SlideShare a Scribd company logo

There's always money in the banana stand: A BLUE TEAMER’S GUIDE TO COBALT STRIKE

Download as PPTX, PDF
J
Jeff Beley

Cobalt Strike for blue teamers

Technology
1 of 33
THERE'S ALWAYS MONEY IN THE BANANA STAND: A BLUE TEAMER’S GUIDE TO COBALT STRIKE Jeff Beley Katrina Hill
2 • Intro • Threat actors • Detection methods • Demo-ish • Questions NOTE: All images credit 20th Century Fox except where noted AGENDA
INTRO TO COBALT STRIKE 3
FEATURES • Post exploitation framework • So many lateral movement techniques • Collaboration with IRC like interface • Automation and Extension via Aggressor Scripts • 21-day free trial • Varying C2 Profiles • Keylogger • Detailed logging • Customizable payloads • Chaining of beacons • SMB beacons • SOCKS proxies
5 HISTORY released in 2012 … in use by threat actors since 2012 :) @dotmudge, from the L0pht
6 CRACKS • An intentionally backdoored “cracked” version was published by the authors • Binary patched versions on hacking forums “might” be safe
THREAT ACTORS
8 RELATIONSHIP TO RANSOMWARE • FIN6 and Revil have used Cobalt Strike as part of their intrusion sets in numerous campaigns • Part of a wave of “Human-operated ransomware attacks”
9 WHO USES COBALT STRIKE ( A PARTIAL LIST) ID Name G0073 APT19 G0079 DarkHydrus G0052 CopyKittens G0050 APT32 G0080 Cobalt Group G0016 APT29 G0065 Leviathan G0037 FIN6
10 FIN6 IN 2016 • Ransomware: CryptoWall • Deployment: Logon scripts • Whitelisting of payloads in AV • Domain compromise: Golden ticket • C2: Cobalt Strike • C2: Method HTTP Beaconing
11 FIN6 IN 2019/2020 • Ransomware: Ryuk • Deployment: PSExec • Whitelisting of payloads in AV • Domain compromise: DCSync • C2: Cobalt Strike • C2: Method HTTP Beaconing • Anti-forensics: USNJrnl Nerfing • Sounds very familiar
DETECTION METHODS 12
ENDPOINT
14 ARTIFACTS IN EVENT LOGS • rundll32 with ordinal load • Encoded PowerShell • “bxor” • Hope Sysmon is enabled – more on that later
MEMORY 15
16 MEMORY: POWERSHELL NETSTAT
17 MEMORY: YARA
18 MEMORY: PUTTING IT ALL TOGETHER
NETWORK
20 FINDING NEEDLES IN THE NETWORK NEEDLESTACK • Generic beaconing • Ngrok • DNS entropy • HTTP URI Entropy • Bad sigs (AKA dumb luck) • Palo Alto sometimes classifies as China Chopper
21 OSINT PROFILING • Shodan • #cobaltstrike on Twitter • Censys • PassiveTotal • ZoomEye
22 SSL/TLS CERTIFICATE HASH FOR V3 MD5 950098276a495286eb2a2556fbab6d83 SHA1 6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c SHA256 87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c
23 USER AGENT PROFILING • Fixed now, but extraneous space in User-Agent string due to upstream bug in NanoHTTPd • Fun with supply chain bugs
24 LOGS • Sometimes we get logs from LE • Splunk app
OTHER METHODS
26 SYSMON/SIGMA Sigma
27 IMPHASH – SYMON/EDR MD5 dc25ee78e2ef4d36faa0badf1e7461c9
28 NAMED PIPES – SYSMON/EDR • Some additional common named pipes: %spipesrvservice %spipespoolsvc.<chars>%x %spipemsagent_%x<chars> %spipemojo.<chars>%x %spipeinterprocess_%x %spipeeventlog_%x
29 CYBERCHEF DEMO LPT: UPDATE YOUR CYBERCHEF FROM TIME TO TIME
QUESTIONS
31 LINKS About Cobalt Strike https://www.cobaltstrike.com/downloads/csmanual313.pdf https://ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and- interesting-commands https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike https://blog.cobaltstrike.com/2016/03/02/a-history-of-cobalt-strike-in-training-courses/9/ https://attack.mitre.org/software/S0154/ https://cybershafarat.com/2020/04/26/cobalt-strike-4-0/ https://blog.cobaltstrike.com/2019/12/05/cobalt-strike-4-0-bring-your-own-weaponization https://hub.packtpub.com/red-team-tactics-getting-started-with-cobalt-strike-tutorial/amp/ OSINT & Profiling https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/amp/ https://www.recordedfuture.com/cobalt-strike-servers/ https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/identifying- cobalt-strike-team-servers-in-the-wild/ https://medium.com/@80vul/identifying-cobalt-strike-team-servers-in-the-wild-by-using- zoomeye-debf995b6798
32 LINKS CONT’D Detections https://gist.github.com/69d12572520122cb9bddc2d6793d97ab https://github.com/JPCERTCC/MalConfScan https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html https://github.com/sjosz/CnC-detection https://github.com/RomanEmelyanov/CobaltStrikeForensic https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f Threat Actors https://www.digitalshadows.com/blog-and-research/threat-actors-use-of-cobalt-strike-why-defense-is- offenses-child/ https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target- healthcare-critical-services-heres-how-to-reduce-risk/ https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/ https://thedfirreport.com/2020/04/30/tricky-pyxie/ https://intelgraph.idefense.com/#/node/malware_family/view/46922f48-48cc-4060-9d4b- 07a81ab63229 https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html Other Links https://twitter.com/JubbaOnJeans/status/1257147866323120131?s=19 https://github.com/vysecurity/CobaltSplunk
There's always money in the banana stand: A BLUE TEAMER’S GUIDE TO COBALT STRIKE

