August 4, 2023

Meterpreter: Bypassing Defender

In this post I’ll describe the approach taken to be able to get a meterpreter session in a default updated installation of windows 10 with all the security features enabled. This is not new and there’s a lot of info out there if you google for it, so it’s more of an exercise to practice evasion techniques using one of the most fingerprinted hacking frameworks out there (or at least I think so).

January 27, 2023

Customize the Loader

First I would like to mention that this is more about my own learning process other than a proper tutorial. I’ve been playing around with Sliver framework a lot lately, if you’ve done it too then you know you can generate beacons in different formats including shellcode, this is cool, right? Because you can just inject it into memory and the shellcode will reflectively load a DLL that conatins the actual beacon payload, but this process leaves some memory artifacts that can be detected by AVs, EDRs or memory scanners like PE-sieve.

August 28, 2022

DLL proxying & sideloading

While studying DLL injection techniques, specifically DLL sideloading, I found this article by Palo Alto Network’s Unit 42 When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. The article describes how the dropper was using using a technique known as DLL search order hijacking to sideload a malicious crafted DLL that will inject a Brute Ratel agent (badger) into a remote process’s memory space, in this case RuntimeBroker.