In our previous blog post, we talked about how you can obtain the password hashes from a Domain Controller within Azure without ever needing to interact with the system itself. We walked through each step when interacting with the Azure web portal to take a snapshot, convert it to a disk, and mount it on…
Extraction without Interaction A while back, I read this article from @_StaticFlow_ about a tool release for stealing hashes from a domain controller running in AWS. I tested the process manually and was able to extract the password hashes without ever needing to interact with the domain controller itself. The general process for doing this…
Microsoft Applications and Blocklist Note: This blog post contains the details from Casey Smith and Ross Wolf’s BlackHat USA 2019 presentation Most application whitelisting bypasses that are used today abuse built-in functionality of the offending application to execute code which would otherwise be blocked. Due to most bypasses leveraging legitimate functionality in an unforeseen manner,…
It’s no secret that Casey Smith’s research into bypasses has changed how nearly everyone in the industry approaches testing and circumventing application whitelisting solutions. You could argue that one of his more prolific findings is how to abuse MSBuild’s inline tasks as a method of executing code. We at FortyNorth Security commonly face application whitelisting…
WMImplant is a powerful PowerShell based tool that enables its users to conduct nearly any post-exploitation action and exclusively using WMI to do so. We’ve blogged about out-of-the-box detection opportunities for WMImplant, how to copy files, searching for sensitive files, and more, but now we want to talk about how WMImplant actually invokes PowerShell on…
Why Jenkins For a while, FortyNorth Security has been exploring different options that will automate building internal tools and running tests against code as it is pushed to a repository. The primary goal is to have an automated system easily and quickly ensure that the latest version of our code works (compiles) and does what…
Learn About Advanced Red Teaming And Malware Customization Have you ever struggled conducting a red team assessment against an organization with mature security programs? Or, maybe, your blue team encountered scenarios where an environment seemed appropriately protected… until it wasn’t. If you know exactly what we are talking about, then our BlackHat red team training…
A few months ago, we had a need for an easy Remote Desktop Protocol gateway (RDP gateway), and we weren’t sure what would be best to use. However, a quick Google search brought up an open source option – Apache Guacamole. Apache Guacamole is self-described as clientless remote desktop gateway. Guacamole supports the standard protocol…
It’s been quite some time since there’s been an Egress-Assess update and multiple developers have contributed code that helped expand its capabilities. We use Egress-Assess almost every assessment our testers are on: it helps us simulate different methods that attackers use to sneak data out of a network, without actually sending sensitive data. It allows…
Recently there have been tweets about Windows Attack Surface Reduction (ASR) rules and I wanted to take the chance to dive into a topic that I have discussed in my Offensive WMI workshops given at Wild West Hackin Fest and BSidesDC. Matt Graeber wrote an excellent white paper on the topic for BlackHat USA, and…
If you didn’t make it to Wild West Hackin Fest 2018, be sure to bookmark their page, www.wildwesthackinfest.com, for 2019 tickets. This event was loaded with elite talent, high level training, quality speakers, and plenty of shenanigans. Notably, the keynote was given by Ed Skoudis, who’s presentation titled “The Top Ten Reasons it’s GREAT to…
I (@ChrisTruncer) had the opportunity to speak at Wild West Hackin Fest last week along with Harley LeBeau (@r3dQu1nn) on a topic we called “Aggressive Autonomous Actions – Operating with Automation”. This was a talk that we have been working on for a few months allowing us to write code, or identify existing code that…
TLDR – Here’s the link: https://github.com/FortyNorthSecurity/CLM-Base64 Why Writing CLM-Compliant V2 Code? Following in the footsteps of those I originally learned from (@mattifestation and @harmj0y), when I first began to learn PowerShell, I tried to force myself to only write PowerShell v2 code. Developing in version 2 ensured that I could use what I wrote on…
I’ve recently begun using Terraform to automate infrastructure deployment as both a means to save time and ensure the systems are configured in the manner we specify. Prior to utilizing Terraform, I researched other methods to automate infrastructure deployment, but chose Terraform based on the described ease of using or switching between multiple providers (Azure,…
When on an assessment, one of the steps that a red teamer, or pen tester, might take is to search for files containing sensitive data. The sensitive data could contain credit cards, passwords, social security numbers, or more. There are numerous locations to search for files including: Searching for network shares Looking in a user’s…
