Kerberoasting is a technique that allows an attacker to extract the encrypted part of a TGS-REP and brute force it offline to recover the plaintext password of the associated service account. The most common method of obtaining TGS-REPs is for the attacker to send TGS-REQs to the KDC for one
The CS 4.10 update saw the introduction of the Postex Kit. This was a bit overshadowed by BeaconGate, which was also added in 4.10 (I wrote about this in my last post). The intention of this post is to highlight what this kit is about and how it
I've been looking into Cobalt Strike's UDRL, SleepMask, and BeaconGate features over the last couple of days. It took me some time to understand the relationship between these capabilities, so the aim of this post is to provide a concise overview for those looking into these
I enjoy learning about new programming languages, so I decided to have a look at Crystal - a general purpose, object-oriented language. Unfortunately, the title is complete clickbait - this will just be a short post about my first impressions of the language and some of the things I found
I have been quietly working on some new Kerberos course content, and although it’s not complete yet, I wanted to take a small segue to write this post. My approach to tackling the content required capturing and decrypting legitimate Kerberos traffic on the wire, so that readers could understand
If you’re an experienced Cobalt Strike user, you will already know what roll the artifact kit plays in customising its binary (executable and DLL) payload artifacts (artefacts for the British). If not, here’s a tl;dr: Beacon is a reflective DLL that needs to be loaded into memory
YARP: Yet Another Reverse Proxy is a .NET library developed by Microsoft designed to run on top of ASP.NET Core infrastructure. The intended use case for YARP is to sit between backend and frontend services to provide reverse proxy and load balancing services. The content of this blog post
There are multiple structures in Windows that contain fixed sized arrays. The instance I came across recently was the KERB_QUERY_TKT_CACHE_RESPONSE struct, which looks like this: typedef struct _KERB_QUERY_TKT_CACHE_RESPONSE { KERB_PROTOCOL_MESSAGE_TYPE MessageType; ULONG CountOfTickets; KERB_TICKET_CACHE_INFO Tickets[ANYSIZE_ARRAY]
C# is a popular language in both the commercial space (think ASP.NET Core, MVC, Blazor, WPF, MAUI, etc) and the infosec space. The most well known offensive C# tools are probably those in GhostPack (Rubeus, Seatbelt, Certify, SharpUp, etc). A lot of offensive tools that target Windows use interop
The Cobalt Strike 4.9 release introduced support for registering Aggressor callbacks for several functions including bexecute_assembly, bpowerpick, and binline_execute. Prior to this feature, there was no practical way of tasking Beacon and then performing further actions based on the output (other than reading it on the console
Melkor is a C# POC written by FuzzySec to simulate a TTP employed by InvisiMole. The concept is that post-ex assemblies are loaded into a payload/implant and kept encrypted using DPAPI whilst at rest. They are decrypted on demand and executed in a separate AppDomain. The AppDomain is unloaded
Introduction C# Source Generators made their first appearance around the release of .NET 5 and now ship as part of the .NET Compiler Platform (“Roslyn”) SDK. They allow developers to inspect user code as it is being compiled and even create new C# source files on the fly and add