{"version":1,"pages":[{"id":"rjaFXZc6uORQN36TMrkc","title":"root@codex","pathname":"/codexs-terminal-window","siteSpaceId":"sitesp_w7QPT","description":"Red team research, CTF solutions, and random stuff I find interesting"},{"id":"Hhaq7N2eDXbScqqLMTt0","title":"Red Team OPSEC","pathname":"/codexs-terminal-window/red-team/red-team-opsec","siteSpaceId":"sitesp_w7QPT","description":"This page is just a collection of things I think should be done on a red team operation to hinder detection and response. Work in progress. Will be updated whenever I learn new tricks","breadcrumbs":[{"label":"Red Team","emoji":"1f419"}]},{"id":"HhZPAGFuiwuF0FO8Z3kZ","title":"Infrastructure","pathname":"/codexs-terminal-window/red-team/red-team-opsec/infrastructure","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team OPSEC"}]},{"id":"GbtXcxdUG6OfhjbZTt4s","title":"Example Red Team Infra","pathname":"/codexs-terminal-window/red-team/red-team-opsec/infrastructure/example-red-team-infra","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team OPSEC"},{"label":"Infrastructure"}]},{"id":"9aQRq5QME3JCHodmAf0i","title":"Cobalt Strike Redirectors","pathname":"/codexs-terminal-window/red-team/red-team-opsec/infrastructure/cobalt-strike-redirectors","siteSpaceId":"sitesp_w7QPT","description":"A redirector a day keeps IR away","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team OPSEC"},{"label":"Infrastructure"}]},{"id":"v5RofuQZdLbpCgwMnrHn","title":"Using SSH Tunneling to secure C2 infra","pathname":"/codexs-terminal-window/red-team/red-team-opsec/infrastructure/using-ssh-tunneling-to-secure-c2-infra","siteSpaceId":"sitesp_w7QPT","description":"Pesky AV vendors keep scanning my stuff >:C","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team OPSEC"},{"label":"Infrastructure"}]},{"id":"8sMWVLsRZSKFngXszk82","title":"Red Team 
Dev","pathname":"/codexs-terminal-window/red-team/red-team-dev","siteSpaceId":"sitesp_w7QPT","description":"red team related dev work that doesn't directly fall under malware dev","breadcrumbs":[{"label":"Red Team","emoji":"1f419"}]},{"id":"t0TX6LhpW65Vn2pxdPWA","title":"Extending Havoc C2","pathname":"/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2","siteSpaceId":"sitesp_w7QPT","description":"Blog series where I try to explain the third party interfaces in @C5pider's Havoc C2","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"}]},{"id":"OrkTu8UZ5hBc3qHiWb9Y","title":"Third Party Agents","pathname":"/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2/third-party-agents","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Extending Havoc C2"}]},{"id":"N1o7woRI4QkT1WbPXhod","title":"1: Understanding the interface","pathname":"/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2/third-party-agents/1-understanding-the-interface","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Extending Havoc C2"},{"label":"Third Party Agents"}]},{"id":"M0RyfP9AHLLb4Zyt4O5c","title":"2: Writing the agent","pathname":"/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2/third-party-agents/2-writing-the-agent","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Extending Havoc C2"},{"label":"Third Party Agents"}]},{"id":"FpyYXLPY76fuOVJP8obX","title":"3: Writing the agent handler","pathname":"/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2/third-party-agents/3-writing-the-agent-handler","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Extending Havoc C2"},{"label":"Third 
