Overview Visual Studio is a complex and powerful IDE developed by Microsoft and comes with a lot of features that can be interesting from a red team perspective. During this…
- ActiveBreach
Nighthawk 0.2.6 – Three Wise Monkeys
Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and… - ActiveBreach
The Not So Pleasant Password Manager
Overview During a recent adversary simulation, the MDSec ActiveBreach red team were asked to investigate the organisation’s Password Manager solution, with the key objective of compromising stored credentials, ideally from… - ActiveBreach
Leveraging VSCode Extensions for Initial Access
Introduction On a recent red team engagement, MDSec were tasked with crafting a phishing campaign for initial access. The catch was that the in-scope phishing targets were developers with technical… - ActiveBreach
CVE-2023-26258 – Remote Code Execution in ArcServe UDP Backup
Overview During a recent adversary simulation, the MDSec ActiveBreach red team were performing a ransomware scenario, with a key objective set on compromising the organisation’s backup infrastructure. As part of… - ActiveBreach
Nighthawk 0.2.4 – Taking Out The Trash
May 2nd 2023 Congratulations to our new king and in honour of the coronation, we proudly present Nighthawk 0.2.4. Our last Nighthawk public post was for our 0.2.1 release in… - ActiveBreach
Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability
Date: 14th March 2023 Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows: Microsoft Office Outlook contains a privilege escalation vulnerability that allows… - ActiveBreach
Nighthawk: With Great Power Comes Great Responsibility
Recently, Proofpoint released a blog post entitled “Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice”. In this post, Proofpoint outlined a campaign used by a legitimate red… - ActiveBreach
Nighthawk 0.2.1 – Haunting Blue
November 1st 2022 This Halloween week brings our third and final Nighthawk release for the year and it's packed with exciting new features, backed by MDSec's world class research and… - ActiveBreach
Autodial[DLL]ing Your Way
The use of the AutodialDLL registry subkey (located in HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters) as a persistence method has been previously documented by @Hexacorn in his series Beyond good ol' Run key, (Part 24)…. - ActiveBreach
Microsoft Office Online Server Remote Code Execution
Microsoft’s Office Online Server is the next generation of Office Web Apps Server; it provides a browser based viewer/editor for Word, PowerPoint, Excel and OneNote documents. The product can be… - ActiveBreach
Analysing LastPass, Part 1
Having been in IT longer than I care to remember, one issue keeps coming up. It doesn’t matter how well you have implemented what really matters is… - ActiveBreach
PART 3: How I Met Your Beacon – Brute Ratel
Introduction In part one, we introduced generic approaches to performing threat hunting of C2 frameworks and then followed it up with practical examples against Cobalt Strike in part two. In… - ActiveBreach
Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service (LSASS)
Introduction Process enumeration is necessary prior to injecting shellcode or dumping memory. Threat actors tend to favour using CreateToolhelp32Snapshot with Process32First and Process32Next to gather a list of running processes…. - ActiveBreach
PART 2: How I Met Your Beacon – Cobalt Strike
Cobalt Strike is one of the most popular command-and-control frameworks, favoured by red teams and threat actors alike. In this blog post we will discuss strategies that can be used… - ActiveBreach
PART 1: How I Met Your Beacon – Overview
Introduction It's no secret that MDSec provides a commercial command-and-control framework with a focus on evasion for covert operations. With this in mind, we are continuously performing on-going R&D in… - ActiveBreach
Altiris Methods for Lateral Movement
Introduction During a recent engagement the team came up against an unfamiliar product, Altiris. Very little public research was available about Altiris, with a considerable lack of information regarding abusing… - ActiveBreach
Nighthawk 0.2 – Catch Us If you Can
Introduction It’s been some months since our 0.1 release in December ‘21 and the development team have been working hard on new features, research and development, alongside bug fixes and… - ActiveBreach
Resolving System Service Numbers using the Exception Directory
Introduction While developing new features for Nighthawk C2, we observed that NTDLL contains up to three internal tables with the Relative Virtual Address (RVA) of all system calls. Two of these… - ActiveBreach
