A few months ago, I was having lunch at a favorite Italian restaurant in Washington, DC. I work in a residential area, which means lunch time is slow and there’s no crowd. This leads to many conversations with the staff. This particular conversation drifted to Time Magazine’s July World War Zero article about the sale […]
Read More… from Give me any zero-day and I will rule the world
I often get asked about red team skills and training. What should each team member know how to do? For exercises or long running attack simulations, I believe it’s fruitful to put junior members into the post-exploitation role first. This post describes the post-exploitation team, where they fit into the overall engagement, and their core […]
Recently, I’ve had several questions about how to set up infrastructure for long running red team operations with Cobalt Strike. This is an ideal use case for Cobalt Strike. In this post, I will reiterate the advice I’ve shared with these users. System Requirements You will need to set up infrastructure to use for your […]
Read More… from Infrastructure for Ongoing Red Team Operations
Cobalt Strike 2.0 introduced Malleable C2, a technology to redefine network indicators in the Beacon payload. What does this mean for you? It means you can closely emulate an actor and test intrusion response during a penetration test. In this blog post, I’ll take you through three threat replication case studies with Cobalt Strike. In […]
Read More… from Puttering my Panda and other Threat Replication Case Studies
Back in May, I wrote up some impressions about Meterpreter’s Kiwi extension. It’s Mimikatz 2.0, complete with its ability to generate a Kerberos “Golden Ticket” with domain-admin rights offline. I’ve had a very positive experience with this capability since May. My best practice is to create a Golden Ticket catalog. When you capture a domain controller, […]
Read More… from Pass-the-Golden-Ticket with Cobalt Strike’s Beacon
The Veil Framework is a collection of red team tools, focused on evading detection. The Veil Evasion project is a tool to generate artifacts that get past anti-virus. It’s worth getting to know Veil. It has a lot of capability built into it. Cobalt Strike 2.0’s Payload Generator includes an option to output a Cobalt […]
Read More… from Use Cobalt Strike’s Beacon with Veil’s Evasion
I define threat replication as a penetration test that looks like an attack from an APT actor. Assessments that involve threat replication are more than a test of technical controls. Threat Replication is a full exercise of a customer’s analytical process and ability to attribute and respond to an APT. These definitions are all well […]
Read More… from Cobalt Strike 2.0 – Malleable Command and Control
When I participate in an exercise, with multiple target networks and a large red team, I favor splitting the team up into cells. Each cell owns a target network and is responsible for any objectives that must occur in that target network. These cells are supported by an access management team. The access management team […]
I see egress as one of the biggest pains in the offensive space. If your target has zero egress controls—don’t worry about anything I have to say here. If you’re up against a harder target, read on—I think I’m close to cracking this problem. You need different payloads for different phases of your engagement. I […]
High latency communication allows you to conduct operations on your target’s network, without detection, for a long time. An example of high-latency communication is a bot that phones home to an attacker’s web server to request instructions once each day. High latency communication is common with advanced threat malware. It’s not common in penetration testing […]
Read More… from Covert Lateral Movement with High-Latency C&C