Octoberfest7 Profile
Octoberfest7

@Octoberfest73

Followers
4,039
Following
150
Media
58
Statuses
639

Red Team | Offensive Tool Dev | Malware Dev | OSCP | OSEP | RTJC

Joined February 2022
@Octoberfest73
Octoberfest7
10 days
Well that's awkward
12
85
735
@Octoberfest73
Octoberfest7
10 months
On the heels of the recent articles concerning using Microsoft Teams for phishing... tool drop Wednesday #redteam #malware #cybersecurity
6
173
667
@Octoberfest73
Octoberfest7
3 months
I'm excited to release GraphStrike, a project I completed during my internship at @RedSiege . Route all of your Cobalt Strike HTTPS traffic through . Tool: Dev blog: #redteam #infosec #Malware #Microsoft
9
197
621
@Octoberfest73
Octoberfest7
1 year
I’m pleased to release Inline-Execute-PE, a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows exe’s in Beacon memory without dropping to disk or creating a new process each time. #redteam #cybersecurity #malware
5
179
413
@Octoberfest73
Octoberfest7
1 year
I'm sure I'm late to the party, but MSFT put a user-writable folder in $path (%HOMEPATH%\Appdata\Local\Microsoft\WindowsApps)??? OneDrive tries to load a non-existent DLL (Microsoft.UI.Xaml.XamlTypeInfo.dll) making for an easy user-level hijack #malware #redteam #cybersecurity
11
103
409
@Octoberfest73
Octoberfest7
4 months
Found a user-level persistence opportunity when Steam.exe (the game platform) is installed. On boot, it runs "vulkandriverquery64.exe" which tries to load a missing DLL that can be placed in a user-writable location within %PATH%. #redteam #malware #cybersecurity #pentesting
4
87
334
@Octoberfest73
Octoberfest7
10 months
Happy early 4th- TeamsPhisher is out now! Send messages + attachments to external Teams users for the purpose of phishing for access. This short project was a fun departure from all of the BOF and Post-ex stuff I typically focus on. #redteam #Malware
7
126
326
@Octoberfest73
Octoberfest7
2 years
Just finished an article on using XLL payloads for phishing for access. Included is a code snippet as well as test results against Microsoft Defender for Endpoint. Tagging you both in case you want to share with your networks @Dinosn @CyberWarship
8
93
265
@Octoberfest73
Octoberfest7
2 years
Finally pretty much finished my Microsoft Teams CobaltStrike External C2. Even made it position independent so it can be stuck inside my XLL payload or other shellcode runners. Thanks to @0xBoku and @NinjaParanoid for their work which I referenced! #malware #redteam #cyber
2
66
254
@Octoberfest73
Octoberfest7
1 year
Turned back to learning about injection and code execution techniques. TIL with some Nt magic you can spawn any process and make it think it's being loaded from an arbitrary dir, so its DLL search order will start where you tell it to. #redteam #malware #penetrationtesting
5
68
244
@Octoberfest73
Octoberfest7
1 year
I'm happy to release MemFiles (and ~7000 words of research/documentation). Run your favorite tools through CobaltStrike and capture the files they produce in memory instead of writing to disk: #malware #redteam #cybersecurity #cobaltstrike #infosec
2
91
242
@Octoberfest73
Octoberfest7
3 months
Working on a pretty scary project. I combined @C5pider Stardust and @joehowwolf recent LLVM obfuscation work. ENDLESS_WALTZ produces unique PIC .bin's each time it's run (== unique agents each compile...) L is normal Stardust, M+R are the same code but different runs of EW
7
45
226
@Octoberfest73
Octoberfest7
11 months
Here is my latest, DropSpawn. This is a CS BOF used to spawn additional beacons via a little-known DLL hijacking method that I posted about ~2 months ago. Use as an alternative to process injection and force most any System32 exe to load an arbitrary DLL
3
78
219
@Octoberfest73
Octoberfest7
1 year
With just a few modifications, @GabrielLandau 's incredible PPLFault () runs through Inline-Execute-PE 😲Here I have modified it to kill the specified PPL protected process MsMpEng.exe. Excited to take a deeper dive into the tool and scrub for OPSEC
2
63
201
@Octoberfest73
Octoberfest7
1 year
Super stoked and proud of the project I am currently working on. Introducing MemFiles, a CobaltStrike suite that will capture any files that Beacon tries to write to disk and place them in memory instead for exfiltration. Coming soon... #malware #redteam #cybersecurity
3
43
182
@Octoberfest73
Octoberfest7
1 year
