ITSEC Newsletter
Posts
ITSEC Newsletter 2023-05-11

ITSEC Newsletter 2023-05-11

Red team is best team

Henrik Falk
May 11, 2023

Exploring Impersonation through the Named Pipe Filesystem Driver

Introduction

posts.specterops.io/exploring-impersonation-through-the-named-pipe-filesystem-driver-15f324dfbaf2

"This post covers file system drivers, specifically the named pipe driver (npfs.sys), as well as shows a proof of concept for calling NtFsControlFile directly to perform named pipe impersonation instead of calling the Win32 API, ImpersonateNamedPipeClient."

Fantastic Rootkits and Where to Find Them (Part 2)

Know Your Enemy In the previous post (Part 1), we covered several rootkit technique implementations. Now we will focus on kernel rootkit analysis, looking at two case studies of rootkits found in...

www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-2

“In the previous post (Part 1), we covered several rootkit technique implementations. Now we will focus on kernel rootkit analysis, looking at two case studies of rootkits found in the wild: Husky Rootkit and Mingloa/CopperStealer Rootkit.Through these case studies, we’ll share our insights about rootkit analysis techniques and methodology."

AppDomain Manager Injection: New Techniques For Red Teams | Rapid7 Blog

This article details a variety of ways to perform and utilize AppDomain Manager Injection during red team operations.

www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams

"AppDomain Manager Injection is a very versatile and useful technique for red team operators. This technique allows you to effectively turn any Microsoft.NET application on a Windows host into a lolbin (Living Off the Land Binary) by forcing the application to load a specially crafted .NET assembly, using its assembly full name."