Process Hollowing Explained: How Malware Hides in Trusted Processes

 Process Hollowing

Process hollowing (also called RunPE) is a technique used in malware and offensive security in which a legitimate process is created in a suspended state, its memory is replaced (or “hollowed out”) with malicious code, and execution is then resumed so the malicious code runs under the guise of a trusted process.

Below is a detailed but safe, high-level explanation of how it works, why attackers use it, and how it’s detected.

What Process Hollowing is

Process hollowing is a code injection/evasion technique that allows attackers to:

• Run malicious code inside a legitimate process
• Avoid detection by antivirus and behavioral monitoring
• Blend into normal system activity

Instead of launching a suspicious executable directly, malware makes it appear as though a trusted application (e.g., explorer.exe, svchost.exe) is running normally, while its actual code has been replaced.

Conceptual Workflow (High-Level)

Here’s a simplified conceptual flow of how process hollowing works:

1. Create a Legitimate Process in Suspended Mode

• A trusted executable is launched (e.g., Notepad, svchost)
• It is intentionally paused immediately after creation
• At this moment, it has:
• Valid structure
• No meaningful execution yet

2. Remove or Unmap Original Memory

• The attacker (malware) removes the legitimate executable's code from memory
• This creates an empty “shell” process

This is where the “hollowing” name comes from; the process is emptied internally, but still exists externally

3. Allocate Memory for Malicious Code

• The malware allocates memory inside the hollowed process
• This memory is used to store the attacker’s payload

4. Inject Malicious Payload

• The attacker’s code is written into the target process memory
• The process now contains malicious instructions instead of legitimate ones

5. Adjust Execution Context

• The instruction pointer (CPU execution location) is modified
• So when resumed, it executes attacker-controlled code instead of the original program

6. Resume Execution

• The suspended process is resumed
• From the OS perspective:
• It looks like a normal, trusted application running
• In reality:
• It is executing malicious logic inside

Why Attackers Use Process Hollowing

1. Stealth

• Appears as a trusted system process
• Reduces suspicion from users and security tools

2. Evasion

• Many security solutions trust system binaries
• Helps bypass signature-based detection

3. Persistence and Privilege Abuse

• If targeting privileged processes, attackers can inherit higher permissions
• Helps escalate impact without obvious triggers

Technical Characteristics (Detection Clues)

Even though it is stealthy, process hollowing leaves behavioral artifacts:

Memory Behavior

• Memory regions with:
• Executable permissions
• Unexpected content not matching the original file

API Usage Patterns

Malicious programs often use sequences like:

• Process creation in suspended state
• Memory unmapping/allocation
• Writing to another process's memory
• Thread/context manipulation

Mismatch Indicators

• Executable image on disk ≠ memory image in RAM
• Process name doesn’t match its behavior

Defensive Mitigation Strategies

1. Behavioral Detection

• Monitor suspicious sequences of API calls
• Look for:
• Suspended process creation + memory modification

2. Memory Integrity Checking

• Compare process memory vs. the original executable file
• Detect anomalies in loaded code segments

3. Endpoint Detection & Response (EDR)

• Modern EDR tools flag:
• Process injection patterns
• Context manipulation

4. Least Privilege Principle

• Prevent malware from manipulating high-privilege processes

5. Application Control

• Restrict execution of unknown binaries
• Enforce signed code policies

Comparison to Related Techniques

Important Context

Process hollowing is widely used by:

• Malware families (banking trojans, RATs)
• Advanced persistent threats (APTs)
• Red team/penetration testing tools (for simulation)

However, it's also studied in defensive cybersecurity to understand attacker techniques.

Summary

Process hollowing is a stealthy code injection technique that:

• Creates a legitimate process
• Empties it internally
• Inserts malicious code
• Executes it under a trusted identity

It’s powerful because it exploits trust relationships in operating systems, making malicious activity appear legitimate.

ntlmrelayx Explained: Mechanics, Attacks, and Defenses

 ntlmrelayx

ntlmrelayx is a well-known tool from the Impacket suite used in cybersecurity, primarily for penetration testing and red-team exercises. It exploits weaknesses in Microsoft’s NTLM (NT LAN Manager) authentication protocol to perform what’s called an NTLM relay attack.

