Episode Transcript
[00:00:08] Speaker A: Welcome to the Red Room, a podcast for hackers, hopefuls and Red Team operators where we talk technical and hear war stories of artful hacking.
Welcome to the Red Room, a podcast of Red Team stories and technical conversations for anyone who likes the offensive side of cyber. The podcast is brought to you by Redacted Information Security. I'm Remy and with me is Simon.
[00:00:34] Speaker B: Hello. So for those of you who don't know, I am on a working holiday at the moment, so Remy and I are speaking internationally.
[00:00:41] Speaker A: He's working very hard, also gyming very hard. All right, back on to what we're here to talk about. We pretty much do three things each episode. As you know, if you have been listening to our last three episodes, we talk about a new technique or technical concept which is spawned from the Internet or in our brains or is something we just want to go deeper on, which this week is obfuscation. Then we have a chat with our guests about some stories they have from offensive activities they've undertaken. Before leaving you with a review of an open source Red Team tool. And keeping with the theme for this episode, we're going to take a look at the PowerShell module Invoke-Obfuscation. Our interviews are from BSides Canberra this episode, so none of them are here for our other two segments, but I promise you they are quality interviews and we have four guests. Before we get into it though, a quick word of warning to people sensitive about swearing. Simon and I swear a bit and we're not going to bleep that part out. So onto our first segment, let's have a bit of a chat about obfuscation. Simon, I think you have some opinions about the difference between obfuscation and defense evasion. And not just that, but what obfuscation is in general.
[00:01:55] Speaker B: For those who do know me, I am a man who enjoys a bit of malware. I enjoy writing a bit of malware every now and again. And I think the thing about obfuscation is that it tends to be used sort of synonymously, I guess, if I'm using that word correctly. With defense evasion, people tend to see these two things as the same thing. But I think fundamentally they are not like they're different, different goals and different aims. And while I'm sure there are some techniques that achieve both obfuscation and defense evasion, I think the majority of techniques are sort of one or the other.
[00:02:32] Speaker A: Would you not know that obfuscation is a subset of defense evasion?
[00:02:36] Speaker B: Not necessarily. I wouldn't say necessarily. Well, no, I mean, I would. I would suggest, I would posit, Remy, that obfuscation would be sort of anti-reverse-engineering. Right. Which I think if, if you're at the point where your malware is being reverse engineered, then your defense evasion has failed.
[00:02:55] Speaker A: Yeah, I'm, I'm with you there. But you wouldn't say that obfuscation also obfuscates things from whatever automated.
[00:03:03] Speaker B: Well, that's, that's where I sort of draw the distinction, right, Is that I say that like I, I would say that defense evasion is a technique to sort of evolve, like avoid or evade automated security products or you know, the human, the human eye looking over this sort of thing. Whereas obfuscation is once you've, once your malware has been discovered, how hard is it to reverse engineer and signature and build, you know, profiles to try and detect more of it and stuff like that. Like, I think at that point you've sort of gone past defense evasion and now you're sort of fighting for ground. Right. So if you are of the red team variety where you don't give up once you've been discovered and you want to sort of fight to stay on the network, which is, you know, I suppose, depending on your organizational structure, maybe you will do it. There are certainly, there are certainly, you know, well known and well tracked cybercriminal, cybercriminal groups that will fight you, fight on your network, fight on your ground to remain in there. So that is probably something worth emulation for your, for your own blue team training.
[00:04:10] Speaker A: I think also I'm assuming that everybody here has heard of the concept of the Pyramid of Pain, which was invented, I believe, by a SANS instructor. But the Pyramid of Pain is basically the things that you can discover about your adversary which will cause them the highest amount of pain. And at the bottom is all of the tiny things like, you know, IP addresses, and then you've got domain names and kind of pieces of infrastructure where it's like they can change those very quickly. That doesn't really bother them. And then you progress all the way up the top where you have tactics, techniques and procedures, or try and refer to it as, more concisely, capability. So if you have a particular piece of capability that allows you to conduct many sorts of operations and it doesn't necessarily have to be linked to a zero day, or it has to be, it's usually malware bound, but a piece of, a piece of software or offensive capability which allows you to conduct operations, and without it, you would not be able to do those kinds of operations. That is the thing you do not want to lose. And where I think the line is between what you're fighting for once somebody started reverse engineering, is you're fighting to keep that capability.
[00:05:18] Speaker C: Right.
[00:05:18] Speaker A: Because if you're trying to obfuscate all of your malware and all of your capability, then you're trying to stop people from taking that away from you so it cannot be used against you in other operations potentially.
[00:05:29] Speaker B: Yeah. I mean, you're absolutely right. The Pyramid of Pain is a pretty good concept. It's one that's been well understood in the military for many, many years. And it's about, you know, targeting adversary center of gravity and, you know, what. What it is that enables them to do their missions most effectively. And the Pyramid of Pain is just sort of like a corporate restructuring of that concept. But you're. You're absolutely right. So you're targeting an adversary that is sort of trying to disrupt cyber criminal organizations, or, you know, in another. Another way of speaking, to impose cost on, to say, like, hey, look, you know, maybe it's really not worth our bottom line to go after these guys because it's going to take us, you know, a year and hundreds of thousands of dollars to try and get into this organization. Maybe we want to deflect and go off to someone else. That's an easier target. Like trying, as you said, the bottom of the Pyramid of pain, trying to go after like, IP addresses or domain names or something like that. Like, if your primary way of stopping an adversary is to block their, you know, their C2 domain names at your gateway, then you're going in. You're going to be in for a world of hurt, because they're probably rotating those every 48 to 72 hours anyway.
[00:06:35] Speaker A: Crunchy shell security as well.
[00:06:37] Speaker B: Yeah, if you can. If you can, target their malware. So if you can target their implants or their TTPs, their tactics, techniques, and procedures, if you can get inside that world and either signature their malware effectively or discover their primary techniques so that you can heuristically detect them easier, changing their TTPs or rewriting their malware is way, way harder, way, like, way more disruptive to their operations than just blocking a domain at the gateway.
[00:07:08] Speaker A: So for this conversation, then, which we're already well into, but for this conversation, are we drawing a distinction between then are we obfuscating for the purpose of attempting to evade that aspect, attempting to evade people from being able to discover our capabilities and our malware, or are we talking obfuscation in the general term? Because when you talked about the difference between defense evasion and obfuscation, it was very much about, you know, it was implant focused. But in my mind, obfuscation is also things like C2. You use obfuscation to obfuscate your C2 in the most literal sense or even in the domain names of your infrastructure, that kind of thing, to make it seem like they are benign when they are in fact not. You would say that that is more on the defense evasion side, even though it would have a human at the end of that process. Like, you might have alerts or you might have logs coming back to a SOC and a person having eyeballs on that. The obfuscation is still trying to fool the human, but it's more in a systems process way rather than I am quite literally trying to throw walls up for somebody who has. Is reverse engineering my capability.
