#hack100days : day 11d : More #cobaltstrike. Watched a couple of videos on artifact kit. Weird how Mudge said in one of the videos to not use or stay in rundll32 or svchost, but that's exactly how artifact kit rolls. I've got some more to figure out with that one. Also watched a couple of viddys on beacon object files--I suspect *that* is going to be something to explore more of. #redteam #infosec
#hack100days : day 12d : Banged around on #hackthebox release arena's stocker box. It's rated easy, but the foothold was new territory for me, so not too easy. Learned some new stuff, so that's good. #infosec #ctf #sharpenthesaw
#hack100days : day 13d : Took a crack at #hackthebox Fortress lab Jet. I'm about a third of the way through. I keep breaking the box trying to get the next flag. Reckon that's a hint what I'm doing is the wrong path for this one. #redteam #sharpenthesaw #infosec
#hack100days : day 14d : Watched Mudge’s lateral movement video for #cobaltstrike. #activedirectory and #windows refresher. #redteam #infosec
#hack100days : day 15d : Watched Alh4zr3d twitch stream. PHP assert is interesting. Read up on #redteaming #azuread. Phishing is out of scope, so spending time thinking through additional threat vectors. #infosec

#hack100days : day 16d : Looked at establishing #persistence via registry Run and RunOnce keys and via Startup. Only the beginning, really. #blueteamers are you watching these keys and folders?:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup (I was able to write here and use it in a stock lab machine.)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Requires elevated privileges to save here.)

#redteam #windows #infosec
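For the blue-team question above, an added PowerShell audit (not code from the original post) that enumerates exactly these Run/RunOnce keys and both Startup folders and flags entries whose command points into a user-writable path; the path heuristic and the desktop.ini skip are assumptions to tune locally.

```powershell
# Added example, not from the original post: enumerate the Run/RunOnce keys and
# Startup folders listed above and flag entries whose binary lives in a
# user-writable location, which is where unprivileged persistence tends to land.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Resolved by the OS: per-user Startup and the all-users Startup under C:\ProgramData.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Locations a standard user can usually write to. Assumed heuristic; tune to your estate.
$userWritable = '\\Users\\|\\ProgramData\\|\\AppData\\|\\Temp\\|\\Public\\'

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; only real value names matter.
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Command = [string]$p.Value
                Flagged = ([string]$p.Value) -match $userWritable
            }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        # -Force includes hidden files; desktop.ini is normal folder metadata, so skip it.
        foreach ($f in Get-ChildItem -Path $folder -File -Force | Where-Object Name -ne 'desktop.ini') {
            [pscustomobject]@{
                Source  = $folder
                Name    = $f.Name
                Command = $f.FullName
                Flagged = $true   # anything dropped in a Startup folder is worth a look
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Flagged -Descending |
    Format-Table Source, Name, Command, Flagged -AutoSize
```

Run it once on a clean build, keep the output as a baseline, and diff later runs against it; HKCU only covers the user running the script.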

#hack100days : day 17d : Poking around some more at #windows #persistence. Scheduled Tasks is fun. Out of the box, users can do this. Should they in a business environment? Extra fun, via Scheduled Tasks or via Event Viewer, a task can be set up to trigger off of Event IDs. Like event id 4800, which is when a user unlocks their workstation... Me likey. #redteam #infosec
#hack100days : day 18d : Looked at MITRE ATT&CK framework technique T1547.001 (https://attack.mitre.org/techniques/T1547/001/) for more scoop on scheduled tasks and run keys. Poked at schedtsk and the powershell commands for manipulating tasks. Not seeing how to use cli to set up a task triggering off of eventid 4800. I found this article, https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/, which suggests I could do it manually on a lab box, export it, and then import via cli on the target. So, this will be something to lab up. #redteam #infosec #persistence

#hack100days : day 19d : Worked on #hackthebox new release, investigation, and managed to get user and root. I used to be strong in perl... ...it was in the last century, though! LOL. #ctf #infosec
#hack100days : day 20d : Worked on #hackthebox Jet fortress. Got another flag. More php tricks. #ctf #infosec
#hack100days : day 21d : Tinkered with schedtask and eventviewer. Exported a task set to go off of 4801--unlocked workstation (Previous post said 4800, which worked on another Windows 10 implementation had this. So, gonna have to unpack that weirdness...) When I imported it on another box, no joy. Permissions issue. Redid it from the context of the schedtask app and the import worked, but stuck it in an unexpected location. Tried to run as system instead of my defined user... ...so, that's interesting. ...? #redteam #windows #persistence
#hack100days : day 22d : Figured out my goof on 4800/4801. It's Lock/Unlock. Played around with schedtask to get a valid task on unlock. Took some experimentation, but got there. Got a good example exported as xml, so the next trick is writing a script to establish persistence after initial access. Concurrently I need to write the info gathering script(s). #redteam #windows #persistence
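The flip side of the day 21/22 experiments, as an added example that is not from the original post: a PowerShell sweep over registered scheduled tasks that pulls every event-subscription trigger apart, extracts the log channel and Event ID(s) from the subscription XPath, and marks the lock/unlock pair (4800/4801) along with who the task runs as and what it executes. The watch list and the regexes over the subscription text are assumptions.

```powershell
# Added example, not from the original post: find scheduled tasks driven by event
# triggers and surface the ones subscribed to 4800 (lock) / 4801 (unlock), plus the
# principal and action, so a task imported "as SYSTEM" stands out.
function Get-EventTriggeredTasks {
    param(
        # Event IDs to highlight. 4800/4801 are the lock/unlock events from the post.
        [int[]] $WatchEventIds = @(4800, 4801)
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($trigger in $task.Triggers) {
            # Only event triggers carry a Subscription; time/logon triggers are skipped.
            if ($trigger.CimClass.CimClassName -ne 'MSFT_TaskEventTrigger') { continue }
            # Subscription is an XPath query such as:
            # <Select Path="Security">*[System[... and EventID=4801]]</Select>
            $sub  = [string]$trigger.Subscription
            $ids  = [regex]::Matches($sub, 'EventID=(\d+)') | ForEach-Object { [int]$_.Groups[1].Value }
            $chan = if ($sub -match 'Path="([^"]+)"') { $Matches[1] } else { '' }
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Channel  = $chan
                EventIds = ($ids -join ',')
                Watched  = [bool]($ids | Where-Object { $WatchEventIds -contains $_ })
                RunAs    = $task.Principal.UserId
                RunLevel = $task.Principal.RunLevel
                Action   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
                State    = $task.State
            }
        }
    }
}

Get-EventTriggeredTasks | Sort-Object Watched -Descending |
    Format-Table TaskPath, TaskName, Channel, EventIds, Watched, RunAs, RunLevel, Action -AutoSize
```

Run it from an elevated prompt so tasks registered under other principals are included in the listing.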
#hack100days : day 23d : Confirmed pktmon was not going to be in-play for my objective tooling. Wireshark is in the software catalog, so explored ways to use sccm at the command line. Still have a ways to go. Was able to enumerate part of the software catalog, but a lot of it wasn't visible. Including wireshark--I think tshark is installed with it, so that's my goal. #redteam #executeonobjective #infosec
#hack100days : day 24d : Today was research day. Attended a webinar on web hacking with some good links to resources. This one gave me a lot of good threads: https://github.com/dafthack/CloudPentestCheatsheets/tree/master Which is good, as I've got some scope to nail down the next week or so, so this should help. #redteam #sharpenthesaw #infosec
#hack100days : day 25d : New hacktop from work today. Setting it up, trying stuff out. WSL is still sub-optimal. Gonna work on getting more facile w/Docker and Ubuntu's Multipass. Oh, something interesting... ...an EICAR dropped into a WSL image doesn't get flagged by Defender. #labitup #infosec
#hack100days : day 26d : New release on #hackthebox, but it's not coming easily. Found a thing to help with enumeration, but I need to do some more reading on php to get to the next bit. #ctf #infosec
#hack100days : day 27d : Took another look at the #hackthebox new release. Making some progress. #ctf #infosec
#hack100days : day 28d : Doing some Attack Chain threat modeling. After getting a #flipperZero and playing with BadUSB, I've gotten my hands on a #Hak5 Rubber Duckie. Looking at #mitreattack I notice the only BadUSB references are in footnotes! I think it fits as either Hardware Additions or as a Phishing technique. What say you #redteam and #blueteam, since it's not explicitly called out as a technique, do I infer this as "not likely"? #infosec
#hack100days: day 29d : Bashed at new hacktop's wifi. Going in to work tomorrow, chance to isolate issue to laptop or my network and their interaction--other devices are behaving as expected. Watched a bit of @Alh4zR3d@twitter's N00bie Tuesday. Also found this site: https://www.zaproxy.org/docs/docker/webswing/ Which means I don't have to pollute the new hacktop w/Java! Another opp to get more touches w/#docker. #infosec #labitup

#hack100days : day 30d : Pretty busy day, putting pressure on hacking for myself. Looked into "coding"--Red Teamers have to code(?). I'm down with bash and fairly comfortable with python and PowerShell. After looking at CobaltStrike, I can kind of connect the dots. So, nim, .Net/C#, go, rust? I'm not diving into c/c++, looked at K&R ages ago and it didn't take. Got a nudge in the .Net/C# direction, it *is* the "guts" of PowerShell and Windows. #redteam #coding
#hack100days : day 31 : Forgot to post yesterday. Pretty busy day. Got caught up on @thegrugq newsletters--I was a couple of days behind. Also read a recent Bellingcat newsletter and article. Octosuite looks interesting: https://www.bellingcat.com/resources/2023/01/20/octosuite-a-new-tool-to-conduct-open-source-investigations-on-github/ Might be useful for internal appsec and dfir teams, as well. #infosec
#hack100days : day 32 : Moved C2 server vm from old hacktop to new hacktop. Updated the vm. Went looking for resources for aggressor scripts and C2 profiles. Near and intermediate planned exercises will use https, but the use of DNS is still looking too much like a dark art. I've got the pieces I can put together to do it, but I'm still fuzzy on how to put them together. It isn't urgent, so I'll block a couple of days down the road to lab it up. #lab #redteam #infosec
#hack100days : day 33 : Took it easy today. Looked at some open-source projects from fortynorthsecurity.com. Came across them looking for CobaltStrike info. PersistAssist (https://github.com/FortyNorthSecurity/PersistAssist) looks interesting. It's written in C#, so I took some time to look through the code to see if it makes any kind of sense to me. Maybe tinkering with that would be a good way to start getting acquainted. I think I want to play around with Egress-Assess (https://github.com/FortyNorthSecurity/Egress-Assess) a bit, as well. #redteam #infosec
#hack100days : day 35 : Worked on the hacktop lab. Created a "Private" network for the targets to reside in. Built an OPNsense virtual firewall to govern access between the "External" network--where the attacking hosts are going to reside--and the target network. ...maybe I should rename them. Skimmed the DNS section of the OPNsense manual. Maybe Dnsmasq lets me try out DNS C2? Next step is to move my target vm from the old hacktop to the new and test fw config. #labitup #redteam #infosec
#hack100days : day 36 : More work on lab infra. Followed this cookbook on dockerizing CobaltStrike: https://ezrabuckingham.com/blog/containerizing-red-team-infra/ Worked! Docker networking is still a little weird for me, so I need to figure out how the beacons are going to get there. The client piece worked, so halfway there. Still need to test the fw--it seems to be grabbing my laptop's IP, which creates network weirdness. May bail and use something I'm more familiar with. #redteam #labitup #infosec
#hack100days : day 37 (delayed report) : More work on the lab. Migrated target vm from old hacktop to new. Poked at virtual firewall some more to get the lab network sorted. #labitup #infosec
#hack100days : day 38 : Not much direct hacking today. Read a couple of articles on Azure/M365 hacking. A family friend is making a career transition to software development. Their code made it into GitHub, so I looked through it to practice code-review skills-ish. #infosec
#hack100days : day 39 : *Now* I have a working virtual gateway in my virtual lab. Ubuntu w/iptables rules, ftw. Next, write a "shields up/shields down" script governing rules for the inside LANs. Time to grind on payloads! Ah, and it's beer o'clock. #redteam #labitup #infosec
#hack100days : day 40 : Took a crack at today's #HtB new release, interface. Web app, natch. Started my process and used the usual tools. Didn't get very far at all. Based on tech found, did some research and found an article about one of the components. Calling it a day though and will take a look tomorrow. #ctf #infosec
#hack100days : day 41 : Tinkered around with Docker some more. Experimenting with building an image w/enumeration tools. Getting rust onto the system for feroxbuster has me a bit stymied. #infosec #enumeration
#hack100days : day 42 : Listened in on N00bie Tuesday by Alh4zr3d@twitter. Someone mentioned Zero Point Security has a "Rust for n00bs" class: https://training.zeropointsecurity.co.uk/courses/rust-for-n00bs I'm a n00b, so ran full-tilt into that rabbit hole. An inexpensive introduction. Rust has some interesting quirks. Tried it out on MacOS. Next up, Windows. #InfoSec #LearnToCode #Rust
#hack100days : days 43 & 44 : Forgot to post yesterday. Modified a BadUSB/Rubber Ducky script to run PowerShell and feed a file. Helping out a #BlueTeam analyst w/that one. Helped myself for a future #RedTeam exercise. Also spent some time w/'hello, world', Rust, and Windows OS. Baby steps, time will tell w/that one. Tried out a different format for attack trees, but haven't tried it out on anyone yet. #InfoSec #LabItUp #CamelCaseTags4OnScreenReaders
#hack100days : day 45 : Read about #rust in _Rust Programming Language, 2nd Ed._
#hack100days : day 46 : Read more rust. (Today was a travel day, so not so much hands on keyboard today)
#hack100days : day 47 : Read a bit more about rust. Started in on Chapter 4 of The Rust Programming Language. Still not grokking why there is a mutable/immutable setting for variables. Seems there's no difference between an immutable variable and a constant.
#hack100days : day 48 : even more #rust. Read some on chapter 5. Watched a couple of videos by @0atman on his No Boilerplate YouTube channel. Poked around on crates.io a bit and looked at some code.
#hack100days: day 50 : Grrr. Yesterday was actually day 49. Anyways. Signed up for zeropointsecurity.co.uk Certified Red Team Operator course. LFG! #RedTeam #infosec #PrimumNonNocere
#hack100days: day 51 : Spent some time going through CRTO. First two sections down. Spun up a new kali box to play around with some of the tooling covered in recon section. Reckon I'll do a once through the material before getting lab time and going after the lab exercises. #RedTeam #infosec
#hack100days: day 52 : Spent more time on CRTO, got through several sections. Looked at some of the tooling called out. If something tried to talk to lsass, there's a Windows Event 4656 generated. These events don't make it into Windows Defender Advanced Threat Hunting. Some KQL that *might* help a little bit: 'DeviceProcessEvents | where (FileName != "lsass.exe" and ProcessCommandLine has "lsass")' This could find where someone's trying to tinker with it from the command line. (Since lsass does get started in the normal day-to-day of things, filter out it itself being the running process, look for things trying to operate on it.) #redteam #blueteam #GetSmart
#hack100days : day 53 : Thin on the hacking today. Listened to risky.biz and got caught up on @thegrugq newsletters.
#hack100days : day 54 : Completed credential theft section for #CRTO, got some good ideas for #ThreatHuntThursday for log events and access patterns I hadn't thought of before. #redteam #GetSmart
#hack100days : day 55 : Completed three more #CRTO sections, maybe about a 1/3 of the way through--so far, mostly review. Added another item to the #ThreatHuntThursday list. #redteam #GetSmart
#hack100days : day 57 : Finished the next section of CRTO. Juuust shy of half-way. Checked out a couple of presos at the Antisyphon "Most Offensive Con That Ever Offensived" on-line conference. I like the personalities and some of the dialogue in the #RedTeam panel discussion at the beginning. However, it was a little too "let's be controversial for the sake of controversy" for my taste. (I hope to get a pizza delivered to me, one day.)
#hack100days : day 58 : Spent some time poking around log sources. Checked for logging and events matching opsec warnings from CRTO. Created and tuned some queries for Defender ATH. There's signal in there about Registry run key creation and scheduled task creation. Good to know for #redteam and #blueteam!
#hack100days : day 59 : Two more sections of CRTO down. Tuned the registry run key search in Defender ATH. Noisy bugger, going to take some work to sort out "normal". Seems like a good place to hide for long-haul persistence. #RedTeam #BlueTeam
#hack100days : day 60 : Another section of CRTO done. Learned more about MSFT's Data Protection API, which was new to me. Otherwise, it was light today. #GetSmart
#hack100days : day 61 : Another light day. Read articles and another chapter in _Rust Programming Language_--was reminded to keep up on that via link from a @thegrugq newsletter to @buttplug.io (@twitter) thread, leading to @m_ou_se@twitter presence talking about her book _Rust Atomics and Locks_ (which is available at https://marabos.nl/atomics/, so I have some more reading and coding to do...) #GetSmart #Rust

#hack100days : day 62 : Wasn't up for it yesterday, took a sick day. Did some poking around at a recent CVE. Not going to share which one at this time. Led to another thread, though. Something that could lead to finding weird... Look for instances of the Windows process WerFault.exe starting. What was the parent process? What was the user id for the process? You may find something that is well broken and needs fixing--that cleans up log files--or something that needs further research. #ThreatHunting #BlueTeam
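One way to run the WerFault.exe hunt described above, as an added example that is not from the original post: pull Security 4688 (process creation) events, keep the ones whose new process is WerFault.exe, and group by parent process and user so the one well-broken app shows up as a big count and the odd one-off shows up at the bottom. It assumes process-creation auditing is enabled and that the reader has rights to the Security log; CommandLine is only populated where command-line auditing is on.

```powershell
# Added example, not from the original post: frequency analysis of WerFault.exe starts.
# Event 4688 carries SubjectUserName/SubjectDomainName (who), NewProcessName (what),
# and on Windows 10 and later ParentProcessName (spawned by what).
function Get-WerFaultStarts {
    param([int] $MaxEvents = 5000)   # how far back to read; raise for quiet hosts
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the <EventData><Data Name="...">value</Data> pairs into a hashtable.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['NewProcessName'] -notlike '*\WerFault.exe') { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']   # $null unless command-line auditing is on
        }
    }
}

# Big counts are usually one app crashing repeatedly; singletons under an unexpected
# parent or user are the ones to chase.
Get-WerFaultStarts |
    Group-Object Parent, User |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```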
#hack100days : day 63 : Lots of context switching today, articles, newsletters, and such. Going to unplug and finish another chapter of _Rust_Programming_Language_. #GetSmart
#hack100days : day 64 : read another chapter of _Rust_Programming_… Site visit today, learning and relearning about processes and tech used to make the firm money. Thinking hard about attack paths and drafting possible exercises. #redteam #getsmart
#hack100days : day 65 : Kept chipping away at _Rust_Programming. Took a look at Defender and Advanced Threat. Created a query for finding admin users modifying registry run keys. I'm a fan of the 'project' command to grab only the columns I care about. #GetSmart
#hack100days : day 66 : Took a crack at #HackTheBox new release, Inject. I've gotten rusty.
#hack100days : day 67 : Read another chapter #rust. This one hurt my brain and will need to be revisited. #getsmart
#hack100days : day 68 : Watched some #rust videos by @valhalla_dev Watched him go over some chapters out of the Rust Book and a couple of videos on malware dev. #redteam #GetSmart
#hack100days : day 69 : Forgot to post last night. Watched @alh4zr3d @[email protected] "Newbie Tuesday" stream. Biggest take-away was older Logitech wireless devices speak wifi. So, "BadUSB"/RubberDucky is in-play during physical tests: https://github.com/insecurityofthings/jackit/tree/master/jackit #redteam
#hack100days : day 70 : Today was a day of json and powershell. Took a different approach than I usually do. Started with laying out a json schema for all the data elements I want. Then backed into functions and code. I've coded in ksh and bash for so long, I'm more used to doing the functions first. This is more interesting, because now I hunt for LOLBAS to get the data. #redteam #LolBas
#hack100days: day 71 : Moar #powershell! Sorted a couple of functions. Figured out how to create an object to store the data in and to spit it out as a json "blob". Need to focus on getting the first MVP done and worry about edge-cases later.
#hack100days : day 72 : CRTO today. Eighty percent through first pass. Goal is to get through it over the weekend and start hitting the lab next week. #RedTeam #CRTO #PrimumNonNocere
#hack100days: day 72 : (yesterday I watched soccer.) Finished up the CRTO modules. Time to sign up for the lab and go through it again. #RedTeam #CRTO #PrimumNonNocere
@scottlink there’s a longer write up due this week too. I want to make sure to get it out