It gets better, two NtApi's are all you need to create a process and set "The folder from which the application loaded" to a location of your choosing for DLL sideloading. No WriteProcessMemory or modification of remote PEB required to cover tracks either: #malware #cyber
6
45
164
@Octoberfest73
Octoberfest7
2 months
Check out my latest blog post released during my internship at @RedSiege where I explore how a method for dumping LSASS popularized in 2019 can avoid detection by Microsoft Defender for Endpoint in 2024: #Malware #redteam #infosec #CyberSecurityAwareness
5
60
164
@Octoberfest73
Octoberfest7
10 months
Original concept for Inline-Interactive-PE was using a socks proxy and connecting via proxychains + nc to a port bound on loopback by Beacon... I cut out the socket part entirely and now just use a BOF to send/retrieve within CS console. Run PE commands and CS commands B2B :)
1
32
142
@Octoberfest73
Octoberfest7
8 months
Tool drop Thursday! Enjoy a mature and operational CobaltStrike BOF of CVE-2023-36874 Windows Error Reporting Local Privilege Escalation. Patch your machines people. Thanks to @filip_dragovic for his work. #redteam #cybersecurity #cobaltstrike #malware
3
59
127
@Octoberfest73
Octoberfest7
1 year
Sneak peek: Inline-Execute-PE. This is a suite of BOF's for CobaltStrike that allow a user to load an unmanaged PE into beacon memory and run it repeatedly without spawning a new process each time. Tested w/ dsquery, mimikatz, sysinternals, etc #malware #redteam #CyberSecurity
2
24
126
@Octoberfest73
Octoberfest7
4 months
👀Coming soon...
3
5
122
@Octoberfest73
Octoberfest7
2 years
@Alh4zr3d If you'll forgive the shameless plug, I did some similar research on using powershell and nslookup to download + execute a .exe payload using MDE as a testbed. Very similar concept but I opted for MX records because TXT was raising eyebrows
4
35
116
@Octoberfest73
Octoberfest7
22 days
I spent the past couple days playing with and contributing to @R0h1rr1m 's Shoggoth project (), which can turn PE's and BOF's into PIC. Super cool project, and one that opens up some interesting possibilities 😉
1
36
116
@Octoberfest73
Octoberfest7
11 months
Some major progress on Inline-Interactive-PE. I can now map PE's within the Beacon process and then connect over socks proxy with netcat in order to run commands interactively. CTRL + C in netcat and you can go reconnect later to the same session #redteam #cobaltstrike #tooldev
4
32
115
@Octoberfest73
Octoberfest7
1 year
I haven't gotten a chance to dig into this, but this looks like a promising collection of BOF's dropped by a new account on Github
1
30
94
@Octoberfest73
Octoberfest7
3 months
🚨I just found a user on GitHub hosting backdoored versions of Offsec-related tools. RTLO .scr files masquerading as VS .sln files in C# projects and what appears to me to be backdoored .git files in Python projects. Just went up & ongoing. #malware
5
37
92
@Octoberfest73
Octoberfest7
1 year
Tryhard Thursday. Shspawn is old school, how about rportfwd -> webdav server with malDLL on attack box -> DLL Application Directory Hijack -> New beacon in arbitrary process with a DLL that doesn't reside in the target network #malware #redteam #penetrationtesting #cobaltstrike
5
35
90
@Octoberfest73
Octoberfest7
1 year
Working on porting MemFiles() to other C2's. Have it working with Havoc. Will be taking a look at Sliver next, it'll be my first foray into Go, cross your fingers
2
15
87
@Octoberfest73
Octoberfest7
1 year
Just pushed an update for Inline-Execute-PE. You can now load the PE from the target machine instead of sending it remotely; useful for LOLBINs without creating a new process and avoiding versioning issues
0
34
87
@Octoberfest73
Octoberfest7
9 months
Had an idea and needed some more info on how UAC works under the hood. I found a very impressive article; the kicker is that it is from 2008! Always blows me away the obscure gems you can find
1
21
87
@Octoberfest73
Octoberfest7
2 months
Malware devs who have written in Rust, what are your thoughts? Does simply writing the same tool in rust instead of c or c++ offer any real advantage in evasion? Also wondering how prohibitive the language is when it comes to interacting with low level OS components and API
17
1
82
@Octoberfest73
Octoberfest7
1 year
Super cool. Tested on Win11 and Win10 22H2, certain things on system become unresponsive until msmpeng is resumed. But doing this through a Beacon using Inline-Execute-PE, beacon continues to function just fine. So suspend, do your opsec unsafe stuff, cleanup, restore?
