Overview​

During a Red Team engagement, performing detailed Situational Awareness (SA) or enumeration on initial and subsequent host compromises is vital. Every good pen-tester or red teamer has their list of go-to scripts, commands, or "pasties" to run once initial shell access is achieved. The goal is to quickly learn as much about your environment as possible; including defenses, system configuration, interesting files, and opportunities for persistence and lateral movement. Moreover, when working in large and/or distributed teams, a common tool-base and procedure set is crucial to ensure that necessary enumeration is accomplished no matter who's behind the keyboard.

Overview​

Domain name selection is an important aspect of preparation for phishing scenarios, penetration tests, and especially Red Team engagements. It is increasingly common to be faced with web filtering in a network based on domain reputation and categorization. Often traffic to very new and/or uncategorized domains is completely blocked by such appliances – stopping your phishing payload or C2 agent in their tracks. There's been a lot of talk about Domain Fronting and High Trust Redirectors in the security community lately to deal with this same issue, but that's an extra layer of configuration and complexity that's probably not necessary for every engagement. See MDSec – Domain Fronting via Cloudfront Alternate Domains and Raphael Mudge's blog for more on those techniques.

We've seen several great incoming agent/shell notification mechanisms for Metasploit and Empire recently and the utility of being notified when new shells appear is without question. This is especially true when conducting phishing and social engineering style attacks or while waiting for a persistence mechanism to trigger. A recent example is SlackShellBot by @Ne0nd0g. We really like it, but often use Cobalt Strike heavily and thus need another notification method for CS.

Web applications continue to be a valuable door for attackers to use to gain remote access to a network. If a web application is compromised, the webserver itself can be used to enable a command and control (C2) channel and provide a platform for post exploitation. The use of web shells is a common method to provide this capability. Like other malicious code, security protections must be considered and understood to bypass their protections. Specific Tools, tactics and procedures (TTPs) must be designed into a web shell to minimize detection. Many current web shells have no protection against common network security defenses.

Welcome to the Threat Express information security blog by the Red Team at MINIS LLC. The primary website remains , but this is our new platform for the release of security research, tools, and other Red Teaming related information.