Intro The wireless security landscape has remained largely unchanged since the development of Wi-Fi Protected Access (WPA/WPA2) in the early 2000s. However, in recent years the Wi-Fi alliance has made significant efforts to address long standing issues within these standards. In this entry I will shed some light on common infrastructure configurations, their associated...Read More

In the 11+ years Depth has been in business we’ve had the opportunity to see some less than stellar work as far as assessment services go. Our clients often send us assessment reports they’ve received from other security firms. Sometimes they want us to check remediation status on a single item. Other times they aren’t...Read More

TL;DR The current state of password spraying Office 365 accounts could benefit from new approaches to bypassing Azure AD conditional access policies and other techniques that make it difficult to detect password spraying techniques. Built with Python 3 using Microsoft’s Authentication Library (MSAL), Spray365 makes password spraying more effective by identifying insecure conditional access policies and allows...Read More

Intro This blog post will be covering the classic technique used to unhook Windows APIs from EDR solutions. API hooking is a technique that is used by anti-virus and EDR solutions in an attempt to monitor process and code behavior in real time. Commonly, EDR solutions will hook Windows APIs in NTDLL.dll because the APIs...Read More

TL;DR Implant with our encrypted DLL -> allocates memory for the DLL -> put the decrypted DLL into that memory space -> find the offset of the exported ReflectiveLoader function in the DLL -> call the ReflectiveLoader function -> ReflectiveLoader searches backward for the start of the DLL in memory -> allocates a new memory...Read More

In last week’s blog, I started outlining some of the considerations when choosing a penetration testing provider, including a list of general questions you should ask during your early correspondence with a prospective provider. As mentioned in my previous post, procuring offensive security services is a relatively new undertaking for many companies, and the complexities can make...Read More

Recently, I received a call from a long-time friend of mine with who I had never had the opportunity to work professionally. His company was launching a new online store, and after hearing his plans, we conducted an application penetration test to ensure it was secure for launch. This was the last person I thought...Read More

Introduction The  last blog post I wrote got way more recognition than I expected and because of that, I was inspired to continue writing and sharing my experiences/research. This blog will be about the short journey I took to hone bypasses relating to Constrained Language Mode in PowerShell and AppLocker Policies. My goal was to...Read More

Overview I was working on my OSEP certification when I was inspired to stop studying for a bit to deep-dive into malicious word documents. The OSEP certification inspired a lot of the content you’ll see here and gave me a base to work up from. If you’re looking for your next cyber security knowledge binge,...Read More

We perform hundreds of offensive security engagements such as penetration testing and red teaming every year.  During these engagements, we commonly exploit vulnerabilities to obtain some initial level of access and perform post-exploitation to demonstrate what an attacker could do and how far they could go.  Along the way, we have encountered just about every...Read More