And, last week, I was on This Week in Enterprise Tech, a second time, to pre-record episode 72, their Christmas special. This time, we went through covert communication and how a low and slow attacker would keep and use a beachhead in a compromised network.
But first, a story:
I usually go on the show with two laptops. One for screensharing and another for Skype video. I wasn’t able to do so this time and we had to get creative. This led to some troubleshooting during the live recording of the episode. The folks on the irc.twit.tv/twitlive chatroom were very gracious and good spirited as we worked through these things. The in-between time of the episode allowed for some fun banter, so it wasn’t all bad. I watched the episode in its edited form and I’m pleasantly surprised. I think it came out really well.
Here’s the episode:
In the video, I use Cobalt Strike’s Beacon to demonstrate this beachhead. To dig more into Beacon, here are the blog posts on this topic:
Last night I was a guest on This Week in Enterprise Tech. This time, we opted to focus on core material and talk about SMTP. Phishing is a concept most are comfortable with. In this episode, rather than paint the doom and gloom picture, we focused on SPF, DKIM, and DMARC standards. Our goal–clarify what these standards are, what they do for you, and how they force an attacker to change their approach.
Yesterday, I had a lot of fun hanging out with the This Week in Enterprise Tech crew. We had a chance to talk about penetration testing in its various forms, best practices, and a demonstration of Armitage and Cobalt Strike. I’m getting ready to push something big in Cobalt Strike in a few days… the end of the episode has a demo of it. You don’t want to miss it.
With this in mind, Jim and David invited me back to demo Cobalt Strike in its current state. We did this entire interview and demonstration over Amazon’s EC2, attacking parts of my local training lab. Here it is, in all of its glory:
Before developing Cobalt Strike, I conducted interviews with several penetration testing practitioners. I wanted to dig into their process, the tools they used, the gaps they saw, etc. Three folks from the Veris Group sat down with me for three hours to go over these very questions. It was at this time, I became familiar with David McGuire and Jason Frank.
Our relationship has evolved, to the point where they advise on Cobalt Strike, teach the product, and Veris Group is also a Cobalt Strike customer.
Last year, David and Jason approached me and offered to include Cobalt Strike on the DVD they provide to the students of their course. This then evolved to including a lab with Cobalt Strike. Which then evolved to them opting to use Cobalt Strike as the platform to demonstrate their Adaptive Penetration Testing process.
I have my own course offerings, but my offerings are focused only on my toolset. These courses will give you the foundation to setup a complete red team and penetration testing assessment process using Cobalt Strike and other tools. Their perspective is available once a year at BlackHat USA, I highly recommend that you take advantage of it.
To give you some more insight into these courses, I’d like to share an interview I conducted with Jason and David on their BlackHat courses:
1. How many times have you taught at Black Hat and what made you want to teach there?
David and Jason: We’ve had the opportunity to teach the class twice at Black Hat USA and once at Black Hat UAE. Black Hat provides smaller independent trainers like us, who don’t do this full time, with a great venue to reach a broad potential audience. They handle all the logistical work (such as securing a venue, billing and marketing) so we can focus on delivering quality course material that benefits our students. We are very appreciative of the opportunity they give small trainers and the working relationship we’ve been able to establish.
2. In your words, what are the differences between the Adaptive Penetration Testing and Adaptive Red Team Tactics courses?
David and Jason: The focus of Adaptive Penetration Testing (APT) is to provide students with a framework for providing comprehensive assessments with the objective of demonstrating the risk, in terms of business impact, of potential system breaches. The end goal is for students to be able to take the techniques, procedures, and methodologies we have developed through our experience and implement them in their own operational environments. Assessments utilizing the methodology we discuss in APT are targeted to take one to two weeks to execute effectively.
Adaptive Red Team Tactics (ARTT) is meant as a follow-on to APT and focuses on emulating a more advanced threat. This course covers more advanced tactics, techniques and procedures (TTPs) that enable our students to provide a more realistic assessment of defense, detection, and response capabilities in organizations with mature IT security programs. Red Team assessments generally have an extended assessment window and incorporate techniques for providing a more covert, “low and slow,” assessment with a heavy focus on intelligence gathering and long-term post-exploitation activities. Stealth, evasion, robust persistence, and data exfiltration are some of the main themes of ARTT.
