Dotnettojscript

GPO Abuse - Part 2

Jan 1, 2019

Before we can really dive into modifying GPOs, we need to try and understand some of the intricacies of how they’re updated normally in GPMC and AD. Because believe me, it aint as simple as it appears.

GPO Abuse - Part 1

Jan 1, 2019

Group Policy Objects (GPOs) is a subject I’ve wanted to write about for a long time and I’m happy to have finally started.

AmsiScanBuffer Bypass - Part 4

Dec 12, 2018

As 2018 rapidly comes to an end, I thought I’d close out the year by clearing up some confusions over this AmsiScanBuffer bypass and why it appears to fail under some circumstances.

AmsiScanBuffer Bypass - Part 3

Nov 11, 2018

In Part 2, we engineered a delivery method for the AmsiScanBuffer Bypass discussed in Part 1. In this post, we’ll make some modifications to the bypass itself.

AmsiScanBuffer Bypass - Part 2

Oct 10, 2018

In Part 1, we had a brief look at the AmsiScanBuffer bypass technique. We found some circumstances where the bypass code would be identified as malicious before it could be executed (which turned out to be a simple string detection), and modified the code to circumvent this.

In this post, we’ll explore a delivery method to help stage a Cobalt Strike / Empire / <insert framework here> agent. As with Part 1, this is not about some 1337 code drop - it’s a demonstration of how I walked through engineering the final result.

So, let’s get cracking.

AmsiScanBuffer Bypass - Part 1

Oct 10, 2018

Andre Marques recently posted a pretty nice write-up for circumventing AMSI, based on previous work by CyberArk.

A Lesson in .NET Framework Versions

Sep 9, 2018

With the emergence of more C# and .NET tooling, I occasionally see people tripping up over this. It’s not a huge issue, just something to be aware of.

Enumerating AppLocker Config

Sep 9, 2018

Very quick post to explore some different ways to enumerate the AppLocker configuration being applied to a host, both remotely and locally. Understanding these rules, particularly deny rules, are useful for engineering bypasses.

RDPClip

Jun 6, 2018

This is just a quick post to demonstrate some interesting aspects of the Remote Desktop Clipboard Monitor.

CSharp, DotNetToJScript, XSL

May 5, 2018

In April 2018, Casey Smith published a finding he dubbed squiblytwo, which detailed how WMIC can be used to invoke arbitary code contained in the extensible stylesheet language (XSL) format.

CSharp, DotNetToJScript, XSL

Rasta Mouse

GPO Abuse - Part 2

GPO Abuse - Part 1

AmsiScanBuffer Bypass - Part 4

AmsiScanBuffer Bypass - Part 3

AmsiScanBuffer Bypass - Part 2

AmsiScanBuffer Bypass - Part 1

A Lesson in .NET Framework Versions

Enumerating AppLocker Config

RDPClip

CSharp, DotNetToJScript, XSL