Party Agents"}]},{"id":"7jkwPdCl2BHveor8P0wG","title":"4: Testing the agent","pathname":"/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2/third-party-agents/4-testing-the-agent","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Extending Havoc C2"},{"label":"Third Party Agents"}]},{"id":"dSPFl1ZuMsRlRzfzkKBD","title":"Loader Dev","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev","siteSpaceId":"sitesp_w7QPT","description":"CreateRemoteThread()","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"}]},{"id":"rMARio9Lf1y05AhdJcxK","title":"In Memory OPSEC","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev/in-memory-opsec","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Loader Dev"}]},{"id":"RbwGi5Po2hKUyROHdiWc","title":"PE Structures","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev/in-memory-opsec/pe-structures","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Loader Dev"},{"label":"In Memory OPSEC"}]},{"id":"FRuMw7ebV5CsSLGP19b5","title":"Memory Permissions and Allocation Types","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev/in-memory-opsec/memory-permissions-and-allocation-types","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Loader Dev"},{"label":"In Memory OPSEC"}]},{"id":"3zBUixXF516f7uX0RPrC","title":"In Memory Signatures","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev/in-memory-opsec/in-memory-signatures","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Loader Dev"},{"label":"In Memory 
OPSEC"}]},{"id":"5hdB57xn4t2JJvZ9WIkp","title":"Evasion Adventures","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev/evasion-adventures","siteSpaceId":"sitesp_w7QPT","description":"Talk I gave on in memory evasion and memory OPSEC.","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Loader Dev"}]},{"id":"iLU1e2Cid7pAQrPgJBhx","title":"Sleep masking","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev/sleep-masking","siteSpaceId":"sitesp_w7QPT","description":"Because sometimes set sleep_mask \"true\"; isn't enough","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Loader Dev"}]},{"id":"LbZGEz307ZZaQRbR4KwJ","title":"Mimikatz vs Windows Defender","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev/mimikatz-vs-windows-defender","siteSpaceId":"sitesp_w7QPT","description":"Ever wanted to drop Mimikatz to disk during an engagement? Probably not. Let's do it anyway!","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Loader Dev"}]},{"id":"dLqLu5orsrs3J30uV8vK","title":"Indirect syscalls","pathname":"/codexs-terminal-window/red-team/red-team-dev/loader-dev/indirect-syscalls","siteSpaceId":"sitesp_w7QPT","description":"Referenced from: https://www.cobaltstrike.com/blog/writing-beacon-object-files-flexible-stealthy-and-compatible/","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Red Team Dev"},{"label":"Loader Dev"}]},{"id":"lZVz2fg0EyObbrl6jHPd","title":"Cobalt Strike","pathname":"/codexs-terminal-window/red-team/cobalt-strike","siteSpaceId":"sitesp_w7QPT","description":"Fire teh lazer!","breadcrumbs":[{"label":"Red Team","emoji":"1f419"}]},{"id":"0LnXGGSwV9ak4dufRQke","title":"Building custom C2 channels by hooking wininet","pathname":"/codexs-terminal-window/red-team/cobalt-strike/building-custom-c2-channels-by-hooking-wininet","siteSpaceId":"sitesp_w7QPT","description":"Because official specs 
sometimes (often) suck","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Cobalt Strike"}]},{"id":"SrgdCHjuSMUeIFkwNv0f","title":"Modifying the Sleep Mask Kit","pathname":"/codexs-terminal-window/red-team/cobalt-strike/modifying-the-sleep-mask-kit","siteSpaceId":"sitesp_w7QPT","description":"","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Cobalt Strike"}]},{"id":"RCHjzhuvuhHwxRo3amfm","title":"Discord Beacon Notifications","pathname":"/codexs-terminal-window/red-team/cobalt-strike/discord-beacon-notifications","siteSpaceId":"sitesp_w7QPT","description":":ping:","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Cobalt Strike"}]},{"id":"VF38BCZRaRrQHW2goXlG","title":"Evading Hunt-Sleeping-Beacons","pathname":"/codexs-terminal-window/red-team/cobalt-strike/evading-hunt-sleeping-beacons","siteSpaceId":"sitesp_w7QPT","description":"Reference: https://github.com/thefLink/Hunt-Sleeping-Beacons","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Cobalt Strike"}]},{"id":"n8A2RcARlWcRyRy7ABB5","title":"Beacon Object Files","pathname":"/codexs-terminal-window/red-team/cobalt-strike/beacon-object-files","siteSpaceId":"sitesp_w7QPT","description":"No mor fork and run","breadcrumbs":[{"label":"Red Team","emoji":"1f419"},{"label":"Cobalt Strike"}]},{"id":"Y89hyW728JOhtUgT0w33","title":"Misc. 
