I added DNS Communication to Cobalt Strike in June 2013 and refined it further in July 2013. On sales calls and at conferences I get a lot of questions and compliments on this feature. That’s great. I’ve also heard the opposite. I’ve heard folks say that DNS Command and Control is noisy. It’s “easy to […]
How I tunnel Meterpreter through Beacon
I write so many blog posts about Beacon, I should just give up and call this the Beacon blog. Beacon is Cobalt Strike’s post-exploitation agent that focuses on communication flexibility and added covert channels. It’s also possible to tunnel Meterpreter through Beacon with the meterpreter command. In this blog post, I’ll explain how this feature […]
Cobalt Strike 2.3 – I’ve always wanted runas
Cobalt Strike 2.3 is now available. This release adds a runas command to Beacon. This command allows you to specify a username and password for any user and run a command as them. Useful for situations where you know credentials for an admin and want to use them to elevate. Care to know the alternative? Shell Escalation using […]
Pass-the-(Golden)-Ticket with WMIC
One of my favorite blog posts from last year was the Adversary Tricks and Treats post from CrowdStrike. They showed how one of the actors they track changed their tactics to cope with a more alert defender. This actor, DEEP PANDA, sometimes injects a Golden Ticket onto their local Kerberos tray. To move laterally, this […]
What’s the go-to phishing technique or exploit?
This blog post is inspired by a question sent to a local mailing list. The original poster asks, what’s the go-to phishing technique or exploit in a blackbox situation? Here’s my response: I’ve had to do this before, I sell tools to do it now, and I’ve seen how others teach and go about this […]
When You Know Your Enemy
TL;DR This is my opinion on Threat Intelligence: Automated Defense using Threat Intelligence feeds is (probably) rebranded anti-virus. Threat Intelligence offers benefit when used to hunt for or design mitigations to defeat advanced adversaries. Blue teams that act on this knowledge have an advantage over that adversary and others that use similar tactics. Threat Intelligence […]
Cobalt Strike 2.2 – 1995 called, it wants its covert channel back…
Cobalt Strike’s Covert VPN feature now supports ICMP as one of its channels. Covert VPN is Cobalt Strike’s layer-2 pivoting capability. If you’re curious about how this technology works, I released some source code a few weeks ago. The ICMP data channel is a turn-key way to demonstrate ICMP as an exfiltration channel if you […]
Adversary Simulation Becomes a Thing…
There is a growing chorus of folks talking about simulating targeted attacks from known adversaries as a valuable security service. The argument goes like this: penetration testers are vulnerability focused and have a toolset/style that replicates a penetration tester. This style finds security problems and it helps, but it does little to prepare the customer for the […]
Interactive Cortana Programming
Cortana is the scripting engine built into Armitage and Cobalt Strike. It’s based on my Sleep scripting language. Most scripting languages have a REPL (Read, Eval, Print Loop) that allows users to experiment with the technology in an interactive way. I didn’t build a REPL into Cortana natively, but one is available as a script. […]
Give me any zero-day and I will rule the world
A few months ago, I was having lunch at a favorite Italian restaurant in Washington, DC. I work in a residential area, which means lunch time is slow and there’s no crowd. This leads to many conversations with the staff. This particular conversation drifted to Time Magazine’s July World War Zero article about the sale […]