Atsika
@atsika.bsky.social
Red Team enthusiast | Malware development enjoyer | Adversary Simulation at @quarkslab.bsky.social
I've heard that my fellow Red Teamers like to use SOCKS proxies for stealth operations, so here's one that (ab)uses Azure Blob Storage 🚇
Look at those cute little blobs in your internal network. They look harmless, but how about the one carrying SOCKS?
It's ProxyBlob, a reverse proxy over Azure.

Check out Alexandre Nesic's article on how it came to exist after an assumed breach mission ⤵️
👉 blog.quarkslab.com/proxyblobing...
April 30, 2025 at 4:10 PM
Reposted by Atsika
For us, EDR bypass is not just a buzzword.
MacroPack, ShellcodePack, and DarwinOps all come with bypass presets for major EDRs and Antivirus
Those presets are regularly updated and tested!

If you want to see a demo or an equivalent screenshot for the major EDRs, contact us!

#redteam
April 3, 2025 at 3:47 PM
Reposted by Atsika
Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
April 8, 2025 at 11:00 PM
Reposted by Atsika
Next week at the Hack The Box 0x4d meetup in Lille, France @rayanle.cat will talk about PwnShop, the challenge he prepared for the PwnMe CTF 2025 and how he accidentally discovered an RCE 0day while doing so.

Join him next Monday at Campus Cyber Hauts-de-France:
www.meetup.com/hack-the-box...
March 25, 2025 at 2:01 PM
Reposted by Atsika
Balliskit Evasion Tip 🤖
To help with static analysis detection by EDR,
ShellcodePack implements a method to load a shellcode from a separate file or from a URL.

This tutorial explains how to use that option!

#redteam

blog.balliskit.com/loading-a-sh...
Loading a shellcode from a file/URL with ShellcodePack
Shellcode in EXE files can sometimes be detected during static analysis, requiring various kinds of obfuscation to bypass EDRs. This…
March 20, 2025 at 5:18 PM
Reposted by Atsika
On PTO and bored, so playing around with MCP by exposing Mythic APIs to Claude and seeing what the result is. Attempting to have it emulate threat actors while operating Apollo in a lab... would make a good sparring partner :D www.youtube.com/watch?v=ZooT...
Mythic MCP - Claude Sonnet driving Mythic (Apollo)
YouTube video by Adam Chester
March 20, 2025 at 10:24 PM
Reposted by Atsika
🚨 Evilginx Pro is finally here! 🚨🎣🐟

This is it! After over two years of development, countless delays, and hundreds of manual company verifications, Evilginx Pro is finally live!

Thank you all for your invaluable support 💗

breakdev.org/evilginx-pro...
Evilginx Pro is finally here!
After over two years of development, Evilginx Pro reverse proxy phishing framework for red teams is finally live!
March 12, 2025 at 3:29 PM
Reposted by Atsika
KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/K...
GitHub - decoder-it/KrbRelayEx-RPC
March 14, 2025 at 10:18 AM
If you thought phishing was now ineffective, you may have missed something 👀

My latest post highlights the advanced tactics used to bypass security controls and deceive even the most savvy users. Check it out ⤵️
From classic HTML pages to advanced MFA bypasses, dive in with @atsika.bsky.social in an exploration of phishing techniques 🎣.

Learn some infrastructure tricks and delivery methods to bypass common detection.
👉 blog.quarkslab.com/technical-di...
(promise this one is legit 👀)
March 11, 2025 at 4:21 PM
Reposted by Atsika
#PEbear (github.com/hasherezade/...) is now available via WinGet (learn.microsoft.com/en-us/window...)! You can install it more easily than ever - just type `winget install pe-bear` from PowerShell.
March 9, 2025 at 4:07 PM
Reposted by Atsika
[DEMO] Searching for #AceLdr in memory, with #PEsieve/#HollowsHunter threads scan: www.youtube.com/watch?v=RQf2... ; read more: github.com/hasherezade/...
[DEMO] Searching for AceLdr in memory, with PE-sieve/HollowsHunter thread scan
YouTube video by hasherezade
March 9, 2025 at 4:08 PM
Reposted by Atsika
Recently came across a pretty neat technique to silently load (malicious) VS Code extensions using its bootstrapping and portability features. Thought it was interesting enough to warrant my first blog post in 4 years 🙃

Check it out 👇
casvancooten.com/posts/2025/0...
Abusing VS Code's Bootstrapping Functionality To Quietly Load Malicious Extensions
Wow, been a while since my last blog 😅. During some research I came across a technique variation which I felt was interesting enough to share in a brief blog post. It relates to how the bootstrapping ...
February 28, 2025 at 3:57 PM
Reposted by Atsika
A Plan to Pwn: Reviving a 17 year old bug or winning a race against Project Management? We've got both.

Mathieu Farrell shows you how in the "Pwn Everything, Bounce Everywhere, all at once" blog post series.
blog.quarkslab.com/pwn-everythi...
February 25, 2025 at 7:39 PM
Reposted by Atsika
ICYMI: 5 vulnerabilities in SOPlanning, an open source project management application used by major consulting services providers.
In part 2 of "Pwn Everything, Bounce Everywhere, all at once", Mathieu Farrell tells you how to chain them for unauthenticated RCE.

blog.quarkslab.com/pwn-everythi...
February 26, 2025 at 4:04 PM
Reposted by Atsika
In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. 💪

👉 blog.scrt.ch/2025/02/18/r...
February 19, 2025 at 9:13 AM