Feature Spotlight: The Zig Payload Pipelines

SpecterInsight’s Zig payload pipelines give you full cross-platform, native payload generation from a single server. Zig 0.16.0 is bundled as the compiler. It runs identically on Windows and Linux hosts and cross-compiles to any combination of OS (Windows, Linux, macOS) and architecture (x86, x86_64, aarch64) without any additional toolchain setup. Before the compiler sees a […]

Feature Spotlight: The Zig Payload Pipelines Read More »

Dumping LSASS Without Touching Disk: Improvements to ShadowDumper

While integrating LSASS dumping techniques into SpecterInsight’s dumper module, I used Offensive-Panda’s ShadowDumper as a reference point. That tool is great collection of LSASS dump techniques, but I also wanted to improve upon their research by addressing some of the issues that might result in detection by an EDR: The rest of this post walks

Dumping LSASS Without Touching Disk: Improvements to ShadowDumper Read More »

Profiling User Activity with EventLogs

Introduction Understanding user logon behavior is a powerful tool in red teaming and adversary simulations. By analyzing who logs into a system, when, from where, and how frequently, operators gain deep situational awareness that can inform stealthy movements, impersonation opportunities, and identify high-value targets. This post presents a PowerShell script built to extract and analyze

Profiling User Activity with EventLogs Read More »

Bypassing AMSI and Evading AV Detection with SpecterInsight

Introduction A few weeks ago, there was a post on reddit asking for advice on how to get their AMSI bypass through Windows Defender without being detected. Recently, it has become much more difficult to build payloads that can evade detection. Microsoft has out a ton of effort into deploying good heuristic signatures to block

Bypassing AMSI and Evading AV Detection with SpecterInsight Read More »

Building a RuntimeInstaller Payload Pipeline to Evade AV Detection

Overview In this post, we will build an automated pipeline for generating a .NET loader payload that can evade both AV detection and application controls. The tools used in this post are: What is a Payload Pipeline A payload pipeline is an automated process for generating red team payloads that can evade detection by antivirus,

Building a RuntimeInstaller Payload Pipeline to Evade AV Detection Read More »

New AMSI Bypss Technique Modifying CLR.DLL in Memory

Introduction Recently, Microsoft has rolled out memory scanning signatures to detect manipulation of security critical userland APIs such as AMSI.dll::AmsiScanBuffer. You can read about the details on this post. For us red teamers, that means the era of overwriting or hooking that method to bypass the Anti-Malware Scan Interface (AMSI) incoming to an end. So

New AMSI Bypss Technique Modifying CLR.DLL in Memory Read More »

Obfuscating API Patches to Bypass New Windows Defender Behavior Signatures

Introduction I’ve got a short post today based on some recent changes by Windows Defender. Over the weekend, I noticed that some of my unit tests began failing on code that had not been recently changed. Upon further investigation, I found that it was specifically related to the AMSI bypass through API call patching. This

Obfuscating API Patches to Bypass New Windows Defender Behavior Signatures Read More »

Extracting Credentials From Windows Logs

Overview During a recent engagement, I observed a lot of members of a particular organization authenticating with remote systems and services over the commandline with username and password in plaintext. This ranged from domain administrators using the net user command to create user accounts and updated passwords to database administrators managing their instances with commandline

Extracting Credentials From Windows Logs Read More »

Scroll to Top