Cobalt Strike 2.0 introduced Malleable C2, a technology to redefine network indicators in the Beacon payload. What does this mean for you? It means you can closely emulate an actor and test intrusion response during a penetration test. In this blog post, I’ll take you through three threat replication case studies with Cobalt Strike. In […]
Read More… from Puttering my Panda and other Threat Replication Case Studies
Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation. On this virtual machine, you will find: a website for a fictitious seafood company, self-contained email infrastructure to receive phishes, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The […]
Read More… from Introducing Morning Catch – A Phishing Paradise
Back in May, I wrote up some impressions about Meterpreter’s Kiwi extension. It’s Mimikatz 2.0, complete with its ability to generate a Kerberos “Golden Ticket” with domain-admin rights offline. I’ve had a very positive experience with this capability since May. My best practice is to create a Golden Ticket catalog. When you capture a domain controller, […]
Read More… from Pass-the-Golden-Ticket with Cobalt Strike’s Beacon
The Veil Framework is a collection of red team tools, focused on evading detection. The Veil Evasion project is a tool to generate artifacts that get past anti-virus. It’s worth getting to know Veil. It has a lot of capability built into it. Cobalt Strike 2.0’s Payload Generator includes an option to output a Cobalt […]
Read More… from Use Cobalt Strike’s Beacon with Veil’s Evasion
I define threat replication as a penetration test that looks like an attack from an APT actor. Assessments that involve threat replication are more than a test of technical controls. Threat Replication is a full exercise of a customer’s analytical process and ability to attribute and respond to an APT. These definitions are all well […]
Read More… from Cobalt Strike 2.0 – Malleable Command and Control
I spend a lot of time thinking about what my tools can and can’t do. One of the weakest points for penetration testing tools is their (in-)ability to get past some egress restrictions. I previously wrote about why this is a problem and how you might get past different egress restrictions. My general advice is […]
When I participate in an exercise, with multiple target networks and a large red team, I favor splitting the team up into cells. Each cell owns a target network and is responsible for any objectives that must occur in that target network. These cells are supported by an access management team. The access management team […]
In June 2012, I announced Cobalt Strike to the world. Thanks to Cobalt Strike‘s users, I build and research offensive technologies, full-time, and have done so for the past two years. In this post, I’d like to show what has come from these two years of user-funded work. The Big Ideas Modeling Advanced Attackers with Beacon The Beacon payload is THE threat emulation […]
Read More… from Cobalt Strike – Innovative Offense or “just a GUI”?
I see egress as one of the biggest pains in the offensive space. If your target has zero egress controls—don’t worry about anything I have to say here. If you’re up against a harder target, read on—I think I’m close to cracking this problem. You need different payloads for different phases of your engagement. I […]
When a user launches Armitage or Cobalt Strike on Windows and presses Start MSF, they’re presented with a curious error. It states: You must connect to a team server hosted on Linux. Connecting to a Metasploit RPC server on Windows is not supported. This error generates a lot of requests for help in various forums […]
Read More… from Connecting to a Metasploit RPC server on Windows is not supported