Craig Vincent// This all started with a conversation I was having with a few other BHIS testers. At the time, I was testing a web application that used WebSockets. The app was giving me headaches, and I was venting my frustration. Penetration testers, red teams, and baddies are always looking for new ways to sneak […]
Darin Roberts// If you have been in the security field for any length of time at all you have heard the term C2. You might have heard it also called C&C or Command and Control. I will refer to it as C2 as here at BHIS, that is what we do. Some of you might […]
Lee Kagan* // Expanding upon the previous post in this series, I decided to rewrite C2K (find it here) to change its behavior and options for the user. In this post we will walk through the changes to C2K as well as re-deploy a demo C2 infrastructure with all the new features. It is worth […]
Dakota Nelson// The modern internet’s got a lot of places to hide. In this webcast, join Dakota as he shows how you can establish C2 channels and issue commands to implants over several different social media sites, including Google Sheets, Twitter, Tumblr, and Salesforce, in under 100 lines of Python. Slides can be […]
Carrie Roberts//* Is your employer reading all your sensitive information when you browse the internet from your work computer? Probably. But how can you be sure? It is common for companies to deploy an SSL decrypting proxy at work in an effort to better protect their assets from attack. It’s something you agree to when […]
Jordan Drysdale// Sacred Cash Cow Tipping Webcast 2018 follow-up The great Kaspersky Internet Security 2017 antivirus product lived up to and met all of my expectations in testing, so I cheated. At least it feels like cheating. Kaspersky, LIKE ALL OTHER host-based AV and endpoint protection products can be bypassed on Windows 10 by using […]
Joff Thyer // If you have been penetration testing a while, you likely have ended up in a Red Team situation or will be engaged in it soon enough. From a command channel perspective, the work that Raphael Mudge has put into Cobalt Strike makes it an attractive platform for teamwork. Unlike traditional methods of […]
Kent Ickler // A robot wearing boots… with straps…. Have you been tasked with automation in the Command and Control (C2) world? If so your goal is to shorten the overhead time on repetitive tasks related to procuring a valid control channel. This wasn’t my first rodeo in mundane automation and finding creative shorthand. Automating […]
John Strand// We just finished up a walk through of how we bypassed Cylance in a previous engagement. To conclude this exciting week, I want to share a few comments and notes with everyone. First, we are a penetration testing firm. We test what customers give us to test. We do not test what the […]
