
Sleep Obfuscation



Ekko

A small sleep obfuscation technique that uses the CreateTimerQueueTimer Win32 API.
Proof of concept; it can be done better.

NOTE

This implementation has known flaws.
So I wouldn't recommend using it without understanding how it works, or knowing how to spot and fix those flaws.
TL;DR: don't copy and paste it into your implants.

Credit

  • Austin Hudson (@SecIdiot) https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html
  • Originally discovered by Peter Winter-Smith and used in MDSec’s Nighthawk