Backdoor .NET assemblies with… dnSpy 🤔

Placing backdoors in legitimate applications is a good way to achieve persistence, data exfiltration, and if circumstances allow, privilege escalation. Backdooring .NET assemblies is surprisingly easy using an editor such as dnSpy. This post will run through a simplistic scenario where we backdoor a DLL used by a Blazor Server App. I thought this was

D/Invoke & GadgetToJScript

I’m sure the subject of combining D/Invoke with GadgetToJScript has been written about multiple times; but I wanted to throw my hat into the ring with this post. For those who don’t already know, D/Invoke provides (among other things) a means for dynamically invoking unmanaged APIs without using P/Invoke. GadgetToJScript is a spiritual successor to

.NET Reflection and Disposable AppDomains

Disclaimer: I didn’t come up with any of the methods or techniques described in this post. I merely glued other people’s work together – like Sharknado and Final Fantasy VIII’s Gunblade, only better. The premise of this post is to better conceal reflection and Assembly.Load() tradecraft in .NET Framework implants. Let’s first have a primer

NTLM Relaying via Cobalt Strike

NTLM relaying is a popular attack strategy during a penetration test and is really trivial to perform. Just roll up at the client site, plug your laptop into the LAN, fire up responder and ntlmrelayx, and away you go. The majority of opportunistic relays come when a user or a machine tries to access an

Exploring Process Injection OPSEC – Part 2

In Part 1, we reviewed the very simple VirtualAllocEx/WriteProcessMemory/CreateRemoteThread injection pattern. The two major OPSEC concerns it had were an RX memory region and an executing thread, neither of which was backed by a module on disk. In this part, we’ll fix the “thread” issue by replacing the use of CreateRemoteThread with QueueUserAPC. The

Infrastructure as Code (Terraform + Ansible)

If you’ve any experience with building infrastructure designed to support a red team or adversary simulation exercise, you’ll have likely come across the Red Team Infrastructure Wiki. If not, it’s a curated collection of resources for creating secure and resilient infrastructure – covering everything from high-level design considerations to step-by-step setup instructions. Just a cursory

Cobalt Strike Spawn & Tunnel

Cobalt Strike 4.2 introduced a new set of “spawn and tunnel” commands called spunnel and spunnel_local. Shortly after release, Raphael Mudge published a blog post entitled Core Impact and Cobalt Strike Interoperability, in which he details how these can be used to tunnel Core Impact’s agent through Beacon. The CS manual also says the commands

Exploring Process Injection OPSEC – Part 1

This is the first in a short series of posts designed to explore common (remote) process injection techniques and their OPSEC considerations. Each part will introduce a different technique that will address one or more “weaknesses” previously identified. This post will analyse the most classical method of injection – the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread pattern; and assumes the

Bypass In-memory Integrity Checking

In the Memory Patching AMSI Bypass post, I discussed how to patch the AmsiScanBuffer function to prevent it from returning a positive result when scanning content. That process involved: finding the location of AmsiScanBuffer in memory; changing the memory permissions to RWX; copying the patched bytes across; and restoring the memory region back to RX. After

Memory Patching AMSI Bypass

This post is a replacement for my previous 4-part series. What is AMSI? The Antimalware Scan Interface is a set of Windows APIs that allows any application to integrate with an antivirus product (assuming that product acts as an AMSI provider). Windows Defender, naturally, acts as an AMSI provider as do many third-party AV solutions.