• Getting Started with Praetorian's ATT&CK Automation

    Posted by Daniel Wyleczuk-Stern

    Earlier this month, Praetorian released its automation for emulating adversary tactics, techniques, and procedures (TTPs) based on the MITRE ATT&CK framework. We have received a number of requests from users asking for more detailed instructions on how to get started with the tool. This blog post accompanies the recently released video tutorial.



• Cross-Site WebSocket Hijacking (CSWSH)

    Posted by Jesse Somerville

    The WebSocket protocol is a fairly simple one; regardless, understanding how it works is essential to understanding how to secure (and exploit) it. The protocol consists of two parts: a handshake and the data transfer.



• Process Injection and Process Hollowing (ATT&CK T1055 & T1093)

    Posted by Josh Abraham

    We are releasing Vulcan, a tool that makes it easy and fast to test various forms of injection. All of the techniques included are already public. Vulcan brings them together in a single tool to test endpoint detection and response (EDR) coverage so that you can quickly identify detection gaps. It can be used as a test harness to find those gaps so that detection engineering effort can be focused on closing them.



• Cloud Data Exfiltration via GCP Storage Buckets and How to Prevent It

    Posted by Kesten Broughton

    On a recent engagement, we gained the ability to execute code on a pod that we had compromised through a SQL injection vulnerability. With the SQL injection, we could write pickled Python objects to a table in a database, and those objects would be unpickled and executed by a different pod. The customer was using a private Kubernetes GKE cluster and had restricted all egress traffic to pass through a network proxy that denied general access to the Internet. This prevents standard exfiltration of data from the pod. However, the pods had permissions to write to GCP Storage Buckets, and therefore the storage.cloud.google.com URL was whitelisted.



• Red Team Supply Chain Attacks in Modern Software Development Environments

    Posted by Dallas Kaman

    The future of red teaming not only requires updated adversarial tradecraft – although that's a big part of it – but also a shift in buyer mindset to scope realistic scenarios that continue to test and challenge their defences.



• ICMP C2 Standard Non-Application Layer Protocol (ATT&CK T1095)

    Posted by Josh Abraham

    While ICMP may not be the answer for exfiltration, it can be very useful as a long-term alternative C2 channel. If all other communication channels failed, or if persistence or access was terminated, we could always maintain a stealthy ICMP backup channel and use it to respawn the primary C2 channel.



• Using Slack Web Services as a C2 Channel (ATT&CK T1102)

    Posted by Josh Abraham

    Our proof of concept (PoC) blends in with normal business activities such as user-to-user or user-to-group communications. Detecting this type of activity requires sophisticated network analysis capabilities, such as the ability to intercept and decrypt SSL messages. Future versions may add additional encryption on top of SSL. In our PoC, we also configure a random sleep of between 1 and 5 minutes to further obfuscate our activity. These sleep times can help our C2 fly under the radar, but they also limit how rapidly the operator can act, depending on how aggressively the timeouts are configured.



• Why Praetorian Benchmarks to MITRE ATT&CK™ and Why You Should Too

    Posted by Daniel Wyleczuk-Stern

    When it came to improving our Purple Team service line, which maps to "Detect" and "Respond" in the NIST CSF, we wanted to provide a similar high quality of data and metrics to our clients. In our experience, it is hard to drive change in any organization unless those changes can be tied to measurable results. After conducting a survey of known frameworks, we settled on the ATT&CK™ framework from MITRE.



• Safely Conduct Security Assessments of Industrial Control System (ICS) Environments

    Posted by Praetorian Staff

    Our current standard of living is made possible by the massive scale of critical infrastructure that supports our needs as a society. Electricity, oil, gas, water, and security are a few of the well-known industries whose infrastructure is managed by Industrial Control Systems (ICS). Few systems carry the potential for consequences as catastrophic as those of an ICS breach.



• Running a .NET Assembly in Memory with Meterpreter

    Posted by Thomas Hendrickson

    In this blog post I will discuss leveraging Meterpreter's powershell module to execute .NET assemblies in memory. Metasploit and Meterpreter are effective and useful tools, but occasionally one encounters a situation where they lack features. Cobalt Strike (a different command and control framework) contains an execute-assembly command that provides in-memory .NET execution for situations where it lacks built-in commands. Meterpreter contains the features required to perform the same behavior, albeit in a slightly less polished form.



