Abusing Microsoft Warbird for Shellcode Execution
Source: cirosec (https://cirosec.de/en/)
URL: https://cirosec.de/en/news/abusing-microsoft-warbird-for-shellcode-execution/
Date: November 7, 2024
Authors: Jan-Luca Gruber and Frederik Reiter

In this blog post, we'll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. We'll show how we can encrypt our shellcode and let the Windows kernel decrypt and load it for us using the Warbird API.