[00:08:17] Speaker B: Yeah, I mean, the Venn diagram of what is obfuscation and what is defensive evasion does have some overlap in certain places. And really, like, we want to try not to get too bogged down into the semantics of, like, you know, if we. If we create a domain name that matches perhaps a client organization of yours closely for our C2, then is that defensive evasion or is that obfuscation or whatnot? I would probably lean towards the defense evasion side of things because for me, I guess as a, you know, as a malware developer, obfuscation has a sort of very literal meaning in terms of how implants are compiled and, or, you know, or how your malware is written. There's really defined techniques on that, but I'm happy for there to be sort of overlap. There's always new stuff coming out. There's all. And in terms of the way we run this podcast, like, talking about, like, the most, you know, incredible and hilarious things that come out of the world of red teaming, sometimes things come out that I'm gobsmacked by.
[00:09:19] Speaker D: Right.
[00:09:19] Speaker B: So we were talking earlier, Remy, you know, when we had a chat about what are we going to talk about in this. In this podcast? And I'll have to check the date. Was it this year. Was it this year that the DumpStack thing was revealed, but someone discovered that. So DumpStack.log, which is a file that Windows uses to dump the stack of some process memory into a file on disk for the purpose of, you know, debugging and whatnot. Later on, any file that is named DumpStack.log is ignored by Windows Defender, or at least was. I'll have to check to see whether or not Microsoft has patched this. I certainly would have by now. Anything named DumpStack.log is just, is just completely ignored by Defender. And the first screen grab that I saw of it was someone renaming Mimikatz, just the straight up Mimikatz, you know, exe binary to DumpStack.log and copying it onto target and executing it with no issues. Because it was just being completely ignored both on disk and at runtime by Defender. Yeah.
[00:10:20] Speaker A: And I mean I'm not sure if that says more about Defender but I guess in the most basic sense you are trying to obfuscate things so that defense evasion so that you can evade defenses. I might, I might put that in the defense evasion camp actually.
[00:10:34] Speaker B: No, I would say that's firmly in defense evasion. Yeah.
[00:10:38] Speaker A: Because you're like, it's an incredible one. Renaming. Renaming just the file name. That's like, that's like hacking the Internet by pinging Google level nonsense.
[00:10:47] Speaker B: Yeah, yeah, just like changing the file name.
[00:10:50] Speaker A: Yeah.
[00:10:50] Speaker B: And I'm sure, I'm sure one of your. When that sort of research came out, there were, you know, various APTs around the world doing the new Gun goes Bert sort of thing. You know, dumping. Dumping all kinds of crazy malware, just this DumpStack.log on all sorts of targets. But this sounds like the sort of thing that Microsoft would be. Would be very quick to fix. So I would have to actually look up and see the dates on that. I imagine it would have happened very rapidly.
[00:11:16] Speaker A: Yeah, I'm pretty sure that's been patched now. Certainly a quick Bing or Google will come up with the. This is a horrible problem in terms of getting back to obfuscation within, you know, within malware development or capability development. I've seen some of the, I think more common techniques before where you know, you scramble or you have arbitrary techniques and I mean certainly we talked about, in our very first episode, we talked about the use of interpreted versus non-interpreted languages in trying to create malware. And if we can obfuscate that way. But you know, the, the simplest, the simplest means of doing so is you know, things like variables that go and go nowhere and functions that are, you know, that are cyclical, that are never called and all sorts of things which prevent reverse engineering.
[00:12:00] Speaker B: Dummy code insertion, right? Dummy code.
[00:12:02] Speaker A: Is that the term for it?
[00:12:04] Speaker B: Yeah, which is actually a really interesting thing. Right. So you do dummy code insertion but depending on your compiler, like if you look, if you're doing compiled malware, if you insert a function that is never called within, within the scope of your program or even a chain of functions that there is no means by which to be called, then your compiler will most likely remove those functions at compile time for the purpose of code optimization. But yeah, your interpreted languages, yeah, you can dump, you could dump tons of dummy, dummy code and random functions and really long variables and, and all sorts of stuff like that into your code and you can randomize that to your heart's content, which actually is I suppose a somewhat effective method against reverse engineering because and there are automated tools that will do this online. Like you could paste your Python code into an online Python obfuscator and it comes out like an absolute mess and it's very, very hard to make sense of. Which actually interestingly enough leads us to two interesting. At least I think they're quite interesting. Two interesting things that come out of like these things. One is that your file size blows out massively, right? Like if you, you can run, you can run hello world into an obfuscator and it will come out just, you know, 500 lines of code depending on how many iterations of the obfuscator you will come, you'll pump out with. Which I suppose here's what I think is kind of the cutting edge, or at least the more recent things of malware obfuscation is that the way we used to look at malware is that we had to keep our implants very small, right? We had to keep the footprint of our implants really tiny.
[00:13:45] Speaker E: Standard signature approach.
[00:13:46] Speaker A: Tiny, tiny, tiny, tiny.
[00:13:47] Speaker B: Yeah, really small, right? Whereas these days, like we have so much memory and we have so much disk space that like what is, what even is like a 50 megabyte implant, no one cares like that is that is the JavaScript file of a news website, right? To 60 megabytes. I mean a lot of modern websites are just an absolute mess. I think you and I spoke while we were in Las Vegas for DEF CON last year that I had some frustrations with a well known Australian airline with the kangaroo logo trying to use their website. And it was just, it was incredibly slow and very functionally broken. So I started to look at some of the traffic that was going through thinking what on earth is this website doing? Why can't I access this particular function or why can't I access this website function? I was surprised to find to load the website and go into my account and look at my bookings, was 1500 web requests going everywhere. And I'm like, my goodness, this really stinks of, you know, developing in prod. However, we end up with this window this thing was like, file size is not strictly important anymore in terms of making. Well, because you can, you can jam all kinds of random code in there. And in fact, interestingly, it may become more effective to increase the file size because your, your defense tooling. So Windows Defender, which I imagine is the most common, will have a maximum file size that if your implant is larger than that, it will not be scanned by Defender because Defender is trying to save CPU cycles. Yeah. So Windows Defender will not, will not scan any file larger than 100 megabytes. Historically an insane size to have malware running at, but these days, these days, 100 megabytes, you know, download in a couple of seconds through Earth through a good pipe and you can jam it somewhere in AppData and no one will ever see it.
