

Showing posts from 2017

Thoughts on C2 Designs and Tradecraft

Howdy folks!

This post is basically me trying to get out some thoughts regarding design concepts for command and control infrastructures. As a red operator who is also responsible for managing our team's infra, this is one of my favourite topics.

I'm also currently working on a talk that I will be shopping around in 2018 on this very topic so I'm using this blog platform as one more tool to collect ideas and work out what will probably end up in the talk.

I want to start off by mentioning something that a wise man said to me recently when I posted the following question on Twitter:

Justin "@sixdub" Warner, someone I greatly respect, said:

Whether you agree or not, I think it's a valid point worth some thought. Red teams and the infosec community in general do very much like to push the envelope in ideas, complexity, tradecraft and the like. Threat actors do the same. A question I like to ask myself from time to time is, "Do offensive tactics and strategy driv…

Simple PowerShell One-Liners

In this post, I want to go over some basic recon-style commands in PowerShell, which complements a talk I gave recently at the DefCon 416 meetup. A good chunk of my demonstration consisted of various ways to accomplish simple recon and post-exploitation tasks by leveraging what is already installed throughout Windows environments.
I'm going to keep things very basic and simple just in case PowerShell is brand new to you. These "one-liners" are meant to show things you can incorporate into a script that, when placed onto a targeted machine and executed in memory, can spit the output into a file or send it back to a C2 server.

Let's begin :)

I am using a Windows 7 virtual machine running PowerShell v2, but feel free to use Win8 or higher.
Open up a PowerShell prompt (no need to run as an admin, but it may be required later).

I create a folder on the desktop called "hello" with a single text file called "hello.txt" inside. Feel free to do the same and use…