1. Background: NTLM Authentication

Before understanding ntlmrelayx, you need to know how NTLM works.

NTLM basics

NTLM is a challenge-response authentication protocol used in Windows environments when Kerberos isn’t available.

Simplified flow:

1. Client requests authentication to a server

2. Server sends a challenge (random value)

3. Client encrypts the challenge using its password hash → sends response

4. Server verifies response

Important property:

• The password is never sent directly, but the response can still be reused in certain contexts.

2. What Is an NTLM Relay Attack?

An NTLM relay attack takes advantage of:

• NTLM’s lack of binding between authentication and the target service
• The ability to reuse authentication messages across services

Concept:

An attacker:

1. Tricks a victim into authenticating to them

2. Intercepts the NTLM authentication

3. Relays it to another service/server

4. Gains access as the victim

Key point:

The attacker does NOT crack the password; they just reuse the authentication.

3. What ntlmrelayx does

ntlmrelayx is a tool that:

• Receives incoming NTLM authentication
• Relays it to another target system or service
• Optionally performs post-authentication actions

It essentially automates NTLM relay attacks.

4. High-Level Architecture

ntlmrelayx acts as a multi-protocol relay server.

Components:

• Listener(s):
• SMB
• HTTP/HTTPS
• LDAP
• MSSQL
• Relay engine
• Targets list
• Attack modules (post-auth actions)

Logical flow:

• Victim → ntlmrelayx (attacker) → Target server

5. Step-by-Step Conceptual Flow

Step 1: Trigger authentication

The attacker causes a victim machine to authenticate via:

• SMB (file share)
• HTTP (web request)
• Other protocols

Step 2: Capture NTLM handshake

The victim sends:

• Username
• NTLM challenge/response

Step 3: Relay to the target

ntlmrelayx forwards the authentication to a target system:

• File server (SMB)
• Active Directory (LDAP)
• Web app (HTTP)
• SQL server

Step 4: Target accepts authentication

If protections are not enabled:

• The target believes it’s talking directly to the victim
• Grants access

Step 5: Perform actions

Depending on the configuration, ntlmrelayx can:

• Dump data
• Execute commands (if privileges allow)
• Modify LDAP objects
• Add users or privileges

6. Supported Protocols

ntlmrelayx is powerful because it supports many protocols:

Input (incoming authentication):

• SMB
• HTTP/HTTPS

Relay targets:

• SMB
• LDAP / LDAPS
• HTTP / HTTPS
• MSSQL
• IMAP / SMTP (limited cases)

7. Common Use Cases (High-Level)

In authorized testing environments, it is used to:

1. Lateral movement

• Reuse one machine’s authentication to access another system

2. Privilege escalation

• Relay a domain admin’s authentication to LDAP to modify AD

3. Active Directory attacks

• Abuse LDAP to:
• Add computer accounts
• Modify delegation settings
• Change permissions

4. Data access

• Access SMB shares without credentials

8. Why NTLM Relay Works

The vulnerability exists because:

NTLM lacks:

• Mutual authentication (client verifies server, but not vice versa)
• Channel binding (authentication isn’t tied to a specific connection)
• Integrity protection across services

9. Defenses against NTLM Relay

Modern environments can mitigate these attacks with:

Protocol-level protections

• SMB signing
• LDAP signing and channel binding
• Kerberos instead of NTLM

Network protections

• Disable NTLM where possible
• Restrict outbound authentication
• Use firewalls to block unnecessary protocols

Identity protections

• Privileged Access Management
• Least privilege

10. Important Security Note

ntlmrelayx is a legitimate security tool, but:

• It is also used in real-world attacks
• It should only be used in authorized environments (labs, pentests, training)

11. Relationship to Other Techniques

ntlmrelayx is often used alongside:

• Responder → captures and triggers NTLM authentication
• MitM6 → forces IPv6 NTLM authentication
• PetitPotam / PrinterBug → coerces authentication
• Impacket tools in the general ecosystem

12. Key Takeaways

• ntlmrelayx does not crack passwords; it reuses authentication
• It exploits weaknesses in the NTLM protocol design
• It enables powerful lateral movement and AD attacks
• Modern defenses can largely mitigate it if properly configured

DCShadow: A Deep Dive into Stealthy Active Directory Replication Attacks

DCShadow

DCShadow is an advanced Active Directory (AD) attack technique used by adversaries to stealthily modify directory data by impersonating a domain controller (DC). It is considered highly dangerous because it bypasses many traditional security controls and blends in with legitimate replication traffic.

