~/blog — All posts

EDR Evasion Using Indirect Memory Writing

Throwback to college When I started my Bachelor’s Degree in Computer Science, one of our first courses was an introduction to C++, where we learned all about variables, conditions, loops, recursion, and of course – pointers. Later on we proceeded to learn more advanced topics, such as inheritance, polymorphism and… pointers to pointers. While we were told that our variables and functions needed to be documented and have concise and revealing names to better understand their purpose, a friend of mine stuck to laconic phrasing, with naming conventions such as “bigNum” for a variable or “makePointer” for a function. His best idea for a name for a function that creates a pointer to a given pointer was: “make_pp”. 😉

When Computer Says Yes (automatically): Understanding UAC Auto-Elevation – Part 2/2

How Attackers Abuse Auto-Elevation As we’ve previously mentioned, auto-elevation doesn’t grant magical powers to every user; a standard (non-admin) user cannot force elevation via these binaries. But if the logged-in user is a local admin (running most apps in medium-integrity mode), auto-elevated binaries can be hijacked. Let us note that abusing auto-elevation allows for a stealthier privilege escalation; by using trusted Windows binaries instead of dropping custom malware, attackers minimize their detection footprint. Defenders may see “normal system activity” in their logs… unless they dig deeper.

When Computer Says Yes (automatically): Understanding UAC Auto-Elevation – Part 1/2

Windows systems have long wrestled with the balance between usability and security; we joke about how every other version of Windows is “the bad version”, when security takes precedence over user-experience (I’m talking to you, Windows Vista!). One of Microsoft’s key mechanisms for keeping users safe – while still allowing administrators to perform their job – is User Account Control (UAC); but like many security features, the implementation leaves certain “cracks” that attackers can exploit. One of those cracks lies in the concept of auto-elevated executables.

Windows Shellcode Injection: A Technical Reference

A technical reference covering the most common process injection techniques used in Windows malware — VirtualAllocEx/WriteProcessMemory, APC injection, early-bird injection, and thread hijacking. Includes C code, EDR evasion context, and detection points for each technique.

PowerShell Active Directory Enumeration Without RSAT

RSAT isn't always available and importing PowerView raises flags. This post covers native PowerShell techniques for enumerating Active Directory — users, groups, SPNs, and trust relationships — using only built-in .NET classes and LDAP queries.

Automating Recon with Python: A Practical Primer

Manual reconnaissance is slow and inconsistent. This post walks through building a basic but solid Python script that automates subdomain enumeration, port scanning orchestration, and output normalization — the unglamorous foundation of any serious engagement.

Hunting for Service Executable Hijacking

Prologue In a recent Red Team engagement my organization had, the penetration testers managed to laterally move to a Windows endpoint; since they didn’t have admin privileges on it, they were looking for ways to escalate their privileges. Luckily (for them), they found a service with insecure permissions that ran under the context of NT Authority\SYSTEM – and exploited it, gaining that level of privilege on that host. When I read the PT report, I was annoyed; was it pure luck they got to a host that was vulnerable to this misconfiguration, or was it a game of probabilities (well, that’s true in many cases, I guess)? And if so – what is the percentage of hosts which are also vulnerable to this type of hijacking? 5%? 50%? In this blog post, we will explore Windows Service Executable Hijacking from both a Red Team (adversarial) and a Blue Team (defender) perspective. We’ll discuss how Red Team operators exploit this attack and provide practical advice for Blue Teams on how to detect and mitigate this threat.

Do You Trust GPO Trustees?

Introduction Group Policy Objects (or GPOs) are a valuable and necessary pillar of any Windows-based organization. They enforce various rules and definitions on hosts, and allow sysadmins to govern the Active Directory domain, on all its users, endpoints and servers. In the ever-evolving landscape of cybersecurity, GPOs have not gone unnoticed. One notable technique in penetration testing involves the abuse of GPOs by exploiting overly permissive permissions pertaining to them. This blog post discusses the issue, and introduces a tool designed to assist both Red and Blue Teams in identifying such misconfigurations within GPOs.

BASk in The Glory of Breach & Attack Simulations?

Introduction One of the most popular (and “sexy”) fields in cyber-security is the field of penetration testing (or “pen-testing” \ “PT” for short); it is also a crucial component of any organization’s cybersecurity strategy. In simple terms, pen-testing involves simulating an attack on a system or network, in order to identify potential vulnerabilities, misconfigurations and other weaknesses. By doing so, organizations can identify (in a safe manner) areas of their security infrastructure that need improvement – before an actual attacker exploits them. As new technologies emerge, so do new terms come into existence. The notion that much of the work a human pen-tester does could be automated by a machine has created a new line of products, which Gartner has coined the term for as B.A.S., or “Breach & Attack Simulation” systems.

Communication Obstacles On the Path to Problem Solving

In our day to day job in IT (but actually, in all aspects of life), we encounter problems which need solutions, or have needs that need to be addressed and fulfilled. In an ideal situation: people will have a clear understanding of their needs, or a comprehensive view of the problem; which in turn enables them to “break them down” to modular pieces, analyze them and come up with the optimal solution (given all necessary parameters and conditions), either alone or after brainstorming with others. However, a lot more often than not – I have seen a lack of this type of analytical thinking; it starts with a lack of definitions for terms used, as well as laconic explanations of the needs or the problems that emerged, continues with mixing the problem with the solution, and ends up with explaining why the solution is in fact the real problem – and why the only real solution is to do X and not Y, or why a solution to the problem is not feasible in the first place! The following paragraphs address 4 such common obstacles in communication skills regarding problems and the ways to solve them:

Hunting For Saved Credentials in WinSCP and MobaXterm

Introduction When attackers get a foothold on a compromised machine, one of their first courses of action is seeking means for elevation of privileges; that hopefully allows them access to other resources in the target organization, a way to move laterally and reach their goals. One way for privilege escalation is by extracting passwords from areas they reside in. This could be as easy a task as opening a “passwords.txt” file located on the user’s Desktop, or as “hard” as dumping credentials from the machine’s volatile memory.