CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿

@_EthicalChaos_

8,316
Followers
419
Following
334
Media
3,172
Statuses

Ceri Coburn: Hacker | R̷u̷n̷n̷e̷r̷ | DIYer | Vizsla Fanboy and a Little Welsh Bull apparently 🏴󠁧󠁢󠁷󠁬󠁳󠁿 Author of poorly coded tools:

In a field somewhere
Joined February 2015
Pinned Tweet
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
1 month
Time to be terrified. I've just dropped my Okta Terrify tool which I demonstrated as part of my @BSidesCymru talk last week. You can now backdoor compromised Okta accounts via Windows Okta Verify using attacker controlled passwordless keys. Enjoy -
8
124
265
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Been a few months in development on and off, but finally got an end to end POC working for lsarelayx. System wide NTLM relay from Windows which relays all incoming NTLM authentications without affecting the original target application. Silent relay if you will.
15
273
927
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Want to authenticate to RDP/Citrix using your abused ADCS certificate and live off the land? PIVert has got your back. Will be releasing soon!
13
150
600
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Well here it is, the initial release of lsarelayx. Considered alpha at this stage, so I recommend lab use only for now. Appreciate any feedback, especially non-working environments.
8
279
580
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
BeaconEye: My first defensive tool release for my #DFIR friends. Detects and monitors beacon command output. Should be considered alpha at this stage and appreciate any feedback on undetected beacons.
8
156
401
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
7 months
Working on a new tool that will be ready soon. One thing I can say from the research.... if your environment leverages Windows Hello without TPMs, DO NOT allow the default setting of a digit-only PIN. Windows stores the PIN length and it can be brute forced in seconds.
11
99
423
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
The next blog post should be a good one. Dumping LSASS in memory using a new C# port of MinHook. Dynamic DLL assembly generation using Boo thrown in too, negating the need for opening the LSASS process handle directly.
5
111
356
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Dumping lsass completely in memory without touching disk. Need an exfil BOF added to now to get that 55MB dump straight into #CobaltStrike.
6
90
320
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Look ma, printer bug DC sync from low privileged service by merging @itm4n PrintSpoofer and @tifkin_ SpoolSample. How MS continue to say this is a feature is ridiculous.
5
84
313
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Another weekend or so left and lsarelayx should be at least ready for lab testing. In the meantime check out the latest feature. Kerberos -> NTLM downgrade, so even clients attempting to connect with Kerberos will be forced to use NTLM.
4
91
314
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Just got a POC of BeaconEye working (WIP) - My first blue team tool for my #DFIR friends. Scans processes for Cobalt Strike's beacon and then spits out a real time log of the activity.
11
71
267
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
10 months
Thanks to everyone who came to my DEF CON talk yesterday. I should have submitted for a 45 minute talk as I didn't have time to cover the DNS update capability of gssapi-abuse tool. DNS mode is super handy if you want to apply instant updates to AD DNS
1
116
239
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Sneak preview of Volumiser. Final version will allow listing and extraction of OS files from common hard disk image formats. My favourite so far is AWS EBS snapshots. Extracting registry hives now takes seconds + a few MB of data instead of unworkable 100G images.
6
51
200
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
1 year
Vegas baby!
27
4
199
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Plot thickens with #PrinterNightmare. Whilst SMB paths are not allowed for driver files for remote hosts, they are allowed for the target host or IP. So file servers with writable shares are particularly vulnerable now since you don't even need a valid driver root path.
1
46
178
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
As promised folks. New blog post and PIVert tool release for ADCS and living off the land.
@PenTestPartners
Pen Test Partners
2 years
Last week our @_EthicalChaos_ promised something tasty: "Want to authenticate to RDP/Citrix using your abused ADCS certificate and live off the land? PIVert has got your back. Will be releasing soon!" Well, here it is - Living off the land, AD CS style
8
79
187
9
68
179
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Well took a bit longer than a weekend but here it is, in memory execution support for SharpBlock's child process. Places a breakpoint on implanted entry point to hide signs of implant. Implant process can be loaded over file, http or pipe. Enjoy!
5
79
167
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Here is a sneak preview of an upcoming PR to Rubeus. PKINIT support for both Smartcard and PFX certificates with private keys for obtaining Kerberos TGTs. Hopefully have chance to finish it this weekend! #RedTeam #InfoSec
1
61
159
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
SweetPotato now supports the latest Windows 10 and Server 2019. I have added @itm4n's excellent PrintSpoofer EoP. Thanks to @tiraniddo's brill NtApiDotNet library which enabled the C# code to interface with the ALPC port of print spooler.
