detection

Detecting Cobalt Strike

David Johnson

27 Dec 2022

Cobalt Strike is threat emulation software. It is a proprietary product used by... well who ever can afford it. However, it has been reverse engineered and some code leaked. Also, security researchers have extensively scrutinized it. For example, some people have noticed a pattern in Cobalt Strike use of Named Pipes.
When Cobalt Strike created a named pipe is tends to the following naming.

\\.\pipe\\MSSE-XXXX-server

\\.\pipe\\postex-XXXX-server

\\.\pipe\\msagent-XXXX-server

\\.\pipe\\statust-XXXX-server

Here the XXXX is a random number from 0-9. Pattern matching on this is rather trivial using tools such as Sysmon.

Supporting the Security Parthenon: How the Five Pillars of Information Security Work Together and Why Authorization Deserves Its Place

Like the pillars of the great Parthenon the five pillars of information security hold up and support a comprehensive security program. In this essay I will discuss the five pillars and how they are connected by providing specific examples of how they support and rely on each other within a

Firewalls, IDS, IPS and Nmap

To prevent unathorized access and malitious attacks on a network system administrators have a few options in their arsinal. Firewalls and Intrusion Detection/Prevention Systems are the main line of defense in this situation. These defenses are effective when configured properly. However, every defense has its weakness. Understanding the limitations

Golden Ticket

Golden Ticket This document covers how to create a Golden Ticket. An Active Directory Domain server is required for this to work. Connected clients are useful but not required. Creating the Ticket To create a Golden Ticket the NT Hash for KRBTGT will need to be aquired as well as

Bash Breakout

Breaking out of a restricted shell is a significant step in ethical hacking and penetration testing. However, sometimes you find yourself in a limited or non-interactive shell environment where essential features like command history navigation and screen clearing don't work. In such cases, upgrading to a fully interactive

Read more

Supporting the Security Parthenon: How the Five Pillars of Information Security Work Together and Why Authorization Deserves Its Place

Firewalls, IDS, IPS and Nmap

Golden Ticket

Bash Breakout