Cobalt Strike Spawn & Tunnel

Cobalt Strike 4.2 introduced a new set of “spawn and tunnel” commands called spunnel and spunnel_local. Shortly after release, Raphael Mudge published a blog post entitled Core Impact and Cobalt Strike Interoperability, in which he details how these can be used to tunnel Core Impact’s agent through Beacon. The CS manual also says the commands

Bypass In-memory Integrity Checking

In the Memory Patching AMSI Bypass post, I discussed how to patch the AmsiScanBuffer function to prevent it from returning a positive result when scanning content. That process involved:

1. Finding the location of AmsiScanBuffer in memory.
2. Changing the memory permissions to RWX.
3. Copying the patched bytes across.
4. Restoring the memory region back to RX.

After

Memory Patching AMSI Bypass

This post is a replacement for my previous 4-part series. What is AMSI? The Antimalware Scan Interface is a set of Windows APIs that allows any application to integrate with an antivirus product (assuming that product acts as an AMSI provider). Windows Defender, naturally, acts as an AMSI provider as do many third-party AV solutions.