Hacking With Your Nemesis

Hacking With Your Nemesis

In the first post in this series, On (Structured) Data, we talked about the gap area of offensive structured data and ended with the question, “If all of our offensive tools produced and worked with structured data, what would be possible?” The second post, Challenges In Post-Exploitation Workflows, covered several ... Read More
Challenges In Post-Exploitation Workflows

Challenges In Post-Exploitation Workflows

In our previous post, we talked about the problem of structured data in the post-exploitation community. We touched on the existing relationship between our tools and data and covered some of the domain-specific challenges that come with offensive data collection. We ended with the question “If all of our offensive ... Read More
On (Structured) Data

On (Structured) Data

IntroductionThe offensive security industry is a curious one. On the one hand, we are ahead in various trends (or “thought leadership,” as some would have us term it) and are used to literally “moving fast and breaking things.” On the other hand, we’re far behind similar disciplines. One major area ... Read More
Certificates and Pwnage and Patches, Oh My!

Certificates and Pwnage and Patches, Oh My!

| | Active Directory, PKI
This post was written by Will Schroeder and Lee Christensen.A lot has happened since we released the “Certified Pre-Owned” blog post and whitepaper in June of last year. While the paper details a LOT of tradecraft ranging from credential theft to domain persistence, the part that caught most people’s attention ... Read More
Koh: The Token Stealer

Koh: The Token Stealer

| | Red Team, Windows
Years ago I was chatting with a few experienced red teamers and one was lamenting token abuse. Specifically, they wanted to be able to automatically “harvest” tokens on a host as people connected, keeping the tokens usable for operators even after the associated account logged off. I knew very little ... Read More
DeepPass — Finding Passwords With Deep Learning

DeepPass — Finding Passwords With Deep Learning

DeepPass — Finding Passwords With Deep LearningOne of the routine tasks operators regularly encounter on most engagements is data mining. While exactly what operators are after varies from environment to environment, there is one common target that everyone’s always interested in: passwords.After diving into machine learning from an adversarial perspective I started to ... Read More
"Adversarial Machine Learning" with Ian Goodfellow

Learning Machine Learning Part 3: Attacking Black Box Models

In the first post in this series we covered a brief background on machine learning, the Revoke-Obfuscation approach for detecting obfuscated PowerShell scripts, and my efforts to improve the dataset and models for detecting obfuscated PowerShell. We ended up with three models: a L2 (Ridge) regularized Logistic Regression, a LightGBM ... Read More
Learning Machine Learning Part 2: Attacking White Box Models

Learning Machine Learning Part 2: Attacking White Box Models

In the previous post, I went through a very brief overview of some machine learning concepts, talked about the Revoke-Obfuscation project, and detailed my efforts at improving the dataset and models for detecting obfuscated PowerShell scripts. That resulted in three separate tuned models for obfuscated PowerShell script detection: a Logistic ... Read More
Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science

Learning Machine Learning Part 1: Introduction and Revoke-Obfuscation

For the past two years I’ve been trying to get a grasp on the field of machine learning with the hopes of applying it to both offense and defense. At the beginning of this journey I had no idea what Random Forests were, the tradeoffs of underfitting and overfitting, what ... Read More