Learn Pipe Fitting for all of your Offense Projects

Named pipes are a method of inter-process communication in Windows. They’re used primarily for local processes to communicate with each other. They can also facilitate communication between two processes on separate hosts. This traffic is encapsulated in the Microsoft SMB Protocol. If you ever hear someone refer to a named pipe transport as an SMB channel, […]

Agent Deployed: Core Impact and Cobalt Strike Interoperability

Core Impact 20.3 has shipped this week. With this release, we’re revealing patterns for interoperability between Core Impact and Cobalt Strike. In this post, I’ll walk you through these patterns and provide advice on how to benefit from using Cobalt Strike and Core Impact together. A Red Team Operator’s Introduction to Core Impact Prior to […]

2021 Cobalt Strike Renewal COLA Price Increase

At HelpSystems we are committed to investing in continuous improvement by enhancing existing solutions, developing new technologies, and retaining the best employees. Maintenance and subscription fees for your HelpSystems software licenses provide access to regular software updates, our world-class technical support, and other entitlements as applicable. In order to maintain the highest standards, an annual […]

verify.cobaltstrike.com outage summary

Cobalt Strike’s update process was degraded due to a data center outage that affected https://verify.cobaltstrike.com. The verify server is back up and the functionality of our update process is restored. Here’s the timeline of the incident: November 10, 2020 – 5:15pm EST The Cobalt Strike update process is degraded. You may still download and update […]

Cobalt Strike 4.2 – Everything but the kitchen sink

Cobalt Strike 4.2 is now available. This release overhauls our user exploitation features, adds more memory flexibility options to Beacon, adds more behavior flexibility to our post-exploitation features, and makes some nice changes to Malleable C2 too. User Exploitation Redux Cobalt Strike’s screenshot tool and keystroke logger are examples of user exploitation tools. These capabilities […]

Beacon Object File ADVENTURES: Some Zerologon, SMBGhost, and Situational Awareness

Cobalt Strike can use PowerShell, .NET, and Reflective DLLs for its post-exploitation features. This is the weaponization problem set: how to take things developed outside the tool and create a path to use them in the tool. One of the newest weaponization options in Cobalt Strike is Beacon Object Files. A Beacon Object File is […]

Cobalt Strike 4.1 – The Mark of Injection

Cobalt Strike 4.1 is now available. This release introduces a new way to build post-ex tools that work with Beacon, pushes back on a generic shellcode detection strategy, and grants added protocol flexibility to the TCP and named pipe Beacons. Beacon Object Files Cobalt Strike has weaponization options for PowerShell, .NET, and Reflective DLLs. These […]

SSL certificate verification for failed

TL;DR a certificate for part of the Cobalt Strike update infrastructure changed. Download the 20200511 distribution package to avoid certificate verification errors. If you recently ran the Cobalt Strike update program (version 20191204), you may see a nice message about the failed SSL certificate verification for verify.cobaltstrike.com: verify.cobaltstrike.com hosts a text file with SHA256 hashes […]