Red & Lonesome | RWXStoned

Making the Debugging of UDRLs (a bit) Easier

a simple addition to the UDRL-VS framework to enable the logging of debug strings in your loader at runtime

Posted on July 6, 2025

The introduction of this Visual Studio project as a template for building Cobalt Strike UDRL has come with a lot of little gimmicks aimed at making your life a bit easier as a malware developer. Developing Position Independant Code (PIC)... [Read More]

How is my Browser blocking RWX execution ?

reviewing an EDR-like mechanism implemented by a popular browser

Posted on January 4, 2025

EDIT January 10, 2025 [Read More]

Introducing GimmeShelter.py

a situational awareness Python script to help you find where to put your beacons

Posted on December 6, 2024

GimmeShelter.py is a lightweight Python script which will help you get a good view of what a Windows environment looks like, and highlight opportunities for hiding/running malware from unusual modules, or memory setups. [Read More]

BeaconGate, Sleepmask... customizing Cobalt Strike after 4.10

a quick new Sleep PoC using the latest Cobalt Strike features

Posted on November 13, 2024

Cobalt Strike keeps on evolving and this has serious implications on what happens behind the scenes when your payload runs, and what the resulting IOCs will be. With the growing complexity of the product there has also been a lot... [Read More]

An RTO2 Review

A great (and cheap) cert from ZeroPoint Security

Posted on November 7, 2024

This is my review of the CRTL training from ZeroPoint Security, and incidentally, of the Elastic EDR, which is the solution used in the course and its lab. The CRTL (or RTO2) is a fairly new certification following-up on RTO... [Read More]