3. What is the secret sauce of your courses? What will you teach that students can’t get elsewhere?
David and Jason: We focus heavily on the tools, techniques and methodologies that we have developed through our experience performing assessments and building internal penetration testing programs for our customers. While we thought there was some really great training out there, we felt there was an opportunity for us to fill a legitimate need in the industry by offering training that focuses on how to effectively conduct assessments in operational environments. In our courses, we want to make sure students understand the entire process of executing a Penetration Test or Red Team assessment, including everything from scoping to exploiting systems to delivering a comprehensive report. We structure and deliver our course material so students walk away from the course with something they can easily use as a reference when conducting their own assessments. We also include templates and other material that offer students a foundation for creating a program/service from the ground up.
We think another big differentiator in our courses is our incorporation of Cobalt Strike. We feel that one of the gaps in a lot of training out there is that they do not effectively cover the professional tools that can assist in delivering efficient, effective, and repeatable assessments. Cobalt Strike is a full-fledged toolset we use every day in our penetration tests and red team assessments. It enables us to save a lot of time in execution and have quick access to some powerful capabilities. We believe that when testers are in the middle of an assessment, they should be able to focus on assessing the risk/business impact of breaches for their customer, not wrestling with their tools. Tools don’t make the tester, but knowing which tools can best augment your capabilities is often as important as knowledge of great penetration testing techniques.
Raphael: *cough* *cough* Last year, I spent some time with David and Jason at the Veris Group headquarters. Jason constantly rolled his eyes at David and me. Apparently, when we sit down together, we’re like two Furbies going into an infinite loop. Once we broke out of our chat routine, I sat down to go through their labs. I couldn’t do them. David and Jason kept providing hints, but I really did not know. The labs were related to lateral movement and abusing trust relationships. This is a topic that I don’t feel is well covered in other places and their courses both address this topic with a lot of depth.
4. Why isn’t this material taught in other places?
David and Jason: Many courses seem to focus either on foundational knowledge of penetration testing, or technical intricacies of various advanced techniques. While a lot of these are really great courses, we felt they often didn’t leave students with the ability to go execute well-planned and comprehensive assessments on their own. We designed APT for students who don’t need more foundational knowledge, but do need to run effective assessments to add value for their customers. Many courses also focus on tools and techniques that are freely available, but operational penetration testing teams use the most effective tools for the job, whether freely available or commercial. We wanted to train on tools and techniques that students would actually use in the field.
When it comes to ARTT, we felt there are few advanced penetration testing courses available, especially relative to the number of courses that teach the fundamentals. Those that are available typically focus on techniques such as exploit development, but few seem to focus on emulating the techniques of the advanced threats that are actually targeting organizations today. We bring our experience in conducting red team assessments for the Federal government, where the objective is to analyze systems the way an adversary would versus utilizing the latest and greatest esoteric technique.
5. How did Cobalt Strike end up in your courses?
David and Jason: When we first developed the APT course, we faced the same limitations most courses do, in that many of the tools we were teaching weren’t the ones we actually used on assessments. One of the only tools that came close to something we could use operationally was Armitage. As Cobalt Strike was a natural progression from Armitage, when it was released, we found it was the perfect fit to move to for our primary penetration testing platform. In keeping with our objective of training for operational testing, we also thought this was a great opportunity to showcase the capabilities a professional toolset can provide. We found Raphael had much of the same mindset for penetration testing and training we did and was enthusiastic about assisting us in improving our training offering. Cobalt Strike was exactly what the course intended to provide, a turn-key approach to accomplish common, sometimes tedious, tasks so the assessor can spend more time performing effective threat emulation.
Cobalt Strike was actually one of the primary reasons we were able to offer the ARTT course this year. One of the significant barriers to teaching (and conducting) red team assessments is the specialized toolsets red teams use. These toolsets are generally highly specialized, require a significant amount of support, and are almost never released. These issues make training red team tactics much more difficult. However, over the past year Raphael added many red team capabilities to Cobalt Strike. While Cobalt Strike is great for enabling a standard penetration testing team to emulate more advanced threats, it also gave us the opportunity to train on many of the more advanced tactics we use in our red team assessments.
