Showing Posts From

Red Team

Scheduled Task Tampering

This article explores techniques for manipulating Windows scheduled tasks through direct registry modifications. Multiple methods were demonstrated to create and modify tasks without generating standard Task Scheduler logging and event records. The techniques include registry manipulation and Event Tracing for Windows (ETW) tampering, which can be used to establish persistence or execute malicious actions while evading detection.

  • 3 Aug 2021

Playing with PuTTY

This article explores techniques for manipulating PuTTY's source code and session sharing mechanism to capture credentials and execute remote commands. Multiple methods are demonstrated for backdooring PuTTY, including capturing user commands, stealing authentication details, and hijacking SSH sessions through named pipe communications. The techniques provide creative approaches for bypassing security controls during adversarial simulations without traditional keylogging methods.

Using and detecting C2 printer pivoting

A novel Command & Control (C2) technique using printer infrastructure for covert communication is explored in this article. The method involves placing print jobs in a paused state and using document names for data transfer. Multiple detection opportunities are detailed across endpoints, networks, and print servers to identify this stealthy communication method.

Operationalising Calendar Alerts: Persistence on macOS

A novel macOS persistence technique leverages calendar alerts in Automator.app to execute arbitrary applications at specified times. The method exploits an undocumented API in EventKit to programmatically create calendar events with executable alerts. By using JavaScript for Automation (JXA), attackers can establish stealthy persistence on macOS systems through calendar event manipulation.

Introducing LDAP C2 for C3

A new Command & Control (C2) channel for C3 has been introduced using LDAP for covert communication within networks. The technique enables lateral movement by leveraging user attributes with minimal account compromise. A quick start guide is provided to help deploy LDAP-based C2 channels in network environments.

  • 1 May 2020

Bypassing Windows Defender Runtime Scanning

This article details techniques for bypassing Windows Defender's runtime memory scanning by exploiting memory permission limitations. A method was developed using PAGE_NOACCESS memory permissions to prevent detection during suspicious API calls. A custom Metasploit extension called Ninjasploit was created to implement these bypass techniques.

  • 10 Mar 2020

Making Donuts Explode – Updates to the C3 Framework

The C3 framework's "Exploding Donut" release introduces significant updates to cybersecurity operations. Key improvements include integration with the Covenant C2 framework and Donut for compressed shellcode generation. The ChannelLinter project was added to simplify channel development for cybersecurity professionals.

Rethinking Credential Theft

Physmem2profit is a novel red team tool for credential theft that bypasses traditional LSASS process monitoring. The tool allows remote extraction of credential material by exposing and analyzing physical memory without directly interacting with the LSASS process. It provides an alternative approach to credential theft by leveraging memory forensics techniques on Windows systems.

Forging SWIFT MT Payment Messages for fun and pr... research!

A proof-of-concept attack demonstrated how a fraudulent SWIFT MT103 payment message could be forged and injected directly into a message queue. By leveraging system trust relationships and compromising a Message Queue administrator's access, a payment message could be introduced upstream in the payment processing system. The attack bypassed traditional security controls by targeting the message queue infrastructure rather than payment operators or application interfaces.

  • 22 Feb 2019

AutoCAD - Designing a Kill Chain

A detailed analysis of potential cybersecurity vulnerabilities in AutoCAD reveals multiple attack vectors across the cyber kill chain. The research demonstrates how malicious actors can exploit AutoCAD's features like ActionMacros, AutoLisp scripts, and remote text functionality to gain code execution, establish persistence, and perform lateral movement. Multiple attack techniques were identified that could potentially compromise users in high-value industries through targeted AutoCAD-specific exploitation methods.

Bypassing Memory Scanners with Cobalt Strike and Gargoyle

A novel technique for bypassing memory scanners using the Gargoyle method with Cobalt Strike is demonstrated. The approach involves periodically staging and removing a beacon payload from memory to evade detection by endpoint security solutions. By moving in and out of executable memory at timed intervals, the technique aims to avoid traditional memory scanning techniques.

Enumerating remote access policies through GPO

This article details techniques for enumerating remote access policies in Windows environments through Group Policy Objects. It explores how User Account Control (UAC) and User Rights Assignment (URA) settings impact remote authentication and lateral movement opportunities. PowerView extensions were introduced to help map computer objects with specific remote authentication configurations.

