NOP

NOP

I am a penetration tester specializing in internal network assessments with a strong interest in Red Teaming and Exploitation Development.

Recent Posts

Can Shellcode be Stored Anywhere to Avoid Detection?

16 minute read

The purpose of this post is to research and show how the detection of shellcode has evolved over time and if there are best practices today to avoid being detected if using raw shellcode. Shellcode, often written in machine code or assembly, is essentially a payload crafted to exploit a vulnerability within a targeted application. The payload can range from something simple as opening calculator.exe or something complex such as spawning a reverse remote shell. First I will go over disk vs memory shellcode and the various detection rates of each of them. I will create a simple client/server application that will send shellcode over the network from the client and be executed on the server in memory.

Admin to SYSTEM via Token Stealing

9 minute read

For this research project I wanted to figure out how I could get from Administrator to SYSTEM. Although being apart of the Administrators group grants you a lot of privileges, there are still some things that Windows prevents you from doing. A good example is trying to view HKLM\SAM or HKLM\SECURITY via Registry Editor.

Timestomping 101

4 minute read

Basics of Timestomping This post will try and be all encompassing about timestomping such as what it is, how it is used, who it is used by, and various ways to detect it. Time stomping is a anti-forensics red team tactic centered around changing the time attribute of various objects such as files, directories, registries, etc. Various red teams and APTs will use timestomping to try and blend into their environment. Defenders can be given a false sense of security if a malicious file has the same timestamp as other files in the same directory, indicating that the malicious file has always been there. This blog will cover how to change the created, modified, accessed times of a file.

Win32 API Callstack

4 minute read

This blog post will walk through the complete user-mode call stack process of calling a Win32 API function and how it transitions to kernel mode. Knowing the callstack process of Windows API functions can help a red teamer better understand how and at what level various AVs and EDRs are implemented. This project is compiled with Visual Studio 2022 and run on a standard Windows 11 system.