Process Injection via Component Object Model (COM) IRundown::DoCallback()
Introduction The MDSec red team are continually performing research into new and innovative techniques for code injection, enabling us to integrate them into tools used for our red… - ActiveBreach
ABC-Code Execution for Veeam
This blog post details several recently patched vulnerabilities in the Veeam Backup & Replication and Veeam Agent for Microsoft Windows. We’ll detail MDSec’s process for identifying these 1Day vulnerabilities, writing… - ActiveBreach
EDR Parallel-asis through Analysis
Introduction Post-exploitation tooling designed to operate within mature environments is frequently required to slip past endpoint detection and response (EDR) software running on the target. EDRs frequently operate by hooking… - ActiveBreach
Nighthawk 0.1 – New Beginnings
Introduction MDSec's ActiveBreach red team operate in some of the highest maturity environments, where a significant degree of in-memory and post-exploitation operational security is often required to counteract defensive… - ActiveBreach
NSA Meeting Proposal for ProxyShell
As part of Microsoft Exchange April and May 2021 patch, several important vulnerabilities were fixed which could lead to code execution or e-mail hijacking. Any outdated and exposed Exchange server… - Response
Investigating a Suspicious Service
The Incident Response team at MDSec regularly gets queries from our customers, as well as our consultants about odd things that they’ve found, either during engagements, or on an ad-hoc… - ActiveBreach
Bypassing Image Load Kernel Callbacks
As security teams continue to advance, it has become essential for attackers to have complete control over every part of their operation, from the infrastructure down to individual actions that… - ActiveBreach
Phishing Users to Take a Test
Introduction When looking for new interesting attack surfaces in Windows, I’ve often looked to default file handlers and LOLBins. Another interesting place to look is the default protocol handlers and… - ActiveBreach
Farming for Red Teams: Harvesting NetNTLM
Overview In the ActiveBreach red team, we’re always looking for innovative approaches for lateral movement and privilege escalation. For many of the environments we operate in, focusing on the classic… - ActiveBreach
macOS Post-Exploitation Shenanigans with VSCode Extensions
Overview It’s no secret that macOS post-exploitation is often centric around targeting the installed apps for privilege escalation, persistence and more. Indeed, we’ve previously posted about approaches for code injection… - ActiveBreach
Breaking The Browser – A tale of IPC, credentials and backdoors
Web browsers are inherently trusted by users. They are trained to trust websites which "have a padlock in the address bar" and that "have the correct name". This trust leads… - ActiveBreach
Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
Introduction The motivation to bypass user-mode hooks initially began with improving the success rate of process injection. There can be legitimate reasons to perform injection. UI Automation and Active Accessibility will use it… - ActiveBreach
A Fresh Outlook on Mail Based Persistence
Introduction Low privileged, user land persistence techniques are worth their weight in gold, as there are far fewer opportunities from this perspective than when you’re elevated. As such, we are… - ActiveBreach
Segmentation Vault: Cloning Thick Client Access
Overview I started out this research having taken some inspiration from @buffaloverflow‘s Chlonium tool for easily exfiltrating and using a victim’s Chromium based web browser cookies. I was working on… - ActiveBreach
Covert Web Shells in .NET with Read-Only Web Paths
In a recent red team engagement, we discovered a SharePoint instance that was vulnerable to CVE-2020-1147. I was asked to build a web shell without running any commands to avoid… - ActiveBreach
I Like to Move It: Windows Lateral Movement Part 3: DLL Hijacking
Overview In the past two posts of this series, we’ve covered lateral movement through WMI event subscriptions and DCOM, detailing approaches to improve the OpSec of our tradecraft. In the… - ActiveBreach
I Like to Move It: Windows Lateral Movement Part 2 – DCOM
Overview In part 1 of this series, we discussed lateral movement using WMI event subscriptions. During this post we will discuss another of my “go to” techniques for lateral movement,… - ActiveBreach
I Like to Move It: Windows Lateral Movement Part 1 – WMI Event Subscription