0
83
163
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Well here it is. The first release of for #CobaltStrike. Likely to have a few bugs etc... but hopefully enough for you all to have a play with. Look forward to seeing all your BOFNETs.
1
83
155
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
I have been so busy with renovations I haven't had a lot of infosec time. With that in mind I decided to start a new article this evening....
5
17
158
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Wrote a new tool over the long bank holiday weekend, an upgrade to JuicyPotato compatible with #cobaltstrike's execute-assembly.
0
76
151
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Hmmm, EDR vendors now trying to bypass SharpBlock? Using KiUserApcDispatcher to call an exported function for applying the patches instead of their DLL entry point. 🤔💡😈
1
39
150
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
7 months
Update: Uses Cobalt Strike 4.9's key value store for AppDomain. In-memory file system (VFS), web server BOF that hosts files from the VFS, also simple C# implementation of Screenshot. VFS great for integration with other BOFs.
1
59
152
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
10 months
I hope you can all join me next week at DEF CON for my talk. A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks. It's at Track 4, 4pm on Saturday. I'll cover an interesting vector for impersonating AD users on *nix based hosts. See you all stateside ✈️🎉🍾
13
40
147
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Coming soon to a GitHub repository near you. 100% managed port of the awesome MinHook library.
1
22
139
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Want to implement your own custom screenshot, keylogger or file upload implementation for Cobalt Strike but retain integration with the GUI? I just pushed a version of BOFNET that will allow you to do just that. Shout out to @cr0eax for the hint.
0
51
138
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Here you go folks, initial release of Volumiser. Dealing with those 100G virtual disc images during red team ops just got easier. Limited testing so far so would love to hear about any problems that pop up.
4
63
133
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
For the beady eyed, even on patched machines this should open up a new lateral movement technique too.
@PenTestPartners
Pen Test Partners
2 years
Our @_EthicalChaos_ found that you could remotely install Windows Store apps and execute privileged services on the latest versions of Windows. This post has all the juicy CVE-2022-35841 details #rce #cve
1
56
149
4
52
129
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Just pushed a small change for the recently released Volumiser tool. You can now read files directly, à la NinjaCopy style, from physical disk and volume handles. Handy for exfiltrating registry hives or ntds.dit on hosts with EDRs.
1
34
134
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Just pushed a small update to SharpBlock. Syscalls now used for DLL entry point patch on EDR DLLs (to combat some protections now seen) and console output now works for processes launched with PPID spoofing. Thanks for testing @ShitSecure
0
49
128
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
9 months
My #DEFCON31 talk, A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks is live. Hope you enjoy watching as much as I did presenting. Thank you @defcon for having me.
1
48
130
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
1 year
Now I can relax. My first public talk completed at @BSidesCymru, my home town. Here are the slides and the POC released as part of the talk for those who couldn't make it in person
7
29
125
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
1 year
Been prepping the POC for my potential talk at DEF CON this year (if accepted). A side effect of this is that I now have the ability to do direct instant Secure DNS updates to AD DNS over port 53 using any authenticated account, yay.
6
22
115
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Beginning to fall in love with Boo. A dynamically generated .NET assembly ready for persistence via COM hijacking.
1
18
107
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Do I or don't I submit my first ever conference talk? 😬💩
25
2
112
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Nothing ground breaking, a couple of months ago I wrote a new MSBuild plugin called dnMerge for merging .NET assemblies. For those interested in C# offensive tooling compilation and specifically smaller binaries for execute-assembly, check it out.
4
33
107
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
10 months
I have written a blog for the GSSAPI abuse vector covered in my #DEFCON31 talk. I've also covered some DNS shenanigans that I did not have time to cover during my 20 minute slot. Hopefully those that couldn't attend can enjoy too.
@PenTestPartners
Pen Test Partners
10 months
Following his #DEFCON31 #DC31 talk our @_EthicalChaos_ has written a follow up including further research on abusing mixed vendor Kerberos stacks, so that any user can be spoofed against any service hosted over GSSAPI
1
16
41
1
43
105
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Anyone fancy writing #CobaltStrike BOFs in .NET? WIP, but the majority of the POC is proven. Needs some polishing up now, then hopefully a release of soon.
4
23
100
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
1 year
For those who wanted to see the talk but could not attend in person, my threadless injection talk is now available online. The demo stage is a little quiet as I needed to put the mic down and of course I screwed up the screen switcheroo too 😬
3
38
101
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
@tiraniddo my friend, I keep saying it but NtApiDotNet is just *the* best library on the internet. A simple web server with full NTLM authentication in 50 lines of code.
