Ekoparty began as an underground hacking event, but has grown into one of the foremost cybersecurity conferences in Latin America. This year marked the 20th anniversary of the event, which takes place every year in Buenos Aires. To gather insights from this year's conference, we talked with two experts from Core Security who attended and also served as trainers in the Hackademy portion of the event.

It’s a well-known fact that TV shows and movies pride themselves on their complete and total accuracy when it comes to portraying historical events, illnesses, or jobs. That’s how we know that everyone in olden times spoke in British accents no matter what country they were in, people with tuberculosis casually cough up blood while otherwise carrying on as normal, and all doctors wander about in form-fitting scrubs with only one patient to treat—right?

In part 10, we started exploring the different protections and mitigations we may run into. In this part, we'll continue that exercise and complete the DEP bypass using ROP.

Roping Step by Step

There are tools that, in simple cases, can build a ROP chain automatically. In harder cases, however, they usually cannot build a complete chain, or can only build part of it, leaving you to finish by hand the work the tool could not do.
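To show what such a tool does under the hood, and where it runs out of road, here is an added example (not code from the original series or from any ROP tool) of a minimal gadget finder and chain builder in C. It scans a constructed, hypothetical x86-64 byte string for `pop ...; ret` gadgets, then tries to assemble a chain that loads the registers needed for a three-argument SysV call (rdi, rsi, rdx, as you would for mprotect). When a needed register has no usable gadget, it reports that and returns a partial chain, which is exactly the point at which manual work begins. The load address `BASE`, the sample bytes and the register values are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_POPS 4
#define JUNK 0x4141414141414141ULL   /* filler for pops whose value we don't care about */

typedef struct {
    size_t offset;        /* byte offset of the gadget's first pop */
    int npops;            /* pops executed before the ret */
    int regs[MAX_POPS];   /* popped registers (hardware numbering), in execution order */
} gadget_t;

static const char *const reg_names[16] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };

/* Constructed x86-64 code bytes (hypothetical, not taken from any real binary). */
static const uint8_t sample_code[] = {
    0x48, 0x89, 0xc7,   /* mov rdi, rax */
    0x5f, 0xc3,         /* pop rdi ; ret */
    0x90,               /* nop */
    0x5e, 0x5a, 0xc3,   /* pop rsi ; pop rdx ; ret */
    0x48, 0x31, 0xc0,   /* xor rax, rax */
    0xc3,               /* ret with no pops before it */
    0x41, 0x5c, 0xc3,   /* pop r12 ; ret */
};
static const uint64_t BASE = 0x7f0000000000ULL;   /* assumed load address of sample_code */

/* Decode the pop ending just before index end: returns its length (1 or 2) and the
 * register, or 0 if those bytes are not a pop. A 0x41 before the opcode is taken as
 * REX.B (pop r8..r15); a real disassembler would also try the decoding in which
 * that 0x41 belongs to the previous instruction. */
static int decode_pop_before(const uint8_t *code, size_t end, int *reg)
{
    if (end < 1 || code[end - 1] < 0x58 || code[end - 1] > 0x5f) return 0;
    if (end >= 2 && code[end - 2] == 0x41) { *reg = 8 + (code[end - 1] - 0x58); return 2; }
    *reg = code[end - 1] - 0x58;
    return 1;
}

/* Find every "pop ... ; ret" gadget. For a run of k pops before a ret, all k suffixes
 * are emitted, since each is usable on its own. Only this family is decoded here;
 * real tools disassemble every offset before each ret. Returns gadgets stored. */
size_t find_pop_ret_gadgets(const uint8_t *code, size_t len, gadget_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (code[i] != 0xc3) continue;                       /* ret */
        int rev[MAX_POPS], k = 0, reg, used;
        size_t starts[MAX_POPS], end = i;
        while (k < MAX_POPS && (used = decode_pop_before(code, end, &reg)) != 0) {
            end -= used;
            rev[k] = reg; starts[k] = end; k++;              /* collected backwards */
        }
        for (int j = 0; j < k && n < max_out; j++) {
            gadget_t *g = &out[n++];
            g->offset = starts[j]; g->npops = j + 1;
            for (int m = 0; m <= j; m++) g->regs[m] = rev[j - m];   /* execution order */
        }
    }
    return n;
}

/* Cheapest gadget that loads reg without clobbering any register in keep_mask. */
static int best_gadget_for(const gadget_t *g, size_t n, int reg, uint32_t keep_mask)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        int sets = 0, clobbers = 0;
        for (int m = 0; m < g[i].npops; m++) {
            if (g[i].regs[m] == reg) sets = 1;
            else if (keep_mask & (1u << g[i].regs[m])) clobbers = 1;
        }
        if (sets && !clobbers && (best < 0 || g[i].npops < g[best].npops)) best = (int)i;
    }
    return best;
}

/* Build a chain that loads regs[r] = values[r], in order. Each step emits the gadget
 * address followed by one stack word per pop (JUNK where the value is irrelevant).
 * Returns how many registers were satisfied; fewer than nregs means a partial chain,
 * and the remaining registers are the part left to do by hand. */
size_t build_load_chain(const gadget_t *g, size_t n, const int *regs, const uint64_t *values,
                        size_t nregs, uint64_t *chain, size_t max_chain, size_t *chain_len)
{
    size_t len = 0, done = 0; uint32_t keep = 0;
    for (size_t r = 0; r < nregs; r++) {
        int gi = best_gadget_for(g, n, regs[r], keep);
        if (gi < 0) { printf("no usable gadget loads %s: finish by hand\n", reg_names[regs[r]]); continue; }
        if (len + 1 + (size_t)g[gi].npops > max_chain) break;
        chain[len++] = BASE + g[gi].offset;
        for (int m = 0; m < g[gi].npops; m++)
            chain[len++] = g[gi].regs[m] == regs[r] ? values[r] : JUNK;
        keep |= 1u << regs[r]; done++;
    }
    *chain_len = len;
    return done;
}

static uint64_t demo_chain[16]; static size_t demo_chain_len;
static size_t run_demo(const int *regs, const uint64_t *vals, size_t nregs)
{
    gadget_t g[16];
    size_t n = find_pop_ret_gadgets(sample_code, sizeof sample_code, g, 16);
    return build_load_chain(g, n, regs, vals, nregs, demo_chain, 16, &demo_chain_len);
}
size_t demo_gadget_count(void) { gadget_t g[16]; return find_pop_ret_gadgets(sample_code, sizeof sample_code, g, 16); }
/* rdi, rsi, rdx: the first three SysV arguments, e.g. mprotect(addr, len, prot). Placeholder values. */
size_t demo_three_arg_chain(void) { const int r[] = {7, 6, 2}; const uint64_t v[] = {0x1111, 0x2222, 0x3333}; return run_demo(r, v, 3); }
/* rcx is never popped in the sample, so only rdi gets done: the partial-build case. */
size_t demo_partial_chain(void) { const int r[] = {7, 1}; const uint64_t v[] = {0x1111, 0x4444}; return run_demo(r, v, 2); }
size_t demo_chain_length(void) { return demo_chain_len; }
uint64_t demo_chain_word(size_t i) { return i < demo_chain_len ? demo_chain[i] : 0; }

int main(void)
{
    printf("%zu gadgets; three-arg chain satisfies %zu registers:\n", demo_gadget_count(), demo_three_arg_chain());
    for (size_t i = 0; i < demo_chain_len; i++) printf("  [%zu] 0x%016llx\n", i, (unsigned long long)demo_chain[i]);
    printf("partial chain satisfies %zu of 2 registers\n", demo_partial_chain());
    return 0;
}
```

The ordering matters: because `pop rsi; pop rdx; ret` is the only gadget that touches rsi, the builder must load rsi before rdx so the later `pop rdx; ret` does not get rejected for clobbering. Real tools search over orderings and many more gadget families, and when that search fails on a hostile binary you are left doing what this example reports: finishing the missing loads by hand.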

Having your Active Directory breached is bad enough, but an attacker who gains persistence is even more dangerous. The longer they can hide in your Active Directory forest, the better their chance of reaching your organization's crown jewels. Undetected, they can comfortably wait for the most opportune moment to take control, steal your organization's most sensitive data, and do with it what they please.