{
  "version": 1,
  "pages": [
    {"id": "JJVqLZQXWY2fyOs0npgh", "title": "Introduction", "pathname": "/0xtriboulet", "siteSpaceId": "sitesp_qROto", "description": ""},
    {"id": "15fe247d70806b98629e93fc90a438487d7b15e4", "title": "Artificial Intelligence", "pathname": "/0xtriboulet/artificial-intelligence", "siteSpaceId": "sitesp_qROto"},
    {"id": "917ca8f3ff61101018c01a6375a7e5e9d7dbef1d", "title": "Evading the Machine", "pathname": "/0xtriboulet/artificial-intelligence/evading-the-machine", "siteSpaceId": "sitesp_qROto", "description": "An example evasion attack against (probably) the worst machine learning classifier of all time", "breadcrumbs": [{"label": "Artificial Intelligence"}]},
    {"id": "f22721960ddb0a80c180f73a8123c00822317647", "title": "Hiding in the Trees", "pathname": "/0xtriboulet/artificial-intelligence/hiding-in-the-trees", "siteSpaceId": "sitesp_qROto", "description": "Evading a (terrible) Random Forest Classifier", "breadcrumbs": [{"label": "Artificial Intelligence"}]},
    {"id": "wR63velveY3QymnuIy3Y", "title": "Disclaimers", "pathname": "/0xtriboulet/disclaimers", "siteSpaceId": "sitesp_qROto", "description": "Some things you should know about my work, this page, and me"},
    {"id": "JrReaYB4EuB72UE1rdHl", "title": "Notice", "pathname": "/0xtriboulet/archive/notice", "siteSpaceId": "sitesp_qROto", "breadcrumbs": [{"label": "Archive"}]},
    {"id": "99YC9e4QlGpobnvnDNnH", "title": "ZeroTotal", "pathname": "/0xtriboulet/archive/notice/zerototal", "siteSpaceId": "sitesp_qROto", "description": "An ongoing series demonstrating various techniques for achieving zero hits on VirusTotal", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}]},
    {"id": "XnATVGv7IoycYQ77jwq7", "title": "ZeroTotal: Msfvenom Calc", "pathname": "/0xtriboulet/archive/notice/zerototal/zerototal-msfvenom-calc", "siteSpaceId": "sitesp_qROto", "description": "The quest for an undetectable calc payload on VirusTotal", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "ZeroTotal"}]},
    {"id": "VSpFwZLnw9kvasnVDnho", "title": "ZeroTotal: Self-Injecting Calc", "pathname": "/0xtriboulet/archive/notice/zerototal/zerototal-self-injecting-calc", "siteSpaceId": "sitesp_qROto", "description": "The quest to achieve an undetected self-injecting calc implant", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "ZeroTotal"}]},
    {"id": "BFcrPYRQvauzvA6rzOHS", "title": "ZeroTotal: Rusty Calc", "pathname": "/0xtriboulet/archive/notice/zerototal/zerototal-rusty-calc", "siteSpaceId": "sitesp_qROto", "description": "The quest to achieve an undetectable self-injecting calc implant using Rust", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "ZeroTotal"}]},
    {"id": "fOod9tBlHFJXP78PqAId", "title": "Achieving Access", "pathname": "/0xtriboulet/archive/notice/achieving-access", "siteSpaceId": "sitesp_qROto", "description": "A series describing techniques to quickly achieve reverse shells on Windows 10 and Windows 11 targets with Windows Defender enabled", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}]},
    {"id": "qx78X2SM0u3z8Q7Su5KU", "title": "achieving access: implantv1", "pathname": "/0xtriboulet/archive/notice/achieving-access/achieving-access-implantv1", "siteSpaceId": "sitesp_qROto", "description": "Using classic methodology to develop a detectable payload on Windows 10 and Windows 11. We'll use this as a springboard to more successful implants in the following sections", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Achieving Access"}]},
    {"id": "2d0c1E0zadpz1ua4V6u3", "title": "achieving access: implantv2", "pathname": "/0xtriboulet/archive/notice/achieving-access/achieving-access-implantv2", "siteSpaceId": "sitesp_qROto", "description": "Using a development workflow that allows for customizable reverse shell payloads", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Achieving Access"}]},