2
16
101
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Minidump support now added to BeaconEye if anyone is interested. Thanks to @cube0x0 for his managed Minidump reader port to C# which was used as a reference.
1
27
98
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Stage 1 complete. System wide NetNTLMv2 capture on Windows, independent of protocol used and no packet capture needed. Now for stage 2, system wide relay. I fear the next phase is going to be a little more complex than the first 🧐
4
24
98
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
As @bugch3ck and @gentilkiwi have already stated, confirmed that the latest #PrinterNightmare fix is not fully patched for an RCE. You can use an alternate UNC path for the config file and still use a writable share on the target host for the DriverStore root.
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Plot thickens with #PrinterNightmare. Whilst SMB paths are not allowed for driver files for remote hosts, they are allowed for the target host or IP. So file servers with writable shares are particularly vulnerable now since you don't even need a valid driver root path.
1
46
178
2
33
90
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
I'd love to know how MSRC come to these conclusions. I sent 3 lines of working exploit code as the POC.
6
13
90
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
For those who want to get started quickly with MinHook for .NET, I have published Nuget packages for .NET 4.0 and 4.5
0
31
90
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Great addition to SweetPotato. PR merged and ready to rock. Thanks @bugch3ck.
@bugch3ck
Jonas Vestberg
3 years
Implemented PetitPotam/EfsPotato into the awesome SweetPotato project by @_EthicalChaos_. It bypasses the latest MS patch by using EfsRpcEncryptFileSrv. Escalate to SYSTEM from SeImpersonatePrivilege on a fully patched Windows system.
4
189
460
0
33
90
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
As promised, standalone PoC for Citrix Workspace app vulnerability (CVE-2020-8207)
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
You should be updated already with automatic updates enabled on Workspace. Will share a more specific PoC soon.
2
11
18
0
46
87
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
1.1.3 just pushed to GitHub and NuGet. Minor changes, but patchless AMSI bypass integrated and the BOFNET AppDomain name is now random. Further changes coming soon, but enjoy for now!
0
34
88
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
It seems a few were interested in implementing an EDR and then bypassing it. So here is part 1, creating a basic active protection EDR.
3
35
81
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
It's aliveeeee!
8
6
80
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Well hopefully this weekend I'll have time to finish off in-memory execution of SharpBlock's child process. But until then, a little teaser. powershell.exe hosted inside notepad.exe with patchless AMSI in place.
2
31
78
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Finally, a Cylance on disk sandbox and injection bypass for a stageless #cobaltstrike beacon. By far the hardest bypass so far. Still got Carbon Black and Defender ATP to look at yet though!
6
16
75
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Latest version of BOF[.]NET pushed. Mainly work around compiling on Linux and docker, but there is now a NuGet package for ease of writing your next .NET based BOF.
1
24
77
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Coming to a blog near you soon...
3
8
77
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
I needed to crack JBoss/Wildfly admin console passwords on a recent engagement. Seems hashcat doesn't support the format out of the box. Wrote a little script that will convert to mode 20 for hashcat cracking. Have at it you lot!
1
39
72
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Well here it is. Latest release of with Boo script execution via the bofnet_boo aggressor script alias. Shoutout to @byt3bl33d3r for some of the ideas used within the executor.
1
21
70
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
My son told me a joke today. Dad, what do you call a bee 🐝 from America.... A USB
4
4
66
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
The first issue opened on GitHub for Volumiser. Sure, I'll just get onto that for you sir 🫡
8
2
66
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Just pushed a new version of . Support for both .NET v4/v2 and an update to bofnet_load that supports arbitrary (large) size assembly loading. Boo script execution WIP.
0
33
63
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Woohoo, now I can build a proper home lab instead of running VMs on an underpowered laptop. Cheers @bargainhardware
9
2
59
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
I disappear from infosec and the twittersphere for a well needed holiday in the sun and I come back to LPEs from @jonasLyk via SAM hives and a new remote NTLM coercion technique from @topotam77. Damn this infosec world moves fast.
3
5
60
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Just published BeaconEye 0.2. Support for 32 bit beacon detection, initial support for 32 bit monitoring and substantial scanning speed improvements (~100 processes a second).
0
22
62
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
4.5 weekends later, all finished. Now relax (until the wife has the next lockdown DIY idea)
10
0
59
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
1 year
It's happening, seems my talk was accepted by @BSidesCymru . Now I just need to accept 💩 😬.
