When I need to bypass AMSI, I tend to use RastaMouse's AmsiScanBufferBypass. RastaMouse has a few blog posts that cover how it works. The basics of it are this: Load amsi.dll, then patch the AmsiScanBuffer() function so that it always returns AMSI_RESULT_CLEAN. This allows for your nasty payloads to execute without AMSI ruining your day.…
All posts in redteam
DLL Search Order Hijacking with vmms.exe / Hyper-V
In one of my darker moments, I decided to install Hyper-V on my Windows 10 desktop. While looking into other issues on my system, I noticed that during system startup vmms.exe, which is related to Hyper-V, was looking for a DLL in a directory I had added to my path. To test out if this…
Unprivileged Zoom Persistence Part 2 – COM Hijacking
In a previous post I discussed how to do user persistence with the Zoom client by abusing its folder permissions to drop a DLL and patching the Zoom.exe binary. Zoom fixed the issue of dropping an arbitrary DLL to be loaded by Zoom by adding a check for loaded DLLs, and patching the binary is…
Covenant C2 Infrastructure with Azure Domain Fronting
In a previous post I discussed how to set up basic redirectors with Covenant C2. In this post, I hope to show you how to use domain fronting through an Azure CDN for your C2 traffic. A lot of this is based on another post I read from ar-infosec that you can find here. What is Domain…
Unprivileged User Persistence with Zoom
*** UPDATE: It looks like the most recent version of Zoom has fixed the issue of loading an unsigned DllSafeCheck.dll. This persistence technique no longer works. Thank you to @LadhaAleem for bringing this to my attention. See the Patching Zoom.exe section for details on how this can be bypassed. Zoom has been in security news…
DLL Side-loading and Zero-width Spaces
My previous post discussed using appverif.exe and DLL side-loading to execute a payload on a system. The advantage of using a legitimate Microsoft signed binary such as appverif.exe to load and execute your DLL was to bypass anti-virus and application whitelisting. One drawback to this technique is that you are executing appverif.exe outside of its…
DLL Side-loading Appverif.exe
A couple of weeks ago, FireEye published a blog called “Abusing DLL Misconfigurations.” The gist of the blog post is that when an application is executed, it will try and load DLLs for whatever functionality it needs. If the Windows Side-by-side manifest for the application does not have the explicit full path of the DLL,…
Unconstrained Delegation
One of the weaknesses that I configured in my lab environment was “Unconstrained Delegation.” Systems in an Active Directory (AD) environment can be configured for unconstrained delegation. This means that a system can “delegate”, or impersonate users that authenticate to it. Normally, when a user authenticates to a service running on a system, the user…
Kerberoasting
This post will demonstrate how to perform a “Kerberoasting” attack in an Active Directory (AD) environment. In a previous post, I detailed how to create an AD lab in AWS and how to configure a user with a Service Principal Name (SPN) that will allow for the Kerberoasting attack. Background Information Kerberoasting is an attack…
Covenant C2 Infrastructure with Redirectors
In my previous post, I wrote about getting started with Covenant C2. In that post the infrastructure I set up for the C2 communications was very simple: The C2 agents connected directly to the C2 server over a private subnet. This works for a lab environment, but for a real-world red team engagement having your C2…