Archive for the ‘Announcements’ Category

h1

SpecterOps acquires MINIS

November 1, 2017

Today, SpecterOps announces its acquisition of MINIS LLC. The company is doing its social media thing to spread the word. I wanted to take a moment to share the news and comment on it in my own words. If you want press release language, we have that too.

To evaluate an operation, military planners often discuss measures of performance and effectiveness.

Performance discusses the technical execution of the operation. How well did the operators adhere to the plan? How skillfully did they carry out the complex tasks asked of them? It’s quite possible to have perfect execution and fail to meet the objective of the operation. That’s why performance is one measure. Effectiveness is the other. Effectiveness is a measure of the success of the operation, overall.

In a highly technical role, like adversary simulations, it’s easy to lose ourselves in measures of performance. How many shells did you get? How many findings are there? Did we get DA? How evasive, scary, and cool is our malware? What kind of bypasses did we use? Our community is regularly abuzz with discussion of technical innovations. It’s good stuff.

There are too few voices discussing the big picture of red team operations and adversary simulations. How do we do this in a professional, safe, and repeatable way? How do these efforts directly benefit a program? How do we measure this benefit? This is the big picture “measure of effectiveness” stuff.

We care about this at SpecterOps. We don’t execute an engagement, write a report, and leave. We care about how to make this work have a lasting impact on our customers. We care about disseminating best practices to all.

And, that’s why I’m so excited about the MINIS LLC team joining SpecterOps.

Andrew Chiles, Derek Rushing, James Tubberville, and Joe Vest are skilled operators. All spent parts of their career with a Department of Defense red team. Today, they’re an important voice on the big picture topics related to red team operations and adversary simulations. How do we do this in an effective and impactful way?

Since MINIS LLC was founded, several firms sought them out to learn tradecraft and sharpen their red team offerings. This opportunity to influence expanded a great deal when James Tubberville and Joe Vest co-authored the SANS Red Teaming and Threat Emulation course. Their course focuses heavily on the big picture topics. MINIS LLC gets “threat emulation” and I’ve always seen them as a key ally, helping to drive these ideas forward.

They. Them. Not anymore! Us. I’m very excited to welcome Andrew, Derek, James, and Joe to SpecterOps. You’ve done so much under the MINIS banner. I’m very excited about what we’ll do together.

h1

Living the Ghost Life: Announcing Specter Ops, Inc.

July 10, 2017

Have you seen this cute ghost inside of a hexagon? The logo is for Specter Ops, Inc., a new cyber-security consulting firm. Today’s the company’s launch day. The press release is here. The website is here.

Today, Specter Ops, Inc. is 13 people who have given me technical guidance on Cobalt Strike, trained Cobalt Strike users, and made amazing contributions to the security community (to include open source projects and content Cobalt Strike users benefit directly from).

In terms of services: Specter Ops, Inc. has three focus areas: We offer adversary simulation services (red team ops), breach assessments (hunt), and adversary resilience assessments. The last one is particularly interesting. Resilience assessments help harden large Active Directory environments by identifying lateral movement vectors and measuring an organization’s adherence to the principle of least privilege. It’s good stuff. We offer assessments, staff augmentation, training, and program development in each of these areas.

The firm is new, but if you check out the team page, you’ll see there are several familiar faces. You’ll also note I said “we”. I have responsibilities at Specter Ops, Inc. as well. I’m the company’s President and my duties include: strategic guidance, mentoring, and starting conversations with “I remember when I was technical…”.

Day-to-day, I’m still in a Strategic Cyber LLC office space. I continue to argue with procurement people about contract details (yes, really), provide support to my users, and develop Cobalt Strike. This continues to happen under the Strategic Cyber LLC banner. Nothing’s changed here.

For Cobalt Strike users, this is exciting. Specter Ops, Inc. is an official “go to” for Cobalt Strike training and offers services that Strategic Cyber LLC never had the man-power to do. If you’d like engage Specter Ops, Inc., direct your queries to info@specterops.io.