Overview Performing lateral movement in an OpSec safe manner in mature Windows environments can often be a challenge as defenders hone their detections around the indicators generated by many of… - ActiveBreach
Massaging your CLR: Preventing Environment.Exit in In-Process .NET Assemblies
At MDSec it is not uncommon to need to develop custom post-exploitation tooling to meet the requirements of an engagement; this is especially true for the red team, where the techniques employed for tasks such as information gathering and lateral movement often need to be adapted to the target environment. - ActiveBreach
FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking
Introduction During red team engagements, it is not uncommon to encounter Endpoint Defence & Response (EDR) / Prevention (EDP) products that implement user-land hooks to gain insight into a… - ActiveBreach
Detecting and Advancing In-Memory .NET Tradecraft
Introduction In-memory tradecraft is becoming more and more important for remaining undetected during a red team operation, with it becoming common practice for blue teams to peek into running… - All
Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET
Introduction Microsoft patched a number of deserialisation issues using the XPS files. Although the patch for CVE-2020-0605 was released in January 2020, it was incomplete and an additional update was released in… - All
Mattermost Enterprise Denial of Service
Introduction LaTeX is a document typesetting system that takes a plaintext file, stylised using mark-up tags similar to HTML or CSS, and converts this into a high-quality document for displaying… - ActiveBreach
T1111: Two Factor Interception, RSA SecurID Software Tokens
Introduction During Red Team Operations, it is not uncommon to find systems or applications related to the engagement objectives being protected by Two Factor Authentication. One of the solutions that… - Exploitation
Introducing YSoSerial.Net April 2020 Improvements
The YSoSerial.Net project has become the most popular tool when researching or exploiting deserialisation issues in .NET. We have recently invested some research time to improve this tool to help ourselves and… - ActiveBreach
Abusing Firefox in Enterprise Environments
Introduction In this blogpost, we will describe a technique that abuses legacy Firefox functionality to achieve command execution in enterprise environments. These capabilities can be used for lateral movement, persistence… - ActiveBreach
Designing The Adversary Simulation Lab
As some of you will know, we have recently entered into the Red Team training space. Before deciding to create our course now known as “Adversary Simulation and Red Team… - ActiveBreach
Hiding Your .NET – ETW
After the introduction of PowerShell detection capabilities, attackers did what you expect and migrated over to less scrutinised technologies, such as .NET. Fast-forward a few years and many of us… - ActiveBreach
Offensive Development with GitHub Actions
Introduction Actions is a CI/CD pipeline, built into GitHub, which was made generally available back in November 2019. Actions allows us to build, test and deploy our code based on triggers… - All
A Security Review of SharePoint Site Pages
Introduction If you have worked with SharePoint, you have seen two types of ASPX pages: Application pages and Site pages. Application pages are not customisable. They are stored on the file… - ActiveBreach
Getting What You’re Entitled To: A Journey Into MacOS Stored Credentials
Introduction Credential recovery is a common tactic for red team operators and of particular interest are persistently stored, remote access credentials as these may provide an opportunity to move laterally… - All
IIS Raid – Backdooring IIS Using Native Modules
Introduction Back in 2018, PaloAlto Unit42 publicly documented RGDoor, an IIS backdoor used by the APT34. The article highlighted some details which sparked my interest and inspired me to write… - ActiveBreach
Testing your RedTeam Infrastructure
As RedTeaming has grown with the industry, so has our need to build dependable environments. In keeping with the cat-and-mouse game we find ourselves in, it’s essential to possess the… - All
CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)
SQL Server Reporting Services (SSRS) provides a set of on-premises tools and services that create, deploy, and manage mobile and paginated reports. Functionality within the SSRS web application allowed low privileged… - Penetration testing
Code injection in Workflows leading to SharePoint RCE (CVE-2020-0646)
Description A remote code execution issue in SharePoint Online via Workflows code injection was reported to Microsoft in November 2019 which was addressed immediately on the online platform. However, the… - ActiveBreach
