1
00:00:01,500 --> 00:00:04,060
My tool is, uh, Adam and Eve.

2
00:00:04,060 --> 00:00:09,400
The name came after the tool, actually, so there's no religious backdrop or anything.

3
00:00:09,400 --> 00:00:10,520
It just, it was cool.

4
00:00:10,520 --> 00:00:12,160
At first, it was just going to be Adam.

5
00:00:12,160 --> 00:00:17,400
And then, you know, somebody told me, uh, a friend of mine was like, who is Adam?

6
00:00:17,400 --> 00:00:19,200
And why do we care?

7
00:00:19,520 --> 00:00:20,940
You add the Eve.

8
00:00:20,940 --> 00:00:23,620
And then everybody's like, what?

9
00:00:23,980 --> 00:00:25,780
So here we go.

10
00:00:26,020 --> 00:00:29,020
I literally had to make up the exchange piece of it.

11
00:00:29,020 --> 00:00:30,160
That was part of Adam.

12
00:00:31,300 --> 00:00:34,380
I'm like, shit, how do I make Eve work?

13
00:00:34,600 --> 00:00:35,480
I guess a lot.

14
00:00:35,480 --> 00:00:39,220
So just be ready, young people, children in the back.

15
00:00:40,360 --> 00:00:41,180
All right.

16
00:00:41,180 --> 00:00:48,120
So I said, it was just some guy with questions and, uh, clearly not a PowerPoint, uh, degree.

17
00:00:48,480 --> 00:00:51,100
So it was just some guy with questions.

18
00:00:51,140 --> 00:00:55,100
And I wanted to know, so everybody's coming down with all these C2s, right?

19
00:00:55,100 --> 00:00:56,680
And like, you see them everywhere you go.

20
00:00:56,680 --> 00:01:02,160
I don't care if you do OSCP or, you know, you do like, like red team stuff.

21
00:01:02,160 --> 00:01:04,600
Like it comes up over and over again.

22
00:01:04,740 --> 00:01:09,020
And it's like, okay, so we get it.

23
00:01:09,020 --> 00:01:09,620
It's a C2.

24
00:01:09,620 --> 00:01:17,560
You're going to get some weird data that comes across some port to me as a, as a blue teamer, that's just going to stick out.

25
00:01:17,560 --> 00:01:21,500
I'm like, why are you even touching port 57,300?

26
00:01:21,500 --> 00:01:22,440
Give me a number.

27
00:01:23,580 --> 00:01:24,380
52,004.

28
00:01:24,380 --> 00:01:25,820
52,004.

29
00:01:25,820 --> 00:01:25,920
Right.

30
00:01:25,920 --> 00:01:29,540
Like what's we have no services that are sitting on that.

31
00:01:29,540 --> 00:01:30,060
Right.

32
00:01:30,060 --> 00:01:33,320
And then like, you're constantly giving data back and forth.

33
00:01:33,320 --> 00:01:33,600
Right.

34
00:01:33,600 --> 00:01:46,360
So my thing was like, okay, so working on working and doing what I do, what I wanted to do was like, try to figure out a way to make native traffic be more, more interesting.

35
00:01:46,360 --> 00:01:46,640
Right.

36
00:01:46,640 --> 00:01:49,240
We all know how to pop a phishing.

37
00:01:49,880 --> 00:01:52,660
Some, some person is going to sit at some company.

38
00:01:52,660 --> 00:01:55,340
They've been there for so long, they're complacent and they're going to click a link.

39
00:01:55,340 --> 00:01:56,300
They're going to do whatever.

40
00:01:56,300 --> 00:02:01,160
We already know that almost everything that we talk about, we already assume that like the breach has happened.

41
00:02:01,160 --> 00:02:01,560
Right.

42
00:02:01,560 --> 00:02:02,740
And so we start from here.

43
00:02:02,740 --> 00:02:06,160
So to me, I'm not trying to recreate something.

44
00:02:06,160 --> 00:02:11,980
I want to use what we already know that people's natural behavior is going to be.

45
00:02:12,020 --> 00:02:17,980
So if I'm in a Microsoft environment, which is 90% of all environments, right.

46
00:02:18,860 --> 00:02:21,100
I know, Hey, you're probably using that directory.

47
00:02:21,100 --> 00:02:22,300
You're probably gonna be in the cloud.

48
00:02:22,300 --> 00:02:23,000
You're probably gonna do this.

49
00:02:23,000 --> 00:02:28,260
So why would I do something that's going to pop all of your alerts, all of your EDRs, whatever we're having this room PowerShell.

50
00:02:29,520 --> 00:02:40,700
So let's go PowerShell, even from a, even from a Python centric framework, we send it as a string, execute that as an expression.

51
00:02:40,700 --> 00:02:41,920
And, and here we are.

