Kyle Avery
1,147 posts
- Introducing inject-assembly! Execute a .NET assembly in any existing process, including your current Beacon, and retrieve the output!
  - Patches Environment.Exit()
  - PE header stomping
  - Random pipe name generation
  - No blocking of the current Beacon
- Last week I ported TinyNuke HVNC to a Cobalt Strike BOF:
- Excited to announce that I’ll be presenting ‘Avoiding Memory Scanners: Customizing Malware to Evade YARA, PE-sieve, and More’ at #DEFCON30 !
- New DLL hijacking opportunities, triggered using DCOM for lateral movement:
- God, why are men so hard to get gifts for? Wtf do you people want?
- Check out my new blog post on Avoiding Memory Scanners:
- Just published my blog post on a Mythic use case that I find very interesting: multiple implant stages that use the same backend C2 server while still having separate network infrastructure. It includes a Terraform config to deploy the exact setup. blog.kyleavery.com/posts/multi-st…
- Besides BloodHound from @_wald0 + @SpecterOps and PingCastle from @mysmartlogon, what other open source or free tools should every organization be running on a regular basis?
- Just got .NET execution in an existing process working - needs some quality testing but I plan to open source it eventually
- I decided to try something besides Windows this weekend. Here is a Linux sleep obfuscation poc using POSIX timers:
- I've been getting questions about this again recently, so I wrote a small post. Patching .NET functions from an unmanaged CLR harness:
- Today’s outages are a great example of why @Apple kicked EDR out of the kernel. Sure, kernel dev is hard, QA should catch this, etc. - now imagine what would happen if EDR could collect the same data from user-mode. I’m not really an Apple fan, nor am I calling their solution