Not Your Grandfather’s Empire I’ve wanted to put this blog together since returning home from DEFCON. Anytime we ran into someone who recognized our swag, they mentioned how much they loved Empire back in the day and didn’t realize it was being actively maintained. This made me reflect on all [...]
Note: All code samples shown in the post can be found in our repo here In recent years, PowerShell tradecraft has seen a drop in popularity among pentesters, red teams, and to some extent APTs. There are several reasons for this, but at the core, it was the introduction of ...
Recently, while discussing cyber risk management with a customer, they made the observation that there is a lot of training for top-level risk management in the shape of things like CISSP that focuses on building policy. There is also a lot of training on technical details, but there isn’t much ...
Reporting is, by nature, only the threat actors that have been caught. What about all the ones that didn’t get caught? There is no way to examine that and It comes down to the fact that we don’t know what they did and therein lies the problem for threat emulation.
NOTE: Some of the topics in this article are probably going to be a bit contentious, but part of the hope in publishing this article is to drive some additional discussion within the offensive security community Ransomware has become one of the most prevalent threats that companies face today. It ...
Unless you have been living under an infosec rock the past couple of weeks, you probably heard about the Follina exploit, which allows attackers to achieve remote code execution via ms-msdt. We will get to some more specifics about exactly how Follina works in a minute, but I want to ...
VBA tradecraft is constantly evolving and this past winter, I came across some articles from Adepts of 0xCC. Specifically, their article Hacking in an Epistolary Way: Implementing Kerberoast in Pure VBA caught my attention and I wanted to try and see if it would be possible to create a pure ...
While giving our talk at the DEF CON Red Team Village a couple of weeks ago, I previewed a PowerShell ScriptBlock logging obfuscation technique. I have been working on it (and a few other techniques) for a while and decided to write a short blog about it. But as I ...
This entry will focus on the obfuscation of the PowerShell Script in the ScriptBlock log and Transcription log. First, there will be a little more discussion on a module log bypass technique because we can also use it to create some obfuscation!
You may remember the good ole days where you can connect to pretty much any mail server (like Gmail) with telnet and spoof emails to your friends from whoever you want. Back then, I never realized that you could actually send attachments directly through the telnet connection. It’s not super ...
