☠️☠️☠️
Wow, the AWS Visual Studio extension is crazy.
Err….
I love coding on the train
Jumping Network Segregation with RDP rastamouse.me/2017/08/jumpin… Shout-out to @gentilkiwi for DPAPI magic
Assembly for n00bs with hands-on labs. Anyone interested in seeing this? 😛
Some pretty cool OPSEC-specific challenge labs coming to RTO soon (hopefully 🤞🏻)
Pretty stoked that I finally got Red Team Ops approved against the CREST Certified Simulated Attack Specialist (CCSAS) examination.
Found a funny way to detect Rubeus. There's a typo in the process name used when calling LsaRegisterLogonProcess, which shows up in the Windows audit logs. Not sure if that was intentional given the code comment right next to it.
Never ceases to amaze...
Ok, pinvoke.dev is now live. A simple GitBook of code-generated P/Invoke signatures. Just C# for now, but I may add Rust and a few others in the future.
[BLOG] Short post on how to do NTLM relaying via Cobalt Strike using PortBender, WinDivert and ntlmrelayx. rastamouse.me/ntlm-relaying-…
Using @rogue_kdc's CVE-2019-084 to backdoor the LAPS AdmPwd DLL and get code exec as SYSTEM on each Group Policy update. Thanks to @_RythmStick for the idea of targeting LAPS for the priv esc.
Working on breaking RTO out into a more structured learning path with smaller, more manageable courses. This is how it'll look.
[BLOG] New tool from @_xpn_ and myself - a proof of concept .NET C2 framework. All feedback and comments welcome. rastamouse.me/2020/05/sharpc…
I think I'm coming to the end of my infosec road. New features like admin protection dropping in Windows and instead of being excited/curious about something new to learn and bypass, I find myself just not remotely interested...
Been playing with Elastic Security. It's sick AF 🔥🔥🔥
Would there be much interest in a livestream series of how to use Cobalt Strike, aimed at beginners? Start simple and work up to more advanced tactics.
Someone had fun in the RTO lab
The most 1337 AMSI bypass for the CLR ever.
[BLOG] I had a series in mind like "Rubeus' Hidden Secrets" or something like that. Basically, highlighting features of the tool that seem less well known. I'm starting off with a basic one for getting crackable hashes from cached service tickets. rastamouse.me/kerberoasting-…
RTO II is coming along
Looks like GitHub is trying to prepare me for my death...
Teaser image for some of the #RedTeamOps updates, coming soon.
This took longer to write than expected because of some issues I was running into. But tl;dr C3 is awesome. rastamouse.me/2019/09/mwr-la…
I wrote a short primer for transitioning from P/Invoke to D/Invoke in offensive tooling. Shoutout to @TheRealWover and @FuzzySec rastamouse.me/blog/process-i…
Kinda funny how I did Rust for n00bs and C# for n00bs, then TCM did Rust 101 and now C# 101. I was working on Assembly for n00bs but don't think I'll bother now, TCM can have it.
Cobalt Strike 4.7 dropped today, it looks good in the RTO lab 😏
It's been a day for course releases. I've just published my own new mini-course on Windows Access Tokens. This walks you through the essentials of enumerating, creating, stealing, modifying, and impersonating access tokens. training.zeropointsecurity.c…
I finally got a driver working that registers a callback on process creation and injects a DLL for userland API hooking.
I drafted a janky mind map of Beacon's components and their relationships. Might be able to make it neater if people find it useful. Perhaps we could get this on a desk mat @joehowwolf 😅
And here it is: rastamouse.me/2018/05/csharp… Give it a go and let me know what you think.
Working on this blog post, hopefully I can get it out very soon. Huge props to @subTee on this one for answering all my noob questions and being generally awesome in every way.
Elastic have created their own C2 tooling. Pretty neat.
New in Elastic Security 8.4: Native SOAR for the modern SOC gives users the ability to quickly disable network connectivity to infected systems while still allowing responders to investigate. See how it works: go.es.io/3AxAdXo
[BLOG] Wrote a short piece on backdooring .NET assemblies (for persistence) with dnSpy. rastamouse.me/backdoor-net-a…🤔/
It seems Defender is now detecting the use of wmic and regsvr32 to grab files remotely. Crazy stuff. (note: it doesn't even grab the payload, it's detecting what's entered on the cmdline. Even wmic os get /format:"http://blah" is flagged.)
Most 1337 Artifact Kit bypass ever. I don't think I'll ever understand AV...
