Breaking The Browser – A tale of IPC, credentials and backdoors

Web browsers are inherently trusted by users. They are trained to trust websites which “have a padlock in the address bar” and that “have the correct name”. This trust leads to users feeling comfortable entering their sensitive data into these websites. From an attacker's standpoint this trust is an…

Pwning Windows Event Logging with YARA rules

The Event Log coupled with Windows Event Forwarding and Sysmon can be extremely powerful in the hands of defenders, allowing them to detect attackers every step of the way. Obviously this is an issue for the attackers. Before privilege escalation there is a limit to what we can do to evade event…

Defending Your Malware

Malware is an important part of an engagement. As many security solutions are now evolving past rudimentary signature comparisons to using more advanced techniques to detect malicious activity, it is important that we as attackers understand the methods they are using and how we can avoid them. Consider the…

Introducing SHAD0W

Available from the project's GitHub. Post exploitation is a large part of a red team engagement. While many organisations begin to mature and start to deploy a range of sophisticated Endpoint Detection & Response (EDR) solutions onto their networks, it requires us, as attackers, to also mature. We need to upgrade…

Universally Evading Sysmon and ETW

The source code and latest release are both available. Sysmon and the Windows Event Log are both extremely powerful tools in a defender's arsenal. Their very flexible configurations give them great insight into the activity on endpoints, making the process of detecting attackers a lot easier. It's for this reason…