• Josh Abraham

    Using Slack as a C2 Channel: MITRE ATT&CK – Web Service (T1102)


    Posted by Josh Abraham

    Our proof of concept (PoC) blends in with normal business activity such as user-to-user or user-to-group communications. Detecting this type of activity requires sophisticated network analysis capabilities, such as the ability to intercept and decrypt TLS (SSL) traffic. Future versions may add an additional layer of encryption on top of TLS. In our PoC, we also configure a random sleep of between one and five minutes to blend in further. These sleep times help the C2 fly under the radar, but they also limit how quickly the operator can act, depending on how aggressively the timeouts are configured.


    read more »



  • Daniel Wyleczuk-Stern

    Why Praetorian Benchmarks to MITRE ATT&CK™ and Why You Should Too


    Posted by Daniel Wyleczuk-Stern

    When it came to improving our Purple Team service line, which maps to “Detect” and “Respond” in the NIST CSF, we wanted to provide our clients with similarly high-quality data and metrics. In our experience, it is hard to drive change in any organization unless those changes can be tied to measurable results. After surveying the known frameworks, we settled on the ATT&CK™ framework from MITRE.


    read more »



  • Praetorian Staff

    Safely Conduct Security Assessments of Industrial Control System (ICS) Environments


    Posted by Praetorian Staff

    Our current standard of living is made possible by the massive scale of critical infrastructure that supports our needs as a society. Electricity, oil, gas, water, and security are a few of the well-known industries whose infrastructure is managed by Industrial Control Systems (ICS). Few systems carry the potential for consequences as catastrophic as those of an ICS breach.


    read more »



  • Thomas Hendrickson

    Running a .NET Assembly in Memory with Meterpreter


    Posted by Thomas Hendrickson

    In this blog post I will discuss leveraging Meterpreter’s powershell module to execute .NET assemblies in memory. Metasploit and Meterpreter are effective and useful tools, but occasionally one encounters a situation where they lack features. Cobalt Strike (a different Command and Control framework) contains an execute-assembly command that provides in-memory .NET execution for situations its built-in commands do not cover. Meterpreter contains the features required to perform the same behavior, albeit slightly less polished.


    read more »
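    The mechanism that post builds on, as an added example (this is not code from the Praetorian post): a PowerShell function that loads a .NET executable from a byte array with `[System.Reflection.Assembly]::Load`, calls its entry point, and captures what it writes to the console. The file path and the argument in the usage line are placeholders. In a Meterpreter session the same script would normally be imported with `powershell_import` and run with `powershell_execute`, with the assembly embedded in the script as a base64 string and decoded with `[Convert]::FromBase64String`, so the assembly never exists on the target's disk; that packaging step is not shown here.

```powershell
# Added example: reflective in-memory load of a .NET assembly from PowerShell.
# Not code from the Praetorian post. The path used in the usage line is a placeholder.
function Invoke-AssemblyInMemory {
    param(
        [Parameter(Mandatory)][byte[]]$AssemblyBytes,   # raw PE bytes of a .NET executable
        [string[]]$Arguments = @()                      # forwarded to Main(string[] args)
    )

    # Assembly.Load(byte[]) maps the image straight from memory; nothing is written
    # to disk, so there is no dropped file for on-access scanning to inspect.
    $asm = [System.Reflection.Assembly]::Load($AssemblyBytes)
    $entry = $asm.EntryPoint
    if (-not $entry) {
        throw "Assembly has no entry point (a library rather than an executable?)"
    }

    # Console.WriteLine inside the assembly goes to the hosting process's console,
    # which a remote PowerShell host never sees. Redirect Console.Out for the call.
    $writer = New-Object System.IO.StringWriter
    $previousOut = [Console]::Out
    [Console]::SetOut($writer)
    try {
        if ($entry.GetParameters().Length -gt 0) {
            # Main(string[] args) takes a single parameter that is itself an array,
            # so the argument list must be an object[] holding one string[].
            [void]$entry.Invoke($null, @(,[string[]]$Arguments))
        } else {
            # Main() takes no parameters.
            [void]$entry.Invoke($null, $null)
        }
    } finally {
        [Console]::SetOut($previousOut)
    }
    return $writer.ToString()
}

# Usage for local testing (placeholder path): read the bytes once, run the assembly
# in memory, and get its console output back as a string.
$bytes = [System.IO.File]::ReadAllBytes('C:\tools\MyAssembly.exe')   # assumed path; replace
Invoke-AssemblyInMemory -AssemblyBytes $bytes -Arguments @('arg1')
```

    Two caveats a practitioner will hit: `Assembly.Load` only works for managed assemblies, so a native or mixed-mode binary will throw a `BadImageFormatException`; and an assembly that calls `Environment.Exit` will terminate the hosting PowerShell process (and with it the Meterpreter powershell session), so check the tool's source before running it this way.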



  • Andrew Cook

    Active Directory Visualization for Blue Teams and Threat Hunters


    Posted by Andrew Cook

    As a network defender, it can be easy to attribute a certain degree of omnipotence to attackers. Advanced threats have an uncanny knack for figuring out how to move through an environment without regard for passwords, roles, permissions, or what “should” be possible.


    read more »



  • Josh Abraham

    Signed Binaries Proxy Execution - T1218


    Posted by Josh Abraham

    The MITRE ATT&CK April release included a new TTP, 'Signed Binaries Proxy Execution' (T1218). This TTP covers an attacker using signed binaries to perform malicious activities.


    read more »



  • Josh Abraham

    Signed Scripts Proxy Execution - T1216


    Posted by Josh Abraham

    Many organizations trust all signed code from Microsoft. Unfortunately, there are many ways in which attackers can use this trust against them. Previously, we covered using signed binaries to perform malicious activities. In this post, we will be covering how to use signed scripts.


    read more »



  • Josh Abraham

    How to use Kerberoasting - T1208 for Privilege Escalation


    Posted by Josh Abraham

    In our experience, Kerberoasting is similar to other attacks in that defenders need to fully understand it in order to properly mitigate the risks. It is our goal that by pushing this content into the MITRE ATT&CK framework we have increased awareness of this TTP so that organizations can be better protected in the future.


    read more »



  • Josh Abraham

    Summary of April MITRE ATT&CK RELEASE


    Posted by Josh Abraham

    MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.


    read more »



  • Kesten Broughton

    Privilege Escalation in AWS with PassRole Attacks


    Posted by Kesten Broughton

    An EC2 instance launched with an IAM role attached receives temporary credentials for that role from the AWS instance metadata service. Attaching a role at launch time requires the caller to hold the iam:PassRole permission for that role, and an over-broad PassRole grant is where this escalation path begins.


    read more »
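    The escalation path in that post, and the policy check that closes it, as an added example (this is not code from the Praetorian post): a principal holding ec2:RunInstances together with iam:PassRole on Resource "*" can launch an instance with any role in the account, including an administrative one, and then read that role's credentials from the instance metadata service. The two policy documents below are constructed; the account ID 123456789012 and the role name web-instance-role are placeholders. Test-PassRoleScope flags the over-broad grant and passes the scoped one.

```powershell
# Added example, not from the Praetorian post. Two constructed IAM policy documents:
# the first lets the principal pass any role to EC2, the second pins PassRole to one
# role and to the EC2 service. Account ID and role name are placeholders.
$OverBroadPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances", "iam:PassRole"],
      "Resource": "*"
    }
  ]
}
'@

$ScopedPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/web-instance-role",
      "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } }
    }
  ]
}
'@

function Test-PassRoleScope {
    param([Parameter(Mandatory)][string]$PolicyJson)
    $policy = $PolicyJson | ConvertFrom-Json
    $findings = @()
    foreach ($stmt in @($policy.Statement)) {
        if ($stmt.Effect -ne 'Allow') { continue }

        # IAM action patterns use * and ?, the same wildcards as -like, so match the
        # literal action against each pattern: "iam:PassRole", "iam:*" and "*" all grant it.
        $grantsPassRole = @($stmt.Action) | Where-Object { 'iam:PassRole' -like $_ }
        if (-not $grantsPassRole) { continue }

        # "*" or a trailing "/*" on the ARN means any role in the account can be passed.
        $broad = @($stmt.Resource) | Where-Object { $_ -eq '*' -or $_.EndsWith('/*') }
        if ($broad) {
            $findings += "PassRole on resource '$($broad -join ', ')': any role, including administrative ones, can be handed to an instance at launch"
        }

        # Without iam:PassedToService the role can be passed to any service, not just EC2.
        $service = $stmt.Condition.StringEquals.'iam:PassedToService'
        if (-not $service) {
            $findings += "PassRole without an iam:PassedToService condition"
        }
    }
    return $findings
}

Test-PassRoleScope -PolicyJson $OverBroadPolicy   # two findings
Test-PassRoleScope -PolicyJson $ScopedPolicy      # no output: scoped grant
```

    The check reads inline policy JSON so it runs offline; pointing it at real policies means pulling the documents with the IAM API first. Note that the scoped policy still lets the principal launch instances; what it removes is the ability to choose a more privileged role than the one named in the Resource.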



