I see mimikatz as one of the most significant collections of offensive capability available today. Because there’s so much capability, folks are often interested in how to detect its use on their network. For example, one blog post recommends the use of Honey Hashes to detect mimikatz use. Others might recommend that you look for […]
How do I psexec without an initial Beacon?
Here and there, I’m getting questions that are variants of this post’s title. The inquiry usually goes like this: Dearest Raphael, I do a lot of internal engagements. I don’t expect that I will always have a Beacon on target due to a phishing or client-side attack. How do I launch a psexec attack directly […]
Connection Refused Error in Cobalt Strike
I’ve had several folks write to me asking about the Connection Refused error when they try to use Cobalt Strike. This one: Cobalt Strike 3.0 requires you to start a team server before you attempt to connect a client to it. If you connect a client to 127.0.0.1 and no server is present, you will […]
Migrating Your Infrastructure
I’ve written about infrastructure for red team operations before. Infrastructure is the servers, domains, and other assets that support your ongoing operation against a target network. Sometimes, your infrastructure will become known and understood by the blue audience you’re working to train. At these times, it’s usually prudent to take steps to extend or change […]
The Cobalt Strike Trial’s Evil Bit
RFC 3514 proposes an IPv4 flag to allow traffic to flag itself as malicious or not. This RFC’s authors reason that if malicious programs opt into this standard, it will become easier for IDS and other security products to distinguish between packets with good and evil intent. Naturally, this RFC was written in jest. If […]
Named Pipe Pivoting
One of my favorite features in Cobalt Strike is its ability to pivot over named pipes. A named pipe is a way for two programs on a Windows system to communicate with each other. From a programming perspective, working with a named pipe is a lot like working with a file. I use named pipes […]
Advanced Threat Tactics – Course and Notes
The release of Cobalt Strike 3.0 also saw the release of Advanced Threat Tactics, a nine-part course on red team operations and adversary simulations. This course is nearly six hours of material with an emphasis on process, concepts, and tradecraft. If you’d like to jump into the course, it’s on YouTube: Here are a few […]
Cobalt Strike 3.0 – Advanced Threat Tactics
Cobalt Strike’s mission is to help security professionals emulate “advanced threat tactics” during their engagements. I’ve executed on this since the product’s 2012 release. Cobalt Strike 3.0 is the next iteration of this. Cobalt Strike 3.0 is a ground-up rewrite of the client and server components in this product. Notably, Cobalt Strike no longer directly depends […]
Rethinking Reporting for Red Team Operations
Cobalt Strike 3.0 is coming in a few weeks. This upcoming release is the result of a large engineering effort that paralleled my existing efforts to maintain Cobalt Strike 2.x. One of the big motivators for this parallel effort was to take a fresh look at logging and reporting. Today’s Cobalt Strike produces reports that […]
The Aggressor Project (Preview)
If you’ve run into me at a conference during the 2015 calendar year, there’s a strong chance you’ve heard about or seen the Aggressor project. Aggressor is a ground-up rewrite of Cobalt Strike’s team server and client to better serve its Red Team Operations and Adversary Simulation use cases. I expect to ship this work […]