Customizing C2Concealer - Part 2

Are you ready for further C2Concealer customization? Let's dive in.

Customizing C2Concealer - Part 1

About a year ago, we publicly released our C2 malleable profile generator for Cobalt Strike, C2Concealer. You can read the initial blog post here. In the

Ordinal Values, Windows Functions, and C#

There are many different techniques that an offensive security professional could use to try to have their code avoid detection by various AV and EDR products. Various

What the F#*%

Check out our repo which has multiple F# injection routines, evasion techniques, and an unmanaged F# loader.

Deploying a Hash Cracker in Azure

Before we begin, I know, yet another "guide to creating a hash cracker in [insert popular cloud service here]". Well, I was on a

Meet EDD - He Helps Enumerate Domain Data

PowerView is by far the de facto domain enumeration tool. We still use it on assessments and will likely do so where appropriate in the future.

CIMplant Part 3: Good Ol' maxEnvelopeSize to Ruin the Day

This is the last part in the three part series on CIMplant. If you haven't seen the previous two, you can find them here: CIMplant Part

A Limitation of Penetration Tests: Part 1

Penetration testing and other offensive cybersecurity assessments form an important component of most enterprise information security programs; indeed, many cybersecurity frameworks, such as PCI, require the

CIMplant Part 2: A Deeper Look into the Creation

In the second part of our CIMplant series we'll take a deeper dive into the code of CIMplant and go over some of the more interesting

CIMplant Part 1: Detection of a C# Implementation of WMImplant

Introduction: Windows Management Instrumentation (WMI) has been around for several years as a way to gather information from and manage remote or local computers. WMImplant written

Fastly and Fronting

Domain fronting has been around for some time now. It has its legitimate use cases for bypassing censorship along with use by pen testers, red teams,

A CVE in our Executive Summary

What would you say the difference between an "operational" summary and an "executive" summary is? Find out our take on it in this quick read.

Quick Guide to Security Headers - Part Two

In our last post, we explored 3 of the most important security headers: Content-Security-Policy, Strict-Transport-Security and X-Frame-Options. In this post, we’ll review four additional security

MalDoc Fu - Some Ideas for Malicious Document Delivery

Introduction: "Hey, can you review this document? You might have to enable macros due to formatting lol" Attachment: ImportantDocument.docm We've all seen phishing

Hot Manchego

tl;dr: Create a macro-enabled Excel workbook using the .NET library EPPlus to bypass some A/V detection. We created Hot Manchego to help pen testers

Incoming .NET SQLClient

The GitHub repo for SQLClient is available here - https://github.com/FortyNorthSecurity/SqlClient On an assume breach assessment, FortyNorth was able to successfully obtain a

Intro to Proxmark3 RDV4: Part 3 - Practical Applications using ProxmarkWrapper

In this post, we'll go over creating a more covert application for the Proxmark3 using the BlueTooth module we installed previously along with some ideas for

Creating an Internal Pen Test VM with Ngrok

Hello everyone. With the severity of the Covid-19 virus and people trying to work from home as much as possible we wanted to document how to

XLM (Excel 4.0) Macro Generator for Phishing Campaigns

tl;dr EXCELntDonut takes C# source code as an input, converts it into shellcode, and generates an XLM (Excel 4.0) macro that will inject the

Screenshooter: The Beacon Screenshot Savior

A C# tool to screenshot user's desktop(s) complete with multiple checks. Will work with Cobalt Strike's Execute-Assembly. Best name we could think of since SharpShooter

Quick Guide to Security Headers - Part One

A month ago, we finished a series of six web application assessments for local and regional banks. In addition to common web vulnerabilities, like SQLi, we

Remotely Host MSBuild Payloads

tl;dr Separate your C# payload from a MSBuild XML file and host it remotely on a WebDav server. Red teams and attackers frequently repurpose MSBuild,

EyeWitness - Potential Modifications

This is the second post in relation to the new .Net implementation of EyeWitness and it will cover a few things that you should possibly do

Ngrok for Local Infrastructure

Introduction: Hello, meet ngrok (https://ngrok.com/), an easy way to tunnel traffic from a local machine (i.e. VM) to an external address. With ngrok, you

MiddleOut: a C# Compression Tool

MiddleOut (a salute to Silicon Valley) is a tool written in C# that compresses any number of files passed to it. I wanted to learn .Net
