7MS #477: Cobalt Strike for Newbs
7 Minute Security21 Juli 2021

7MS #477: Cobalt Strike for Newbs

Today we're talking about Cobalt Strike for newbs - including how to get it up and running, as well as some tools that will help you generate beacons while evading EDR at the same time!

Some helpful things mentioned in today's episode:

  • Wherever you spin up your CS instance, it's probably a good idea to lock down the firewall to only specific IPs. With Digital Ocean, I found this article helpful.

  • When generating CS listeners, the C2Concealer from FortyNorth helped me get malleable C2 profiles generated while creating a LetsEncrypt cert at the same time!

  • My CS beacons kept getting gobbled by AV, but the following resources helped me get some stealthy ones generated: Artifact Kit, PEzor and ScareCrow. Here's a specific ScareCrow example that flew under the EDR radar:

Scarecrow -I myrawshellcode.bin -etw -domain www.microsoft.com

  • PowerUpSQL is awesome for finding servers where you can run stored procedures to send your attacking box a priv'd hash to pass/capture/crack. Check out this presentation on PowerUpSQL to find vulnerable targets, then use mssql_ntlm_stealer module in Metasploit to have fun with the account hashes. Be sure to set your domain when configuring the Metasploit module!

  • When trying to pop an SMB shell with relay tools, I've had problems recently with those attempts being stopped by defensive tools. Then I found this gem which talks about tweaking smbexec.py to evade AV. It worked a treat!

  • When you use MultiRelay, I had no idea that it includes an upload function so you can simply upload your beacon.exe from a SYSTEM shell and fire it right from a command line. Cool!

  • Once my beacons started firing around the pentest environment, I temporarily allowed all IPs to talk to my Digital Ocean box - just because the IP I grabbed from a "what is my IP?" Google search didn't always match the actual beacons that called home. Once the beacon connectivity was established, I tweaked the beacon firewall rules to just let certain IPs in the door.

  • This Cobalt Strike Extension Kit was FREAKING sweet for adding "right click > do awesome stuff" functionality to CS like dump hashes, search for Kerberoastable accounts, setup persistence, etc.

  • Got a SYSTEM level shell but need to abuse a DA's privs? Tell the beacon to pull back a list of running processes, then click one (like explorer.exe) running under a DA's account and then impersonate it to add your account to the DA group!

  • Having issues dumping LSASS? This article from Red Canary gives you some great ideas to do it in a way that doesn't make AV throw a fit!

  • Trying to RDP using PtH? This article will help you out. And if you get warnings about not being able to RDP in because of some sort of login restriction, try adjusting this reg key with CME:

cme smb 10.1.2.3 -u Administrator -H THE-HASH-YOU-CAPTURED -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'

Avsnitt(705)

7MS #625: A Peek into the 7MS Mail Bag - Part 4

7MS #625: A Peek into the 7MS Mail Bag - Part 4

Road trip time! I've been traveling this week doing some fun security projects, and thought all this highway time would be a perfect opportunity to take a dip into the 7MS mail bag! Today's questions include: How do you price internal network penetration tests? Have you ever had to deal with a difficult client situation, and how did you resolve it? Are you done going after certs? Spoiler: no – I'm interested in doing the XINTRA labs (not sure if it includes a cert) Do you provide managed services or just stick with more "one and done" assessment work? You said the "smart business people" tell you to form reseller partnerships, otherwise you're leaving money on the table – so why don't you? I'm thinking of starting my own cybersecurity consultancy – what type of insurance do I need to protect me in case of a digital "oops?"

24 Maj 202444min

7MS #624: Tales of Pentest Pwnage – Part 57

7MS #624: Tales of Pentest Pwnage – Part 57

Today's tale of pentest pwnage is all about my new favorite attack called SPN-less RBCD. We did a teaser episode last week that actually ended up being a full episode all about the attack, and even step by step commands to pull it off. But I didn't want today's episode to just be "Hey friends, check out the YouTube version of this attack!" so I also cover: Our first first impressions of Burp Enterprise Why I have a real hard time believing you have to follow all these steps to install Kali on Proxmox

17 Maj 202429min

7MS #623: Prelude to a Tale of Pentest Pwnage

7MS #623: Prelude to a Tale of Pentest Pwnage

Today's prelude to a tale of pentest pwnage talks about something called "spnless RBCD" (resource-based constrained delegation). The show notes don't format well here in the podcast notes, so head to 7minsec.com to see the notes in all their glory.

10 Maj 202424min

7MS #622: Migrating from vCenter to Proxmox - Part 1

7MS #622: Migrating from vCenter to Proxmox - Part 1

Sadly, the Broadcom acquisition of VMWare has hit 7MinSec hard – we love running ESXi on our NUCs, but ESXi free is no longer available. To add insult to injury, our vCenter lab at OVHcloud HQ got a huge price gouge (due to license cost increase; not OVH's fault). Now we're exploring Proxmox as an alternative hypervisor, so we're using today's episode to kick off a series about the joys and pains of this migration process.

5 Maj 202416min

7MS #621: Eating the Security Dog Food - Part 6

7MS #621: Eating the Security Dog Food - Part 6

Today we revisit a series about eating the security dog food – in other words, practicing what we preach as security gurus! Specifically we talk about: We're going to get a third-party assessment on 7MinSec (the business) Tips for secure email backup/storage Limiting the retention of sensitive data you store in cloud places

26 Apr 202423min

7MS #620: Securing Your Mental Health - Part 5

7MS #620: Securing Your Mental Health - Part 5

Today we're talking about tips to deal with stress and anxiety: It sounds basic, but take breaks – and take them in a different place (don't just stay in the office and do more screen/doom-scrolling) I've never gotten to a place in my workload where I go "Ahhh, all caught up!" so I should stop striving to hit that invisible goal. Chiropractic and back massages have done wonders for the tightness in my neck and shoulders For me, video games where you punch and kick things relieves stress as well (including a specific game that's definitely not for kids!)

21 Apr 202422min

7MS #619: Tales of Pentest Pwnage – Part 56

7MS #619: Tales of Pentest Pwnage – Part 56

We did something crazy today and recorded an episode that was 7 minutes long! Today we talk about some things that have helped us out in recent pentests: When using Farmer to create "trap" files that coerce authentication, I've found way better results using Windows Search Connectors (.searchConnector-ms) files This matrix of "can I relay this to that" has been super helpful, especially early in engagements

14 Apr 20247min

7MS #618: Writing Savage Pentest Reports with Sysreptor

7MS #618: Writing Savage Pentest Reports with Sysreptor

Today's episode is all about writing reports in Sysreptor. It's awesome! Main takeaways: The price is free (they have a paid version as well)! You can send findings and artifacts directly to the report server using the reptor Python module Warning: Sysreptor only exports to PDF (no Word version option!) Sysreptor has helped us write reports faster without sacrificing quality

5 Apr 202438min

Populärt inom Politik & nyheter

svenska-fall
motiv
aftonbladet-krim
p3-krim
fordomspodden
flashback-forever
rss-viva-fotboll
rss-krimstad
aftonbladet-daily
rss-sanning-konsekvens
spar
blenda-2
rss-vad-fan-hande
rss-krimreportrarna
rss-frandfors-horna
dagens-eko
olyckan-inifran
krimmagasinet
rss-expressen-dok
svd-nyhetsartiklar