In part 11, we completed the ROP bypass of the DEP. In this part, we’ll begin our first exercise compiled in 64 bits. Before beginning, we’ll go over a few concepts in detail, because this exercise requires a new frame of reference. While the base is the same, it’s important to know the differences between 32 and 64 bits in order to be successful in reversing.
In The New Normal in Cybersecurity Part 1, we examined three leading trends in the cybersecurity community over the past year. In this installment, we will take a look into the future and make predictions about where the cybersecurity landscape is potentially headed in 2022 and beyond.
The past year has shown organizations that uncertainty and a transformed reality are the new normal in business. While remote work was intended as a temporary response to the global pandemic, it is now considered a regular part of the business environment—fundamentally altering the way companies operate. This means organizations have had to respond in real-time to shift their cybersecurity strategies and keep up with an expanding IT infrastructure, the explosion of IoT devices, and a new wave of threats from more sophisticated attackers.
This post focuses on creating Cobalt Strike Beacon Object Files using the MinGW compiler on Linux. We will discuss several ideas and best practices that will increase the quality of your BOFs.
Flexibility
Compiling to Both Object Files and Executables
While writing a BOF is great, it’s always worth making the code compile to both BOF and EXE.
Ekoparty began as an underground hacking event, but has grown into one of the foremost cybersecurity conferences in Latin America. This year was the 20th anniversary of the incredible infosec event, which takes place every year in Buenos Aires. In order to discover insights from this year’s conference, we talked with two experts from Core Security who attended, and also served as trainers at the Hackademy portion of the event.
Motivation
It’s a well-known fact that TV shows and movies pride themselves on their complete and total accuracy when it comes to portraying historical events, illnesses, or jobs. That’s how we know that everyone in olden times spoke in British accents no matter what country they were in, people with tuberculosis casually cough up blood while otherwise carrying on as normal, and all doctors wander about in form fitting scrubs with only one patient to treat—right?
In part 10, we started exploring different protections and mitigations that we may find. In this part, we’ll continue this exercise, completing the ROP bypass of the DEP.
Roping Step by Step
Typically, there are tools that, in simple cases can automatically build a ROP. However, in difficult cases, these tools generally can’t fully build one, or can only partially do so, leaving one to complete by hand the work that the tool could not do.
IT environments have grown increasingly sophisticated, giving individuals and businesses capabilities they never could have dreamed of 20 years ago. However, the only thing growing faster than technology are the threats to it.
Having your Active Directory breached is bad enough, but an attacker who gains persistence is even more dangerous. The longer they are able to hide in your Active Directory forest, the better chance they have of gaining access to your organization’s crown jewels. Undetected, they can comfortably wait for the most opportune time to take control, stealing your organization’s most sensitive data and do with it what they please.