Red Teaming for Pacific Rim CCDC 2017

A few weeks, ago I had the pleasure of participating on the Red Team for Pacific Rim CCDC. This is my third year doing the competition, and I feel like I have more fun each year. This year, I was on the Windows Meta Team and a Red Cell Team with Lee Christensen (@tifkin_) and Andy Robbins (@_wald0). I’ve previously written two posts about the competition, in 2015 and 2016, and don’t want to rehash the same points I’ve already covered. In this post, I will focus on the Windows Meta Team infrastructure design, Cobalt Strike Aggressor scripts, and provide some tips for the Blues. Infrastructure Design While designing the Windows Meta Team’s infrastructure, we considered the response we’d expect... [Read More]

Slack Bots for Trolls and Work

In the (belated) spirit of April Fool’s Day, I wanted to slightly diverge from a strictly infosec topic and talk about something that can be used for good (work) or evil (trolling coworkers): Slack bots. Incoming WebHooks Incoming Webhooks allow external applications to post into Slack. The webhook processes HTTP requests sent to a provided URL. The data is stored in a JSON payload and processed by Slack on receipt. Incoming webhooks are a good choice when you want to post data into Slack from an external source that wasn’t requested by a user. Incoming webhooks can currently only post in public channels, they do not support direct messages, group chats, or private channels. To use incoming... [Read More]

How to Make Communication Profiles for Empire

In a recent post, I detailed how to make a Malleable C2 profile for Cobalt Strike. Malleable C2 profiles provide an operator with the ability to shape how defenders will see, and potentially categorize, C2 traffic on the wire. Communication Profiles in Empire provide similar functionality. This increases our chances of evading detection, allows us to emulate specific adversaries, or masquerade as widely-used applications on our target’s network. Empire Communication Profiles With Communication Profiles, we can customize options for Empire’s GET request URIs, user agent, and headers. A basic profile consists of each element, separated by the pipe character, like this: GET request URI | User Agent | Header #1 Here is a sample profile for Comfoo:... [Read More]

How to Write Malleable C2 Profiles for Cobalt Strike

It’s not fun to get caught on an assessment because your target has your toolset signatured. It’s even less fun if that signature is easily bypassed. Cobalt Strike’s Malleable C2 is a method of avoiding that problem when it comes to command and control (C2) traffic. Malleable C2 provides operators with a method to mold Cobalt Strike command and control traffic to their will. For instance, if you determine your target organization allows employees to use Pandora, you could create a profile to make Cobalt Strike’s C2 traffic look like Pandora on the wire. Alternatively, if a client wants to test detection capabilities, you could make your traffic look like a well-known malware toolkit like Zeus. Raphael Mudge (@armitagehacker) previously covered Malleable... [Read More]

Apache mod_rewrite Grab Bag

Apache mod_rewrite provides conditional redirection and obfuscation to a red teamer’s infrastructure. I’ve previously written about mod_rewrite in a few posts. In this post, I will cover a few quick tricks you can use in conjunction with techniques from my earlier posts while phishing or red teaming. Be sure you read the first-time setup instructions for mod_rewrite to configure your server to work properly. Payload Hot-Swapping We’ve all been in a situation where, just after sending out a large phishing batch, we realize that some aspect of the payload doesn’t work in the target environment. Previously, the batch would be burned. With mod_rewrite, we can create a ruleset to redirect requests for the original payload and redirect it to a new payload.... [Read More]