Rasta Mouse Cheesy Rumbles
Blog / May 11, 2024 / Rasta Mouse
I have been quietly working on some new Kerberos course content, and although it’s not complete yet, I wanted to take a small segue to write this post. My approach to tackling the content required capturing and decrypting legitimate Kerberos traffic on the wire, so that readers could understand the protocol at the packet level.
Blog / May 7, 2024 / Rasta Mouse
If you’re an experienced Cobalt Strike user, you will already know what roll the artifact kit plays in customising its binary (executable and DLL) payload artifacts (artefacts for the British). If not, here’s a tl;dr: Beacon is a reflective DLL that needs to be loaded into memory to run. When a payload gets generated in
Blog / March 9, 2024 / Rasta Mouse
YARP: Yet Another Reverse Proxy is a .NET library developed by Microsoft designed to run on top of ASP.NET Core infrastructure. The intended use case for YARP is to sit between backend and frontend services to provide reverse proxy and load balancing services. The content of this blog post is to show how it can
Blog / January 29, 2024 / Rasta Mouse
There are multiple structures in Windows that contain fixed sized arrays. The instance I came across recently was the KERB_QUERY_TKT_CACHE_RESPONSE struct, which looks like this: ANYSIZE_ARRAY is defined as 1 in winnt.h, but the reality is that the array will be of size CountOfTickets. This value obviously cannot be known at compile time. Translating these
Blog / January 6, 2024 / Rasta Mouse
C# is a popular language in both the commercial space (think ASP.NET Core, MVC, Blazor, WPF, MAUI, etc) and the infosec space. The most well known offensive C# tools are probably those in GhostPack (Rubeus, Seatbelt, Certify, SharpUp, etc). A lot of offensive tools that target Windows use interop (P/Invoke) quite heavily to call WinAPIs
Blog / October 3, 2023 / Rasta Mouse
The Cobalt Strike 4.9 release introduced support for registering Aggressor callbacks for several functions including bexecute_assembly, bpowerpick, and binline_execute. Prior to this feature, there was no practical way of tasking Beacon and then performing further actions based on the output (other than reading it on the console and then manually issuing more commands). To demonstrate
Blog / September 6, 2023 / Rasta Mouse
Melkor is a C# POC written by FuzzySec to simulate a TTP employed by InvisiMole. The concept is that post-ex assemblies are loaded into a payload/implant and kept encrypted using DPAPI whilst at rest. They are decrypted on demand and executed in a separate AppDomain. The AppDomain is unloaded once execution completes and only the
Blog / July 2, 2023 / Rasta Mouse
Introduction C# Source Generators made their first appearance around the release of .NET 5 and now ship as part of the .NET Compiler Platform (“Roslyn”) SDK. They allow developers to inspect user code as it is being compiled and even create new C# source files on the fly and add them to the compilation. A
Blog / April 4, 2023 / Rasta Mouse
This post will demonstrate how to use the HTTPS handler in SharpC2 with an Apache redirector. I’ll be running SharpC2 inside WSL on my physical host and an EC2 instance as my redirector. The traffic will be proxied from Apache to SharpC2 over a reverse SSH tunnel. Redirector First, install Apache and enable the relevant
Blog / January 2, 2023 / Rasta Mouse
tl;dr Since .NET Core 3, the dotnet runtime has provided a low-level hook that allows injecting managed code that will run before an application’s entry point. This hook makes it possible to effectively backdoor any .NET application on a host (Windows, Linux, and macOS). You may ask why such a feature exists. It’s used in