Raphael: I know the real story. A few years ago, David and Jason were teaching Adaptive Penetration Testing. One of their students used Armitage to chew through their entire exercise environment, like it was nothing (this is a very common Armitage story–in many classrooms). This is what got their attention and it’s part of what got us talking in the first place. 🙂
6. Who should take your courses?
David and Jason:
Penetration testers and/or managers with prior knowledge/training/experience who are looking to maximize their programs
Individuals interested in starting a penetration testing capability
Penetration testers and/or managers with prior knowledge and experience with penetration testing tools and techniques interested in emulating a more sophisticated threat capability
Individuals who would like a better understanding of the tactics, techniques and procedures of more advanced adversaries
Raphael: If you’re a prospective (or active) Cobalt Strike user, I highly recommend signing up for one of these courses. If you’re planning to use Cobalt Strike in a variety of engagements, take Adaptive Penetration Testing. If you’re primarily focused on threat emulation and red teaming, take Adaptive Red Team Tactics. David and Jason are very experienced in the subject matter they’re teaching. They know Cobalt Strike and we view threat emulation and penetration testing through the same lens.
Yesterday, I had the opportunity to attend and participate in the Washington Post Cybersecurity Summit. The purpose of the event was to discuss what the government’s role should be in assisting the private sector when responding to a crippling attack over the network, presumably from a nation state actor.
The other participants were several well known and established voices on the national stage for this discussion. The top of this list being Janet Napolitano, Secretary, U.S. Department of Homeland Security.
The event started with remarks and an interview with Secretary Napolitano. This was followed by a panel that role played how the FBI, Intelligence Community, Department of Homeland Security, and State Department would work with a victimized U.S. company under active attack by a nation state actor. Interestingly, the exercise focused on a sabotage scenario, not theft of information.
A short panel followed discussing policy implications of the role-playing exercise.
Finally, I participated on the last panel: Looking Forward with the CIO of NASA and Steven Bucci from the Heritage Foundation. This final panel contained the view points of an executive with a big job, a strategic thinker, and a hacking geek. Mary, the event moderator, did an excellent job steering the discussion into territory that overlapped our points of view.
This year, I had a chance to update this talk and show what is different about this year. At this talk, I emphasized the use of bots and how they helped us play the game. I also talked about the use of asynchronous command and control to better hide our presence on student systems. I released Raven, the asynchronous C2 agent I developed for this year’s CCDC event. Raven is the prototype of Cobalt Strike’s Beacon feature. I also released a few other Cortana scripts discussed in the talk. This talk also covers a neat Windows persistence trick using DLL hijacking against explorer.exe.
Thanks to Adrian “irongeek” Crenshaw’s amazing speed, I’m able to share both videos with you today. It’s best to watch both videos in order.
Let me know what I should cover in next year’s Dirty Red Team Tricks III.
Vivek’s questions created a great opportunity to cover the Armitage and Cobalt Strike story to date. In the interview I talk a little about how I got started, the differences between Armitage and Cobalt Strike, and just what the heck is threat emulation. I also go more into the Cobalt Strike roadmap than I have done publicly before.
During DEFCON, I sat down with Boonsri, a journalist from BYTE to discuss Cobalt Strike and the hacker process in general. This interview was from the same day I lost my voice. During the demo, I used Cobalt Strike’s website clone tool to copy a site and add an exploit to it. From there, I started to log keystrokes of my “corporate victim”.
AudioParasitics is on the Offense – Dave and Jim welcome special guest Raphael Mudge!! Known far and wide as the creator and developer of Armitage, Raphael gives us the history behind the tool and touches on some exciting new efforts. We dig deep into the new Cobalt Strike tool, as well as the upcoming release of Cortana at DC20.
This is a great interview. In it, I get to share how Cortana was funded through the DARPA Cyber Fast Track program. I talk about the history of Armitage and I get a chance to discuss what Cobalt Strike is trying to accomplish. Check out the podcast for more: