHacker
1 month
@d5fa4lt Right here
@OtterHacker
OtterHacker
2 months
Might be the most appropriate Xmas gift I had !
@OtterHacker
OtterHacker
2 months
Finally took the time to implement an Ekko (documented by @C5pider) like sleep obfuscation on my beacon ! Thanks to all previous implementations it was quite easy. The technique might be well detected now but I found the main principle very pretty !
@OtterHacker
OtterHacker
2 months
Finally implemented a SOCKS in my custom C2. I faced several challenges regarding constant polling and timeout due to the beacon sleep but I'm quite happy with the performance !
@OtterHacker
OtterHacker
3 months
@techspence How would you pay the guy handling the detections ?
@OtterHacker
OtterHacker
3 months
Just trying to use an LLM to automate PPTX and DOCX translation. It seems it needs some additional fine-tuning...
@OtterHacker
OtterHacker
3 months
If you missed my talk at @BlackAlpsConf, you can find the slide deck in my usual repo ! The talk should be published at the end of the year !
@OtterHacker
OtterHacker
3 months
Hey ! I just saw that I didn't upload the slide deck... This is done now 😅
@OtterHacker
OtterHacker
6 months
I've published my #defcon32 workshop ! If you want to develop your own "Perfect DLL Loader", you will have all you need in it. From the classic minimal loader to a fully featured one, this workshop in 6 steps is a journey inside the Windows internals !
@OtterHacker
OtterHacker
3 months
@zux0x3a @httpyxel @C5pider @BlackAlpsConf Nope, when the beacon sleeps no thread related to the beacon exists !