Rtl Dallas

@RtlDallas

Followers
506
Following
15
Media
8
Statuses
35

Joined August 2023
@RtlDallas
Rtl Dallas
14 days
Released my Cobalt Strike BOF for fork & run injection! Features Draugr stack spoofing, PPID spoofing, multiple execution methods, and indirect syscalls for enhanced OpSec. https://t.co/kfiAcfLSaY
6
74
279
@RtlDallas
Rtl Dallas
16 days
I just pushed an update to Draugr. The code is cleaner and easier to use, with macros for indirect syscalls and API calls over a synthetic stack frame. I’ve also updated the README to explain how it works. https://t.co/9pWckvorBi
0
5
22
@quarkslab
quarkslab
1 month
Finding a buggy driver is one thing, abusing it is another. In his latest blog post, Luis Casvella shows you how BYOVD can be used as a Reflective Rootkit Loader! 🚀 ➡️ https://t.co/frVCTiqVTB
0
30
72
@0xKylm
Kylm
3 months
EDRs do nasty stuff, checking call stacks etc. It's possible to spoof it, but remember we're lazy, but our compiler is very, very kind
1
7
54
@0xKylm
Kylm
3 months
You're lazy, I'm lazy, so what if your compiler did the evasion for you? Based on my blogpost from earlier this week: https://t.co/SMvBNycUcX
4
33
129
@RtlDallas
Rtl Dallas
4 months
0
3
48
@DinerHell
Hell Diner
5 months
🔥Release 1.0.1-alpha of Arion is out🔥 https://t.co/AKq90X2JV6 The C++ emulation framework has many new features and is getting more and more stable. Here is a short thread about the main additions:
1
9
25
@RtlDallas
Rtl Dallas
5 months
🚀 MemLoader is live! Run native PE or .NET executables entirely in-memory. Build the loader as an .exe or .dll—DllMain is Cobalt Strike UDRL-compatible, so turning it into shellcode is painless. https://t.co/0zMX6L0ftv
github.com
Run native PE or .NET executables entirely in-memory. Build the loader as an .exe or .dll—DllMain is Cobalt Strike UDRL-compatible - NtDallas/MemLoader
0
70
177
@RtlDallas
Rtl Dallas
5 months
Since I got mentioned in a blog post, can I have a Cobalt Strike hoodie haha? :p
@joehowwolf
William Burgess
5 months
[BLOG] Dynamically Instrumenting Beacon with BeaconGate - For All Your Call Stack Spoofing Needs!
1
1
28
@infosecnoodle
noodlearms
6 months
Short post on an alternative method for obtaining Microsoft Entra refresh tokens via Beacon. Proof of concept BOF is available on my GitHub 🙂
infosecnoodle.com
An alternative technique for obtaining Microsoft Entra refresh tokens (and "family refresh tokens") using beacon on a compromised endpoint.
1
64
161
@_atsika
Atsika
7 months
ProxyBlob is alive! We’ve open-sourced our stealthy reverse SOCKS proxy over Azure Blob Storage that can help you operate in restricted environments 🔒 🌐 https://t.co/KO4AYUDTmb Blog post for more details right below ⬇️
github.com
SOCKS5 proxy tool that uses Azure Blob Storage as a means of communication. - quarkslab/proxyblob
@quarkslab
quarkslab
7 months
Look at those cute little blobs in your internal network. They look harmless, but how about the one carrying SOCKS? It's ProxyBlob, a reverse proxy over Azure. Check out @_atsika's article on how it came to exist after an assumed breach mission ⤵️ 👉 https://t.co/ApZloWD3hl
3
45
112
@RtlDallas
Rtl Dallas
9 months
New update for Draugr! 🙂 Now supports indirect syscalls with a synthetic stack frame. I’ve removed Draugr-Strike and replaced it with Cobalt Strike's process injection kit (Thread Spoof or Early Bird) using indirect syscalls and a synthetic stack frame. https://t.co/9pWckvnTLK
github.com
BOF with Synthetic Stackframe. Contribute to NtDallas/Draugr development by creating an account on GitHub.
0
22
77
@RtlDallas
Rtl Dallas
10 months
Based on Draugr's code for synthetic stack frames, I have created a UDRL for Cobalt Strike's Beacon and post-ex DLLs. The UDRL for Beacon uses BeaconUserData.h to pass memory allocation information to Beacon, making it compatible with the sleepmask kit. https://t.co/BaJjQ56fow
github.com
Cobaltstrike Reflective Loader with Synthetic Stackframe - NtDallas/OdinLdr
0
28
93
@RtlDallas
Rtl Dallas
10 months
CobaltStrike BOF template to make a synthetic stack frame with a randomly chosen gadget for each call. Additionally, a project for remote shellcode injection is included, providing an example of how to use it https://t.co/9pWckvorBi
github.com
BOF with Synthetic Stackframe. Contribute to NtDallas/Draugr development by creating an account on GitHub.
0
40
125
@RtlDallas
Rtl Dallas
11 months
I just released a tool to execute assemblies from unmanaged processes with HWBP/Patching (choice at compilation). For HWBP, I hook threads created by the assembly and thread pooling used by the CLR. https://t.co/xDIvhCvzbK
0
28
96
@0xKylm
Kylm
11 months
With some friends @shard7_ and @abel_theo3 we wrote a pretty cool Linux rootkit, with a hypervisor from scratch and eBPF programs. Still a work-in-progress! Check it out:
github.com
A Linux kernel rootkit in Rust using a custom made type-2 hypervisor, eBPF XDP and TC programs - DualHorizon/blackpill
4
34
104
@RtlDallas
Rtl Dallas
11 months
I just pushed a small update to Svartalfheim. The shellcode is now executed using a spoofed thread, and the stage0 shellcode self-deletes from memory. https://t.co/VM8NuuEROb
github.com
Stage 0. Contribute to NtDallas/Svartalfheim development by creating an account on GitHub.
0
19
64
@RtlDallas
Rtl Dallas
11 months
Svartalfheim: Shellcode for stage 0, Nt API calls made using indirect syscalls, and LoadLibraryA/WinHttp calls performed with return address spoofing https://t.co/VM8NuuEROb
0
23
110
@RtlDallas
Rtl Dallas
11 months
Small update on KrakenMask: I have added stack masking during sleep to avoid detection with HuntBeaconSleep-NG
github.com
Sleep obfuscation. Contribute to NtDallas/KrakenMask development by creating an account on GitHub.
7
24
69
@RtlDallas
Rtl Dallas
1 year
Ulfberht: A Shellcode Loader with Advanced Evasion Features: - Indirect syscalls - Module stomping with LoadLibraryExAPC - RC4 Encryption & UUID Encoding for Payload - Direct Execution Without Creating a New Thread - NoCRT https://t.co/I849ulL58V
github.com
Shellcode loader. Contribute to NtDallas/Ulfberht development by creating an account on GitHub.
1
53
186