In this blog post we will explore the use of direct system calls, restoring hooked API calls, and ultimately combining these with a shellcode injection technique called sRDI. We combine the techniques in proof-of-concept code that can be used to create an LSASS memory dump from Cobalt Strike, without touching disk and while evading the user-mode API calls that AV/EDR products monitor.
At BlackHat Asia we released Evil Clippy, a tool that assists red teamers and security testers in creating malicious MS Office documents. Among other things, Evil Clippy can hide VBA macros, stomp VBA code (via p-code) and confuse popular macro analysis tools. It runs on Linux, OSX and Windows.
In this blog post we will explore the features of Evil Clippy and the technology behind it. The latest source code of the tool can be found here:
Latest binary releases are available at:
This blog post is a write-up of the various AMSI weaknesses presented in the Troopers talk "MS Office File Format Sorcery" and the BlackHat Asia presentation "Office in Wonderland".
We will explore the boundaries and design weaknesses of AMSI for VBA that allow attackers to bypass and evade this defensive mechanism. Note that attacks on the engine itself (such as in-memory patching) are out of scope for this post.
In January and February 2019 Microsoft provided patches for CVE-2019-0540 and CVE-2019-0561, which were reported by Stan and me. We disclosed the details in our BlackHat Asia talk "Office in Wonderland". Both vulnerabilities abuse a feature in Word called "fields". In this blog post we will dive into this.
This multi-part blog post is about a tool we released: RedELK. In a few words you can describe it as a "Red Team's SIEM", although it actually does a few more things to ease the life of red teams. We released it right after our talk at BruCON 2018, and you may have already seen it on our GitHub. But until now we haven't had the time to articulate our reasoning and give it a proper introduction.
This first part covers our reasoning. In the second part (soon to be released) we will dive into the technical details, explain basic usage and show how you can benefit from using it as a red teamer.