3
5
62
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Another vendor putting far too much trust in the lower privilege helper app communicating with a SYSTEM service. Guess it's that time again, now where did I put that PSIRT email address.
3
11
58
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
I see privileged service RPC calls commonly expose methods to allocate and free new contexts. These are great vectors for leaking heap pointers which can often reduce the complexity involved in exploiting overflows.
1
6
56
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Just had a chance to play with #CobaltStrike BOFs. CMake template done for GCC, Visual Studio and cross compile from Linux. Now I need to invest the time to convert a load of code to be BOF compatible. Nice work @armitagehacker, brilliant feature!
0
14
47
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Although I have a small following of infosec friends, hopefully some may find my new blog post useful for future engagements. Thanks @ZephrFish for taking the time to review it for me prior to publishing.
1
18
55
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Oh shit, it's done!
4
1
56
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
We are finally done with the living/dining room reno. Some before and after shots for those who have been following. I've got a week off this week to start upstairs.
14
0
54
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
1 year
One hurdle complete, the next is getting the talk accepted at DEF CON
2
0
56
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Just pushed a wee little update to . You can now run a class as a background job on a separate thread and dump the console output at a later date. This should open up the possibility of running services and other long running jobs.
0
13
52
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
7 months
Microsoft Software Key Storage Provider doesn't isolate non-exportable keys. Keys are stored within %appdata%\Roaming\Microsoft\Crypto\Keys. Private key is encrypted with the user's DPAPI key. Providing you know the DPAPI SHA1 or user's password they can be exported without SYSTEM
1
16
53
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Problem solved. SharpBlock now prevents any VirtualProtect calls originating from the blocked DLL address space, preventing hooks from EDR vendors being applied, but still allows MirrorDump hooks to work 😈
2
5
51
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
6 months
Another room done. That's 3 rooms for the year and one more to go early next year. But first, time for some mulled wine and stuffing my face for a month.
6
0
54
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
10 months
I thought a DEF CON talk was a proud moment in my life, but it's amazing how your own kids' achievements always come out on top no matter what. My son performing his own original song "Promise" with his band The Bridge at their debut gig.
0
1
53
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Didn't expect that. Probably the first and last time I ever make the GitHub trending repositories list.
3
1
52
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Been a pleasure working with @exploitph on this 2.0 release of Rubeus. Get forging people.
@exploitph
Charlie Clark
3 years
It's been a long road but it's finally here. It's been great working on this with @_EthicalChaos_ , I learned so much! Special thanks to @harmj0y for the original tool and putting up with me through development ;-) Say hello to Rubeus 2.0:
8
250
507
1
7
51
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
says Boo 👻👻👻
2
10
46
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Proud dad moment this weekend. Best part of a 1000 mile round trip in 3 days to watch my boy compete for his country in the British and Irish Mountain Running Championship. Team bronze was a bonus, but now I'm only good for one thing... bed.
3
0
47
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
PR submitted to Rubeus for PKINIT. In the meantime, if you fancy having a go of PKI (Smartcard/PFX) based Kerberos authentication using Rubeus you can get a version from my repo here.
0
15
45
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
MiniDumpToMem integrated into along with an in-memory HTTP server for exfiltration. Still compression left to do. Do I take @Cneelis advice and use native APIs to compress or compress within the managed world. That is the big question!
3
12
46
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
All done. Before and after shot.
1
0
44
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
4 years
Would anyone be interested in a 2 part blog post on writing a basic EDR solution to demonstrate how elements of them function, followed by an effective method for bypassing them?
5
2
42
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
9 months
And now the YT version is live too.
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
9 months
My #DEFCON31 talk, A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks is live. Hope you enjoy watching as much as I did presenting. Thank you @defcon for having me.
1
48
130
1
14
44
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
9 months
I'm not going to comment on how the actual race went, but I got the medal at least. 🏃🐢🐌
4
0
42
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Happy New Year to the infosec peeps and beyond. Now for the New Year's resolution, learn to surf at my local break.
9
2
39
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
3 years
Day 2. Just needs the final coat of paint and a shelf to hang.
4
0
39
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
We finally moved into #theproject . It's a mess, windows falling out, everything needs replacing and I'm probably not going to see a weekend for the next gazillion years. But hey, we need something to do in the next lockdown, right?
7
0
35
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
1 year
@hackthebox_eu Military grade encryption
0
0
34
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
@vysecurity This should get you 90% of the way. Throw in Stephen Fewer's RDLL code and DInvoke to call the exported ReflectiveLoader function and you are good to go.
1
19
35