Pentesting, scripting, pwning!

Joined January 2019
Pinned Tweet
This year it happened. What started as a spare time hobby and fun project became a commercial product for the Offensive Security community. I founded a company, @MSecOps . And this company will sell a Packer to Red Teams or Pentesters. (1/x) 🔥
🔥 Introducing RustPack 🔥. RustPack is an evasive Packer/Loader that is capable of bypassing common AV/EDR vendors. It accepts user-provided known malicious input payloads, such as shellcode, C# assemblies or portable executables (PE). Those inputs are encrypted, and decrypted at runtime by a newly generated non-malicious payload. This process is known as packing or crypting.

Some Features:
- Each payload looks different, making signature creation more difficult.
- Userland hooks are bypassed by default for each generated payload.
- The encryption key is never fully embedded in the final payload but always retrieved at runtime. This is good for bypassing emulators or automatic unpacking engines.
- Encrypted payloads can also be decoupled from the new binary to load them from a remote location at runtime.
- Multiple Anti-Debug techniques are applied to each payload by default.
- Environmental Keying and Anti-Sandbox options included.
- No cloud service. The software is delivered to the customer as a closed source solution.

Evasion options:
- Several AMSI bypass techniques ranging from Patching to using Hardware Breakpoints
- Multiple optional ETW bypasses
- Support for Module stomping
- OPSec safe remote injection techniques such as ThreadlessInject or a customised Caro-Kann technique

The tool is still under active development and lots of features/demos/etc. will follow. Some more information can be found here: msecops.de/products #redteam #pentesting #pentest #OST
S3cur3Th1sSh1t retweeted
Jun 13
Releasing Tunnel Vision Toolkit, part of my @x33fcon talk on Microsoft Global Secure Access. Includes BOFs to assist in engagements where you face GSA, plus a rogue client that lets you connect to internal resources from unmanaged devices. github.com/ar0x4/tunnel-visi…
Team Event in Gdynia at @x33fcon, what could be better 🔥🔥
S3cur3Th1sSh1t retweeted
JavaScript escaped the browser. JS-Tap v3 followed it. In our new #blog, Principal Security Consultant @hoodoer introduces three new beacons targeting the Electron apps, browser extensions, and Node runtimes running on corporate workstations. Read it now! hubs.la/Q04lbHYc0
Time for the pirate ship again @x33fcon 🔥
After “The Art of Evasion” @x33fcon I’m publishing NimSyscallPacker to the public. This is the most advanced public Packer/Loader I’m aware of: github.com/S3cur3Th1sSh1t/Ni…
S3cur3Th1sSh1t retweeted
"The Art of Evasion" talk at #x33fcon by @ShitSecure - x33fcon.com/#!s/FabianMosch.…
S3cur3Th1sSh1t retweeted
It’s hilarious that they made a huge deal about the cyber capabilities for months and then when they rolled it out, they’ve blocked the actual utility of the model by prohibiting cyber use 🤣 And yes this includes trusted testers. Like, what was the point in even releasing it?
Mythos is amazing.
S3cur3Th1sSh1t retweeted
New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker
S3cur3Th1sSh1t retweeted
Jun 4
Dear @github @Microsoft and @MsftSecIntel. Thank you for your service. I have lost all hope in you guys. As a Windows security researcher whose intent was to help beginners and contribute to open source security tooling, and I had so much respect towards @Microsoft, that thought was changed today and I am leaving. I have left enough evidence in the ticket session. It would be better if a security researcher from GitHub might actually take a look at these. Thank you and bye to the community..... Hereafter you will not see posts about GitHub issues. Ticket ID: #4440743 #github #msft #defense #unlawful
S3cur3Th1sSh1t retweeted
Can you fix Opus 4.8/4.7 to work for offensive security with proper cyber validation approval? I’m a big fan of Claude code but at this point it’s unusable. 4.6 is usable but it’s hard to justify/advocate for the spend of a model 2 versions behind frontier. @bcherny @AnthropicAI
S3cur3Th1sSh1t retweeted
Jun 2
> Published a tool for Security Researchers.
> Added features & Fixed 10 IoCs and major bugs.
> Pushed it to my repo
> Got shadow banned on github.

This is how security researchers are treated. We're very disappointed @github. Kindly fix the issue. Token id: #4440743 #issue
Jun 1
As promised Rustypacker has released today. A native Rust shellcode packer with a GUI. Repo: github.com/Whitecat18/RustyP…

What did I bring to the table:
- Indirect syscalls for memory allocation and protection by default.
- AES-256-CBC, XOR, UUID-encoded shellcode encryption.
- Six self-injection paths through callback APIs.
- Fiber switch self injection.
- Three remote-process injections.
- Anti-debugging techniques.
- NtDelayExecution sleep evasion with placement control.
- Domain pinning evasion.
- Output formats: EXE, DLL, DLL Sideload (Sideload or Proxy with auto-generated .def for unhandled exports).
- Builds for x86_64-pc-windows-msvc and x86_64-pc-windows-gnu.
- DllMain stays a NO-OP. Payload rides four COM-friendly exports: Run, DllRegisterServer, DllGetClassObject, DllUnregisterServer.
- crt-static link. No runtime DLL footprint.
- XOR-obfuscated NT API names embedded in the binary.
- Generated target/ auto-cleaned after each successful build.

#redteam #malwaredev #rust #offsec #infosec #windbg
Anyone from @claudeai seeing this? You will lose all the InfoSec folks using it with the current cyber strategy. 👀
1.5 weeks left, see you in Poland 🤘 @x33fcon
S3cur3Th1sSh1t retweeted
New small Blog Post from my side - anyone faced 429 too many requests on Microsoft Graph in your projects? This blog provides more insights on how to bypass those. 🫡 r-tec.net/r-tec-blog-the-429…
S3cur3Th1sSh1t retweeted
Wrote a BOF that is able to execute .NET assemblies in-memory via module stomping so ETW / AMSI are seeing a legitimate GAC assembly instead - github.com/nettitude/CLR-STO…
The LLM won't do most tasks fully autonomously without proper guidance and input ideas from a human. Far away from replacement.