Covenant Donut

by Vince
in Blog

I've been using Covenant for over three years now and I still have mixed feelings about it. That being said, I'm still using it, so I probably shouldn't complain about an open source product when the alternative paid product, Cobalt Strike, is $6k. My biggest gripe about Covenant is that it's quirky. I feel like I'm always working around something. For example, Covenant can generate shellcode directly from its launchers, but when I try to process-inject that shellcode, it fails against Defender. When I instead convert the binary launcher with Donut, I can defeat Defender.

Process Injection

by Vince
in Blog

Let's say we have a modern system, and when we drop a malicious executable onto that system, we get caught. We can use a technique called "process injection" which injects our malicious code into the memory space of a running process. To show how effective this technique is, we're going to use a meterpreter reverse shell on a Windows 10 system with Defender enabled.

DIY Web Bugs

by Vince
in Blog

If you're not familiar with Canarytokens, they are web bugs that you can embed into various forms. From their website: "You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests. Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots."
