We Need To Talk About MACL

If you've never heard of MACL on macOS, you're not alone. This obscure feature is a hidden part of macOS that underpins Apple's concept of User-Intent, a shift in focus for macOS privacy controls intended to stop endless prompts from interrupting the user. By now we all understand just how annoying these alerts can be to us attackers. Being able to operate on an endpoint without giving the game away is of course essential, and unfortunately staying under the radar on macOS is getting toughe...

macOS Injection via Third Party Frameworks

In this post, we are going to take a look at a couple of interesting methods of leveraging third-party technologies to achieve our code injection goals. For us, this translates to running code in the context of a target application without having to resort to disabling SIP...

Debugging into .NET

.NET for post-exploitation is here to stay. It has been bundled with most C2 frameworks, common tools have been ported, AMSI has been added (then bypassed), and new and clever ways have been found to launch unmanaged code. The process of loading a .NET assembly, however, appears to be pretty consistent. We know that tools like Cobalt Strike's execute-assembly have greatly increased the accessibility of loading a .NET assembly from memory, with most attackers using this in one way or another during...

Designing The Adversary Simulation Lab

In this post we will walk you through the technology used to create and deploy the ActiveBreach Adversary Simulation Lab, and look at the hurdles we jumped through to get things running smoothly.