Analysing RPC With Ghidra and Neo4j

Hunting for new lateral movement techniques or interesting ways to execute code can be a nice way to sink some free time. With Windows spawning numerous RPC services on boot, finding unusual execution techniques is sometimes as simple as scratching just below the surface. And often the payoff far outweighs the time to discovery, with SOC or EDR vendors focusing on the more common published techniques, identifying a new way to introduce code execution on a host can throw a spanner in the works of... Read More »

Cisco AMP - Bypassing Self-Protection

Sometimes when you are in the middle of an engagement, you will come  across a hurdle which requires a quick bit of research, coding, and a  little bit of luck. This was the case with a recent engagement in which  we came across Cisco AMP, an endpoint protection technology which  provides analysis of processes, provides spawn chains, and exposed a  bunch of the other goodies you have come to expect from EDR products,  including our old friend…. self-protection. We’ve explored  self-protection t... Read More »

Endpoint Security Self-Protection on MacOS

In this post we will analyse BitDefender on MacOS, looking at some of the self-protection methods hooking MacOS. At the end of the post, we will have a bit of fun and show just how we can leverage this technology to hide our malware during an engagement.... Read More »

Windows Anti-Debug techniques - OpenProcess filtering

This week I took a break from SYSTEM chasing to review some anti-debugging techniques. With quite a few Bug Bounty programs available relying on client-side applications, I thought I'd share one of the techniques used by numerous security products (and apparently game anti-cheat engines) to stop you from debugging core components, and just how we can go about bypassing this. Obviously it goes without saying, but the technique shown in this post is not a vulnerability, if an attacker has this le... Read More »