In this post we will explore the use of direct system calls within Cobalt Strike Beacon Object Files (BOF). In detail, we will:

• Explain how direct system calls can be used in Cobalt Strike BOF to circumvent typical AV and EDR detections.
• Release InlineWhispers: a script to make working with direct system calls more easy in BOF code.
• Provide Proof-of-Concept BOF code which can be used to enable WDigest credential caching and circumvent Credential Guard by patching LSASS process memory.

Source code of the PoC can be found here:

https://github.com/outflanknl/WdToggle

Source code of InlineWhispers can be found here:

https://github.com/outflanknl/InlineWhispers

Read full post

In this blog post we are going to explore the power of well-known process monitoring utilities and demonstrate how the technology behind these tools can be used by Red Teams within offensive operations.

Having a good technical understanding of the systems we land on during an engagement is a key condition for deciding what is going to be the next step within an operation. Collecting and analysing data of running processes from compromised systems gives us a wealth of information and helps us to better understand how the IT landscape from a target organisation is setup. Moreover, periodically polling process data allows us to react on changes within the environment or provide triggers when an investigation is taking place.

Read full post

In this blog post we will explain how you can enumerate Active Directory from Cobalt Strike using the Active Directory Service Interfaces (ADSI) in combination with C/C++. This may help staying under the radar in environments where PowerShell and .NET are heavily monitored.

Imagine you are in a TIBER, CBEST or other long-term red team assessment and finally managed to get a foothold into the target’s network. Many hours of preparation finally pay off and your payload plus C2 channel bypass the target’s security measures. How can you run your tools for the next steps in your attack (such as Active Directory reconnaissance), without triggering modern defenses on the compromised host such as AMSI or script block logging?

Read full post

In this blog post we will explore the use of direct system calls, restore hooked API calls and ultimately combine this with a shellcode injection technique called sRDI. We will combine these techniques in proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR monitored user-mode API calls.

Read full post