"Tasking" Office 365 for Cobalt Strike C2

A novel Command and Control (C2) technique for Cobalt Strike was demonstrated using Office 365's Exchange Web Services. The technique leverages Outlook tasks as a communication channel to transmit malicious traffic through a legitimate service. The proof-of-concept shows how attackers can use the External C2 interface to create covert communication paths through enterprise collaboration tools.

Land, Configure Microsoft Office, Persist

This presentation explores native Microsoft Office add-in mechanisms that can be exploited for persistence on compromised workstations. Various techniques for abusing Office add-ins are analyzed from a red teaming perspective. The talk examines deployment complexity, privilege requirements, and effectiveness in different computing environments.

DLL Tricks with VBA to Improve Offensive Macro Capability

This article explores advanced VBA macro techniques for bypassing security controls using DLLs. Two key techniques are presented: executing remote COM scriptlets without regsvr32 and storing malicious DLLs as seemingly legitimate Office files. These methods enable attackers to execute payloads while evading traditional security detection mechanisms.

Add-In Opportunities for Office Persistence

This article explores multiple techniques for gaining persistence through Microsoft Office add-ins. Multiple methods are examined, including WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins that can execute code when Office applications start. Each add-in type offers unique mechanisms for potential code execution with different technical advantages and limitations.

One Template To Rule 'Em All

A presentation explored how Microsoft Office VBA and templates can be exploited as a persistent malware delivery mechanism. The talk demonstrated vulnerabilities in locked-down environments through a proof-of-concept tool called WePWNise. VBA-enabled files remain an attractive attack vector due to business requirements and human factors in targeted attacks.

Malicious Outlook Rules

XRulez is a tool that enables programmatic creation of malicious Outlook rules by injecting rules directly into Exchange servers. The tool allows attackers to create persistent remote code execution mechanisms via email triggers without requiring direct credential access. By exploiting MAPI sessions, malicious rules can be set up to execute payloads when specific email conditions are met.

Visualising Organisational Charts from Active Directory

This article demonstrates techniques for extracting and visualizing organizational hierarchies from Active Directory using tools like Metasploit, SQLite, and Neo4j. The methods enable mapping of reporting structures and relationships within an organization by converting Active Directory data into a graph database. Complex queries about organizational relationships can be performed dynamically, revealing management chains and reporting structures.

Safer Shellcode Implants

This article discusses techniques for creating safer shellcode implants by implementing runtime security controls. The proposed methods include ensuring single execution through mutex checks, validating the target endpoint using host-specific identifiers, and adding an expiry time to control the implant's lifecycle. Implementation examples are provided in both assembly and C languages to demonstrate these security controls.

Masquerading as a Windows System Binary Using Digital Signatures

This article demonstrates a technique for creating fake digital certificates that mimic Microsoft's code signing certificates. By generating certificates that look like they are from Microsoft and installing a custom root CA, malicious Windows binaries can be signed to appear legitimate. The method allows attackers to create executables that blend in with system processes and potentially evade initial detection.

Egress Checking

The EgressCheck Framework is a tool designed to help penetration testers and system administrators identify network egress opportunities. It generates traffic across multiple ports and protocols, capturing connection attempts using tcpdump. The framework supports both TCP and UDP scanning, and can generate one-liner scripts for Python and PowerShell.

Persistence Architecture Matters

This article explores the Windows-on-Windows (WOW) redirection layer in 64-bit Windows systems. It explains how filesystem and registry paths are dynamically remapped depending on the process architecture. The technical explanation reveals how 32-bit and 64-bit processes interact with system directories and registry keys differently.

Incognito v2.0 Released

Incognito v2.0 is a Windows security tool for token enumeration and manipulation. The new version introduces multi-host input, multi-threading, grepable output, quiet mode, and improved handling of administrative privileges. Key improvements include better API compatibility, enhanced token discovery across multiple systems, and more flexible output options for security professionals.

  • 12 Dec 2011

Tell Us Your Incognito Ideas and Win One of 5 Lego Ninjas

Incognito, a tool for exploiting Windows access tokens launched in 2007, seeks community input on potential improvements. The project aims to enhance the tool's effectiveness by gathering feature suggestions from the information security community. As an incentive, five Lego Ninjas will be awarded to the best feature ideas submitted.

Security Implications of Windows Access Tokens

A whitepaper by Luke Jennings explores the security implications of Windows access tokens in enterprise environments. The document details how access token design can be exploited during penetration testing, highlighting systemic vulnerabilities in corporate security controls. The paper discusses the technical mechanisms of Windows access tokens and provides insights into potential post-exploitation techniques.