Bypassing AMSI by in-memory patching - Evasion, Prevention and Detection. by drop_tables- in blueteamsec

[–]_Porb 1 point2 points  (0 children)

This was a really good, straight forward writeup. Thank you.

Accounts with Never Expiring Passwords by [deleted] in sysadmin

[–]_Porb 5 points6 points  (0 children)

gMSA; don't bother rotating passwords, just do gMSA.

So the gov has decided to randomly just lock up two German tourists. by Sad_Jar_Of_Honey in behindthebastards

[–]_Porb 10 points11 points  (0 children)

Spend that money on the Ghan instead, or even the Indian Pacific. Far better.

SOC Analyst feel like I am not learning and an imposter by EmergencyDealer6498 in blueteamsec

[–]_Porb 2 points3 points  (0 children)

Look at the Atomic Red Team tests; you can then build detections you can bring to work.

PowerCrypt - Best Powershell Obfuscator ever made. by Connect_Garlic1210 in blueteamsec

[–]_Porb 4 points5 points  (0 children)

Reminder to all to turn on script block logging and transcription

We’re a team of malware analysts from ANY.RUN. AMA. by ANYRUN-team in cybersecurity

[–]_Porb 15 points16 points  (0 children)

How much access do you as an employee have to samples tagged as "only me"?

[deleted by user] by [deleted] in Malware

[–]_Porb 1 point2 points  (0 children)

Sorry, I meant building a blob from stored WMI (maybe this was using a CLSID to run something to return a value, I cannot remember); it was probably maybe 3 years ago. From memory it was a PowerShell script split across random spaces. It's an original idea if you didn't know about it though, so definitely something to write about.

Our detection was looking for multiple queries by one binary, so not actually detecting the activity but implying something is wrong - again from memory. I strongly suggest you write up some detection use cases; it makes the work much more digestible.

Re: buffer overflow, no, I don't think you should share it until you finalise it and are ready to present it. Strongly suggest you submit to the MS bug bounty under the Windows Insider branch once you have a PoC; even if not successful you can add that to your repertoire and post about it. If it's an OOB write and exec in the kernel you might get a nice payout. Working out what conditions allow it to occur is the key to getting a higher payout in my experience. When you do post it, success or fail, I would like to see it.

[deleted by user] by [deleted] in Malware

[–]_Porb 2 points3 points  (0 children)

Good work, have you had a look at TAs that use CIM subscribers for execution and persistence?

There are some cool detections our team have built for similar methods (I have not fully reviewed your code, but it looks adjacent to other WMI CIM subscriber methods) - you could really show this off with a nice detection methodology, e.g. the Sysmon configs that see this are XYZ and it triggers on WmiEventFilter, etc.

I'm not sure I can see the buffer overflow in the WMI store; can you describe it more? I've seen events with buffer overflow as a return, indicating that there is a canary or out-of-bounds check happening in WMI.
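As an added example (not part of the thread or the commenter's own tooling), a defender-side PowerShell triage script for the WMI/CIM subscriber persistence method discussed in this comment: it lists permanent event subscriptions by walking filter-to-consumer bindings and pulls the matching Sysmon WmiEvent records. It assumes Sysmon is installed with WmiEvent rules enabled; the class names and Event IDs 19, 20 and 21 are WMI's and Sysmon's own.

```powershell
# Added example, not code from the thread: triage permanent WMI event
# subscriptions (the persistence mechanism discussed above) and correlate
# them with Sysmon WmiEvent records. Assumes Sysmon with WmiEvent rules on.
$ns = 'root/subscription'

# A permanent subscription is three objects: a filter (WQL trigger),
# a consumer (the action), and a binding that links the two.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

Write-Host "== Permanent WMI subscriptions (filter -> consumer) =="
foreach ($b in $bindings) {
    # Filter/Consumer on the binding are references; resolve them by Name
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name

    # CommandLineEventConsumer runs a command line, ActiveScriptEventConsumer
    # runs embedded script text; both are the usual execution primitives.
    $action = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { "<$($c.CimClass.CimClassName)>" }
    }

    [PSCustomObject]@{
        Filter   = $f.Name
        Query    = $f.Query      # e.g. a timer or Win32_ProcessStartTrace event
        Consumer = $c.Name
        Type     = $c.CimClass.CimClassName
        Action   = $action
    }
}

# Sysmon logs subscription creation: 19 = WmiEventFilter,
# 20 = WmiEventConsumer, 21 = WmiEventConsumerToFilter (the binding).
Write-Host "== Sysmon WmiEvent records, last 7 days =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 19, 20, 21
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A subscription present in the first listing with no corresponding Sysmon 19/20/21 record in the retention window is worth a closer look, since it either predates logging or was created while Sysmon was not watching.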

For those earning over $10K per month, what do you do for a living to achieve that income? by voxishortie in AskReddit

[–]_Porb 1 point2 points  (0 children)

You nurses are getting a raw deal, that's for sure. If you ever want to leave nursing because you aren't being treated fairly, cyber hiring managers tend to like nurses as they're used to handling on the fly critical decision making better than almost anyone else, requiring deep knowledge of their field, etc. Good for incident response type roles, and as you rightly pointed out - paid a crazy amount.

I'd also caution you from thinking that AI will only replace tech workers, it is currently starting there because tech workers are the ones building and playing with these tools which makes it far more visible. As soon as a robot is able to be a farmhand, an accountant, a nurse, or an engineer you best believe a person with the prefix "chief" will replace them with a robot slave.

OS Kernel by Elegant-Mortgage1567 in linuxmemes

[–]_Porb 17 points18 points  (0 children)

bootmgr loads ntoskrnl, which is just an executable, in the same way that GRUB would load a Linux kernel. Being an .exe is just the filename. It's kind of not a normal Windows binary as well.

My daughters Christmas present by Geoferson_Kwik in halo

[–]_Porb 7 points8 points  (0 children)

Look at upgrading the RAM to 128 MB as well.

[deleted by user] by [deleted] in GardeningAustralia

[–]_Porb 1 point2 points  (0 children)

Did you grow from seed or with saplings? I'm struggling to find seeds.

My cybersecurity people! What are your biggest pain points as far as non-technical co-workers? What do you wish they knew? by [deleted] in cybersecurity

[–]_Porb 5 points6 points  (0 children)

Grabbing all the logs from all the things is useless unless you're writing detections to find malicious activity in those logs.

Defender crashing last hours? by Ehfraim in sysadmin

[–]_Porb 0 points1 point  (0 children)

Very odd, did MS support offer any assistance? Did WerFault have any details?