[00:15:47] Speaker A: Isn't word.exe like 350 megabytes or something?
[00:15:51] Speaker B: I don't know, is it? I just. Single binary is. But Windows Defender just won't scan. It'll just ignore it because it's too large and it doesn't want to. Windows is. Well, yes, Microsoft is more focused on the user experience there. Certainly you can trigger a manual scan, but by default it will not do it at its large. Look, this is sort of. There's caveats to this. Like, you know, the file size limits are only really applicable to certain file types. But I suppose the good news is that large executables are included in that, that list of file types that it doesn't look at. Yeah.
[00:16:23] Speaker A: Okay, so you're saying that you can get the most bang for your buck by doing a number of iterations of obfuscation to absolutely make it so. To make it so difficult to reverse engineer your malware. But you can actually also gain defense evasion benefit by doing that to the point where it is, you know, over 100 megabytes. I mean, I don't know how you would, how would you then deliver that? Because obviously that makes other problems with.
[00:16:46] Speaker B: Your initial, initial access vector and like.
[00:16:48] Speaker A: Dropping 100 megabyte binary. So that's not like some tiny thing. No, it's going to be like no.
[00:16:53] Speaker B: one's emailing 100 megabyte binary. Right. But I mean, look, there are, there are ways. There are, there are techniques that allow you to deliver things like that to target without encountering these problems. Just like there are ways that, you know, we can separate, we can separate that execution chain out. So we could, we could, for example, you could email someone a. I wouldn't call it a stager because a stager has a certain meaning. But you could email someone a small binary less or downloader that will, yeah, that will download your larger implant, you know, in the background and then that can be, you know, your, your small downloader can then set a scheduled task in Windows to execute your malware binary and then you've broken the execution like the parent child sort of connection chain from Outlook or whatever.
[00:17:39] Speaker A: There's also a, like a scanning limit for files in things like Dropbox and Google Drive and that sort of thing that I have encountered as well before. So you get these very large file size limits. Because I remember, I remember people used to, you know, sometimes deliver malware by putting it in a password protected zip. But then somehow Google managed to get, get around that for most instances and we're still scanning or wouldn't let you download.
[00:18:04] Speaker B: I think what Google did in that circumstance is that they recognized it as an encrypted zip and then refused to because they're like, look, you know, this is encrypted. Our Google scanning cannot access this. We strongly recommend you don't download. And then, you know, I think they took the decision away from the user. I don't know if it's still the case. Yeah, we used to be able to email malware in Google by. You zip your malware up into an encrypted zip and then you zip the encrypted zip into an unencrypted zip. Google gets the unencrypted zip and they're like yeah, we can look inside this, that's fine. And then they scan the encrypted zip and it's like, well, nothing's coming up because it's just an encrypted blob of data. And then you email it just fine.
[00:18:40] Speaker A: Constant mapping inside other things. And you can do that, you can do that just with straight malware as well, right? You take, take shellcode and you, you then put it into base64 and then you execute it using another function and then you take that entire thing and then you put that into base64 or like whatever it is and then encrypt it and you just keep wrapping it up in all these layers until again you're probably over 100 megabytes.
[00:19:02] Speaker B: But perhaps. Yeah, yeah, like you know, sort of multi, multi stage or multi multi step encoding, encrypting and things like that. These are all, these are all, you know, obfuscation techniques that do work at least, at least from the sort of transfer side of things. You know, like trying to get your, trying to get your malware Through a gateway or.
[00:19:22] Speaker A: Yeah, definitely through a content scanner sort of thing.
[00:19:24] Speaker B: Yeah.
[00:19:24] Speaker A: And MIME types and stuff. Yeah, that is, that is very interesting. I also think, like, in my opinion, the absolute height of big brained obfuscation is to make it too simple. Make it being like, what does this do? And it'll be like it does a bunch of benign stuff, but it might be incredibly useful to you specifically in that moment.
[00:19:45] Speaker B: Well, that's, I mean that is the art of writing malware, if you'd asked me. So, and it's a design philosophy that I tend to follow is that especially when you're doing, when you're doing actual red team and you have actual trained human operators behind the keyboard and you're not just, you're a Russian cyber criminal blasting the Internet with some level of automated malware and you don't want to ever look at it until it returns you shells, is that you make your malware perform certain very standard functions. All kinds of malware might, you know, might, might do. Like you can't, you can't write a, like a defender profile or you know, sort of anti malware profile on something that takes a. Looks at a process list. Right. Looks at Windows process list. So if you, if you write a piece of malware like your red teaming implant and you're like, I would like to be able to, you know, use the Win32 API or whatever, whatever you want to do to look at a process list, you can't flag on that because you would flag dozens of legitimate applications. So yeah, you make your implants out of the nuts and bolts of very simple stuff and then it's the way you use it that makes it malicious.
Ultimately, Remy, it's not the size that counts, it's the way you use it.
[00:21:03] Speaker E: God damn it.
[00:21:05] Speaker B: That's it. That entire episode was a setup for the deck.
[00:21:08] Speaker E: Oh boy. Oh, all right. Do we have more, do we have more about obfuscation?
[00:21:13] Speaker B: We can talk all kind, all kinds of, you know, various techniques and things like that. But there are just so many, like, there's so, so many. And like plenty of them have been around for scheduling years and some of them are reasonably new and whatnot. But this is getting to the point where, you know, this could get to the point where this is becoming a class for coming out of your classroom topic on defense evasion and obfuscation. The differences between obfuscation and this is. I suppose we've discussed this already, but one other thing about that is the obfuscation will help if you obfuscate the hell out of your implant and make it really, really difficult to reverse engineer. Once someone gets a look at the binary, that is one thing, but it may not necessarily be effective against defense products because defense products don't necessarily look specifically at the binary. Right. They rather, they rather detect heuristically on the, on the things that the binary does. And I'd say, like, you know, there is a. There is a limited number of ways that you can do process injection. Right. There are only a certain number of system calls that you could do and there's. There's a few. And every now and again someone comes up with, you know, a somewhat novel way, but it is, it is limited. Most of those methods are pretty carefully scrutinized by defensive products. Right. And no amount of obfuscation you can do to your binary is going to change what it actually does. That's really part of the distinction between obfuscation and defense evasion.
[00:22:45] Speaker A: At some point it has to make a call into kernel space and be.
[00:22:49] Speaker B: Like, it has to do the thing. Right. You can obfuscate the hell out of it, but it has to do the thing.
[00:22:55] Speaker A: Yeah. So you would perhaps say then that obfuscation in terms of obscuring malware from reverse engineering is very much like a human centric. Is a human centric, centric technique bundle. It's things where you're like, you're trying to fool a human being or a tool that they're using which is made for their eyes. Whereas defense evasion is very much like. It's more of a systems understanding. You're trying to defeat. Trying to defeat systems and automatic automated systems.
