Octoberfest7

1.2K posts

@Octoberfest73

Red Team | Offensive Tool Dev | 2x Course Author @ Zero-Point Security

Joined February 2022
190 Following, 8.7K Followers
Pinned Tweet
Octoberfest7 @Octoberfest73
After over a year of work my second course with @_ZeroPointSec is now available! In it students will apply low level windows tradecraft in the writing of Cobalt Strike’s UDRL and Sleepmask components. To celebrate, the BOF course is 25% off thru Jan 12th! zeropointsecurity.co.uk/course/udrl-sl…
Octoberfest7 @Octoberfest73
Seeing decent amounts of discussion along the lines of “you trust your compiler output, trust AI the same” and about how having a “human in the loop” is like SO last year. Either a massive psyop by the Machine Spirit or people have lost their goddamn minds.
S3cur3Th1sSh1t @ShitSecure
Anyone interested in what you need for proper loader development in 2026? My talk for @x33fcon was accepted, so I'll talk about Malware again. 🔥 It's a unique talk and will only be held there this year! Hope to see some of you in Poland. 😎
vx-underground @vxunderground
@Octoberfest73 @lildylannn I recognized it immediately doing stuff with WinRT. God bless your soul for traversing the darkest corners of their undocumented mess
Octoberfest7 @Octoberfest73
Here is my BOF POC (emphasis on POC...) of this research. As the README states it's not an operationally-ready tool, but it was neat research and I figure the code might be useful for someone else. Thanks to @lildylannn and his colleague for their work! github.com/Octoberfest7/D…
dylan davis @lildylannn

I just dropped some research: DSCourier and would love for your opinion and to check it out!! It’s a novel post-exploitation technique abusing WinGet’s COM API to execute code through Microsoft-signed binaries. GitHub: github.com/DylanDavis1/DS… Blog: dylansec.com/DSCourier/

vx-underground @vxunderground
@Octoberfest73 @lildylannn __FIAsyncOperationWithProgress_2_Microsoft__CManagement__CConfiguration__CApplyConfigurationSetResult_Microsoft__CManagement__CConfiguration__CConfigurationSetChangeData *pApplyOp = NULL; Yesssss kingggg. Strip the headers
Octoberfest7 @Octoberfest73
@0xC0rnbread @lildylannn I haven’t sat down and confirmed myself, but my current understanding is that this is local only, not DCOM
Octoberfest7 @Octoberfest73
@lildylannn Great research! It was quite the adventure working with Claude to get the c-style COM interfaces / headers / etc. Still mulling over what the “so what” or use case is really gonna be for the BOF version
Octoberfest7 retweeted
dylan davis @lildylannn
I just dropped some research: DSCourier and would love for your opinion and to check it out!! It’s a novel post-exploitation technique abusing WinGet’s COM API to execute code through Microsoft-signed binaries. GitHub: github.com/DylanDavis1/DS… Blog: dylansec.com/DSCourier/
Octoberfest7 @Octoberfest73
@jamieantisocial They say this, and then 2 minutes later they are using VirtualAlloc, memcpy, and CreateThread to execute their smuggled payload. This is all really just a fancy container to download a payload through; it doesn’t appear to me to offer any advantages from an execution standpoint
Octoberfest7 @Octoberfest73
@cyb3rops @HackingLZ On the offensive side, in my short time, I have seen and felt similar. AI has totally changed the math around releasing “just a POC”. I have angled toward paid course offerings, but there are def things that don’t meet the bar for that I’d like to put out w/o AI snapping up
Florian Roth ⚡️ @cyb3rops
A bit more context on why I think this way: I’ve shared a lot over the years - thousands of rules, blog posts, methods, tuning ideas, and research. That was always fine as long as turning public ideas into working tools and solid detections still took real time, skill, and engineering effort. What changed is that the cost of copying has dropped a lot, while the pace at which the remaining gap may close is hard to predict. It’s not about being against sharing. It’s about not handing out every detail once the cost of copying it has dropped that much. And to be honest, many of the people acting morally outraged about this are not living by some absolute principle of full openness either. Most people do not share the code, detection logic, methods, or internal know-how that directly supports their livelihood, their employer, or obligations they’ve signed up for. They just usually don’t say that part out loud.
Florian Roth ⚡️ @cyb3rops

I’ve deliberately not published blog posts on useful detection ideas and rule-writing methods because I didn’t want LLMs to absorb them. So those ideas stayed private and were shared only with a small group. I doubt I’m the only one making that call. And that probably has consequences for the community over time - not just ours, but any community.

Octoberfest7 @Octoberfest73
@HackingLZ @0xTriboulet @github I have been trying to sponsor x64dbg / @mrexodia for a month now, with GitHub always kicking back the payment saying there is a billing problem. Opened a support ticket a month ago and have yet to receive a reply / any update on it
Justin Elze @HackingLZ
I'm going to apologize in advance for daily rants about @github not being a serious company with account suspensions with no notifications, and no direct path to resolve the issue.
Octoberfest7 @Octoberfest73
@LorenzoMeacci @HackingLZ I think you got confused about which thread you were looking at here. This looks like the main thread running the sleepmask code making the WaitForSingleObject call here, not a timer thread. Timer threads absolutely do unwind down to RtlUserThreadStart and BaseThreadInitThunk