This blog post is inspired by a question sent to a local mailing list. The original poster asks, what’s the go-to phishing technique or exploit in a blackbox situation? Here’s my response: I’ve had to do this before, I sell tools to do it now, and I’ve seen how others teach and go about this […]
Read More… from What’s the go-to phishing technique or exploit?
TL;DR This is my opinion on Threat Intelligence: Automated Defense using Threat Intelligence feeds is (probably) rebranded anti-virus. Threat Intelligence offers benefit when used to hunt for or design mitigations to defeat advanced adversaries. Blue teams that act on this knowledge have an advantage over that adversary and others that use similar tactics. Threat Intelligence […]
Cobalt Strike’s Covert VPN feature now supports ICMP as one of its channels. Covert VPN is Cobalt Strike’s layer-2 pivoting capability. If you’re curious about how this technology works, I released some source code a few weeks ago. The ICMP data channel is a turn-key way to demonstrate ICMP as an exfiltration channel if you […]
Read More… from Cobalt Strike 2.2 – 1995 called, it wants its covert channel back…
There is a growing chorus of folks talking about simulating targeted attacks from known adversaries as a valuable security service. The argument goes like this: penetration testers are vulnerability focused and have a toolset/style that replicates a penetration tester. This style finds security problems and it helps, but it does little to prepare the customer for the […]
Cortana is the scripting engine built into Armitage and Cobalt Strike. It’s based on my Sleep scripting language. Most scripting languages have a REPL (Read, Eval, Print Loop) that allows users to experiment with the technology in an interactive way. I didn’t build an REPL into Cortana natively, but one is available as a script. […]
A few months ago, I was having lunch at a favorite Italian restaurant in Washington, DC. I work in a residential area, which means lunch time is slow and there’s no crowd. This leads to many conversations with the staff. This particular conversation drifted to Time Magazine’s July World War Zero article about the sale […]
Read More… from Give me any zero-day and I will rule the world
I wrote Cobalt Strike and I take it for granted that my users know where things are. This doesn’t come from nowhere though. The users who get the most from this tool have read the documentation, watched my videos, or had a lot of trial and error. If you’re new to Cobalt Strike, consider this […]
Read More… from Map of Cobalt Strike Features for Armitage Users
A VPN pivot is a virtual network interface that gives you layer-2 access to your target’s network. Rapid7’s Metasploit Pro was the first pen testing product with this feature. Core Impact has this capability too. In September 2012, I built a VPN pivoting feature into Cobalt Strike. I revised my implementation of this feature in September 2014. […]
A user-driven attack is an attack that relies on a feature to get code execution. Most penetration testers I know rely on user-driven attacks over public memory corruption exploits. User-driven attacks are less likely to see a patch and they usually target an application in a way that works across many versions. What’s not to […]
For a long time, I’ve wanted the ability to use PowerUp, Veil PowerView, and PowerSploit with Cobalt Strike. These are useful post-exploitation capabilities written in PowerShell. You’d think that it’s easy to run a script during the post-exploitation phase, especially when this script is written in the native scripting environment for Windows. It’s harder than […]