[00:23:20] Speaker B: Yeah, in most circumstances. Cause there is obviously like a lot of detection systems are a combination of automated systems and human involvement. So sometimes you want to sort of do a little bit of borrow, like you want to try and fool both of them.
[00:23:34] Speaker A: But yeah, absolutely. I think there's enough about that. If anyone wants to hit us on you can just.
[00:23:39] Speaker E: You send us an email.
[00:23:41] Speaker A: We'll build a class. I think you do have a class on it, actually, Simon.
[00:23:44] Speaker B: I gave a class a few years ago on bypassing Defender, in fact, using Covenant, I think, which we spoke about in one of our early episodes. But yeah, Covenant was a great tool at the time to discuss ways to obfuscate against Defender.
[00:23:59] Speaker A: All right, let's go on now to our interviews.
These interviews were taken at BSides Canberra at the Black Bag Room. For those listeners who don't know, Simon and I, we run what are commonly referred to as cyber reverse escape rooms. So physical spaces in which you and your team must hack your way through and find various flags for various challenges. It's a different spin on a CTF, but it's much the same. You have to capture flags. While we were running it at BSides Canberra 2024, I had a little podcast corner set up and we sat on some beanbags and had some chats with some really great, you know, great offensive security professionals. And here they are.
[00:24:50] Speaker E: I'm here at BSides Canberra with Tom and Jack, who have professed to me that they are, in fact, not red teamers or penetration testers or even cybersecurity experts. They are software developers. Now, I know you might think it's odd listening to a Red Team podcast and talk to some software developers, but we like to get other perspectives from time to time, because that's really what red teaming is. It's about getting into the shoes of other people. So tell me, why are you at a cybersecurity conference, Tom?
[00:25:18] Speaker F: I mean, honestly, even though I've been programming for the longest time, I've just found cyber really fun. There's something about, you know, trying to break into a system and being intentionally malicious, you know, legally, of course. Oh, of course. Super exciting. It's sort of like, you know, when you're a child exploring places that, you know, you're not allowed to be, you know, out of bounds at school, I would definitely try to explore the little hidey holes. And I think, you know, hacking definitely has that same kind of joy to it.
[00:25:42] Speaker E: Does it. Does it make you a better developer?
[00:25:44] Speaker B: Honestly?
[00:25:44] Speaker F: Yeah, in the sense that I have looked at my code sometimes and thought, oh, wow, someone has got to exploit that. If I don't sanitize my inputs or if I don't block repeated requests, just, I often find myself seeing very exploitable things in my programs and fixing them. I'm not sure if that's had a direct impact on my life so far. I mean, I've mostly just made personal projects and haven't done too much for enterprise. But, you know, I'm sure going into industry, that information is going to get more and more valuable.
[00:26:13] Speaker E: Yeah, that's fair enough. How about you, Jack?
[00:26:16] Speaker G: Yeah, I mean, I feel like I've just found value in having some idea of where different exploits come from and where there might be vulnerabilities in the systems I develop, because oftentimes it doesn't take that much to be able to, like, secure a system. There might be, like, if you just have one little vulnerability in there somewhere. People can take advantage of that and get in. Like you don't want to be exposing your systems in that way. And so just being aware of like the kinds of vulnerabilities that might appear, I think, like, even if I'm like, you know, not confident that they're secured or anything, whenever I, you know, if I'm ever like, you know, deploying software at a place where these vulnerabilities might become a concern and I'm not just like running it on my own computer, I can just be aware of that. I can know what I would need to investigate further and in a professional context be able to talk with people who are, know, more versed in cybersecurity than me and ensure that we're, we're targeting those potential weak points.
[00:27:05] Speaker E: So are you, are you going to go into cybersecurity? Are you going to, like, we're at a, we're at a hacking conference, right? Is that, does that appeal to you? Are you going to go like, what is better, software dev or hacking?
[00:27:14] Speaker A: That is what I'm trying to ask you here.
[00:27:16] Speaker F: I've actually been saying to Jack today over and over again that I find hacking and sort of cybersecurity stuff possibly more intuitive than software engineering in the sense that I found it easier to pick up than programming, which has taken me much longer to sort of refine my skills in, which is a good sign if I, you know, want to go into cybersecurity. Yeah, I'm not sure if I'm quite ready to yet. I have a graduate job at TikTok sort of lined up at the end of the year. Trying to stick with for now, but, you know, after a couple of years, who knows what I'll be interested in? One thing for sure though, I want to keep doing CTFs and that's probably.
[00:27:46] Speaker C: Going to make me more and more.
[00:27:48] Speaker F: Interested in hacking as time goes on.
[00:27:49] Speaker E: Well, I hear that TikTok do need some, some red team happening over there. So, you know, maybe, maybe there's something there, you know, I don't know, make their, not necessarily make their code more secure, but just, yeah, maybe, maybe make them have better data residency if they're.
[00:28:06] Speaker F: Down to get some red teamers. I mean, I'll be the first one on that list.
[00:28:09] Speaker E: Yeah, I mean, I think I have.
[00:28:10] Speaker A: Some, but I think they probably need.
[00:28:12] Speaker E: More in any case as software devs. Like, does the prospect of, you know, operating system exploitation appeal to you? Because I, you'd probably be really into like the web penetration test sort of stuff.
[00:28:23] Speaker A: Right.
[00:28:23] Speaker E: Is that what you're thinking here or are you like. Yeah, I really want to do like.
[00:28:26] Speaker A: Binary reverse exploitation and like, you know.
[00:28:29] Speaker E: Or are you really into like networking sort of stuff like you know, packets or into operating systems? Like does, is it, is it that it is different or are you just focusing really on the application stuff?
[00:28:41] Speaker G: I have a fairly wide range of interests when it comes to software dev and one of the interests I pick up, picked up this year is OS development. And so OS exploitation is directly applicable of course.
[00:28:53] Speaker E: When you, when you say OS development you mean like developing your own kernel and user land and everything? Yeah, like the whole thing.
[00:29:00] Speaker G: Yeah, so I, I've picked that up. I picked that up over the, the university break because I had an OS course this semester which is like one of my favorites right now. And so my goal is, you know, once I graduate from university, I've got a bit of time before I'll start working full time. I've got a few months and I want to just develop a mobile OS in that time. So I've already like worked on Hell yeah before but I want to like do something larger and so uh, yeah, definitely the cybersecurity applications and that are very important and crucial and so I would say that my interests would more align with that kind of like lower level stuff. You know, I enjoy reverse engineering and like digging into assembly. I'd say that's where my passion lies a lot more than like some of the web based stuff. But I think a lot of the web based stuff is very cool and interesting. I think it just doesn't come to me as natural.
