Analyzing the "Power Worm" PowerShell-based Malware
On March 27, 2014, Trend Micro revealed the so-called “Power Worm” PowerShell-based malware that is actively being used in the wild. With so few publicly reported instances of PowerShell malware in...
PowerShell Summit 2014
Yesterday, I gave two presentations at the PowerShell Summit. The first presentation was on advanced eventing techniques in PowerShell and the second was on using PowerShell as a reverse engineering...
.NET Method Internals - Common Intermediate Language (CIL) Basics
For those who have had the privilege of reverse engineering heavily obfuscated .NET code, you've probably encountered cases where your decompiler of choice completely fails (or even crashes in an epic...
Encrypting and Viewing DNS Connections Using DNSCrypt for Windows
For a while now, I’ve been using DNSCrypt – a local DNS resolver that encrypts and forwards requests to an upstream DNS server. This is both a strong defense against man-in-the-middle attacks and a...
PowerShell v3 Cmdlet: Get-CourseraVideos
For those who haven't been through any of Coursera's free online courses, I cannot recommend them highly enough. For a while now, I've been wanting to download all of a class's videos to disk. Doing...
Get-MethodAddress - A Tool For Comparing .NET MSIL and ASM Method...
Download: Get-MethodAddress
Lately, as part of my research, I've found myself wanting to learn more about how MSIL (Microsoft Intermediate Language) opcodes in .NET assemblies get translated to assembly...
In-Memory Managed Dll Loading With PowerShell
Download: Out-CompressedDll
The .NET framework has a very handy method which loads a managed executable as a byte array – [System.Reflection.Assembly]::Load(byte[] rawAssembly). From the perspective of...
Dumping Strong-Name Keypair Paths Used by Microsoft
When you want to sign a managed assembly with a strong name, you must do so with a key pair in the form of an snk file. Microsoft's assemblies are no exception. After seeing a few assemblies signed by...
List All Win32/Native Functions Declared/Used By PowerShell
The PowerShell v3 command below will list every P/Invoke declaration made by the assemblies loaded in your PowerShell session. This knowledge may be useful for those seeking to avoid performing their...
Investigating Subversive PowerShell Profiles
With PowerShell attacks on the rise, it is important that incident responders be aware of exactly how PowerShell code is executed on a victim system. One such aspect of code execution is the...
Thoughts on Exploiting a Remote WMI Query Vulnerability
On December 1, 2015, a really interesting vulnerability was disclosed in the Dell Foundation Services software. If installed, a SOAP service will listen on port 7779 and grant an attacker the ability...
WMI object correlation using ASSOCIATORS OF
tl;dr
While this post isn’t directly related to infosec, infosec pros who work with WMI should take note as there are some powerful queries that could be performed for both offense and defense. The...
Offensive Tool Design and the Weaponization Dilemma
With the impending reboot of PowerSploit, partly commissioned by my new employer (Veris Group - Adaptive Threat Division), I’ve been writing a lot of new PowerShell code and refactoring some old code...
The PowerSploit Manifesto
It’s been a long journey and after so many years of learning PowerShell, starting to learn better software engineering disciplines, developing a large open source, offensive PowerShell project, using...
Properly Retrieving Win32 API Error Codes in PowerShell
Having worked with Win32 API functions enough in PowerShell using P/Invoke and reflection, I was constantly annoyed by the fact that I was often unable to correctly capture the error code from...
Misconfigured Service ACL Elevation of Privilege Vulnerability in Win10 IoT...
As of this writing, the latest public preview of Windows 10 IoT Core (build 14393) suffers from an elevation of privilege vulnerability via a misconfigured service ACL. The InputService service which...
WMI Persistence using wmic.exe
Until recently, I didn’t think it was possible to perform WMI persistence using wmic.exe but after some experimentation, I finally figured it out. To date, WMI persistence via dropping MOF files or by...
Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner
Imagine you’ve gained access to an extremely locked down Windows 10 host running Device Guard. The Device Guard policy is such that all PEs (exe, dll, sys, etc.) must be signed by Microsoft. No other...
Introduction to Windows Device Guard: Introduction and Configuration Strategy
Introduction
Welcome to the first in a series of Device Guard blog posts. This post is going to cover some introductory concepts about Device Guard and it will detail the relatively aggressive strategy...
Using Device Guard to Mitigate Against Device Guard Bypasses
In my last post, I presented an introduction to Device Guard and described how to go about developing a fairly locked down code integrity policy - a policy that consisted entirely of implicit allow...