Rtl Dallas (@RtlDallas)
64 posts · Joined August 2023 · 185 Following · 676 Followers

Rtl Dallas retweeted
Atsika (@_atsika):
🚨 ProxyBlob update just dropped 🚨 This cute little blob becomes even more versatile, as it can now be compiled into WASM 📦 It won't work in your browser, but it will certainly run in JavaScript runtimes such as Node.js, Bun, Deno, etc. 👉 github.com/quarkslab/prox…

Rtl Dallas retweeted
Atsika (@_atsika):
🥳 ProxyBlob V2 is now available 🎉 As promised, here is the new version of ProxyBlob, boosted with aznet. Az-what 🤔? This version introduces a new Go module called aznet that allows you to use Azure storage services (not just blobs 😏) as a direct replacement for net.Conn! 🏎️github.com/Atsika/aznet 🌐github.com/quarkslab/prox… Complete documentation is available in the aznet repo to understand how it works 📚

Rtl Dallas (@RtlDallas):
Huginn Project: Project to generate COFF-format shellcode with API for:
- Indirect syscall API
- Stack Spoofing
- Proxied LoadLibraryA calls
Great for UDRLs, stage0 and OPSEC-conscious shellcode. github.com/NtDallas/Huginn

Rtl Dallas retweeted
Cobalt Strike (@_CobaltStrike):
Playing in the (Tradecraft) Garden of Beacon and finding Eden. Learn how to utilize Crystal Palace, an open source project from Cobalt Strike creator Raphael Mudge, to rapidly combine different capabilities to create novel loaders/PIC tradecraft. cobaltstrike.com/blog/playing-i…

Rtl Dallas (@RtlDallas):
Hi, I just pushed an update on OdinLdr. I have added an EAF Bypass to resolve function addresses; NtApi calls are now made with indirect syscalls and a synthetic stack frame. The majority of the code has been rewritten to be cleaner. github.com/NtDallas/OdinL…

Rtl Dallas retweeted
SpecterOps (@SpecterOps):
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma

Rtl Dallas (@RtlDallas):
@Cyb3rMonk @magnetgang With an executable in C, like printspoofer for example, you can allocate a memory region, write the file into this region, patch it and run it by jumping to the entry point.

Rtl Dallas (@RtlDallas):
@Cyb3rMonk @magnetgang You can do module stomping for an unmanaged process (C/C++ for example), but for an assembly, when you load it with Load_3, the bytecode (assembly data) needs to be in a SafeArray.

Jean (@Jean_Maes_1994):
@RtlDallas Actually I'm wrong, seems yours is more feature rich :) well done!

Rtl Dallas (@RtlDallas):
@Jean_Maes_1994 Yes, all of that code (Donut, InlineExecute-Assembly, the implementations in NH or BRC4) uses the same method to run an assembly and receive its output. The big difference is in the implementation, and in particular in the evasion.

Jean (@Jean_Maes_1994):
@RtlDallas Isn't it very similar? Maybe I didn't look close enough, but at first glance looks very similar. Nevertheless, more options is never bad :)

Rtl Dallas (@RtlDallas):
@harold9850 Hi, I tested my BOF on a VM with CrowdStrike and it works, BUT it's not a silver bullet. The results can differ depending on the assembly's behaviors, the potential presence of custom rules by the BT, the execution conditions, ...

tom square (@harold9850):
@RtlDallas BOFs don't work against top EDRs like CrowdStrike. In fact, Cobalt Strike is a useless C2 in 2026. Most top EDRs have now been trained to detect Cobalt. Sliver is useless too.

Rtl Dallas retweeted
klez (@KlezVirus):
[RELEASE] As promised, I’m releasing the first blog post in a series. It covers the gaps still present in current stack-based telemetry and how Moonwalking can be extended to evade detection logic and reach “on-exec” memory encryption. Enjoy ;) klezvirus.github.io/posts/Moonwalk…

Rtl Dallas retweeted
Damag3dRoot (@Damag3dRoot):
Can't use your favorite impacket tools in FAST-armored domains? Fear no more! BreakFAST is a small utility to demonstrate how Kerberos FAST armoring can be bypassed without local access to LSASS! Check out the repo: github.com/monsieurPale/B…

Rtl Dallas retweeted
Damag3dRoot (@Damag3dRoot):
Small tool to create undetectable backdoored RSA keys, ideal for supply chain compromise scenarios: github.com/monsieurPale/R…

Rtl Dallas (@RtlDallas):
Btw, I'm just kidding, this CobaltStrike update is really cool :)

Rtl Dallas (@RtlDallas):
A new C2 has just appeared today, HavocStrike.