Adding a Let's Encrypt Certificate to an Azure-Hosted Website

If you host your website in Azure, you might be interested in adding SSL support via Let’s Encrypt. Azure doesn’t offer any functionality to automate this or make it easy, but thankfully there are plenty of useful tools in the PowerShell community to make this easy.

ACMESharp - A PowerShell module to interact with Let’s Encrypt.
Azure PowerShell - A set of PowerShell modules to interact with Azure.

What’s been missing (until now!

Why is SeDebugPrivilege enabled in PowerShell?

We sometimes get the question: Why is the SeDebugPrivilege enabled by default in PowerShell? This is enabled by .NET when PowerShell uses the System.Diagnostics.Process class in .NET, which it does for many reasons. One example is the Get-Process cmdlet. Another example is the method it invokes to get the current process PID for the $pid variable. Any .NET application that uses the System.Diagnostics.Process class also enables this privilege. You can see the .

Detecting and Preventing PowerShell Downgrade Attacks

With the advent of PowerShell v5’s awesome new security features, old versions of PowerShell have all of a sudden become much more attractive for attackers and Red Teams.

PowerShell Downgrade Attacks

There are two ways to do this:

Command Line Version Parameter

The simplest technique is: PowerShell –Version 2 –Command <…> (or of course any of the –Version abbreviations). PowerShell.exe itself is just a simple native application that hosts the CLR, and the –Version switch tells PowerShell which version of the PowerShell assemblies to load.

Differences between Visual Studio 2003, 2005, 2008, 2010, 2012, 2013, and 2015

If you’re interested in knowing when specific Visual Studio compiler options have been introduced, here you go.

2003 to 2005

Option        Purpose
------        -------
/analyze      Enable code analysis.
/bigobj       Increases the number of addressable sections in an .obj file.
/doc          Process documentation comments to an XML file.
/errorReport  Allows you to provide internal compiler error (ICE) information directly to the Visual C++ team.
/favor        Produces code that is optimized for a specific x64 architecture or for the specifics of micro-architectures in both the AMD64 and Extended Memory 64 Technology (EM64T) architectures.

TimeJournal: Time Profiling for Humans

Time Journal helps you analyze where you spend your time by infrequently asking the simple question: “What are you doing?

Setting Visual Studio Code to Auto-Update in the Background

Visual Studio Code has a built-in feature to check for and install updates, but I’ve always been frustrated by having to acknowledge the update, allow the browser to restart, watch an installer, and then get back to what I was about to do anyways (which is edit some text). As a solution, here’s a quick little PowerShell script to run. It will create a background task to run every night at 3:14 AM and update VS Code for you automatically if one is available.

Interactive Rosetta Stone Explorer

In 1799, Napoleon’s explorers discovered a 4-foot tall, 700 lb stone slab in Rosetta (Rashid), Egypt. Explore its hieroglyphics and their meanings with the Rosetta Stone Explorer.

Downloading Plain-Text Wikipedia

If you’ve ever been interested in having all of Wikipedia in a plain-text format, you might have been disappointed to learn that Wikipedia doesn’t actually make this format available. This PowerShell script will create a plain-text version of Wikipedia for you.

More Detecting Obfuscated PowerShell

Edit: If you want to see how deep this rabbit hole goes, check out our Black Hat / DEF CON presentation: In a recent post, we talked a little bit about detecting obfuscated PowerShell through the use of PowerShell’s tokenizer - tackling, as an example, the highly irregular variable names generated by Metasploit’s PowerShell encoder. Obfuscation has been around as long as computer programs have, so the rise of obfuscated PowerShell scripts shouldn’t be much of a surprise.

Fortune 500 PowerPoint Fodder

In preparation for some upcoming presentations, I wanted to make some images of the current Fortune 500 logos. No such resource existed, so now it does. The attached ZIP has:

Logos for the Fortune 500, numbered by their position
A PowerPoint deck with a slide where they are composed together
An image of the logos in a grid
An image of the logos in a grid, with a “Fortune 500” logo on top.