    {"id": "SoN8hnQwNK2AlT0h70V5", "title": "achieving access: implantv3", "pathname": "/0xtriboulet/archive/notice/achieving-access/achieving-access-implantv3", "siteSpaceId": "sitesp_qROto", "description": "We reimplement the code we developed in implantv2 using the VX-API. This API is designed with malware development in mind and is a powerful addition to your development environments", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Achieving Access"}]},
    {"id": "CeEu6dBDKxmwB1v9OvkQ", "title": "Deceiving Defender", "pathname": "/0xtriboulet/archive/notice/deceiving-defender", "siteSpaceId": "sitesp_qROto", "description": "A series documenting some easy ways to bypass Windows Defender and leverage existing tooling on Windows 10 and Windows 11 machines.", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}]},
    {"id": "fVhJuvRqbsYwczmihtqT", "title": "Deceiving Defender: Making nc.exe viable again", "pathname": "/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-making-nc.exe-viable-again", "siteSpaceId": "sitesp_qROto", "description": "nc.exe is a powerful utility that allows for cross-platform connections. Many modern antivirus definitions detect nc.exe and prevent its use for Red Team operations", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Deceiving Defender"}]},
    {"id": "jT5MhRixxWN9yJwbEYNJ", "title": "Deceiving Defender: Classic Bypass", "pathname": "/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-classic-bypass", "siteSpaceId": "sitesp_qROto", "description": "A practical workflow for bypassing Windows Defender disk detection using ThreatCheck, Ghidra, and Cpp", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Deceiving Defender"}]},
    {"id": "ceEgWytKFdYVuulHhB9g", "title": "Deceiving Defender: Name Bypass", "pathname": "/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-name-bypass", "siteSpaceId": "sitesp_qROto", "description": "A simple name checking technique that bypasses Windows Defender protections on Windows 11 and Windows 10", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Deceiving Defender"}]},
    {"id": "2QPkZHhLiDlbM2K2cZCC", "title": "Deceiving Defender: The Texas Two Step", "pathname": "/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-the-texas-two-step", "siteSpaceId": "sitesp_qROto", "description": "Utilizing a novel high-level methodology to bypass the increased protections of Windows Defender on Windows 11 systems in order to make mimikatz.exe viable again", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Deceiving Defender"}]},
    {"id": "9s9JfZLnhX4yz0b12VK1", "title": "Deceiving Defender: The Big Stack Bypass", "pathname": "/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-the-big-stack-bypass", "siteSpaceId": "sitesp_qROto", "description": "Defeating Windows Defender detection on Windows 10 by creating a large (>2MB) payload allocated on the stack", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Deceiving Defender"}]},
    {"id": "uALxKLOWCv1kLMXJZIpc", "title": "Making Meterpreter Viable Again", "pathname": "/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-the-big-stack-bypass/making-meterpreter-viable-again", "siteSpaceId": "sitesp_qROto", "description": "In this demonstration of the Big Stack Bypass, we take one of the most signatured payloads in offensive security and successfully bypass Windows Defender and other AV engines", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Deceiving Defender"}, {"label": "Deceiving Defender: The Big Stack Bypass"}]},
    {"id": "S3TZvrZPiw4B2eSgp5MT", "title": "Deceiving Defender: Meterpreter", "pathname": "/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-meterpreter", "siteSpaceId": "sitesp_qROto", "description": "Demonstrating manual manipulation of a meterpreter payload in order to bypass Windows Defender", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Deceiving Defender"}]},
