The number of Lateral Movement techniques that an attacker can use in an Active Directory environment is limited. The most well-known techniques for executing code on a remote system with administrative privileges are as follows:| S3cur3Th1sSh1t
More than four years have passed since I wrote my first blog posts about bypassing the Antimalware Scan Interface (AMSI) via manual modification and the difference between Powershell and .NET-specific bypasses:| S3cur3Th1sSh1t
In 2018, Tenable published a blog post on how to get Remote Code Execution (RCE) on an Axis IP Camera with administrative credentials for the web application. By uploading a malicious APP file with the EAP extension, it’s possible to execute code on the operating system level for persistence or data exfiltration.| S3cur3Th1sSh1t
The security of WPA2 PSK-protected networks depends mainly on the complexity of the chosen PSK itself. Most attacks with the goal of gaining unauthorized access to a WPA2 PSK Wi-Fi network rely on offline wordlist or brute-force attacks to recover the key, either from a captured handshake or from a PMKID. We at r-tec recommend that companies not use WPA2 PSK at all, even when a strong, complex PSK is chosen. On the one hand, a complex PSK can easily be phished via Evil-Twin attacks.| S3cur3Th1sSh1t
A very common technique used by threat actors as well as Red Teams is Process Injection. With Process Injection, any position-independent code (shellcode) can be written into a remote process and executed there, so that it subsequently runs in the context of that process.| S3cur3Th1sSh1t
Phishing attacks are still the most used attack vector for initial access and credential stealing from our perspective. As phishing attempts become more freq...| s3cur3th1ssh1t.github.io
This is a short post on how to use stageless HTTP Grunts in Covenant, plus some staged vs. stageless thoughts from my side.| s3cur3th1ssh1t.github.io
This post is about common misconfigurations and attack scenarios that enable an attacker to access separated networks with critical systems or sensitive data...| s3cur3th1ssh1t.github.io
Last year I had the idea for a new approach to block EDR DLLs from loading into a newly spawned process. After several months this idea led to a PoC, which ...| s3cur3th1ssh1t.github.io
Some days ago I woke up in the middle of the night, thinking about the Advapi32.dll/SystemFunction032 function. Really? Yes. Strange, these InfoSec folks. Th...| s3cur3th1ssh1t.github.io
In this blog post, the main difference between signature-based and behavior-based detections is explained. In addition, examples are shown with respective D...| s3cur3th1ssh1t.github.io
This post will explain my trials and fails and the road to success in building scripts to dump LSASS from memory. It’s nothing new: existing tools, existing tec...| s3cur3th1ssh1t.github.io
In recent years my team at r-tec was confronted with many different company environments, in which we had to search for vulnerabilities and misconfiguratio...| s3cur3th1ssh1t.github.io