What is DCShadow?

DCShadow is a post-exploitation technique (introduced publicly by researchers at Black Hat 2018) that allows attackers to:

• Register a rogue machine as a fake domain controller
• Push malicious changes into Active Directory via replication
• Avoid detection by traditional logging mechanisms

Instead of modifying AD objects via standard administrative APIs (which generate logs), DCShadow injects changes as if they originated from a legitimate DC replication process.

Key Concept: Active Directory Replication

Active Directory uses a multi-master replication model, meaning:

• All domain controllers can make changes
• Changes are synchronized using replication protocols (DRSUAPI)
• Normally:
• DC1 updates an object → replicates to DC2, DC3, etc.
• With DCShadow:
• Attacker introduces a fake DC → pushes malicious changes → other DCs accept them as legitimate

How DCShadow Works (High-Level)

This is a conceptual overview for understanding and defense (not operational instructions).

1. Initial Compromise

An attacker first gains high privileges, typically:

• Domain Admin
• Enterprise Admin
• Or equivalent rights

2. Register Rogue Domain Controller

The attacker:

• Adds a fake domain controller object in AD (configuration partition)
• Uses directory services APIs to make it appear legitimate

3. Prepare Malicious Changes

Examples include:

• Adding a user to Domain Admins
• Modifying ACLs (permissions)
• Injecting persistence mechanisms

4. Trigger Replication

The attacker:

• Uses replication protocols to push changes
• Mimics legitimate DC-to-DC synchronization

Other DCs accept these changes without suspicion.

5. Remove Evidence

After execution:

• The rogue DC object can be removed
• Minimal logs remain compared to normal admin activity

Why DCShadow is Dangerous

Stealth

• Changes happen via replication, not standard AD modification APIs
• Avoids many event logs like:
• Event ID 4728 (group membership changes)
• Event ID 5136 (directory object changes)

Persistence

• Attackers can grant themselves:
• Replication rights
• Hidden backdoor accounts
• Hard to detect and remove

Trust Exploitation

• AD inherently trusts replication from domain controllers
• DCShadow exploits this design assumption

Common Attack Goals

DCShadow is often used for:

• Privilege Escalation
• Add the attacker account to privileged groups
• Persistence
• Modify ACLs to maintain long-term access
• Backdoor Creation
• Grant DS-Replication rights (similar to DCSync capability)
• Identity Manipulation
• Change attributes like:
• adminCount
• SIDHistory

DCShadow vs DCSync

They are often used together in sophisticated attacks.

Detection Challenges

Detecting DCShadow is difficult because:

• Replication traffic is expected behavior
• Logs are minimal or indirect
• Attack duration is often short

Detection Indicators

Defenders should monitor for:

Suspicious DC Registrations

• Unexpected domain controller objects
• Changes in:
• nTDSDSA
• serverReference

Unusual Replication Activity

• Replication from non-standard hosts
• Unexpected invocation of replication APIs

Directory Changes Without Logs

• Privilege changes with no corresponding event logs

Network Monitoring

• Look for replication traffic (DRSR) from non-DC systems

Mitigation Strategies

Limit Privileges

• Reduce the number of Domain Admin accounts
• Use Just-In-Time (JIT) access

Enable Advanced Logging

• Directory Services auditing
• Replication event monitoring

Monitor AD Changes

• Use tools like:
• Microsoft Defender for Identity
• SIEM solutions

Harden Domain Controllers

• Restrict who can:
• Add DC objects
• Modify replication permissions

Detect Replication Abuse

• Alert on:
• Non-DC systems initiating replication
• Changes to replication permissions

Summary

DCShadow is a sophisticated attack that:

• Exploits Active Directory replication trust
• Enables stealthy domain-wide modifications
• Is difficult to detect using traditional logging

It highlights a critical reality:

• In Active Directory, replication is trust, and trust can be abused.

