CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3,547 posts
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
@_EthicalChaos_
Ceri Coburn: Hacker | R̷u̷n̷n̷e̷r̷ DIYer| Vizsla Fanboy and a Little Welsh Bull apparently 🏴󠁧󠁢󠁷󠁬󠁳󠁿 Author of poorly coded tools: github.com/CCob
In a field somewhere
ethicalchaos.dev
Joined February 2015
438 Following
9,284 Followers
  • Pinned
    CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Mar 19, 2025
    A little while ago I tweeted about a potential BOF-PE design. So here it is, a new design that includes a fully linked PE, C++ exceptions and use of the STL template library.
    NetSPI
    @NetSPI
    Mar 19, 2025
    Beacon Object Files (BOFs) in C2 platforms limit developers. ow.ly/rQ2e50VjZBU Read NetSPI's blog post to explore a reference design for a new BOF portable executable (PE) concept that bridges the gap between modern C++ development and memory-executable C2 integration.
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Oct 16, 2021
    Been a few months in development on and off, but finally got an end to end POC working for lsarelayx. System wide NTLM relay from Windows which relays all incoming NTLM authentications without affecting the original target application. Silent relay if you will.
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Aug 18, 2022
    Want to authenticate to RDP/Citrix using your abused ADCS certificate and live off the land? PIVert has got your back. Will be releasing soon!
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Nov 12, 2021
    Well here it is, the initial release of lsarelayx. Considered alpha at this stage, so I recommend lab use only for now. Appreciate any feedback, especially non-working environments.
    GitHub - CCob/lsarelayx: NTLM relaying for Windows made easy
    From github.com
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Jun 14, 2020
    Here is part 2 of the EDR bypass series which introduces SharpBlock. Enjoy!
    ethicalchaos.dev
    Lets Create An EDR… And Bypass It! Part 2 - Ethical Chaos
    A 2-part series on creating a basic EDR detection system and then a bypass implementation. In part 2 I introduce SharpBlock, a tool for bypassing EDRs.
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Nov 22, 2023
    Working on a new tool that will be ready soon. One thing I can say from the research... if your environment leverages Windows Hello without TPMs, DO NOT allow the default setting of a digit-only PIN. Windows stores the PIN length, and it can be brute-forced in seconds.
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Aug 8, 2021
    BeaconEye: My first defensive tool release for my #DFIR friends. Detects and monitors beacon command output. Should be considered alpha at this stage and appreciate any feedback on undetected beacons.
    GitHub - CCob/BeaconEye: Hunts out CobaltStrike beacons and logs operator command output
    From github.com
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Apr 17, 2022
    Happy Easter everyone. I've just published the article and code for the In-Process Patchless AMSI bypass for those that are interested.
    ethicalchaos.dev
    In-Process Patchless AMSI Bypass - Ethical Chaos
    Some of you may remember my patchless AMSI bypass article and how it was used inside SharpBlock to bypass AMSI on the child process that SharpBlock spawns. This is all well and good when up against...
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Mar 12, 2021
    The next blog post should be a good one. Dumping LSASS in memory using a new C# port of MinHook. Dynamic DLL assembly generation using Boo thrown in too, negating the need for opening the LSASS process handle directly.
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Jan 16, 2021
    Dumping lsass completely in memory without touching disk. Need an exfil BOF added to BOF.NET now to get that 55MB dump straight into #CobaltStrike.
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Jun 27, 2021
    Look ma, printer bug DCSync from a low-privileged service by merging @itm4n PrintSpoofer and @tifkin_ SpoolSample. How MS continue to say this is a feature is ridiculous.
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Nov 5, 2021
    Another weekend or so left and lsarelayx should be at least ready for lab testing. In the meantime check out the latest feature: Kerberos -> NTLM downgrade, so even clients attempting to connect with Kerberos will be forced to use NTLM.
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    May 5, 2024
    Time to be terrified. I've just dropped my Okta Terrify tool which I demonstrated as part of my @BSidesCymru talk last week. You can now backdoor compromised Okta accounts via Windows Okta Verify using attacker controlled passwordless keys. Enjoy -
    GitHub - CCob/okta-terrify: Okta Verify and Okta FastPass Abuse Tool
    From github.com
  • CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
    @_EthicalChaos_
    Jul 14, 2021
    Just got a POC of BeaconEye working (WIP) - My first blue team tool for my #DFIR friends. Scans processes for Cobalt Strike's beacon and then spits out a real time log of the activity.