    {"id": "k2rRGEIutmAWwl2E8Eef", "title": "Making Malware", "pathname": "/0xtriboulet/archive/notice/making-malware", "siteSpaceId": "sitesp_qROto", "description": "A series exploring the capabilities and utility of the VX-API for custom tooling", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}]},
    {"id": "lDjGaHsku9B0yl6RRozO", "title": "making malware #0", "pathname": "/0xtriboulet/archive/notice/making-malware/making-malware-0", "siteSpaceId": "sitesp_qROto", "description": "We analyze some of the capabilities of the default implant in the VX-API and discuss some of the capabilities that VX-API provides for development", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Making Malware"}]},
    {"id": "6VrcIcSuKldp30x4TAOQ", "title": "making malware #1", "pathname": "/0xtriboulet/archive/notice/making-malware/making-malware-1", "siteSpaceId": "sitesp_qROto", "description": "Let's analyze some of the capabilities of the VX-API and demonstrate the practical utility of this API against a modern Windows 10 end-user target", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Making Malware"}]},
    {"id": "JXrUvAcQ5b9weNOV0WsJ", "title": "making malware #2", "pathname": "/0xtriboulet/archive/notice/making-malware/making-malware-2", "siteSpaceId": "sitesp_qROto", "description": "In this writeup we extend the development of our previous implant to achieve reverse shell access on a modern Windows 10 machine!", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Making Malware"}]},
    {"id": "xIcKKDeTPkJORTGMXddN", "title": "Just Malicious", "pathname": "/0xtriboulet/archive/notice/just-malicious", "siteSpaceId": "sitesp_qROto", "description": "A miscellaneous repository of interesting topics that don't fit anywhere else on my blog", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}]},
    {"id": "OHkqcIIHpgjU2mKkEaWk", "title": "Advanced String Obfuscation", "pathname": "/0xtriboulet/archive/notice/just-malicious/advanced-string-obfuscation", "siteSpaceId": "sitesp_qROto", "description": "Sunday, December 3, 2023", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Just Malicious"}]},
    {"id": "XGhpoRVMzSbkAsJL8rdN", "title": "From C, with inline assembly, to shellcode", "pathname": "/0xtriboulet/archive/notice/just-malicious/from-c-with-inline-assembly-to-shellcode", "siteSpaceId": "sitesp_qROto", "description": "Friday, August 11, 2023", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Just Malicious"}]},
    {"id": "n9SlY8xc4gBn0zbmjHd8", "title": "Thnks4RWX", "pathname": "/0xtriboulet/archive/notice/just-malicious/thnks4rwx", "siteSpaceId": "sitesp_qROto", "description": "Compile an implant with RWX sections of memory to simulate a dropper with dynamic functionality in its own .text section", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Just Malicious"}]},
    {"id": "PuTKueEDWmtfw3pwgIg8", "title": "Unholy Unhooking", "pathname": "/0xtriboulet/archive/notice/unholy-unhooking", "siteSpaceId": "sitesp_qROto", "description": "A series that discusses using modern tools to re-apply classic methodologies and overcome Windows AV mitigations", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}]},
    {"id": "rRdV91d7EwgAZm9dQ4nh", "title": "Unholy Unhooking: byoDLL", "pathname": "/0xtriboulet/archive/notice/unholy-unhooking/unholy-unhooking-byodll", "siteSpaceId": "sitesp_qROto", "description": "Using our own copy of ntdll.dll, our implant will clear AV hooks and execute a malicious payload.", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Unholy Unhooking"}]},
    {"id": "6kCNhM2c487cxd5ZAIC6", "title": "Unholy Unhooking: FrByoDLL", "pathname": "/0xtriboulet/archive/notice/unholy-unhooking/unholy-unhooking-frbyodll", "siteSpaceId": "sitesp_qROto", "description": "Using pe2shc, we'll load a clean copy of ntdll.dll in memory, unhook our program, and execute our malicious payload.", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Unholy Unhooking"}]},
