In this post, we are going to take a look at a couple of interesting methods of leveraging third-party technologies to achieve our code injection goals. For us, this translates to running code in the context of a target application without having to resort to disabling SIP.... Read More »
.NET for post-exploitation is here to stay. It has been bundled with most C2 frameworks, common tools have been ported, AMSI has been added (then bypassed) and new and clever ways have been found to launch unmanaged code. The process of loading a .NET assembly however appears to be pretty consistent. We know that tools like Cobalt Strike's execute-assembly have greatly increased the accessibility of loading a .NET assembly from memory, with most attackers using this in one way or another during... Read More »
It turns out that there is a method of disabling ETW in .NET, strangely exposed by setting an environment variable of COMPlus_ETWEnabled=0. This post explores how this works.... Read More »
In this post we will walk you through the technology used to create and deploy the ActiveBreach Adversary Simulation Lab, and look at the hurdles we jumped through to get things running smoothly.... Read More »
In this post we will focus on Event Threading for Windows (ETW), how it is used to surface events on .NET assemblies, and how we can evade this kind of detection.... Read More »