Recently there have been tweets about Windows Attack Surface Reduction (ASR) rules and I wanted to take the chance to dive into a topic that I have discussed in my Offensive WMI workshops given at Wild West Hackin Fest and BSidesDC. Matt Graeber wrote an excellent white paper on the topic for BlackHat USA, and…
If you didn’t make it to Wild West Hackin Fest 2018, be sure to bookmark their page, www.wildwesthackinfest.com, for 2019 tickets. This event was loaded with elite talent, high level training, quality speakers, and plenty of shenanigans. Notably, the keynote was given by Ed Skoudis, who’s presentation titled “The Top Ten Reasons it’s GREAT to…
I (@ChrisTruncer) had the opportunity to speak at Wild West Hackin Fest last week along with Harley LeBeau (@r3dQu1nn) on a topic we called “Aggressive Autonomous Actions – Operating with Automation”. This was a talk that we have been working on for a few months allowing us to write code, or identify existing code that…
tldr; Here’s the link – https://github.com/FortyNorthSecurity/CLM-Base64 Following in the footsteps of those I originally learned from (@mattifestation and @harmj0y), when I first began to learn PowerShell, I tried to force myself to only write PowerShell v2 code. Even if the system I was using had v3 or higher, developing in version 2 ensured that I could…
I’ve recently begun using Terraform to automate infrastructure deployment as both a means to save time and ensure the systems are configured in the manner we specify. Prior to utilizing Terraform, I researched other methods to automate infrastructure deployment, but chose Terraform based on the described ease of using or switching between multiple providers (Azure,…
When on an assessment, one of the steps that a red teamer, or pen tester, might take is to search for files containing sensitive data. The sensitive data could contain credit cards, passwords, social security numbers, or more. There are numerous locations to search for files including: Searching for network shares Looking in a user’s…
Immediately after reading Matt Graeber’s blog post on Microsoft.Workflow.Compiler.exe, I wanted to dive into this technique and understand how I can use this on an assessment. Matt wrote an extremely detailed blog post which allowed me to modify what he documented for my purposes. As documented in Matt’s post, you can take essentially any C#…
Last week, we covered how to enumerate anti-virus configurations on remote systems. The information that you could gather would allow you to create a much more targeted attack against any system you are targeting. The natural next questions might be: What happens if there are no exception paths? What if no extensions are whitelisted? Is…
There are a variety of reasons why a pen tester would want to obtain the anti-virus configurations of the system they are targeting. The ability to capture this information remotely can allow a pen tester to customize their actions for the computer they are targeting. In my last post, I talked about how to copy…
WMI (Windows Management Instrumentation) is a service that is installed and enabled by default since Windows 2000. It provides administrators the ability to perform a large number of actions on systems they control, ranging from system monitoring, starting or stopping processes, managing system services, file operations, and more. This is the first of a series…
When developing WMImplant, I wanted to ensure I would have some of the same capabilities on a Device Guard (now Windows Defender Application Control) protected system as I would on a non-protected when utilizing Beacon or Meterpreter. WMImplant is a stepping stone for creating the same capabilities, but also presented some of its own engineering problems…
I recently met with the owner of a large real estate brokerage to discuss the scope and value of offensive security services. It was a great meeting and I thought they really understood the importance of protecting their network and digital assets. As we were wrapping up, they remarked “I don’t think we need anything…
In our first blog post on Windows Defender Application Control (WDAC), we created a code integrity policy that was built by scanning a gold imaged system (via the New-CIPolicy cmdlet) to generate the base rules for our code integrity policy. When we ran the sweep, we did so using the PCACertificate level to have a middle-ground…
I made certain assumptions regarding Veil-Evasion’s payload naming scheme, and how Veil-Ordnance works, only to discover that understanding these tool variations is not as intuitive as I thought. This post aims to help provide more clarity regarding Veil-Evasion and Veil-Ordnance. Veil-Evasion has different payloads which are organized by different attributes. The best way to think…
Despite an abundance of “building your own lab” articles available online, there really is only one collection of articles that document Windows Defender Application Control (Device Guard), hereby referred to as WDAC: Matt Graeber’s Exploit Monday posts on the topic. I dove into playing with WDAC a year back while developing WMImplant, and I quickly realized that there is pretty limited…
WMImplant can be used to compromise Windows systems within a domain in an agent-less manner. However, every tool that exists also provides opportunities to detect their use. WMImplant is no different. I’d like to provide an under-the-hood look at how WMImplant works and give opportunities for detection (similar to others who have looked into this same…
When it comes to searching for different offensive security services, you may find that each company has a different definition of a vulnerability assessment, penetration test, and/or red team. The team at FortyNorth Security thinks that the easiest way to know what you’re getting from us, is to define it! We do have some information available…
Up to this point in time, I’ve talked about how WMImplant can be useful when attempting to operate on Device Guard protected systems. If the entire environment is Device Guard protected, you will still need to solve the problem is getting code execution, but once you have it, WMImplant can help. However, I’ve not really talked or…
Whether it be through phishing, or some other means, waiting for your incoming beacons can be an anxious moment. Every time I send off phishing e-mails, I anxiously await to receive the incoming beacons. I personally want to know and be alerted the second that I receive a beacon, so I figured this would be a…
Github Link – https://github.com/ChrisTruncer/Egress-Assess Steve Borosh (@424f424f) and I have been working on adding a new type of module into Egress-Assess for a month or two now. Currently, Egress-Assess lets you exfiltrate faux or real data over a variety of different protocols on both Linux and Windows systems. However, Steve had the idea to create malware…
Note: Be sure to check out Sean Metcalf’s (@Pyrotek3) post about this technique available here! He talked about this at BlackHat USA 2015! Benjamin Delpy (@gentilkiwi) recently tweeted about adding External SIDs into Mimikatz’s golden tickets which was quickly followed up by Skip Duckwall (@Passingthehash) also tweeting how devastating this addition can be to defenders. Skip said it…
