Sometimes when you are in the middle of an engagement, you will come across a hurdle which requires a quick bit of research, coding, and a little bit of luck. This was the case with a recent engagement in which we came across Cisco AMP, an endpoint protection technology which provides analysis of processes, provides spawn chains, and exposed a bunch of the other goodies you have come to expect from EDR products, including our old friend…. self-protection.We’ve explored self-protection techniques over a number of posts, often looking at just how the technology can be bypassed on Windows…
Constrained Language Mode is a method of restricting Powershell's access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the Powershell runtime as a launchbed for post-exploitation tooling.Despite what Microsoft may claim, this feature is very much being used as a security control, providing defenders with the ability to stop tools such as "Invoke-Mimikatz" from executing due to the heavy reliance on reflection techniques . As I was getting ready to complete an engagement in an environment enforcing Constrained Language Mode, I wanted to take…
If you follow our research over on MDSec's blog, you will have seen a number of posts documenting macOS research we've recently completed. As RedTeamer's, we have a wealth of information available to us when it comes to attacking Windows endpoints, whether that be via a HTA, OLE, a macro office document or even simply binary hiding as a legitimate application, we are never short of options to gain access to a targets machine when phishing. The same unfortunately can't be said for macOS systems. If we take a look around, there are few posts or teardowns that show viable techniques we can use wh…
As presented in our previous post exploring AV self-protection, the ability for an attacker to hide or protect software by leveraging protection features has become extremely interesting to me. With this in mind, I wanted to look at just how SIP bypasses were performed... enter VirtualBox.…
In this post we will analyse BitDefender on MacOS, looking at some of the self-protection methods hooking MacOS. At the end of the post, we will have a bit of fun and show just how we can leverage this technology to hide our malware during an engagement.…
