How to Argue like Cobalt Strike

In Cobalt Strike 3.13, the argue command was introduced as a way of taking advantage of argument spoofing. I was first made aware of the concept while watching Will Burgess's awesome talk RedTeaming in the EDR Age [https://www.youtube.com/watch?v=l8nkXCOYQC4], with Will crediting Casey Smith who presented the idea during a series of tweets. As with anything introduced to Cobalt Strike which has the chance to improve operational security, I wanted to dig into the concept further to see just how ... Read More »

ActiveBreach, powered by Ethereum Blockchain

I’m not actually sure when the abstraction of Blockchain started or when it became such a marketing buzzword, but with so many things claiming to be “Powered by The Blockchain”, I wanted to dig into the technology to understand if there was any benefit to be had by an aggressor.... Read More »

Cisco AMP - Bypassing Self-Protection

Sometimes when you are in the middle of an engagement, you will come  across a hurdle which requires a quick bit of research, coding, and a  little bit of luck. This was the case with a recent engagement in which  we came across Cisco AMP, an endpoint protection technology which  provides analysis of processes, provides spawn chains, and exposed a  bunch of the other goodies you have come to expect from EDR products,  including our old friend…. self-protection. We’ve explored  self-protection t... Read More »

AppLocker CLM Bypass via COM

Constrained Language Mode is a method of restricting Powershell's access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the Powershell runtime as a launchbed for post-exploitation tooling. Despite what Microsoft may claim, this feature is very much being used as a security control, providing defenders with the ability to stop tools such as "Invoke-Mimikatz" from executing due to the heavy reliance on reflection techniques . As I was getting ... Read More »