All articles tagged as:

windows

Cisco AMP - Bypassing Self-Protection

Sometimes when you are in the middle of an engagement, you will come  across a hurdle which requires a quick bit of research, coding, and a  little bit of luck. This was the case with a recent engagement in which  we came across Cisco AMP, an endpoint protection technology which  provides analysis of processes, provides spawn chains, and exposed a  bunch of the other goodies you have come to expect from EDR products,  including our old friend…. self-protection. We’ve explored  self-protection techniques over a number of posts, often looking at just  how the technology can be bypassed on Window…

Read more »

AppLocker CLM Bypass via COM

Constrained Language Mode is a method of restricting Powershell's access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the Powershell runtime as a launchbed for post-exploitation tooling. Despite what Microsoft may claim, this feature is very much being used as a security control, providing defenders with the ability to stop tools such as "Invoke-Mimikatz" from executing due to the heavy reliance on reflection techniques . As I was getting ready to complete an engagement in an environment enforcing Constrained Language Mode, I wanted to tak…

Read more »

Exploring PowerShell AMSI and Logging Evasion

By now, many of us know that during an engagement, AMSI (Antimalware Scripting Interface) can be used to trip up PowerShell scripts in an operators arsenal. Attempt to IEX Invoke-Mimikatz without taking care of AMSI, and it could be game over for your undetected campaign.…

Read more »