ITESEC Newsletter 2026-05-14

TL;DR: Dev Tunnels aren’t “just port forwarding”. They consist of layers of embedded protocols with RPC messages being exchanged. Once you peel the layers, you quickly see how Dev Tunnels are a C2 framework with extra steps.

In this second video, we'll be re-using the stack-based-overflow exploit from the first tutorial along with the Windows 11 x64 environment it was developed for. By the end of the tutorial, you will have learned: What jump code is, When and how to use jump code, How do develop custom jumpcode, Flow of exploitation depending on jump operations. We'll also be using tools such as WinDBG and mona.py throughout the process - all based on the original Corelan workflow, but using modern systems and tooling.

The technique of EntryPoint Hijacking introduces a stealthier approach to code injection, as it doesn’t rely on API calls that create a new thread within the process context, and it is independent of the attack chain. Arbitrary code is written to memory, but it executes only when the process legitimately creates a new thread. This enables threat actors to evade EDR defenses and extend their dwell time within the environment.