
Adversarial Tradecraft Development in a Nutshell

BSides Perth · 2021 · 46:27 · 52 views · Published 2021-10 · Watch on YouTube ↗
About this talk
Fatih Ozavci explores adversarial tradecraft development and how to build effective red team simulations grounded in threat intelligence. The talk covers interpreting intelligence reports, developing safe tools and techniques to replicate adversary behaviours, and practical examples including C2 frameworks, malware traffic generation, and evasion tactics for training defence teams.
Transcript [en]

Hi, thank you for joining me today for Adversarial Tradecraft Development in a Nutshell. Thank you BSides Perth for giving me this opportunity and for hosting this great event. We will talk about adversary simulations, tradecraft development, how to interpret threat intelligence reports and how we can start our development journey, so different types of experiences will be discussed. My name is Fatih Ozavci. I am a managing security consultant and also a security researcher specialised in adversary simulations, so I have provided different types of research, tools and activities to the community, and I have presented at different conferences including Black Hat, DEF CON and some other major conferences as well.

Firstly we need to talk about adversary simulations. Probably you hear about them a lot, but the colours mean almost nothing; we need to understand the context of them. Red team exercises are generally covert operations and the defence has no idea that the operation is running; only some executives and the white team members will know. That actually limits the performance of the defence improvements. On the other hand it is a good representation of the threat actor targeting the organisation. Purple team-like exercises are collaborative exercises and they provide more benefits, for example improving the defence overall, simulating a certain threat actor and understanding the defence and the proactive approach of the defence teams. That's why purple team has more collaboration, and that gives more opportunities to different types of engineers, not only offensive engineers but also defensive engineers such as incident response or forensics or threat hunting or maybe threat intelligence teams as well. There is also an automated approach for this. The automated approach actually focuses on breach and threat emulations and specifically on demonstrating threat actor behaviours. Sometimes this automated approach is quite beneficial if the exercise is targeting certain organisation units or certain cyber analytics components.

When we talk about cyber analytics we need to elaborate that part as well. Cyber analytics is actually a new approach we see in the defence of large organisations. Generally it is designed to identify malicious behaviours on endpoints, clouds, networks and different types of services. So simply the organisation will collect data from all units, so everything will work efficiently, and they will ingest the data into a centralised data store. Then this data will actually be processed by machine learning algorithms, artificial intelligence, deep learning techniques. In the end we will see how they work and what could actually go wrong there: what type of activities will be malicious, who is targeting us. Those are the questions to be answered by cyber analytics. Of course it has cyber security involvement, but also data analytics specialists working on the data interpretation or ingestion, or making it efficient for the algorithms as well. It is important for us to demonstrate threat actor behaviours to improve cyber analytics in the environment as well; that's why we need to provide safer examples of the tools for them.

Our development journey actually starts exactly at that point, because we need to understand the threat actor behaviours and we need to replicate them, and that's why we need to actually open, read and understand the threat intelligence reports. Threat intelligence reports provide indicators of compromise and also some samples of the command and control domains, C2 protocols, or maybe malware samples, or some of the code of the exercise as well. So simply we see some of the details of the campaign running against the target organisation. Threat intelligence reports are generally limited or restricted because of confidentiality requirements or commercial exercises. This is why we need to actually work on different types of repositories to find the right data for us, and then we need to find examples. vx-underground, for example, provides a lot of malware samples coming from different campaigns, also some other exercise components and some malicious code as well. If we combine those two we can understand how this threat actor tried to run this exercise or tried to achieve their objectives; then we can develop our own safe tradecraft to simulate this in the wild. Finding examples sometimes comes from trusted or maybe semi-trusted researchers as well, and we can actually understand their code and we can customise it. All this journey requires development capabilities; that's why we need to understand threat intelligence first.

Threat intelligence is simply understanding the threat actor behaviours and then collecting the data to make them meaningful and trying to avoid future compromises. That's why threat intelligence has different components. Sometimes it is day-to-day attack prevention, for example IOCs of domains, or hashes of malware, or certain features of the attacks; they are for daily actions. But if you have long-term goals, for example what threat actor targets us, how they change their game, what are they after, if an exercise is too long, for example a year of exercise such as Nobelium targeting SolarWinds Orion, that's a different story, and that's why we need to pay more attention to the details in that case. So we need to understand the tradecraft: what tools they used, what techniques they used and how we can simulate them. In this case, emulating the threat actor and simulating are different terms. Emulation is simply replicating the behaviours of the threat actor; simulations are more like building some similarities and using some approximation for techniques and tactics. So different terms help us to find the right path and the right solution for us.

Offensive security leverages this threat intel and the other services to find the right approach for the adversary simulations. Offensive engineers read the threat intelligence data, understand their samples, techniques, tactics and then implementations, and build their own adversary simulation or adversary emulation. If it is full emulation, they try to use the exact malware used by the threat actor, almost maybe 99% matching with the email or domain or the C2 software, trying to make it as accurate as possible. Or we can actually add this with different layers and we can use similarities; for example we can use the same C2 but we can use additional tools, or we can change the approach: if the threat actor is using for example Excel 4 macros, we can use Excel DDE as a replacement. So this type of activity is actually diverting the route and trying to achieve the same objectives on a different path. And also there are IOC generators, and they are generally automated tools to actually generate similar IOCs for you. Yes, it is the MD5 hash of the binary, but if the source code could be compiled in your environment the MD5 hash will be different, so you need to focus on maybe fuzzy hashes, or you need to focus on the text of the file, and you need to build some Sigma or YARA signatures for it. So you need to actually understand what IOCs you need to generate when using this technique, IOC generator examples.

But the problem there is: where do you start? You need to understand, I think, firstly the threat actor, because if you work on a threat actor you need to understand what campaigns they have performed against different organisations and what they are after. Some of those are ransomware gangs chasing some money and trying to get more money from different organisations, sometimes encrypting their disks, sometimes threatening them to release the data, sometimes just extortion. On the other hand some of the threat actors have no interest in ransomware and they are working for cyber espionage, and they are generally nation-state actors. There are also other types of actors, for example initial foothold sellers: they are actually reselling the organisations they compromised. They don't have any interest in exfiltrating data or running a ransomware operation; instead they compromise an organisation and sell the access, and do not get involved in other initial activities. So different types of actors provide different types of tradecraft, tools and tactics for us, so we can work on them.

This is an example of an attack, a very popular attack: SolarWinds has been compromised by a threat actor named Nobelium, and Microsoft and FireEye have also been involved in this case, and some of the government organisations in the US have been compromised. This exercise is a long-term exercise, and this timeline is extracted from Microsoft's threat intelligence report. As can be seen in this diagram, the attack takes almost a year: to design the attack, to plant a kind of malware into this environment and see this environment for a short period, then understand whether it is a target or not, then building a sleeping cell for the long term, and then initiating the attack at a certain point against all the targets already compromised, and not against the targets not in scope, because those targets were compromised but they are there for another reason; if they could be compromised by the same threat actor again that will be a kind of problem for the objectives. On the other hand we need to understand how they approached this problem, because they needed to compromise the software, SolarWinds Orion, and they needed to stay under the radar, but also they needed to verify the target, and then they needed to build a kind of sleeping cell. When the time arrives, only for the in-scope targets, they use a second C2 to deploy a payload, which is the Cobalt Strike Beacon, the malicious software that starts interactive activities on the target system. All of these actually require three different C2s: one C2 is based on DNS for this exercise, the second C2 was a kind of web component, and the interactive C2 is a Cobalt Strike profile and Cobalt Strike itself. To simulate this activity we need to understand these details.

The very same report, but this actually makes much more sense for us if we pay attention to the details and we dive more; we can see some additional artifacts there and we can start actually building a kind of map for us. This is a kind of MITRE ATT&CK map, and some sections are extracted to try to understand what type of C2 or exfiltration channels we can use and how we can build our own tradecraft. This is how I approach the problem: because we have threat intelligence data, we have samples and we have MITRE ATT&CK, let's combine them to understand what we are exactly trying to simulate. Tradecraft details in the same document will also give examples for us, or maybe more precise content that can be simulated.

The Nobelium threat actor also tried to compromise additional units using an email campaign, a phishing campaign, and that's why there was another threat intelligence report released by Microsoft for this threat actor. In this exercise and this campaign the threat actor used HTML smuggling to drop an ISO file onto the victim system, then mounting it and opening this link to load the malware. It's a kind of content, but it does not make a lot of sense, because we know and we understand HTML can be used, we understand the ISO, but how does this happen, what are the details, how does this link actually run the DLL, and why and how? These are actually the questions you need to ask first while reading this threat intelligence report. When I pay attention I see the content of the ISO file, so it simply says that there is a DLL generated, and there is a PDF file there, and there is also a link. The link points to the reports; however it is not a link going to reports. The image looks like a shortcut for a directory, which is Explorer in this case, but the content is calling Documents.dll and Open, which is the exported function. Truly, that way the malicious software is actually not identified, because exported functions are there and the entry point of the DLL is not visible. That's the kind of problem for the antivirus to identify the malware, so EDRs can track this down. Now we have some details, but how does this HTML smuggling work, what domains have been used, how does the C2 communicate? Well, see, we are just actually digging more and more and more to find more IOCs for us to simulate. If we read the details of the exercise we can see the HTML smuggling attack details, we can see some code, we can see the domain, and we can actually make sense of this.

And the question appears: where should we start? Because we have three options here. One option is we can go to a kind of full simulation pack, we can go to our C2 and implant case and fire up the exercise, or we can develop some partial tradecraft. The benefits and actually the cons will be so different. In the simulation pack we have a kill chain and we have some automation there, and lots of examples for the different stages of the exercise, because the exercise has the full stack. In the command and control and implant exercise we develop or we repurpose an existing C2 for this exercise and try to make it relevant. For example Cobalt Strike is heavily used by threat actors, which is fine, but they don't use Cobalt Strike as is; they actually modify things, for example profile components, or sometimes they even change the Beacon code. Recently this has been done by a threat actor as well, and they use a different type of Beacon, so the containers will change. If you want to develop your C2 you need to pay attention to different types of fundamentals and features of the implant and C2s. Another thing is we can actually develop partial tradecraft, for example initial compromise, execution, an evasion tactic, because the rest of the exercise will be so generic, but that part will give us a good attribution opportunity, or maybe that is going under the radar. We need to make it relevant, we need to automate this until our application, cyber analytics, learns from that. If that is the case we can work on that partial tradecraft, we can work on that specific tactic.

So let's work on finding examples, because now we know that we use threat intelligence data, we read that, we understand the threat actor and we know how to simulate, but now where can we find some examples? Because the initial ones were coming from the threat actor, right? One of those is understanding the actual impact of the threat intelligence report. If the report is so detailed you can actually make it a kind of to-do list, just like this one: JavaScript that can actually cause base64 data to dump a file, and this file will be an ISO file, and you know that the ISO file should include a DLL, should also include some additional link files and maybe a PDF as well, and then you need to encode this as base64, copy the content to your JavaScript, and you make it HTML content to be delivered to the client. That could be an HTA file, normal HTML, compiled HTML, whatever it is, whatever you prefer or whatever you see in the threat intelligence report. Some good researchers actually provide examples for different portions of the exercises; for example Jorge Orchilles has provided the Nobelium ISO example to Red Canary, so you can review it and you can see how it is generated. Also generated HTML smuggling and ISO images for threat hunting, to generate similar IOCs, but you can see the difference between those two examples: one is prepared using a C2, one has a different purpose, so you can see the differences between examples based on the same threat intelligence data. Also Jean-François provided the emulation there as well, so it gives you additional examples of how you can actually make a DLL or some additional content for a specific content. If you are working on C# like me you may need the research on C# DLL exports in this blog as well, so you are armed to develop certain components for this partial example.

Or if you want to go to your own C2, here is your own starting point. Patek C2 and implant is malware developed easily, because I had no intention to make it a production exercise, a production tool; that's why it has a lot of code mistakes, but it is also a good start for initial developers, and it comes with an MIT licence, which means you can repurpose it and make it your own. It comes with different protocols such as websocket, HTTP, HTTPS, SMB named pipe, TCP, UDP, implant-to-implant linking support on the implants, and also additional components, so you can use this as a baseline for your own C2 or your own exercise. Or you may want to use your own malware with another C2, for example Mythic. Mythic supports custom implants, custom malware, so you can develop your own malware and you can use Patek as malware instead of its C2. If that is the case you can leverage some features of it: it can execute commands, it can run processes, it can run PowerShell or cmd commands using a new CreateProcess, it can upload, it can download, it can actually run some .NET assemblies in memory, it can compile them in memory and run them, it can actually use .NET directly to compile the content and give you a PowerShell-like or maybe Python-like interactive shell, it can use PowerShell via System.Management.Automation, it can execute shellcode using process injection, it has a lateral movement example for WMI. So you have almost everything as a baseline, and it can automate things like that as well, because automation was the key for my exercises; I don't want to repeat myself again and again. Instead I provided automation support for Patek and made it a scenario. These are the instructions and the commands for it, but if you are looking for more details there is also a 40-minute demonstration for you, if you like, at that link.

In that demonstration I try to use the Patek implant running as Padmé, which is a user on Mandalore, which is a Windows 10 machine, connecting to the Patek service. Then we compromise Coruscant, which is another server in the back, and we link it using an SMB named pipe using Patek. Then also we compromise Geonosis, and this time we link it using TCP 8000. The compromise is happening with WMI lateral movement techniques. On Geonosis we also generate another implant, because we need multiple options, and that's why we use internal mapping of the SMB named pipe. And also we have another server, Naboo, and we actually compromise it through Geonosis and then link it to Geonosis as well. So as you see there is a tree branching here, and we can actually run this as well.

So if you would like to get some graphical user interface, Patek is not your answer; you need something supporting a UI. In this case I developed Tessa, a malware traffic generator, which is a defensive tool for cyber analytics to generate malware traffic. I mention this here because it is a part of my development effort for the adversary simulations as well. Sometimes we need a friendly application that generates that malicious or simulated traffic, because we don't get approvals from everywhere because of compliance requirements; that's why we need friendly interfaces, friendly applications. Tessa has a graphical user interface, as you can see here; Blazor UI has been used for it. It generates the source code for you and it is a kind of bare bones for a C2, so you can add more protocols or you can actually change the implant and make it interactive for yourself. So it is another starting point if you like, but if you are simulating an exercise that makes it a bit complicated, because you need to deploy Tessa in a certain location and you need to deploy some redirectors to simulate some traffic like this. I also have a talk on malware traffic simulation in distributed networks; you can see the details in that talk, but not here, we focus on development now.

The TA505 adversary simulation pack is a kind of end-to-end tradecraft for you. So you have seen examples of partial development, and now you have also C2 and implant examples; if you are looking for a full path for yourself, the TA505 adversary simulation pack is there. What if the TA505 threat group upgrades their techniques against cutting-edge systems, what happens? That was the motivation and gist of this exercise. It was based on Windows 10 up to date, it was based on Windows Defender up to date, also Office 2019 with the Excel sandbox enabled. It repurposed some of the UAC bypass, getsystem, token stealing or some additional registry manipulations, and AMSI bypass as well, AmsiScanBuffer patching actually; those are well-known attacks in the wild. The TA505 pack also used some additional tools such as Patek. I tried to use this exercise to inform everyone but also to provide an example. This is the kill chain of the exercise; we simply provide a kill chain for the simulations, and the kill chain actually explains the levels of complexity of the exercise. In this exercise I try to develop some examples for different layers, so it provides you partial examples, but also it gives you a solid C2 and implant as well. But of course I made mistakes; I made mistakes by design or by decision, so simply I had some different priorities to complete this exercise. You may not actually follow this one, but also there is a 50-page report as well with details of the exercise, so you can divert your path and you can see the improvement points I put there, and you can improve your exercise using the suggestions. I developed those six tools during the exercise, and when it comes to the Excel file, I actually used EXCELntDonut to generate this file; simply this file uses the Patek dropper, which is a dropper to actually load the additional components. It gets the AMSI patcher to patch Windows Defender, then it loads the Patek implant, after that it actually loads Meterpreter, the Metasploit Framework, and it performs ransomware activities using Grand Swabling, which is another custom application. So there is a more than four-hour video set for it; if you want to dive in, that is your path. How it can be developed from beginning to end is available in this video. It is live recorded, so I made a lot of mistakes, so you can see my mistakes; they are not hidden, so learn through my mistakes instead of making them your own again and again. Just make your own mistakes, not repeat mine. OK, so simply read this content and after that watch the videos and make your own decisions to develop your own environment.

Let's talk about the development effort now. So now we know that we have different types of adversary simulations, we have threat intelligence to combine, we know that threat intelligence can be used to develop exercises, that's why we find some examples for different layers of the exercise, maybe certain tools or a full C2 and implant, or a full exercise at the end. Now if we want to develop our own we need to follow a couple of decisions. If we are going to the designing C2 and implant path we need to understand the essentials of this one. Firstly you need a bare-bones implant, bare-bones C2, bare-bones protocols for you, so you can actually customise them. If you start from the beginning that would be so difficult; that's why I actually provided tradecraft development training, and in my training and GitHub repository you can find this training as well. I provide some code samples that I will demonstrate shortly, so you can build your implant to download some content from remote, such as social media, and run the instructions, or you can make it more complicated, for example you can download the instructions to connect to the C2, or you can actually make it way more complicated: you can get this data from a C2, for example a payload server, and establish interactive communication with another C2, which could be a websocket as well. So this type of communication is important for the implant side, but if you are designing a C2 as well you need to focus on some backbone features such as pluggable protocols for the services, profile support, credential storage, data loot storage, logging, reporting; those are the core components of the C2, so you can work on it. And also you need to choose what abilities you expect from the implant.

If you are developing an implant, of course .NET tradecraft is very popular these days, so if you want to follow a path for development you need to go with whatever you are comfortable with; sometimes this is Go or Rust or Nim, but sometimes it is .NET. .NET is good for some cases because it is so integrated into Windows in several different layers and it is very, very mixed in, so simply it is well preferred, but it comes with drawbacks. For example AMSI is attached to .NET after 4.8; that means if you see CLR 4.0 and then .NET running on it, for example 4.8, then you are dealing with AMSI in real time: loading assemblies will be monitored. But .NET 3.5 on CLR 2 would be great for you to run the code with no AMSI integration. This doesn't mean that EDR is not monitoring you, so lots of components are there, but .NET gives you platform invoke, direct integration and also safer implementation. If you are not in a hostile environment you can easily use .NET for purple team exercises, if you don't have any concerns about hiding your malware from other parties such as real threat actors. I have development repositories for all of those, so simply the TA505 repositories: there we have the C2 and implant and we have Tessa as well, and now you have also an offensive development training, tradecraft development in adversary simulations from beginning to end. So simply from the ground up you can easily develop your implant with advanced features as well.

So I provide these examples for a reason; for example this one is a simple demonstration of the simple components. These exercises are split into four chapters, and this video is for the second chapter. Simply we have examples; for example this one is CheckProcess. It's a simple class, you can add this to your code and this will give you an idea whether a process runs or not. If it is running, that's something for you. Let's make it offensive: check whether the process is running or not, and the process name will be for example CrowdStrike or Windows Defender or something like that; then you can see that there's an EDR or antivirus running. See, it is easy. WebClient gives you the web communications; it accepts parameters and then it actually retrieves some data from remote and then parses this data and then gets an instruction list. Interactive menus are also provided, for example the registry menu; advanced is that file, so you can see the interactive menu, but in this example the WebClient is actually getting the data and the data is parsed as input, so the interactive menu turned into a non-interactive menu through that page. ASM helps us to load an assembly from local or remote; it is up to us. In this case we use .NET, so we use the client's DownloadData, and it is a URL, that means we will use the .NET WebClient; if it were a file we could download the file from the local path. What it does is simply executing the .NET assembly or compiling the source to make it run, and in this case everything happens in memory. And you have examples of the content to write to the files, you have also examples of compiling an embedded application, and you have examples of how to run third-party .NET code with no information but in your process. So examples are there, but if you want to go back to chapter one there are much easier examples and it starts with hello, so I don't know where you want to start from, but this is a good example that actually gives you the opportunity to customise your code. For example this part is so easy to run .NET code segments, because it gives you only five lines to run this and it is so easy to understand.

If you go to the websocket implant, the objective will be changing slightly, because you make it interactive, websocket, so you can use this websocket as is in your environment and you can make it an interactive component. So simply your malware will be connected to you using HTTP or HTTPS, but on top of it HTTP websocket, just like TCP sockets; it will be in real time, and it is a native HTTP protocol, so you don't need to justify your scenario; it could be like an API or a kind of web chat or something like that, so it blends in very fast. Then processing the instructions: it is that easy, it is not that complicated, it is easy. So simply your menu this time is driven by a kind of websocket service. I also provide the websocket service for you, so it can be identified through that way and it can run, and this service is simply creating a new websocket for you and then listening for the implants connecting. When the implants connect you have the interactive menu again to run on it. So it's up to you again what you want to do; it is really unlimited. In this case instructions will be a kind of landing page for you, and then you can add your other instructions, for example inject payload, inject content, run this command, get this command, check the process running, but every part of it is actually split up into gadgets. That's why while developing I generally use gadgets and make them work just like Lego.

This is the chapter 2 content, so we can actually compile the content using Mono or native Windows; in that training you can see the details of various options, how we can compile them and how we can run them. This is an example of WebClient compiled, and if we use the same repository you will understand that there is also a C2-like text file there, so you can use the text file as a C2. For example running those commands will help you; you can download the text or you can give that content to our WebClient directly, so it's up to you. Our WebClient was downloading a file and running it, right? So if we give a URL to our raw assembly file it should run it. That's the scenario, so that's what we expect. So our malware initially has no malicious intentions, but it goes to the internet, downloads another executable, another .NET assembly, loads it in memory and runs it. See, it makes it malicious from now on, because we have third-party code coming in memory, not on disk; that's why antivirus doesn't understand this, but EDRs still monitor, and that's another case that we discuss in the later sections of that training.

Another example is websocket. Websocket is the interactive example for this one, because in the websocket we simply make it interactive in real time; that's why it needs a service this time, because initially the web itself is an HTTP file, and it can be any file, text or binary, regardless, but in websocket we need to host something and we need to wait for the connection. In this case I use the .NET websocket service and it will be running on .NET Core, so you can start actually modifying it and you can run it as .NET Core; it can work on .NET Core 2.2, 3.1 and .NET 5 as a service, so you could be quite flexible for the server component. As seen, you are actually on a shell and waiting for an implant to connect. If the implant has the classes I pointed out, the implant can connect to that URL; that URL is ws, by the way; it can be HTTP as well. For executables you need to use Mono on Linux and Mac because they are not native Windows. As we see it is connected to our web server environment, which is websocket, and the implant is there. When we hit the commands we see the implant is actually running those instructions, so you can take it from there and you can actually advance it.

Now let's move on to what we can do more. Patek has individual capabilities; it is coming with the same training as well, and you can actually differentiate those components and you can actually focus on one of those or maybe a couple of those if you need, and this is what I did actually; I will explain shortly. These examples, for example executing a .NET binary, a .NET assembly, simply another C# code, a kind of .NET source code, C# source code, exec for the process, or PowerShell automation, they are features that you can take out as a kind of function. But you also need to add evasion tactics, because eventually your repository will be open; for example Patek is out there for almost two years and it is signatured at different levels: its name, its binary, its source code. So you need to change things, you need to hide some content, you need to perform obfuscation, or you need to add layers such as a dropper, then a loader, then shellcode, a full implant and then adding additional modules on the implant. This journey is a long path, and if it is identified by a kind of malware reverse engineer, the engineer will see only one of those, or whatever you loaded in memory, but not all the phases of the exercise. That's why what we are trying to do is making things harder for them, because adversaries already make it harder, so we need to train our defence in that manner. We can also add detections for automated analysis as well; we can force the analysts to take it in person. We can detect the sandbox, we can avoid virtualisation, we can refuse debugger environments, so those are the things that we can leverage to make things harder for the analysts.

I developed a new project, the Blunt Implant, and there is no documentation for it yet, but the repository is there, TBI, so you can go to my GitHub and you can find this one. I still have a limited understanding of what I will do next with that, but currently it works just like in this one: it actually grows in memory. It has some functionalities, the core functionalities such as running instructions or loading your module, or loading your module from an image in remote. So if the module is for example a sample module, it looks for GetInstructions and Operate, and it actually uses GetInstructions to extend the menu and add the menu items, and then Operate to run those instructions in that new module. So it doesn't know what modules are there and how it is developed; what it is interested in is actually GetInstructions and Operate. So it's a good example, and I used legitimate websites to actually drive this tool, for example an image website, because I hide my

content in image images those images are simply having the bytecode after the end of file and they have actually exer key as a part of it so xor key is the separation and after that the byte code is there actually not bytecode bytes simply byte array so byte array is a binary content that we don't know it is a text file such as config or an internal module for tbi modules or a shell code to inject and tbi actually loads these components from this image service and then adds additional stages or additional features to run some assembly to extend the features for example uh using assembly components it bypasses mc it a provides you interactive web circuit it gives you

a injection opportunity so you can use donut or cobalt strike injections so it uses legitimate websites and you can drive this and the components are actually growing in memory so you don't need to shift everything at the same time and they are a part of the same environment and you can interactively grow them these are the sample commas such as load module from a remote location the type is image the type could be a local file as well that is also fine or exor file so it's up to you how to design this because there is a deployment script there that you can choose when you load the module that many features the instructions available in the module

such as disable it available for antivirus bypass exec assembly image is available for the assembly module or injector model has injector or inject xor inject image so you have multiple options so you can use it this is a simple example of this execution i have recorded this video in our internal the missing link event so simply uh it's a very short video deployment sh compiles everything for us and you have a compiler there as well but you need to customize it and it is not error-free believe me when i used the web circuit as i previously demonstrated the service is running there i'm currently using process config and it will process the config file given

so the tbi is running and it will look for the url and then x-door key for example kimi so it will download this png file which is uh an image and it will use kimi to actually decrypt this xor and then it will run the commands inside the commands are simply load assembly features load web socket and connect to the web circuit and give the content as you see it is connected to our web socket and that web circuit module is there but there are other modules and initially it didn't have any connect command but now it has because of this model and now we are using load model file kimi again the exal key simply

and antivirus bypass model and this module could be a remote model or local one in this case it is file xor file instead of an image on the remote service as you see the module is loaded now antivirus bypass model is there and disable it is available now which is a new command that can disable antivirus so we have multiple modules here but you also need some essential features such as swissy img test and xor inc and that helps you actually actually those help you to encode something encrypt something add some features and etc so they are serious iron knife and knives for you to develop additional segments so you can hide your activities in

plain images just like stenography but in a poor way poor man's standard efficiently after the end of file components and it will be a part of the png jpeg or other files and you can use legitimate environments such as image share simply we need to remember always tradecraft development requires trade intelligence data we are not developing this in the wild uh and just without no information we are making it through the trade intelligence data because we hear something and we try to make it sense that's why we developed those tools adversary simulation packs provide actually examples for various components antivirus bypasses evasion tactics executions injections so seeing an adversary simulation pack is quite valuable so you can

investigate every layer of it so find your favorite language and start developing that's what i'm suggesting otherwise from beginning or from uh in the middle of it just changing your code segment or start with a hello it's up to you but development really helps for adversary simulations these are my references for this talk and the content so it will help you to understand how i develop my tools and my components i hope this can answer satisfy a couple of questions in your mind anyway and feel free to ask more questions so this is a recording i'm not sure how i will uh get the answers but it will be honestly in the business part so i

appreciate you if you ask questions and uh i will try to answer them live or uh through linkedin or github you can of course register your questions or issues as well tbi is still proof of concept i haven't decided what to do with that so uh you can use tbi but don't don't expect any support yet i will decide what to do next and then i will inform you as well thank you for your time thank you for listening to me and thank you peace i support hosting me for this presentation have a great one
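The image-carrier layout the talk describes (bytes appended after the PNG's end, the XOR key as separator, XOR-encoded content after it) is something a defender can check for by walking the PNG chunk list rather than trusting the file extension. The following Python is an added example and not TBI's code: it parses chunks up to IEND, flags and scores any trailing bytes, and decodes the tail when a known key leads it; the 1x1 PNG, the key kimi and the hidden config lines are constructed for the demo.

```python
import math
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, payload):
    # PNG chunk layout: 4-byte length, 4-byte type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def minimal_png():
    # Constructed 1x1 greyscale PNG so the example runs offline.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def trailing_bytes(data):
    """Walk the chunk list and return whatever follows IEND (empty for a clean file)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk found")

def entropy(buf):
    # Shannon entropy in bits per byte; XOR-encoded or compressed tails score high.
    if not buf:
        return 0.0
    counts = [buf.count(bytes([b])) for b in set(buf)]
    return -sum((c / len(buf)) * math.log2(c / len(buf)) for c in counts)

def xor_bytes(buf, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))

def inspect_png(data, key=None):
    """Flag a PNG with data after IEND; if the known key leads the tail, decode what follows."""
    tail = trailing_bytes(data)
    report = {"trailing_len": len(tail), "suspicious": len(tail) > 0, "entropy": round(entropy(tail), 2)}
    if key and tail.startswith(key):
        report["decoded"] = xor_bytes(tail[len(key):], key)
    return report

KEY = b"kimi"  # constructed sample; layout per the talk: image, key separator, XOR(config)
HIDDEN = b"load assembly\nload websocket\n"  # constructed config lines, not TBI syntax
SAMPLE = minimal_png() + KEY + xor_bytes(HIDDEN, KEY)
```

In a pipeline the "suspicious" flag alone is the useful signal: a PNG with any bytes after IEND has been tampered with, whatever the key.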