I'll be speaking at Skytalks at DEF CON this Friday at 13.00 about conducting practical attack simulations in critical national infrastructure. defcon.outel.org/dc26-consolida… Skytalks

I’m going to really enjoy presenting this with William Knowles blogs.technet.microsoft.com/bluehat/2018/0… #Microsoft #BlueHat v18.

Finally got round to releasing part two. Thought I’d use the excellent GhostPack by SpecterOps/Will Schroeder as an example countercept.com/blog/detecting…

About to head to #BlueHatv18. If you’re around, do come along to hear myself & William Knowles from MWR Infosecurity mwrlabs talk about “Overt C2: The Art of Blending In” on Thursday at 16:10 PM. There will be demos of new shiny #RedTeam tooling C3 \0/

Looking forward to sharing new #RedTeam shiny C3 tooling from mwrlabs William Knowles tomorrow with the #BlueHatV18 attendees.

Very happy to say I'll be presenting at TROOPERS Conference #TR19 along with my colleague James Coote this coming March. The topic will be practical attack simulations in industrial environments.

A C# tool to enumerate remote access policies via GPO. Useful for targeted lateral movement!! based on prior work of Jon Cave and William Knowles github.com/mwrlabs/SharpG…

labs.mwrinfosecurity.com/tools/c3/ github.com/mwrlabs/C3

Exploring code coverage for module stomping - injecting into unused code areas in legitimately loaded DLLs - williamknowles.io/living-dangero…

C3 now supports C2 over LDAP for all your egress and lateral movement needs. Looks like LDAP, quacks like LDAP, must be LDAP? labs.f-secure.com/blog/introduci…

Abusing Windows section object permissions for privilege escalation. An interesting case that permitted application-specific environment variables to be modified resulting in arbitrary DLL loads. Affects GE iFIX < 6.1 (industrial HMI product). applied-risk.com/resources/ge_i…

Porting existing .NET projects for use with the fantastic BOFNET from CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 (in-process .NET assembly execution in Cobalt Strike for when you need to avoid fork and run). williamknowles.io/quickly-portin…

bofnet_executeassembly - integrating in-process standard .NET assembly execution into BOF.NET. No modifications to executed assemblies required (unlike my last tweet). Thanks CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 for pointing me in the right direction! github.com/CCob/BOF.NET/p…

Fetching SharpHound data entirely in-memory (no dropped ZIP or JSON files) using BOF.NET and Cobalt Strike. williamknowles.io/fetching-sharp…

Re: SAM permissions, a possible cause: interestingly if you re-enable "RegBack" (auto-backup of these sensitive files, which was disabled by default in Windows 10 1803) it *corrects* the permissions after a reboot (removing "Read" for "Users"). Tested on 20H2 and 1909.

Little OPSEC TIL. For dumping processes with MiniDumpWriteDump, it doesn't matter if your initial handle only has query and read memory permissions, it goes fully rogue, and opens a new handle with full access rights (inc. w/ duplicated handles - and from your current process).

.NET GAC and NIC hijacking for lateral movement: williamknowles.io/net-gac-and-ni…