James Honeycutt

Red Team - September 2019

I was asked to be on a red team for a blue team validation. Of course, I said yes because the alternative was to sit in the office and do nothing. I am not big on being on the red team; I have more fun on the blue team being a hunter. But I did learn some things and created some tools during this experience.

One tool I created was a script to create random files of random size and post them to a file server at a random time. This tool became necessary when we realized we were to exfiltrate data out of a database. This was not possible because our SQL Server had the services installed, but did not have a database configured. So, instead of exfiltrating data, we infiltrated data. I created a script that ran under one of our sim users' contexts. Every 30 seconds to 2 minutes it would grab a random Pokemon name and file extension, generate a random size, and create a file. It then moves the file to a file server share. It created around 500 MB of files before it was caught and shut down. We know this because in week 2 we were validating a different team and exfiltrated that same data. There is still some work that needs to be done to the script to make it a full tool, but I published it on my GitHub at https://github.com/Honeycuttj/Generate-Files

The other script I created was a script that would generate 1000 users and add them to the default "Domain Admins" security group. This came about after we (the red team) got frustrated with the blue team forcing password changes and disabling the users we were using for our nefarious activities. I did create this script to run as a function so that it can be run with a single command. I do need to go back and create parameters that can be passed in and add some help to the file. Other than that, with a little tweaking of LDAP paths, it can be run in any environment. It too is on my GitHub at https://github.com/Honeycuttj/Invoke-RandomUser

I was busy over the past few weeks. I also created a malicious task scheduler script. It disables the event log server every 60 seconds. This was one of our tasks, but the script only works in PowerShell 5 and not in PowerShell 2. We only had beacons on Win7 machines that did not have PowerShell updated. I need to write a PowerShell version check before I publish it. If you would like what I have, please reach out and I will give you what I have. Other than that, I am not going to publish it until I have the check done. I have a Test-WinRM script that still needs a lot of work that I am working on as well.
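
From the blue team side, the bulk addition of generated users to "Domain Admins" described above shows up as a burst of Security event 4728 records from a single account. The following is an added example, not code from the post or its GitHub repositories: a sliding-window check over constructed events, where the record field names, the threshold of 5 and the 10-minute window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

GROUP_ADD_EVENT_ID = 4728  # Security log: member added to a security-enabled global group


def find_bulk_group_adds(events, group="Domain Admins", threshold=5,
                         window=timedelta(minutes=10)):
    """Return {actor: peak adds inside one window} for actors at or above threshold."""
    recent = defaultdict(deque)  # actor -> timestamps of adds still inside the window
    peaks = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != GROUP_ADD_EVENT_ID:
            continue
        if ev["group"].lower() != group.lower():
            continue
        seen = recent[ev["actor"]]
        seen.append(ev["time"])
        while ev["time"] - seen[0] > window:  # drop adds older than the window
            seen.popleft()
        if len(seen) >= threshold:
            peaks[ev["actor"]] = max(peaks.get(ev["actor"], 0), len(seen))
    return peaks


def constructed_sample():
    """Constructed events; field names are assumed, not a real export schema."""
    base = datetime(2019, 9, 1, 12, 0, 0)

    def add(offset, actor, group, member):
        return {"time": base + offset, "event_id": GROUP_ADD_EVENT_ID,
                "actor": actor, "group": group, "member": member}

    events = []
    # Scripted burst: one account adds 40 members, two seconds apart.
    events += [add(timedelta(seconds=2 * i), "LAB\\simuser1", "Domain Admins",
                   f"user{i:04d}") for i in range(40)]
    # Routine change: two adds an hour apart by an administrator.
    events += [add(timedelta(hours=i), "LAB\\admin1", "Domain Admins",
                   f"newadmin{i}") for i in range(2)]
    # Burst into an unrelated group; must not alert for Domain Admins.
    events += [add(timedelta(seconds=i), "LAB\\hr-sync", "Sales",
                   f"sales{i}") for i in range(10)]
    return events


if __name__ == "__main__":
    for actor, peak in find_bulk_group_adds(constructed_sample()).items():
        print(f"ALERT: {actor} added {peak} members to Domain Admins within 10 minutes")
```

Keying the window on the acting account rather than on the group keeps routine, spaced-out changes by administrators below the threshold while a scripted run trips it within seconds.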