[00:29:43] Speaker E: Okay, do you guys have any stories about any code that you've written or people that you know that have written code which has ended up horribly vulnerable and exploited in a terrible way any like open, open repos, hard coded creds, that sort of thing?
[00:29:58] Speaker F: Yeah, we actually recently got a great story basically at the university right now we have a course where you and you know, up to eight other people develop a software solution together.
[00:30:09] Speaker B: Yep.
[00:30:10] Speaker F: And so we're doing a project with math tech where we have to you know, write this block compression algorithm and compete against other teams on like a leaderboard. So the team with the best compression and the fastest speed, you know, Galmatov.
[00:30:20] Speaker A: Okay.
[00:30:20] Speaker E: I mean this sounds like an episode of Silicon Valley, but if you've seen that show here, the best compression.
[00:30:25] Speaker F: Yeah, yeah, yeah, no, and it is like hugely competitive as well. However, we noticed that Maptech, what they do is they basically take an executable or a Python file and then run subprocess on it with, you know, their own input to make sure it's compressing correctly. But they don't restrict much about what you can do in that script, including the fact that you can run your own subprocesses. So we've been using that to do all sorts of exploits. I've set up a couple of reverse shells and tried messing around with them that way, but I think they have some sort of intrusion detection system where whenever I set up a web server within five minutes it's like blocked and I have to make another one.
[00:31:00] Speaker B: Right.
[00:31:00] Speaker E: That they don't fix the root cause. And this is at your university.
It's a system that allows you to check compression, but it'll just arbitrarily run whatever the hell you want.
[00:31:10] Speaker F: It would just arbitrarily run code. It's a cybersecurity major's absolute dream, I think.
[00:31:15] Speaker E: Oh my God.
[00:31:16] Speaker F: Something that we were successful at just the other day as well was we were able to. So the way they measure speed is they compare the speed of your compression algorithm to a reference algorithm they made, but that algorithm is stored sort of on their server and it's not write protected. So we just swapped a file that like waits for an hour and we got like a million percent speed comparison.
[00:31:37] Speaker E: So you, so you red teamed your compression competition. You know, it just, it didn't matter what you wrote, you were just always going to win because you were swapping out the goalposts.
[00:31:48] Speaker F: Yeah, yeah, it was pretty fantastic.
[00:31:50] Speaker E: That is a great story.
[00:31:51] Speaker G: I do find it very funny that in our course called Software Engineering Project, despite weeks of software engineering before this to like, you know, barely beat out the other teams in terms of our speed, we're a bit further behind on compression. Tom has just come in this week and just spent like a few days non stop hacking into their servers and has just elevated us so far. They are now wildlife grief.
[00:32:11] Speaker E: Do they know or you're not going to let them know? You're just absolutely going to read this whole thing out like this is ours now. I mean, look at it, you know, on a certain level it is their bad security.
[00:32:23] Speaker F: Yeah, yeah. And you know, if they're actually using this as part of their internal operations, then it would be great if they knew. We did get permission from the tutor who was sort of a middleman. Competition organizers. Whether the competition organizers are fine with that is who knows. But I, I guess it's not our problems.
[00:32:39] Speaker E: I love that. That is, I think that is one of the best stories that we've had for red teaming that you are that you are red teaming so hard that you have turned your software engineering project into a red team project and that. And that is actually being accepted by the university. That is excellent.
[00:32:53] Speaker F: That is excellent.
[00:32:54] Speaker E: Thank you guys so much for coming on. Still here at BSides with Chris and Sam. So you have a good red team story for me. What is your favorite almost hilarious engagement?
[00:33:05] Speaker C: I won't start with the red team story. I'll leave a couple of those to Sam first. But recently I did an SOE breakout for Windows 11. I thought it would be one of the most boring tests I was going to do just because it starts off with an almost default Windows 11 install, and basically I went onto it as a low-priv user, found that I was able to access the BitLocker key for the device using Microsoft 365 under My Devices. Then from there I ran an enumeration script with my AMSI bypass. After that I found SCCM credentials encrypted with the DPAPI system key, SharpSCCM.exe on to an exclusion path, and managed to extract the credentials. And those credentials are actually local admin credentials to the SCCM server. In terms of red team stories, Sam has done quite a few so I'm sure he's got one in mind.
[00:33:53] Speaker E: I mean that, that was. That was pretty good and a lot of it is like, besides using what, besides SharpSCCM, that was all living off the land? Pretty much, yeah.
[00:34:03] Speaker C: Pretty much.
[00:34:03] Speaker A: Yeah.
[00:34:04] Speaker C: Yeah. With. Especially with the exclusion path, it was like just the entirety of Zscaler.
So just put my binary in there.
[00:34:13] Speaker E: Hell yeah. Path based rules. Yeah, I would have.
[00:34:16] Speaker C: I would have just neutered Defender by just like changing all the binary names. But yeah, they had what's it called tamper protection on and I just couldn't figure out how to get past it.
[00:34:23] Speaker E: This, this sounds like a pretty tight SOE, like.
[00:34:26] Speaker C: Yeah, yeah. The glaring issue.
[00:34:28] Speaker E: Except for the glare. Yeah, except for the things that you did. But I mean they had a lot of security controls in there so that is. Yeah, they.
[00:34:34] Speaker C: They did well.
[00:34:35] Speaker B: Yeah.
[00:34:35] Speaker C: So quite proud of that one. Great.
[00:34:37] Speaker E: And Sam, apparently you have some as well.
[00:34:40] Speaker D: Yeah, actually I've got a very similar one. I'll get to the same stuff in a bit. So similar thing, Citrix environment. So first, and then on the box they had Defender and they had Airlock.
[00:34:50] Speaker B: Yep.
[00:34:50] Speaker D: Turns out you could just turn off Airlock. You just put in why you're turning it off. This whole work.
[00:34:56] Speaker E: If anyone, if anyone from airlock is listening to this.
[00:34:59] Speaker A: I'm sorry.
[00:35:00] Speaker D: And then they. Yeah. Also had Defender. It turns out there's a default Microsoft path or it's something to do with Azure, like enrollment in cloud AD. Azure AD. And it just adds a path to Microsoft exclusions. Exactly the same thing. And it didn't exist on the box. So add the path to the exclusion without the path existing. You can just make that folder and it's. And then you get that.
[00:35:18] Speaker E: Oh, but you can't make the folder before it. Before you put the exclusion in. No.
