Phishing for “Access”

Changing Phishing Tactics Require Closer User and Defender Attention
Steve Borosh

A few interesting and concerning phishing methods appeared this year. Just search Google for “DDE attack” or check out the InfoPath payloads to see what I mean. It’s pretty cool stuff if you’re on the offensive side of the house, while giving those of […]

Empire 2.2 – Maintaining an Empire

Maintaining an Empire All great empires require maintenance. As we move towards the next major release (Empire 3.0), we continue to receive great support from the Empire community. From git issues to pull requests, the improvements keep flooding in. The core developers of Empire could not appreciate this more! We are certainly grateful for the […]

SSL Domain Fronting 101

If you’re new to the domain fronting concept, I suggest you start by reading Simplifying Domain Fronting by @malcomvetter. Once you’ve read that, you should have a good understanding of what domain fronting is and why it matters to both offensive and defensive teams. Also, this post is basically an extension of @armitagehacker’s video. This […]

Attack Infrastructure Log Aggregation and Monitoring

This post was co-written by Steve Borosh (@424f424f) and Jeff Dimmock (@bluscreenofjeff). Monitoring attack infrastructure can prove to be as important as the attacking itself. Quickly hiding from investigating blue teamers can mean the difference between keeping our interactive command and control (C2) sessions and having our infrastructure burned. If you’ve read the Red Team Infrastructure Wiki […]

Bypassing Windows Attachment Manager

Starting with Windows XP Service Pack 2, Microsoft introduced the “Windows Attachment Manager”. This feature will “block” certain file types from being executed after downloading over the Internet. “If the attachment is in the list of high risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If […]
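Attachment Manager decides whether a file is "from the restricted zone" by reading the Zone.Identifier alternate data stream (the Mark of the Web) that browsers and mail clients write next to a downloaded file. The following PowerShell is an added example, not code from the original post: it reports that zone for every file in a folder so you can see which downloads the feature will treat as untrusted before you test a bypass. It assumes the standard Windows URL security zone IDs (3 = Internet, 4 = Restricted sites) and that the caller points it at a Downloads folder.

```powershell
# Added example (not from the original post). Reads the Zone.Identifier
# alternate data stream that Attachment Manager consults and reports the
# zone a downloaded file was marked with.

# Standard Windows URL security zone IDs.
$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-DownloadZone {
    param([Parameter(Mandatory)][string]$Path)

    $zoneId = $null
    try {
        # Throws when the file carries no Zone.Identifier stream
        # (e.g. it was copied from a local share rather than downloaded).
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $lines) {
            if ($line -match '^ZoneId=(\d+)$') { $zoneId = [int]$Matches[1] }
        }
    } catch {
        $zoneId = $null
    }

    if ($null -ne $zoneId) { $zoneName = $ZoneNames[$zoneId] } else { $zoneName = 'none (no Mark of the Web)' }

    [pscustomobject]@{
        Path   = $Path
        ZoneId = $zoneId
        Zone   = $zoneName
        # Attachment Manager treats Internet and Restricted sites as untrusted;
        # whether it blocks or only warns then depends on the file type list.
        FromRestrictedZone = ($zoneId -eq 3 -or $zoneId -eq 4)
    }
}

# Usage (assumption: the user's Downloads folder is the folder of interest).
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Get-DownloadZone -Path $_.FullName } |
    Where-Object { $_.FromRestrictedZone } |
    Format-Table Path, ZoneId, Zone
```

The built-in `Unblock-File` cmdlet removes that stream, which is why a file a user has "unblocked" in the Properties dialog no longer shows up in this list; a file that arrives with no stream at all was never subject to Attachment Manager in the first place.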

Phishing Against Bromium

The purpose of this post is to reiterate that no single solution should be relied upon as a one-stop defense against all attackers. I respect the advances Bromium has made in security; however, a defense-in-depth approach should always be taken regarding enterprise security. Note: This information represents a snapshot in time. The Bromium suite has […]

Interacting with MacOS terminal windows for lateral movement

Recently, I had a situation where the possibility of manipulating a MacOS terminal window through Empire might lead to lateral movement to a restricted area. Typically, I may “backdoor” an ssh configuration file as described here in order to “ride” an ssh connection to a high-value target. Sometimes, this may not be possible if time does […]

Redirecting Cobalt Strike DNS Beacons

While conducting a Red Team assessment, many factors come into play that result in success or failure of the operation. One such factor is keeping your Command and Control (C2) infrastructure hidden from the opposing (Blue) team. If your C2 is found and blocked, that may be the end of your assessment. At least, it’ll […]

EmPyre: Engaging Active Directory

This post is part of the ‘EmPyre Series’ with some background and an ongoing list of series posts [kept here]. This post will cover utilizing EmPyre to enumerate and engage Active Directory services. We’ll cover how to find the domain controller, enumerate users and groups, and inject Kerberos tickets into our session. EmPyre provides modules to […]

Bug Hunt: Out of Band Resource Loading

On a recent bug hunt targeting *.adobe.com, I found a small flaw in one of their external-facing web servers. While enumerating publicly available web servers belonging to Adobe, I found a web application labeled “Target DB Browser”. This interface looked to be a front-end application to query a database. Unfortunately, every query I performed resulted […]