Exploring Cobalt Strike's ExternalC2 framework

As many testers will know, achieving C2 communication can sometimes be a pain. Whether because of egress firewall rules or process restrictions, the simple days of reverse shells and reverse HTTP C2 channels are quickly coming to an end. OK, maybe I exaggerated that a bit, but it's certainly becoming harder. So, I wanted to look at some alternate routes to achieve C2 communication and with this, I came across Cobalt Strike's ExternalC2 framework. ExternalC2 ExternalC2 is a specification/framework introduced by Cobalt Strike, which allows hackers to extend the default HTTP(S)/DNS/SMB C2 communi…

Moving jobs and exploiting Flash (CVE-2018-4878)

Recently I joined the MDSec team after seeing many of the cool things that they had contributed to the community, and to hopefully pick up some of their awesome skills. Shortly after joining I was pointed to a small research project, CVE-2018-4878, a Flash vulnerability classified as a "Use-After-Free". This vulnerability was being exploited in the wild, however due to the way in which the malware was encrypted, it was not possible to recover a live sample of the exploit. Basing research on some redacted screenshots and snippets disclosed on Twitter, I was able to create a working de…

Exploiting Windows 10 Kernel Drivers - Stack Overflow

Following on from my earlier post in which we walked through creating an exploit for the WARBIRD vulnerability, over the next few posts I'm going to be looking at Windows kernel exploitation. If you haven't had chance to read it, I'd recommend that you pause and give it a quick glance as some of this walkthrough will rely on concepts introduced previously. This post will start off by laying the groundwork for future posts, and walking through a simple stack overflow exploit in the Windows kernel. HackSys Extreme Vulnerable Driver If you want to learn about Windows driver exploitation, few reso…