BOF Cocktails in Cobalt Strike: Instrumenting BOFs with BEACON_INLINE_EXECUTE and Crystal Palace
Original text: “BOF Cocktails in Cobalt Strike” — Rasta Mouse, rastamouse.me (05 Jun 2026). Code blocks and the screenshot below are reproduced verbatim from the source with attribution.
Executive Summary
Post-exploitation Beacon Object Files (BOFs) historically inherited their evasion posture from whatever agent or loader executed them. If the loader took care of unhooking, masking,…
https://core-jmp.org/2026/06/bof-cocktails-cobalt-strike-beacon-inline-execute-crystal-palace/
BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection
Original text: “BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection” — patchi.fyi (07 Jun 2026, byline shows only the site handle — author not publicly attributed). Library source: github.com/PatchRequest/BusyWork. Short illustrative code excerpts are reproduced with attribution; longer routines are summarised — consult the upstream repo for full sources.
Executive Summary
A thread…
https://core-jmp.org/2026/06/busywork-replacing-sleep-with-real-work-behavioral-detection/
OOBdump: Single-Shot Heap-OOB Exploitation of objdump -g via FR30 Relocations
Original text: “OOBdump: Relocation Oriented Programming” — Calif, blog.calif.io (08 Jun 2026, no individual byline). PoCs and writeups: github.com/califio/publications/…/oobdump. Short illustrative code excerpts and the original article’s diagrams are reproduced with attribution; the prose is paraphrased.
Executive Summary
The Calif team has been quietly collecting trophy bugs in reverse-engineering tooling for a while — IDA…
https://core-jmp.org/2026/06/oobdump-objdump-fr30-relocation-oriented-programming/
Microsoft Defender Now Monitors Remote RPC Activity: What It Catches and How to Hunt
Original text: “Microsoft Defender now monitors RPC activity” — EdanZwick, Microsoft Tech Community / Microsoft Defender for Endpoint Blog (08 Jun 2026). The three KQL hunting queries below are reproduced verbatim with attribution. Prose is paraphrased; for the Defender XDR alert / detection screenshots, see the original post.
Executive Summary
Microsoft has extended Defender’s existing…
https://core-jmp.org/2026/06/microsoft-defender-monitors-remote-rpc-activity/
Client-Side Container Attack: DLL Sideloading wab.exe via Email Archive Delivery
Original text: “Initial access. Client side container attack” — Leigh Gilbert, Exploitz (exploitz.ca, June 2026). The diagrams below are reproduced with attribution; prose is paraphrased. MITRE ATT&CK reference: T1574.001 — DLL Search Order Hijacking.
Executive Summary
Leigh Gilbert’s walkthrough chains together a long-known but still effective initial-access pattern: ship a signed Microsoft binary that has…
https://core-jmp.org/2026/06/client-side-container-attack-dll-sideloading-wab-exe-email-archive/
Patching the Windows Kernel via BYOVD: ThrottleStop.sys, MmMapIoSpace and the NtAddAtom Trampoline
Original text: “Whoops! I did it again. I patched Windows Kernel at Milan0day 2026” — zer0matt, zer0matt’s blog (29 May 2026). PoC: github.com/zer0matt/Milan0day2026. Diagrams below are reproduced from the original with attribution; prose is paraphrased.
Executive Summary
zer0matt’s Milan0day 2026 talk and accompanying writeup demonstrate a clean Bring Your Own Vulnerable Driver (BYOVD) chain that…
https://core-jmp.org/2026/06/patching-windows-kernel-byovd-throttlestop-mmmapiospace-ntaddatom/
Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection
Original text: “Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection” — kernullist, Kernullist’s Blog (Jun 10, 2026). Classification tables, ASCII flow diagrams, and C-language structure declarations below are reproduced verbatim with attribution captions.
Executive Summary
A modern Windows kernel-assisted threat is almost never a single user-mode binary doing all the work. It…
https://core-jmp.org/2026/06/covert-kernel-user-communication-channels-windows-rootkits-cheats-detection/
GreatXML: Bypassing BitLocker on Windows 11 via a Recovery-Partition unattend.xml
Original text: “GreatXML — BitLocker bypass vulnerability” — NightmareEclipse (GitHub handle MSNightmare), released under the MIT license. The README, the unattend.xml, the ReAgent.xml and both screenshots below are reproduced verbatim with attribution captions, in line with the project’s MIT terms.
Executive Summary
GreatXML is a one-file BitLocker bypass against Windows 11 (build 10.0.26100, the 24H2…
https://core-jmp.org/2026/06/greatxml-bitlocker-bypass-winre-unattend-xml/