    {"id": "jB8fMz5iASlxOmYm2SW2", "title": "Unholy Unhooking: Rusty Fart", "pathname": "/0xtriboulet/archive/notice/unholy-unhooking/unholy-unhooking-rusty-fart", "siteSpaceId": "sitesp_qROto", "description": "An overview of Perun's Fart implemented in Rust", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Unholy Unhooking"}]},
    {"id": "nvo9n8i6ptPNAt6qUnnW", "title": "TTPs", "pathname": "/0xtriboulet/archive/notice/ttps", "siteSpaceId": "sitesp_qROto", "description": "A series focused on the review, analysis, proposal, and improvement of Tactics, Techniques, and Procedures used by open source security researchers.", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}]},
    {"id": "UQPEt5FSEndF8nESRHgD", "title": "TTPs: Embedding Payloads with MSFVenom (x86)", "pathname": "/0xtriboulet/archive/notice/ttps/ttps-embedding-payloads-with-msfvenom-x86", "siteSpaceId": "sitesp_qROto", "description": "An in-depth analysis of the mechanics behind embedded payloads using MSFVenom", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "TTPs"}]},
    {"id": "dLR9OGuZwzumh5jzdNg3", "title": "TTPs: Embedding Payloads with MSFVenom (x64)", "pathname": "/0xtriboulet/archive/notice/ttps/ttps-embedding-payloads-with-msfvenom-x64", "siteSpaceId": "sitesp_qROto", "description": "Demonstrating a workflow to achieve embedded payloads on x64 executables using MSFVenom, BinaryNinja, and x64Dbg", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "TTPs"}]},
    {"id": "s4MIs6yV9aplhmJib24g", "title": "TTPs: Rust vs C++", "pathname": "/0xtriboulet/archive/notice/ttps/ttps-rust-vs-c++", "siteSpaceId": "sitesp_qROto", "description": "A comparative analysis of C++ and Rust implant binaries", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "TTPs"}]},
    {"id": "2I9viWbkfU6lX95eaJsY", "title": "TTPs: JmpNoCall", "pathname": "/0xtriboulet/archive/notice/ttps/ttps-jmpnocall", "siteSpaceId": "sitesp_qROto", "description": "A proof of concept demonstration of custom payload and implant implementations that results in clean call stack execution of malicious code", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "TTPs"}]},
    {"id": "bFOhIDURvHg0Fz9uLFss", "title": "TTPs: BadAsm", "pathname": "/0xtriboulet/archive/notice/ttps/ttps-badasm", "siteSpaceId": "sitesp_qROto", "description": "In this writeup we use the capabilities of inline assembly to overwrite part of our program's .text section and achieve non-standard payload self-injection and execution", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "TTPs"}]},
    {"id": "Ojc2Y5jfAE47d69IxkBl", "title": "TTPs: BadStrings", "pathname": "/0xtriboulet/archive/notice/ttps/ttps-badstrings", "siteSpaceId": "sitesp_qROto", "description": "In this writeup we discuss a multi-step methodology for beating string detection by Mandiant's FLOSS string deobfuscator", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "TTPs"}]},
    {"id": "WCpiglKoHAYb0roCTF08", "title": "Weird Windows", "pathname": "/0xtriboulet/archive/notice/weird-windows", "siteSpaceId": "sitesp_qROto", "description": "A series discussing weird features of Windows", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}]},
    {"id": "JfZjzbhieIPKp6ytZ6sB", "title": "Command Hijacking with .COM", "pathname": "/0xtriboulet/archive/notice/weird-windows/command-hijacking-with-.com", "siteSpaceId": "sitesp_qROto", "description": "In this writeup we demonstrate a technique that allows for command interception from a target user's command prompt or powershell on modern Windows systems", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Weird Windows"}]},
    {"id": "C4ud6k3DhRep1y6zYxhN", "title": "Non-Existent File Paths", "pathname": "/0xtriboulet/archive/notice/weird-windows/non-existent-file-paths", "siteSpaceId": "sitesp_qROto", "description": "This writeup will discuss the use of non-existent file paths and present a use case", "breadcrumbs": [{"label": "Archive"}, {"label": "Notice"}, {"label": "Weird Windows"}]}
  ]
}