Introduction Understanding user logon behavior is a powerful tool in red teaming and adversary simulations. By analyzing who logs into a system, when, from where, and how frequently, operators gain deep situational awareness that can inform stealthy movements, impersonation opportunities, and identify high-value targets. This post presents a PowerShell script built to extract and analyze […]
Profiling User Activity with EventLogs Read More »
Overview In this post, I am going to go over how to use WinRM to laterally move within an Active Directory network and to try and blend in with the noise. While WinRM does give you the ability to run remote commands, it may be limited in what it can access without pushing payloads to
Stealthy Lateral Movement Techniques with WinRM Read More »
Introduction A few weeks ago, there was a post on reddit asking for advice on how to get their AMSI bypass through Windows Defender without being detected. Recently, it has become much more difficult to build payloads that can evade detection. Microsoft has out a ton of effort into deploying good heuristic signatures to block
Bypassing AMSI and Evading AV Detection with SpecterInsight Read More »
Overview In this post, we will build an automated pipeline for generating a .NET loader payload that can evade both AV detection and application controls. The tools used in this post are: What is a Payload Pipeline A payload pipeline is an automated process for generating red team payloads that can evade detection by antivirus,
Building a RuntimeInstaller Payload Pipeline to Evade AV Detection Read More »
Introduction Recently, Microsoft has rolled out memory scanning signatures to detect manipulation of security critical userland APIs such as AMSI.dll::AmsiScanBuffer. You can read about the details on this post. For us red teamers, that means the era of overwriting or hooking that method to bypass the Anti-Malware Scan Interface (AMSI) incoming to an end. So
New AMSI Bypss Technique Modifying CLR.DLL in Memory Read More »
Introduction I’ve got a short post today based on some recent changes by Windows Defender. Over the weekend, I noticed that some of my unit tests began failing on code that had not been recently changed. Upon further investigation, I found that it was specifically related to the AMSI bypass through API call patching. This
Obfuscating API Patches to Bypass New Windows Defender Behavior Signatures Read More »
Overview During a recent engagement, I observed a lot of members of a particular organization authenticating with remote systems and services over the commandline with username and password in plaintext. This ranged from domain administrators using the net user command to create user accounts and updated passwords to database administrators managing their instances with commandline
Extracting Credentials From Windows Logs Read More »
Overview PowerShell profiles are scripts that automatically run when you start a PowerShell session. These profiles allow you to customize your PowerShell environment, set preferences, and execute specific commands or functions each time you launch PowerShell. There are different profiles for different scopes, enabling you to have different configurations for various scenarios. As an adversary,
How to Leverage PowerShell Profiles for Lateral Movement Read More »
Overview Ransomware is here to stay and cyber security professionals need to be trained to prevent, detect, respond, and recover from ransomeware attacks. So, how do we do that in an ethical and repeatable way? This post will walk through how SpecterInsight’s ransomware emulation capability works and give insight into the inner workings of a
How to Emulate a Ransomware Attack Read More »
Overview The primary tactic we will be exploring in this post is the use of proxies inside of a target network. There are a lot of different types of proxies for both offense and defense. This post will focus on Internal Proxies (MITRE 1090.001) which are a sub-technique of Proxy (MITRE 1090). We will cover