Deep Dive in to Citrix ADC Remote Code Execution, CVE-2019-19781
Last month, a critical vulnerability in Citrix ADC and Citrix Gateway was published under CVE-2019-19781. The vulnerability caught our attention as it suggested that an unauthenticated adversary could leverage it to… - ActiveBreach
MacOS Filename Homoglyphs Revisited
Last year I posted a few tricks to help when targeting MacOS users, and included a technique useful for spoofing file extensions with the aim of taking advantage of Finder’s… - ActiveBreach
RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients
Introduction Remote Desktop is one of the most widely used tools for managing Windows Servers. Admins love using RDP and so do attackers. Often the credentials that are used to… - ActiveBreach
Introducing the Office 365 Attack Toolkit
During our red team operations, we frequently come in contact with organisations using Office 365. The present tooling targeted at this environment is somewhat limited meaning that development is often… - ActiveBreach
Persistence: “the continued or prolonged existence of something”: Part 3 – WMI Event Subscription
In my previous two posts I covered persistence using both Microsoft Office and COM hijacking, in this post I’ll discuss my third favourite technique for persistence; WMI event subscription. Unlike… - ActiveBreach
Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking
In the first post I talked about my favourite persistence technique using Microsoft Office add-ins and templates. My second favourite technique for persistence is using COM hijacking which will be… - ActiveBreach
Persistence: “the continued or prolonged existence of something”: Part 1 – Microsoft Office
During a red team engagement, one of the first things you may want to do after obtaining initial access is establish reliable persistence on the endpoint. Being able to streamline… - ActiveBreach
Silencing Cylance: A Case Study in Modern EDRs
As red teamers regularly operating against mature organisations, we frequently come into contact with a variety of Endpoint Detection & Response solutions. To better our chances of success in… - ActiveBreach
External C2, IE COM Objects and how to use them for Command and Control
Background Cobalt Strike 3.6 introduced a powerful new feature called External C2, providing an interface for custom Command and Control channels. Being a fan of custom C2 channels I started… - ActiveBreach
Macros and More with SharpShooter v2.0
In March 2018 we released SharpShooter, a framework for red team payload generation. We followed up with further updates and new techniques in June. Like many offensive tools, the framework… - ActiveBreach
Abusing Office Web Add-ins (for fun and limited profit)
Background The Office add-ins platform allows developers to extend Office applications and interact with document content. Add-ins are built using HTML, CSS and JavaScript, with JavaScript being used to interact… - ActiveBreach
ActiveBreach, powered by Ethereum Blockchain
No matter where you turn, it’s hard to miss just how much of an effect the Blockchain has had on our daily lives. Being the backbone of the digital currency… - News
SharpPack: The Insider Threat Toolkit
Introduction We recently performed an Insider Threat red team engagement, posing as employees within the company. We were provided with all the benefits of a regular employee (except salary :))… - ActiveBreach
Cisco AMP – Bypassing Self-Protection
Sometimes when you are in the middle of an engagement, you will come across a hurdle which requires a quick bit of research, coding, and a little bit of luck…. - ActiveBreach
AppLocker CLM Bypass via COM
Constrained Language Mode is a method of restricting PowerShell’s access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the PowerShell runtime… - ActiveBreach
Serverless Red Team Infrastructure: Part 1, Web Bugs
During a red team engagement, it is often beneficial to have the ability to quickly and programmatically deploy infrastructure. To date, most existing literature has focussed on deploying the server… - Exploitation
Advisory: CVE-2018-7572 – Pulse Secure Client Authentication Bypass
Overview Title: Pulse Secure Client Authentication Bypass Version: Pulse Desktop Client 9.0R1 and 5.3RX before 5.3R5. Researcher(s): Nassar Amin, Ricardo Ramos, Russel Crozier and Dominic Chell Disclosure Date: 01-03-2018 Public Disclosure… - News
Advisory: CVE-2018-8007 – Apache CouchDB Remote Code Execution
Overview Title: CouchDB Arbitrary Write Local.ini Configuration Authenticated Remote Code Execution Version: