By Adam Rose Recently, I was troubleshooting some Cobalt Strike C2 infrastructure in a Windows VM lab. To get a deeper understanding of the bugs I

In the previous PersistAssist post, we looked at how to create a new persistence module to automate backdooring a PSProfile at a user level. In this

IntroductionIn a previous article Maldoc Transfers in the Google Cloud, I wrote about using a Google Cloud Provider serverless function to serve malicious documents from a

IntroductionTwo years ago I decided I wanted to be a penetration tester. Judging by the hundreds of posts I see on subreddits and Discord servers, this

On a recent red team engagement, we faced the challenge of serving a backdoored Excel document as part of a social engineering campaign against an environment

We've been on penetration tests before and have found the need to find a system that doesn't have a user currently logged in. Why, you might

Persistence is a vital aspect of a pentest or red team and ensures you don't lose your access after you've worked so hard to get it.

On a penetration test, we were performing for a customer, an odd scenario popped up, which caused us to write some code. We found an account

tl;dr: Quickly and easily convert your raw binary output from Cobalt Strike (or any other source) into a variety of shellcode formats with either script

tl;dr: Python script that automates removing comments and newlines from PowerShell scripts https://github.com/FortyNorthSecurity/RandomScripts/blob/main/Cobalt Scripts/remove_comments.py It's

tl;dr If you want an updated and working copy of httpsc2doneright, grab it here - https://github.com/FortyNorthSecurity/RandomScripts/blob/main/Cobalt Scripts/httpsc2doneright.

Are you ready for further C2Concealer customization? Let's dive in.

Check out our repo which has multiple F# injection routines, evasion techniques, and an unmanaged F# loader.

Before we begin, I know, yet another "guide to creating a hash cracker in [insert popular cloud service here]". Well, I was on a

PowerView is by and far the defacto domain enumeration tool. We still use it on assessments and will likely do so where appropriate in the future.

This is the last part in the three part series on CIMplant. If you haven't seen the previous two, you can find them here: CIMplant Part

Penetration testing and other offensive cybersecurity assessments form an important component of most enterprise information security programs; indeed, many cybersecurity frameworks, such as PCI, require the

In the second part of our CIMplant series we'll take a deeper dive into the code of CIMplant and go over some of the more interesting

Introduction Windows Management Instrumentation (WMI) has been around for several years as a way to gather information from and manage remote or local computers. WMImplant written

Domain fronting has been around for some time now. It has its legitimate use cases for bypassing censorship along with use by pen testers, red teams,