hack.lu 2023

PXF-X - A modular python framework to hunt, extract and enrich Post-Exploitation Framework artifacts
2023-10-17 , Salle Europe

Post Exploitation Frameworks are not only the swiss army knife for Red Teamers, but also in heavy use by cybercriminals and even state actors. Many artifacts, like Beacons/Badgers or Stage Loaders end up on platforms like VirusTotal.
Tired of the many manual process steps needed to get decent insights about these hunted artifacts the PXF-X framework was born.


PXF-X should fully automate all the required analysis steps. In essence, this means: 1) artifacts are hunted with VirusTotal Livehunting YARA rules, 2) the samples are then obtained and analyzed in several ways, 3) the extracted information is then enriched by different intelligence sources and reconnaissance methods.
PXF-X is designed in a modular way. The intention is that various modules can be integrated sucessively. Currently three different Frameworks are supported: Meterpreter, Cobalt Strike and Brute Ratel C4. A bunch of others are in the makings.

Joel Doenne is a Cyber Security Analyst at ATRUVIA AG with preferences for CTI, Reverse Engineering and Digital Forensics.