PowerShell Shellcode Injection on Win 10 (v1803)
Cobalt Strike’s process to inject shellcode, via PowerShell, does not work with the latest Windows 10 update (v1803). While it’s possible to work without this
Process Injection Update in Cobalt Strike 4.5
Process injection is a core component to Cobalt Strike post exploitation. Until now, the option was to use a built-in injection technique using fork&run. This
Pushing back on userland hooks with Cobalt Strike
When I think about defense in the current era, I think of it as a game of instrumentation and telemetry. A well-instrumented endpoint provides a
Puttering my Panda and other Threat Replication Case Studies
Cobalt Strike 2.0 introduced Malleable C2, a technology to redefine network indicators in the Beacon payload. What does this mean for you? It means you
Raffi’s Abridged Guide to Cobalt Strike
This blog post is a fast overview of Cobalt Strike. I assume that you are familiar with Meterpreter, Mimikatz, and make use of Offensive PowerShell in
Raphael’s Transition
Friday was my last day at HelpSystems. I spent the day on the #Aggressor channel on Slack, put some final touches on a 12 month
Raphael’s Magic Quadrant
BlackHat is about to start in a few days. I think this is an appropriate time to share a non-technical, business only post. There is
Real-Time Feed of Red Team Activity
There are several research projects to collect raw data from red team activity, process this data, and try to turn it into information. In this
Red Team Data Collection
In 2011, I participated in an exercise. The exercise ran for 60 hours straight, forcing the red team to work in shifts. The event was
Red Team Operations Lifecycle
Walk through a typical red team operation lifecycle, from initial access through post-operation cleanup. A disciplined red team lifecycle transforms offensive work from isolated engagements