Broken Promises and Malleable C2 Profiles
Red Team infrastructure is a detail-heavy subject. Take the case of domain fronting through a CDN like CloudFront. You have to setup the CloudFront distribution, have a valid
Fighting the Toolset
What happens when your advantages become a disadvantage? That’s the theme of Fighting the Toolset. This lecture discusses Offensive PowerShell, staging, memory-injected DLLs, and remote
Beware of Slow Downloads
I often receive emails that ask about slow file downloads with the Beacon payload. Here are the symptoms: When I get these emails, I usually
In-Memory Evasion
Many analysts and automated solutions take advantage of various memory detections to find injected DLLs in memory. Memory detections look at the properties (and content)
Modern Defenses and YOU!
Part 9 of Advanced Threat Tactics covers a lot of my thoughts on evasion. The ideas in that lecture are still relevant, the defenses discussed
Kits, Profiles, and Scripts… Oh my!
If I had to describe Cobalt Strike in one word, I’d say ‘flexible’. There are a lot of options to control Cobalt Strike’s features and
OPSEC Considerations for Beacon Commands
Update January 9, 2020 – This topic is now part of the Cobalt Strike documentation. Head over to the Beacon Command Behavior page for the
High-reputation Redirectors and Domain Fronting
Working on Cobalt Strike, I get some insight into what folks are trying to do with it. Recently, the use of domain fronting for redirectors
Scripting Matt Nelsonās MMC20.Application Lateral Movement Technique
This is a short blog post with a long title. A few weeks ago, Matt Nelson published Lateral Movement Using the MMC20.APPLICATION COM Object (there’s
My First Go with BloodHound
I finally had a chance to sit down and play with BloodHound. This was an item on my hacker todo list for awhile now. In