New AMSI Bypss Technique Modifying CLR.DLL in Memory

Introduction Recently, Microsoft has rolled out memory scanning signatures to detect manipulation of security critical userland APIs such as AMSI.dll::AmsiScanBuffer. You can read about the details on this post. For us red teamers, that means the era of overwriting or hooking that method to bypass the Anti-Malware Scan Interface (AMSI) incoming to an end. So

New AMSI Bypss Technique Modifying CLR.DLL in Memory Read More »

Obfuscating API Patches to Bypass New Windows Defender Behavior Signatures

Introduction I’ve got a short post today based on some recent changes by Windows Defender. Over the weekend, I noticed that some of my unit tests began failing on code that had not been recently changed. Upon further investigation, I found that it was specifically related to the AMSI bypass through API call patching. This

Obfuscating API Patches to Bypass New Windows Defender Behavior Signatures Read More »

Extracting Credentials From Windows Logs

Overview During a recent engagement, I observed a lot of members of a particular organization authenticating with remote systems and services over the commandline with username and password in plaintext. This ranged from domain administrators using the net user command to create user accounts and updated passwords to database administrators managing their instances with commandline

Extracting Credentials From Windows Logs Read More »

How to Leverage PowerShell Profiles for Lateral Movement

Overview PowerShell profiles are scripts that automatically run when you start a PowerShell session. These profiles allow you to customize your PowerShell environment, set preferences, and execute specific commands or functions each time you launch PowerShell. There are different profiles for different scopes, enabling you to have different configurations for various scenarios. As an adversary,

How to Leverage PowerShell Profiles for Lateral Movement Read More »

How to Emulate a Ransomware Attack

Overview Ransomware is here to stay and cyber security professionals need to be trained to prevent, detect, respond, and recover from ransomeware attacks. So, how do we do that in an ethical and repeatable way? This post will walk through how SpecterInsight’s ransomware emulation capability works and give insight into the inner workings of a

How to Emulate a Ransomware Attack Read More »

How to Leverage Internal Proxies for Lateral Movement, Firewall Evasion, and Trust Exploitation

Overview The primary tactic we will be exploring in this post is the use of proxies inside of a target network. There are a lot of different types of proxies for both offense and defense. This post will focus on Internal Proxies (MITRE 1090.001) which are a sub-technique of Proxy (MITRE 1090). We will cover

How to Leverage Internal Proxies for Lateral Movement, Firewall Evasion, and Trust Exploitation Read More »

Credential Harvesting with PowerShell and SpecterInsight

Overview Credential harvesting, also known as credential theft or credential stealing, refers to the collection sensitive authentication information from individuals or systems. The goal of credential harvesting is to obtain usernames, passwords, or other authentication tokens that allow access to protected resources. This post will cover a variety of different credential harvesting techniques, how to

Credential Harvesting with PowerShell and SpecterInsight Read More »

Persistence with WMI Event Subscription and PowerShell Cradles

Overview In this post, we are going to demonstrate how to build a script to automate persistence lay down via WMI Event Subscription and dynamically generated PowerShell payloads. By the end, we will have a single parameterized script that can be leveraged to establish signature resistant persistence, thus alleviating much of the tedious manual work

Persistence with WMI Event Subscription and PowerShell Cradles Read More »

Scroll to Top