#hack100days : day 36 : More work on lab infra. Followed this cookbook on dockerizing CobaltStrike: https://ezrabuckingham.com/blog/containerizing-red-team-infra/ Worked! Docker networking is still a little weird for me, so I need to figure out how the beacons are going to get there. The client piece worked, so halfway there. Still need to test the fw--it seems to be grabbing my laptop's IP, which creates network weirdness. May bail and use something I'm more familiar with. #redteam #labitup #infosec #cososec

#hack100days : day 35 : Worked on the hacktop lab. Created a "Private" net for the targets to reside in. Build an OPNSense virtual firewall to govern access between the "External" net--where the attacking hosts are going to reside--and the target network. ...maybe I should rename them. Skimmed the DNS section of the OPNSense manual. Maybe DNSmask let's me try out DNS C2? Next step is to move my target vm from the old hacktop to the new and test fw config. #labitup #redteam #infosec #cososec

#hack100days : day 34 : Spent some time playing around with https://github.com/initstring/cloud_enum #infogathering #redteam #infosec #cososec

#hack100days : day 33 : Looked at some open-source projects from fortynorthsecurity.com Came across them looking for CobaltStrike info. PersistAssist (https://github.com/FortyNorthSecurity/PersistAssist) looks interesting. It's written in C#, so I took some time to look through the code to see if it makes any kind of sense to me. Maybe tinkering with that would be a good way to start getting acquainted. I think I want to play around with Egress-Assess (https://github.com/FortyNorthSecurity/Egress-Assess) a bit, as well. #redteam #infosec #cososec

#hack100days : day 32 : Moved C2 server vm from old hacktop to new hacktop. Updated the vm. Went looking for resources for aggressor scripts and C2 profiles. Near and intermediate planned exercises will use https, but the use of DNS is still looking too much like a dark art. I've got the pieces I can put together to do it, but I'm still fuzzy on how to put them together. It isn't urgent, so I'll block a couple of days down the road to lab it up. #lab #redteam #infosec #cososec

#hack100days: day 30d : Pretty busy day, putting pressure on hacking for myself. Looked into "coding". Red Teamers have to code? I'm down with bash and fairly comfortable with python and PowerShell. After looking at CobaltStrike, I can kind of connect the dots. So, nim, .Net/C#, go, rust? I'm not diving into c/c++, looked at Kernighan and Ritchie ages ago and it didn't take. Thinking about .Net/C#, it is the "guts" of PowerShell and Windows. #redteam #coding #cososec

#hack100days : day 28d : Doing some Attack Chain threat modeling. After getting a #flipperZero and playing with BadUSB, I've gotten my hands on a #Hak5 Rubber Duckie. Looking at #mitreattack I notice the only BadUSB references are in footnotes! I think it fits as either Hardware Additions or as a Phishing technique. What say you #redteam and #blueteam, since it's not explicitly called out as a technique, do I infer this as "not likely"? #infosec

#hack100days : day 24d: Today was research day. Attended a webinar on web hacking with some good links to resources. This one gave me a lot of good threads: https://github.com/dafthack/CloudPentestCheatsheets/tree/master Which is good, I've got some scope to nail down the next week or so, so this should help. #redteam #sharpenthesaw #infosec #cososec

#hack100days : day 23d : Confirmed pktmon was not going to be in-play for my objective tooling. Wireshark is in the software catalog, so explored ways to use sccm at the command line. Still have a ways to go. Was able to enumerate part of the software catalog, but a lot of it wasn't visible. Including wireshark--I think tshark is installed with it, so that's my goal. #redteam #executeonobjectiv #infosec #cososec

#hack100days : day 22d : Figured out my goof on 4800/4801. It's Lock/Unlock. Played around with schedtask to get a valid task on unlock. Took some experimentation, but got there. Got a good example exported as xml, so the next trick is writing a script to establish persistence after initial access. Concurrently I need to write the info gathering script(s). #redteam #windows #persistence #cososec

#hack100days : day 21d : Tinkered with schedtask and eventviewer. Exported a task set to go off of 4801 (Previous post said 4800, because another Windows 10 used this. So, gonna have to unpack that weirdness...) I imported it on another box, but no joy. Perms issue. Redid it in the context of the schedtask app and import worked, but stuck it in an unexpected location. Tried to run as system instead of my defined user... ...so, that's interesting. ...? #redteam #windows #persistence #cososec

#hack100days : day 18d : Looked at MITRE ATT&CK technique T1547.001 (https://attack.mitre.org/techniques/T1547/001/) for more scoop on scheduled tasks and run keys. Poked at schedtsk and powershell commands for tasks. Not seeing how to use cli to set up a task triggering off of eventid 4800. I found this article, https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/, which suggests doing it manually on a lab box, export it, and then import via cli on the target. So, this will be something to lab up. #redteam #infosec #persistence #cososec

#hack100days : day 17d : Poking around some more at #windows #persistence. Scheduled Tasks is fun. Out of the box, users can do this. Should they in a business environment? Extra fun, via Scheduled Tasks or via Event Viewer, a task can be set up to trigger of Event IDs. Like event id 4800, which is when a user unlocks their workstation... Me likey. #redteam #infosec #cososec

#hack100days : day 16d : Looked at establishing #persistence w/via registry run and runonce and via Startup. Only the beginning, really. #blueteamers are you watching those keys and folders?

#redteam #windows #infosec #cososec

#hack100days : day 14d : Watched Mudge’s lateral movement video for #cobaltstrike. #activedirectory and #windows refresher. #redteam #infosec #cososec

#hack100days : day 13d : Took a crack at #hackthebox Fortress lab Jet. I'm about a third of the way through. I keep breaking the box trying to get the next flag. Reckon that's a hint what I'm doing is the wrong path for this one. #redteam #sharpenthesaw #infosec #cososec

#hack100days : day11d : More #cobaltstrike. Watched a couple of videos on artifact kit. Weird how Mudge said in one of the videos to not use or stay in rundll32 or svchost, but that's exactly how artifact kit rolls. I've got some more to figure out with that one. Also watched a couple of viddys on beacon object files--I suspect *that* is going to be something to explore more of. #redteam #infosec #cososec

#hack100days : day 10d : Banged around with #cobaltstrike some more today. Put my wrapper testing for userid and hostname around a call to get a payload and those bits worked--after disabling the protections on the target box. Need to troubleshoot my flags on pktmon to get that working right. Downloaded the arsenal scripts and next action will be to take that apart to understand. Must. Figure. Out. Obfuscation. #redteam #infosec #cososec

#hack100days : day 9d : Little thin today. Threat modelling galore. Some time at an #infosec meetup talking to a peer re: #cobaltstrike and #redteam #operations. Good to have a sounding board! #cososec

#hack100days : Day 8d : Watched more of Red Team Operations with #cobaltstrike from Raphael Mudge. Finished Initial Access and watched Post Exploitation. Likely going to need to watch that last one again. Some of the info is beyond what I've had to work with before. Malleable C2 profiles may take some time to get good at. #redteam #infosec #cososec