Personal Research

  • In the previous blog we had a look at an AMSI bypass trick where we converted the following instructions [mov eax, 0x80070057; ret] into hex [0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3] and then passed this patch to the address of AmsiScanBuffer(). We used a script to do it for us. Obviously it was not that…

  • Introduction: When creating malware for adversary simulation, or even if you’re a malware researcher analyzing a sample, you may have come across this technique, where the malware dropper runs the actual malicious piece of code in memory. This skips the necessity of writing a file to disk, which can get…

  • CDB, or Console Debugger, is a tool used to debug Windows applications. CDB is part of the Windows Development Kit (WDK) or Standalone Development Kit (SDK) tool set. One can use CDB to do something simple like opening a dump file or something complex like debugging a user-mode process. For the sake of…

  • This is a small post about how one can exploit Eternal Blue without using Metasploit. Here, I have used Hack The Box Blue as an example. Requirements; Making changes to the code; Testing for code execution; Getting a reverse shell through code execution; Adding firewall bypass commands; Finally getting the shell. Now when you run…

  • During pentests it’s normal to encounter FTP servers, and there are various ways to pentest an FTP server. What we’re going to talk about here is what happens if the FTP server has FXP enabled, how you could use this to your advantage, and how to leverage it to scan a host in an internal…

  • During pentests, and mostly during red teaming assessments, operators might find themselves fighting and evading defenses most of the time. To make the lives of attackers, or even threat emulators, harder, companies are starting to take the concept of Defense in Depth (DiD) seriously; this approach, even if it can’t promise to be bulletproof, it…

  • If there’s anything an attacker loves, it is to get by stealthily. Penetrating a network isn’t as easy as it seems. You don’t just go on scanning ports and expect to poke at some of the open ports and get in. There are always defenses in place. We’ve got firewalls, IDS/IPS, proxies, web filters, UTMs, EDRs and…