thefLink

Here is my variant of Gargoyle for x64 to evade memory scanners. Fully relies on ROP and PIC without any APC. Huge thanks to @waldoirc for the documentation. github.com/thefLink/DeepS…

@GabrielLandau @x33fcon @CaptnBanana Thank you for your feedback :-) We have seen your impressive work and appreciate you sharing it publicly!

Great talk @thefLinkk @CaptnBanana! Have you seen our work? elastic.co/security-labs/… elastic.co/security-labs/… We also have research on detecting spoofed callstacks: elastic.co/security-labs/… Our behavioral detection rules are public: github.com/search?q=repo%… I really like your idea on enumerating/scanning thread pool timer callbacks 🙂

🌟 Don't miss our talk at #x33fcon: "Busting Redteam Trends with Style - Lessons Learned from Building an ETW based Sysmon Replacement from Scratch" 🌟 Join @thefLinkk and @CaptnBanana as they reveal how they built a custom Sysmon replacement to enhance #ThreatHunting and detect advanced threats. Learn more: x33fcon.com/#!s/SebastianF… #Windows #ETW #Research #Monitoring #RedTeam #BlueTeam #PurpleTeam

@GabrielLandau Leistungsdruck.

Is there a term for fear of success, thinking you’ve peaked and will never hit the same high again? I imagine there’s some 30-letter German word for it.

As presented @x33fcon, this bigger update of Hunt-Sleeping-Beacons allows enumerating pending timers and their callbacks to identify timer-based sleepmasks. Additional detection ideas included :-) github.com/thefLink/Hunt-…

Happy to present our team's research @x33fcon together with @CaptnBanana

[RELEASE] EvtPsst a small mute tool developed by me, that abuses exposed SYNCHRONIZE and Token handles in order to get a process handle to the EventLog Process with more access. Blogpost over the techniques will follow in the next days. github.com/nothingspecial… #redteam

Here is a little ETW based tool to play with different IOCs by ImageLoad events. I feel like proxying Kernel32!LoadLibrary through Ntdll is a very strong IOC. :-) github.com/thefLink/Hunt-…

Here is a ETW based POC to monitor for (some) direct and indirect syscalls. Should find multiple open source implementations trying to avoid userlandhooks. github.com/thefLink/Hunt-…

Today we published a new tool to tamper with Sysmon. Uses handle elevation and a SACL bypass to remain difficult to observe using Sysmon itself or Windows Event logs. github.com/codewhitesec/S…

Added an attempt to detect suspicious and blocking callbacks of timers to Hunt-Sleeping-Beacons. Probably detects some C2 using timer callbacks for sleep encryption github.com/thefLink/Hunt-…

@codex_tf2 Electron apps in general are fps I believe :(.

@thefLinkk Discord is an FP 🤔

Just pushed a detection idea for Foliage/AceLdr to Hunt-Sleeping-Beacons. State Wait:UserRequest is triggered by KiUserApcDispatcher? Probably a Beacon :-) github.com/thefLink/Hunt-…

As part of our #x33fcon talk, @invist and @theflinkk release a socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level 😎 Check it out: github.com/codewhitesec/L…

Our @thefLinkk and @TjarkRasche will give a workshop tomorrow at @bsidesbud on creating complex offensive tools as PIC. Come and learn about offensive coding techniques, memory artifacts and benefits of coding tools as PIC.

the callstack scan was inspired by @thefLinkk's github.com/thefLink/Hunt-… (mentioned in the code: #L77" target="_blank" rel="nofollow noopener">github.com/hasherezade/pe…)

Here is another implementation of Hellsgate + Halosgate It makes sure, that all resolved syscalls go through ntdll.dll by reusing syscall;ret instructions from clean syscall stubs. github.com/thefLink/Recyc…

.NET Remoting Revisited – playing around with .NET Remoting led @mwulftange to new insights, some enhancements for @tiraniddo's #ExploitRemotingService, a new universal #YSoSerialNet ObjRef gadget and its counterpart #RogueRemotingServer (1/2) codewhitesec.blogspot.com/2022/01/dotnet…

We are going live tonight at 4 PM EST. Season 5 episode 1 Tonight we gave a special guest @thefLinkk is going to present offensive PIC for red teamers. patreon.com/MrUn1k0d3r ❤ #redteam #Pentesting

Here is an idea to identify running beacons: 1. Beacons ThreadState often is: DelayExecution 2. Calltrace to NtDelayExecution includes unknown regions Works also fine against beacons sitting in file backed memory github.com/thefLink/Hunt-…

PIC your Katz! Say hello to HandleKatz, our position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump() brought to you by @thefLinkk #BruCON0x0D github.com/codewhitesec/H…