Rasta Mouse Cheesy Rumbles
Blog / February 21, 2022 / Rasta Mouse
In Command & Control (C2) parlance, there are two main types of implant: egress and (peer-to-peer) P2P. An egress implant will talk directly to attacker-controlled infrastructure over a protocol such as HTTP. A P2P implant does not talk directly to an attacker, but has their communications (SMB, TCP, or whatever) relayed through one or more
Blog / December 27, 2021 / Rasta Mouse
In the previous blog post, we looked at how to enumerate and duplicate open process handles in C#. The use case that was outlined involved stealing a handle to LSASS, as this is potentially more OPSEC safe (from AV and EDRs) than obtaining a handle directly. This post will demonstrate how to use such a
Blog / November 27, 2021 / Rasta Mouse
Introduction Applications can open and maintain handles to Windows objects such as access tokens, processes, threads, files, named pipes and more. As a local admin (or with SeDebug privs), it’s possible to enumerate open handles across the entire OS and duplicate them for our own use. This is particularly useful when you want to obtain
Blog / November 12, 2021 / Rasta Mouse
Introduction This post will walk through how I created a library which implements Cobalt Strike’s External C2 Specification, introduces the ExternalC2.NET NuGet packages, and demonstrates how to use them in a custom third-party controller and client. External C2 Cobalt Strike has the ability to accept third-party command & control, allowing operators to go far beyond
Blog / November 1, 2021 / Rasta Mouse
This post will introduce a few new (related) projects that I’ve started to work on. Let’s start with my D/Invoke fork. The aim of this fork is to provide D/Invoke in a more minimalist form. It only contains the core DynamicInvoke and ManualMap functionality, without all the additional helper methods, delegates, structs or enums. This
Blog / October 4, 2021 / Rasta Mouse
Placing backdoors in legitimate applications is a good way to achieve persistence, data exfiltration, and if circumstances allow, privilege escalation. Backdooring .NET assemblies is surprisingly easy using an editor such as dnSpy. This post will run through a simplistic scenario where we backdoor a DLL used by a Blazor Server App. I thought this was
Blog / September 6, 2021 / Rasta Mouse
I’m sure the subject of combining D/Invoke with GadgetToJScript has been written about multiple times; but I wanted to throw my hat into the ring with this post. For those who don’t already know, D/Invoke provides (among other things) a means for dynamically invoking unmanaged APIs without using P/Invoke. GadgetToJScript is a spiritual successor to
Blog / August 17, 2021 / Rasta Mouse
Disclaimer: I didn’t come up with any of the methods or techniques described in this post. I merely glued other people’s work together – like Sharknado and Final Fantasy VIII’s Gunblade, only better. The premise of this post is to better conceal reflection and Assembly.Load() tradecraft in .NET Framework implants. Let’s first have a primer
Blog / July 29, 2021 / Rasta Mouse
NTLM relaying is a popular attack strategy during a penetration test and is really trivial to perform. Just roll up at the client site, plug your laptop into the LAN, fire up responder and ntlmrelayx, and away you go. The majority of opportunistic relays come when a user or a machine tries to access an
Blog / July 5, 2021 / Rasta Mouse
In Part 1, we reviewed the very simple VirtualAllocEx/WriteProcessMemory/CreateRemoteThread injection pattern. The two major OPSEC concern(s) that it had was both an RX memory region and an executing thread that were not backed by a module on disk. In this part, we’ll fix the “thread” issue by replacing the use of CreateRemoteThread with QueueUserAPC. The