Summary On Friday, July 19, 2024 at 04:09 UTC, as part of regular operations, CrowdStrike released a content configuration update for the Windows sensor to gather telemetry on possible novel threat techniques. What caused the outage? The patch contained a logic error which resulted into a Blue Screen of Death (BSOD) for Windows 11 versions […]

Test Date: 2024/Jan/22 This documentation uses the AES encryption technique to evade EDR (Endpoint Detection and Response) tools which includes the following steps. Create a reverse_http listener Obtain a shellcode that spawns a shell Encrypt your shellcode Write a CSharp script that decrypt and executes the shellcode Compile the shellcode using Microsoft.Net CSC compiler in […]

The “Malleable C2” feature in Cobalt Strike allows you to customize the indicators of compromise (IOCs) and network traffic patterns generated by your Beacon implants. Malleable C2 allows you to make your communication patterns look like normal network traffic, making it harder for defenders to detect the activity. You can find many preconfigured profiles from […]

Staged Payloads A staged payload is a payload that is delivered in multiple stages. The first stage, known as the “stager,” is a small and simple piece of code whose purpose is to establish communication with the attacker-controlled infrastructure. The stager is responsible for downloading and executing the second stage, which is the main payload […]

Cobalt Strike is a security tool used by ethical hacker to assist security posture of their organization while also used by threat actors offensively to compromise a target environment. Cobalt Strike have many capabilities I.e Reconnaissance Weaponization Exploitation Post-Exploitation Persistence and more… How to install cobalt-stirke in linux? To download cobalt strike, please visit: https://www.cobaltstrike.com/download […]

What is Context_CPUID in metasploit? Context_CPUID is a an encoder that enables a threat actor to evade security detection tools or Anti-Viruses to be specific. How does Context_CPUID encoder work? Context_CPUID encoder uses the cpuid instruction to obtain the CPU information. This information then is scrambled with XORing operation and finally the scrambled CPU information […]

What is Shikata_ga_nai? Shikata_ga_nai is a Metasploit encoder used by threat actors to evade/bypass Anti-virus tools. How does Shikata_ga_nai work? In summary, shikata_ga_nai uses xoring methodology to evade AVs. Xoring is a bit wise operation that is commonly used in cryptography. Threat actors uses this technique to obfuscate the malware payload. for example, if you […]

Nmap Results: We can see that port 80 is serving HTTP services. Visiting the home page, we find that apache2 default page which is modified and contains some comments: We can see, there is someone called Jessie. It may be a username too. Running dirbuster against urp http://thm.ip/sitemap/ using /usr/share/wordlists/dirb/common.txt, we see a folder called […]

Nmap results: As you can see http is listening on port 80. So lets try to perform a directory scan using dirbuster: Looking at http://10.10.38.140/island/, we can there is an html “h2” tag with white color. Hmm, /island/2100/ seems interesting as well. Visiting the page source we see a comment recommending “.ticket” So lets try […]

Nmap scan results: Port 80 is serving HTTP service and by visiting the webpage, we find that the fuel CMC v1.4 is running. A quick searchsploit for “fuel” we find a bunch of RCE vulnerabilities as below but we will try 50477.py: Now, we simply run the exploit using python: To get a full interactive […]