BlueCrack Explained: How Bluetooth PIN Brute-Force Attacks Work

 BlueCrack Bluetooth Attack

A BlueCrack attack is a Bluetooth brute-force attack that attempts to guess the PIN (passkey) of a Bluetooth device, enabling unauthorized access.

It is typically considered an older Bluetooth attack, but it is important for understanding wireless security weaknesses in legacy systems.

How BlueCrack Works

Bluetooth devices pair using a PIN code (passkey). In older Bluetooth versions:

• The PIN is used to generate a link key for encryption
• If the PIN is weak (e.g., 0000, 1234), it can be guessed

Attack Process (Simplified)

1. Capture pairing process

• Attacker monitors Bluetooth communication during pairing
• Tools like sniffers capture authentication exchanges

2. Brute-force the PIN

• Try every possible PIN combination
• Compare generated keys against captured data

3. Recover the correct PIN

• Once matched, the attacker knows the valid PIN

4. Gain access

• Connect to the device
• Access services like:
• File transfers
• Contacts
• Audio channels

Tools Historically Used

• BlueCrack (tool) → designed specifically for brute-force PIN cracking
• Bluetooth sniffers → capture pairing traffic
• Often run on Linux with Bluetooth adapters

Example Scenario

• Target device uses PIN: 1234
• Attacker captures pairing handshake
• Runs brute-force tool:
• Tests 0000 → 9999
• Finds match at 1234
• Attacker now:
• Reconnects as a trusted device
• Accesses data or services

Limitations of BlueCrack

Requires:

• Captured pairing traffic
• Proximity (Bluetooth range ~10 meters typical)
• Weak or short PIN

Less effective today because:

• Modern Bluetooth uses:
• Secure Simple Pairing (SSP)
• Strong encryption (AES)
• Randomized keys

Difference from Other Bluetooth Attacks

How to Mitigate BlueCrack Attacks

• Use modern Bluetooth versions (v2.1+)
• Avoid weak/default PINs (0000, 1234)
• Use long, random passkeys
• Enable Secure Simple Pairing (SSP)
• Turn off Bluetooth when not in use
• Pair devices in trusted environments only

Key Takeaway

• BlueCrack is a brute-force attack on Bluetooth PINs
• It exploits weak pairing mechanisms in older Bluetooth
• Modern devices are largely protected, but legacy systems remain vulnerable

URL Spidering in Penetration Testing: A Complete Guide to Web Enumeration

URL Spidering?

URL spidering (also called web crawling) is an automated technique used in penetration testing, reconnaissance, and security assessment to discover all accessible pages, directories, endpoints, and resources on a web application.

Think of it like a bot that starts at a website and systematically follows every link it finds, just like how search engines index the web.

How URL Spidering Works

A spider typically follows this process:

1. Start with a target URL

• Example: https://target.comptia.org

2. Fetch the page content

• HTML is downloaded and parsed

3. Extract links and resources

• `` links
• Forms (``)
• JavaScript-generated URLs (advanced spiders)
• Images, scripts, APIs, etc.

4. Visit discovered URLs

• Each new link is added to a queue
• The spider continues recursively

5. Record findings

• URLs
• Parameters
• Status codes
• Inputs (GET/POST parameters)

Why URL Spidering is Important in Pen Testing

URL spidering helps testers:

1. Map the attack surface

• Identify:
• Hidden pages
• Admin panels (/admin, /dashboard)
• Backup files (.bak, .old)

2. Discover endpoints and parameters

• Example:

/search?q=term

/login?redirect=home

• These inputs are potential targets for:
• SQL injection
• XSS
• Command injection

3. Find unlinked or “hidden” resources

Files not visible in navigation but still accessible

• Example:

/test/

/backup.zip

/dev/

4. Understand application structure

• Learn how the site is organized:
• User flows
• API endpoints
• Authentication areas

