In Part 1, we had a brief look at the AmsiScanBuffer bypass technique. We found some circumstances where the bypass code would be identified as malicious before it could be executed (which turned out to be a simple string detection), and modified the code to circumvent this.

In this post, we’ll explore a delivery method to help stage a Cobalt Strike / Empire / <insert framework here> agent. As with Part 1, this is not about some 1337 code drop - it’s a demonstration of how I walked through engineering the final result.

So, let’s get cracking.


Continue reading

Very quick post to explore some different ways to enumerate the AppLocker configuration being applied to a host, both remotely and locally. Understanding these rules, particularly deny rules, are useful for engineering bypasses.


Continue reading

RDPClip

This is just a quick post to demonstrate some interesting aspects of the Remote Desktop Clipboard Monitor.


Continue reading

Author's picture

Rasta Mouse

Taylor Swift fan, wannabe Red Teamer & 1337 hax0r (in that order).

Penetration Tester

UK