SSL Domain Fronting 101

If you’re new to the domain fronting concept, I suggest you start by reading Simplifying Domain Fronting by @malcomvetter. Once you’ve read that, you should have a good understanding of what domain fronting is and why it matters to both offensive and defensive teams. Also, this post is basically an extension from @armitagehacker’s video. This […]

Attack Infrastructure Log Aggregation and Monitoring

This post was co-written by Steve Borosh (@424f424f) and Jeff Dimmock (@bluscreenofjeff). Monitoring attack infrastructure can prove to be as important as our attacking. Quickly hiding from investigating blue teamers can mean the difference between keeping our interactive command and control (C2) sessions and burning our infrastructure. If you’ve read the Red Team Infrastructure Wiki […]

Phishing Against Bromium

The purpose of this post is to re-iterate that no single solution should be relied upon as a one-stop solution against all attackers. I respect the advances Bromium has made in security however, a defense-in-depth approach should always be taken regarding enterprise security. Note: This information represents a snapshot in time. The Bromium suite has […]

Interacting with MacOS terminal windows for lateral movement

Recently, I had a situation where the possibility of manipulating a MacOS terminal window through Empire might lead to lateral movement to a restricted area. Typically, I may “backdoor” an ssh configuration file as described here in order to “ride” an ssh connection to a high-value target. Sometimes, this may not be possible if time does […]

Redirecting Cobalt Strike DNS Beacons

While conducting a Red Team assessment, many factors come into play that result in success or failure of the operation. One such factor is keeping your Command and Control (C2) infrastructure hidden from the opposing (Blue) team. If your C2 is found and blocked, that may be the end of your assessment. At least, it’ll […]

Exploiting JBoss with Empire and PowerShell

When Empire was initially launched by @harmj0y and @sixdub at BSidesLV, I was immediately excited about the possibilities that a pure PowerShell RAT would bring to the offensive community. With what little free time I have, I’ve been working to add a few modules that have been inspired by recent engagements I’ve been on. This […]

Leveraging Adobe LiveCycle

Adobe LiveCycle is an enterprise document and form platform that is being widely adopted by businesses and government agencies who are looking to centralize processes and document management capabilities. As with many web-based applications that connect to back-end systems, this provides additional attack surface that may be leveraged to gain a foothold into the target […]

Point-Click-Powershell-Pwn

Powershell tools have become a must-have for security professionals in recent years. A few notable tools to mention are PowerSploit, Veil-PowerView, PowerUp and Nishang among others. These tools have each provided value to the Penetration Tester’s arsenal but, they require the tester to utilize some manual practices to employ them on target systems. It is […]