Types of URL Spidering

1. Passive Spidering

• Observes traffic without actively exploring
• Uses proxies (e.g., Burp Suite passive crawl)
• Safe (low risk of detection)
• Limited discovery

2. Active Spidering

• Actively requests pages and follows links
• Finds more content
• Generates traffic → easier to detect

3. Authenticated Spidering

• Crawls after logging into the application
• Discovers:
• User dashboards
• Restricted APIs
• Admin panels

4. Recursive Spidering

• Follows links multiple levels deep
• Builds a full site map

Common Tools for URL Spidering

• Burp Suite Spider / Crawler
• Automatic crawling
• Handles sessions, forms, and authentication
• OWASP ZAP Spider
• Free and widely used
• Good for beginners
• DirBuster / Gobuster / ffuf
• Brute-force spidering (directory guessing)

Example:

gobuster dir -u https://target.com -w wordlist.txt

• wget (basic spidering)

wget --spider -r https://target.com

• Scrapy (Python framework)
• Advanced crawling and automation

Spidering vs. Directory Brute Forcing

Best practice: Use both together

Limitations of URL Spidering

1. Misses unlinked pages

• If no links point to them → not discovered

2. JavaScript-heavy apps

• Some spiders struggle with dynamic content

3. Authentication barriers

• Cannot access protected areas without credentials

4. Rate limiting / detection

• IDS/WAF may block crawling activity

Example Use Case in Pen Testing

1. Run spider:

https://target.com

2. Discover:

/login

/admin

/api/v1/users

/backup.zip

3. Analyze inputs:

/search?q=

/user?id=

4. Launch attacks on discovered endpoints:

• SQL injection
• XSS
• File download vulnerabilities

Key Takeaway

URL spidering is a core enumeration technique that:

• Maps the target website
• Identifies attack entry points
• Reveals hidden or sensitive resources

It is usually the first step before vulnerability scanning or exploitation.

Trivy for Pentesters: Identifying Weaknesses in Containers and Cloud Systems

 What is Trivy?

Trivy is an open-source security scanner developed by Aqua Security that identifies vulnerabilities, misconfigurations, secrets, and compliance issues in modern environments, especially containers and cloud-native systems.

It is widely used in penetration testing, DevSecOps, and cloud security because it is:

• Fast
• Easy to use
• Lightweight
• Highly versatile

What Trivy Scans

Trivy is not limited to one type of target; it supports multiple layers of modern infrastructure:

1. Container Images

• Scans Docker/OCI images for:
• Known vulnerabilities (CVEs)
• Outdated packages
• OS-level issues (Alpine, Ubuntu, Debian, etc.)

Example:

trivy image nginx: latest

2. File Systems

• Scans directories or local systems for:
• Vulnerable libraries
• Dependency issues

Example:

trivy fs /path/to/project

3. Infrastructure as Code (IaC)

• Scans configuration files like:
• Terraform
• Kubernetes YAML
• Dockerfiles

Detects:

• Misconfigurations (e.g., open security groups, no encryption)

Example:

trivy config

4. Kubernetes Clusters

• Analyzes:
• Cluster configurations
• Workloads
• RBAC settings

Example:

trivy k8s cluster

5. Repositories (GitHub, etc.)

• Scans repositories for:
• Secrets (API keys, passwords)
• Vulnerable dependencies

Key Features

1. Vulnerability Detection

• Uses vulnerability databases to detect known CVEs
• Covers:
• OS packages (apt, yum, apk)
• Language-specific deps (npm, pip, Maven, etc.)

2. Misconfiguration Detection

• Identifies insecure settings such as:
• Public S3 buckets
• Open ports
• Weak IAM policies
• Missing encryption

3. Secret Scanning

• Finds sensitive data like:
• API keys
• Tokens
• Hardcoded credentials

4. SBOM (Software Bill of Materials)

• Generates a list of all components in an application
• Useful for compliance and auditing

5. Fast & Lightweight

• Designed for speed (often faster than traditional scanners)
• No heavy setup required

Why Trivy is Important in Pen Testing

For a penetration tester, Trivy helps identify real attack opportunities quickly:

