Octoberfest7 Profile
Octoberfest7

@Octoberfest73

5,144
Followers
161
Following
64
Media
752
Statuses

Red Team | Offensive Tool Dev | Malware Dev | OSCP | OSEP

Joined February 2022
Pinned Tweet
@Octoberfest73
Octoberfest7
3 months
Here is a demo of the TGT Auto-Harvester that students will create in my BOF Development and Tradecraft course (). Install in a SYSTEM beacon and passively monitor + capture TGTs from new user logins without calling back to the TS, even while Beacon sleeps!
2
45
266
@Octoberfest73
Octoberfest7
6 months
Well that's awkward
12
78
712
@Octoberfest73
Octoberfest7
1 year
On the heels of the recent articles concerning using Microsoft Teams for phishing... tool drop Wednesday #redteam #malware #cybersecurity
6
169
661
@Octoberfest73
Octoberfest7
9 months
I'm excited to release GraphStrike, a project I completed during my internship at @RedSiege . Route all of your Cobalt Strike HTTPS traffic through . Tool: Dev blog: #redteam #infosec #Malware #Microsoft
9
196
622
@Octoberfest73
Octoberfest7
2 years
I’m pleased to release Inline-Execute-PE, a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows exe’s in Beacon memory without dropping to disk or creating a new process each time. #redteam #cybersecurity #malware
5
178
409
@Octoberfest73
Octoberfest7
2 years
I'm sure I'm late to the party, but MSFT put a user-writable folder in $path (%HOMEPATH%\AppData\Local\Microsoft\WindowsApps)??? OneDrive tries to load a non-existent DLL (Microsoft.UI.Xaml.XamlTypeInfo.dll) making for an easy user-level hijack #malware #redteam #cybersecurity
11
101
401
@Octoberfest73
Octoberfest7
9 months
Found a user-level persistence opportunity when Steam.exe (the game platform) is installed. On boot, it runs "vulkandriverquery64.exe" which tries to load a missing DLL that can be placed in a user-writable location within %PATH%. #redteam #malware #cybersecurity #pentesting
4
85
328
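Both the OneDrive and the Steam posts above hinge on the same condition: a directory the current user can write to sits on %PATH%, and some process looks there for a DLL it cannot find elsewhere. The check below is an added example (my code, not a tool from this account) for enumerating which PATH entries are writable from the current user's context. It assumes only the standard library; the probe writes and deletes a temp file, because on Windows os.access() does not consult ACLs. The sample PATH string in the test is constructed, not taken from a real host.

```python
import os
import tempfile
from typing import Callable, List, Tuple


def probe_writable(directory: str) -> bool:
    """Return True if the current user can create a file in `directory`.

    Creating and deleting a temp file is used instead of os.access(), which on
    Windows ignores DACLs and reports almost everything as writable.
    """
    try:
        fd, tmp = tempfile.mkstemp(dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.unlink(tmp)
    return True


def user_writable_path_entries(
    path_value: str,
    probe: Callable[[str], bool] = probe_writable,
    sep: str = os.pathsep,
) -> List[Tuple[int, str]]:
    """Return (position, directory) for each PATH entry the user can write to.

    Position is reported because the loader walks PATH in order, after the
    application directory and the system directories; an earlier writable
    entry wins over a later one when a DLL is missing from all of them.
    """
    hits: List[Tuple[int, str]] = []
    for idx, raw in enumerate(path_value.split(sep)):
        entry = raw.strip()
        if not entry:
            continue
        if probe(os.path.expandvars(entry)):
            hits.append((idx, entry))
    return hits


if __name__ == "__main__":
    # Live check against this host's PATH. A hit only becomes a hijack when a
    # process actually searches PATH for a DLL that does not exist (the
    # OneDrive and vulkandriverquery64.exe cases described above).
    for position, directory in user_writable_path_entries(os.environ.get("PATH", "")):
        print(f"[{position}] user-writable PATH entry: {directory}")
```

The `probe` parameter exists so the function can be exercised offline; in a real sweep leave it at the default so the answer reflects the actual ACLs of the account you are running as.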
@Octoberfest73
Octoberfest7
1 year
Happy early 4th- TeamsPhisher is out now! Send messages + attachments to external Teams users for the purpose of phishing for access. This short project was a fun departure from all of the BOF and Post-ex stuff I typically focus on. #redteam #Malware
7
125
323
@Octoberfest73
Octoberfest7
4 months
I’m excited to announce that I have partnered with @zeropointsecltd to release my first educational course, BOF Development and Tradecraft. Learn how to write BOFs by following step-by-step instructions to create three operation-ready tools! Link:
22
60
279
@Octoberfest73
Octoberfest7
2 years
Just finished an article on using XLL payloads for phishing for access. Included is a code snippet as well as test results against Microsoft Defender for Endpoint. Tagging you both in case you want to share with your networks @Dinosn @CyberWarship
8
93
262
@Octoberfest73
Octoberfest7
2 months
On today's episode of "do you know your tools", did you know that both CrackMapExec and NetExec make TWO connections to each target? And that the first one (for enum) uses an empty user/hostname/domain name? And that both connections ALWAYS try SMB1 first?
5
51
260
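The observation above (SMB1 is always tried first) is something a defender can look for on the wire: an SMB1 Negotiate Protocol Request is easy to recognise and, on a network where SMB1 is disabled, has no business appearing. The parser below is an added example written for this page, not code from the author or from the tools mentioned. It assumes NetBIOS session framing (a 0x00 message type plus 3-byte length) in front of the 32-byte SMB1 header, and the dialect list used in the test is a constructed sample, not a claimed fingerprint of CrackMapExec, NetExec or impacket. It covers only the negotiate; the second point in the post (the empty user/host/domain in the session setup) is not handled here.

```python
import struct
from typing import List, Optional

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32
NBSS_LEN = 4


def parse_smb1_negotiate(data: bytes) -> Optional[List[str]]:
    """Return the dialect strings if `data` is a NetBIOS-framed SMB1
    Negotiate Protocol Request, otherwise None.

    Layout after the 4-byte NetBIOS header: 32-byte SMB1 header
    (\\xffSMB, command, status, flags, flags2, pid_high, signature,
    reserved, tid, pid, uid, mid), then WordCount, ByteCount and the
    dialect buffer, each dialect encoded as 0x02 + ASCII + NUL.
    """
    if len(data) < NBSS_LEN + SMB1_HEADER_LEN + 3 or data[0] != 0x00:
        return None
    body = data[NBSS_LEN:]
    if body[:4] != SMB1_MAGIC or body[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = body[SMB1_HEADER_LEN]
    params_end = SMB1_HEADER_LEN + 1 + 2 * word_count
    if len(body) < params_end + 2:
        return None
    (byte_count,) = struct.unpack_from("<H", body, params_end)
    buf = body[params_end + 2 : params_end + 2 + byte_count]
    dialects = []
    for chunk in buf.split(b"\x00"):
        if chunk.startswith(b"\x02"):
            dialects.append(chunk[1:].decode("ascii", "replace"))
    return dialects


def smb1_negotiate_offering_smb2(data: bytes) -> bool:
    """True for the pattern the post describes: an SMB1-framed negotiate
    that nonetheless advertises SMB2 dialects, i.e. a client that could
    have spoken SMB2 directly but chose to start with SMB1."""
    dialects = parse_smb1_negotiate(data)
    return dialects is not None and any(d.startswith("SMB 2.") for d in dialects)


def build_smb1_negotiate(dialects: List[str]) -> bytes:
    """Build a constructed sample request (not a capture) for offline testing."""
    buf = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = (
        SMB1_MAGIC
        + bytes([SMB_COM_NEGOTIATE])  # command
        + b"\x00" * 4                  # status
        + b"\x18"                      # flags
        + b"\x53\xc8"                  # flags2 (unicode, long names, ext. security)
        + b"\x00" * 2                  # pid_high
        + b"\x00" * 8                  # security signature
        + b"\x00" * 2                  # reserved
        + b"\x00" * 2 + b"\x00" * 2    # tid, pid
        + b"\x00" * 2 + b"\x00" * 2    # uid, mid
    )
    assert len(header) == SMB1_HEADER_LEN
    smb = header + b"\x00" + struct.pack("<H", len(buf)) + buf  # WordCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    sample = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
    print("dialects:", parse_smb1_negotiate(sample))
    print("smb1 negotiate offering smb2:", smb1_negotiate_offering_smb2(sample))
```

Feed `parse_smb1_negotiate` the first TCP payload of each new connection to port 445; a hit against a host that has SMB1 disabled is a reasonable candidate for a tooling alert.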
@Octoberfest73
Octoberfest7
2 months
Fun little IOC in impacket-smbserver's Negotiate Protocol Response 🙃
8
61
255
@Octoberfest73
Octoberfest7
2 years
Finally pretty much finished my Microsoft Teams CobaltStrike External C2. Even made it position independent so it can be stuck inside my XLL payload or other shellcode runners. Thanks to @0xBoku and @NinjaParanoid for their work which I referenced! #malware #redteam #cyber
2
66
250
@Octoberfest73
Octoberfest7
2 years
Turned back to learning about injection and code execution techniques. TIL with some Nt magic you can spawn any process and make it think it's being loaded from an arbitrary dir, so it's DLL search order will start where you tell it to. #redteam #malware #penetrationtesting
5
68
242
@Octoberfest73
Octoberfest7
2 years
I'm happy to release MemFiles (and ~7000 words of research/documentation). Run your favorite tools through CobaltStrike and capture the files they produce in memory instead of writing to disk: #malware #redteam #cybersecurity #cobaltstrike #infosec
2
89
241
@Octoberfest73
Octoberfest7
9 months
Working on a pretty scary project. I combined @C5pider Stardust and @joehowwolf 's recent LLVM obfuscation work. ENDLESS_WALTZ produces unique PIC .bin's each time it's run (== unique agents each compile...) L is normal Stardust, M+R are the same code but different runs of EW
7
44
225
@Octoberfest73
Octoberfest7
1 year
Here is my latest, DropSpawn. This is a CS BOF used to spawn additional beacons via a little-known DLL hijacking method that I posted about ~2 months ago. Use as an alternative to process injection and force most any System32 exe to load an arbitrary DLL
3
78
218
@Octoberfest73
Octoberfest7
1 year
With just a few modifications, @GabrielLandau 's incredible PPLFault () runs through Inline-Execute-PE 😲Here I have modified it to kill the specified PPL protected process MsMpEng.exe. Excited to take a deeper dive into the tool and scrub for OPSEC
2
62
199
@Octoberfest73
Octoberfest7
2 years
Super stoked and proud of the project I am currently working on. Introducing MemFiles, a CobaltStrike suite that will capture any files that Beacon tries to write to disk and place them in memory instead for exfiltration. Coming soon... #malware #redteam #cybersecurity
3
41
179
@Octoberfest73
Octoberfest7
2 years
It gets better, two NtApi's are all you need to create a process and set "The folder from which the application loaded" to a location of your choosing for DLL sideloading. No WriteProcessMemory or modification of remote PEB required to cover tracks either: #malware #cyber
6
45
163
@Octoberfest73
Octoberfest7
8 months
Check out my latest blog post released during my internship at @RedSiege where I explore how a method for dumping LSASS popularized in 2019 can avoid detection by Microsoft Defender for Endpoint in 2024: #Malware #redteam #infosec #CyberSecurityAwareness
6
60
163
@Octoberfest73
Octoberfest7
4 months
TIL that SSH'ing into a Windows machine as a user who is a local Admin will automatically give you an elevated session instead of a medium integrity one
10
12
146
@Octoberfest73
Octoberfest7
1 year
Original concept for Inline-Interactive-PE was using a socks proxy and connecting via proxychains + nc to a port bound on loopback by Beacon... I cut out the socket part entirely and now just use a BOF to send/retrieve within CS console. Run PE commands and CS commands B2B :)
1
31
141
@Octoberfest73
Octoberfest7
1 year
Tool drop Thursday! Enjoy a mature and operational CobaltStrike BOF of CVE-2023-36874 Windows Error Reporting Local Privilege Escalation. Patch your machines people. Thanks to @filip_dragovic for his work. #redteam #cybersecurity #cobaltstrike #malware
3
59
126
@Octoberfest73
Octoberfest7
2 years
Sneak peek: Inline-Execute-Pe. This is a suite of BOF's for CobaltStrike that allow a user to load an unmanaged PE into beacon memory and run it repeatedly without spawning a new process each time. Tested w/ dsquery, mimikatz, sysinternals, etc #malware #redteam #CyberSecurity
2
24
124
@Octoberfest73
Octoberfest7
10 months
👀Coming soon...
3
5
122
@Octoberfest73
Octoberfest7
2 years
@Alh4zr3d If you'll forgive the shameless plug, I did some similar research on using powershell and nslookup to download + execute a .exe payload using MDE as a testbed. Very similar concept but I opted for MX records because TXT was raising eyebrows
4
35
116
@Octoberfest73
Octoberfest7
6 months
I spent the past couple days playing with and contributing to @R0h1rr1m 's Shoggoth project (), which can turn PE's and BOF's into PIC. Super cool project, and one that opens up some interesting possibilities 😉
1
38
118
@Octoberfest73
Octoberfest7
1 year
Some major progress on Inline-Interactive-PE. I can now map PE's within the Beacon process and then connect over socks proxy with netcat in order to run commands interactively. CTRL + C in netcat and you can go reconnect later to the same session #redteam #cobaltstrike #tooldev
4
32
112
@Octoberfest73
Octoberfest7
1 month
Inspired by this, is anyone aware of a way to execute a dll directly without aid of rundll32.exe or another utility?
@vinopaljiri
Jiří Vinopal
1 month
Inspired by @0gtweet , I created PoC: EXE-or-DLL-or-ShellCode that can be: Executed as a normal #exe Loaded as #dll + export function can be invoked Run via "rundll32.exe" Executed as #shellcode right from the DOS (MZ) header that works as polyglot stub
4
93
377
8
15
90
@Octoberfest73
Octoberfest7
2 months
Here is the full tool. Small and quick but still learned some things🙂 Enjoy! #redteam #cybersecurity #Pentesting #infosec
@Octoberfest73
Octoberfest7
2 months
Saw this and then sat down and did a little speed run challenge for myself. Took ~1hr 15 mins but have a nice little BOF version of this now. Will release at some point. Thanks Grzegorz!
1
10
90
1
31
111
@Octoberfest73
Octoberfest7
2 years
Great article on DLL Hijacking and some of the issues one can face when creating DLL's for this purpose:
0
37
108
@Octoberfest73
Octoberfest7
3 months
MemFiles has been updated with a PR from @s4ntiago_p ! I finally got some time to review and approve some improvements he made which alters the project to make use of the Beacon Data Store APIs introduced in Cobalt Strike 4.9. Grab the new version here:
0
38
100
@Octoberfest73
Octoberfest7
2 years
I haven't gotten a chance to dig into this, but this looks like a promising collection of BOF's dropped by a new account on Github
1
30
92
@Octoberfest73
Octoberfest7
3 months
A repost, but I still think this blog is super cool. Use the native Windows SSH client and shortcut files for initial access by opening a tunnel to the victim network:
5
19
92
@Octoberfest73
Octoberfest7
8 months
🚨I just found a user on GitHub hosting backdoored versions of Offsec-related tools. RTLO .scr files masquerading as VS .sln files in C# projects and what appears to me to be backdoored .git files in Python projects. Just went up & ongoing. #malware
5
36
91
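The RTLO trick called out above works because U+202E (RIGHT-TO-LEFT OVERRIDE) makes a file manager render the rest of the name reversed, so "Project\u202Enls.scr" is shown as "Projectrcs.sln". The scanner below is an added example I wrote for this page, not code from the account or the repositories it mentions; it only needs the standard library. It flags any filename containing a Unicode bidi control and reports the extension a viewer would see against the real one. The file names in the test are constructed. The other half of the post (tampered .git contents) is a different check and is not covered here.

```python
import os
from typing import Dict, Iterable, List

# Unicode bidirectional embedding/override/isolate controls. None belong in a
# source-tree filename, so presence alone is worth reporting.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)
RLO = "\u202e"


def has_bidi_control(name: str) -> bool:
    return any(ch in BIDI_CONTROLS for ch in name)


def analyze_name(path: str) -> Dict[str, str]:
    """Compare the real extension with the one displayed after RLO reordering.

    Simplification: everything after the first RLO is treated as one reversed
    run, which matches how a bare filename renders in a directory listing.
    """
    base = os.path.basename(path)
    real_ext = os.path.splitext(base)[1].lower()
    shown = base
    if RLO in base:
        head, tail = base.split(RLO, 1)
        shown = head + tail[::-1]
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": path,
        "displayed_as": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "verdict": "extension spoofed" if shown_ext != real_ext else "bidi control present",
    }


def scan_names(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Return a finding for every path whose basename carries a bidi control."""
    return [analyze_name(p) for p in paths if has_bidi_control(os.path.basename(p))]


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Walk a checked-out repository and scan every file name in it."""
    paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in filenames)
    return scan_names(paths)


if __name__ == "__main__":
    import sys

    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(
            f"{finding['verdict']}: {finding['name']!r} displays as "
            f"{finding['displayed_as']!r} (real {finding['real_ext']}, shown {finding['shown_ext']})"
        )
```

Run it over a freshly cloned repository before opening anything in it; a `.scr` or `.exe` whose displayed extension is `.sln`, `.cs` or `.py` is exactly the pattern described in the post.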
@Octoberfest73
Octoberfest7
2 years
Tryhard Thursday. Shspawn is old school, how about rportfwd -> webdav server with malDLL on attack box -> DLL Application Directory Hijack -> New beacon in arbitrary process with a DLL that doesn't reside in the target network #malware #redteam #penetrationtesting #cobaltstrike
5
35
90
@Octoberfest73
Octoberfest7
2 months
Saw this and then sat down and did a little speed run challenge for myself. Took ~1hr 15 mins but have a nice little BOF version of this now. Will release at some point. Thanks Grzegorz!
@0gtweet
Grzegorz Tworek
2 months
Listing all processes keeping particular file open is not a trivial task but since Vista we have a special syscall parameter for such purpose. Microsoft says "reserved for system use" but I was brave enough to wrap it into PowerShell function. Enjoy!
14
160
703
1
10
90
@Octoberfest73
Octoberfest7
2 years
Working on porting MemFiles() to other C2's. Have it working with Havoc. Will be taking a look at Sliver next, it'll be my first foray into Go, cross your fingers
2
14
88
@Octoberfest73
Octoberfest7
2 years
Just pushed an update for Inline-Execute-PE. You can now load the PE from the target machine instead of sending it remotely; useful for LOLBINs without creating a new process and avoiding versioning issues
0
33
87
@Octoberfest73
Octoberfest7
1 year
Had an idea and needed some more info on how UAC works under the hood. I found a very impressive article; the kicker is that it is from 2008! Always blows me away the obscure gems you can find
1
21
87
@Octoberfest73
Octoberfest7
8 months
Malware devs who have written in Rust, what are your thoughts? Does simply writing the same tool in rust instead of c or c++ offer any real advantage in evasion? Also wondering how prohibitive the language is when it comes to interacting with low level OS components and API
17
1
82
@Octoberfest73
Octoberfest7
2 years
Super cool. Tested on Win11 and Win10 22H2, certain things on system become unresponsive until msmpeng is resumed. But doing this through a Beacon using Inline-Execute-PE, beacon continues to function just fine. So suspend, do your opsec unsafe stuff, cleanup, restore?
@0gtweet
Grzegorz Tworek
2 years
Looks like the weirdest AV evasion I have ever seen. 1. Not all MsMpEng.exe versions allow to be suspended. 2. You may need to wait before your malware finally starts.
22
229
788
1
17
80
@Octoberfest73
Octoberfest7
9 months
I'm looking for work! I'll be out of the military and available June 1st 2024. Looking for offensive tool dev / red team roles and would love to chat with anyone who might know of a good fit. #Malware #redteam #offsec #CyberSecurity #infosec
4
28
75
@Octoberfest73
Octoberfest7
11 months
It's not new, but good work deserves a shoutout regardless. Great article from @zyn3rgy on running tools from a Windows attack platform through a SOCKS proxy. Lots to be said for avoiding IOC's on target but still being able to leverage powerful tools.
1
22
77
@Octoberfest73
Octoberfest7
1 year
Anyone playing with CVE-2023-36874 LPE? According to crowdstrike( ) it involves making a symlink between c:\ and a user-writable folder so that WER starts a malicious wermgr.exe. It strikes me that being able to symlink c elsewhere should open a lot of LPEs
10
22
73
@Octoberfest73
Octoberfest7
1 year
Started doing a HTB prolab with CobaltStrike and got frustrated because CS's lack of an interactive shell caused headaches right away. Have a POC to bind a loopback port and then use a socks proxy to connect to a powershell.exe instance mapped inside another process <1/2>
4
14
73
@Octoberfest73
Octoberfest7
7 months
This April Fools Day, I'm excited to release my latest research and blog post from my time at @RedSiege : SSHishing. The name might be a joke, but the technique isn't! Read the details here: #infosec #CyberSecurity #redteam #malware
6
30
72
@Octoberfest73
Octoberfest7
2 years
This has been a very challenging project for me with several 15-20 hour long roadblocks, but MemFiles is coming along. Can now successfully run SharpHound using Inline-ExecuteAssembly and have all files output into memory (instead of disk), ready for download
2
5
70
@Octoberfest73
Octoberfest7
2 years
Not sure how useful this is in practicality, but what I've decided to dub 'DLL application directory hijacking' that I and others have been posting about the last few days also works with UNC paths:
1
15
70
@Octoberfest73
Octoberfest7
2 years
Finished V2 of BeatRev- a POC to frustrate/defeat Mal Analysts and Rev Eng's by 'keying' malware to a victim. Incorporated RDLL's, UUID's, and AV evasion. Full codebase has been released, hopefully you enjoy @Dinosn #malware #cybersecurity #infosec
1
32
63
@Octoberfest73
Octoberfest7
2 years
Recently attended KFiveFour's TradecraftCON conference. I presented two talks: 1. XLL Phishing 2. CobaltStrike External C2 Via Microsoft Teams I have uploaded the slide decks here if anyone wants to check them out: #CyberSecurity #redteam #malware
0
26
63
@Octoberfest73
Octoberfest7
2 years
Wrote a POC to 'key' malware to a specific victim box to protect it from rev engineers/malware analysts. Aes encrypts real payload and deletes on failed run. Love to hear from Blue Teamers. #infosec #maldev #BlueTeam #redteam @0xBoku @NathanMcNulty
5
25
59
@Octoberfest73
Octoberfest7
2 years
This project is ~2 months old but just now releasing it again, a small Aggressor script to help Operators track files that are uploaded to target machines in the interest of aiding the logging of artifacts and cleanup at the end of an operation.
0
15
56
@Octoberfest73
Octoberfest7
7 months
When this makes it to prod and circulates throughout client environments over the next 5 years there might be some things to look at here 👀
2
25
53
@Octoberfest73
Octoberfest7
2 years
I came across @the_bit_diddler 's github and he has an impressive collection of CobaltStrike BOF's that are worth checking out. I've already found a few functions within some of their projects I can envision a use for in mine.
1
20
52
@Octoberfest73
Octoberfest7
7 months
According to VT and MDE, ssh.exe is our friend 🙂
3
3
50
@Octoberfest73
Octoberfest7
10 months
😵‍💫I just found out that the default .cna script that CobaltStrike uses to define the UI is available for download. Talk about a wealth of examples:
2
9
47
@Octoberfest73
Octoberfest7
9 months
Received my confirmation for Outflank’s upcoming training. Looking forward to it 🙂
5
1
41
@Octoberfest73
Octoberfest7
2 months
I haven’t been to DEFCON before and the things I see on here aren’t super encouraging either (cost, lines, badge drama, hotel drama, etc). Maybe WWHF or something as my first industry convention
10
0
40
@Octoberfest73
Octoberfest7
2 years
Wrote a quick and dirty Aggressor script for CobaltStrike to help Operators track uploaded files during an engagement. Tracks date/time, upload location, local file, md5 hash and persists across CS Client sessions. #cobaltstrike #Pentesting #redteam
0
13
41
@Octoberfest73
Octoberfest7
10 months
Man it’s nice having an interesting project to work on! In the future I’ll be releasing a tool that red teamers who use CobaltStrike should have a good bit of interest in… APT 28 fans keep your eyes out 👀
1
0
39
@Octoberfest73
Octoberfest7
2 years
I'm pretty siloed to CobaltStrike; what other major C2's support BOF's with minimal/no modification? I know Sliver and Metasploit do. Brainstorming how I could make some of my projects C2-agnostic as long as they support BOF's but need a feel for how useful that would be
8
4
36
@Octoberfest73
Octoberfest7
1 year
I may look at adding this to TeamsPhisher given the recent fix for group chats. Great research from pfiatde as always.
@pfiatde
pfiatde
1 year
The new Teams splash screen warning for external participants is nice and a big improvement (after almost 2 years), but can be bypassed quite easily by using the meeting-chat. Details on my blog.
2
27
80
2
6
37
@Octoberfest73
Octoberfest7
2 years
Just pushed an update to MemFiles, which will now better track + use the filepointer as set by programs when writing data. This fixes the issue with procdump where the .dmp files couldn't be properly parsed.
1
14
36
@Octoberfest73
Octoberfest7
3 months
Monoliths and monopolies are rarely a good thing. I’ve never taken a SANS course, in part because I could just never get past the price tag. For what they charge they had better be teaching alchemy. Red Siege is a great shop, excited to see what’s next!
@TimMedin
Tim Medin 🇺🇦
3 months
My team at Red Siege has written, instructed and developed some awesome training over the last year with zero involvement from me. Unfortunately, even though they don't work for SANS and I have had zero input or part in their courses, SANS has told me that unless they stop
110
124
1K
2
1
37
@Octoberfest73
Octoberfest7
2 years
For those who have dev'd against EDRs that hook (crowdstrike, S1, etc), is removing hooks a detection in itself? I.e. Will the EDR examine a process and see its hooks aren't there anymore and alert on that? Wondering if unhook->run code->rehook->sleep repeat might be useful?
3
4
36
@Octoberfest73
Octoberfest7
2 years
M365 Insider Preview now blocks XLL's from the internet () by adding MOTW. Not to worry though, with a few more steps and some social engineering, XLL's are alive and well for phishing for access. #malware #redteam #microsoft #PenetrationTesting
0
9
36
@Octoberfest73
Octoberfest7
9 months
For anyone wanting a deeper dive into the development process and theory behind GraphStrike, consider checking out the long-form blog I wrote. #infosec #redteam #malware #CyberSecurity
@RedSiege
Red Siege Information Security
9 months
🛠️ DEV BLOG 🛠️ READ: With the release of GraphStrike, go deeper into the anatomy of the tool development with @Octoberfest73 . including the research, viability and technical design! #hacking #infosec
1
8
32
3
8
33
@Octoberfest73
Octoberfest7
9 months
I know that MDE detects and blocks this technique (Gabriel kindly worked with the MDE team to facilitate this), but I do wonder about other EDR vendors out there
@GabrielLandau
Gabriel Landau
9 months
Friendly reminder that these 476-day kernel and PPL exploits still work on fully-patched 23H2. Happy January pwnage! #NotASecurityBoundary
3
91
307
1
3
31
@Octoberfest73
Octoberfest7
7 months
Would an initial access vector that results in a tunnel/socks proxy to the target network but no hashes or implant/further code execution on the device be useful? Also have concerns about remote work, possible to infect a work device and have a tunnel to someone's home network.
11
2
33
@Octoberfest73
Octoberfest7
4 months
Back from a week-long trip and I check github and find a ton of traffic to my XLL phishing repo from a couple years ago (with the most by far from Breachforums). Turns out a new HTB machine came out that requires XLL phishing. Pretty cool!
3
0
34
@Octoberfest73
Octoberfest7
2 months
I liked OSCP (the test at least, course was nothing special) back when I took it, but having to take it again every 3 years… woof. I don’t know that I would pass it if taken tomorrow, the skills and strategies for the test are def not the same ones I use day to day for #realjob
3
1
33
@Octoberfest73
Octoberfest7
5 months
I have a vague memory of some research posted in the past year or two about a technique for executing encrypted shellcode by decrypting the next instruction, executing it, remasking it, etc. Ring any bells for anyone?
1
4
33
@Octoberfest73
Octoberfest7
7 months
It feels like the pace of OST releases has dropped in the last year or so. Just me or have others felt this as well?
8
1
30
@Octoberfest73
Octoberfest7
1 year
P.S. I will be getting out of the military in less than a year and looking for red team and offensive tool dev roles. Keep me in mind :)
6
5
28
@Octoberfest73
Octoberfest7
8 months
@HackingLZ I’ve grinded awfully hard the last several years to make a name for myself and secure future employment. But for my own sake I hope to diversify my hobbies and find something else besides just work.
2
1
25
@Octoberfest73
Octoberfest7
2 years
Been out for a bit now, but this is a BOF combo of KillDefender and Backstab. Strip a process of its privs and integrity (defender), and kill PPL protected processes in order to 'revert' them (by manually starting or service) @Dinosn @ptracesecurity
1
13
25
@Octoberfest73
Octoberfest7
7 months
Friendly reminder whether you’re designing malware or protecting against it, normal users don’t see computers the same way you do. I have to remind myself sometimes that a black box flickering momentarily, or a consent prompt from MOTW don’t raise the same alarms they do for us
2
6
25
@Octoberfest73
Octoberfest7
1 year
Can someone help me understand this? Win11, just installed Aug monthly patch, WDAV enabled + tamper protection. Using elevated powershell and set-mppreference to add an exclusion path prompts UAC; saying 'No' to UAC prompt still results in the exclusion path being added
4
3
25
@Octoberfest73
Octoberfest7
10 months
Broad question: how much would you/your org be willing to pay as a one-time fee to access a high quality offensive security tool via private GitHub page? $50-100? I figure with a sponsorship model a lot of folks will pay for a month, grab all the code, and cancel anyways
20
1
25
@Octoberfest73
Octoberfest7
1 year
Is CobaltStrike's lack of secure staging actually a big deal for anyone? There are ways to control who can request the stage via redirectors, but I'm more talking about being MitM'd and your stager running something it shouldn't
5
4
25
@Octoberfest73
Octoberfest7
8 months
Mixed thoughts. It was eye opening reading threat intel regarding threat actors actively using some of my tooling. Then again, MSFT was very aware of and deliberately chose to do nothing to mitigate the vulnerability until my tool went public and made it easy to abuse. 🤷‍♂️
0
0
23
@Octoberfest73
Octoberfest7
2 years
This is some fantastic research and tooling that I plan on digging into👀fantastic work @x86matthew
0
5
23
@Octoberfest73
Octoberfest7
1 year
Had some fun playing with a priv persistence method using SetConsoleCtrlHandler and SetProcessShutdownParameters. Make beacon wait until after AV has exited to drop to disk when machine shuts down/reboots; and drop to disk as a missing DLL that is loaded before AV starts on boot.
1
0
21
@Octoberfest73
Octoberfest7
21 days
@vxunderground This is the same group selling cracked versions of commercial c2’s and who have had past GitHub drama before too. I wouldn’t hold your breath on them correcting things.
1
0
22
@Octoberfest73
Octoberfest7
5 months
Man, the feeling of finally solving a big blocker in a project after 5 days of thinking/tinkering >>>
1
0
20
@Octoberfest73
Octoberfest7
28 days
Recently completed a move I’ve been looking forward to for 4 years. Good to be back.
0
0
20
@Octoberfest73
Octoberfest7
1 year
Any hot tips for working in bloodhound with large data sets (10k+ hosts, 30k+ users) besides "dont try and visualize anything that has a 4+ digit number"?
8
3
19
@Octoberfest73
Octoberfest7
4 months
Exciting news coming Monday 👀
0
1
20
@Octoberfest73
Octoberfest7
1 year
Shower thought: You have System on a workstation and are looking to move lat. What are your thoughts IRT hooking a normal user functionality and popping a 'xxx isn't working, please contact the support team' to coerce a workstation admin / DA to log in for token or cred theft?
5
2
20
@Octoberfest73
Octoberfest7
2 years
So predictably MSFT just slapped MOTW onto XLL's coming from the internet. It slightly complicates the attack chain but if you can get the victim to run powershell, jscript or vbscript to remove MOTW you can still leverage XLL's to do the heavy lifting for you
@BleepinComputer
BleepingComputer
2 years
Microsoft Excel now blocking untrusted XLL add-ins by default - @serghei
1
38
85
2
6
19
@Octoberfest73
Octoberfest7
2 years
Inconsistency across versions with the OneDrive DLL hijack I posted. Same OD consumer version works on Win10Pro, doesn't on Win11Ent, a later ver Win11E ODc works, a later ver Win11P OD enterprise version works. Oh and all versions seem to be past what OD release notes list
3
5
19
@Octoberfest73
Octoberfest7
7 months
I swear there was an article released in the last ~year advocating for running as much tooling as possible over the network via tunnels instead of on a compromised host; does this ring any bells for anyone?
5
2
18
@Octoberfest73
Octoberfest7
2 years
@HackingLZ @0xBoku has a nice POC doing this, using graph api with drafts in azure outlook I used his as a reference for my own project, using graph API to send c2 traffic as Teams messages & files to/from SharePoint. Mine was a CS external C2 tho, not full custom C2
2
2
19
@Octoberfest73
Octoberfest7
1 year
Hats off to all of the devs who build GUIs. It’s right up there with the most frustrating and least entertaining programming I’ve ever done.
0
0
18
@Octoberfest73
Octoberfest7
7 months
Resisting the urge to title my next research 'sshishing'
3
0
17
@Octoberfest73
Octoberfest7
1 year
I went back and checked out my TeamsPhisher tool again now that almost two months have passed; it still works, but Microsoft has added an "External" marking on attached files... which is progress I guess?
1
0
17