Personal Research

  • For better readability please visit my Github and read it from there. SSH (Secure Shell) has long been the de facto standard for secure remote access to UNIX-based systems. Traditionally, SSH relies on key-based authentication, where a user’s Public Key is stored on the server, and the corresponding Private Key is held by the user. When the…

  • For better readability please visit my Github and read it from there. Attack Note: This technique is only relevant to Cloud Function 1st-Gen. With Cloud Function 2nd-Gen this is not possible. Cloud Functions are a prime target for Privilege Escalation, as is evident from past research, “Privilege Escalation via Cloud Functions“. One way to detect Cloud Function abuse was…

  • For better readability please visit my Github and read it from there. Attack Phase I – Ways to Deploy a Cloud Function in GCP There are three ways to deploy a Cloud Function in GCP: Reason not to use Cloud Console: While Cloud Console may seem user-friendly for creating resources in GCP, we won’t be…

  • Introduction In the second installment of the tradecraft improvement series we will discuss a very common technique used when running or injecting shellcode in memory. Most of the time, when we directly inject shellcode into the memory of the current process or a remote process, it shows up as an unbacked memory region. That means there is no…

  • Introduction Sometimes there are a few steps that we would want to take in order to improve our tradecraft. We might want to make our PE files more difficult to detect or more difficult to create signatures for. For this reason, I wanted to start a blog series on this particular topic of improving tradecraft. In this…

  • Pre-requisites To fully understand this topic, one needs to have some knowledge about the following concepts: Introduction Recently, while going through some malware evasion techniques, I came across a very new and uncommon technique called Perun’s Fart, in a blog by Sektor7. This is a novel technique which primarily focuses on retrieving a fresh, unhooked copy of ntdll.dll. This is…

  • Overview This blog is about my solutions to the challenge from session 2 of the 3-machine session of the Auror Project by Sudarshan Pisupati. The challenge is about detecting changes to Active Directory Security Groups and to Domain and Local Admins. The challenge overview is given as follows: The use cases are as follows:…

  • Pre-requisites The following are some prerequisites that will help you enjoy this blog even more Introduction A few months back, I came to know about a PE image tampering method called Process Ghosting. It is very similar to Process Doppelgänging and Process Herpaderping. The difference is that in the case of Process Doppelgänging, the PE…

  • Pre-requisites Here is some prerequisite knowledge that might help you understand the blog even more: Introduction This blog is about how I was able to recreate the EarlyBird UserAPC process injection technique with DInvoke. There is also a POC version of this technique on my repository: EarlyBird It is a very simple code execution…

  • DLL Proxying is a technique which can be thought of like an enterprise proxy server. The difference lies in the fact that the proxy server is the Malicious DLL. When a specific application calls a particular function, the call first passes through the Malicious DLL, which then forwards it to the Original DLL. This way…