7MS #477: Cobalt Strike for Newbs
7 Minute Security21 Heinä 2021

7MS #477: Cobalt Strike for Newbs

Today we're talking about Cobalt Strike for newbs - including how to get it up and running, as well as some tools that will help you generate beacons while evading EDR at the same time!

Some helpful things mentioned in today's episode:

  • Wherever you spin up your CS instance, it's probably a good idea to lock down the firewall to only specific IPs. With Digital Ocean, I found this article helpful.

  • When generating CS listeners, the C2Concealer from FortyNorth helped me get malleable C2 profiles generated while creating a LetsEncrypt cert at the same time!

  • My CS beacons kept getting gobbled by AV, but the following resources helped me get some stealthy ones generated: Artifact Kit, PEzor and ScareCrow. Here's a specific ScareCrow example that flew under the EDR radar:

Scarecrow -I myrawshellcode.bin -etw -domain www.microsoft.com

  • PowerUpSQL is awesome for finding servers where you can run stored procedures to send your attacking box a priv'd hash to pass/capture/crack. Check out this presentation on PowerUpSQL to find vulnerable targets, then use mssql_ntlm_stealer module in Metasploit to have fun with the account hashes. Be sure to set your domain when configuring the Metasploit module!

  • When trying to pop an SMB shell with relay tools, I've had problems recently with those attempts being stopped by defensive tools. Then I found this gem which talks about tweaking smbexec.py to evade AV. It worked a treat!

  • When you use MultiRelay, I had no idea that it includes an upload function so you can simply upload your beacon.exe from a SYSTEM shell and fire it right from a command line. Cool!

  • Once my beacons started firing around the pentest environment, I temporarily allowed all IPs to talk to my Digital Ocean box - just because the IP I grabbed from a "what is my IP?" Google search didn't always match the actual beacons that called home. Once the beacon connectivity was established, I tweaked the beacon firewall rules to just let certain IPs in the door.

  • This Cobalt Strike Extension Kit was FREAKING sweet for adding "right click > do awesome stuff" functionality to CS like dump hashes, search for Kerberoastable accounts, setup persistence, etc.

  • Got a SYSTEM level shell but need to abuse a DA's privs? Tell the beacon to pull back a list of running processes, then click one (like explorer.exe) running under a DA's account and then impersonate it to add your account to the DA group!

  • Having issues dumping LSASS? This article from Red Canary gives you some great ideas to do it in a way that doesn't make AV throw a fit!

  • Trying to RDP using PtH? This article will help you out. And if you get warnings about not being able to RDP in because of some sort of login restriction, try adjusting this reg key with CME:

cme smb 10.1.2.3 -u Administrator -H THE-HASH-YOU-CAPTURED -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'

Jaksot(706)

7MS #497: The Stress and Satisfaction of Offering Live Security Training

7MS #497: The Stress and Satisfaction of Offering Live Security Training

Hey friends, today I'm giving you a peek behind the curtain of our Light Pentest LITE training to talk about the software/hardware we use to make it sing, the growing pains - and OMG(!) moments - that forced us to build in more infrastructure redundancy, and the cool (and expensive!) cloud options we're considering to offer a self-paced version of the course.

2 Joulu 202151min

7MS #496: Tales of Pentest Pwnage - Part 30

7MS #496: Tales of Pentest Pwnage - Part 30

Today's tale of pentesting has a bunch of tips to help you maximize your pwnage, including: The new Responder DHCP poisoning module All the cool bells and whistles from CrackMapExec which now include new lsass-dumping modules! Speaking of lsass dumping, here's a new trick that works if you have Visual Studio installed (I bet it will be detected soon). I close out today's episode with a story about how my Cobalt Strike beacons got burned by a dating site!

24 Marras 202148min

7MS #495: Desperately Seeking a Super SIEM for SMBs - Part 5

7MS #495: Desperately Seeking a Super SIEM for SMBs - Part 5

Today we continue our SIEM/SOC evaluation series with a closer look at one particular managed solution and how it fared (very well) against a very hostile environment: the Light Pentest LITE pentesting course! Spoiler alert: this solution was able to detect: RDP from public IPs Password spraying Kerberoasting Mimikatz Recon net commands Hash dumping Hits on a "honey domain admin" account Users with non-expiring passwords Hits on the SSH/FTP/HTTP honeypot

17 Marras 202139min

7MS #494: Interview with Josh Burnham of Liquid Web

7MS #494: Interview with Josh Burnham of Liquid Web

10 Marras 202145min

7MS #493: 7MOIST - Part 2

7MS #493: 7MOIST - Part 2

Hey, remember back in episode #357 where we introduced 7MOIST (7 Minutes of IT and Security Tips)? Yeah, me neither :-). Anyway, we're back with the second edition of 7MOIST and have some cool pentesting and general IT tips that will hopefully make your life a little awesome-r: Stuck on a pentest because EDR keeps gobbling your payloads? SharpCradle might just save the day! CrackMapExec continues to learn new awesome tricks - including a module called slinky that plants hash-grabbing files on shares you have write access to! Browsing 17 folders deep in Windows Explorer and wish you could just pop a cmd.exe from right there? You can! Just click into the path where you're browsing, type cmd.exe, hit Enter and BOOM! Welcome to a prompt right at that folder!

4 Marras 20217min

7MS #492: Tales of Pentest Pwnage - Part 29

7MS #492: Tales of Pentest Pwnage - Part 29

Hello friends! We're long overdue for a tale of pentest pwnage, and this one is a humdinger! It's actually kind of three tales in one, focusing on pentesting wins using: Manual "open heart surgery" on the root of the Active Directory domain The new totally rad DHCP poisoning module of Responder An opportunity to abuse GPOs with SharpGPOAbuse (P.S. we talked about this tool about a year ago in episode 441)

28 Loka 202156min

7MS #491: Interview with Louis Evans of Arctic Wolf

7MS #491: Interview with Louis Evans of Arctic Wolf

Today we're joined by Louis Evans of Arctic Wolf to talk about all things cyber insurance, including: History on cyber insurance - who's buying it, what it does and doesn't cover, and when it started to be something you didn't want to leave home without What are insurance companies asking/demanding of customers before writing a cyber insurance policy? What basic things organizations can do to reduce malware/ransomware incidents (whether they are considering a cyber insurance policy or not)? How do I evaluate the various insurance carriers out there and pick a good one?

20 Loka 202152min

7MS #490: Desperately Seeking a Super SIEM for SMBs - Part 4

7MS #490: Desperately Seeking a Super SIEM for SMBs - Part 4

Hey friends! Today we're going to recap the SIEM/SOC players we've evaluated so far (Arctic Wolf, Elastic, Sumo Logic, Milton Security) and then talk about a new contender that was brought to our attention: Blumira (not a sponsor, but I'm really digging what I'm seeing/hearing/experiencing thus far)!

13 Loka 202142min

Suosittua kategoriassa Politiikka ja uutiset

rss-ootsa-kuullut-tasta
aikalisa
tervo-halme
ootsa-kuullut-tasta-2
politiikan-puskaradio
otetaan-yhdet
et-sa-noin-voi-sanoo-esittaa
rss-vaalirankkurit-podcast
aihe
rss-podme-livebox
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
linda-maria
rikosmyytit
viisupodi
rss-kuka-mina-olen
politbyroo
io-techin-tekniikkapodcast
rss-mina-ukkola
rss-hyvaa-huomenta-bryssel
rss-kuntalehti-podcast