Tag Archive

• cobalt strike 4
• evasion 3
• injection 3
• python 3
• redteam 3
• pyramid 2
• BOF 1
• assembler 1
• backdoor 1
• coff 1
• module overloading 1
• module stomping 1
• process stomping 1
• reverse-engineering 1
• sRDI 1
• shellcode 1

cobalt strike

Mockingjay revisisted - Process stomping and loading beacon with sRDI

Executables with RWX sections can be abused using a variation of a Process Overwriting technique dubbed Process Stomping. Using (a modified) sRDI and leveraging the new features of Cobalt Strike 4.9 has been possible to load beacon in the RWX section itself without the need for a custom UDRL.

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Living-Off-the-Blindspot - Operating into EDRs’ blindspot

Running Cobalt Strike BOFs from Python

Back to Top ↑

evasion

Mockingjay revisisted - Process stomping and loading beacon with sRDI

Executables with RWX sections can be abused using a variation of a Process Overwriting technique dubbed Process Stomping. Using (a modified) sRDI and leveraging the new features of Cobalt Strike 4.9 has been possible to load beacon in the RWX section itself without the need for a custom UDRL.

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Living-Off-the-Blindspot - Operating into EDRs’ blindspot

Back to Top ↑

injection

Mockingjay revisisted - Process stomping and loading beacon with sRDI

Executables with RWX sections can be abused using a variation of a Process Overwriting technique dubbed Process Stomping. Using (a modified) sRDI and leveraging the new features of Cobalt Strike 4.9 has been possible to load beacon in the RWX section itself without the need for a custom UDRL.

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Running Cobalt Strike BOFs from Python

Back to Top ↑

python

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Living-Off-the-Blindspot - Operating into EDRs’ blindspot

Running Cobalt Strike BOFs from Python

Back to Top ↑

redteam

Mockingjay revisisted - Process stomping and loading beacon with sRDI

Executables with RWX sections can be abused using a variation of a Process Overwriting technique dubbed Process Stomping. Using (a modified) sRDI and leveraging the new features of Cobalt Strike 4.9 has been possible to load beacon in the RWX section itself without the need for a custom UDRL.

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Living-Off-the-Blindspot - Operating into EDRs’ blindspot

Back to Top ↑

pyramid

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Living-Off-the-Blindspot - Operating into EDRs’ blindspot

Back to Top ↑

BOF

Running Cobalt Strike BOFs from Python

Back to Top ↑

assembler

Repurposing a Linux Assembly backdoor caught in the wild

Back to Top ↑

backdoor

Repurposing a Linux Assembly backdoor caught in the wild

Back to Top ↑

coff

Running Cobalt Strike BOFs from Python

Back to Top ↑

module overloading

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Back to Top ↑

module stomping

Improving the stealthiness of memory injections techniques

A journey in improving Module Stomping and Module Overloading injection technique, ending up evading Moneta and PE-Sieve

Back to Top ↑

process stomping

Mockingjay revisisted - Process stomping and loading beacon with sRDI

Executables with RWX sections can be abused using a variation of a Process Overwriting technique dubbed Process Stomping. Using (a modified) sRDI and leveraging the new features of Cobalt Strike 4.9 has been possible to load beacon in the RWX section itself without the need for a custom UDRL.

Back to Top ↑

reverse-engineering

Repurposing a Linux Assembly backdoor caught in the wild

Back to Top ↑

sRDI

Mockingjay revisisted - Process stomping and loading beacon with sRDI

Executables with RWX sections can be abused using a variation of a Process Overwriting technique dubbed Process Stomping. Using (a modified) sRDI and leveraging the new features of Cobalt Strike 4.9 has been possible to load beacon in the RWX section itself without the need for a custom UDRL.

Back to Top ↑

shellcode

Running Cobalt Strike BOFs from Python

Back to Top ↑