Mythic v3.2 Highlights: Interactive Tasking, Push C2, and Dynamic File Browser
TL;DR; Mythic v3.2 has Push C2, Interactive Async Tasking, TypedArray parameters, new graphing libraries in the UI, database migrations, dynamic file browser groupings, and more! Image Generated by https://hotpot.ai/art-generator Mythic v3.2 It’s been a few months since the last Mythic update, so it’s time to release a new version! This version has many major updates from […]
Merlin’s Evolution: Multi-Operator CLI and Peer-to-Peer Magic
Image Generated by https://hotpot.ai/art-generator Over the past year, I’ve been working on making significant updates to Merlin in my free time. Today, I’m ready to release version 2 of Merlin. Some of the more significant updates include: A new command-line interface (CLI) application which allows multiple operators to use Merlin at the same time Peer-to-peer (p2p) agent […]
On Detection: Tactical to Functional
Part 11: Functional Composition Introduction Welcome back to part 11 of the On Detection blog series. This next article serves as a conceptual foundation upon which we will build over the next few posts. It may not be immediately obvious why this is important, but understanding this concept will make many subsequent ideas much easier […]
Lateral Movement without Lateral Movement (Brought to you by ConfigMgr)
Introduction Earlier this year, I submitted a pull request to SharpSCCM’s repository. SharpSCCM is a tool that Chris Thompson developed with the purpose of demonstrating possible attacks against Microsoft Configuration Manager (ConfigMgr, formerly Microsoft Systems Center Configuration Manager [SCCM]) deployments. The submitted PR was meant to extend SharpSCCM’s functionality by implementing the option of executing […]
On Detection: Tactical to Functional
Part 10: Implicit Process Create Introduction Welcome back to another installment of the On Detection: Tactical to Functional series. In the previous article, I argued that we perceive actions within our environment at the Operational level (especially when it comes to endpoint events), which means that we should “conceive” of attacker tradecraft at the Operational level […]
Lateral Movement: Abuse the Power of DCOM Excel Application
In this post, we will talk about an interesting lateral movement technique called ActivateMicrosoftApp() method within the distributed component object model (DCOM) Excel application. This technique is built upon Matt Nelson’s initial research on “Lateral Movement using Excel.Application and DCOM”. What is DCOM? DCOM is a Microsoft solution that allows software components to communicate remotely. Its predecessor, […]
On Detection: Tactical to Functional
Part 9: Perception vs. Conception The concepts discussed in this post are related to those discussed in the 9th session of the DCP Live podcast. If you find this information interesting, I highly recommend checking the session out! https://medium.com/media/89a600d7731c06c483f9d3c89ddc5ff7/href At this point in the series, we understand that attack techniques are abstract concepts that must be […]
Bloodhound Enterprise: securing Active Directory using graph theory
BloodHound Enterprise: securing Active Directory using graphs Prior to my employment at SpecterOps, I hadn’t worked in the information security industry- as a result, many security related terms and concepts that were tossed around casually (not just within SpecterOps, but also by the open source community using BloodHound) befuddled me, as did trying to apperceive how […]
Perfect Loader Implementations
Thank you to SpecterOps for supporting this research and to Lee and Sarah for proofreading and editing! Crossposted on GitHub. TLDR: You may use fuse-loader or perfect-loader as examples for extending an OS’s native loader to support in-memory libraries. Some software applications require the ability to load dynamic libraries from the memory of the application’s own […]
One Site to Rule Them All tl;dr: There is no security boundary between sites in the same hierarchy. When an administrative user is granted a security role in SCCM, such as Full Administrator or Infrastructure Administrator, in any primary site, the underlying database changes propagate upward to the central administration site (CAS) and then to other […]