Breaking down an execution method used by Sodinokibi: Whilst analysing a Sodinokibi sample, I reversed a pretty cool method of executing shellcode, and it's one I haven't seen before.
Deep Diving Process Injection: In another blog for Secarma, I wanted to look at Process Injection from a Windows and process level perspective to see how it actually works... This two-parter does that :)
Exploring Remote Desktop Manager: This has been on my chopping block for a while. In this blog I had a poke around the Remote Desktop Manager Application and found a familiar way to get creds from it.
Three ways of using MSBuild to beat CrowdStrike: During an engagement, I was given a specific objective of weaponising a USB against CrowdStrike. Naturally, I defaulted to MSBuild. This blog details three ways in which I was able to execute MSBuild functionality.
Instancing and multi-threaded Malware: A look at instancing malware and using multiple threads to run shellcode and monitor for defensive processes.
Dynamically resolving Hashed-NTAPI Calls: Getting pointers to NTAPI Calls and FNV hashing are two of my favourite methods at the moment. This blog is an example of each.
Common Language Runtime: Part 3: A long time ago I started a series looking into the CLR. Since that last post, I have adapted it massively and adopted it into a DLL. I didn't post it as I was actively using it. But now it's been quite well documented, so I can throw this into the fire too.
Executing shellcode with Unsafe Native Methods in PowerShell: Executing shellcode within PowerShell isn't groundbreaking stuff, but I wanted to understand how Cobalt Strike managed it. This blog post is a look into how Cobalt Strike executes shellcode from PowerShell using the Unsafe Native Methods.
Common Language Runtime: Part 2: In my previous post, I explored the CLR briefly and wrote an on-disk implementation of execute-assembly. This bothered me because it's not very realistic, so in this post I solved that problem and expanded the code to run .NET from memory whilst patching ETW and AMSI.
Common Language Runtime: Part 1: .NET assemblies are becoming, if they aren't already, the preferred way to execute tooling during post-exploitation. In this post I wanted to look into what exactly the CLR is and how it operates (broadly). With that sorted, I moved on to looking at how execute-assembly works and wrote an on-disk implementation.
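The "Dynamically resolving Hashed-NTAPI Calls" entry above names FNV hashing as the way the export name is matched without the plaintext string ever appearing in the binary. As an added illustration, not code from this blog or from any of the posts it lists, the following C shows the core of that technique: a 32-bit FNV-1a over an export name, and a lookup that walks a name table comparing hashes against a precomputed target. The name table here is a constructed stand-in; a real resolver would walk ntdll's export directory, and the function names chosen are only examples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 32-bit: XOR each byte into the state, then multiply by the prime. */
#define FNV1A_OFFSET 0x811c9dc5u
#define FNV1A_PRIME  0x01000193u

uint32_t fnv1a32(const char *s)
{
    uint32_t h = FNV1A_OFFSET;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        h ^= *p;
        h *= FNV1A_PRIME;   /* wraps mod 2^32, which is what FNV expects */
    }
    return h;
}

/* Constructed stand-in for an export name table. In a real resolver this
 * list comes from walking AddressOfNames in ntdll's export directory;
 * the names below are just assumed examples. */
static const char *const kExports[] = {
    "NtAllocateVirtualMemory",
    "NtProtectVirtualMemory",
    "NtWriteVirtualMemory",
    "NtCreateThreadEx",
};
#define NUM_EXPORTS (sizeof(kExports) / sizeof(kExports[0]))

/* Return the index of the export whose name hashes to target, or -1.
 * The caller only ever embeds the 32-bit hash, never the plaintext name. */
int resolve_by_hash(uint32_t target)
{
    for (size_t i = 0; i < NUM_EXPORTS; i++) {
        if (fnv1a32(kExports[i]) == target)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Offline step: print the hashes you would paste into the loader as constants. */
    for (size_t i = 0; i < NUM_EXPORTS; i++)
        printf("0x%08x  %s\n", fnv1a32(kExports[i]), kExports[i]);

    /* Runtime step: resolve from a hash alone. */
    uint32_t want = fnv1a32("NtWriteVirtualMemory");   /* would be a literal in practice */
    int idx = resolve_by_hash(want);
    printf("lookup 0x%08x -> %s\n", want, idx >= 0 ? kExports[idx] : "(not found)");
    return 0;
}
```

Two caveats a practitioner would want: the FNV constants 0x811c9dc5 and 0x01000193 are themselves a well-known signature, so scanners and YARA rules routinely flag them, and the hash gives no protection once the loader is being run under a debugger, since the resolved pointer is visible the moment it is used. Hashing hides strings from static triage; it does not hide behaviour.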