Secure Enclaves for Offensive Operations (Part I)

|

This blog post was co-authored by Matteo Malvica (Researcher at OffSec and External OST developer) and Cedric Van Bockhaven (OST developer and researcher at Outflank).

This article is the first in a two-part series in which we investigate the anatomy of Virtualization-Based Security (VBS) enclaves, their internals, and the unique ways they could be leveraged for offensive operations on Windows systems.

Enclaves provide a software-based Trusted Execution Environment (TEE) and are isolated memory regions. Only code that runs within the enclave can access data within the same enclave. TEEs protect sensitive operations in computing and are designed to keep unauthorized actors away from confidential information, whether that actor is malware with user-mode or kernel-mode access or even someone with physical access to the data center.

You can imagine that being able to hide away data and code into an enclave is a powerful capability and could also be used for offensive purposes,

Read full post

2024 Wrapped: Outflank’s Top Tracks

|

As 2024 nears its end, we feel it is a great time to look back at what we achieved in 2024.

TLDR: No one would call this a quiet year for Outflank.

OST Releases: New Tools and Major Releases

22 releases! We managed to put out 22 releases of OST in 2024.

Rapid development remains a cornerstone of OST and has allowed us to match the pace of evolving threat landscape to deliver cutting edge tools and capabilities. We have a release note tracker covering every release, but highlights include:

EDR Presets

With EDRs becoming more powerful, and bypasses requiring more EDR-specific tricks, it was becoming hard to keep track of the countless options OST operators have for evasion of those EDRs.

Read full post

Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection

|

By Guido Miggelenbrink at Outflank

Introduction

In this blog post we introduce a novel process injection technique named Early Cascade Injection, explore Windows process creation, and identify how several Endpoint Detection and Response systems (EDRs) initialize their in-process detection capabilities. This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique by Marcus Hutchins [1]. Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction. This makes Early Cascade Injection a stealthy process injection technique that is effective against top tier EDRs while avoiding detection.

Tags: , , , , , ,

Read full post

Will the real #GrimResource please stand up? – Abusing the MSC file format

|

In this blog post we describe how the MSC file format can be leveraged to execute arbitrary code via MMC (Microsoft Management Console) for initial access or lateral movement purposes. A sample payload that implements this technique was publicly shared recently. This sample was generated using our Outflank Security Tooling (OST) offering and hence we decided to publish additional details on this method and its discovery.

Read full post

EDR Internals for macOS and Linux

|

Many public blogs and conference talks have covered Windows telemetry sources like kernel callbacks and ETW, but few mention macOS and Linux equivalents. Although most security professionals may not be surprised by this lack of coverage, one should not overlook these platforms. For example, developers using macOS often have privileged cloud accounts or access to intellectual property like source code. Linux servers may host sensitive databases or customer-facing applications. Defenders must have confidence in their tools for these systems, and attackers must understand how to evade them. This post dives into endpoint security products on macOS and Linux to understand their capabilities and identify weaknesses.

Tags: , ,

Read full post

OST Release Blog: EDR Tradecraft, Presets, PowerShell Tradecraft, and More 

|

Malicious actors continuously deploy new or improved techniques. Red teams must maintain an equally rapid pace of development of their tooling arsenal to remain effective at testing evolving defensive measure and preparing organizations for advanced threats. With the dedicated research and development efforts from the Outflank team, OST is constantly evolving, with additions of new, leading-edge tools unique to the market as well as regular enhancements to our existing tools. 

In this quarterly release blog, we’ll summarize some of the latest updates we’ve made over the past few months.  

EDR Tradecraft

Over the last few years we have clearly seen the big EDR names in the market up their game. Generally, we can say that they are doing a great job and that EDR-bypasses are becoming harder. However, EDRs can’t be expected to do magic,

Tags: , , ,

Read full post

Unmanaged .NET Patching

|

To execute .NET post-exploitation tools safely, operators may want to modify certain managed functions. For example, some C# tools use the .NET standard library to terminate their process after execution. This may not be an issue for fork&run implementations that spawn a sacrificial process, but executing in-process will terminate an implant. One could write a small .NET program that resolves and patches these functions, but we were interested in an unmanaged approach (i.e. a unmanaged implant executing managed code in-process). While our example targets System.Environment.Exit, a similar technique should work for any managed function.

Tags:

Read full post

Mapping Virtual to Physical Addresses Using Superfetch

|

With the Bring Your Own Vulnerable Driver (BYOVD) technique popping up in Red Teaming arsenals, we have seen additional capabilities being added like the ability to kill (EDR) processes or read protected memory (LSASS), all being performed by leveraging drivers operating in kernel land.

Sooner or later during BYOVD tooling development, you will run into the issue of needing to resolve virtual to physical memory addresses. Some drivers may expose routines that allow control over physical address ranges. While this is a powerful capability, how do we make the mapping between virtual and physical addresses? Mistakes can be costly and result in BSODs. That’s what we’re exploring in this blog post. We will document a technique that relies on a Windows feature referred to as “Superfetch”.

Read full post