Remotely Searching for Sensitive Files

When on an assessment, one of the steps that a red teamer, or pen tester, might take is to search for files containing sensitive data. The

How to Port Microsoft.Workflow.Compiler.exe Loader to Veil

Immediately after reading Matt Graeber’s blog post on Microsoft.Workflow.Compiler.exe, I wanted to dive into this technique and understand how I can use this

Remotely Modify Anti-Virus Configurations

Last week, we covered how to enumerate anti-virus configurations on remote systems. The information that you could gather would allow you to create a much more

Remotely Enumerate Anti-Virus Configurations

There are a variety of reasons why a pen tester would want to obtain the anti-virus configurations of the system they are targeting. The ability to

WMI & PowerShell: An Introduction to Copying Files

WMI (Windows Management Instrumentation) is a service that is installed and enabled by default since Windows 2000. It provides administrators the ability to perform a large

Mass PowerShell and WMImplant to Get Process Output

When developing WMImplant, I wanted to ensure I would have some of the same capabilities on a Device Guard (now Windows Defender Application Control) protected system

Cyber Security for Title and Real Estate Companies

I recently met with the owner of a large real estate brokerage to discuss the scope and value of offensive security services. It was a great

Updating an Existing Windows Defender Application Control Policy

In our first blog post on Windows Defender Application Control (WDAC), we created a code integrity policy that was built by scanning a gold imaged system

Explaining Veil Payloads and Invoking Veil-Ordnance

In order to effectively use cyber security tools we need to know, in detail, how they work. Only then are we able to leverage them to

Building a Windows Defender Application Control Lab

Despite an abundance of “building your own lab” articles available online, there really is only one collection of articles that document Windows Defender Application Control (Device

WMImplant - Out of the Box Detection Opportunities

WMImplant can be used to compromise Windows systems within a domain in an agent-less manner. However, every tool that exists also provides opportunities to detect their

Vulnerability Scans, Pen Testing, and Red Teaming

When it comes to searching for different offensive security services, you may find that each company has a different definition of a vulnerability assessment, penetration test,

An Introduction to WMImplant Post-Exploitation

Up to this point in time, I’ve explained in previous talks how WMImplant can be useful when attempting to operate on Device Guard protected systems.

Egress-Assess Malware Modules

For a month or two now, Steve Borosh (@424f424f) and I have been working on adding a new type of modules into Egress-Assess. As of November

Golden Tickets and External SIDs - Spread the Compromise

Note: Be sure to check out Sean Metcalf’s (@Pyrotek3) post about this technique available here! He talked about this at BlackHat USA 2015! Benjamin Delpy

Aggressor - Get Text Messages For Your Incoming Beacons

Whether it be through phishing, or some other means, waiting for your incoming beacons can be an anxious moment. Every time I send off phishing e-mails,
