Cat & Mouse - or Chess?

Last year I had the idea for a new approach to block EDR DLLs from loading into a newly spawned process. After several months this idea led to a PoC, which was then published after presenting the topic at x33fcon and Troopers this year.

This post will cover the background and description of the technique.

Alternative use cases for SystemFunction032

Some days ago I woke up in the middle of the night thinking about the Advapi32.dll/SystemFunction032 function. Really? Yes. Strange, these InfoSec folks. This post will show my nightly idea and sample code on how to weaponize it.

The difference between signature-based and behavioural detections

In this blog post, the main difference between signature-based and behavior-based detections is explained. In addition, examples are shown together with the respective detection bypasses.

Stageless HTTP in Covenant

This is a short post on how to use stageless HTTP Grunts in Covenant, plus some staged vs. stageless thoughts from my side.

LSASS dumping in 2021/2022 - from memory - without C2

This post will explain my trials & fails and road to success for building scripts to dump LSASS from memory. It’s nothing new: existing tools, existing techniques. But those techniques for in-memory execution may fail in certain situations. Those situations plus potential solutions are shown here. The LSASS dumping tools were all released/published within the last year and are, from my point of view, state of the art for this time.

SharpImpersonation Release

This blog post is an introduction to my newly released post-exploitation / privilege escalation tool SharpImpersonation. The code base makes heavy use of Tokenvator, so a big credit goes to @0xbadjuju. I changed the usage and also added several other improvements. This post covers one example use case, and afterwards we dive into the features and changes.

[SharpImpersonation.Program]::Main($Command.Split(" "))

On how to access (protected) networks

This post is about common misconfigurations and attack scenarios that enable an attacker to access separated networks with critical systems or sensitive data. The content is heavily inspired by my personal experience in real-world projects and company networks.

Named Pipe Pass-the-Hash

This post will cover a little project I did last week and is about Named Pipe Impersonation in combination with Pass-the-Hash (PTH) to execute binaries as another user. Both techniques used are not new and are often used; the only thing I did here is the combination and modification of existing tools. The current public tools all use PTH for network authentication only. The difference with this “new” technique is therefore that you can also spawn a new shell or C2 stager as the PTH user for local actions and network authentication.

2.05.2021: Update

Unfortunately I learned that my technique can only be used for local actions, but not for network authentication, as Impersonation Tokens are restricted to that.

The most common on premises vulnerabilities & misconfigurations

In the last years my team at r-tec was confronted with many different company environments in which we had to search for vulnerabilities and misconfigurations. For customers who have not yet carried out regular penetration tests, we recommend as an initial step checking systems on the Internet (DMZ) as well as internal systems for the most common critical attack techniques and vulnerabilities. This can be done with a predefined number of person-days. Anything found within this period will be included in the report. This approach provides an initial overview of the most critical vulnerabilities and risks from both external and internal threats. For such initial projects, we also recommend choosing an open scope. Here, any of the client’s systems may be examined, and any attack technique, such as social engineering via phishing mails, may be used.

In this blog post I’m gonna cover what are, in my opinion, the most common findings in a Windows Active Directory environment which can be found and abused for Privilege Escalation and Lateral Movement in such a project. It’s about on-premises vulnerabilities and misconfigurations in an internal company environment as well as mitigations.

The difference between PowerShell-only & process-specific AMSI bypasses

In the last months I was often asked about potential errors using PowerSharpPack or other PS1 scripts loading .NET assemblies via [System.Reflection.Assembly]::Load(). The reason for these messages is actually not an error or a bug, but the .NET AMSI interface, which catches the binaries loaded via [System.Reflection.Assembly]::Load(). Some of the public PowerShell AMSI bypasses just don’t work for loaded .NET binaries, and the error message is not self-explanatory. Therefore I’m gonna show some examples and bypass methods in this post.

A tale of EDR bypass methods

In a time full of ransomware as well as Advanced Persistent Threat (APT) incidents, detecting those attacking groups has become increasingly important. Some years ago the best tools/techniques for security incident detection and response included a SIEM system filled with logs from IPS/IDS systems, proxies, firewalls, AV logs and so on. In recent years, a component that in my personal opinion is increasingly relevant has been added: “Endpoint Detection and Response (EDR)” systems and/or features. The features of those EDR systems include live monitoring of endpoints, data analysis, threat detection and blocking as well as threat-hunting capabilities. In both penetration tests and red-team engagements, these systems can make it difficult to use the public offensive security tooling, as it is more often detected and blocked. However, these systems have a weakness which allows attackers to bypass the protection. In this blog post I’m gonna summarize all EDR bypass methods I found so far.

Bypassing Windows protection mechanisms & Playing with OffensiveNim

In this post I’m telling a short story from an environment I faced some time ago and how to handle the situation by bypassing Constrained Language Mode and AppLocker using well-known techniques. I recently had some time to take a look at the OffensiveNim repository by @byt3bl33d3r, who did some really awesome work here. By looking at the code examples and fiddling around with some of them I found that this is pretty cool and has nice benefits. Therefore the second chapter is about my amusements with the Nim templates. C# binaries wrapped in Nim could have been used to bypass the Windows protection mechanisms as well, for fun and profit. There will be nothing new in this blog post; everything used is already public. But maybe some of you will face a similar situation in the future, and this post could maybe help you here.

Excel-Phish - Phish protected Excel-file passwords

This post will cover a little Excel macro project by @0x23353435 and me. It was made during an engagement in a customer’s environment. They were using a password-protected Excel file as a password manager. This post will show how to attack such scenarios and why people should not use this method for password storage.

Customizing C2-Frameworks for AV-Evasion

This post will cover how to edit the source code of some open source Command & Control (C2) frameworks for AV evasion. It will cover PowerShell Empire, Pupy C2 and Covenant.

Building a custom Mimikatz binary

This post will cover how to build a custom Mimikatz binary by modifying its source code to get past AV/EDR software.

Bypass AMSI by manual modification part II - Invoke-Mimikatz

This blog post will cover some, let’s say, more advanced AMSI triggers. I decided to build a custom Invoke-Mimikatz script without AMSI triggers. I will also cover some information on how Invoke-Mimikatz basically works for those who did not know it before.

Bypass AMSI by manual modification

This is my very first blog post. It’s about how to manually change AMSI signatures/triggers to bypass it.