Greg Linares (Laughing Mantis)
20+ yrs in Infosec. Malware Influencer. I turn Malware into Art and Music. Art @MalwareArt. 4x Pwnie Nominee. 𝕍𝕏. GameDev. Autistic.

Apr 12, 2019, 8 tweets

Alright #Infosec, let's talk about the #Hephaestus toolkit.

If you are unfamiliar, it was a toolkit that @digbei & I started developing in 2017 & that got postponed due to my health (github.com/glinares/Offic…)

After I move this summer I will have some time to dig it back up & continue. 1/N

Office exploitation has changed for the better over those 2 years & checking out some of my code I see that AMSI has done good work to detect & deter a lot of development (good job @secbughunter & his team)

However #Hephaestus will change in order to adapt to this.

The toolkit will focus on being a bridge for other tools that are used to gain initial access.

Post exploitation, #Hephaestus will have modules to do tasks thru Office such as recon, persistence, code exec, code tunneling, etc.

Instead of releasing it as one toolkit we decided to break it up into components to help with faster releases and help other tools be more successful.

- A VBA Polymorph Tool that will take the evasion / anti-analysis methods and allow tools to encode their output with them

- An Office Persistent Tool - to allow you to have your payloads be persistent with Office components

- An Outlook Email C2C Tool - to allow comms via email to trigger events / actions

So to summarize how this would work: a red team exploits a box with an initial access tool.

Post exploitation, in order to avoid AV / PSP and other detections you would drop Hephaestus elements - which would use VBA, the Office API, and Office components to do activities for you.

One of the things added to the toolkit would be Corp-Espionage modules.

The toolkit can be used to find, extract/copy, & exfil documents as they are written.

Since many AV engines look for traditional malware - testing this persistent data theft via VBA has worked rather well.

AV & Office defenses still typically look for dropped/executed files/commands, so by exploiting macros and VBA that look like traditional business components (i.e. staying in Office and doing Office related activities) attackers can still win, and that is a huge opportunity.
