We're going to be talking about a post-exploitation tool, but we just have an extra little add-on of this 0-day. So when JennaMagius and I were working on EternalBlue, we discovered that part of the pool grooming process was allocating memory in a contiguous way. And by abusing those memory allocations, we were able to come up with an attack that we're calling SMBLoris. It's similar to the Slowloris attack that is for HTTP servers. So with that, a single machine is able to open many connections. Hold on. Just wanted to show the flags here. So the first four bytes of a connection are this NetBIOS session setup header, and it has a 17-bit length field. So what Windows is going to do is it's going to see that length field, and it's automatically going to allocate a buffer for whatever length you say, and preemptively allocate that much memory on the non-paged pool, which is memory that cannot be swapped out. It's physical RAM that has to be reserved. So 2 to the 17 gives you 128 kibibytes, and if you send many connections that do that, from a single IP, you can get to 8 gibibytes, which is like 8.5 gigabytes. So we're going to demo the attack now. And all we're doing is opening a lot of connections and sending this packet with a full length. And as you're seeing now, the non-paged pool is filling up. It's actually down here. Right now we're at 5, 5.5 gigs. And eventually this ping is going to die because there is not enough RAM. And you also notice that the CPU has spiked to 100 because now the operating system is searching through memory looking for a free spot. And now we actually have frozen the computer. So like Slowloris, if we stop this attack, the computer will restore. But if you sustain the attack, eventually you will get a hard freeze, which is worse than a blue screen because then you need physical access to restart that machine. You can't just RDP in. So there you go. Thank you. 
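Editor's note: the following is an added example and is not part of the talk or of the speakers' SMBLoris code. It builds and parses the 4-byte NetBIOS Session Service header the speaker describes (message type byte, a flags byte whose low bit is the 17th bit of the length, then 16 bits of length), and reproduces the arithmetic behind the "128 KiB per connection, 8 GB per source IP" figures. The cap of one connection per 16-bit source port is an assumption used for the estimate; the block deliberately contains no connection-flooding loop.

```python
import struct

# NetBIOS Session Service (NBSS) header as carried on TCP/445 and TCP/139:
#   byte 0      message type (0x00 = session message)
#   byte 1      flags; bit 0 is the 17th (high) bit of the length
#   bytes 2-3   low 16 bits of the length, big-endian
NBSS_SESSION_MESSAGE = 0x00
NBSS_LENGTH_BITS = 17
NBSS_MAX_LENGTH = (1 << NBSS_LENGTH_BITS) - 1   # 131071 bytes, just under 128 KiB

# Assumption for the estimate: at most one TCP connection per 16-bit source
# port from a single source address to one destination port.
MAX_CONNS_PER_SOURCE_IP = 65535


def nbss_header(length, msg_type=NBSS_SESSION_MESSAGE):
    """Build the 4-byte NBSS header announcing `length` bytes of payload to follow."""
    if not 0 <= length <= NBSS_MAX_LENGTH:
        raise ValueError("NBSS length must fit in 17 bits")
    flags = (length >> 16) & 0x01          # the 17th bit lives in the flags byte
    return struct.pack(">BBH", msg_type, flags, length & 0xFFFF)


def parse_nbss_header(data):
    """Return (msg_type, announced_length) from the first 4 bytes of a session."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes")
    msg_type, flags, low = struct.unpack(">BBH", data[:4])
    return msg_type, ((flags & 0x01) << 16) | low


def announced_allocation(data):
    """Bytes a receiver that trusts the header reserves before any payload arrives.

    Per the talk, this is what lands in non-paged pool for each connection."""
    _, length = parse_nbss_header(data)
    return length


def pool_pressure_estimate(connections, per_conn=NBSS_MAX_LENGTH):
    """Non-paged pool reserved if `connections` sockets each announce `per_conn` bytes."""
    return connections * per_conn


def max_pressure_from_one_ipv4():
    """Worst case from a single source address: every source port used once."""
    return pool_pressure_estimate(MAX_CONNS_PER_SOURCE_IP)


if __name__ == "__main__":
    hdr = nbss_header(NBSS_MAX_LENGTH)
    print(hdr.hex(), parse_nbss_header(hdr))
    print("%.2f GB from one IPv4 address" % (max_pressure_from_one_ipv4() / 1e9))
```

The header's 17-bit width is exactly why the per-connection cost tops out near 128 KiB rather than 64 KiB: a receiver that decodes only the low two bytes would under-count the allocation a peer can demand.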
And I just want to mention that we did report that to Microsoft Security about 60 days ago. They said they weren't going to fix it right away. So we had to go to full disclosure. We already told our DDoS partners and stuff like that. And it works on IPv4 and IPv6. So here's just some of the artifacts that we have that happen. The first one is just like a hard freeze. And then you can crash programs. And then right here is Microsoft's response. This is fine. All right.

So on to the main topic of the day. We're going to talk about the current open source malware options for red teams. So these are things that you can use on your pen test to, you know, own a network. And then we're going to release a new tool called Koadic C3. It's an advanced JScript/VBScript RAT. It's based on a lot of work by others: subTee, enigma0x3, tiraniddo. They've been doing a lot of research on JScript the past year or two. We're going to talk about some of the hell we went through with Windows Script Host quirks. And then at the end we're going to have a demo of the tool. So this is a list of the people who helped work on this tool. I'm zerosum0x0. That's Aleph-Naught. We've got JennaMagius in the audience and TheNaterz is watching the live stream. So we're the Red Team at RiskSense. It's a spin-off of New Mexico Tech led by Dr. Srinivas Mukkamala. He lets us have time to do some research on side projects. So we've done ExtraBacon and EternalBlue. We've ported both those exploits to Metasploit. We're kind of the first to look at those exploits. Just a couple quick notes before we get started. So if you use this tool for illicit activities, we're not responsible. We're releasing this for pen testers. There's no ransomware or anything. Like I said, there's a ton of overlapping research from subTee, enigma0x3 and tiraniddo. But we're trying to consolidate all those research techniques into a single tool. And we've also advanced the state of the art a little bit. 
So this is just a prototype. There are going to be bugs in it. So submit fixes, not tickets. And just to be very clear, this is a post-exploitation tool. So this won't be like Metasploit where you get access to a box. This assumes you already have access. And you want to do something better with that shell. You want to pivot, dump passwords and stuff like that. So the current state of Windows post-exploitation: you have, you know, Meterpreter, Cobalt Strike, PowerShell Empire. Or you can roll your own. Those are basically your options right now, and they're all very nice tools. But we're going to talk about some of the downsides of those tools and where this kind of fills a very niche gap. You're not going to use this tool a lot, but it will fill a very niche gap. So the downsides of PE malware, this is stuff like Cobalt Strike and Meterpreter. So they're both amazing software. But most of the time in a post-exploitation scenario, you're going to be dropping a binary on disk. And that's what AV loves to eat. And you're going to have to evade that payload with either Veil or Shellter or some type of crypter/packer. So that's one downside. And one of the main ones we have seen eaten a lot is PsExec, which is probably the most common one you use on a pen test. So the downsides of PowerShell, again, Empire's amazing software, officially requires PowerShell, obviously, which is Server 2008 Service Pack 2. You can install it on earlier versions, but officially that's what Microsoft supports. And PowerShell in Empire also uses some features that are in modern .NET. So I've actually had the case where I compromised a box and had PowerShell on it, tried doing an Empire stager and it failed with an error. Another very bad downside of PowerShell is that it is a first-class citizen in the logs on Windows. So that's one thing you need to realize when you're using PowerShell: you are filling up the logs. So we've made a tool made out of JScript and VBScript. 
It works on Windows 2000 Service Pack 0, possibly earlier. The main benefit of that is that the Windows Script Host, unlike PowerShell, is baked directly into the Windows core, whereas PowerShell was bolted on later. So it's a little bit harder to limit. And we found some creative uses of the default EXEs that are in the system folder. And we also found some ways to execute completely in memory so there's no dropping to disk. And that's the main benefit of PowerShell. So the downsides are that there is no access to the Windows API. The only thing you get is COM objects, which I'll talk about in a second. There's also no real threading. So when you have an agent running, you might want to run multiple jobs at the same time and have them report back. There's no threading in JScript. It's also missing a lot of standard functions like Base64. You can use certutil and some other utilities that are installed by default, but they're not on all versions of Windows. And then what's really bad is all the strings are UCS-2 wide Unicode. So when you insert shellcode in memory, it's going to fill it with null bytes or even just totally clobber all of your strings and you're not going to have the same shellcode that you put in that you thought you had. So COM was kind of this big idea from Microsoft that you could write a class in one language and then instantiate an object in another language. So what they did was write a lot of COM objects in C and now you can use them in JScript and other scripting languages. So it's language neutral, object oriented. It has a very spelled-out binary interface and it's distributed, so you can actually instantiate objects on another server and then use them on your local host, which actually leads to a lot of pivot opportunities. It's an arguable precursor to .NET. It has slightly different goals than .NET did, and .NET has a lot of tools that help you interact with COM. And it's also found everywhere in Windows. 
It's in its own registry hive. It's HKCR, HKEY_CLASSES_ROOT. So this is an example of instantiating a COM object in JScript. So what we've done here is we've instantiated this object called htmlfile. And like I said, we don't get access to the Windows API, but we get access to all the interfaces that this COM object exposes. And from that we're actually able to scrape the clipboard by going to the parent window and getting the text. So we originally started this project back in October using VBScript. VBScript and JScript are basically the same thing. At the end of the day they just have slightly different syntax and a couple other things. One thing that's really bad is that VBScript has an insane error handling thing where you have to do On Error Resume Next at every function scope and then for every instruction that you run you have to check if there's an error condition. So there's no try/catch blocks like you get in JScript. The other thing that we ran into was the Shlemiel the painter problem. So this is a problem with string indexing. Normally for string indexing you want O(1) lookups. So you want to look at the hundredth element in the string. That's O(1). With JScript it counts from the beginning of the string. So you actually get O(n!) to traverse the entire string instead of O(n). So JennaMagius solved the hardest problem in computer science: we just moved the bucket every several thousand iterations. We moved the string pointer up. While working on this tool we researched GNU Readline, which is the interactive shell for Linux and Unix systems. So in Metasploit what happens is, as shells start to rain in, your input is getting overwritten by all those shells raining in. So we were able to redraw every time a shell came in and not mess up your input. And that picture is just an example of kind of the bad input. We committed it in PR 7570 to Metasploit. They've actually commented it out. 
They have to support Windows and some other systems. There were a couple bugs there, but we're only supporting Linux. So I'll talk about some of the terminology before I talk about how we architected this. So a zombie is a hook target. It's basically like a session in Meterpreter or an agent in PowerShell Empire. A stager is a web server that we use to have the C2, C3 server. And then an implant just starts one or more jobs on a zombie, and then a job: we figured out a way to fork, so you can have simultaneous jobs running and then they report back to the server. So this is done by a plugin class. There's two types of major plugins: stagers, which spawn web servers, and implants, which start jobs. They all have a load method which has variables. These are like things that you set in Meterpreter. All we do is a simple string replace for tilde and the variable name inside of JS files. And then they also have a run method which, like I said, starts an HTTP server or starts a job. The job class is what you instantiate from implants, and they have a report handler, so when the job reports back to you you're able to handle that. And then we also implemented a standard lib.js file which kind of abstracts a lot of that COM stuff for you so you can run commands, upload/download files and perform those HTTP communications. We have all the standard implant categories you would expect. You can pivot, so move from machine to machine; persistence, so if a machine reboots it will still call home. Manage utils are kind of like, they'll let you enable RDP or run commands, download, upload files. Elevate is a whole class of UAC bypasses. That's the "run as administrator" box on Windows. Gather will scrape credentials from the hives, like NTLM hashes. We actually wrote a TCP scanner which I'll get into in a little bit. We have a fun category like PowerShell Empire does. They play AC/DC's Thunderstruck. They blast the volume to play that. We do that, but we do the Cranberries' Zombie song. 
And then we also have inject, which is a whole category where we figured out how to break free of the COM chains and get to the Windows API. And from there we do reflective DLL and Mimikatz and stuff, and we have a cool demo. So stager architecture: generally in a post-exploitation setting you're going to hook by a manual command. That's what you do with PowerShell Empire. You just run a command and then it calls home. You can hook from IE, so you can phish somebody and if they click yes, run this, you know, all these ActiveX objects, it'll work. Also Office macros, you can do a stager that way. So all we're using is a simple HTTPS threaded server in Python as the main C3 server. So you get encryption through TLS or SSL. There's a caveat there. A couple caveats. So one is older versions of Windows won't have TLS enabled, so you'll have to fall back to SSL. And the other one is you need a valid certificate, so you'll have to call home to a domain that you own a certificate for. And how we do the call home is we do a long poll. So this is kind of the old way of doing AJAX before WebSockets: you call home to the server and then the server hangs you for a long time until there's a job to be done. And it tells you that job and you run that job. So there's a couple problems with that. There's no problem with hanging forever, because once you go into the COM object and you run that, you're in COM world. It's outside of your script context. But there is a limited amount of instructions you can run in JScript. So it's actually default to five million, I believe. So if you run five million instructions in JScript, which is actually very easy to do, even for just a few milliseconds, it's going to pop up an error saying stop running this script, and it's going to hang the script till the user clicks yes or no. So for that reason we fork on a regular basis. So the first time you call home to the server you're not going to have a session ID. 
It's going to assign you a session ID and it's going to fork to a special job called stage. That stage is going to do that long polling process I was talking about until it gets a job ID. When it gets that job ID it's going to fork that special stage job again, so we don't use too many instructions, and it's going to fork the job. And then when that job calls home it's going to have both the session ID and the job ID. So then it's going to send the job payload, which is going to do some work. It's going to report back to the server about that work and then it's just going to strictly exit. So some of the stagers we have: we do have the traditional way of running JScript and VBScript through cscript or wscript. These require dropping a file on the disk, so antivirus can catch that pretty easily. And you can always disable the Windows Script Host. An interesting stager that we have is MSHTA, HTML Applications. So these are kind of like a weird IE security zone that lets you get access to the registry, the file system, the command shell. And the payload for that is really tiny. It's the tiniest payload we have. All you do is run mshta and then a URL. And then it's going to call home without a session ID and get assigned one and all that. So with these HTML applications they're going to pop up like a little browser window. So we experimented with many techniques to try and hide this window. The best that I could come up with, and I really did a lot of experimentation, was I moved the window 2000 pixels off the screen, resized it to one pixel and then I blur it so it doesn't steal focus. And then also there's some XML that we can do to hide it from the taskbar. I thought this was really bad until I looked at some malware samples that were doing the same thing. So I didn't feel as bad. So rundll32, this kind of abuses the way that rundll32 parses the DLL it's supposed to run. 
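Editor's note: the following is an added example, not Koadic's own server code, that models the call-home state machine the speaker has just walked through: a first request with no session ID gets one and is told to fork the stage job; the stage job polls (the server would hold the request open; here a "wait" response stands in for the hang) until a job ID is available, then forks a worker that calls back with both IDs to fetch its payload, reports, and exits. Everything is in memory with no sockets; the request/response dictionaries and action names are this example's own convention, not the project's wire format.

```python
import collections
import uuid


class C3Dispatcher:
    """Server side of the long-poll call-home protocol, modelled in memory.

    A zombie request is a dict that may carry 'session', 'job' and 'report'.
    Each response names the next short-lived script the zombie should fork, so no
    single JScript instance runs long enough to trip the instruction limit.
    """

    def __init__(self):
        self.sessions = {}   # session_id -> deque of queued job ids
        self.payloads = {}   # job_id -> payload handed to the worker, consumed once
        self.reports = {}    # (session_id, job_id) -> report body

    def queue_job(self, session_id, payload):
        """Operator side: attach a job to a hooked zombie."""
        job_id = uuid.uuid4().hex
        self.payloads[job_id] = payload
        self.sessions[session_id].append(job_id)
        return job_id

    def handle(self, request):
        session_id = request.get("session")
        if session_id not in self.sessions:
            # First call home (or an id we do not know): assign one, fork the stage job.
            session_id = uuid.uuid4().hex
            self.sessions[session_id] = collections.deque()
            return {"session": session_id, "action": "stage"}

        job_id = request.get("job")
        if job_id is None:
            # The stage job polling for work.
            queue = self.sessions[session_id]
            if not queue:
                return {"session": session_id, "action": "wait"}   # stands in for the hang
            # Work exists: zombie forks a fresh stage to keep polling, plus a worker.
            return {"session": session_id, "job": queue.popleft(), "action": "fork"}

        if "report" in request:
            self.reports[(session_id, job_id)] = request["report"]
            return {"session": session_id, "job": job_id, "action": "exit"}

        payload = self.payloads.pop(job_id, None)   # a replayed job id gets nothing
        if payload is None:
            return {"session": session_id, "job": job_id, "action": "exit"}
        return {"session": session_id, "job": job_id, "action": "run", "payload": payload}


def simulate_zombie(server, run_payload, session=None, polls=2):
    """Client side: walk the state machine and return (session_id, list of actions)."""
    trace = []
    if session not in server.sessions:
        resp = server.handle({"session": session})      # no / unknown id -> assigned one
        trace.append(resp["action"])
        session = resp["session"]
    for _ in range(polls):                               # the stage job's polling loop
        resp = server.handle({"session": session})
        trace.append(resp["action"])
        if resp["action"] == "fork":
            job = resp["job"]
            resp = server.handle({"session": session, "job": job})   # worker fetches payload
            trace.append(resp["action"])
            if resp["action"] == "run":
                result = run_payload(resp["payload"])                   # do the work
                resp = server.handle({"session": session, "job": job, "report": result})
                trace.append(resp["action"])                            # 'exit'
    return session, trace


if __name__ == "__main__":
    srv = C3Dispatcher()
    sid, _ = simulate_zombie(srv, lambda p: None, polls=1)
    srv.queue_job(sid, "whoami")
    print(simulate_zombie(srv, lambda p: "ran " + p, session=sid))
```

The one-shot `payloads.pop` is the detail worth keeping: a job ID observed on the wire cannot be replayed to fetch the payload again, which matters because the HTA and rundll32 stagers hand the job ID around on command lines that other processes can read.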
So in this example it's loading mshtml.dll and it's running RunHTMLApplication on it, which is the same thing that mshta does. Only this is a little bit more hidden. Now when that function gets called it's going to parse the entire command line and it's going to see it starts with javascript: and it's going to start executing JavaScript. So actually our MSHTA stager, as soon as we fork, we go to this one because it has less window visibility. Another stager here that subTee discovered is called COM+ scriptlets. They still get written to disk, but it's this program called regsvr32.exe which is supposed to assist you in installing COM stuff. You can actually feed that a URL and it's going to go fetch that scriptlet and then it's going to run some JScript. So this is actually a stager that's present on Windows 2000. MSHTA is not; maybe it is in a service pack, but at the beginning it's not. So there's a couple ways to run commands. The most common way is through WScript.Shell. It has two ways to run commands, either Exec or Run. Exec gives you access to standard out and standard error for all of that process's output. The only problem is it's going to flash a little cmd.exe window. So it's not good. We had to resort to .Run, which does not give access to standard out. But we kind of pipe to a UUID in the temp folder, a text file, and we pipe standard out and standard in to that file and then we read that file. So we're able to get the output. Another way to start processes is with WMI; Win32_Process is a part of that. And that's the Windows Management Instrumentation. It's just kind of for managing boxes. So one of the main things you want to do with a post-exploitation tool is upload files and download them. But binary data is very hard to work with in JScript. So writing, if you want to write a file on a disk, writing byte by byte, you use all of your limited instructions I was talking about. 
So what we do, one way you can do that is you can write the response body stream directly to an ADODB.Stream. The only problem is, as you can see, you get an error that says safety settings on this computer prohibit accessing a data source on another domain. So this is part of that IE security zone sandboxing I was talking about. So what we do is we create a temporary ADODB object in memory. We write that stream to that object in memory and then, so now it's on our domain or whatever, and then we're able to write that to file. So this is just some boilerplate code that just lets you write directly to file without using a lot of instructions. Another problem we encountered was with downloading files. So this is when you want to get a file. It's on the zombie, you know, you see, say, something interesting on the target. You want to download it to your machine. You're going to do that by having it send an HTTP request, sending an octet stream, which is going to have all that binary data. The only problem is that Windows is going to double encode that data. So through some reverse engineering we figured out it was encoding it with Windows-1252 encoding first and then UTF-8. So we saw that the binary data did not match up when we got it back. Another thing is if you send a null byte it just ends the response stream right there, the request stream. So we added another layer of encoding where we encode backslashes and null bytes. So we have three different decodings we have to do once it gets back to the server. It was really slow. Aleph-Naught wrote a hard-coded lookup table. So it's about one second per megabyte now, down from ten seconds per megabyte. So these are all of our UAC bypasses. These work because on Windows there's the current user hive, which a user is able to write to, their current user hive, no problem. And then Windows has these binaries in the System32 folder that have a manifest that auto-elevates them, gives them UAC bypass privileges. 
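Editor's note: the following is an added example, not Koadic's code, that models the download path the speaker describes: an escape layer for NUL bytes and backslashes applied on the zombie, the resulting bytes read by Windows as Windows-1252 characters, and the string then sent as UTF-8, so the server must peel the three layers off in reverse. The escape scheme (`\0` for NUL, `\\` for backslash) is this example's assumption; only the cp1252-then-UTF-8 layering is from the talk. The 256-entry lookup tables are built explicitly because Python's cp1252 codec rejects the five bytes that Windows-1252 leaves undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D), whereas a Windows box passes them through as same-valued control characters, so a naive `.encode("cp1252")` on the server would fail on real binaries.

```python
# Windows-1252 leaves five bytes undefined; map those to the same-valued control
# character (what Windows does) instead of letting the Python codec raise.
def _build_tables():
    byte_to_char = {}
    for b in range(256):
        try:
            byte_to_char[b] = bytes([b]).decode("cp1252")
        except UnicodeDecodeError:
            byte_to_char[b] = chr(b)
    char_to_byte = {c: b for b, c in byte_to_char.items()}
    return byte_to_char, char_to_byte


CP1252_BYTE_TO_CHAR, CP1252_CHAR_TO_BYTE = _build_tables()
ESC = 0x5C  # backslash


def escape_layer(raw):
    """Zombie side (assumed scheme): NUL -> backslash '0', backslash -> two backslashes."""
    out = bytearray()
    for b in raw:
        if b == 0:
            out += b"\\0"
        elif b == ESC:
            out += b"\\\\"
        else:
            out.append(b)
    return bytes(out)


def unescape_layer(data):
    """Reverse escape_layer; malformed escapes are an error rather than silently kept."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != ESC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("dangling escape at end of data")
        nxt = data[i + 1]
        if nxt == ord("0"):
            out.append(0)
        elif nxt == ESC:
            out.append(ESC)
        else:
            raise ValueError("unknown escape sequence")
        i += 2
    return bytes(out)


def zombie_encode(raw):
    """What arrives on the wire: escaped bytes, read as cp1252 text, sent as UTF-8."""
    text = "".join(CP1252_BYTE_TO_CHAR[b] for b in escape_layer(raw))
    return text.encode("utf-8")


def server_decode(body):
    """Server side: UTF-8 -> cp1252 bytes via the lookup table -> unescape."""
    text = body.decode("utf-8")
    try:
        escaped = bytes(CP1252_CHAR_TO_BYTE[c] for c in text)
    except KeyError as exc:
        raise ValueError("character %r is not a cp1252 byte" % exc.args[0])
    return unescape_layer(escaped)


if __name__ == "__main__":
    sample = bytes(range(256))            # constructed input covering every byte value
    wire = zombie_encode(sample)
    print(len(sample), "bytes became", len(wire), "on the wire; round trip ok:",
          server_decode(wire) == sample)
```

The table-driven translation is also the cheap path the talk alludes to: one dictionary lookup per character instead of per-byte codec calls, and it fails loudly on anything that could not have come from a cp1252 byte rather than producing a file that looks right but has a wrong hash.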
And then there's a couple binaries that are going to look in that current user hive, that you're allowed to write to, for a command to run. I don't know why. But we're just going to put the stager command at those registry keys, start that process, and it's going to call home and we're going to be elevated. Microsoft is trying to fix some of these. They've closed a couple of them in Redstone 2 and 3. But there's UACMe by hfiref0x. It's some future work if these methods get closed down. There's 35 plus methods we can use. Some are applicable. So another main thing you want to do in a post-exploitation tool is dump the NTLM hashes off the server. So there's reg.exe. I believe it was added in some service pack of Windows 2000. It's at least present in Windows XP and higher. But from there, if you're elevated, you can save the SAM, SYSTEM and SECURITY hives and run Core Security's Impacket, which will decode, decrypt those hives and give you the hashes out of them. Same thing for domain controllers. You can create a volume shadow copy. And then the SYSTEM hive, you can get that. And we get the NTDS.dit. We can run the same tool with some different arguments and extract AD credentials out of them. So there's several different HTTP COM objects. Most of them are just like MSXML2.XMLHTTP and then there's a ServerXMLHTTP. So this dates back to the early days of the internet where you first started with AJAX. And so the ones that are not marked server are going to have a bad sandboxing policy. It's going to have that cross-origin AJAX policy you see in web browsers. Whereas the server versions are going to be what you would have run on a classic ASP server if you wanted the server to fetch something. So it's going to be less sandboxed. So it's the same interface but a little bit different behavior. Using these objects, checking out the error messages they give when we try to do an HTTP connection to an IP, we're able to tell which ports are open. 
And so we have two different methods of telling if a port is open or not, based on the error code. So we were able to write a TCP scanner using these methods. Another interesting COM object is WScript.Network. This lets you enumerate the printer connections and the network drives that that computer is connected to. So that's useful information. And now we're going to talk about the pivoting modules. So PsExec was originally written by Mark Russinovich, first at Sysinternals before he was hired by Microsoft. Now it is a Microsoft signed binary. And this lets admins run commands on different boxes remotely. There's no reason for us to have to upload this binary to the server because Microsoft is hosting it on a live share on the internet. So we just use that live share. We do get a dirty bit when we do that, but the bypass I found was just running it, instead of WScript.Run, I ran it through WMI or something, I forget. But we didn't get that dirty bit which would have popped up a message of an error. So that just lets you run commands on another box. And we do have a working pivot with that. Another way to pivot is with WMI. So this lets you spawn that WMI Win32_Process I was talking about on another server, as long as you have cached credentials, or either your credentials, or you get credentials out of memory. You can't perform pass-the-hash with JScript. We found a really bad problem with this: when you start that new process it's going to run in session zero on the server, which is a GUI-less process, so you won't be able to elevate. But it does let you get onto other boxes, and maybe there's a workaround. Another thing that's been making waves the past couple weeks are DCOM lateral movement techniques. So MMC20.Application, enigma0x3 found that back in January. But you can spawn this object on another server and it has an interface called ExecuteShellCommand. Let's see, re-stage. 
And then just this week we had Excel.Application and Outlook.Application by Ryan Hanson, 424f424f and Staaldraad. But both of these have ways that you can load commands on another server. So that's some future work. We don't actually have plugins for this yet. But if PsExec, WMI aren't good enough we can write a plugin for DCOM. So now we're going to talk about some of the ways we escaped that COM context into the Windows API. So work gave us some Office licenses and we did find a good use for them. We didn't actually write any reports with them, but we did create a GUI-less Excel object in memory, and then from that GUI-less Excel object we also wrote some registry keys that let us run macros without a prompt. And so when you run macros in that, it's Visual Basic, which is different than VBScript. That lets you get access to the entire Windows API. So from there we were able to run shellcode or reflective DLLs. So that's one of the ways we escaped. Another technique was published a couple months ago by tiraniddo. He's a guy from Google Project Zero. So when you install .NET on a server, or a workstation or anything, it gives you a bunch of COM objects for that .NET installation. And a couple of those COM objects let you write some memory and also deserialize a .NET object. And when you can deserialize a .NET object you get access to the Windows API, because .NET has access to the Windows API. So we can do all that from JScript. And then the final way we found in our research was DynamicWrapperX. This was a DLL written by Yuri Popov and released as freeware in like the late 90s, early 2000s. It does have zero out of 61 on VirusTotal. People are using this for legitimate reasons. But basically this just lets you install a COM object on the server which gives you access to the Windows API. Normally, installing a COM object, you're going to have to write a lot of registry keys and stuff like that. 
But subTee rediscovered a thing called registration-free COM. So we don't actually have to write all those registry keys. We just drop a manifest file, also on the disk, and that DLL, and then we're able to load that COM object, at least for our process. So now that we have access to the Windows API, one of our design goals was to use the powerkatz.dll. So this is the PowerShell Empire DLL that lets you get access to Mimikatz. There was a problem with this, and that was that all of the DLL mapping was performed in PowerShell. So normally with a reflective DLL you're going to write some C code that will load itself. And they did it in PowerShell. So we have limited instructions. We can't do all of that DLL mapping. So what I did is I wrote a DLL called mimishim. And that's just a normal reflective DLL. So all the loading code is in C. It's part of the DLL. And we just say start a thread there and it'll load itself. So what it's going to do is it's going to see if we're an x64 or an x86 process on an x64 system. Which, if you've ever dealt with Mimikatz, that can be an issue. If that is an issue we're just going to fork a sysnative notepad.exe. We're going to process all of that and inject the powerkatz.dll into it. And from there we're going to do a couple of default things. We're going to get the debug privilege, which is kind of a God mode privilege on Windows. And then we're going to elevate our token to SYSTEM. And then we're going to run whatever custom Mimikatz command you want to run, which will let you extract plain text passwords out of memory, provided that Credential Guard or some other defenses aren't enabled. And with that I'll let Aleph-Naught run the demos. I heard you guys like live demos. Alright, so what we're going to do here is we're going to show our tool off. At least we have a screen. I heard we had screen problems on the other ones. 
Okay, so the first thing we're going to do is we're just going to load it up and we're trying to get our stager first. Right? I know we were talking about this in the beginning. So we're greeted with a screen like this. We have a lot of options in here. So as you can see it's a very similar kind of structure to like Metasploit or other tools of a similar kind of nature. We run info and we can set our LHOST. This is a local host internal network for a domain that we have here on a couple of VMs right now. Yeah, the only reason why he's setting his LHOST manually is because we have a weird network setup, so we're not on the internet. Normally it'll try to go to 8.8.8.8 and get your IP, your local IP, automatically and spawn a stager there. So, and then after that's run the stager is done. You can close the window and you see no windows popped up and nothing seems out of the ordinary, but we get a stager coming back right here. And we'll see. We take a good look here. It's not an elevated prompt, as you can tell right here. We come back with a star if it was. And so from here we have our zombie and we can kind of do what we want. So to demonstrate the kind of ridiculousness that we had to go through, we can kind of upload a file, get a shasum, download the file and do a shasum again. So we're going to use an implant and we see everything is like a nice little options file. So we can also get into a command shell from here. So if we look onto our hooked client right here and we take a look at the directory where we should have uploaded the PuTTY, you will see it and it's right here. Nice and uploaded. We'll open up a local window right here and we'll do a shasum of the actual PuTTY file. We'll see this is a shasum right here. 8.1 and ends with 5e. 
And so now we will download the file from the victim client, right now the one that's hooked, and we'll see that the integrity has been kept. Right, so we got a nice upload and download, and the client doesn't notice a thing. No windows are coming up, nothing at all, it's nice and in the background here. So what we're going to do next is we're going to try to elevate the prompt, right, a little bit of a UAC bypass and stuff like that, right, so we're going to use our elevation. So if everything goes right we should see a shell come back with a little bit of an elevated type of thing. Looks like we're coming back, and here we are, we have a nice elevated prompt. Alright, so from here you could kind of move around and try to pivot across a network. I know we were trying to explain to everybody the ridiculousness that we had to do for kind of TCP scanning and everything along that line, so what we could do is we could try to find another victim and we could scan them, look for like an open port 445, and then try to migrate and pivot, right, or pivot, just pivot this time. 
So we're going to use another implant for this. Doesn't really matter what zombie we use for this. Response is a little ridiculous, we had to make it large for everybody. So as we see here, a nice little readout of a nice scan from one of the hooked hosts to another host upon the domain, and right now we're going to try to pivot. Okay, so we're going to use, actually, should probably get the hashes first from the current machine that we got, right. We're going to use the elevated zombie with the elevated privileges to kind of dump the hashes here, and here we go, we got the hashes from the past machine, and that's a Mimikatz command, you can kind of run any command from there from Mimikatz. So right now we're going to kind of pivot from the one machine that's compromised, and we're going to pivot and we're going to get a stager on the next machine within the domain, right. As you see, we got the credentials from Mimikatz, and so we're assuming we got the plain text password or something along those lines, and we're going to move on to the next machine. So, and here we go, we pivoted throughout the network and we moved and we can see a command shell. We take a look here, take a look at whoami, and we're here on the machine, pivoting through the network nice and through all these nice little commands and everything here.

So yeah, so you can see he has two different, or three different shells here. The first one was his medium integrity, the next one was when he elevated, and then this has a different IP because he's pivoted to another machine. So we're going to talk about some of the mitigations you can do against this. There are some ransomware samples that we saw that do all of their operations in JScript, including their cryptography. So people are mainly focused on PowerShell right now. We kind of want to point out that JScript is also an attack surface. So there's a thing called the Antimalware Scan Interface. I haven't actually played with it, but it was designed to catch PowerShell scripts before they 
execute it's also a hook for antivirus to get J script and VB script files before they execute even if they're using the type of in memory stages that we talked about another thing is device guard app locker CI it's all kind of a the same umbrella for a term a common term called app whitelisting in your environments you only want to run the programs that you want to run and this will actually prevent a lot of extra malware that gets on your system from running if you only have a whitelist of what can run it's kind of a pain to set up right now it requires a lot of PowerShell and registry editing I've heard that there are good things coming there so just keep an eye out probably Redstone 4 next year but if you do get it working you want to block the windows script host you want to block HTA and com plus scriptlets you can also delete the mshca.exe and red server some components rely on that and windows update will probably reinstall them but that's one thing you can try another thing is you can delete com objects if you're not using them it's hard to tell what you're actually using including the script parsers themselves so like a J script and VV script those are all com objects that are script parsing I haven't actually tried deleting them I think you might break your system but we do have some intent to add this to metasploit at least for a target as ps exec so right now it has it drops a file or it runs a power shell command we want to do a mshca command back and then iterate through all those methods that we found a fork to Windows API and try to spawn a interpreter binary that way just iterate yeah just iterate all over those methods some more future work is exploring com seeing what is exposed through the interfaces it's a large attack surface on windows that was kind of forgotten about or it's kind of a difficult concept to grasp ternito has a cool tool I forget what it's called like OLE viewer or something that lets you get the interfaces for a lot of these 
com objects and you can see what you can do with them another thing is that with this tool like I said there's a lot of bugs so we do plan to clean up the code and do a small plug-in revamp so right now plugins are kind of reusing a lot of the same code and we also want to implement a javascript obfuscator so right now all the payloads are pretty generic they're all the same but if we had obfuscator it's going to kind of add some bypasses for very obvious lookups of that we've kind of neglected persistence implants so I wouldn't talk about them there are a few ways to get persistence that's when the machine reboots it'll restage WMI subscriptions is one that we could do and then another thing is we're using the basic Python server just very generic so we actually do have the slow laurus attack I believe that works on this so remember we dropped that ODE SMB laurus that we have the slow laurus attack on this so that's one thing we want to close down by throttling the amount of IPs some related talks by Tere Nito he did com in 60 seconds this is the best primer on com you can watch better than any book I ever read he does it it's not actually 60 seconds it's 60 minutes but he did an infiltrate this year another one is windows archaeology which sub T and enigma OX3 did at B sides Nashville this year and then last year sub T wrote a very basic J script rat and presented that at Derby con we've kind of expanded that concept and made it you know as close to empire as we could and so yeah this code is available at github zero some slash poetic we're also doing a workshop today it was a registration only though but we have also released that code as well just check my github more lower-level stuff see and shell code but still cool stuff so yeah that's zero some and if not thank you guys very much
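As an added example, not code from the talk or from the Koadic project: a PowerShell fragment that applies two of the mitigations the speaker lists above, turning off Windows Script Host through its registry setting and adding AppLocker path rules for the script and HTA hosts. It assumes an AppLocker-capable Windows edition with the Application Identity service running and an existing policy that already contains allow rules; the new rule collection is written in AuditOnly mode so the event log can be reviewed before switching it to Enabled.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the talk or Koadic). Applies two mitigations
# described above: disable Windows Script Host system-wide, and add AppLocker
# rules for the script/HTA hosts. Review "Microsoft-Windows-AppLocker/EXE and DLL"
# events while in AuditOnly mode before changing EnforcementMode to "Enabled".

# 1. Windows Script Host off for all users: wscript.exe/cscript.exe refuse to
#    run .js/.vbs files when this DWORD is 0.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Type DWord -Value 0

# 2. AppLocker deny rules for the hosts a JScript/HTA stager relies on.
#    Both the 64-bit and the SysWOW64 copies are covered. Deny rules only make
#    sense next to allow rules: an enforced Exe collection with no allow rules
#    blocks every executable, so this policy is merged into the existing one
#    (which is assumed to already contain the default allow rules).
$hosts = @('wscript.exe', 'cscript.exe', 'mshta.exe')
$paths = foreach ($h in $hosts) { "%SYSTEM32%\$h"; "%WINDIR%\SysWOW64\$h" }
$rules = foreach ($p in $paths) {
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="Deny $p" Description="Block script/HTA host" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$p" />
      </Conditions>
    </FilePathRule>
"@
}
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

# Set-AppLockerPolicy reads the XML from disk, so write it to a temp file first.
$policyPath = Join-Path $env:TEMP 'deny-script-hosts.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 3. Show the rules and enforcement mode now in effect for the Exe collection.
(Get-AppLockerPolicy -Effective -Xml) -split "`n" |
    Select-String 'FilePathRule |EnforcementMode'
```

Deleting mshta.exe or regsvr32 as the speaker mentions is a separate step; the rules above block execution without removing the binaries, so Windows Update cannot silently undo them.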