I want to say thank you to each member of the Specter Ops, Inc. team. Thank you for taking the next steps of your career with this firm. I look forward to building an amazing company with you and I’m very excited for the things that will come next. I’m also very proud of all of you for pulling together this launch.

Onwards!

h1

Cobalt Strike 3.0 – Advanced Threat Tactics

September 24, 2015

Cobalt Strike’s mission is to help security professionals emulate “advanced threat tactics” during their engagements. I’ve executed on this since the product’s 2012 release. Cobalt Strike 3.0 is the next iteration of this.

Cobalt Strike 3.0 is a ground-up rewrite of the client and server components in this product. Notably, Cobalt Strike no longer directly depends on the Metasploit Framework. Cobalt Strike 3.0 is a stand-alone platform for Adversary Simulations and Red Team Operations.

This release makes several strategic changes to support Cobalt Strike’s Red Team Operations and Adversary Simulation use cases. Here are the highlights…

Asynchronous Post Exploitation with Beacon

Beacon has completed its transition from stable lifeline to full-featured post-exploitation agent. This release includes features and workflows for user-exploitation at scale and a data model that populates itself with credentials and targets found with Beacon.

Logging and Reporting Designed for Red Team Operations

Logging and Reporting were completely overhauled. All logging now takes place on the team server. Each command is attributed to an operator. File uploads are hashed and the file hash is noted in the logs. Actions and output are captured whether a client is connected to the server or not. Cobalt Strike 3.0’s reports produce detailed timelines of red team activity and indicators of compromise.

sessions2

Intuitive Named-pipe Pivoting

The SMB Beacon is a first-class part of Cobalt Strike’s workflows. This Beacon variant uses a named pipe to receive commands from and send output through a parent Beacon. This effectively allows you to chain Beacons to tightly control your communication path and egress systems/elevated processes through another Beacon’s channel. Cobalt Strike 3.0 supports the SMB Beacon with visualization that shows this chaining in a beautiful and intuitive way.

Target Acquisition and Lateral Movement

Cobalt Strike 3.0 also provides tools and workflows to support target acquisition and lateral movement with Beacon. The new net module uses Win32 APIs to discover and interrogate targets. Beacon also gained a port scanner that operates on target and reports intermediate results when Beacon checks in. The workflows to repurpose trust material and jump to a target are efficient and intuitive.

Advanced Threat Tactics Training

Finally, Cobalt Strike’s online training was refreshed for this 3.0 release. The Advanced Threat Tactics course is nearly six hours of material on the modern offensive process Cobalt Strike 3.0 supports.

A 21-day trial of Cobalt Strike 3.0 is available. The 3.0 release uses new infrastructure for its updates. Licensed users will need to download a trial of 3.0 and use the update program to get the licensed version of Cobalt Strike.

h1

Introducing Morning Catch – A Phishing Paradise

August 6, 2014

Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation.

On this virtual machine, you will find: a website for a fictitious seafood company, self-contained email infrastructure to receive phishes, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The other is a vulnerable Windows client-side attack surface.

Morning Catch uses a bleeding edge version of WINE to run a few vulnerable Windows applications AND experiment with post-exploitation tools in a fun and freely re-distributable environment.

You can download it via this torrent.

Login Screen

Your use of Morning Catch starts with the login screen.

Boyd Jenius is the Systems Administrator and his password is ‘password’. Login as Boyd to get to the vulnerable Linux desktop.

Richard Bourne is Morning Catch’s CEO and his password is also ‘password’. Login as Richard to get to the vulnerable Windows desktop.

You can also RDP into the Morning Catch environment.

logon

Windows Desktop

Richard’s desktop includes the Windows’ versions of Firefox, Thunderbird, Java, and putty. Open up Thunderbird to check Richard’s email.

You can send a phish to him too. This VM includes a mail server to receive email for users at the morningcatch.ph domain. Open up a terminal and find out the IP address of the VM. Make sure you relay messages through this server. Use rbourne@morningcatch.ph as the address.

