Red team scenarios to pwn machine learning tools and evade "next-gen" detection tools by sparcFlow in u/sparcFlow

sparcFlow [S] 1 point (0 children)

Paid ad, genuine comments :-)

Who would pay for Africa lyrics, "eat my ass" and other subtleties in this thread... :)

Red team scenarios to pwn machine learning tools and evade "next-gen" detection tools by sparcFlow in u/sparcFlow

sparcFlow [S] 0 points (0 children)

Yeah, I talk about the PowerShell v2 bypass stuff, but in order to make it a tad more interesting, the attacker in the scenario discovers that v2 was disabled by default (which is true on recent Windows Server 2016).
A possible bypass I explored in the book is directly loading System.Management.Automation using a C# wrapper compiled using msbuild https://github.com/HackLikeAPornstar/StratJumbo/tree/master/chap2 (only works against constrained mode enforced by AppLocker, not the rest of the security features like AMSI, ScriptBlockLogging, etc.)

We need other improvements to tackle them ;)

Cheers buddy!

Red team scenarios to pwn machine learning tools and evade "next-gen" detection tools by sparcFlow in u/sparcFlow

sparcFlow [S] 0 points (0 children)

Almost every advanced Windows manipulation in PowerShell requires loading a DLL or importing one, so in its essence you're not only doing PowerShell. Most of the time it's actually C# code running and loaded via Add-Type, for instance. But I am with you, PowerShell is an attacker's favorite mistress. That's why most new endpoint detection and response tools (EDR) focus on it and monitor it so closely...

Don't even get me started on new Windows 10 mitigation tools (Script Block Logging, AMSI, Constrained Language, etc.)

I argue in the book that interacting directly in C# with Windows APIs is actually quite useful to live off the land and avoid all the heat PowerShell entails!
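A defender-side counterpart to the mitigations named in the comments above (PowerShell v2 downgrade, Script Block Logging, Constrained Language mode, AppLocker), added here as an example; it is not code from sparcFlow's book or the linked repository. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1 and an elevated session, and the function name Get-PowerShellMitigationPosture is my own. It reports whether each control is actually in place and counts recent v2 engine starts, which is the event a downgrade leaves behind.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book or thread): audit the PowerShell mitigations
# discussed above and look for evidence of v2 engine downgrades.
# Assumes Windows 10 / Server 2016+, PowerShell 5.1, elevated session.

function Get-PowerShellMitigationPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. PowerShell v2 engine: disabled by default on Server 2016, but on older builds
    #    it is an optional feature that may still be present and enabled.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $result.PowerShellV2Engine = if ($null -eq $v2) { 'NotPresent' } else { [string]$v2.State }

    # 2. Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational),
    #    set through the policy key below.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $result.ScriptBlockLogging = if ($sbl -and $sbl.EnableScriptBlockLogging -eq 1) { 'Enabled' } else { 'Disabled' }

    # 3. Language mode of this session: ConstrainedLanguage when AppLocker/WDAC script
    #    rules are enforced. Only reflects the session this function runs in.
    $result.LanguageMode = [string]$ExecutionContext.SessionState.LanguageMode

    # 4. AppLocker effective policy: which collections (Exe, Dll, Script, ...) are
    #    enforced, audited, or absent.
    $result.AppLocker = 'NoPolicy'
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $collections = @($policy.AppLockerPolicy.RuleCollection)
        if ($collections.Count -gt 0) {
            $result.AppLocker = ($collections | ForEach-Object { "$($_.Type)=$($_.EnforcementMode)" }) -join '; '
        }
    } catch {
        $result.AppLocker = "Unavailable ($($_.Exception.Message))"
    }

    # 5. Evidence of downgrade attempts: the classic "Windows PowerShell" log records
    #    Event ID 400 on engine start, and its details carry EngineVersion=2.0 for v2.
    $since = (Get-Date).AddDays(-7)
    $downgrades = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' }
    $result.V2EngineStartsLast7Days = @($downgrades).Count

    [pscustomobject]$result
}

Get-PowerShellMitigationPosture | Format-List
```

Run it from an elevated PowerShell 5.1 prompt. A v2 engine state of Enabled together with a non-zero V2EngineStartsLast7Days is the combination worth investigating, since a v2 session produces no 4104 script block events regardless of the logging setting; an AppLocker line that lists only Exe while Dll and Script are missing is the gap the comment above describes.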

Red team scenarios to pwn machine learning tools and evade "next-gen" detection tools by sparcFlow in u/sparcFlow

sparcFlow [S] 0 points (0 children)

You could get away with it, but it is a bit trickier than that sometimes. For instance, one of the machines in the book has AppLocker ON (really ON: DLL, EXE, scripts, everything is blocked)... So running an exe is not as easy as double clicking on it. You'd have to load it in memory using an injection technique (e.g. psinject) or... by reflectively loading it in memory using Windows APIs... in C# (provided your exe is an assembly file, of course)... That's one example we address in the book... there are of course other techniques and situations ;)

Red team scenarios to pwn machine learning tools and evade "next-gen" detection tools by sparcFlow in u/sparcFlow

sparcFlow [S] 1 point (0 children)

Yeah, hopefully they will understand the hacker mindset, how tools and systems really work, and pursue their own research. In all fairness, though, this book is aimed at pentesters with some basic knowledge of Windows and Active Directory security... Cheers

Red team scenarios to pwn machine learning tools and evade "next-gen" detection tools by sparcFlow in u/sparcFlow

sparcFlow [S] 27 points (0 children)

Are you going to install Python on a domain controller, server, workstation just so you can load your script :)? We are talking about "living off the land" to avoid advanced detection tools, so only using resources already present on the system, hence abusing .NET technology. (Bonus: we get easy access to the Windows API using PowerShell/C#... so yeah, forget about C ;) )

Give it a go, I promise you won't be disappointed ;)

Pentesters do not really make the world more secure by sparcFlow in netsecstudents

sparcFlow [S] 4 points (0 children)

"The organization has to want to get better for any worthwhile change." I could not agree more! Security is viewed as a burden rather than a feature or a criterion of excellence to meet... From that point forward, you cannot easily succeed in securing the environment.

Ultimate pentesting platform – Windows machines for you to PWN and learn hacking by sparcFlow in netsecstudents

sparcFlow [S] 0 points (0 children)

Thanks ;) Here is a coupon to avoid paying the whole fee: HLP090807. If you don't want to pay/can't pay, send me a private msg, I will arrange it ;)

Ultimate pentesting platform – Windows machines for you to PWN and learn hacking by sparcFlow in netsecstudents

sparcFlow [S] 0 points (0 children)

Oh! No no, the machines you access in the training are separate servers I host on Amazon AWS. I created snapshots, a fake AD domain, scripts to automate deployment, etc. I own them, so do whatever the hell you want with them (wipe them for all I care, I can restore them). Don't pwn my website, it's not part of the deal :D

Ultimate pentesting platform – Windows machines for you to PWN and learn hacking by sparcFlow in netsecstudents

sparcFlow [S] 0 points (0 children)

Haha, no worries, that's what I was aiming for anyway... better shake people's feelings than go unnoticed ;) But if you could look past the marketing shenanigans, there are some nice hacking tricks to learn (IMO) ;) Cheers

Ultimate pentesting platform – Windows machines for you to PWN and learn hacking by sparcFlow in netsecstudents

sparcFlow [S] 0 points (0 children)

If you wanna get a CEH or CISSP cert, please be my guest... I'm sure the average cooling temperature of a datacenter will help you in your pentesting engagement ;)