Author Archives: Cornelis de Plaa

Direct Syscalls in Beacon Object Files

In this post we will explore the use of direct system calls within Cobalt Strike Beacon Object Files (BOF). In detail, we will: Explain how direct system calls can be used in Cobalt Strike BOF to circumvent typical AV and EDR detections. Release InlineWhispers: a script to make working with direct system calls easier in BOF […]

Red Team Tactics: Active Directory Recon using ADSI and Reflective DLLs

In this blog post we will explain how you can enumerate Active Directory from Cobalt Strike using the Active Directory Service Interfaces (ADSI) in combination with C/C++. This may help you stay under the radar in environments where PowerShell and .NET are heavily monitored. Imagine you are in a TIBER, CBEST or other long-term red team […]