PowerShell: In-Memory Injection Using CertUtil.exe
May 31, 2018, Shane Rudy, Senior Security Consultant, Coalfire Labs
Have you ever heard the old saying, “The only constant in life is change?” Nothing is truer in the world of penetration testing and information security than the certainty of change. New defenses are always emerging, and the guys and gals in the red team game are always having to evolve our efforts to evade defenses. This week was one of those weeks for me.
I was ramping up for an internal engagement and had another one on the way when I discovered that Microsoft had just stepped up their game recently with Windows Defender, which is now present on just about every recent Microsoft operating system we run into. I started to panic a little. I had a good run for a few years using PowerShell cradles with Invoke-Shellcode to rein shells rather easily, but not anymore. Like all good things, my tried and true method had now been demolished.