Publications

In this blog post we will explain how you can enumerate Active Directory from Cobalt Strike using the Active Directory Service Interfaces (ADSI) in combination with C/C++. This may help staying under the radar in environments where PowerShell and .NET are heavily monitored.

Imagine you are in a TIBER, CBEST or other long-term red team assessment and finally managed to get a foothold into the target’s network. Many hours of preparation finally pay off and your payload plus C2 channel bypass the target’s security measures. How can you run your tools for the next steps in your attack (such as Active Directory reconnaissance), without triggering modern defenses on the compromised host such as AMSI or script block logging?

Read full post

In this blog post we will explore the use of direct system calls, restore hooked API calls and ultimately combine this with a shellcode injection technique called sRDI. We will combine these techniques in proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR monitored user-mode API calls.

Read full post

At BlackHat Asia we released Evil Clippy, a tool which assists red teamers and security testers in creating malicious MS Office documents. Amongst others, Evil Clippy can hide VBA macros, stomp VBA code (via p-code) and confuse popular macro analysis tools. It runs on Linux, OSX and Windows.

In this blog post we will explore the features of Evil Clippy and the technology behind it. The latest source code of the tool can be found here:

https://github.com/outflanknl/EvilClippy

Latest binary releases are available at:

https://github.com/outflanknl/EvilClippy/releases

Read full post

This blog is a writeup of the various AMSI weaknesses presented at the Troopers talk ‘MS Office File Format Sorcery‘ and the Blackhat Asia presentation ‘Office in Wonderland’.

We will explore the boundaries and design weaknesses of AMSI for VBA that would allow attackers to bypass and evade this defensive mechanism. Note that attacks on the engine itself (such as in-memory patching) are out of scope for this post.

Read full post

In January and February 2019 Microsoft provided patches for CVE-2019-0540 and CVE-2019-0561, which were reported by Stan and me. We disclosed the details in our Blackhat Asia talk “Office in Wonderland”. Both vulnerabilities abuse a feature in word called “fields”. In this blog post we will dive into this.

Read full post

This multi-part blog post is about a tool we released: RedELK. In a few words you can describe it as a “Red Team’s SIEM”, although it actually does a few more things to ease the life of red teams. We released it right after our talk at BruCON 2018, and you may have already seen it at our GitHub. But until now we haven’t had the time to articulate our reasoning and give it a proper introduction.

This first part covers our reasoning. A the second part (soon to be released) we’ll dive into the technical details, explain basic usage and show you how you can benefit from using it as a red teamer.

Read full post

This month (October 2018) our team members presented at two hacker conferences:

• The MS Office magic show at DerbyCon
• Mirror on the wall: using blue team techniques in red team ops at BruCON

Below, you can find the video recordings of these presentations.

Read full post

Persistent access to a target’s network is one of the milestones in any offensive operation. During our operations, we use various types of short-haul beacons for day-to-day operations. If all short-haul beacons fail, a long-haul beacon which calls back much less frequently, can restore access to the target’s network. As such, a long-haul beacon should function in a way that it does not attract the attention of the blue team.

TL;DR
For OPSEC reasons, it is a good habit to split your command and control (C2) between low-and-slow channels (stage 1, long-haul) and operational channels (stage 2, short-haul). This blog post provides operational details for building a stage 1 C2 channel using DNS over HTTPS (HTTPS calls to dns.google.com to retrieve DNS TXT records) to trigger the download of a stager that will subsequently launch a payload for stage 2 C2.

Read full post

At our Derbycon talk, the MS Office Magic Show, Stan and myself presented various novel techniques for abusing Excel and Word in Red Teaming operations. One of the tricks introduced was about the Sylk fileformat and Excel 4.0 / XLM macro’s. Full detailled blogs on Sylk and other discussed subjects will follow later. For now it suffices to say that we shared a 99byte Sylk file that pops Calc using XLM when the victim enables macro. As Sylk files are text files they do not open in protected mode.

TL;DR
In Office 2011 for Mac XLM Macro’s in Sylk files are auto executed (no protected mode or macro prompt). Time to say goodbye and really remove office 2011. Issue may even be triggered if you have both Office 2016 and 2011 for Mac installed.

Read full post

In this post, I will dive into Excel 4.0 macros (also called XLM macros – not XML) for offensive purposes. If you grew up in the Windows 95 age or later, just as I did, you might have never heard of this technology that was introduced as early as 1992. Virtually all malicious macro documents for MS Office are based on Visual Basic for Applications (VBA). However, XLM macros are a hidden gem for red teamers and turn out to be a very good alternative to VBA macros for offensive purposes: XLM can be difficult to analyse and it appears that most antivirus solutions have trouble detecting XLM maldocs. And although the technology is 26 years old by now, Excel 4.0 macros are still supported in the most recent Microsoft Office versions (including Office 2016, at time of writing).

Read full post