Tradecraft Garden
@tradecraftgarden.bsky.social
Aggregator of ground truth cybersecurity technical content. Maintained by @raphaelmudge.bsky.social https://tradecraftgarden.org/
Reposted by Tradecraft Garden
Notepad++ tabs can be found in %APPDATA%\Notepad++\backup

I'm guilty of this, and so is every sysadmin I've ever been on who has had Notepad++ installed. Pasting credentials, access tokens, SSH keys, and other useful information in "temporary" tabs that they forget to delete.
April 9, 2025 at 1:43 PM
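A hygiene check for the problem described above, as an added example that is not part of the original post: it scans the local Notepad++ backup folder for unsaved tabs that look like they contain secrets and reports them with a redacted preview, so the operator can close those tabs and clean up. The regex patterns are constructed heuristics and should be tuned for your environment.

```powershell
# Added example: audit the Notepad++ backup folder for secret-like content.
# Notepad++ keeps unsaved tab contents under %APPDATA%\Notepad++\backup.
$backupDir = Join-Path $env:APPDATA 'Notepad++\backup'

if (-not (Test-Path -LiteralPath $backupDir)) {
    Write-Host "No Notepad++ backup directory at $backupDir"
    return
}

# Heuristic regexes for common secret shapes (constructed; not exhaustive).
$patterns = @{
    'PrivateKey'   = '-----BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----'
    'PasswordKV'   = '(?i)\b(pass(word)?|pwd|secret)\s*[:=]\s*\S+'
    'AwsAccessKey' = '\bAKIA[0-9A-Z]{16}\b'
    'BearerToken'  = '(?i)\bbearer\s+[A-Za-z0-9\-_\.=]{20,}'
    'ConnString'   = '(?i)(Server|Data Source)=.*;.*(Password|Pwd)='
}

$findings = foreach ($file in Get-ChildItem -LiteralPath $backupDir -File -Recurse) {
    foreach ($name in $patterns.Keys) {
        $hits = Select-String -LiteralPath $file.FullName -Pattern $patterns[$name] -AllMatches
        foreach ($hit in $hits) {
            [pscustomobject]@{
                File     = $file.FullName
                Modified = $file.LastWriteTime
                Kind     = $name
                Line     = $hit.LineNumber
                # Keep only the first 12 characters so the report itself does not leak the secret.
                Preview  = ($hit.Line.Trim() -replace '(?<=.{12}).+', '...')
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object File, Line | Format-Table -AutoSize
    Write-Host "`nReview these tabs in Notepad++ and close them (or delete the backup files) once the content is no longer needed."
} else {
    Write-Host "No secret-like content found in $backupDir"
}
```

Run it from a normal user session; it only reads the backup directory and never deletes anything, so the cleanup decision stays with the operator.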
Reposted by Tradecraft Garden
See if your target is using some kind of remote connection management software. Tools such as PuTTY and MobaXterm can store credentials for hosts, and they can easily be decrypted.

github.com/xillwillx/Mo...

PuTTY stores creds in

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\
GitHub - xillwillx/MobaXterm-Decryptor: MobaXterm Decryptor
github.com
April 10, 2025 at 7:20 PM
Oh man! I was thinking of icons for Windows applications and not browser favicons. A different set of cool possibilities.
April 10, 2025 at 5:51 PM
Another possibility: Process Argument Spoofing from @williamburgess.bsky.social 2018 Red Teaming in the EDR Age. Starts at 9:02.

youtu.be/l8nkXCOYQC4?...

Inspiration for Cobalt Strike's 'argue' command:

hstechdocs.helpsystems.com/manuals/coba...

Public POC: kwcsec.gitbook.io/the-red-team...
Red Teaming in the EDR age
YouTube video by Wild West Hackin' Fest
youtu.be
April 7, 2025 at 5:49 PM
Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) from BlackHat 2018 by x.com/danielhbohan...

Tool: github.com/danielbohann...

Paper: services.google.com/fh/files/mis...

Notes: www.ired.team/offensive-se...

www.youtube.com/watch?v=mej5...
Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
YouTube video by Black Hat
www.youtube.com
April 7, 2025 at 5:49 PM
More references and context by @attack.mitre.org

T1027.010 Obfuscated Files or Information: Command Obfuscation

attack.mitre.org/techniques/T...
Obfuscated Files or Information: Command Obfuscation, Sub-technique T1027.010 - Enterprise | MITRE ATT&CK®
attack.mitre.org
April 7, 2025 at 5:49 PM
"Talk to your Malware" using AI to generate agent-side executable code from natural language task descriptions for one-off post-ex tasks.

gosecure.ai/blog/2025/03...
Talk To Your Malware - Integrating AI Capability in an Open-Source C2 Agent
Explore how AI-enabled implants can generate and execute custom malware commands on the fly, no coding required.
gosecure.ai
April 6, 2025 at 9:31 PM
@und3rf10w.bsky.social and @marcusjcarey.com did a 2023 demo of using LLMs to drive security tools including Cobalt Strike (via Aggressor Script... Cortana's successor).

www.youtube.com/watch?v=AcG4...

36:38 starts offense discussion.
42:08 starts Cobalt Strike driving demo
Track 1 10 AI pocalypse Now - Jonathan Echavarria & Marcus Carey
YouTube video by HackMiami
www.youtube.com
April 2, 2025 at 6:08 PM
More info in my (@raphaelmudge.bsky.social) DEFCON 20 talk:

Cortana: Rise of the Automated Red Team

www.youtube.com/watch?v=Eca1...

Topics covered included agent programming, positive control ideas, but also the more pragmatic (then) other stuff.
Cortana: Rise of the Automated Red Team (DEFCON 20)
YouTube video by Cobalt Strike Archive
www.youtube.com
April 2, 2025 at 6:08 PM
Cobalt Strike's Aggressor Script is a successor to Cortana, which was a 2011 DARPA Cyber Fast Track funded project to explore bots/agents on top of Armitage's red team collaboration architecture. The agent focus is what made it CFT worthy.

www.cobaltstrike.com/blog/cortana...
Cortana: real-time collaborative hacking… with bots | Cobalt Strike
At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and genera...
www.cobaltstrike.com
April 2, 2025 at 6:08 PM
A demonstration by x.com/_xpn_ of using similar ideas to drive a Mythic agent.

www.youtube.com/watch?v=ZooT...

Details at: x.com/_xpn_/status...
Mythic MCP - Claude Sonnet driving Mythic (Apollo)
YouTube video by Adam Chester
www.youtube.com
April 2, 2025 at 6:08 PM
Three part blog series on these topics:

1. Intro to SuperMega Loader Lab (Framework to play w/ EXE Injection techniques)
blog.deeb.ch/posts/superm...

2. How EDR works (Background info)
blog.deeb.ch/posts/how-ed...

3. "Cordyceps" (an EXE shellcode Injection technique)
blog.deeb.ch/posts/exe-in...
April 1, 2025 at 5:48 PM
My First and Last Shellcode Loader by Dobin Rutishauser

Talk: www.youtube.com/watch?v=SYM4...

Slides: conference.hitb.org/hitbsecconf2...

Code: github.com/dobin/SuperM...
#HITB2024BKK #COMMSEC D1: My First and Last Shellcode Loader
YouTube video by Hack In The Box Security Conference
www.youtube.com
April 1, 2025 at 5:48 PM
A better link for the above (to see the replies):

Railgun was introduced to the Metasploit Framework via a mailing list post in June 2010 by Patrick HVE:

seclists.org/metasploit/2...
Metasploit: Presenting Meterpreter extension: RAILGUN
seclists.org
March 31, 2025 at 6:36 PM
One of the downsides of syscall proxy: roundtrips to the C2 for each call. How to package together multiple calls, branching logic, etc. and get the benefit of proxying each API call? Use a VM!

secret.club/2023/12/24/r...
github.com/thesecretclu...

VIA x.com/mrexodia and github.com/oopsmishap
RISC-Y Business: Raging against the reduced machine
Abstract In recent years the interest in obfuscation has increased, mainly because people want to protect their intellectual property. Unfortunately, most of what’s been written is focused on the theo...
secret.club
March 31, 2025 at 6:27 PM
An interesting idea (2011), using Meterpreter's Railgun for covert forensic collection of a compromised target... leaving no trace for the adversary. These ideas cut both ways, don't they?

VIA x.com/McGrewSecurity

www.youtube.com/watch?v=807m...
DEF CON 19 - Wesley McGrew - Covert Post-Exploitation Forensics With Metasploit
YouTube video by DEFCONConference
www.youtube.com
March 31, 2025 at 6:27 PM
A June 2021 discussion, by Annisa Ayu Pramesti, of the potential of syscall proxying to frustrate computer forensics:

medium.com/@nisaprmst/s...
Syscall Proxy: A Way To Minimize “Footprint”
This article will discuss one of the most advanced techniques of anti-forensics. Anti-forensics is tools or techniques that frustrate…
medium.com
March 31, 2025 at 6:27 PM