@0gtweet
Grzegorz Tworek
1 year
Looks like the weirdest AV evasion I have ever seen. 1. Not all MsMpEng.exe versions allow to be suspended. 2. You may need to wait before your malware finally starts.
22
230
794
1
17
80
@Octoberfest73
Octoberfest7
5 months
It's not new, but good work deserves a shoutout regardless. Great article from @zyn3rgy on running tools from a Windows attack platform through a SOCKS proxy. Lots to be said for avoiding IOC's on target but still being able to leverage powerful tools.
1
22
78
@Octoberfest73
Octoberfest7
3 months
I'm looking for work! I'll be out of the military and available June 1st 2024. Looking for offensive tool dev / red team roles and would love to chat with anyone who might know of a good fit. #Malware #redteam #offsec #CyberSecurity #infosec
4
29
75
@Octoberfest73
Octoberfest7
8 months
Anyone playing with CVE-2023-36874 LPE? According to crowdstrike( ) it involves making a symlink between c:\ and a user-writable folder so that WER starts a malicious wermgr.exe. It strikes me that being able to symlink c elsewhere should open a lot of LPEs
10
23
76
@Octoberfest73
Octoberfest7
1 month
This April Fools Day, I'm excited to release my latest research and blog post from my time at @RedSiege : SSHishing. The name might be a joke, but the technique isn't! Read the details here: #infosec #CyberSecurity #redteam #malware
6
30
73
@Octoberfest73
Octoberfest7
11 months
Started doing a HTB prolab with CobaltStrike and got frustrated because CS's lack of an interactive shell caused headaches right away. Have a POC to bind a loopback port and then use a socks proxy to connect to a powershell.exe instance mapped inside another process <1/2>
4
15
73
@Octoberfest73
Octoberfest7
1 year
This has been a very challenging project for me with several 15-20 hour long roadblocks, but MemFiles is coming along. Can now successfully run SharpHound using Inline-ExecuteAssembly and have all files output into memory (instead of disk), ready for download
2
5
70
@Octoberfest73
Octoberfest7
1 year
Not sure how useful this is in practicality, but what I've decided to dub 'DLL application directory hijacking' that I and others have been posting about the last few days also works with UNC paths:
1
15
70
@Octoberfest73
Octoberfest7
2 years
Finished V2 of BeatRev- a POC to frustrate/defeat Mal Analysts and Rev Eng's by 'keying' malware to a victim. Incorporated RDLL's, UUID's, and AV evasion. Full codebase has been released, hopefully you enjoy @Dinosn #malware #cybersecurity #infosec
1
32
63
@Octoberfest73
Octoberfest7
1 year
Recently attended KFiveFour's TradecraftCON conference. I presented two talks: 1. XLL Phishing 2. CobaltStrike External C2 Via Microsoft Teams I have uploaded the slide decks here if anyone wants to check them out: #CyberSecurity #redteam #malware
0
26
63
@Octoberfest73
Octoberfest7
1 year
This project is ~2 months old but just now releasing it again, a small Aggressor script to help Operators track files that are uploaded to target machines in the interest of aiding the logging of artifacts and cleanup at the end of an operation.
0
15
59
@Octoberfest73
Octoberfest7
2 years
Wrote a POC to 'key' malware to a specific victim box to protect it from rev engineers/malware analysts. Aes encrypts real payload and deletes on failed run. Love to hear from Blue Teamers. #infosec #maldev #BlueTeam #redteam @0xBoku @NathanMcNulty
5
25
59
@Octoberfest73
Octoberfest7
2 months
When this makes it to prod and circulates throughout client environments over the next 5 years there might be some things to look at here 👀
2
25
54
@Octoberfest73
Octoberfest7
1 year
I came across @the_bit_diddler 's github and he has an impressive collection of CobaltStrike BOF's that are worth checking out. I've already found a few functions within some of their projects I can envision a use for in mine.
