Infosec

Now that Microsoft is blocking macros for internet and externally sourced documents, I feel its safer to talk about some of the EDR evading Word macro techniques I have used in the past. Particularly for delivering Cobalt Strike beacons.

Cactus Torch is a great tool as a starting point. It takes some basic concepts such as a encoding the CS payload in memory, starting a process and injecting the payload into memory. Unfortunately, Cactus Torch is heavily signatured, but with a bit of modification, you can easily bypass most EDR solutions, including Windows Defender. Cactus Torch gets flagged because of a few function calls and variable names, but if you change those, you’ll find EDR no longer detects it. That’s the first step towards EDR evasion.

A while ago I earned my OSCP certification. Before that I had my GPEN and Pentest+. The Pentest+ I obtained during the beta program for the certification since the test was only $50 and I figured there was not much harm in trying. I took it practically blind (no preparation), and found out I passed in August. Shortly after I was given the opportunity to take the SpectreOps Red Team Training and after that scheduled to take OSCP training.

Back when CompTIA had a temporary beta program for the Pentest+, I took advantage of it, and the cheap cost of the test just to give it a shot. I didn’t study for it and kind of went in blind since no study materials existed and most of what was out there for it was pure speculation. It took a while to learn the results but I’m happy to report that I passed.

I’ve recently been using radare2 for a bit of reverse engineering and have used it a little bit in the past for CTF competions. (Side note: scaleway.com is a great cloud/VPS service if you need an ARM based server/machine for a something like a CTF to analyze ARM binaries and do not have a Raspberry Pi, ODroid or similar ARM based computer handy.)

I discovered Cutter recently, which has some instructions to compile it using cmake (also qmake but I had and used cmake).

2018 came with a big transition for me, a new opportunity came up that allowed me to pivot into InfoSec full time. Without going into too much detail I’ll be doing a bit of offensive security. This is very exciting for me to say the least.

One of the things I am working on that I have had plans to build out eventually for some time is a home pentesting lab. I’ve managed to setup a multi-core CPU PC with about 32 GB of RAM. I’ve setup a virtual environment using KVM that I plan to be managing with RHEL based tools. For now I’m using the Gnome Boxes and/or virt-manager. My plan is to simulate a fully functional environment networked VM’s to act as an attack range for both known and new exploits that I’ll use for practice or research.

Iworked another year as staff for CarolinaCon 2017. This year I helped run the hardware hacking village with my friends and fellow members of FALE which was mostly if not completely used to assemble badges for the conference which where Atmel based hardware badges that communicated wirelessly with RF modules on the ~900+Mhz frequency range. The badges were designed by my friend melvin2001 whom I miss badly now that he’s moved across country. The code for the badges are located on the FALE GitHub.

I’m sitting on a plane waiting for my delayed flight to Boston listening to Adam Savage rant about Apple’s lack of ease of use (of which I totally agree). I figured it was the perfect time to finish this blog. Oh yeah, why am I on a plane? I’m heading to Red Hat Summit 2017. I might write about that later. In like a year or so. Yes, I back dated this if you realize the RH Summit is in May, but I’ve been meaning to write this post for over a month.

2016 has been another crazy year for me, and 2017 is just as crazy. I’ve been putting off updating my site for a while (a whole year). So here is a summary update of just some of the things I’ve been working on for 2016 and the first few months of 2017.

Certifications: I am now a Puppet Certified Professional 2016, I guess if its not obvious, I’ve been working even more heavily with Puppet, going to training, writing modules, etc. This was my first certification and I will say the test is very difficult testing you on every obscure area of Puppet, and it changes a lot between versions. If you’re studying for this exam, you need to practically read all their documentation on top of training and having real life experience. Their are study guides, I also just recently obtained certification as an IBM Certified System Administrator for WebSphere Application Server Network Deployment V8.5.5 and Liberty Profile. Mostly because I’ve been working with it heavily for a while so the certification was just a formality, I barely studied for that one.

I gave another talk for this year’s CarolinaCon 12 called “Never Go Full Spectrum Cyber”. For this talk I focused on mistakes “hackers” and even some InfoSec professionals have made and then a short summary at the end of OpSec lessons that could have prevented the mistakes covered earlier in the talk.

The talk slides are here. [UPDATE: The talk video is here.]

I referenced OpSec work and talks done by the grugq. You can find his site I mentioned in my talk at grugq.github.io. The grugq’s talk I also mentioned is called OPSEC: Because Jail is for wuftpd.

I’m still recovering from Vegas even a week later. So I’m just going to link a bunch of things you should check out and mention a few cool things that happened or that I saw.

• PowerShell Empire - written in my two favorite scripting languages, may replace Meterpreter someday.
• Modern Honeypot Network - build your own cloud based network of honeypots that feed results back into a centralized server.
• HoneyDrive - an okay honeypot VM image (if you for some reason want to run your honeypot in VirtualBox or VMWare)

I also put together a DarkNet badge, walked until my knee gave out, attended a lot of events. DefCon itself was overcrowded, I stayed out of the talks and main halls and focused on SkyTalks, and the villages and competition areas. The DefCon biohacking village was to me the most interesting new thing this year.