πŸ”’
❌
There are new articles available, click to refresh the page.
βœ‡XPN InfoSec Blog

Exploring SCCM by Unobfuscating Network Access Accounts

β€”
In this post we'll explore just how SCCM uses its HTTP API to initialise a client, take a look at how Network Access Accounts are retrieved from SCCM, and see how we can decrypt these credentials without having to go anywhere near DPAPI.

βœ‡XPN InfoSec Blog

g_CiOptions in a Virtualized World

β€”
With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced with an attacker set on escaping to Ring-0.

βœ‡XPN InfoSec Blog

NTLMquic

β€”
In this post, we'll dig into just how SMB over QUIC works, answer some of the immediate questions around which attacks are feasible, and show how we can repurpose some existing tooling to capture NTLM handshakes.

βœ‡XPN InfoSec Blog

Object Overloading

β€”
In this post we are going to look at one such technique that I thought was cool while playing around with the Windows Object Manager, and which should allow us to load an arbitrary DLL of our creation into a Windows process during initial execution, something that I've been calling "Object Overloading" for reasons which will hopefully become apparent in this post.

βœ‡XPN InfoSec Blog

Weird Ways to Run Unmanaged Code in .NET

β€”
Recently I've been looking at the .NET CLR internals and wanted to understand what further techniques may be available for executing unmanaged code from the managed runtime. This post contains a snipped of some of the weird techniques that I found.

βœ‡XPN InfoSec Blog

Azure Application Proxy C2

β€”
In this post, we are going to look at the Application Proxy protocol, how it works, and show how we can recreate enough functionality to allow us to create a custom inbound proxy into a client environment for our C2 traffic.

βœ‡XPN InfoSec Blog

Tailoring Cobalt Strike on Target

β€”
We've all been there, you've completed your initial recon, sent in your emails to gather those leaked HTTP headers, spent an age configuring your malleable profile to be just right, set up your CDNs and spun up your redirectors. Then it's time, you send in your email aaaaaand... nothing.

βœ‡XPN InfoSec Blog

Bring Your Own VM - Mac Edition

β€”
For a while I've wanted to explore the concept of leveraging a virtual machine on target during an engagement. The thought of having implant logic self-contained and running under a different OS to the base seems pretty interesting. But more so, I've been curious as to just how far traditional AV and EDR can go to detect malicious activity when running from a different virtual environment. While this is a nice idea, the issues with creating this type of malware are obvious, with increased comple...

βœ‡XPN InfoSec Blog

The .NET Export Portal

β€”
While working on some tooling recently I revisited the topic of .NET unmanaged exports and wanted to know just why this works in the way that it does. After all, by now we've all seen the COM calls required to spin up the CLR, so what makes unmanaged exports so special?

  • There are no more articles
❌