Blog

Using RPC in BOFs

In previous blog posts, I detailed how a windows programmer can develop against RPC and solidified why I feel Beacon Object Files (BOFs) have become cemented as a usable technique for the time being. I will complete this mini-series by making the previous RPC POC code that we had into a BOF. Planning The first...

Disabling AV With Process Suspension

Every now and again, I see a crazy tweet that feels like it just can’t be true. Many of them are not true or are folks making overblown statements about something cool they found—this is part of the research game, and folks are entitled to be excited about what they are learning. Recently, however, I...

Data Retention Practices – A Brief Overview

Data retention practices can vary between companies based on compliance requirements, location, and types of data. Best practice dictates an organization should only retain data for only as long as it is useful, or to satisfy legal or regulatory requirements. Defining what is needed for an organization will ensure compliance with relevant legal statues and...

Situational Awareness BOFs for Script Kiddies

Introduction Thanks for the download on BOFs, but now, where can I actually download some BOFs? In my previous blog post, “BOFs for Script Kiddies,” I covered the basics of BOFs. I described what a BOF was (a Beacon Object File), when you would want to use a BOF (post-exploitation), and why you would want...

Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

Threat Overview Earlier this week, Microsoft released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. This exploit has caught the attention of a hacking group linked to Russian military intelligence that is using it to target European organizations. CVE-2023-23397 allows threat actors to steal NTLM credentials of...

Shells in Plain Sight – Storing Payloads in the Cloud

THIS POST WAS WRITTEN BY @NYXGEEK I stumbled upon an old side project the other day — it was a tool to get payloads through web content filters by hiding PowerShell in images on public sites. For example, this tweet from 2018 contains a bind shell encoded in the image, hosted by Twitter. While I don’t...