‘These waifus aren’t going to farm themselves’ day late edition


File-based p2p comms for Posh

Link: Introducing FComm - C2 Lateral Movement - Nettitude Labs

I have a big soft spot for PoshC2, as it was the first framework I did substantial work with and took the time to really understand. The result was integrated into the Post OSCP series. It’s always been a featureful piece of software, and they’ve clearly continued to improve upon it. This release blog covers the ‘FComm’ lateral movement technique. I personally think it falls more under p2p communications and have labeled it as such. Essentially, it handles a situation where two implants on a compromised network cannot directly communicate with each other, but instead must rely on an intermediary. This would be tough to do under most circumstances, and this technique only works if there is a fileshare that both hosts can access.

In that case, they use a dump file as a way of passing instructions between the implants. Each implant checks the file for changes and can write the results of commands back to it. The implant that has access to the internet can then relay the results to the C2 server and thus to the operator.
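To make the relay concrete, here is a small Python model of the mechanism described above. It is an added example and not PoshC2's FComm code: two implants that cannot reach each other append messages to one file on a share both can read, each side tracks how far into the file it has already read so it only handles what was appended since, and the internet-connected implant collects the results it would forward to C2. The message layout, the field names and the fake command handlers are assumptions made for this example.

```python
"""Model of file-based implant-to-implant relay over a shared file.

Added example, not PoshC2's FComm implementation. Two implants that cannot
talk to each other directly append messages to one file on a share both can
reach; each side remembers how far it has read and only processes what was
appended since. The egress implant forwards results to "C2" (here, it just
returns them). Message layout, field names and the fake command handlers
are assumptions made for this example.
"""
import json
import pathlib
import tempfile


class SharedFile:
    """Append-only JSON-lines file standing in for the dump file on the share."""

    def __init__(self, path):
        self.path = pathlib.Path(path)
        self.path.touch(exist_ok=True)

    def append(self, record):
        # One message per line, written in a single write() call so a reader
        # polling at the same time does not pick up half a message.
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")

    def read_since(self, offset):
        """Return (records, new_offset) for bytes appended after `offset`."""
        with self.path.open("rb") as fh:
            fh.seek(offset)
            data = fh.read()
        # Only consume complete lines; a trailing partial line is left for the next poll.
        end = data.rfind(b"\n") + 1
        lines = data[:end].decode("utf-8").splitlines()
        return [json.loads(line) for line in lines if line.strip()], offset + end


class Implant:
    """An implant that polls the shared file for messages addressed to it."""

    def __init__(self, name, shared, handlers=None):
        self.name = name
        self.shared = shared
        self.offset = 0  # how much of the file this implant has already seen
        self.handlers = handlers or {}

    def send(self, to, kind, payload, task_id):
        self.shared.append({"id": task_id, "from": self.name, "to": to,
                            "kind": kind, "payload": payload})

    def poll(self):
        """Return new messages addressed to this implant since the last poll."""
        records, self.offset = self.shared.read_since(self.offset)
        return [r for r in records if r["to"] == self.name]

    def service_tasks(self):
        """Run any new tasks and write their results back to the file."""
        done = []
        for msg in self.poll():
            if msg["kind"] != "task":
                continue
            handler = self.handlers.get(msg["payload"])
            out = handler() if handler else f"unknown task: {msg['payload']}"
            self.send(msg["from"], "result", out, msg["id"])
            done.append(msg["id"])
        return done


def run_demo(share_dir=None, tasks=("hostname", "whoami", "reboot")):
    """One relay round: the egress implant tasks the isolated implant through the
    share and collects the results it would hand to the C2 server."""
    share_dir = share_dir or tempfile.mkdtemp()
    shared = SharedFile(pathlib.Path(share_dir) / "fcomm.dat")
    # Constructed stand-ins for command execution; nothing is run on the host.
    fake_handlers = {"hostname": lambda: "WS01", "whoami": lambda: "corp\\jdoe"}
    egress = Implant("egress", shared)                     # has internet, talks to C2
    isolated = Implant("isolated", shared, fake_handlers)  # can only see the share

    for i, task in enumerate(tasks, 1):
        egress.send("isolated", "task", task, i)  # operator's tasks land on the share
    isolated.service_tasks()                      # isolated implant picks them up
    results = [m for m in egress.poll() if m["kind"] == "result"]
    return results                                # egress would relay these to C2


if __name__ == "__main__":
    for r in run_demo():
        print(r["id"], r["payload"])
```

The offset bookkeeping is what turns a plain file into a two-way channel: neither side needs to lock or truncate the file, it only has to notice that the file grew. The same property is the defensive angle, since a file on a share that is repeatedly appended to by two hosts in lockstep, with no user ever opening it, is the artefact to hunt for.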

I’ve thought about strange, nonstandard ways of trying to hide commands and command results in Active Directory specifically, and had toyed with the idea of using extended attributes of certain LDAP records. I shelved the idea when I couldn’t find a consistent resource that would tell me what the maximum size of those records was, and didn’t have the time to methodically figure it out myself. This acts as a reasonable alternative and can even blend in nicely in other environments where direct connections aren’t prohibited, but where such connections would stick out as being uncommon or rare.

SameSite cookie attributes

Link: The great SameSite confusion :: jub0bs.com

I like this article a lot, because it didn’t just go over the mechanics of the SameSite attribute, but also how it can be confusing to understand what it is protecting (or what it isn’t protecting that you think it is).

Grab bag of binary analysis stuff

Link: Testing Compiled Applications - Secarma Cybersecurity Company

This certainly isn’t in-depth on any given topic but does cover the things you might do when confronted with a compiled binary, if all you know is strings and maybe some quick binary examination.