My Favorite PowerShell Post-Exploitation Tools
PowerShell became a key part of my red team toolkit in 2014. Cobalt Strike 2.1 added PowerShell support to the Beacon payload and this has made
Modern Defenses and YOU!
Part 9 of Advanced Threat Tactics covers a lot of my thoughts on evasion. The ideas in that lecture are still relevant, the defenses discussed
Models for Red Team Operations
Recently, I had an email from someone asking for a call to discuss different models of red team operations. This gentlemen sees his team as
Migrating Your Infrastructure
I’ve written about infrastructure for red team operations before. Infrastructure are the servers, domains, and other assets that support your ongoing operation against a target
Linux, Left out in the Cold?
I’ve had several folks ask about Linux targets with Cobalt Strike 3.0 and later. Beacon is a Windows-only payload. The big question becomes, how do
Learn Pipe Fitting for all of your Offense Projects
Named pipes are a method of inter-process communication in Windows. They’re used primarily for local processes to communicate with eachother. They can also facilitate communication
Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM
This is a joint blog written by William Burgess (@joehowwolf) and Henri Nurmi (@HenriNurmi). In our ‘Cobalt Strike and YARA: Can I Have Your Signature?’
Infrastructure for Ongoing Red Team Operations
Recently, I’ve had several questions about how to set up infrastructure for long running red team operations with Cobalt Strike. This is an ideal use
In-Memory Evasion
Many analysts and automated solutions take advantage of various memory detections to find injected DLLs in memory. Memory detections look at the properties (and content)
HOWTO: Port Forwards through a SOCKS proxy
Recently, I’ve had multiple people ask about port forwards with Cobalt Strike’s Beacon payload. Beacon has had SOCKS proxy pivoting support since June 2013. This feature