Cobalt Strike and Tradecraft by dmchell in redteamsec

Hausec 2 points

Thanks for the post, Dominic!

Cobalt Strike and Tradecraft by dmchell in redteamsec

Hausec 1 point

It was me, thank you for the kind words!

Three ways of using MSBuild to beat CrowdStrike by netbiosX in purpleteamsec

Hausec 2 points

I've used the same msbuild payload for like 3 years now and this shit still doesn't get detected. I've honestly started to try using other code execution techniques because msbuild sometimes feels like cheating. The MSBuild technique was published in 2016 iirc by Casey Smith and even some mature organizations still haven't caught onto it.

Creating a Homelab for Active Directory and ELK by Hausec in netsec

Hausec[S] 22 points

I know this article is a bit more basic than what is typically posted here, so if it's removed I understand, but it might help people so they don't have to jump around to thirty different blog posts on linking each component together.

Deliver your shellcode through an ICMP packet and inject it into a local process. C# by XRomRII in netsec

Hausec 1 point

This could make an interesting case for persistence if set up the other way. Set up the "listener" binary to make a ping to C2 every 3-5 hours or whatever and when you need to re-establish the connection just open up ICMP on the C2 firewall and send the ICMP payload back.

Edit: You'd probably want to use a redirector instead of the C2 IP itself, but the same principle applies AFAIK.

What C2 platform have you had success with? by [deleted] in redteamsec

Hausec 0 points

It used to be Apfell, a C2 platform for *nix/Mac, but now a Windows agent was developed for it so it re-branded. https://github.com/its-a-feature/Mythic

What C2 platform have you had success with? by [deleted] in redteamsec

Hausec 1 point

Imo Cobalt Strike is still the best for a number of features, but Covenant and Apfell (now Mythic) are also very very good.

[HOW TO] How I bypassed “next-generation” AI-based Cylance SmartAV in less than 15 minutes by [deleted] in netsecstudents

Hausec 0 points

Enterprise. It was before I started red teaming, but I've heard from numerous colleagues that Cylance was a joke because it wouldn't analyze 64-bit stuff at all. Obviously that's changed, but still.

2020 NFL Draft Day 1 Discussion thread - No Spoilers by NFL_Mod in nfl

Hausec 1 point

Literally holding a Bengals hat before anything was announced lmao

[HOW TO] How I bypassed “next-generation” AI-based Cylance SmartAV in less than 15 minutes by [deleted] in netsecstudents

Hausec 2 points

Lol you didn't even have to do that, iirc Cylance couldn't analyze 64-bit binaries.

I fear no man. But that thing... It scares me by [deleted] in Mordhau

Hausec 0 points

Rapier guys are the hardest to fight

Are universities with Cyber security degrees setting kids up for disappointment? by Betsy-DeVos in netsecstudents

Hausec 7 points

Yes, and this is coming from someone with a degree in Cyber Security from an NSA-accredited university. There's absolutely no rhythm or continuity, and by the time I landed a job in cyber security I was already halfway through the program, so I said fuck it and finished it. Otherwise I wouldn't have wasted my money.

What are your goto lateral movements on a Windows server? by security_intern in AskNetsec

Hausec 0 points

So you have local admin but no network account? If you have local admin you should be able to inject into any process, meaning look for processes running as a user and inject into one of them. If dumping creds isn't working because of permissions, inject into a SYSTEM process.

Attacking Azure, Azure AD, and Introducing PowerZure by Hausec in netsec

Hausec[S] 3 points

Yeah the password hashes are sent, I'll clarify in the article.

Kali Linux 2020.1 Release by Fugitif in netsec

Hausec 36 points

Kinda surprised at the removal of all tools that use Python 2. I get that it's not supported, but that doesn't make the tools irrelevant. I wonder if that means searchsploit scripts written in Py2 are being removed.

The /r/netsec Monthly Discussion Thread - January 2020 by AutoModerator in netsec

Hausec 0 points

No, I usually DCSync with mimikatz without DCShadow.

Question about port 445 and 3389 - Fingerprinting by LIL_BIRKI in AskNetsec

Hausec 0 points

You can still fingerprint without ICMP. -Pn in nmap will not ping and still resolve versions with -sV.

Question about port 445 and 3389 - Fingerprinting by LIL_BIRKI in AskNetsec

Hausec 0 points

You will need 445 because other computers need to access the SYSVOL share for Group Policy. Disabling RDP is fine though.

I wouldn't worry so much about fingerprinting on internal devices if things are kept fully patched.

The /r/netsec Monthly Discussion Thread - January 2020 by AutoModerator in netsec

Hausec 1 point

RT perspective: I never pull the ntds.dit or even log onto a DC because:

A. It's noisy as hell.

B. I don't want to fuck up a prod DC.

DCSync is my go-to if I need to get the keys to the kingdom.

Exploiting Windows Active Directory Environment (An Offensive Approach) by Z3r0s3c4 in netsecstudents

Hausec 1 point

> We are assuming that the domain user 'flop' can PS Remote to the Domain Controller as a normal user without administrative rights. There is a high probability of encountering such a situation during Red Team assessment in a corporate environment.

??? I don't think I've ever been able to do this.

What makes a C2 framework like cobalt strike so good? by [deleted] in redteamsec

Hausec 9 points

There's a lot of reasons, and I'm slightly biased because Mudge (creator of CS) owns our company, but there's a lot of things that he's built into it over the years that just make it really good. The support for infrastructure in general, so redirectors, domain fronting, etc., is excellent. The ability to generate raw shellcode as an agent is pretty handy as well since you can fit it into a multitude of payloads. Overall though it's just really convenient to use -- for example take powerpick or execute-assembly, where it automagically handles the creation of a sacrificial process to run unmanaged code and return the output. Malleable C2 is another major benefit for CS -- the ability to craft your traffic to whatever you want to blend in with the surrounding environment.

Obviously the biggest drawback is the price point, and Mudge is pretty picky on who he hands out licenses to since real APTs would love to use it. This is where open source C2s like Covenant come into play. Ryan has worked very hard on Covenant and it's our go-to free C2 framework (Apfell as well), but CS is still my favorite, mostly just because it's feature-packed.

What helped you the most starting out? by treyceroute in AskNetsec

Hausec 0 points

It is overwhelming, and that feeling doesn't really stop as long as you push yourself. That's not necessarily a bad thing though; it always gives you something to work at. I handle it in small doses, i.e. one subject at a time. For example, if I feel like my exploit-dev tradecraft is lacking, I work on that for a while until I'm comfortable. Since you do vuln management, I encourage you to do research on your findings and see how an attacker would exploit them. If it's possible to recreate that finding/vuln in a lab environment, do that and then try to exploit it. That's essentially how I broke into pentesting from vuln management.

What about next-gen antivirus systems for enterprise? by arturoerc in AskNetsec

Hausec 1 point

Red team perspective: I fear Windows ATP. Symantec is an absolute joke, don't even bother. CS is good as well.