A small sleep obfuscation technique that uses the CreateTimerQueueTimer Win32 API function, ported from the original C implementation (https://github.com/Cracked5pider/Ekko/) to Rust.
Example
PS C:\Users\memN0ps\Documents\GitHub\ekko-rs\target\debug\ekko-rs.exe
[*] Ekko Sleep Obfuscation by @memN0ps and @trickster0. Full credits to Cracked5pider (@C5pider), Austin Hudson (@SecIdiot), Peter Winter-Smith (@peterwintrsmith)
[+] Queue timers
[+] Wait for hEvent
[+] Finished waiting for event
[+] Queue timers
[+] Wait for hEvent
[+] Finished waiting for event
[+] Queue timers
[+] Wait for hEvent
[+] Finished waiting for event
[+] Queue timers
[+] Wait for hEvent
[+] Finished waiting for event
[+] Queue timers
[+] Wait for hEvent
[+] Finished waiting for event
[+] Queue timers
[+] Wait for hEvent
[+] Finished waiting for event
[+] Queue timers
[+] Wait for hEvent
[+] Finished waiting for event
[+] Queue timers
[+] Wait for hEvent
[+] Finished waiting for event
Credits / References
- @C5pider https://github.com/Cracked5pider/Ekko/
- Austin Hudson (@SecIdiot) https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html / https://web.archive.org/web/20220702162943/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html
- Originally discovered by Peter Winter-Smith and used in MDSec’s Nighthawk
- Thanks for contributing @trickster012
- https://learn.microsoft.com/
- Rust Lang Community Discord: https://discord.com/invite/rust-lang-community (MaulingMonkey)