Mockingjay revisisted - Process stomping and loading beacon with sRDI

Executables with RWX sections can be abused using a variation of a Process Overwriting technique dubbed Process Stomping. Using (a modified) sRDI and leveraging the new features of Cobalt Strike 4.9 has been possible to load beacon in the RWX section itself without the need for a custom UDRL.

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Living-Off-the-Blindspot - Operating into EDRs’ blindspot

Running Cobalt Strike BOFs from Python

Repurposing a Linux Assembly backdoor caught in the wild