Are you looking for some attacks to try? Here are a few staples:

Morning Catch’s WINE environment runs post-exploitation payloads, to include Windows Meterpreter and Beacon, without too much trouble.

theattack

Linux Desktop

Boyd’s desktop is the vulnerable Linux attack surface. Boyd has the Linux versions of Firefox, Java, and Thunderbird. Boyd also has an SSH key for the Metasploitable 2 virtual machine. Try to ssh to Metasploitable 2 as root and see what happens.

Webmail

Morning Catch also includes RoundCube webmail for all of its users. Use this as a target to clone and harvest passwords from.

roundcube

Hopes and Dreams

Morning Catch isn’t a replacement for a vulnerable Windows lab. It’s a safe and freely redistributable target to experiment with phishing and client-side attacks. It’s my hope that this environment will help more people experiment with and understand these attacks better.

Are you in Las Vegas for BlackHat USA or DEF CON? Stop by the Black Hat Arsenal on Wednesday at 10am for a demo of this new environment and a Morning Catch sticker. I’m also giving away DVDs with a revised Cobalt Strike pen testing lab that uses Morning Catch. Find me at the Cobalt Strike kiosk in the Innovation City portion of the Black Hat USA Exhibitor Hall. I will also give away these DVDs at the Cobalt Strike table in the DEF CON vendor area.

h1

Cobalt Strike Boxed Set comes to ShmooCon

February 13, 2013

It’s the middle of February, love is in the air, and… I’m busy preparing for my favorite hacker conference ShmooCon.

This year, for the second year in a row, Strategic Cyber LLC is sponsoring ShmooCon.

Last year, I had intended to launch Cobalt Strike. Except, it wasn’t called Cobalt Strike and someone else beat me on filing a trademark application on the original name–by about five days. Pure coincidence and I learned a lesson about retaining an IP lawyer early in the business formation process. Anyways…

Cobalt Strike is having its first year at ShmooCon and I plan to make it a good one. I’m unveiling a Limited Edition Boxed Set and giving away more of the popular Pen Test Lab DVDs. Read on…

Cobalt Strike Boxed Set

Limited Edition Boxed Set (Seriously)

If you haven’t bought Cobalt Strike yet, now is your opportunity. Leading up to and during ShmooCon, a few Limited Edition Boxed Sets are available. If you buy a Cobalt Strike license now through this weekend and present the key at the Cobalt Strike table, I will issue a boxed set to you (while supplies last).

These sets are beautiful. They include a professionally bound copy of the Cobalt Strike manual, a DVD with the Cobalt Strike software, and a Cobalt Strike sticker.

Most big software companies ask for a big check. In exchange, you get some 1s and 0s transmitted to you over the internet. When’s the last time someone bothered to put those 1s and 0s into a box? I rest my case.

Penetration Testing Lab DVD

If you haven’t tried Cobalt Strike yet, we have a slight problem. I don’t want you to buy without putting the software through its paces. I’m quite serious about this. If you want to try Cobalt Strike, stop by the table and get a Penetration Testing Lab DVD.

[youtube http://youtu.be/nEa5SJbOTRs]

This DVD has everything you need to put Cobalt Strike through its paces from the comforts of your laptop. This DVD includes an attack virtual machine, a Cobalt Strike trial package, and two victim virtual machines with self-guided hacking labs. I think of it as a chemistry kit for learning hacking. You can follow the steps or invent your own experiments.

I plan to burn a few hundred of these. I’m doing it now. I will run out. I always do. If you want one, come get it as early into the conference as you can.

Come say Hi!

I work the Strategic Cyber LLC table the entire time. If you have questions about Armitage or Cobalt Strike or if you’d like to see a demonstration, come on by. I’m looking forward to seeing you at ShmooCon!

h1

Strategic Cyber at Derbycon

September 29, 2012

Day 2 of Derbycon 2.0 – The Reunion is about to start. Strategic Cyber LLC is near the Capture the Flag room exhibiting Cobalt Strike, answering questions, and talking about hacking.

