Press "Enter" to skip to content

Month: July 2014

Pass-the-Hash is Dead: Long Live Pass-the-Hash

[Edit 3/16/17] Many elements of this post, specifically the ones concerning KB2871997, are incorrect. I have an updated post titled “Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy” that contains the most up-to-date and accurate information.   [Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-EnumerateLocalAdmins  ->  Invoke-EnumerateLocalAdmin Get-NetLocalGroups  ->  Get-NetLocalGroup -ListGroups You may have heard the word recently about how a recent Microsoft patch has put all of us pentesters out of a job. Pass-the-hash is dead, attackers can no longer spread laterally, and Microsoft has finally secured its authentication mechanisms. Oh wait: This is…

A Brave New World: Malleable C2

Last week, Raphael Mudge released an awesome update to Cobalt Strike’s asynchronous agent, Beacon, in the form of new fully customizable/malleable command and control communications. Beacon’s initial communications channel with its C2 server was with HTTP, with a DNS control channel added soon after. This allowed Beacon to behave similarly to most documented crimeware strains. The ability to communicate using SMB pipes was added at the end of last year, enabling the emulation of like some of the more advanced APT agents like Red October and Duqu. However, there still wasn’t a way to make the network traffic really look like the specific C2 for any of these samples. With this update, communication profiles for Beacon can…