GPO Abuse - Part 2

Before we can really dive into modifying GPOs, we need to try and understand some of the intricacies of how they’re updated normally in GPMC and AD. Because believe me, it aint as simple as it appears.
Continue reading

In Part 1, we had a brief look at the AmsiScanBuffer bypass technique. We found some circumstances where the bypass code would be identified as malicious before it could be executed (which turned out to be a simple string detection), and modified the code to circumvent this.

In this post, we’ll explore a delivery method to help stage a Cobalt Strike / Empire / <insert framework here> agent. As with Part 1, this is not about some 1337 code drop - it’s a demonstration of how I walked through engineering the final result.

So, let’s get cracking.


Continue reading

Author's picture

Rasta Mouse

Taylor Swift fan, wannabe Red Teamer & 1337 hax0r (in that order).

Penetration Tester

UK