TL;DR Implant with our encrypted DLL -> allocates memory for the DLL -> put the decrypted DLL into that memory space -> find the offset of the exported ReflectiveLoader function in the DLL -> call the ReflectiveLoader function -> ReflectiveLoader searches backward for the start of the DLL in memory -> allocates a new memory...Read More
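Two of the steps in that chain hide the most detail: locating the exported ReflectiveLoader inside a DLL that is still a flat file image (so export RVAs have to be translated through the section table before they mean anything), and ReflectiveLoader's own backward walk from its address to the DLL's MZ/PE header. The C below is an added example written for this listing, not code from the post or from the original ReflectiveDLLInjection project: it parses the export directory by hand with hard-coded PE field offsets, and it runs against a constructed, minimal PE32+ image (`build_sample_dll`) rather than a real DLL. Function names (`find_export_offset`, `find_image_base`) and the `lowest`/`end` bounds on the backward walk are this example's own; a real loader has no such bound.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MZ_MAGIC       0x5A4D      /* "MZ" */
#define PE_MAGIC       0x00004550  /* "PE\0\0" */
#define PE32_MAGIC     0x10B
#define PE32PLUS_MAGIC 0x20B

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* MZ header whose e_lfanew points at "PE\0\0": the check applied at every step of the backward walk. */
static int looks_like_pe(const uint8_t *img, size_t len) {
    if (len < 0x40 || rd16(img) != MZ_MAGIC) return 0;
    uint32_t e_lfanew = rd32(img + 0x3C);
    if ((size_t)e_lfanew + 24 > len) return 0;        /* room for signature + FileHeader */
    return rd32(img + e_lfanew) == PE_MAGIC;
}

/* RVA -> file offset via the section table (0 if unmapped); the DLL is still a flat file here. */
static uint32_t rva_to_offset(const uint8_t *img, size_t len, uint32_t rva) {
    uint32_t nt = rd32(img + 0x3C);
    uint16_t nsec = rd16(img + nt + 6), opt_size = rd16(img + nt + 20);
    const uint8_t *sec = img + nt + 24 + opt_size;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return 0;
        uint32_t va = rd32(sec + 12), raw = rd32(sec + 16), ptr = rd32(sec + 20);
        if (rva >= va && rva < va + raw) return rva - va + ptr;
    }
    return 0;
}

/* Step "find the offset of the exported ReflectiveLoader": file offset of export `name`, 0 if absent. */
uint32_t find_export_offset(const uint8_t *img, size_t len, const char *name) {
    if (!looks_like_pe(img, len)) return 0;
    uint32_t nt = rd32(img + 0x3C); if ((size_t)nt + 144 > len) return 0; /* through DataDirectory[0] */
    const uint8_t *opt = img + nt + 24; uint16_t magic = rd16(opt);
    uint32_t dd = magic == PE32PLUS_MAGIC ? 112 : magic == PE32_MAGIC ? 96 : 0;
    if (!dd || !rd32(opt + dd)) return 0;              /* unknown format or no export table */
    uint32_t exp = rva_to_offset(img, len, rd32(opt + dd));
    if (!exp || exp + 40 > len) return 0;
    uint32_t nnames = rd32(img + exp + 24);
    uint32_t funcs = rva_to_offset(img, len, rd32(img + exp + 28));
    uint32_t names = rva_to_offset(img, len, rd32(img + exp + 32));
    uint32_t ords  = rva_to_offset(img, len, rd32(img + exp + 36));
    if (!funcs || !names || !ords) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        if (names + i * 4 + 4 > len || ords + i * 2 + 2 > len) return 0;
        uint32_t s = rva_to_offset(img, len, rd32(img + names + i * 4));
        if (!s || s >= len || strncmp((const char *)img + s, name, len - s)) continue;
        uint32_t ord = rd16(img + ords + i * 2);       /* name index -> function index */
        if (funcs + ord * 4 + 4 > len) return 0;
        return rva_to_offset(img, len, rd32(img + funcs + ord * 4));
    }
    return 0;
}

/* Step "ReflectiveLoader searches backward": from an address inside the image, walk back to the
 * MZ/PE header. `lowest`/`end` keep this example inside its buffer; the real loader has no bound. */
const uint8_t *find_image_base(const uint8_t *inside, const uint8_t *lowest, const uint8_t *end) {
    for (size_t off = (size_t)(inside - lowest) + 1; off-- > 0;) {
        const uint8_t *p = lowest + off;
        if (looks_like_pe(p, (size_t)(end - p))) return p;
    }
    return NULL;
}

/* Constructed sample, not a real DLL: minimal PE32+ with one section exporting DllMain and ReflectiveLoader. */
#define SAMPLE_LEN 0x500
uint8_t *build_sample_dll(void) {
    uint8_t *b = calloc(SAMPLE_LEN, 1);
    wr16(b, MZ_MAGIC); wr32(b + 0x3C, 0x40);                  /* e_lfanew -> NT headers */
    wr32(b + 0x40, PE_MAGIC); wr16(b + 0x44, 0x8664); wr16(b + 0x46, 1); /* AMD64, one section */
    wr16(b + 0x54, 0xF0); wr16(b + 0x56, 0x2022); wr16(b + 0x58, PE32PLUS_MAGIC);
    wr32(b + 0x58 + 112, 0x1000); wr32(b + 0x58 + 116, 0x90); /* export DataDirectory RVA/size */
    uint8_t *sec = b + 0x148; memcpy(sec, ".text", 5);       /* first section header */
    wr32(sec + 8, 0x300);  wr32(sec + 12, 0x1000);            /* VirtualSize, VirtualAddress */
    wr32(sec + 16, 0x300); wr32(sec + 20, 0x200);             /* SizeOfRawData, PointerToRawData */
    uint8_t *exp = b + 0x200;                                 /* export directory = RVA 0x1000 */
    wr32(exp + 20, 2); wr32(exp + 24, 2);                     /* NumberOfFunctions, NumberOfNames */
    wr32(exp + 28, 0x1030); wr32(exp + 32, 0x1040); wr32(exp + 36, 0x1080);
    wr32(b + 0x230, 0x1100); wr32(b + 0x234, 0x1200);         /* AddressOfFunctions */
    wr32(b + 0x240, 0x1050); wr32(b + 0x244, 0x1060);         /* AddressOfNames (sorted) */
    strcpy((char *)b + 0x250, "DllMain"); strcpy((char *)b + 0x260, "ReflectiveLoader");
    wr16(b + 0x280, 0); wr16(b + 0x282, 1);                   /* AddressOfNameOrdinals */
    b[0x300] = 0xC3; b[0x400] = 0xC3;                         /* `ret` stubs for both exports */
    return b;
}

/* Wrappers over the sample so results can be checked without leaking it. */
uint32_t sample_export_offset(const char *name) {
    uint8_t *dll = build_sample_dll();
    uint32_t off = find_export_offset(dll, SAMPLE_LEN, name);
    free(dll); return off;
}
int sample_base_found_from(uint32_t probe) {
    uint8_t *dll = build_sample_dll();
    int ok = find_image_base(dll + probe, dll, dll + SAMPLE_LEN) == dll;
    free(dll); return ok;
}
```

In the sample, `sample_export_offset("ReflectiveLoader")` resolves to file offset 0x400, which is what the implant would add to the base of the buffer it allocated for the decrypted DLL before calling it; `sample_base_found_from(0x400)` then shows the loader recovering the image start from that same address. On Windows the hand-rolled header reads would be the `IMAGE_DOS_HEADER` / `IMAGE_NT_HEADERS` / `IMAGE_EXPORT_DIRECTORY` structs from `<windows.h>`, and the backward walk stops only when it finds a valid header, so a DLL whose headers were stripped or overwritten after mapping never resolves.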
In last week’s blog, I started outlining some of the considerations when choosing a penetration testing provider, including a list of general questions you should ask during your early correspondence with a prospective provider. As mentioned in my previous post, procuring offensive security services is a relatively new undertaking for many companies, and the complexities can make...Read More
Recently, I received a call from a long-time friend of mine with whom I had never had the opportunity to work professionally. His company was launching a new online store, and after hearing his plans, we conducted an application penetration test to ensure it was secure for launch. This was the last person I thought...Read More
Introduction The last blog post I wrote got way more recognition than I expected and because of that, I was inspired to continue writing and sharing my experiences/research. This blog will be about the short journey I took to hone bypasses relating to Constrained Language Mode in PowerShell and AppLocker Policies. My goal was to...Read More
Overview I was working on my OSEP certification when I was inspired to stop studying for a bit to deep-dive into malicious word documents. The OSEP certification inspired a lot of the content you’ll see here and gave me a base to work up from. If you’re looking for your next cyber security knowledge binge,...Read More
We perform hundreds of offensive security engagements such as penetration testing and red teaming every year. During these engagements, we commonly exploit vulnerabilities to obtain some initial level of access and perform post-exploitation to demonstrate what an attacker could do and how far they could go. Along the way, we have encountered just about every...Read More
A few months ago, our CTO and hacker-in-chief, Jake Reynolds, bought a glucometer online along with all the necessary stuff to make it work. He thought it would make for an interesting project, as researching this device and its related infrastructure could help improve security in a worthwhile field: health / medical devices. During a...Read More
TLDR; We are introducing Armory, a tool that adds a database backend to dozens of popular external and discovery tools. This allows you to run the tools directly from Armory, automatically ingest the results back into the database and use the new data to supply targets for other tools. Why? Over the past few years...Read More
Everyone who works in or is tasked with hiring for the InfoSec industry understands that one of the biggest challenges is acquiring and keeping talent. There is a deficit of good people, and that includes senior executives. In the case of CISOs, the average tenure (according to industry research) is 24 to 48 months, with...Read More
Overview During a recent internal penetration test, the need arose to exploit a Java two-stage deserialization vulnerability. This post will walk through how to twist a Nessus plugin, meant to test only for the existence of an RCE vulnerability, into a weaponized exploit that can be utilized to attain a reverse shell on your own...Read More