Recommended

Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt StrikeChristopher Gerritz
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
[AVTOKYO 2017] What is red team?
[AVTOKYO 2017] What is red team?[AVTOKYO 2017] What is red team?
[AVTOKYO 2017] What is red team?Tomohisa Ishikawa, CISSP, CSSLP, CISA, CISM, CFE
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 

Recommended

Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt StrikeChristopher Gerritz
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
[AVTOKYO 2017] What is red team?
[AVTOKYO 2017] What is red team?[AVTOKYO 2017] What is red team?
[AVTOKYO 2017] What is red team?Tomohisa Ishikawa, CISSP, CSSLP, CISA, CISM, CFE
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon IntroMITRE ATT&CK
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİBGA Cyber Security
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterMITRE ATT&CK
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team ExercisePeter Wood
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Metasploit El Kitabı
Metasploit El KitabıMetasploit El Kitabı
Metasploit El KitabıBGA Cyber Security
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?WSO2
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
BGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA Cyber Security
 
BGA CTF Ethical Hacking Yarışması Çözümleri
BGA CTF Ethical Hacking Yarışması ÇözümleriBGA CTF Ethical Hacking Yarışması Çözümleri
BGA CTF Ethical Hacking Yarışması ÇözümleriBGA Cyber Security
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Sudhanshu Chauhan
 
Cybersecurity awareness posters
Cybersecurity awareness postersCybersecurity awareness posters
Cybersecurity awareness postersNetLockSmith
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
The Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial FootprintsThe Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial Footprintsk3vb0t
 
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat Security Conference
 

More Related Content

What's hot

GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİBGA Cyber Security
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterMITRE ATT&CK
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team ExercisePeter Wood
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?WSO2
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
BGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA Cyber Security
 
BGA CTF Ethical Hacking Yarışması Çözümleri
BGA CTF Ethical Hacking Yarışması ÇözümleriBGA CTF Ethical Hacking Yarışması Çözümleri
BGA CTF Ethical Hacking Yarışması ÇözümleriBGA Cyber Security
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Sudhanshu Chauhan
 
Cybersecurity awareness posters
Cybersecurity awareness postersCybersecurity awareness posters
Cybersecurity awareness postersNetLockSmith
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 

What's hot (20)

ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the Center
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team Exercise
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Metasploit El Kitabı
Metasploit El KitabıMetasploit El Kitabı
Metasploit El Kitabı
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
BGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması Çözümleri
 
BGA CTF Ethical Hacking Yarışması Çözümleri
BGA CTF Ethical Hacking Yarışması ÇözümleriBGA CTF Ethical Hacking Yarışması Çözümleri
BGA CTF Ethical Hacking Yarışması Çözümleri
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)
 
Cybersecurity awareness posters
Cybersecurity awareness postersCybersecurity awareness posters
Cybersecurity awareness posters
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
 

Similar to There's always money in the banana stand: A BLUE TEAMER’S GUIDE TO COBALT STRIKE

The Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial FootprintsThe Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial Footprintsk3vb0t
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the CloudTeri Radichel
 
An Evolving Era of Botnet Empires @ BSides Las Vegas
An Evolving Era of Botnet Empires @ BSides Las VegasAn Evolving Era of Botnet Empires @ BSides Las Vegas
An Evolving Era of Botnet Empires @ BSides Las VegasAndrea Scarfo
 
A Blockchain Quest - Hacker House
A Blockchain Quest - Hacker HouseA Blockchain Quest - Hacker House
A Blockchain Quest - Hacker HouseCrypto Dashie
 
Mo and Tao 魔与道
Mo and Tao 魔与道Mo and Tao 魔与道
Mo and Tao 魔与道Austin Chou
 
RuCTFE 2015 Services Write-Ups
RuCTFE 2015 Services Write-UpsRuCTFE 2015 Services Write-Ups
RuCTFE 2015 Services Write-UpsMikhail Vyatskov
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSMITRE ATT&CK
 
Interop 2017 - Managing Containers in Production
Interop 2017 - Managing Containers in ProductionInterop 2017 - Managing Containers in Production
Interop 2017 - Managing Containers in ProductionBrian Gracely
 
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...Codemotion
 
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...Codemotion
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
GOTO Paris | @see Gopher
GOTO Paris | @see GopherGOTO Paris | @see Gopher
GOTO Paris | @see GopherJan Klat
 
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
OnionBots: Subverting Privacy Infrastructure for Cyber AttacksOnionBots: Subverting Privacy Infrastructure for Cyber Attacks
OnionBots: Subverting Privacy Infrastructure for Cyber AttacksAmirali Sanatinia
 
Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of AndromedaJose Miguel Esparza
 
Automating Security Tests in Development with Docker
Automating Security Tests in Development with DockerAutomating Security Tests in Development with Docker
Automating Security Tests in Development with DockerGabriel Schuyler
 
The Twelve Factor App - Pivotal Tracker
The Twelve Factor App - Pivotal TrackerThe Twelve Factor App - Pivotal Tracker
The Twelve Factor App - Pivotal Trackerlauriepino
 

Similar to There's always money in the banana stand: A BLUE TEAMER’S GUIDE TO COBALT STRIKE (20)

The Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial FootprintsThe Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial Footprints
 
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
 
An Evolving Era of Botnet Empires @ BSides Las Vegas
An Evolving Era of Botnet Empires @ BSides Las VegasAn Evolving Era of Botnet Empires @ BSides Las Vegas
An Evolving Era of Botnet Empires @ BSides Las Vegas
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
A Blockchain Quest - Hacker House
A Blockchain Quest - Hacker HouseA Blockchain Quest - Hacker House
A Blockchain Quest - Hacker House
 
Mo and Tao 魔与道
Mo and Tao 魔与道Mo and Tao 魔与道
Mo and Tao 魔与道
 
RuCTFE 2015 Services Write-Ups
RuCTFE 2015 Services Write-UpsRuCTFE 2015 Services Write-Ups
RuCTFE 2015 Services Write-Ups
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
 
Interop 2017 - Managing Containers in Production
Interop 2017 - Managing Containers in ProductionInterop 2017 - Managing Containers in Production
Interop 2017 - Managing Containers in Production
 
Bit coin
Bit coinBit coin
Bit coin
 
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
 
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
GOTO Paris | @see Gopher
GOTO Paris | @see GopherGOTO Paris | @see Gopher
GOTO Paris | @see Gopher
 
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
OnionBots: Subverting Privacy Infrastructure for Cyber AttacksOnionBots: Subverting Privacy Infrastructure for Cyber Attacks
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
 
Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of Andromeda
 
Automating Security Tests in Development with Docker
Automating Security Tests in Development with DockerAutomating Security Tests in Development with Docker
Automating Security Tests in Development with Docker
 
The Twelve Factor App - Pivotal Tracker
The Twelve Factor App - Pivotal TrackerThe Twelve Factor App - Pivotal Tracker
The Twelve Factor App - Pivotal Tracker
 

Recently uploaded

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 

Recently uploaded (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 

There's always money in the banana stand: A BLUE TEAMER’S GUIDE TO COBALT STRIKE

Editor's Notes

  1. 1999 L0pht testifying in front of congress, stating they could take the internet down in less than 30 minutes
  2. where the host is (asns) maltego graphic Found one at at a three-letter agency