[00:35:22] Speaker D: So exclusion is created by some automated rule from.
[00:35:27] Speaker E: Yeah, but it doesn't. Yeah, but it does.
[00:35:29] Speaker F: Yeah.
[00:35:29] Speaker E: It's not there yet. Yeah, yeah.
[00:35:31] Speaker D: So they must have pushed out this policy to everything, whether it was joined or not anyway, for that one. And then from there we didn't end up needing that one in the end because we had the security session and we could just living off the land use purely Microsoft MMC. Oh, yeah. And get ADCS straight to do identity user. So like.
[00:35:49] Speaker E: Well, how did you get. How did you get the domain creds then?
[00:35:52] Speaker D: Oh, so we're giving domain.
[00:35:53] Speaker E: Sorry, that was like.
[00:35:55] Speaker D: If you are a normal user on a Citrix in a Citrix environment, what can you do? So you break out to the box.
[00:36:01] Speaker B: Yep.
[00:36:01] Speaker D: And then you run MMC and then you make a cert. And then you are DA, essentially.
[00:36:06] Speaker B: Oh, wow.
[00:36:07] Speaker E: Okay.
[00:36:07] Speaker D: That was video within a couple hours.
[00:36:09] Speaker E: Nice. Well, that's. That's a bit of a common theme on this podcast. People come in with stories and being like, DA in two hours.
[00:36:14] Speaker D: Yeah, everyone likes to tell about those ones. You don't like, tell other ones to wear in your toilet.
[00:36:20] Speaker A: Yeah, yeah, yeah.
[00:36:21] Speaker D: We had one at a hospital, walked in. So there was a bunch of different sites. We've done a few different ones already. I've mem. This is for a physical, sort of more social type one. Another tester and I, Dylan, enjoy listening probably. So we've done all this research. We've learned where the head office is. We've learned who the right people are so we can drop the right names and stuff. We walk into the reception of one of the small clinics and I blurt out all this garbage about, oh, hey, I'm here from this. I'm.
[00:36:45] Speaker A: There's something wrong with the server.
[00:36:46] Speaker D: Can you like, let us into the server room? I need this meet that this person sends us. And the receptionist just kind of looks at me with a stunned face and the other guy goes, we're from it. Can we please come in?
[00:36:56] Speaker A: So you just.
[00:36:56] Speaker E: You just overcooked your backstory and then just unloaded on this woman, and she's.
[00:37:01] Speaker D: Like, I really want to say it all, you know, and I'm not the best actor at the best of times.
[00:37:05] Speaker E: Still, though, that's pretty funny. And also kind of classic, right? It's keep it simple.
[00:37:10] Speaker C: Yeah, absolutely.
[00:37:10] Speaker E: You know, keep it absolutely simple, but have the backup plan.
[00:37:13] Speaker C: I'll tell the story of how I did my own Red team gig in the hospital as well. Well, actually, second one where I was just running the Red team completely on my own, so went down to this hospital, pretend to be a student, had, like, a student badge. You know, hospitals by design, you're allowed.
[00:37:28] Speaker D: To just walk in.
[00:37:29] Speaker C: They're a public space. So me and the person I was with, we just looked at the directory, like, okay, well, where. Looks like aau. Good place to go.
[00:37:38] Speaker A: And we saw the directory that.
[00:37:39] Speaker C: It was like this one wing of the building that was like, academics and meeting rooms and stuff like that. So, like, Ethernet port there that we can just jack into and then figure it out from there. Anyway, we start walking towards there, and it's clear that there's only and staff that are walking there. So we're very out of place because we're, like, looking around, trying to find any rooms that we can walk into and stuff. And one of the staff members or two of them actually stopped us and like, hey, you guys look a little bit lost. Can we help you? I was like, oh, yeah, I'm just. Just a student just looking for a meeting room, if that's okay. Like, oh, yeah, right this way. And it took us straight there.
[00:38:12] Speaker E: So the cover story still worked.
[00:38:14] Speaker C: Yeah, the door had a lock on it. It was great. So we just, like, walked in. We're the only two in the room, locked the door, jack in, and just ESC8. And. Yeah, again within a few hours.
[00:38:25] Speaker B: And.
[00:38:25] Speaker C: Yeah, you just DA. Just like that. Wow. I think it was Responder to ESC8. I don't like using Responder on a gig. But, you know, we did it.
[00:38:33] Speaker E: We did a review of Responder last episode, so it is a great tool.
[00:38:37] Speaker C: It is, but it's just so noisy.
[00:38:38] Speaker B: Yeah. Yeah.
[00:38:39] Speaker D: I was using it for other reasons the other day. As opposed to just the spoofing. Just as a listing server. And it's bait Mac. Like, you just.
[00:38:45] Speaker A: Yeah. Just to catch. Yeah.
[00:38:47] Speaker D: Like, whatever it gets sent to, it'll just track and do it all for you. As opposed to, like, having to set up proper SMB servers or HTTP servers or whatever.
[00:38:54] Speaker A: Yeah, yeah.
[00:38:55] Speaker C: I saw A I saw a great.
[00:38:56] Speaker E: Talk, which was mostly on Responder, was about leaking NTLM hashes out of, like, over the Internet. There was a pretty good, like, one click Outlook one where you send the phishing and then you just get that reflective one. And yeah, it was pretty good.
[00:39:09] Speaker D: I've never actually managed to use it in the wild, but there was that bug for a while or for a very long time in Outlook where you send someone a meeting invite, the only meeting. So similar to the talk, it was actually just done. But in your meeting invite you specify that when the reminder for this meeting comes up.
[00:39:24] Speaker E: Oh yeah, the sound file. Yes.
[00:39:26] Speaker D: And then you say, you specify the sound being out on your external server.
[00:39:29] Speaker E: Yeah, on an SMB.
[00:39:30] Speaker D: Yeah, SMB.
[00:39:31] Speaker B: Yeah.
[00:39:32] Speaker D: UNC path. Public Internet server with the credential. With the.
[00:39:36] Speaker E: This is my most minor red team story because I think it's very much one of the first things. So I used, I used to work at like a popular Australian like electronic store chain. You can probably guess there's a few. But my managers weren't that hot on, you know, computers and I was working computer sales. So I was like, yeah, I'll take a look at the store computer, see.
[00:39:53] Speaker A: What'S, see what's wrong with it.
[00:39:55] Speaker E: But they just gave me like the, their admin creds, like the store manager.
[00:39:59] Speaker C: Admin creds for it.
[00:40:00] Speaker E: And so I went in there and the problem was basically like, it was just a boot problem. But while I was in there I.
