ADExplorer on Engagements

ADExplorer is a tool I have always had in my backpack. It can be useful for both offensive and defensive purposes, but in this post, I am going to focus more on its offensive use. The tool itself can be found here: https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer. A typical scenario I often face on engagements is that I have…

The post ADExplorer on Engagements appeared first on TrustedSec.

Azure Application Proxy C2

With the ever-tightening defensive grip on techniques like domain fronting and detections becoming more effective at identifying common command and control (C2) traffic patterns, our ability to adapt to different egress methods is being tested. Of course, finding methods of pushing out C2 traffic can be a fun exercise during a Red Team engagement. A…

Front, Validate, and Redirect

In the age of threat hunting, automated mass scanning, and the occasionally curious SOC, properly securing your command and control (C2) infrastructure is key to any engagement. While many setups today include a CDN Domain Front with a custom Nginx or Apache ruleset sprinkled on top, I wanted to share my recipe for success. Fully…

Tailoring Cobalt Strike on Target

We’ve all been there: you’ve completed your initial recon, sent in your emails to gather those leaked HTTP headers, spent an age configuring your malleable profile to be just right, set up your CDNs, and spun up your redirectors. Then it’s time, you send in your email aaaaaand…nothing. You can see from your DNS diagnostic…

4 Free Easy Wins That Make Red Teams Harder

In this post, I will cover some easy things that defenders can do to make it harder for attackers to succeed. As you all know, there is never a silver bullet when it comes to security, so these tips will only make it harder for attackers by focusing on the basics, and sometimes, that helps…

MacOS Injection via Third-Party Frameworks

Since joining the TrustedSec AETR team, I have been spending a bit of time looking at tradecraft for MacOS environments, which, unfortunately for us attackers, are getting tougher to attack compared to their Windows peers. With privacy protection, sandboxing, and endless entitlement dependencies, operating via an implant on a MacOS-powered device can be a minefield….

Weaponizing Group Policy Objects Access

Recently, I was on an engagement where I discovered I had plaintext credentials to an account that could modify Active Directory Group Policy Objects (GPOs). This proved to be a fun challenge, as Group Policy files and properties can be bent to our will even when hacking through a straw (SOCKS only, in this case)….

Red Teaming With Cobalt Strike – Not So Obvious Features

Since beginning work as a red teamer almost two years ago, I’ve had to learn a lot of new information and tooling. I had never worked with Cobalt Strike before and there were features not obvious to me until I had used it for a while and gained some experience with it. This post will…

Thycotic Secret Server: Offline Decryption Methodology

On offensive engagements, we frequently encounter centralized internal password managers that are used by various departments to store incredibly sensitive account information, such as Domain Admin accounts, API keys, credit card data, the works. It used to be that these systems were implemented without multi-factor authentication. “Hacking” them was as simple as finding somebody that…

Automating a RedELK Deployment Using Ansible

As the red team infrastructure needs continue to expand (and grow more complicated), so does the need for infrastructure automation. Red teams are adopting DevOps to improve the speed at which their infrastructure is deployed, hence the rise in usage of tools such as Terraform and Ansible for red teams. In this post, we will…