In Cobalt Strike, blockdlls was introduced to allow protection of spawned processes from non-Microsoft signed DLL's. In this post I will show just how this works, and look at an additional process security option which could help us to deter endpoint security products.... Read More »
In Cobalt Strike 3.13, the argue command was introduced as a way of taking advantage of argument spoofing. I was first made aware of the concept while watching Will Burgess's awesome talk RedTeaming in the EDR Age [https://www.youtube.com/watch?v=l8nkXCOYQC4], with Will crediting Casey Smith who presented the idea during a series of tweets. As with anything introduced to Cobalt Strike which has the chance to improve operational security, I wanted to dig into the concept further to see just how ... Read More »