1
20
53
@Octoberfest73
Octoberfest7
1 month
According to VT and MDE, ssh.exe is our friend 🙂
3
3
50
@Octoberfest73
Octoberfest7
4 months
😵‍💫I just found out that the default .cna script that CobaltStrike uses to define the UI is available for download. Talk about a wealth of examples:
2
9
48
@Octoberfest73
Octoberfest7
1 year
Wrote a quick and dirty Aggressor script for CobaltStrike to help Operators track uploaded files during an engagement. Tracks date/time, upload location, local file, md5 hash and persists across CS Client sessions. #cobaltstrike #Pentesting #redteam
0
13
42
@Octoberfest73
Octoberfest7
4 months
Received my confirmation for Outflank’s upcoming training. Looking forward to it 🙂
5
1
41
@Octoberfest73
Octoberfest7
5 months
Man it’s nice having an interesting project to work on! In the future I’ll be releasing a tool that red teamer’s who use CobaltStrike should have a good bit of interest in… APT 28 fans keep your eyes out 👀
1
0
39
@Octoberfest73
Octoberfest7
7 months
I may look at adding this to TeamsPhisher given the recent fix for group chats. Great research from pfiatde as always.
@pfiatde
pfiatde
7 months
The new Teams splash screen warning for external participants is nice and a big improvement (after almost 2 years), but can be bypassed quite easily by using the meeting-chat. Details on my blog.
2
27
80
2
6
37
@Octoberfest73
Octoberfest7
1 year
I'm pretty siloed to CobaltStrike; what other major C2's support BOF's with minimal/no modification? I know Sliver and Metasploit do. Brainstorming how I could make some of my projects C2-agnostic as long as they support BOF's but need a feel for how useful that would be
8
4
36
@Octoberfest73
Octoberfest7
1 year
Just pushed an update to MemFiles, which will now better track + use the filepointer as set by programs when writing data. This fixes the issue with procdump where the .dmp files couldn't be properly parsed.
1
14
36
@Octoberfest73
Octoberfest7
1 year
M365 Insider Preview now blocks XLL's from the internet () by adding MOTW. Not to worry though, with a few more steps and some social engineering, XLL's are alive and well for phishing for access. #malware #redteam #microsoft #PenetrationTesting
0
9
36
@Octoberfest73
Octoberfest7
1 year
For those who have dev'd against EDRs that hook (crowdstrike, S1, etc), is removing hooks a detection in itself? I.e. Will the EDR examine a process and see its hooks aren't there anymore and alert on that? Wondering if unhook->run code->rehook->sleep repeat might be useful?
3
4
36
@Octoberfest73
Octoberfest7
2 months
Would an initial access vector that results in a tunnel/socks proxy to the target network but no hashes or implant/further code execution on the device be useful? Also have concerns about remote work, possible to infect a work device and have a tunnel to someone's home network.
11
2
34
@Octoberfest73
Octoberfest7
4 months
I know that MDE detects and blocks this technique (Gabriel kindly worked with the MDE team to facilitate this), but I do wonder about other EDR vendors out there
@GabrielLandau
Gabriel Landau
4 months
Friendly reminder that these 476-day kernel and PPL exploits still work on fully-patched 23H2. Happy January pwnage! #NotASecurityBoundary
3
93
314
1
3
31
@Octoberfest73
Octoberfest7
3 months
For anyone wanting a deeper dive into the development process and theory behind GraphStrike, consider checking out the long-form blog I wrote. #infosec #redteam #malware #CyberSecurity
@RedSiege
Red Siege Information Security
3 months
🛠️ DEV BLOG 🛠️ READ: With the release of GraphStrike, go deeper into the anatomy of the tool development with @Octoberfest73 . including the research, viability and technical design! #hacking #infosec
1
8
32
3
8
33
@Octoberfest73
Octoberfest7
27 days
It feels like the pace of OST releases has dropped in the last year or so. Just me or have others felt this as well?
