RUAG Breach – A lesson in cyber espionage tradecraft tools & techniques

Following a successful data breach of Swiss defense contractor RUAG – specialising in aerospace technology – the Swiss Governmental Computer Emergency Response Team (GovCERT) took the unusual step of publishing a comprehensive data breach report. The reasons given for publishing the report: "…to give organizations the chance to check their networks for similar infections, and to show the modus operandi of the attacker group." You can download the summary technical report here (PDF, 2 pages) and the full espionage report here (PDF, 34 pages). If the full report is a little TL;DR for your time or taste – or even…

Command and Control Using Powershell and Twitter

Initially I wanted to update and extend @obscuresec's Powershell Twitter Bot. The problem is that it was written in early 2013 and relied on Twitter's API 1, which required no authentication. The current Twitter API 1.1 does require authentication and encryption and, although doable from Powershell, the code is far too verbose for my purposes. With these hurdles I took a closer look at the modus operandi of the Russian criminal group using Hammertoss: they avoided using the API and had the code simply reach out to the URL of the Twitter handle and look for a hashtag. I thought this…

Raphael Mudge’s Advanced Threat Tactics Course

Going through Raphael Mudge's Advanced Threat Tactics Course videos and blog post is akin to rummaging through treasure. Although this is a showcase for Cobalt Strike, which is a *must have* tool for IT security Red Team operations and Adversary Simulation, it is so much more. For me, this course catapulted and solidified my thinking and is the pre-eminent single source of information for not only the tools of advanced threat simulation, but the underlying methodology and tradecraft. I'll make no bones about it: I consider Cobalt Strike a masterpiece put together by a craftsman, and in case you think I'm going overboard, harmj0y described…

Powershell Remote Access Trojan – PoshRat

I've been going through @nikhil_mitt's 5-part blog series on Powershell Shells. It's beautifully and meticulously laid out and covers:
Day 1 – Interactive PowerShell shells over TCP
Day 2 – Interactive PowerShell shells over UDP
Day 3 – Interactive PowerShell shells over HTTP/HTTPS
Day 4 – Interactive PowerShell shells with WMI
Day 5 – Interactive PowerShell shells over ICMP and DNS
Nikhil is the author of the offensive security Powershell tools Nishang and Kautilya, and his blog post series is ideal if you want to roll up your sleeves and play with these tools manually,…

A Few Good Infosec Blog Post Links

The below are some links posted over the last few days by my Infosec Blogs Twitter account that I found particularly interesting:
Missing Context Is The Greatest Cybersecurity Threat To Every Company In The World – By @S_Clarke22
Well, That Escalated Quickly… Common Windows Privilege Escalation Vectors – By @icanhazshell
Appropriate Covert Channels – By @armitagehacker
Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync – By @PyroTek3
Exploiting JBoss with Empire and PowerShell – By @424f424f
Introducing WMIOps – By @christruncer
Lifehack: Treat your passwords as delicately as you treat your underwear – By @e_kaspersky
I'm sorry, but your email address is not as valuable as you think it…

Powershell Tools for IT Security Operations

In truth I simply needed a place to store and sort all of the Powershell tools I find, and thought it might be of use to others:
PowerShell Empire – Pure PowerShell post-exploitation agent. Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
PowerTools – A collection of PowerShell projects with a focus on offensive operations. This contains both PowerUp (tool to assist with…

Tool agnostic fundamentals for Red Team operations

It was so tempting to call this post "Moving beyond Meterpreter", as the video below, entitled Flying a Cylon Raider, features Raphael Mudge talking about taking our knowledge of Meterpreter and mapping it to new tools. Quite coincidentally – and before this talk was published – I asked Raphael the following: "@armitagehacker I've been going thru comparing Tradecraft 2013 to 2015. With all the new Powershell developments do we need Metasploit?" — Stuart Winter-Tear (@StegoPax), November 13, 2015. Raphael responded today with these salient Tweets: "@StegoPax my $.02: red team ops/adv. sims are not pen testing. These activities really require focused toolsets. Those…

Criminals increasingly using social media as command-and-control (C2)

A paper entitled "C&C-as-a-Service: Abusing Third-Party Web Services as C&C Channels" caught my attention yesterday; it looks at the growth in criminals leveraging popular web services for Command & Control (C2). The web services cited are: Google Docs, Twitter, Facebook, Microsoft Technet, YouTube, VKontakte, Jaiku, Tumblr, Google+, Yahoo Mail, Gmail, Google Talk, MSN Messenger, Skype and Google Calendar. So, quite a few options for the criminal, as you can see. Why do criminals use third-party web services for C2? One benefit for the criminal in utilising this strategy is that traffic to these websites looks legitimate, is often encrypted (HTTPS) and will blend in with legitimate use…

IT Security Red Team Post Exploitation Methodology

I want to share a talk given by @davidpmcguire and @harmj0y entitled "Passing the Torch: Old School Red Teaming, New School Tactics". The premise of the talk is to explain their take on Red Team operations and methodology. An important feature of this is the notion of emulating threat techniques independent of the toolkit; in other words, the ability to use multiple tools to perform the same function. The important point is that Red Teams do not need to use the exact tools of adversaries, but can use any means to accomplish the job, as long as the techniques are mirrored. In terms…