S4E01: KEGTAP-ing Out: Don't be a One Trickbot Pony
Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution & injection techniques that are working in-the-wild.
In previous episodes, the gang has discussed how attackers - both authorized and unauthorized - have shifted away from PowerShell and scripting-based tooling to C# and shellcode, driven by the improved visibility, detection, and prevention that more logging, AMSI, and endpoint security tooling now provide. In this episode, they explore how FireEye's Mandiant Red Team has responded to this pressure and the techniques they've used to continue to operate.
Casey and Evan share their research around the benefits & drawbacks of the three primary techniques for running shellcode and a project they just released - DueDLLigence - to enable conversion of any shellcode into flexible DLLs for sideloading or LOLbin'ing: https://github.com/fireeye/DueDLLigence
If you want to learn more, check out their blog and #DailyToolDrop at: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Shellabrate good times come on!