“of the radicalrijndael class. as we didn’t see any explicit constructors in dnspy, we should expect to see only the default constructor, and indeed this is the case. since the getconstructors method returns a list, we can get the default constructor by saving the zeroth element…”
T1055.001 Dynamic-link Library Injection (93%)
“, and the knowledge that the necessary cryptographic materials were baked into the compiled dll, we now needed to decrypt our encrypted password value. after a quick naive attempt at decryption using a variety of different tools failed, we had an idea on how to proceed. by loadin…”
T1059.001 PowerShell (91%)
“environments that have restrictive application control mechanisms but do not restrict powershell access, but it requires target classes to be public and target methods to be both public and static. from the cryptographic routines in cryptkeeper, we have a non-public, internal c…”
T1620 Reflective Code Loading (90%)
“the exfiltration, modification, and reflective assembly technique, something about it had been nagging at me in the few years since our original discovery: could we possibly bypass .net visibility checks and access private or internal code directly? if we were able to do that, w…”
T1574.001 DLL (83%)
“documentation for the overload shown below. maybe we can use gettype(string) to get a handle on classes in our dll using the absolute names … $greeter = $asm.gettype("cryptkeeper.security.greeter") $radical = $asm.gettype("cryptkeeper.security.radicalrijndael…”
T1055.001 Dynamic-link Library Injection (68%)
“however, we get stopped when we try to access the internal radicalrijndael class. now, we just need to figure out how to get access to the radicalrijndael class. take and bake the first way that i thought of to get access to our target class was to exfiltrate the dll to a machine…”
T1059.001 PowerShell (35%)
“see our public encrypt and decrypt methods! which means that we can decrypt our password without having first modified our dll. ok, so taking this from the top, we end up with the following sequence of powershell commands. $asm = [system.reflection.assembly]::loadfrom("…”
T1059.001 PowerShell (32%)
Summary
by moth Hard-coded cryptographic secrets? In my commercially purchased, closed-source software? It’s more likely than you think. Like, a lot more likely. This blog post details a true story of […]