Tradecraft Garden
@tradecraftgarden.bsky.social
Aggregator of ground truth cybersecurity technical content. Maintained by @raphaelmudge.bsky.social https://tradecraftgarden.org/
Reposted by Tradecraft Garden
So, here's a little thread on my new open source project:

The Tradecraft Garden.

tradecraftgarden.org

It's Crystal Palace, an open-source linker and linker script specialized for writing PIC DLL loaders.

And a corpus of DLL loaders demonstrating design patterns for building tradecraft with it.
June 5, 2025 at 2:36 PM
Reposted by Tradecraft Garden
Notepad++ tabs can be found in %APPDATA%\Notepad++\backup

I'm guilty of this, and so is every sysadmin team I've ever been on that has had Notepad++ installed: pasting credentials, access tokens, SSH keys, and other useful information into "temporary" tabs that they forget to delete.
April 9, 2025 at 1:43 PM
Reposted by Tradecraft Garden
See if your target is using some kind of remote connection management software. Tools such as PuTTY and MobaXterm can store credentials for hosts, and these can easily be decrypted.

github.com/xillwillx/Mo...

PuTTY stores creds in

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\
GitHub - xillwillx/MobaXterm-Decryptor: MobaXterm Decryptor
April 10, 2025 at 7:20 PM
Your friend(s) at the Tradecraft Garden are here for it.
Haven't seen much TTP sharing on bsky. So in order to help start to be the solution, for the next few days I'm going to share some of my favorite places to find secrets such as SSH Keys, Credential Objects, Access Tokens, and other stuff that usually gets forgotten about.
April 11, 2025 at 4:59 PM
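The two reposts above (Notepad++ backup tabs and saved PuTTY sessions) describe the same class of find: secrets sitting in places nobody treats as a credential store. The script below is an added example, not code from the posts' authors, that automates both checks. It scans a Notepad++ backup directory for private keys, AWS access key IDs, JWTs, GitHub tokens and `password =` style assignments, and, when run on Windows, enumerates HKCU\Software\SimonTatham\PuTTY\Sessions and reads the HostName, UserName, PublicKeyFile, ProxyUsername and ProxyPassword values (PuTTY keeps a configured proxy password there in plaintext). The regexes are heuristic and the sample tab files written by `make_sample_backup_dir()` are constructed for illustration; MobaXterm's own password store is not covered here, that is what the linked decryptor is for.

```python
"""Added example: hunt for forgotten secrets in Notepad++ backup tabs and PuTTY sessions.

Not code from the posts' authors. The regexes are heuristic and the sample files
written by make_sample_backup_dir() are constructed, not real data.
"""
import os
import re
import sys
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Kinds of secrets the posts mention, as cheap line-level regexes (tune to taste).
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}


def notepadpp_backup_dir() -> Path:
    """Default location of Notepad++ unsaved-tab backups for the current user."""
    appdata = os.environ.get("APPDATA") or str(Path.home() / "AppData" / "Roaming")
    return Path(appdata) / "Notepad++" / "backup"


def scan_backup_dir(backup_dir, max_bytes=1_000_000):
    """Return (filename, pattern_name, line_no, snippet) for every regex hit.

    Backup files are named after the tab ("new 1@2025-04-09_101500"), so the
    filename tells you which unsaved tab the secret was pasted into.
    """
    hits = []
    backup_dir = Path(backup_dir)
    if not backup_dir.is_dir():
        return hits
    for path in sorted(p for p in backup_dir.iterdir() if p.is_file()):
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path.name, name, line_no, line.strip()[:80]))
    return hits


def putty_sessions():
    """List saved PuTTY sessions from HKCU. Returns [] off Windows or if none exist."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, so imported lazily
    wanted = ("HostName", "UserName", "PublicKeyFile", "ProxyUsername", "ProxyPassword")
    sessions = []
    try:
        root = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\SimonTatham\PuTTY\Sessions")
    except OSError:
        return sessions
    with root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, name) as key:
                info = {"session": unquote(name)}  # PuTTY %XX-encodes session names
                for value_name in wanted:
                    try:
                        info[value_name] = winreg.QueryValueEx(key, value_name)[0]
                    except OSError:
                        info[value_name] = ""
                sessions.append(info)
    return sessions


def make_sample_backup_dir() -> Path:
    """Write constructed sample tab backups (not real data) into a temp dir."""
    d = Path(tempfile.mkdtemp(prefix="npp-backup-"))
    (d / "new 1@2025-04-09_101500").write_text(
        "jump host key\n"
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
        "-----END OPENSSH PRIVATE KEY-----\n")
    (d / "new 2@2025-04-09_143000").write_text(
        "prod db migration\n"
        "password = Sup3rS3cret!\n"
        "AKIAIOSFODNN7EXAMPLE\n")  # AWS's documented example access key ID
    (d / "new 3@2025-04-10_090000").write_text("todo: rotate certs next week\n")
    return d


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else notepadpp_backup_dir()
    for filename, pattern_name, line_no, snippet in scan_backup_dir(target):
        print("%s [%s] line %d: %s" % (filename, pattern_name, line_no, snippet))
    for s in putty_sessions():
        print("PuTTY session %(session)r -> %(UserName)s@%(HostName)s "
              "key=%(PublicKeyFile)s proxypw=%(ProxyPassword)r" % s)
```

Run it with no arguments on a Windows host to scan the live backup directory and registry; `scan_backup_dir` accepts any path, so it works just as well on an offline copy of a user's AppData pulled from a disk image.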
Hiding any kind of file within a favicon.ico. Could this also work as an embedded resource in a DLL? Cool trick.

github.com/RootUp/Perso...

via x.com/RandomDhiraj
PersonalStuff/smuggle_ico.py at master · RootUp/PersonalStuff
April 10, 2025 at 3:51 PM
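The favicon trick works because .ico consumers only read the bytes the icon directory points at; anything past the last image is slack. Below is an added example, not code from the RootUp/PersonalStuff repository (that smuggle_ico.py takes the same append-after-the-images approach is an assumption). It builds a minimal valid 1x1 icon, parses the ICONDIR and ICONDIRENTRY table to find where the image data ends, appends an arbitrary file after it and recovers it again. The same parser doubles as a defender's check: a favicon whose directory ends before the file does is carrying something. The carrier icon and the payload are constructed here.

```python
"""Added example: hide a file after the image data of a valid .ico and get it back.

Not code from the smuggle_ico.py repo; that it works the same way is an assumption.
The carrier icon and the payload are constructed in this file.
"""
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset


def build_minimal_ico() -> bytes:
    """A valid 1x1 32-bpp icon: ICONDIR + one entry + BMP-style image data."""
    # BITMAPINFOHEADER; height is doubled because the XOR and AND masks are stacked.
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    xor_pixels = bytes([0x00, 0x00, 0xFF, 0xFF])  # one BGRA pixel, opaque red
    and_mask = b"\x00\x00\x00\x00"                 # 1 bit per pixel, row padded to 4 bytes
    image = bih + xor_pixels + and_mask
    header = ICONDIR.pack(0, 1, 1)
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), ICONDIR.size + ICONDIRENTRY.size)
    return header + entry + image


def ico_image_end(data: bytes) -> int:
    """Offset just past the last image referenced by the icon directory.

    Viewers only read what the directory points at, so bytes after this
    offset are ignored by them, which is exactly the slack a smuggler uses.
    """
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICONDIR")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an .ico directory")
    table_end = ICONDIR.size + count * ICONDIRENTRY.size
    if len(data) < table_end:
        raise ValueError("directory table truncated")
    end = table_end
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        if offset + size > len(data):
            raise ValueError("directory entry %d points past end of file" % i)
        end = max(end, offset + size)
    return end


def smuggle(ico: bytes, payload: bytes) -> bytes:
    """Append payload after the image data; any previous trailer is replaced."""
    return ico[:ico_image_end(ico)] + payload


def extract(data: bytes) -> bytes:
    """Everything after the last image is the smuggled file (b'' if nothing there)."""
    return data[ico_image_end(data):]


def has_trailing_data(data: bytes) -> bool:
    """Defender's check: a clean favicon ends where its directory says it ends."""
    return ico_image_end(data) < len(data)


if __name__ == "__main__":
    # Constructed stand-in for a smuggled file; a real payload would be any bytes.
    carrier = smuggle(build_minimal_ico(), b"MZ\x90\x00 constructed payload bytes")
    print("carrier bytes:", len(carrier), "trailing data:", has_trailing_data(carrier))
    print("recovered:", extract(carrier))
```

`has_trailing_data` is the cheap triage you would run over a web root or a proxy's cached favicons: anything that parses as an icon but does not end at its last image deserves a closer look.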
Bypassing Detections with Command-line Obfuscation by x.com/Wietze

www.wietzebeukema.nl/blog/bypassi...

Tool: github.com/wietze/Invok...

H/T to @badsectorlabs.com excellent "Last Week in Security" 03-24-2025 edition.
Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits exec...
April 7, 2025 at 5:49 PM
MCP: An Introduction to Agentic Op Support by x.com/__mez0__ of @trustedsec.com

trustedsec.com/blog/mcp-an-...
April 2, 2025 at 6:08 PM
This is getting some attention today. Cool shellcode trick from:

My First and Last Shellcode Loader by @dobinrutis.bsky.social at HITB 2024.

H/T x.com/Jean_Maes_19...
April 1, 2025 at 5:48 PM
Finding Pastures New: An alternate approach to implant design VIA x.com/sapientflow

medium.com/@sapientflow...
Finding pastures new: An alternate approach for implant design
(MetaInvoke [Alpha])
March 31, 2025 at 6:27 PM
A thread about 'module stomping' for allocating payload memory...

February 13, 2014 'Mask' Malware Called 'Most Advanced' Cyber-espionage Operation

www.voanews.com/a/mask-caret...

Technical write-up (quoted below):
media.kasperskycontenthub.com/wp-content/u...
Since at least 2007, the malware collected secrets from government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists
March 28, 2025 at 4:59 PM
Draugr - A BOF template to demonstrate callstack spoofing. Includes a POC to implement remote process injection with this capability. VIA x.com/RtlDallas

github.com/NtDallas/Dra...
GitHub - NtDallas/Draugr: BOF with Synthetic Stackframe
March 27, 2025 at 9:31 PM
Reposted by Tradecraft Garden
The Things We Think and Do Not Say: The Future of Our Beacon Object Files (BOFs) www.netspi.com/blog/technic...
Learn about a reference design for a new Beacon Object Files portable executable concept and helpful features.
March 19, 2025 at 6:29 PM
Reposted by Tradecraft Garden
Cobalt Strike BOF for evasive .NET assembly execution https://github.com/EricEsquivel/Inline-EA
March 26, 2025 at 11:32 PM
Loki C2: A complete C2 written in JavaScript contained within an Electron Application. VIA x.com/0xBoku/

securityintelligence.com/x-force/bypa...
Bypassing Windows Defender Application Control with Loki C2
Microsoft offers a bug bounty for qualifying bypasses into Windows Defender Application Control. Learn how IBM's X-Force team found a bypass using Loki C2.
March 26, 2025 at 7:18 PM
Reposted by Tradecraft Garden
New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
Windows Bug Class: Accessing Trapped COM Objects with IDispatch
Posted by James Forshaw, Google Project Zero. Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...
January 30, 2025 at 6:37 PM
Reposted by Tradecraft Garden
[Blog] This ended up being a great applied research project with my co-worker Dylan Tran on weaponizing a technique for fileless DCOM lateral movement based on the original work of James Forshaw. Defensive recommendations provided.

- Blog: ibm.com/think/news/f...
- PoC: github.com/xforcered/Fo...
Fileless lateral movement with trapped COM objects | IBM
New research from IBM X-Force Red has led to the development of a proof-of-concept fileless lateral movement technique by abusing trapped Component Object Model (COM) objects. Get the details.
March 25, 2025 at 9:21 PM