I’m spending a lot of time with mimikatz lately. I’m fascinated by how much capability it has and I’m constantly asking myself, what’s the best way to use this during a red team engagement? A hidden gem in mimikatz is its ability to create a trust relationship from a username and password hash. Here’s the […]
Cornerstone: Red Team
An unnecessary addiction to DNS communication
I regularly hear stories from my users about how they got past a tough situation and had success that they claim was not possible without Cobalt Strike. As a developer, these emails are fun to read, and they give me a lot of job satisfaction. One of the features these users love is DNS Beacon. […]
Read More… from An unnecessary addiction to DNS communication
2015’s Red Team Tradecraft
“There is a theory which states that if ever anyone discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable. There is another theory which states that this has already happened.” ― Douglas Adams, The Restaurant at the End […]
So, you won a regional and you’re headed to National CCDC
The 2015 National CCDC season started with 100+ teams across 10 regions. Now, there are 10 teams left and they’re headed to the National CCDC event next week. If you’re on one of those student teams, this blog post is for you. I’d like to take you inside the red team room and give you […]
Read More… from So, you won a regional and you’re headed to National CCDC
Reverse Port Forward through a SOCKS Proxy
I had a friend come to me with an interesting problem. He had to get a server to make an outbound connection and evade some pretty tough egress restrictions. Egress is a problem I care a lot about [1, 2, 3]. Beacon is a working option for his Windows systems. Unfortunately, the server in question […]
Training Recommendations for Threat Emulation and Red Teaming
A few weeks ago, I had someone write and ask which training courses I would recommend to help setup a successful Red Team program. If you find yourself asking this question, you may find this post valuable. First things first, you’ll want to define the goals of your red team and what value it’s going […]
Read More… from Training Recommendations for Threat Emulation and Red Teaming
The First Five Minutes
March and April are CCDC season. This is the time of the year when teams of college students get to compete against each other as they operate and defend a representative enterprise network from a professional red team. CCDC events are the most interesting for the blue teams and red teams when the red team […]
My Favorite PowerShell Post-Exploitation Tools
PowerShell became a key part of my red team toolkit in 2014. Cobalt Strike 2.1 added PowerShell support to the Beacon payload and this has made an amazing library of capability available to my users. In this post, I’d like to take you through a few of my favorite collections of PowerShell scripts. PowerSploit Let’s start […]
Read More… from My Favorite PowerShell Post-Exploitation Tools
Another Night, Another Actor
Earlier last year, I had a frantic call from a customer. They needed to make a small change to Beacon’s communication pattern and quickly. This customer was asked to spend a week with a network defense team and train them on different attacker tactics. Each day, my customer had to show the network defense team […]
DNS Communication is a Gimmick
I added DNS Communication to Cobalt Strike in June 2013 and refined it further in July 2013. On sales calls and at conferences I get a lot of questions and compliments on this feature. That’s great. I’ve also heard the opposite. I’ve heard folks say that DNS Command and Control is noisy. It’s “easy to […]