Immediately after reading Matt Graeber’sblog post on Microsoft.Workflow.Compiler.exe, I wanted to dive into this technique and understand how I can use this on an assessment. Matt wrote an extremely detailed blog post, which allowed me to modify what he documented for my purposes. As he outlines in his post, you can take essentially any C#…
Last week, we covered how to enumerate anti-virus configurations on remote systems. The information that you could gather would allow you to create a much more targeted attack against any system you are targeting. The natural next questions might be: What happens if there are no exception paths? What if no extensions are whitelisted? Is…
There are a variety of reasons why a pen tester would want to obtain the anti-virus configurations of the system they are targeting. The ability to capture this information remotely can allow a pen tester to customize their actions for the computer they are targeting. In my last post, I talked about how to copy…
WMI (Windows Management Instrumentation) is a service that is installed and enabled by default since Windows 2000. It provides administrators the ability to perform a large number of actions on systems they control, ranging from system monitoring, starting or stopping processes, managing system services, file operations, and more. This is one of a series of…
When developing WMImplant, I wanted to ensure I would have some of the same capabilities on a Device Guard (now Windows Defender Application Control) protected system as I would on a non-protected when utilizing Beacon or Meterpreter. WMImplant is a stepping stone for creating the same capabilities, but also presented some of its own engineering…
I recently met with the owner of a large real estate brokerage to discuss the scope and value of offensive security services. It was a great meeting and I thought they really understood the importance of protecting their network and digital assets. As we were wrapping up, they remarked “I don’t think we need anything…
In our first blog post on Windows Defender Application Control (WDAC), we created a code integrity policy that was built by scanning a gold imaged system (via the New-CIPolicy cmdlet) to generate the base rules for our code integrity policy. When we ran the sweep, we did so using the PCACertificate level to have a middle-ground…
In order to effectively use cyber security tools we need to know, in detail, how they work. Only then we are able to leverage them to the best of their capabilities. In this post we will dive into Veil-Evasion and learn its payload naming scheme, different payload variations, and how to invoke Veil-Ordnance to generate…
Despite an abundance of “building your own lab” articles available online, there really is only one collection of articles that document Windows Defender Application Control (Device Guard), hereby referred to as WDAC: Matt Graeber’s Exploit Monday posts on the topic. I dove into playing with WDAC a year back while developing WMImplant, and I quickly realized that there is pretty limited…
WMImplant can be used to compromise Windows systems within a domain in an agent-less manner. However, every tool that exists also provides opportunities to detect their use. WMImplant is no different. There are other blog posts out there that talk about it, what it is and how it works. Our blog post doesn’t just stop…
When it comes to searching for different offensive security services, you may find that each company has a different definition of a vulnerability assessment, penetration test, and/or red team. The team at FortyNorth Security thinks that the easiest way to know what you’re getting from us, is to define it! We do have some information available…
Up to this point in time, I’ve explained in previous talks how WMImplant can be useful when attempting to operate on Device Guard protected systems. If the entire environment is Device Guard protected, you will first need to get code execution, but once you have it, WMImplant can help. However, I’ve not really talked or documented how…
Whether it be through phishing, or some other means, waiting for your incoming beacons can be an anxious moment. Every time I send off phishing e-mails, I anxiously await to receive the incoming beacons. I personally want to know and be alerted the second that I receive a beacon, so I figured this would be a…
Github Link – https://github.com/ChrisTruncer/Egress-Assess For a month or two now, Steve Borosh (@424f424f) and I have been working on adding a new type of modules into Egress-Assess. As of November 2015, Egress-Assess lets you exfiltrate faux or real data over a variety of different protocols on both Linux and Windows systems. However, Steve had the idea…
Note: Be sure to check out Sean Metcalf’s (@Pyrotek3) post about this technique available here! He talked about this at BlackHat USA 2015! Benjamin Delpy (@gentilkiwi) recently tweeted about adding External SIDs into Mimikatz’s golden tickets which was quickly followed up by Skip Duckwall (@Passingthehash) also tweeting how devastating this addition can be to defenders. Skip said it…
