Sec Note – Telegram
WSASS
This is a tool that uses the old WerfaultSecure.exe program to dump the memory of processes protected by PPL (Protected Process Light), such as LSASS.EXE. The output is in Windows MINIDUMP format.


#lsass
1. ThreadStackSpoofer by mgeeky
Overview: This tool demonstrates an advanced in-memory evasion technique that spoofs the thread call stack. It's designed to bypass thread-based memory examination rules, making it harder for analysts to detect injected shellcode within process memory.

- [ThreadStackSpoofer GitHub Repository]


2. CallStackSpoofer by WithSecureLabs
Overview: This proof-of-concept implementation demonstrates how to spoof arbitrary call stacks during system calls, such as NtOpenProcess. It's a more advanced technique that builds upon the concepts introduced in ThreadStackSpoofer.

- [CallStackSpoofer GitHub Repository]


3. Draugr by NtDallas
Overview: Draugr is a Cobalt Strike Beacon Object File (BOF) template that facilitates the creation of synthetic stack frames, effectively spoofing the call stack during execution. It utilizes gadgets from KERNELBASE.DLL to achieve this.

- [Draugr GitHub Repository]


4. LoudSunRun by susMdT
Overview: LoudSunRun is a technique that involves stack spoofing with synthetic frames. It calculates the total stack size of fake frames and adjusts stack arguments accordingly to obscure the true execution path.

- [LoudSunRun GitHub Repository]


5. BokuLoader by boku7
Overview: BokuLoader is a proof-of-concept Cobalt Strike Reflective Loader that aims to recreate, integrate, and enhance Cobalt Strike's evasion features. It combines various evasion techniques, including call stack spoofing, to achieve stealthy execution.

- [BokuLoader GitHub Repository]


https://dtsec.us/2023-09-15-StackSpoofin/

#Loader #callstack
Dissect_DCOM_1.pdf
3.1 MB
"Dissecting DCOM"

This article gives an introduction to the basic principles of the COM and DCOM protocols, as well as a detailed network analysis of DCOM.

See also:
DCOM Lateral movement PoC
Lateral Movement Using DCOM and DLL Hijacking
Forwarded from RedTeam brazzers (Миша)
UnderConf.pptx
10.5 MB
Hello everyone!

Sharing my presentation from Underconf :)) the recording will be up a bit later
Forwarded from Source Byte
Exposing CharmingKitten's malicious activity for IRGC-IO division Counterintelligence division (1500)

https://github.com/KittenBusters/CharmingKitten
How to kill AV/EDR (of different kinds) with a couple of clicks

Requirements:
- Admin rights on the machine;
- Ability to deliver procmon.
And then everything is more than straightforward.

1. Enable the "EnableBootLogging" feature;
2. Create a symbolic link:
mklink C:\Windows\Procmon.pmb "<Full path to the file that needs to be overwritten>"
3. Reboot the machine.

Magic happens.

More details:
https://www.zerosalarium.com/2025/09/Break-Protective-Shell-Windows-Defender-Folder-Redirect-Technique-Symlink.html
Recent additions to LOLBAS-Project.github.io:

• iscsicpl.exe for DLL exec+UAC bypass
• eudcedit.exe for UAC bypass
• reset.exe/change.exe/query.exe for proxy exec
• pixtool.exe/applauncher.exe/mpiexec.exe for dev tool proxy exec
.NET R&D Digest (September, 2025)
Oleg Karasik .NET R&D Digest
October 3, 2025 6 Minutes
The summer is over, September is left behind and .NET 10 is coming closer and closer (in fact, it is so close that Stephen Toub has already published his amazing “Performance Improvements in .NET 10” novel), which means it is just about time to read something new about the upcoming release (for instance, the great “Exploring the .NET 10 preview” series by Andrew Lock).

However, if, by any chance, you are interested in something besides .NET 10, then this issue of .NET R&D Digest is here to provide you with various bits of software development 🙂

This issue includes bits of AI, software development, learning, C#, performance, security, C, programming languages, Ruby, and of course .NET and .NET Internals.


#guide
Bypassing Enrollment Restrictions to Break BYOD Barriers in Intune (bring your own device)
Ways of device ownership spoofing and more for persistent access to Intune


This BYOD is not that BYOD 😅