[00:40:06] Speaker A: Thought I'd play a prank. Basically I replaced the Windows startup sound file.
[00:40:10] Speaker E: I think it's. It's a pretty classic teenage prank. But I took a, like, took a sound of myself, a recording of myself. Just be like, ha. And then me just yelling the store manager's name and made it like 20 minutes long. And so, so back then, Windows, I think it was Windows XP.
Or it was Vista, I think it was Vista. But either of them, the boot process cannot complete until the sound has played. So you would have to wait 20 minutes of this crazy sound being played. Anyway, I closed it and left. And then about like 30 minutes later I hear all this yelling and like smashing. And I walk back in and the store manager is just like putting his boot into this computer. Just speak like, oh my God.
[00:40:55] Speaker F: And I was like, what happened?
[00:40:56] Speaker E: And he's like, the things, the things fucked. It's broken. It just keeps screaming my name. It's dead. I'm going to get another one. And I'm like, that is. That is not the reaction I expected.
[00:41:07] Speaker C: That's funny.
[00:41:08] Speaker A: Yeah.
[00:41:09] Speaker E: So if you ever find a Vista or an XP computer, just replace the Windows startup sound file. It's totally great. It's. Yes, it's a denial of service attack.
[00:41:17] Speaker A: That's what it is.
[00:41:18] Speaker E: So enough of my stories. I'm here to talk about your stories.
[00:41:21] Speaker C: No, it's all good. I had a good laugh.
[00:41:23] Speaker B: Yeah, I got two.
[00:41:24] Speaker C: I just thought up recently. I found like an old computer just at like the junkyard. And I was like, okay, well, let's see what I can do with it.
[00:41:32] Speaker E: Is this like a filing cabinet you bought in like a Canberra second store? And it contained classified files kind of story.
[00:41:38] Speaker C: It was part of like the local council, like running Windows 7. So, yeah, I just did like the classic. There was no BitLocker on it. Just did the classic. Replace sticky keys with cmd, get a system shell and just add myself an account. And yeah, it was just. It was a local council computer. So I was like, oh, I better not touch this. But. But yeah, it was funny.
[00:41:57] Speaker E: And it still had, like. It still had hashes in the.
[00:42:00] Speaker C: Obviously didn't try them.
[00:42:01] Speaker E: Yeah, of course they're still there. Yeah, yeah.
[00:42:04] Speaker C: So that was just a valuable story. Anyway, the other one that popped into my head was when our mate Dylan, he was doing a red team for a client and she was. We found like this meeting room that we had plugged a Raspberry Pi into the back of a TV through. And that's where we're doing most of our working from. Anyway, we go back there a few days later and mind you, like, we've unplugged the TV and the TV's ethernet cable so we can stick behind there as we're working. Like 10 minutes before we're about to head off, this engineer walks into the meeting room that we're in and he's like, oh, sorry guys, didn't disturb you? Like, oh, no. It would be like 10, 15 minutes and then we'll be gone. Like, oh, what are you here for? And he goes, oh, the TV's not working, so I was just sent in to check it out. I'm like, oh, yeah, just give us like 10, 15 minutes and we'll be gone. He's like, yeah, no worries, mate. As soon as he leaves, we just unplugged our Pi. Unplugged everything. We'd been done the engagement by that point as well. So, like, yeah, we got to get out of here. It'd be a few minutes later or like, if we just left it there, would have been burnt just straight away. So we found the Pi.
[00:43:02] Speaker D: Yeah.
[00:43:03] Speaker C: So just funny little story there.
[00:43:05] Speaker E: Yeah, that's. That's pretty good. And that's where like, you know, IT engineering. Right.
[00:43:09] Speaker A: Because they.
[00:43:09] Speaker E: They would have, you know, concerned with service delivery. They would have WhatsApp kind of like availability.
[00:43:15] Speaker B: Yeah.
[00:43:16] Speaker E: You know, dashboards and everything. And they'd be like, oh, the TV's down.
[00:43:18] Speaker C: And they'll.
[00:43:18] Speaker E: They'll go and get that. And that's like. That stuff is powerful, like for. From a cyber security perspective if you harness it. And they're not just like the place that. That the TV went down.
[00:43:29] Speaker C: Yeah. Legit. That's always a funny story. I remember Sam and Yellow. So this.
[00:43:34] Speaker D: Well, actually, yeah, same thing. Very similar gig that we were doing our draft. We, you know, went in and unplugged the TV and got caught because we'd unplugged the TV. Not because we were doing the malicious stuff, not because they picked that up. But the team that, you know, were monitoring the TVs were not the same as the security team. And so we managed to get by unscathed even though we got caught and continue the gig elsewhere. Separate. One was we did a password spray and, you know, so we've done a password spray. We were assigned to use the thing. We happened to have a meeting scheduled, sort of update with the client at the time. So we're like, all right, so we've done the password spray, letting him know. Yep. We tell him the name of the person who we've managed to compromise. And it is a very important person. And he's like, stop whatever you're doing. Log everything you've just done. Do not. Do not proceed. And be like, probably could have told this. Told us this a little bit early.
[00:44:23] Speaker A: Damn.
[00:44:24] Speaker D: So, yeah, got away with that one instead.
[00:44:27] Speaker E: Good, good. We do often get stories of how.
[00:44:30] Speaker A: Things go somewhat awry on People's Red Team journey here.
[00:44:34] Speaker E: Thank you guys so much for sharing your stories. It's been great. Normally I ask other questions, but you guys have so many. Just like, here's all this great stuff that we've done. So we'd love to have you back on again, but thank you for coming.
[00:44:45] Speaker D: Thanks very much.
[00:44:46] Speaker C: Yeah, no worries. Thank you very much.
[00:44:55] Speaker A: All right, let's do our tool review.
Okay, so Obfuscation. For this episode, we have chosen to do a very quick review of the PowerShell module Invoke-Obfuscation. I actually chose this one because I had used it in the past for my master's, the Offensive Security class. I did an attack chain where I only used living off the land attacks. Now you might argue with me that using Invoke-Obfuscation is not part of living off the land. And you would be correct.
[00:45:26] Speaker B: For some reason they have it installed.
[00:45:28] Speaker E: Yes, that's true.
