Quang Vo
@mr-r3bot.bsky.social
Offensive Security, passionate about Malware Development and Windows internals.
#redteam
Reposted by Quang Vo
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 10, 2025 at 6:21 PM
Reposted by Quang Vo
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible to build a multi-stage and modular C2 implant made of PICOs.

github.com/pard0p/PICO-...
November 7, 2025 at 4:10 PM
Reposted by Quang Vo
"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this."

"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me's LibTP."

Ground truth security research.
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
November 6, 2025 at 3:38 PM
Reposted by Quang Vo
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.

github.com/pard0p/LibWi...
November 4, 2025 at 9:21 PM
Reposted by Quang Vo
Tradecraft Garden’s PIC Parterre

Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.

aff-wg.org/2025/10/27/t...
Tradecraft Garden’s PIC Parterre
The goal of Tradecraft Garden is to separate evasion tradecraft from C2. Part of this effort involves looking for logical lines of separation. And, with PIC, I think we’ve just found one of them. T…
aff-wg.org
October 27, 2025 at 3:48 PM
Reposted by Quang Vo
And it's released! 🎉

github.com/ofasgard/exe...

I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
October 16, 2025 at 4:13 PM
It's growing
I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in the context of the overall model this could become.
October 17, 2025 at 3:10 PM
Reposted by Quang Vo
Weeding the Tradecraft Garden

aff-wg.org/2025/10/13/w...

Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC
Weeding the Tradecraft Garden
When I started work on Crystal Palace, my initial thought was to see how much I could ease development of position-independent code DLL capability loaders using the tools and manipulations possible…
aff-wg.org
October 13, 2025 at 3:13 PM
Reposted by Quang Vo
Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
September 26, 2025 at 5:12 PM
Reposted by Quang Vo
"I'm also interested in looking at the Java API a bit more to see how one might build a merged capability in a more programmatic fashion (imagine a GUI where you configure & build a capability by checking/unchecking "features" to include in the final output)."
September 12, 2025 at 10:57 PM
Reposted by Quang Vo
Quick post on how to use the new make coff and merge commands in @raphaelmudge.bsky.social's Crystal Palace.
rastamouse.me/modular-pic-...
Modular PIC C2 Agents (reprise)
A few months ago, I published a post called Modular PIC C2 Agents where I mused about what it could look like to build a C2 agent out of individual (modular) COFFs. The idea was to build a capability ...
rastamouse.me
September 12, 2025 at 10:30 PM
Reposted by Quang Vo
If you're in London, Will Burgess (x.com/joehowwolf) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday.

www.eventbrite.co.uk/e/beacon-25-...

beac0n.org

From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
Beacon %25
The fourth year of Beacon: London's home of hackers, hunters and EDR dodgers.
www.eventbrite.co.uk
September 9, 2025 at 8:46 PM
Reposted by Quang Vo
Position Independent Code (PIC) Development Crash Course.

My July 2025 overview of PIC writing fundamentals.

Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video.

#GoodLuckAndHappyHacking

vimeo.com/1100089433/d...
PIC Development Crash Course
Some helpful content for writing position independent code.
vimeo.com
July 16, 2025 at 3:40 PM
Reposted by Quang Vo
Potato exploits have been a cornerstone of local priv esc on Windows for years, but how & why do the inner starchy workings of the potatoes function?

Join @atomicchonk.bsky.social next week to understand Windows access tokens & their use in the Windows environment. ghst.ly/june-web-bsky
June 20, 2025 at 4:55 PM
Reposted by Quang Vo
This is getting some attention today. Cool shellcode trick from:

My First and Last Shellcode Loader by @dobinrutis.bsky.social at HITB 2024.

H/T x.com/Jean_Maes_19...
April 1, 2025 at 5:48 PM
Yo this is supercool
So, here's a little thread on my new open source project:

The Tradecraft Garden.

tradecraftgarden.org

It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.

And, a corpus of DLL loaders demonstrating design patterns for building tradecraft with it.
June 7, 2025 at 3:08 PM
When James Forshaw posts, you read 🫡
A companion blog to my Bluehat 2024 presentation on OleView.NET is up now. googleprojectzero.blogspot.com/2024/12/wind...
December 13, 2024 at 11:47 AM
God-tier resources for Windows Internals

codemachine.com/articles.html
CodeMachine - Articles
In depth technical articles on Windows Internals, Security, Malware, Rootkits, and Debugging
codemachine.com
December 13, 2024 at 11:46 AM
Reposted by Quang Vo
[BLOG]
Today's post is all about Cobalt Strike's Postex Kit.
rastamouse.me/cobalt-strik...
Cobalt Strike Postex Kit
The CS 4.10 update saw the introduction of the Postex Kit. This was a bit overshadowed by BeaconGate, which was also added in 4.10 (I wrote about this in my last post). The intention of this post is t...
rastamouse.me
December 8, 2024 at 5:11 PM
Hack the other group's C2 infra to use for your own campaign 👌. Interesting
blog.lumen.com/snowblind-th...
Snowblind: The Invisible Hand of Secret Blizzard
blog.lumen.com
December 5, 2024 at 1:14 AM
Reposted by Quang Vo
🛡️Windows Firewall and WFP are only two ways to silence an #EDR agent.
📢In my latest blog post I discuss another network based technique to prevent data ingest and ways to detect it.

And if you want even more, check out part 2 released by @Cyb3rMonk. Link in the post.
EDR Silencers and Beyond: Exploring Methods to Block EDR Communication - Part 1
For red teams and adversary alike it’s important to stay hidden. As many companies nowadays have EDR agents deployed those agents are always in focus and tools like EDRSilencer or EDRSandblast use…
cloudbrothers.info
December 1, 2024 at 3:04 PM
Reposted by Quang Vo
[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.

rastamouse.me/udrl-sleepma...
UDRL, SleepMask, and BeaconGate
I've been looking into Cobalt Strike's UDRL, SleepMask, and BeaconGate features over the last couple of days. It took me some time to understand the relationship between these capabilities, so the aim...
rastamouse.me
November 30, 2024 at 2:05 AM
Reposted by Quang Vo
Relaying DCOM has always intrigued me, so I decided to dive in. Started with a MiTM attack using a fake DNS entry, targeting certificate requests to an ADCS server and relaying to SMB.
November 29, 2024 at 9:42 PM