Home
Tony Lambert
Cancel

Analyzing an Empire macOS PKG Stager

Command and control (C2) frameworks often support multiple platforms, and PowerShell Empire is no different. In older days, there was a Python Empyre version that eventually merged into the full Em...

How Qbot Uses Esentutl

A colleague asked me a question today about the relationship between Qbot and a Windows system utility: esentutl.exe. It’s been sparsely documented via tweet, and I want to more fully explain why Q...

Linux EDR Evasion With Meterpreter and LD_PRELOAD

Everyone has their favorite adversary technique to research and mine is LD_PRELOAD process injection because it’s pretty versatile. It lets you hook functions to manipulate output, and it can also ...

Exploiting Yum and DNF Plugins for Persistence

Two Metasploit Framework modules have held my interest in the last few weeks: the ones for persistence using Linux package managers apt and Yum. While they require root privileges to exploit, they ...

When Local Password Resets Aren't Local

When You Reset a Domain Administrator Instead of Local During an IR engagement, one of my colleagues identified malicious activity where an adversary reset the password for a local administrator a...

Whitelisting LD_PRELOAD for Fun and No Profit

If you’ve been around the Linux/BSD/Solaris/Other UNIX ecosystem for a while you’ve probably heard of the fabled LD_PRELOAD trick. If you haven’t heard of it, let me introduce you to one of the lon...

Adding Process Hiding to Merlin

Sometimes red team tools need a little bit of extra love to address certain platforms. As I researched Merlin for detection strategies on the blue team side, I noticed that it could use some extra ...

Making Meterpreter Look Google Signed

In this post I’ll use some of the information made public by VirusTotal in a recent blog post and show how you can easily create a Metasploit Meterpreter payload and append it to a signed MSI file....

My SANS DFIR NetWars Experience

At SANSFIRE 2018 in Washington, DC I had the awesome opportunity to compete in SANS DFIR NetWars with a coworker from Red Canary. This was my first experience with NetWars, and I wasn’t sure what t...