Remote kernel debugging "lateral movement" via WMI. An example of one of the many use cases for new #PowerShell BCD module (still in very early stages).
https://github.com/mattifestation/BCD
https://github.com/mattifestation/BCD
Db_hEGSVMAIPcbb.jpg
260.9 KB
Run a CobaltStrike beacon from a Microsoft Signed Binary vsjitdebugger.exe
https://vincentyiu.co.uk/cobaltsplunk/
Cobalt Strike Splunk Application for CobaltStrike available here https://github.com/vysec/CobaltSplunk. It parses Cobalt Strike logs, and has some predefined dashboards and queries
Cobalt Strike Splunk Application for CobaltStrike available here https://github.com/vysec/CobaltSplunk. It parses Cobalt Strike logs, and has some predefined dashboards and queries
if youre CS instances under attack, block public atttackers:
curl -X POST -d "tag=COBALT_STRIKE_SCANNER_HIGH" https://api.greynoise.io/v1/query/tag | python -m json.tool | grep "ip" | cut -d ":" -f 2 | cut -d '"' -f 2 | sort -u | grep -e '^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$' | sed -e 's/^/sudo iptables -I INPUT -s /g' | sed -e 's/$/\/32 -j DROP/g'