[00:45:30] Speaker A: However, I did use Invoke-Obfuscation to obscure a bunch of PowerShell so they could then get a PowerShell reverse shell which is living off the land, but execute it using one of the VBS scripts that just happens to be sitting in the Windows folder for it to communicate with one of the Windows Mobile products, which Windows 10 still has, which I think is hilarious, but that you can terminate it and then just invoke some random PowerShell and you don't even, you don't even trigger the antiscript or the script warning in the PowerShell runtime. But obviously then Defender would flag on hey, this is a quite well known PowerShell reverse shell. I'm definitely not going to execute this, but using Invoke-Obfuscation I was able to bypass Defender quite effectively. So kudos to them. That is a point in Mr. Daniel Bohannon's, you know, in his column. It does work and it does work quite well and it is pretty user friendly. It is a very simple PowerShell module you can get off GitHub and once you load it in it has its own little menu to say and its own little syntax so that you can, you can find and you know copy and execute and make either token or string obfuscation. You can have little launcher techniques, little different ways in PowerShell that you, you might launch whatever you've obfuscated and it will still unwrap it out of whatever you've got. Shellcode, base64, tokens, whatever your, whatever you're making. So I found it quite user friendly once I got my head around it, and it has pretty good documentation, which I think Simon, you might, well I don't know, you might disagree with this, but a lot of open source Red team tools suffer from poor documentation.
[00:47:11] Speaker B: No, being it being a dude who writes Red team tools and never writes documentation for it, I would, I could probably agree. Daniel Bohannon, he wrote this, he wrote this ages ago. It is an obfuscation tool straight up. So this is, this is what you, this is what you think about when you think how am I going to obfuscate this PowerShell code? It is extremely user friendly. I would agree. Like it has a nice little menu and everything. Like it guides you through how to use it. It's done quite well. But it is like largely, you know, string obfuscation, encryption, some encoding, like turn your 100k PowerShell nice, clean PowerShell script into 500k. The jumbled fucking mess serves its purpose. And I think it allows sort of multiple iterations of obfuscation as well.
[00:47:58] Speaker A: Yeah, I think it also doesn't. It doesn't really have any intense dependencies either, which is something that I appreciated because I think I was running it. I was running on PowerShell in Linux, which I know they say is the same as PowerShell on Windows, but I've found some weird dependency issues using PowerShell on Linux. But yeah, I was able to. I was able to wrap a few things in. I'll actually pop a little video, a little screen capture video I made obfuscating some shell code which originally was PowerShell reverse shell, and then having it execute. Having it execute on a machine which does have Windows Defender running and Windows Defender not flagging it. So, I mean, like you were saying, Simon, in the purest sense, it does its job. And it does its job.
[00:48:37] Speaker B: It does what it says on the tin.
[00:48:38] Speaker D: Right.
[00:48:39] Speaker B: Interestingly enough. So Daniel Bohannon's GitHub is kind of full of fun little tools that he's made and like most of them, I mean, I think having a look at his GitHub now, Invoke-Obfuscation came out seven, eight years ago.
[00:48:54] Speaker A: Yeah, I think he's last to me five years ago.
[00:48:56] Speaker B: Yes. Yeah, we'll see. But he has another tool. He has Invoke-DOSfuscation, which is sort of a similar thing, but for older versions of PowerShell and for the DOS command prompt in Windows, if you want to. You want to use that, which is fun. And then he went ahead and wrote Revoke-Obfuscation, a tool to detect PowerShell obfuscation. So look, if you're going to make.
[00:49:21] Speaker E: It, he's absolutely like.
[00:49:22] Speaker A: That is the definition of white hatting this. Right?
[00:49:25] Speaker B: Like, he's done. He's done the responsible red team thing. He's like, hey, you could do this build. Like he's how you undo this. Part of me is just. Is shouting from the back of the auditorium.
[00:49:35] Speaker A: Yeah. Don't you dare unravel this.
[00:49:38] Speaker E: That's.
[00:49:39] Speaker A: Yeah, that's pretty funny. Yeah.
[00:49:41] Speaker E: Apparently it says he works for Mandiant.
[00:49:43] Speaker B: So now I think he has previously worked for Mandiant, now works for Permiso Security. I haven't had the pleasure of meeting Daniel, but seems like a cool guy, has a great beard.
[00:49:56] Speaker A: Yeah, he runs. He runs a BSides, it looks like. I would say I recommend this tool for. If you're trying to do some, you know, PowerShell stuff. Even if you're just. I reckon, you know, even if you're just using PowerShell Empire or something like that, you know, adding something like this into the mix can be. Can be somewhat effective depending on what you're trying to execute. Like some of the functions, you know, making, making tokens or even just the encoding. If you're trying to pipe, you know, if you're trying to pipe whatever implant that you're using, a little shell or download or whatever you've made in PowerShell, trying to lodge it with some other technique or it might have human eyes on it, you're trying to get it through a gateway.
[00:50:31] Speaker B: This.
[00:50:32] Speaker A: I found this to be quite a quick and effective way of doing that even when you're using other pieces of malware that are well signatured. Right. I've tested it with things just like basic msfvenom. Outputting either PowerShell or shell code and then using Invoke-Obfuscation. Three iterations I think was the bottom limit that I found.
One iteration with just tokenized or really did not. Was not happy. But once I did three iterations, which isn't that much like we're talking, like you said, turning 100k to 500k which is still pretty small. That was generally enough to defeat most of the AV that I'd seen. And even putting it into VirusTotal. VirusTotal was like whatever.
[00:51:11] Speaker B: So that's.
[00:51:12] Speaker A: That's pretty good. I think. You know, it's something you're tool about taking. Taking even just open source super signature stuff like Metasploit or PowerShell Empire and being able to turn it into something that you can realistically use and with.
[00:51:24] Speaker B: A super easy, you know, very friendly, nice colorful menu and things like that. It's. Yeah, that's. It's lovely. Lovely to see.
[00:51:31] Speaker A: Two thumbs up.
[00:51:32] Speaker B: Nice to. Nice to hear. You know, PowerShell Empire mentioned on the podcast as well. Like it's still BC Security, still maintaining a repo on PowerShell Empire even though the original. The original repo is. Yeah, maybe the original repo is all since dead, but the BC Security fork, looking at their GitHub, it was last committed to two months ago, so quite. Still quite recent.
[00:51:58] Speaker D: Yeah.
[00:51:59] Speaker A: No.
[00:51:59] Speaker B: I loved Empire.
[00:52:00] Speaker E: Oh Empire.
[00:52:01] Speaker A: I loved you the most. We will wait I think that seal that we'll try and do Empire next time. Even though it's a bit of a behemoth. We'll try and do PowerShell Empire next. I think that's all we have time for. Thank you so much for listening. I hope you enjoyed our episode on both BSides interviews and Obfuscation. We will have the breakdown of this episode launched with the episode itself on our website. Redacted au, you can check that out. As always, keep hacking. Contact us if you like. And thank you very much for listening.
[00:52:32] Speaker B: Thanks everyone. Catch you next time.
[00:52:37] Speaker F: This has been a KBI Media production.