AppLocker CLM Bypass via COM

Constrained Language Mode is a method of restricting Powershell's access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the Powershell runtime as a launchbed for post-exploitation tooling. Despite what Microsoft may claim, this feature is very much being used as a security control, providing defenders with the ability to stop tools such as "Invoke-Mimikatz" from executing due to the heavy reliance on reflection techniques . As I was getting... Read More »

macOS Research Outtakes - File Extensions

If you follow our research over on MDSec's blog, you will have seen a number of posts documenting macOS research we've recently completed. As RedTeamer's, we have a wealth of information available to us when it comes to attacking Windows endpoints, whether that be via a HTA, OLE, a macro office document or even simply binary hiding as a legitimate application, we are never short of options to gain access to a targets machine when phishing. The same unfortunately... Read More »

Endpoint Security Self-Protection on MacOS

In this post we will analyse BitDefender on MacOS, looking at some of the self-protection methods hooking MacOS. At the end of the post, we will have a bit of fun and show just how we can leverage this technology to hide our malware during an engagement.... Read More »

Escaping the Sandbox – Microsoft Office on MacOS

You’ve completed your recon, and found that your target is using MacOS… what next? With the increased popularity of MacOS in the enterprise, we are often finding that having phishing payloads targeting only Microsoft Windows endpoints is not enough during a typical engagement. With this in mind, I wanted to find an effective method of landing a stager on a MacOS system during a phishing campaign. In this walkthrough, I will show one possible way we can go about gaining a foothold by leveraging... Read More »

Prev Page | Next Page