The airline destroyed my portable monitor (boo!), so we’re working off of laptops, but it’s OK.

We have several goodies that we’ree handing out too. Goodies include Armitage stickers, a limited number of Cobalt Strike stickers AND pen test lab DVDs.

Pen Test Labs

Yes, pen test labs. Our free pen test lab consists of three virtual machines.

  1. An attack virtual machine with a 21-day trial of Cobalt Strike that starts when you first run Cobalt Strike
  2. The awesome Metasploitable 2 virtual machine from the Metasploit Project
  3. A workstation victim virtual machine with self-contained email infrastructure

These virtual machines provide a quick and safe way for you to experiment with the offensive tools and techniques. The DVD also includes several step by step labs tied directly to the free Penetration Testing with Cobalt Strike course.

We have a limited number of DVDs available and they moved fast yesterday.

Beacon

The big topic around the table is Beacon, Cobalt Strike’s new covert command and control payload that mimics the C2 of advanced malware and RATs. This is an exciting capability leap for penetration testers. We will be answering questions and demoing aspects of Beacon at the table as well.

Dirty Red Team Tricks II

Sunday at noon, I will be delivering the Dirty Red Team Tricks II talk at Derbycon. Last year’s talk was quite a hit. I provided the kit and process we used at the Collegiate Cyber Defense Competition to work together as a red team and stay hidden on student systems. This update to the original talk will feature 2012’s tactics. You don’t want to miss.

That’s about it. I look forward to seeing you at the con.

h1

Cortana: real-time collaborative hacking… with bots

August 3, 2012

At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and generally wreaked havoc on college students defending (sometimes) unpatched systems. Today, I’d like to introduce you to the technology behind this havoc: Cortana.

You may know Armitage: a red team collaboration tool built on the Metasploit Framework. Cobalt Strike is Armitage’s commercial big brother. Both packages include a team server. Through this team server, multiple hackers may control compromised hosts and launch attacks through one instance of the Metasploit Framework.

Inspired by my days on IRC in the 1990s, I wondered what would happen if I added bots to this collaborative hacking setup. This wondering (and a DARPA contract) led to Cortana, a scripting language for Armitage and Cobalt Strike.

Cortana Architecture

What can I do?

Using Cortana, you may develop stand-alone bots that join your red team. Cortana bots scan hosts, launch exploits, and work on compromised hosts without stepping on each other or getting in the way of their human teammates. Think of this system as Google Wave Apache Wave for hacking.

Cortana scripts may also extend the Armitage and Cobalt Strike clients with new features. Cortana scripts can expose hidden Metasploit features, integrate third-party tools and agents, or control other Cortana bots.

Start Here…

If you’ve ever written scripts for an IRC client such as mIRC, irssi, BitchX, or even jIRCii–you’ll find yourself right at home with Cortana. The best place to start is the Cortana Tutorial. This document is a 55-page tutorial, reference, and collection of examples.

If you’d like to get involved writing Cortana scripts, head over to the Cortana Scripts Github repository. Fork the repository and start hacking away. Several example scripts are available, right now, for your copying and pasting pleasure.

Developer Support

If you have questions, join the Cortana Hackers Mailing list. Send a blank message to cortana@librelist.com and you will be subscribed. You may send a message to cortana-unsubscribe@librelist.com to unsubscribe from the list.

If you’d like to connect on IRC with other Cortana hackers, join #armitage on irc.freenode.net.

Get It

Cortana is now available in Armitage 08.02.12 shipped in the Metasploit Framework. Type msfupdate and you have it. I hope I didn’t freak anyone out with my mega-large pull request.

The latest trial of Cobalt Strike has it too.

Cortana is BSD-licensed and is co-developed with Armitage. This work was made possible by a DARPA Cyber Fast Track contract.

I first announced Cortana at DEFCON 20. The slides from this presentation are available as well.