Intro In my previous post, we had a look at the Tradecraft Garden by integrating one of its PIC reflective loaders into a Beacon payload. One of the features I mentioned was that of passing additional arguments variables to Crystal Palace during its linking process. The example I cited was
Intro Raphael Mudge is the original creator of Cobalt Strike and now author/blogger at the Adversary Fan Fiction Writers Guild. His latest project is the Tradecraft Garden, which is a collection of resources centred around the development of position-independent DLL loaders. The tradecraft garden contains two main components: 1.
Kerberoasting is a technique that allows an attacker to extract the encrypted part of a TGS-REP and brute force it offline to recover the plaintext password of the associated service account. The most common method of obtaining TGS-REPs is for the attacker to send TGS-REQs to the KDC for one
The CS 4.10 update saw the introduction of the Postex Kit. This was a bit overshadowed by BeaconGate, which was also added in 4.10 (I wrote about this in my last post). The intention of this post is to highlight what this kit is about and how it
I've been looking into Cobalt Strike's UDRL, SleepMask, and BeaconGate features over the last couple of days. It took me some time to understand the relationship between these capabilities, so the aim of this post is to provide a concise overview for those looking into these
I enjoy learning about new programming languages, so I decided to have a look at Crystal - a general purpose, object-oriented language. Unfortunately, the title is complete clickbait - this will just be a short post about my first impressions of the language and some of the things I found
I have been quietly working on some new Kerberos course content, and although it’s not complete yet, I wanted to take a small segue to write this post. My approach to tackling the content required capturing and decrypting legitimate Kerberos traffic on the wire, so that readers could understand
If you’re an experienced Cobalt Strike user, you will already know what roll the artifact kit plays in customising its binary (executable and DLL) payload artifacts (artefacts for the British). If not, here’s a tl;dr: Beacon is a reflective DLL that needs to be loaded into memory
YARP: Yet Another Reverse Proxy is a .NET library developed by Microsoft designed to run on top of ASP.NET Core infrastructure. The intended use case for YARP is to sit between backend and frontend services to provide reverse proxy and load balancing services. The content of this blog post
There are multiple structures in Windows that contain fixed sized arrays. The instance I came across recently was the KERB_QUERY_TKT_CACHE_RESPONSE struct, which looks like this: typedef struct _KERB_QUERY_TKT_CACHE_RESPONSE { KERB_PROTOCOL_MESSAGE_TYPE MessageType; ULONG CountOfTickets; KERB_TICKET_CACHE_INFO Tickets[ANYSIZE_ARRAY]
C# is a popular language in both the commercial space (think ASP.NET Core, MVC, Blazor, WPF, MAUI, etc) and the infosec space. The most well known offensive C# tools are probably those in GhostPack (Rubeus, Seatbelt, Certify, SharpUp, etc). A lot of offensive tools that target Windows use interop
The Cobalt Strike 4.9 release introduced support for registering Aggressor callbacks for several functions including bexecute_assembly, bpowerpick, and binline_execute. Prior to this feature, there was no practical way of tasking Beacon and then performing further actions based on the output (other than reading it on the console