Last year I posted a few tricks to help when targeting MacOS users, and included a technique useful for spoofing file extensions with the aim of taking advantage of Finder's removal of the .app extension from certain filenames.... Read More »
In Cobalt Strike, blockdlls was introduced to allow protection of spawned processes from non-Microsoft signed DLL's. In this post I will show just how this works, and look at an additional process security option which could help us to deter endpoint security products.... Read More »
Encountering Apple devices during RedTeam engagements is becoming increasingly common, so it's useful to have a few techniques available when navigating around whatever privacy or security changes are introduced with each version of MacOS. When MacOS Mojave rolled out at the end of 2018, a set of privacy restrictions were introduced to alert a user when an application requested access to sensitive data, such as the camera, microphone, address book, calendar etc.. And as (more often than not) o... Read More »
In this blog post we will look at a somewhat familiar, but extremely limited window of opportunity which may come in handy when reviewing a fresh Active Directory forest deployment.... Read More »
Hunting for new lateral movement techniques or interesting ways to execute code can be a nice way to sink some free time. With Windows spawning numerous RPC services on boot, finding unusual execution techniques is sometimes as simple as scratching just below the surface. And often the payoff far outweighs the time to discovery, with SOC or EDR vendors focusing on the more common published techniques, identifying a new way to introduce code execution on a host can throw a spanner in the works of... Read More »