Abusing Microsoft Warbird for Shellcode Execution - from 2024 but recently utilised in the Notepad++ payloads

cirosec.de

Abusing Microsoft Warbird for Shellcode Execution - from 2024 but recently utilised in the Notepad++ payloads

cirosec.de

digicatM to

blueteamsecEnglish · 2 days ago

Abusing Microsoft Warbird for Shellcode Execution - cirosec

cirosec.de

November 7, 2024 - In this blog post, we’ll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. We’ll show how we can encrypt our shellcode and let the Windows kernel decrypt and load it for us using the Warbird API. Author: Jan-Luca Gruber and Frederik Reiter

You must log in or # to comment.

Chat

blueteamsec

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !blueteamsec@infosec.pub

For [Blue|Purple] Teams in Cyber Defence - covering discovery, detection, response, threat intelligence, malware, offensive tradecraft and tooling, deception, reverse engineering etc.

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

15 users / day
111 users / week
260 users / month
917 users / 6 months
220 local subscribers
611 subscribers
2.27K Posts
175 Comments
Modlog

mods:
digicat