7MS #477: Cobalt Strike for Newbs
7 Minute Security21 Heinä 2021

7MS #477: Cobalt Strike for Newbs

Today we're talking about Cobalt Strike for newbs - including how to get it up and running, as well as some tools that will help you generate beacons while evading EDR at the same time!

Some helpful things mentioned in today's episode:

  • Wherever you spin up your CS instance, it's probably a good idea to lock down the firewall to only specific IPs. With Digital Ocean, I found this article helpful.

  • When generating CS listeners, the C2Concealer from FortyNorth helped me get malleable C2 profiles generated while creating a LetsEncrypt cert at the same time!

  • My CS beacons kept getting gobbled by AV, but the following resources helped me get some stealthy ones generated: Artifact Kit, PEzor and ScareCrow. Here's a specific ScareCrow example that flew under the EDR radar:

Scarecrow -I myrawshellcode.bin -etw -domain www.microsoft.com

  • PowerUpSQL is awesome for finding servers where you can run stored procedures to send your attacking box a priv'd hash to pass/capture/crack. Check out this presentation on PowerUpSQL to find vulnerable targets, then use mssql_ntlm_stealer module in Metasploit to have fun with the account hashes. Be sure to set your domain when configuring the Metasploit module!

  • When trying to pop an SMB shell with relay tools, I've had problems recently with those attempts being stopped by defensive tools. Then I found this gem which talks about tweaking smbexec.py to evade AV. It worked a treat!

  • When you use MultiRelay, I had no idea that it includes an upload function so you can simply upload your beacon.exe from a SYSTEM shell and fire it right from a command line. Cool!

  • Once my beacons started firing around the pentest environment, I temporarily allowed all IPs to talk to my Digital Ocean box - just because the IP I grabbed from a "what is my IP?" Google search didn't always match the actual beacons that called home. Once the beacon connectivity was established, I tweaked the beacon firewall rules to just let certain IPs in the door.

  • This Cobalt Strike Extension Kit was FREAKING sweet for adding "right click > do awesome stuff" functionality to CS like dump hashes, search for Kerberoastable accounts, setup persistence, etc.

  • Got a SYSTEM level shell but need to abuse a DA's privs? Tell the beacon to pull back a list of running processes, then click one (like explorer.exe) running under a DA's account and then impersonate it to add your account to the DA group!

  • Having issues dumping LSASS? This article from Red Canary gives you some great ideas to do it in a way that doesn't make AV throw a fit!

  • Trying to RDP using PtH? This article will help you out. And if you get warnings about not being able to RDP in because of some sort of login restriction, try adjusting this reg key with CME:

cme smb 10.1.2.3 -u Administrator -H THE-HASH-YOU-CAPTURED -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'

Tämä jakso on lisätty Podme-palveluun avoimen RSS-syötteen kautta eikä se ole Podmen omaa tuotantoa. Siksi jakso saattaa sisältää mainontaa.

Jaksot(730)

7MS #730: Baby's First Project Swarm

7MS #730: Baby's First Project Swarm

Hey friends! Still your grieving pal over here, but also your swarming friend and Protecting My Network Edge host — because this week I've been tinkering with something called Project Swarm and I've g...

10 Heinä 25min

7MS #729: Pwning Dracarys

7MS #729: Pwning Dracarys

Hey friends! Still your grieving pal over here, but also your happy hacking host — because today we're diving into baby's first Dracarys! (Yes, I'm probably pronouncing that wrong. Yes, I'm going to k...

4 Heinä 18min

7MS #728: Securing Your Family During and After a Disaster – Part 8

7MS #728: Securing Your Family During and After a Disaster – Part 8

Hey friends! This is a tough one to write. My dad passed away on Friday, and instead of the hacker-y tech episode I had planned, I pivoted to something more personal — another installment of our "Secu...

30 Kesä 38min

7MS #727: Securing Your Mental Health – Part 7

7MS #727: Securing Your Mental Health – Part 7

Hello friends! It's been over a year since we did a dedicated mental health episode, so today I'm doing a big catch-up and running through my 7-point plan for being a more mentally secure me. None of ...

19 Kesä 21min

7MS #726: Baby's First Hermes

7MS #726: Baby's First Hermes

Hello friends! I've been on a bit of an AI agent journey lately, and today I'm sharing my experience ditching OpenClaw and going all-in on Hermes — a self-hosted AI agent built by Nous Research. A Net...

12 Kesä 22min

7MS #725: Building a Bulletproof Backup Solution

7MS #725: Building a Bulletproof Backup Solution

Hey friends! Backups are not as cool as pentesting, but boy do they matter when things go sideways. This week I'm sharing how a Proxmox backup disk space meltdown led me to a completely overhauled — a...

5 Kesä 21min

7MS #724: Tales of Pentest Pwnage - Part 85

7MS #724: Tales of Pentest Pwnage - Part 85

Hey friends! Today we're going deep on external network pentesting — something I realize we've barely touched in however many episodes we've done. I'm currently in a long stretch of back-to-back exter...

29 Touko 30min

7MS #723: CARTP - Cloud Red Team Tactics for Attacking and Defending Azure - Part 1

7MS #723: CARTP - Cloud Red Team Tactics for Attacking and Defending Azure - Part 1

Hello friends! Today's a hybrid episode — some security content up top about a new certification I've kicked off, followed by an aggressively quick trip to Tangent Town. Feel free to bail after the se...

23 Touko 32min

Suosittua kategoriassa Politiikka ja uutiset

aikalisa
uutiscast
ootsa-kuullut-tasta-2
rss-ootsa-kuullut-tasta
rss-podme-livebox
otetaan-yhdet
rss-seksicast
politiikan-puskaradio
tervo-halme
aihe
rss-vaalirankkurit-podcast
rss-girls-finish-f1rst
rss-mina-ukkola
rss-aijat-hopottaa-podcast
rss-mita-tapahtuu
rss-merja-mahkan-rahat
rss-raha-talous-ja-politiikka
rss-tekoalyfoorumi
rss-asiastudio
rss-pinnalla