Author: Rasta Mouse

OUs and GPOs and WMI Filters, Oh My!

Abusing GPOs is a tactic that’s been actively in-play for many years. ACL-based path-finding for GPOs was introduced to BloodHound 1.5 in 2018, and other tools have been released such as SharpGPOAbuse which implement various abuse primitives. You may be familiar with this representation, where a machine is a member of an OU and a

Read more

Why Tool-Restricted Exams (Sometimes) Matter

As the author of the Red Team Ops course and certification, I often get asked why the tools available in the exam are restricted to those provided in the pre-configured environment. The answer is a little involved to explain fully on Twitter or Discord, so this post is my attempt at providing a more complete

Read more

SOCKS4a Proxy in C#

Some time ago, I tweeted a teaser about implementing a SOCKS4 proxy in .NET. This post will finally provide a basic run-down of how I implemented it. There are some short-comings, which I’ll try and callout as they come up. We start off by creating a class that will bring a bind address and port

Read more

Adjacency List to Manage P2P Implants

In Command & Control (C2) parlance, there are two main types of implant: egress and (peer-to-peer) P2P. An egress implant will talk directly to attacker-controlled infrastructure over a protocol such as HTTP. A P2P implant does not talk directly to an attacker, but has their communications (SMB, TCP, or whatever) relayed through one or more

Read more

Dumping LSASS with Duplicated Handles

In the previous blog post, we looked at how to enumerate and duplicate open process handles in C#. The use case that was outlined involved stealing a handle to LSASS, as this is potentially more OPSEC safe (from AV and EDRs) than obtaining a handle directly. This post will demonstrate how to use such a

Read more

Duplicating Handles in C#

Introduction Applications can open and maintain handles to Windows objects such as access tokens, processes, threads, files, named pipes and more. As a local admin (or with SeDebug privs), it’s possible to enumerate open handles across the entire OS and duplicate them for our own use. This is particularly useful when you want to obtain

Read more

ExternalC2.NET

Introduction This post will walk through how I created a library which implements Cobalt Strike’s External C2 Specification, introduces the ExternalC2.NET NuGet packages, and demonstrates how to use them in a custom third-party controller and client. External C2 Cobalt Strike has the ability to accept third-party command & control, allowing operators to go far beyond

Read more

D/Invoke Baguette

This post will introduce a few new (related) projects that I’ve started to work on. Let’s start with my D/Invoke fork. The aim of this fork is to provide D/Invoke in a more minimalist form. It only contains the core DynamicInvoke and ManualMap functionality, without all the additional helper methods, delegates, structs or enums. This

Read more

Backdoor .NET assemblies with… dnSpy 🤔

Placing backdoors in legitimate applications is a good way to achieve persistence, data exfiltration, and if circumstances allow, privilege escalation. Backdooring .NET assemblies is surprisingly easy using an editor such as dnSpy. This post will run through a simplistic scenario where we backdoor a DLL used by a Blazor Server App. I thought this was

Read more

D/Invoke & GadgetToJScript

I’m sure the subject of combining D/Invoke with GadgetToJScript has been written about multiple times; but I wanted to throw my hat into the ring with this post. For those who don’t already know, D/Invoke provides (among other things) a means for dynamically invoking unmanaged APIs without using P/Invoke. GadgetToJScript is a spiritual successor to

Read more