Common Findings

• Vulnerable libraries that can be exploited (RCE, privilege escalation)
• Misconfigured containers (running as root, exposed ports)
• Secrets that allow lateral movement
• Weak cloud configurations

How Trivy Fits Into Security Workflow

In DevSecOps:

• Integrated into CI/CD pipelines
• Automatically scans builds before deployment

In Pen Testing:

• Used during reconnaissance and vulnerability discovery
• Helps prioritize:
• High-risk vulnerabilities
• Misconfigurations that attackers can exploit first

Trivy vs Other Tools

Key Takeaways

• Trivy = container & cloud-native security scanner
• Detects:
• Vulnerabilities
• Misconfigurations
• Secrets
• Works across:
• Images, file systems, Kubernetes, IaC
• Widely used for modern penetration testing and DevSecOps

Impacket Explained: The Essential Toolkit for Network Protocol Testing and Active Directory Security

 Impacket

Impacket is an open‑source Python toolkit created by SecureAuth that provides low‑level network protocol implementations.

Its purpose:

Allow security professionals to craft, send, and manipulate network packets for testing, auditing, and research.

It’s widely used in:

• Penetration testing
• Red team operations
• Incident response
• Malware analysis
• Network protocol research

Impacket is especially known for its Windows network protocol support, including SMB, NTLM, Kerberos, LDAP, and more.

Why Impacket Is Important

Impacket is powerful because it lets you interact with network protocols the same way real systems do, not just through high‑level tools.

This gives security teams the ability to:

• Test authentication weaknesses
• Validate Active Directory configurations
• Simulate attacker behavior
• Reproduce real‑world attack chains
• Audit network exposure

It’s one of the most widely used toolkits in cybersecurity.

What Impacket Contains

Impacket includes two major components:

1. Python Libraries

These allow developers to write scripts that interact with:

• SMB (Server Message Block)
• NTLM authentication
• Kerberos
• LDAP
• RDP
• MSSQL
• DHCP
• SNMP
• And many more

These libraries give low‑level control over packets, fields, and protocol behavior.

2. Ready‑Made Command‑Line Tools

These are the most famous part of Impacket. They implement real attack and testing techniques.

Most Popular Impacket Tools (and What They Do)

1. psexec.py

• Runs commands on a remote Windows machine using SMB.
• Used for lateral movement.

2. wmiexec.py

• Executes commands over WMI with semi‑interactive shells.

3. smbexec.py

• Executes commands via SMB using a service‑based method.

4. secretsdump.py

Extracts password hashes, LSA secrets, and Kerberos keys from:

• Local SAM database
• NTD.dit (Active Directory)
• Remote registry

5. mimikatz.py

• A Python port of some Mimikatz functionality.

6. getTGT.py / getST.py

• Requests Kerberos tickets (TGT or service tickets).
• Useful for Kerberos attacks.

7. ticketer.py

• Creates forged Kerberos tickets (Golden/Silver tickets).

8. ntlmrelayx.py

• Relays NTLM authentication to other services.
• Used for NTLM relay attacks.

9. dcomexec.py

• Executes commands using DCOM.

10. rpcdump.py

• Enumerates RPC endpoints.

These tools are used in legitimate security testing, but they also mirror techniques used by real attackers, making them essential for defense teams to understand.

Is Impacket Legal?

Yes, Impacket is legal open‑source software.

However:

• It must be used ethically
• Only on systems you own or have permission to test
• Misuse can be illegal

Security professionals use it to identify and fix vulnerabilities, not exploit them.

Why Impacket Is So Common in Penetration Testing

Impacket is popular because it:

• Supports many Windows protocols
• Works well in Active Directory environments
• Provides realistic attack simulation
• Is scriptable and customizable
• Is maintained and widely trusted

It’s a core tool in frameworks like:

• Kali Linux
• BlackArch
• Security distributions
• Red team toolkits

What Impacket Helps You Learn About a Network

Using Impacket tools, you can discover:

• Weak authentication paths
• Misconfigured SMB shares
• Kerberos vulnerabilities
• NTLM relay exposure
• Password reuse
• Lateral movement paths
• Privilege escalation opportunities

This makes it invaluable for both offensive and defensive security.