Interesting Stuff","pathname":"/codexs-terminal-window/red-team/misc.-interesting-stuff","siteSpaceId":"sitesp_w7QPT","description":"This is where I put stuff that I'm too lazy to categorize","breadcrumbs":[{"label":"Red Team","emoji":"1f419"}]},{"id":"Vfh9H4YMD6AC6Fsez4VC","title":"Detecting Cobalt Strike","pathname":"/codexs-terminal-window/blue-team/detecting-cobalt-strike","siteSpaceId":"sitesp_w7QPT","description":"Stuff that causes Cobalt Strike to be flagged, so we don't accidentally burn ourselves.","breadcrumbs":[{"label":"Blue Team","emoji":"1f6e1"}]},{"id":"J8YJ9NIR2W4FjgkpG8kk","title":"Sleep Mask Kit IOCs","pathname":"/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs","siteSpaceId":"sitesp_w7QPT","description":"YARA rule included!","breadcrumbs":[{"label":"Blue Team","emoji":"1f6e1"},{"label":"Detecting Cobalt Strike"}]},{"id":"D4WYHmFVNNE8pp6Fv6zY","title":"Hunting Beacon in the heap","pathname":"/codexs-terminal-window/blue-team/detecting-cobalt-strike/hunting-beacon-in-the-heap","siteSpaceId":"sitesp_w7QPT","description":"WORK IN PROGRESS","breadcrumbs":[{"label":"Blue Team","emoji":"1f6e1"},{"label":"Detecting Cobalt Strike"}]},{"id":"8vKUP343fgq9z0ojWQeg","title":"Decrypting C2 traffic with known key","pathname":"/codexs-terminal-window/blue-team/detecting-cobalt-strike/decrypting-c2-traffic-with-known-key","siteSpaceId":"sitesp_w7QPT","description":"Reference: https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/","breadcrumbs":[{"label":"Blue Team","emoji":"1f6e1"},{"label":"Detecting Cobalt Strike"}]},{"id":"2vK0OMh1gDO7SvXb7Bzf","title":"Cyber Defenders Discovery Camp 2021","pathname":"/codexs-terminal-window/ctf-solutions/cyber-defenders-discovery-camp-2021","siteSpaceId":"sitesp_w7QPT","description":"This CTF was problematic...to say the least :/","breadcrumbs":[{"label":"CTF Solutions","emoji":"1f6a9"}]},{"id":"7zLMyKYNksXvXFz0nRvY","title":"Lets Go 
Hunting","pathname":"/codexs-terminal-window/ctf-solutions/cyber-defenders-discovery-camp-2021/lets-go-hunting","siteSpaceId":"sitesp_w7QPT","emoji":"1f441-1f5e8","description":"","breadcrumbs":[{"label":"CTF Solutions","emoji":"1f6a9"},{"label":"Cyber Defenders Discovery Camp 2021"}]},{"id":"paboyINxmgQMs6a206JH","title":"Linux Rules The World!","pathname":"/codexs-terminal-window/ctf-solutions/cyber-defenders-discovery-camp-2021/linux-rules-the-world","siteSpaceId":"sitesp_w7QPT","emoji":"1f427","description":"","breadcrumbs":[{"label":"CTF Solutions","emoji":"1f6a9"},{"label":"Cyber Defenders Discovery Camp 2021"}]},{"id":"CBLbTHqmfQt2lnDFgCM0","title":"Going active","pathname":"/codexs-terminal-window/ctf-solutions/cyber-defenders-discovery-camp-2021/going-active","siteSpaceId":"sitesp_w7QPT","emoji":"1f4fb","description":"","breadcrumbs":[{"label":"CTF Solutions","emoji":"1f6a9"},{"label":"Cyber Defenders Discovery Camp 2021"}]},{"id":"NAuaKZa0FcagTipu3U8q","title":"File it away","pathname":"/codexs-terminal-window/ctf-solutions/cyber-defenders-discovery-camp-2021/file-it-away","siteSpaceId":"sitesp_w7QPT","emoji":"1f5c4","description":"","breadcrumbs":[{"label":"CTF Solutions","emoji":"1f6a9"},{"label":"Cyber Defenders Discovery Camp 2021"}]},{"id":"b2yN4K3ZxSFXdQ1y3y51","title":"Behind the mask","pathname":"/codexs-terminal-window/ctf-solutions/cyber-defenders-discovery-camp-2021/behind-the-mask","siteSpaceId":"sitesp_w7QPT","emoji":"1f637","description":"Red team time!","breadcrumbs":[{"label":"CTF Solutions","emoji":"1f6a9"},{"label":"Cyber Defenders Discovery Camp 2021"}]},{"id":"kDK4DrZw7xcA7VLo0wdx","title":"Box Writeups","pathname":"/codexs-terminal-window/box-challenges/box-writeups","siteSpaceId":"sitesp_w7QPT","emoji":"1f4e6","description":"I like to do boxes with a bit of red team tradecraft added in for fun.","breadcrumbs":[{"label":"Box challenges"}]},{"id":"6d58d4fb2308d499763fce5af7b4bab9190075c8","title":"Home | Ethan 
Seow","pathname":"/codexs-terminal-window/home-or-ethan-seow","siteSpaceId":"sitesp_w7QPT"}]}