Introduction
Recently, I presented this topic to an audience of post-secondary students and I thought it might be valuable to share this content with a broader audience.
This information is based on my (and my team’s) experience building, operationalizing, and running a purple team program in a global enterprise. My hope is that this information is useful to the reader in understanding applicability, approach, engagement models, and value.
What is Purple Teaming?
cslogwatch is a tool designed to help Cobalt Strike users get a handle on the logs the framework generates. We can certainly spend our time grepping across a myriad of beacon session log files, but wouldn't it be nice to have a tool that reliably tracks Cobalt Strike log files for changes, parses the entries, and then either stores them in a database or returns them in a structured form?
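As an added example (this is not the cslogwatch source, whose parsing and storage choices are not visible from this excerpt), here is a small Python sketch of the same idea: track a beacon log for appended bytes, parse each entry into a record, and drop the records into SQLite. The log layout it assumes, `MM/DD HH:MM:SS [UTC] [kind] text` with `[output]` bodies continuing on the following unprefixed lines, is from memory of beacon_*.log files and should be checked against your Cobalt Strike version; the sample log lines are constructed.

```python
"""Incremental parser for Cobalt Strike beacon logs (a cslogwatch-style sketch).

Added example, not the cslogwatch source. Log layout assumed (check it against
your Cobalt Strike version): 'MM/DD HH:MM:SS [UTC] [kind] text', where [output]
and [error] bodies continue on the following lines without a timestamp prefix.
"""
import os
import re
import sqlite3
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

ENTRY_RE = re.compile(r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: UTC)? \[(?P<kind>\w+)\](?: (?P<text>.*))?$")
INPUT_RE = re.compile(r"^<(?P<operator>[^>]+)> (?P<cmd>.*)$")  # [input] <operator> command
TASK_RE = re.compile(r"^<(?P<ttps>[^>]+)> (?P<desc>.*)$")      # [task] <T1059> Tasked beacon to ...
KV_RE = re.compile(r"(\w[\w ]*): ([^;]+)")                      # [metadata] key: value; key: value

# Constructed sample of a beacon_*.log session (not a real capture).
SAMPLE = """\
02/24 11:43:15 [metadata] 192.168.1.10 <- 192.168.1.55; computer: WS01; user: bob; process: powershell.exe; pid: 3920; os: Windows; version: 10.0; beacon arch: x64 (x64)
02/24 11:44:01 [input] <neo> shell whoami
02/24 11:44:01 [task] <T1059> Tasked beacon to run: whoami
02/24 11:44:06 [checkin] host called home, sent: 39 bytes
02/24 11:44:07 [output]
received output:
ws01\\bob
"""


@dataclass
class Entry:
    ts: str
    kind: str
    text: str
    operator: Optional[str] = None
    ttps: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)


def parse_lines(lines: Iterable[str]) -> List[Entry]:
    """Turn raw log lines into Entry records; unprefixed lines extend the previous entry."""
    entries: List[Entry] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = ENTRY_RE.match(line)
        if not m:
            if entries:  # continuation of a multi-line [output]/[error] body
                entries[-1].text = (entries[-1].text + "\n" + line).strip()
            continue
        e = Entry(ts=m["ts"], kind=m["kind"], text=m["text"] or "")
        if e.kind == "input" and (im := INPUT_RE.match(e.text)):
            e.operator, e.text = im["operator"], im["cmd"]
        elif e.kind == "task" and (tm := TASK_RE.match(e.text)):
            e.ttps, e.text = [t.strip() for t in tm["ttps"].split(",")], tm["desc"]
        elif e.kind == "metadata":
            e.meta = {k.strip(): v.strip() for k, v in KV_RE.findall(e.text)}
        entries.append(e)
    return entries


class LogTracker:
    """Remember how far each log was read so a re-scan parses only appended bytes."""

    def __init__(self) -> None:
        self.offsets: Dict[str, int] = {}

    def poll(self, path: str) -> List[Entry]:
        start = self.offsets.get(path, 0)
        if os.path.getsize(path) < start:  # truncated or rotated: start over
            start = 0
        with open(path, "rb") as fh:
            fh.seek(start)
            data = fh.read()
        head, sep, _partial = data.rpartition(b"\n")
        data = head + sep  # hold back a half-written last line until it is complete
        self.offsets[path] = start + len(data)
        return parse_lines(data.decode("utf-8", "replace").splitlines())


def store(entries: List[Entry], db: sqlite3.Connection) -> None:
    """Persist parsed entries; one flat table is enough to query by operator, kind or time."""
    db.execute("CREATE TABLE IF NOT EXISTS beacon_log (ts TEXT, kind TEXT, operator TEXT, ttps TEXT, text TEXT)")
    db.executemany("INSERT INTO beacon_log VALUES (?, ?, ?, ?, ?)",
                   [(e.ts, e.kind, e.operator, ",".join(e.ttps), e.text) for e in entries])
    db.commit()


def demo() -> dict:
    """Write SAMPLE to a temp file, poll it, append a line as a beacon would, poll again."""
    tracker, db = LogTracker(), sqlite3.connect(":memory:")
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(SAMPLE)
        path = fh.name
    first = tracker.poll(path)
    store(first, db)
    with open(path, "a") as fh:  # simulated new activity written by the team server
        fh.write("02/24 11:44:12 [checkin] host called home, sent: 16 bytes\n")
    second = tracker.poll(path)
    store(second, db)
    rows = db.execute("SELECT COUNT(*) FROM beacon_log").fetchone()[0]
    os.unlink(path)
    return {"first": first, "second": second, "rows": rows}
```

Two details matter more than the regexes: the tracker reads only the bytes appended since the last poll and holds back a trailing line that has no newline yet, so a log the team server is mid-way through writing is not parsed as a truncated entry, and a file that shrinks (rotation) is re-read from the start rather than skipped.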
A few weeks ago I published a blog post titled Stealthy & Targeted Implant Loaders. This brief addendum addresses a couple of caveats to the points made there and introduces a few new ideas.
On-Target Analysis
In the last post we discussed a number of target-specific conditions that can be used as input to the cryptographic key material. The result is a payload that successfully decrypts only on the intended target(s).
Implant targeting can be a useful tool in your arsenal: instead of developing weaponized malcode that will execute on arbitrary systems, we can protect the confidentiality of our payloads while ensuring that deployment occurs only on the targeted (intended) assets.
Why should we, as red teams, care that our payloads execute only on targeted systems? There are arguably many reasons, but the most obvious is to ensure that they do not end up running, and being recovered and analyzed, on unintended targets.
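The following Python is an added illustration of the idea above, not the author's loader code. The conditions it keys on (hostname, domain, username) and the cipher construction (PBKDF2-HMAC-SHA256 for key derivation, HMAC-SHA256 in counter mode as a keystream, and an encrypt-then-MAC tag) are choices made here so that it runs with the standard library alone; a real loader would use AES-GCM or ChaCha20-Poly1305 instead. The target and sandbox environments are constructed values.

```python
"""Environmental keying: derive the payload key from target-specific conditions.

Added example, not the author's loader. Stdlib-only construction: PBKDF2 over a
hash of the observed conditions, HMAC-SHA256 counter-mode keystream, and an
encrypt-then-MAC tag. Swap in AES-GCM/ChaCha20-Poly1305 for production use.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # also slows an analyst brute-forcing guessed condition values

# Constructed environments: the intended host and an analyst's sandbox. On a real
# target these would come from the OS (hostname, USERDNSDOMAIN, current user, ...).
TARGET = {"hostname": "FIN-WS07", "domain": "CORP", "username": "j.doe"}
SANDBOX = {"hostname": "DESKTOP-1", "domain": "WORKGROUP", "username": "analyst"}
PAYLOAD = b"MZ... stage-two bytes would go here (constructed placeholder)"


def fingerprint(env: Dict[str, str]) -> bytes:
    """Hash the normalized conditions; the payload carries no plaintext hint of its target."""
    parts = [env[k].strip().lower() for k in ("hostname", "domain", "username")]
    return hashlib.sha256("\x00".join(parts).encode()).digest()


def derive_keys(env: Dict[str, str], salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the fingerprint into an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", fingerprint(env), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, target_env: Dict[str, str]) -> bytes:
    """Encrypt payload so that only a host matching target_env can recover it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = derive_keys(target_env, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(k_enc, nonce, len(payload))))
    tag = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_on_target(blob: bytes, local_env: Dict[str, str]) -> Optional[bytes]:
    """Return the payload if this host's conditions reproduce the key, otherwise None."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    k_enc, k_mac = derive_keys(local_env, salt)
    expected = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # wrong host or tampered blob: decline quietly
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def demo() -> dict:
    """Seal for TARGET, then try to open on the target, on a sandbox, and after tampering."""
    blob = seal(PAYLOAD, TARGET)
    tampered = bytearray(blob)
    tampered[40] ^= 0x01  # flip one ciphertext bit; the tag must reject it
    return {
        "on_target": open_on_target(blob, TARGET),
        "on_sandbox": open_on_target(blob, SANDBOX),
        "case_insensitive": open_on_target(blob, {**TARGET, "hostname": "fin-ws07"}),
        "tampered": open_on_target(bytes(tampered), TARGET),
    }
```

Two caveats worth carrying into a real loader. First, normalize every condition before hashing (the example lowercases and strips), because the same hostname is reported in NetBIOS upper case by one API and in DNS lower case by another, and a mismatch silently breaks decryption on the very host you targeted. Second, the protection is only as strong as the entropy of the conditions: if an analyst can guess the schema (hostname plus domain plus user) and enumerate candidate values from the victim network, the key is brute-forceable, which is why the derivation is deliberately slow and why the conditions should be ones an outsider cannot easily enumerate.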
A number of researchers have recently been looking at lateral movement methods that leverage Microsoft’s Distributed Component Object Model (DCOM), with some great articles put together by @enigma0x3 at https://enigma0x3.net/. These articles walk through the overall approach of discovering DCOM based lateral movement techniques as well as demonstrating a number of examples.
In this post, we will analyze another DCOM based lateral movement technique that I have recently discovered.
COM / DCOM Overview
COM is described by Microsoft as:
Overview
For those of us who have had the chance to play around with it, Docker is pretty awesome. While primarily designed with development, deployment, and continuous integration in mind, it is also very useful for offense-related tasks.
I have put together a Docker build for PowerShell Empire. You can grab the Dockerfile and supporting files from GitHub, or just pull the image directly from Docker Hub. I intend to configure automated builds so that a fresh, fully updated image can be pulled down regularly.