Sean Hopkins

Fun little time sink creating a red team logger. Feel free to play around, give some feedback, and if there is enough interest I'll put some more time in to it. github.com/seahop/Clio

Published the source if anyone fancies a look. github.com/crystal-c2 No docs or pre-built releases yet, so expect to be confused :)

The Only Git Command List You'll Need to Bookmark → Daily Lifesavers: • git status — Your repo’s daily health check • git add . — “Take everything, I’m ready” • git commit -m "msg" — The diary entry for your work • git push — Send it to the world • git pull --rebase — Fresh updates, minus the merge mess → Branch Magicians: • git branch — Show me all timelines • git checkout -b feature-x — Start a new adventure • git switch main — Jump between universes • git merge feature-x — Combine worlds • git rebase -i HEAD~5 — Rewrite history like a pro → Debugging Detectives: • git log --oneline --graph --decorate — Visual crime scene • git diff — What changed? Who changed it? Why?? • git blame {file} — Name and shame (lovingly) • git bisect — Find that one evil commit • git fsck — Check repo sanity → Oops Fixers: • git restore . — Undo accidental chaos • git reset --hard HEAD~1 — Delete the last mistake • git checkout -- {file} — Bring back a lost file • git stash — Hide your unfinished sins • git reflog — The ultimate undo time machine → Collaboration Superpowers: • git fetch --all — Pull updates, no drama • git remote -v — Show your repo connections • git pull origin main — Sync with the team • git push -u origin branch-name — Set an upstream buddy • git cherry-pick {hash} — Borrow just one commit from another branch → Release Masters: • git tag -a v1.0 -m "first release" — Stamp your moment • git tag — All milestones at a glance • git push --tags — Ship your releases • git describe --tags — Find where you are in release land • git archive --format=zip HEAD > release.zip — Pack and ship your code → Cleanup Crew: • git gc — Garbage collector for your repo • git prune — Get rid of unreachable commits • git clean -fd — Delete untracked files (danger + power) • git reset --soft HEAD~1 — Undo commit but keep changes • git branch -d feature-x — Remove dead branches → Power User Tricks: • git config --global alias.s status — Create your own shortcuts • git show {hash} — Peek into a commit’s soul • git shortlog -sn — Who contributed how much? • git worktree add ../dir branch — Work on multiple branches at once • git grep -n "text" — Search inside the repo like a detective What are YOUR go-to Git commands?

Custom Mach-O Image Loader with in-memory Mach-O loader github.com/FFRI/XPRTestSu… #redteam

Reduced Docker image size from 2.1GB to 180MB. Deployments 8x faster. The original Dockerfile: - Started with ubuntu:latest - Installed everything via apt - Included dev dependencies - Copied entire project directory - Left build artifacts - No layer optimization The problems: - Pull time: 6-8 minutes - Registry storage costs high - Deployment took forever - Security scan found 47 vulnerabilities - Most from unnecessary packages What we optimized: 1. Base image - ubuntu:latest (2.1GB) → alpine:latest (5MB) 2. Dependencies - Removed dev dependencies - Multi-stage build - Only production packages 3. Layer caching - Copied requirements first - Installed dependencies - Then copied source code - Leveraged Docker layer cache 4. .dockerignore - Excluded .git, tests, docs - Removed 800MB of files The new image: 180MB The impact: - Pull time: 6min → 45sec - Build time: 8min → 2min - Deploy frequency: 2x per day → 15x per day - Registry costs: $340/month → $60/month - Security vulnerabilities: 47 → 3 - Kubernetes pod startup: 90sec → 12sec Every MB in your image costs time and money. Optimize Docker images like you optimize code.

Forget common backdoors — a DLL hijack in Windows Narrator can grant SYSTEM-level persistence at login. In our new blog, @Oddvarmoe shows how attackers abuse accessibility features and what defenders should monitor. Read now! trustedsec.com/blog/hack-cess…

A Rust-based tool that generates Windows PE executables containing data patterns designed to trigger YARA rule matches. github.com/Sam0rai/guilty…

rolled out a bof for getting the dpapi_system key used by mimikatz /system: when ingesting master keys. If that's something you need it's live at github.com/trustedsec/CS-…

Last month, @d_tranman and I gave a talk @MCTTP_Con called "COM to the Darkside" focusing on COM/DCOM cross-session and fileless lateral movement tradecraft. Check out the slides here: github.com/bohops/COM-to-… Recording should be released soon.

Redirect any Windows TCP and UDP traffic to HTTP/Socks5 proxy github.com/InterceptSuite…

@_RastaMouse But RTOIII

I found it far more enjoyable doing string replacements in Aggresor than in the C2 profile because the feedback loop is so much quicker - no need to stop/start the server after every change.

Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm

@_nextjenn Dark mode transcends types of phones. All hail dark mode.

@_seahop Bold of you to assume this screenshot wasn’t from a burner phone

If you/friends/fam have Facebook app installed, check these settings as FB is silently switching them on

[Crystal Kit] Evasion kit for Cobalt Strike. github.com/rasta-mouse/Cr…

My very first Crystal Palace shared library 🤗 github.com/rasta-mouse/Li…

Why should Microsoft's Nested App Authentication (NAA) should be on your security team's radar? @Icemoonhsv breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3

EDR vendors secure their sales pipelines but neglect monitoring GitHub for exposed installer tokens -leaving customers vulnerable to abuse and over-licensing. Adversaries likely exploit these tokens to build sandboxes for payload testing. Here are search patterns to help identify these exposures and push vendors toward better security practices: CrowdStrike: Base: - Falcon - falconctl - CrowdStrike - FalconSensor_Windows Filters: - /[A-Za-z0-9]{32}-[0-9]{2}/ Example Queries: crowdstrike /CID=[A-Za-z0-9]{32}-[0-9]{2}/ NOT owner:crowdstrike - crowdstrike falcon /[A-Za-z0-9]{32}-[0-9]{2}/ NOT "1234567890ABCDEF1234567890ABCDEF-12" SentinelOne: Base: - SITE_TOKEN - sentinelctl - SentinelOne - SentinelOneInstaller Filters: - 5zZW50aW5lbG9uZS5uZXQiL - eyJ1 Example Queries: - SITE_TOKEN 5zZW50aW5lbG9uZS5uZXQiL - Sentinelone language:powershell eyJ1 Carbon Black: Base: - COMPANY_CODE - installer_vista_win7_win8 Filters: - /COMPANY_CODE=[A-Z0-9]{19}/ Example Queries: - installer_vista_win7_win8 /COMPANY_CODE=[A-Z0-9]{19}/ Note: Add "s3" to any base term search to find publicly hosted installer binaries. Vendors must apply the same rigor to token management as they do to sales - protecting customers from licensing abuse and denying threat actors easy sandbox setup.

Beyond Beacon: Writing BOF and a Native Rust COFF Loader malware-decoded.com/rust-bof-coff-… #redteam

I was today years old when I learnt that you can run ELF using ld-linux. Useful when the executable bit is not set (and you can't change it).

Solid overview of OPSEC considerations when operating with Sliver C2 by @zimnyaatishina 💪 #redteam #c2 #malware #opsec tishina.in/opsec/sliver-o…