8
1
30
@Octoberfest73
Octoberfest7
10 months
P.S. I will be getting out of the military in less than a year and looking for red team and offensive tool dev roles. Keep me in mind :)
6
5
28
@Octoberfest73
Octoberfest7
1 month
Friendly reminder whether you’re designing malware or protecting against it, normal users don’t see computers the same way you do. I have to remind myself sometimes that a black box flickering momentarily, or a consent prompt from MOTW don’t raise the same alarms they do for us
2
6
26
@Octoberfest73
Octoberfest7
2 years
Been out for a bit now, but this is a BOF combo of KillDefender and Backstab. Strip a process of its privs and integrity (defender), and kill PPL protected processes in order to 'revert' them (by manually starting or service) @Dinosn @ptracesecurity
1
13
25
@Octoberfest73
Octoberfest7
10 months
Is CobaltStrike's lack of secure staging actually a big deal for anyone? There are ways to control who can request the stage via redirectors, but I'm more talking about being MitM'd and your stager running something it shouldn't
5
4
25
@Octoberfest73
Octoberfest7
4 months
Broad question: how much would you/your org be willing to pay as a one-time fee to access a high quality offensive security tool via private GitHub page? $50-100? I figure with a sponsorship model a lot of folks will pay for a month, grab all the code, and cancel anyways
20
1
25
@Octoberfest73
Octoberfest7
8 months
Can someone help me understand this? Win11, just installed Aug monthly patch, WDAV enabled + tamper protection. Using elevated powershell and set-mppreference to add an exclusion path prompts UAC; saying 'No' to UAC prompt still results in the exclusion path being added
4
3
25
@Octoberfest73
Octoberfest7
3 months
@HackingLZ I’ve grinded awfully hard the last several years to make a name for myself and secure future employment. But for my own sake I hope to diversify my hobbies and find something else besides just work.
1
0
23
@Octoberfest73
Octoberfest7
1 year
This is some fantastic research and tooling that I plan on digging into👀fantastic work @x86matthew
0
5
23
@Octoberfest73
Octoberfest7
2 months
Mixed thoughts. It was eye opening reading threat intel regarding threat actors actively using some of my tooling. Then again, MSFT was very aware of and deliberately chose to do nothing to mitigate the vulnerability until my tool went public and made it easy to abuse. 🤷‍♂️
0
0
23
@Octoberfest73
Octoberfest7
8 months
Had some fun playing with a priv persistence method using SetConsoleCtrlHandler and SetProcessShutdownParameters. Make beacon wait until after AV has exited to drop to disk when machine shuts down/reboots; and drop to disk as a missing DLL that is loaded before AV starts on boot.
1
0
21
@Octoberfest73
Octoberfest7
1 year
Any hot tips for working in bloodhound with large data sets (10k+ hosts, 30k+ users) besides "don't try and visualize anything that has a 4+ digit number"?
8
3
19
@Octoberfest73
Octoberfest7
6 months
Shower thought: You have System on a workstation and are looking to move lat. What are your thoughts IRT hooking a normal user functionality and popping a 'xxx isn't working, please contact the support team' to coerce a workstation admin / DA to log in for token or cred theft?
5
2
20
@Octoberfest73
Octoberfest7
1 month
I swear there was an article released in the last ~year advocating for running as much tooling as possible over the network via tunnels instead of on a compromised host; does this ring any bells for anyone?
5
2
18
@Octoberfest73
Octoberfest7
1 year
Inconsistency across versions with the OneDrive DLL hijack I posted. Same OD consumer version works on Win10Pro, doesn't on Win11Ent, a later ver Win11E ODc works, a later ver Win11P OD enterprise version works. Oh and all versions seem to be past what OD release notes list
3
5
19
@Octoberfest73
Octoberfest7
1 year
@HackingLZ @0xBoku has a nice POC doing this, using graph api with drafts in azure outlook I used his as a reference for my own project, using graph API to send c2 traffic as Teams messages & files to/from SharePoint. Mine was a CS external C2 tho, not full custom C2
2
2
19
@Octoberfest73
Octoberfest7
1 year
So predictably MSFT just slapped MOTW onto XLL's coming from the internet. It slightly complicates the attack chain but if you can get the victim to run powershell, jscript or vbscript to remove MOTW you can still leverage XLL's to do the heavy lifting for you
@BleepinComputer
BleepingComputer
1 year
Microsoft Excel now blocking untrusted XLL add-ins by default - @serghei
1
38
86
2
6
19
@Octoberfest73
Octoberfest7
6 months
Hats off to all of the devs who build GUIs. It’s right up there with the most frustrating and least entertaining programming I’ve ever done.
0
0
18
@Octoberfest73
Octoberfest7
2 months
Resisting the urge to title my next research 'sshishing'
3
0
17
@Octoberfest73
Octoberfest7
3 months
My takeaway / question to the industry is: Has the line between a pentest and a red team assessment been significantly blurred, and if so is this just due to poor understanding of the differences and people mixing terminology, or is it because of the evolution of EDR & security?
