Recent supply chain attacks have demonstrated that the most valuable targets are developers 🧑💻
In this new blog post, I'll walk you through the full setup of a phishing attack 🎣 (ab)using GitHub OAuth App to gain control over an account! Trusted domains, free infrastructure, social engineering tricks, ...
🌐 https://t.co/6zFxAUemy6
P.S: I've updated the blog design ✨, hope you enjoy it
🚨 ProxyBlob update just dropped 🚨
This cute little blob becomes even more versatile, as it can now be compiled into WASM 📦 It won't work in your browser, but it will certainly run in JavaScript runtimes such as Node.js, Bun, Deno, etc.
👉 https://t.co/ftKYHMxr3x
🥳 ProxyBlob V2 is now available 🎉
As promised, here is the new version of ProxyBlob, boosted with aznet. Az-what 🤔?
This version introduces a new Go module called aznet that allows you to use Azure storage services (not just blobs 😏) as a direct replacement for net.Conn!
🏎️https://t.co/AZDniVnzGY
🌐https://t.co/BkczwWO1xi
Complete documentation is available in the aznet repo to understand how it works 📚
Huginn Project:
Project to generate COFF-format shellcode with API for:
- Indirect syscall API
- Stack Spoofing
- Proxied LoadLibraryA calls
Great for UDRLs, stage0 and OPSEC-conscious shellcode.
https://t.co/tIiSlawD8K
Even if stealth wasn't the objective, I still wanted to test the next release during my engagement. I must say that I'm very happy with the costs incurred 💸 This is the result of a large number of actions, which led to a massive DCSync with ~ 20k hashes 🎯
Playing in the (Tradecraft) Garden of Beacon and finding Eden. Learn how to utilize Crystal Palace, an open source project from Cobalt Strike creator Raphael Mudge, to rapidly combine different capabilities to create novel loaders/PIC tradecraft.
https://t.co/lHbGHMG1gL
Hi, I just pushed an update on OdinLdr.
I have added an EAF Bypass to resolve function addresses, NtApi calls are now made with indirect syscall and synthetic stackframe.
The majority of the code is rewritten to be cleaner.
https://t.co/BaJjQ55HyY
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it.
Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions.
Read more ⤵️ https://t.co/TaPsDDW4Cq
wrote a quick script to help with generating draugr function hook definitions for usage in crystal palace loaders
https://t.co/MCG7lfFhps
cc @_RastaMouse
@Cyb3rMonk @magnetgang With an executable in C like printspoofer for example, you can allocate a memory region, you write the file in this region, you patch and you run it by jumping to the entry point
@Cyb3rMonk @magnetgang You can do module stomping for an unmanaged process (C/C++ for example) but for an assembly when you load it with Load_3 the bytecode (assembly data) needs to be in SafeArray.
@Jean_Maes_1994 Yes, all code: Donut, InlineExecute-Assembly, implementation in NH or BRC4 use the same method to run assembly and receive output. The big difference is in the implementation and in particular with evasion.
@harold9850 Hi, I tested my BOF on a VM with CrowdStrike and it works, BUT it's not a silver bullet. The results can differ depending on the assembly's behaviors, potential presence of custom rules by BT, execution conditions, ...
[RELEASE] As promised, I’m releasing the first blog post in a series. It covers the gaps still present in current stack-based telemetry and how Moonwalking can be extended to evade detection logic and reach “on-exec” memory encryption.
Enjoy ;)
https://t.co/4Yf28y7cT4
Can't use your favorite impacket tools in FAST armored domains? Fear no more! BreakFAST is a small utility to demonstrate how Kerberos FAST armoring can be bypassed without local access to LSASS! Check out the repo:
https://t.co/IgA1GdSFi5