This post and subsequent code snippets will help you quickly assess whether EDR is loaded into your process (without a debugger) and performing user-level hooking on important functions that you may wish to use, e.g. process migration using ZwOpenProcess and ZwCreateThreadEx. When red teaming in a new environment we always need to perform situation awareness.Continue reading “Worried about EDR hooking catching you out?”
When looking at entry points used by APT groups and cyber criminals, a large number of these compromises use phishing as the initial delivery vector. It makes sense, email is now an intrinsic part of how we interact with the world and therefore it is expected that we will regularly see communication from people we know and people we don’t landing in our inbox right on our front door step.
DLL Side-Loading or DLL Proxy loading allows an attacker to abuse a legitimate and typically signed executable for code-execution on a compromised system. Mitre has been keeping a log of this technique since 2017, and it continues to be a popular option by threat actors (For good reasons!) Proxy loading is very similar to DLLContinue reading “DLL Proxy Loading Your Favourite C# Implant”
TL;DR – This article is a short run through of how PoshC2‘s shellcode is automatically generated on the fly using binary patching without the need for continued re-compilation. We’ll also go over how we use GitLab CI/CD pipelines to generate the payload files and create the artefact files inside the resources folder, specifically shellcode! DevOpsContinue reading “PoshC2 Shellcode and Binary Patching”
A lot of the top-tier companies that I work with have fallen into the same trap of running a compliance driven security function which means policies are created purely to be compliant and not necessarily adopted or fully integrated by the organisation for security purposes. Policies and procedures is a great thing and provide aContinue reading “To Be A CISO For A Day”