@assume_breach
assume_breach
3 months
I wrote this to try to bring some reality to people trying to break into cyber. People will disagree with some (all) of it but hopefully somebody benefits from what I saw when I worked as a pentester.
54
198
811
7
0
16
@Octoberfest73
Octoberfest7
6 months
@ale_sp_brazil C++ is confusing to read even before it has been compiled
1
0
17
@Octoberfest73
Octoberfest7
8 months
I went back and checked out my TeamsPhisher tool again now that almost two months have passed; it still works, but Microsoft has added an "External" marking on attached files... which is progress I guess?
1
0
17
@Octoberfest73
Octoberfest7
2 years
My latest research on a strategy for persistence and egress in networks utilizing authenticated web proxies. No hard code examples, but might be of interest to penetration testers and red teamers who run up against similar challenges. @Dinosn
1
10
17
@Octoberfest73
Octoberfest7
3 months
@TheDFIRReport I think it's circumstantial. For an org with an internal red team, blue uploading red's tooling to VT is just costing the company money when red has to go back and spend additional dev cycles
1
1
17
@Octoberfest73
Octoberfest7
1 year
Small little Aggressor script release. Custom aliases don't feature tab-complete which can be a pain when specifying filepaths, so use the underlying linux OS 'locate' command to find matches and easily copy/paste the result you want.
0
7
17
@Octoberfest73
Octoberfest7
3 months
Way more people should be looking at this.
@SpecterOps
SpecterOps
3 months
To RBI or Not to RBI? That is the Question! 🤨 Lance Cain & Alexander DeMine unpack Remote Browser Isolation, the methods our consultants have researched to successfully circumvent this technology & their recommendations regarding its use.
2
24
61
0
2
17
@Octoberfest73
Octoberfest7
1 year
It still blows my mind that the "Unblock-File" cmdlet exists allowing you to remove Mark-of-the-web from files, even in constrained language mode...
1
0
16
@Octoberfest73
Octoberfest7
12 days
@RedTeamTactics It never left
1
0
16
@Octoberfest73
Octoberfest7
10 months
😅Never expected to have an article in BleepingComputer about my work! Thanks @billtoulas for the write up!
@BleepinComputer
BleepingComputer
10 months
New tool exploits Microsoft Teams bug to send malware to users - @billtoulas
4
166
251
1
1
15
@Octoberfest73
Octoberfest7
1 month
Ok I need a sanity check- All of my past experience (+the internet) says nmap through proxychains you need to use '-Pn -sT' to disable ping discovery + use a connect scan. Now doing so, all ports return open/false positive, but doing a -sS scan accurately reports results. WTF?
6
5
15
@Octoberfest73
Octoberfest7
3 months
You know you're sick when you are spending free time on a Saturday reading about DCOM 🙃
3
1
16
@Octoberfest73
Octoberfest7
10 months
This looks really promising. Great how-to writeup, will be interested in taking a closer look at this in the future.
@dec0ne
Mor Davidovich
10 months
Watched @ustayready webcast yesterday and decided to try implement the technique myself. Got it working and as a POC plant DLL in Teams folder to be sideloaded for persistence / code exec. Very cool initial access technique. Amazing work @ustayready Blog:
9
52
170
0
6
16
@Octoberfest73
Octoberfest7
2 years
You can create custom MS Teams apps + distribute by sending a .zip that contains a manifest file. When loaded by user into Teams, Teams reaches out to remote server where the app(.dll) is hosted and loads it... couple hoops to jump thru and org setting dependent but hmm...
1
3
16
@Octoberfest73
Octoberfest7
3 months
Teamsphisher isn't dead anymore 🙃👀
@almartiros
Alex Martirosyan
3 months
Microsoft Teams (old client) splash warnings were annoying to bypass manually. I just made a new pull request to implement the new bypass identified by @pfiatde where the sender is removed from the group chat after the initial message. @Octoberfest73
4
17
57
0
0
13
@Octoberfest73
Octoberfest7
8 months
That I have more followers than Gabriel is insane. If you aren't already, you need to follow him and check out his research. It's always impressive.
@GabrielLandau
Gabriel Landau
8 months
Forget vulnerable drivers - Admin is all you need Article 👉 👇 Demo - enable sound 🔊
14
144
378
1
3
15