Took me long enough, but finally managed to hook into mscoreei.dll and stack spoof library load calls for clr.dll.
[BLOG] Fun post on how to combine evilginx by @mrgretzky and BITB by @mrd0x. rastamouse.me/evilginx-meet-…
Found the best tool ever for C# devs: CSharpRepl. A global dotnet tool that you can integrate into Windows Terminal. Now you have the power of Roslyn to quickly evaluate C# code in just a few seconds. Intellisense, tab completion and syntax highlighting. Simply orgasmic.
RTO is listed in this job posting from Meta metacareers.com/jobs/1734187…
I'm particularly proud to bring PPP pricing into cybersecurity.
ZPS has a new site with some pretty cool changes to pricing, labs, and exams. Read more here: zeropointsecurity.co.uk/blog…
A computer programmer goes to buy some bread. On his way out, his wife says, "and while you're there, get a carton of eggs". He never returned.
It's here!!! Tell your colleagues, tell your friends, tell your grandma. zeropointsecurity.co.uk/red-… #RedTeamOps
Basic overview of Persistence rastamouse.me/2018/03/a-view…
Red Team Ops II Teaser/Promo Video courses.zeropointsecurity.co…
Check out my talk from Mystikcon. Five Ways I got Caught before Lunch. A brief look at commonly used (bad) tradecraft and how to avoid it. piped.video/qIbrozlf2wM
We're all gonna be fucked when companies adopt Windows 11 and Server 2025 properly. RunAsPPL and Credential Guard break so much stuff we take for granted.
[BLOG] I built a .NET web app to help test and analyse Kerberos delegation configurations. rastamouse.me/kerberos-deleg…
Only recently learned that you can use certutil to download files. certutil -urlcache -split -f http://file.txt c:\somewhere\file.txt Thanks @_RythmStick for the tip.
I've been forcing myself to learn more Rust over the last week or so by writing a basic PE loader. It's nothing special but it was fun to do.
I have no degree
Who else devs like this?
Sorry guys. Me and my big mouth 😅 github.com/GhostPack/Rubeus/…
Found a funny way to detect Rubeus. There's a typo in the process name used when calling LsaRegisterLogonProcess, which shows up in the Windows audit logs. Not sure if that was intentional given the code comment right next to it.
I registered "Red Team Ops" as a trademark in the UK and it got approved
Working on a fun Crystal Palace loader that hooks APIs and pushes them through a call stack spoofing PICO.
Not sure why, but I suddenly have the urge to write a mini-course on External C2.
Short post about using EWSToolkit to install a malicious Outlook Add-In. Shout out to @dafthack @ustayready and @two06. rastamouse.me/2019/03/ews-in…
Happy to say that I've been accepted to speak at DEFCON @AdversaryVillag this year.
I am of the opinion that the overall quality of tooling in infosec is quite low. As an industry we don't conform to any coding standards, documentation standards, security standards (ironically), or testing standards. It's pretty amazing that we get on as well as we do.
I FINALLY got call stack spoofing working inside BeaconGate.
I got NtCreateUserProcess with PPID spoof and BlockDLLs working in C# (just P/Invoke for now). Thanks everyone who assisted: @_Kudaes_, @vxunderground, @brian_psu and others. Great community effort 🙂
Red Team Infrastructure Deployment with Terraform - Part 2 rastamouse.me/2017/09/automa…
I just heard the phrase "your confidence surpasses your competence" and it's the best sick burn ever 😂🔥
Seems like @thecybermentor and I share similar values. CRTO starts at £399, free lifetime course updates and free exam retakes with lab extensions.
The beginning of a new development series for #SharpC2 piped.video/3auf7mAN0O0
Ported some mimikatz to rust :kappa:
Wrote another little C# tool with @_RythmStick for extracting cookie and credential data from Chrome. github.com/rasta-mouse/Cooki… Hopefully we can add support for other browsers too.
What the hell kinda number is this. Fucking Mars?
I really can retire now, as HTB are going balls deep into "Red Team".
We see RED 😡 With all the new #redteaming scenarios soon arriving on #HackTheBox, you will too! Catering to both beginners and pros, the total 15+ real-world scenarios will help you gain familiarity with attacking #enterprise infrastructures. Learn more: okt.to/ug6f7B
It's my birthday today 🍰, so I'm running a small 5% discount on Red Team Ops. Valid for today only. The discount code is OLDRASTA. zeropointsecurity.co.uk/red-…
Elastic EDR bypass :kappa:
Got reverse port forwards working in Covenant.