Collaborate Disseminate
What happens when your advantages become a disadvantage? That’s the theme of Fighting the Toolset. This lecture discusses Offensive PowerShell, staging, memory-injected DLLs, and remote process injection as technologies that deliver(ed) a universal advantage to attackers. Today, that’s not always the case. In some contexts, these technologies are the tell that gives you away. In […] Continue reading Fighting the Toolset
Cobalt Strike 3.11 is now available. This release adds to Cobalt Strike’s in-memory threat emulation and evasion capabilities, adds a means to run .NET executable assemblies without touching disk, and implements the Token Duplication UAC bypass attack. In-Memory Threat Emulation One of the things that makes Cobalt Strike different is its ability to emulate multiple […] Continue reading Cobalt Strike 3.11 – The snake that eats its tail
I often receive emails that ask about slow file downloads with the Beacon payload. Here are the symptoms: It takes multiple hours to grab a few megabytes The sleep time makes no difference File uploads are fast and not affected by this “slowness” When I get these emails, I usually ask the user about their […] Continue reading Beware of Slow Downloads
Many analysts and automated solutions take advantage of various memory detections to find injected DLLs in memory. Memory detections look at the properties (and content) of processes, threads, and memory to find indicators of malicious activity in the current process. In-memory Evasion is a four-part mini course on the cat and mouse game related to […] Continue reading In-Memory Evasion
Cobalt Strike 3.10 is now available. This release adds Unicode support to the Beacon payload, introduces a built-in report based on MITRE’s ATT&CK matrix, and performs endodontics on the Beacon payload. A Strategy for Unicode One of Cobalt Strike’s limitations is its ham-fisted handling of text. Cobalt Strike treats everything sent to and received from […]
Continue reading Cobalt Strike 3.10 – Хакер vs. 肉雞
Today, SpecterOps announces its acquisition of MINIS LLC. The company is doing its social media thing to spread the word. I wanted to take a moment to share the news and comment on it in my own words. If you want press release language, we have that too. SpecterOps is Proud to Announce Acquisition of […]
Continue reading SpecterOps acquires MINIS
Part 9 of Advanced Threat Tactics covers a lot of my thoughts on evasion. The ideas in that lecture are still relevant, the defenses discussed there didn’t go away! That said, there are other defenses and realities offensive operators must contend with today. This blog post discusses some of these and provides tips for adjusting […]
Continue reading Modern Defenses and YOU!
If I had to describe Cobalt Strike in one word, I’d say ‘flexible’. There are a lot of options to control Cobalt Strike’s features and indicators. In this post, I’ll introduce these options, explain the rationale for each, and point you to resources to explore them further. Aggressor Script Aggressor Script is Cobalt Strike’s built-in […]
Continue reading Kits, Profiles, and Scripts… Oh my!
Cobalt Strike 3.9 is now available. This release brings several additions to Malleable C2 with an emphasis on staging flexibility. Malleable HTTP/S Staging Stagers are tiny programs that download the Beacon payload and pass control to it. Stagers are a way to use a size-constrained attack to deliver a large payload like Beacon. While I […]
Continue reading Cobalt Strike 3.9 – Livin’ in a Stager’s Paradise
Have you seen this cute ghost inside of a hexagon? The logo is for Specter Ops, Inc., a new cyber-security consulting firm. Today’s the company’s launch day. The press release is here. The website is here. Today, Specter Ops, Inc. is 13 people who have given me technical guidance on Cobalt Strike, trained Cobalt Strike […]
Continue reading Living the Ghost Life: Announcing Specter Ops, Inc.