Mass PowerShell and WMImplant

When developing WMImplant, I wanted to ensure I would have some of the same capabilities on a Device Guard (now Windows Defender Application Control) protected system as I would on a non-protected one when using Beacon or Meterpreter. WMImplant is a stepping stone toward those capabilities, but it also presented some engineering problems of its own…

Read more

Veil Payloads and Veil-Ordnance

I made certain assumptions regarding Veil-Evasion’s payload naming scheme, and how Veil-Ordnance works, only to discover that understanding these tool variations is not as intuitive as I thought. This post aims to help provide more clarity regarding Veil-Evasion and Veil-Ordnance. Veil-Evasion has different payloads which are organized by different attributes. The best way to think…

Read more

Building a Windows Defender Application Control Lab

Despite an abundance of “building your own lab” articles available online, there really is only one collection of articles that documents Windows Defender Application Control (Device Guard), hereafter referred to as WDAC: Matt Graeber’s Exploit Monday posts on the topic. I dove into playing with WDAC a year ago while developing WMImplant, and I quickly realized that there is pretty limited…

Read more

Egress-Assess Malware Modules

GitHub link – https://github.com/ChrisTruncer/Egress-Assess Steve Borosh (@424f424f) and I have been working on adding a new type of module into Egress-Assess for a month or two now. Currently, Egress-Assess lets you exfiltrate faux or real data over a variety of different protocols on both Linux and Windows systems. However, Steve had the idea to create malware…

Read more

Golden Tickets and External SIDs - Spread the Compromise

Note: Be sure to check out Sean Metcalf’s (@Pyrotek3) post about this technique, available here! He talked about this at BlackHat USA 2015! Benjamin Delpy (@gentilkiwi) recently tweeted about adding External SIDs into Mimikatz’s golden tickets, which was quickly followed up by Skip Duckwall (@Passingthehash) also tweeting how devastating this addition can be to defenders. Skip said it…

Read more