Modern C2 implants use sleep masking & metamorphic code to stay hidden. We’re revealing how to unmask them using low-level runtime telemetry (ETW & CPU profiling) live in production, including a POC with a lightweight sensor.
My team will be presenting our research at x33fcon:
https://t.co/qhtckSyxx5
As presented @x33fcon, this bigger update of Hunt-Sleeping-Beacons allows enumerating pending timers and their callbacks to identify timer-based sleepmasks.
Additional detection ideas included :-)
https://t.co/pqlhQnqMIC
We accidentally built a Sysmon-compatible tool with some neat features on top, like (in)direct syscall detection & more. Without drivers, with less resource footprint & using ETW only.
Curious? My team is presenting at @x33fcon in June.
Come & say hello!
https://t.co/TDjO5hUlIz
[RELEASE] EvtPsst, a small mute tool developed by me, that abuses exposed SYNCHRONIZE and Token handles in order to get a process handle to the EventLog process with more access.
A blog post on the techniques will follow in the next few days.
https://t.co/aMDXTJKbof
#redteam
Here is a little ETW-based tool to play with different IOCs via ImageLoad events.
I feel like proxying Kernel32!LoadLibrary through Ntdll is a very strong IOC. :-)
https://t.co/6sekfLSjOe
Here is an ETW-based POC to monitor for (some) direct and indirect syscalls. Should find multiple open source implementations trying to avoid userland hooks.
https://t.co/kUp73Apxcs
Today we published a new tool to tamper with Sysmon.
Uses handle elevation and a SACL bypass to remain difficult to observe using Sysmon itself or Windows Event logs.
https://t.co/OZ4tkgNOAD
Our powerintern @testert01 strikes again, teamed up with @thefLinkk and developed SysmonEnte: a hard to detect attack on Sysmon. Check out our new blogpost: https://t.co/ol4jrl1Ewa
Added an attempt to detect suspicious and blocking callbacks of timers to Hunt-Sleeping-Beacons.
Probably detects some C2 using timer callbacks for sleep encryption.
https://t.co/Y6EiqMUs3W
Just pushed a detection idea for Foliage/AceLdr to Hunt-Sleeping-Beacons.
State Wait:UserRequest is triggered by KiUserApcDispatcher? Probably a Beacon :-)
https://t.co/ro4WETq9Ox
As part of our #x33fcon talk, @invist and @theflinkk release a socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level 😎 Check it out: https://t.co/uqHNa6j3jQ
Our @thefLinkk and @TjarkRasche will give a workshop tomorrow at @bsidesbud on creating complex offensive tools as PIC. Come and learn about offensive coding techniques, memory artifacts and benefits of coding tools as PIC.
Here is my variant of Gargoyle for x64 to evade memory scanners. Fully relies on ROP and PIC without any APC.
Huge thanks to @waldoirc for the documentation.
https://t.co/hPBwMoAd7A
Here is another implementation of Hellsgate + Halosgate
It makes sure that all resolved syscalls go through ntdll.dll by reusing syscall;ret instructions from clean syscall stubs.
https://t.co/MHAAx0abcz
We are going live tonight at 4 PM EST.
Season 5, episode 1: tonight we have a special guest, @thefLinkk, who is going to present offensive PIC for red teamers.
https://t.co/VBA5zaZSS4
❤
#redteam #Pentesting
Here is an idea to identify running beacons:
1. A beacon's ThreadState is often: DelayExecution
2. The call trace to NtDelayExecution includes unknown regions
Also works fine against beacons sitting in file-backed memory.
https://t.co/ro4WETq9Ox
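As an added example (not the Hunt-Sleeping-Beacons code itself), here is the decision logic behind the two heuristics from these posts, the DelayExecution wait with unknown regions in the call trace, and the earlier Wait:UserRequest reached via KiUserApcDispatcher, run over a constructed thread snapshot. The module ranges, export addresses and thread records are made up for the demo; gathering them on a live Windows system (thread wait reasons plus a stack walk per thread) is assumed to happen elsewhere.

```python
from dataclasses import dataclass

@dataclass
class Module:
    name: str
    base: int
    size: int

@dataclass
class Thread:
    pid: int
    tid: int
    state: str        # kernel thread state, e.g. "Wait"
    wait_reason: str  # e.g. "DelayExecution", "UserRequest"
    stack: list       # return addresses, innermost frame first

def resolve(addr, modules):
    """'module+offset' if addr lies in a loaded image, else None (unknown region)."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return f"{m.name}+0x{addr - m.base:x}"
    return None

def triage_thread(t, modules, symbols):
    """Apply both heuristics; symbols maps a few known export addresses to names (constructed)."""
    unknown = [hex(a) for a in t.stack if resolve(a, modules) is None]
    findings = []
    # 1: thread parked in DelayExecution while its call trace passes through unbacked memory
    if t.state == "Wait" and t.wait_reason == "DelayExecution" and unknown:
        findings.append(f"DelayExecution wait with unknown frames {unknown}")
    # 2: Wait:UserRequest reached through KiUserApcDispatcher (APC-driven sleep)
    via_apc = any(symbols.get(a, "").endswith("KiUserApcDispatcher") for a in t.stack)
    if t.state == "Wait" and t.wait_reason == "UserRequest" and via_apc:
        findings.append("UserRequest wait dispatched through KiUserApcDispatcher")
    return findings

# Constructed snapshot: three modules, two known exports, three threads (all values made up).
MODULES = [Module("ntdll.dll", 0x7FF800000000, 0x200000),
           Module("kernel32.dll", 0x7FF7F0000000, 0xC0000),
           Module("app.exe", 0x7FF600000000, 0x30000)]
NT_DELAY, SLEEPEX, KI_APC = 0x7FF800010000, 0x7FF7F0005000, 0x7FF800020000
SYMBOLS = {NT_DELAY: "ntdll!NtDelayExecution", KI_APC: "ntdll!KiUserApcDispatcher"}
THREADS = [
    Thread(4242, 1, "Wait", "DelayExecution", [NT_DELAY, SLEEPEX, 0x1A2B3C4D5000]),  # unbacked caller
    Thread(4242, 2, "Wait", "DelayExecution", [NT_DELAY, SLEEPEX, 0x7FF600001000]),  # Sleep() from app.exe
    Thread(5151, 3, "Wait", "UserRequest", [0x7FF800030000, KI_APC, 0x1A2B3C4D6000]),  # APC-dispatched wait
]
def hunt(threads=THREADS, modules=MODULES, symbols=SYMBOLS):
    """Return {(pid, tid): findings} for every thread that trips at least one heuristic."""
    return {(t.pid, t.tid): f for t in threads if (f := triage_thread(t, modules, symbols))}
```

Thread 2 is the benign control: it is also in DelayExecution, but every frame resolves to a loaded image, so it produces no finding.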