Dotnettojscript

AmsiScanBuffer Bypass - Part 3

Nov 11, 2018

In Part 2, we engineered a delivery method for the AmsiScanBuffer Bypass discussed in Part 1. In this post, we’ll make some modifications to the bypass itself.

AmsiScanBuffer Bypass - Part 2

Oct 10, 2018

In Part 1, we had a brief look at the AmsiScanBuffer bypass technique. We found some circumstances where the bypass code would be identified as malicious before it could be executed (which turned out to be a simple string detection), and modified the code to circumvent this.

In this post, we’ll explore a delivery method to help stage a Cobalt Strike / Empire / <insert framework here> agent. As with Part 1, this is not about some 1337 code drop - it’s a demonstration of how I walked through engineering the final result.

So, let’s get cracking.

Persistence, noun, the continued or prolonged existence of something.

LAPS - Part 2

Mar 3, 2018

In Part 1 we explored how one could go about discovering and mapping the LAPS configuration in a domain. In this part, we’ll look at various ways LAPS can be abused for persistence purposes.

CSharp, DotNetToJScript, XSL

Rasta Mouse

CSharp, DotNetToJScript, XSL

Rasta Mouse

AmsiScanBuffer Bypass - Part 3

AmsiScanBuffer Bypass - Part 2

AmsiScanBuffer Bypass - Part 1

A Lesson in .NET Framework Versions

Enumerating AppLocker Config

RDPClip

CSharp, DotNetToJScript, XSL

Review: Active Directory Attacks for Red and Blue Teams

A View of Persistence

LAPS - Part 2