How to defeat DEP on ARM - executing mprotect()
How to defeat DEP on ARM - executing system()
Intro to the setup and tools used in this tutorial
How to exploit ARM devices with W ⊻ X memory protection: Return-Oriented Programming on ARM.
My first steps into reverse engineering embedded systems.
Short summary of my observations on the internet-wide scans of Ethereum JSON RPC interfaces
My first insights into NotPetya and some of its anti-debug techniques.
The new (as of 10.05.2017) version of mimilib (a DLL with a subset of mimikatz features) supports the DNS server-level plugin API and the DHCP Server Callout plugin API. In this post I will quickly cover how to inject the DLL into the DHCP service and how to detect it using Windows event logs and Sysmon.
The Windows DNS Server management protocol, which is based on RPC, allows DnsAdmins and higher-privileged users to load arbitrary DLLs as plugins into the DNS service via DnssrvOperation2. Here's how to monitor for that event.
Mimikatz makes extensive use of OpenProcess to access credentials and patch processes. This event can be monitored with Sysmon (Event ID 10). Here's a list of GrantedAccess values you can monitor.