52
00:02:41,940 --> 00:02:42,380
All right.

53
00:02:42,380 --> 00:02:43,560
So my name is Daryl.

54
00:02:44,000 --> 00:02:45,400
I work for Trimark.

55
00:02:45,400 --> 00:02:46,600
I'm a security consultant.

56
00:02:46,600 --> 00:02:47,960
Our people are in the back.

57
00:02:47,960 --> 00:02:49,320
We're doing our thing.

58
00:02:49,460 --> 00:02:50,780
We are the best at what we do.

59
00:02:50,780 --> 00:02:52,020
And that's just what it is.

60
00:02:52,020 --> 00:02:53,100
Look us up.

61
00:02:53,100 --> 00:02:53,800
All right.

62
00:02:54,920 --> 00:02:57,980
Trimark, I'm kind of purple team-esque.

63
00:02:58,040 --> 00:03:05,580
I don't really make hacker tools, but sometimes my tools are useful for the other side.

64
00:03:06,700 --> 00:03:07,360
Let's go.

65
00:03:07,360 --> 00:03:09,840
So why, why did I even like create this tool?

66
00:03:09,840 --> 00:03:10,520
Right.

67
00:03:10,920 --> 00:03:11,760
I was bored.

68
00:03:11,760 --> 00:03:19,820
I was researching some stuff, wanted to really understand why the C2 framework still comes up.

69
00:03:19,820 --> 00:03:28,120
I mean, there are so many of them that come up, you know, and like people talk about Metasploit and all this other, that's cool, whatever.

70
00:03:28,440 --> 00:03:40,920
But generally speaking, at least in the junior levels, when you're, you're first starting off and you're trying to get into this red thing, it's like, yeah, the C2, you got to figure out, yeah, get them to pop that thing.

71
00:03:40,920 --> 00:03:43,820
Did you get the calc, what?

72
00:03:43,820 --> 00:03:44,660
Yeah.

73
00:03:44,740 --> 00:03:47,920
But I mean, cool, whatever.

74
00:03:47,920 --> 00:03:52,660
My thing is more of like, what, what services do you allow to run in your environment?

75
00:03:52,660 --> 00:03:53,320
That's cool.

76
00:03:53,320 --> 00:03:54,600
This is a Microsoft environment.

77
00:03:54,600 --> 00:03:56,360
Okay, cool, cool, cool, cool, cool, cool.

78
00:03:56,360 --> 00:04:00,920
What's the execution level that you allow things to run natively?

79
00:04:01,480 --> 00:04:03,100
So I'm not trying to break something.

80
00:04:03,100 --> 00:04:08,000
I just want to use what you already have and you're leveraging in a way that you might not have thought about.

81
00:04:08,720 --> 00:04:11,660
So that's, that's why I created this tool.

82
00:04:14,980 --> 00:04:16,000
What is it?

83
00:04:16,280 --> 00:04:19,600
Again, it's just, it's literally just a socket server.

84
00:04:19,820 --> 00:04:29,180
A lot of times when I see, at least in the training world and some people that do other things, but like, at least in the training world and stuff like that, right?

85
00:04:29,180 --> 00:04:35,860
You have your server that sits somewhere, you send out your client, your agent, your whatever, right?

86
00:04:35,860 --> 00:04:48,400
You send your malicious code out somewhere and you wait for it to pop and you have to sit there on your server or wait for your server to get that, that receive to do something and then you can move on.

87
00:04:48,440 --> 00:04:50,560
But realistically, right?

88
00:04:50,560 --> 00:04:54,660
So again, this is a Microsoft world and I'm just trying to blend in.

89
00:04:54,660 --> 00:04:56,000
Hey man, I'm wearing a blue shirt.

90
00:04:56,000 --> 00:04:58,040
It's got little, little circles and stuff on it.

91
00:04:58,040 --> 00:04:59,240
It's Chrome right now.

92
00:04:59,240 --> 00:05:00,340
Hey, I work for Microsoft.

93
00:05:02,220 --> 00:05:09,640
So that is not necessarily going to be the easiest way for me to execute some code in your environment.

94
00:05:09,640 --> 00:05:16,660
Why would I try to reinvent what Microsoft has already leveraged down to the system level?

95
00:05:16,680 --> 00:05:23,740
Because by the way, you can call DLLs, you can call C code, you can call anything on a PowerShell.

96
00:05:23,740 --> 00:05:29,980
So from a PowerShell centric standpoint, it's all about like what the execution level is, right?

97
00:05:29,980 --> 00:05:38,480
So absolutely, you can make sure that you can't just like run native code or it has to be signed or whatever else like that.

98
00:05:38,480 --> 00:05:47,980
But if you don't know that that's even an option, in most environments that I see, I mean, you just PowerShell script and all you get is the little, the UAC of like, are you sure?

99
00:05:47,980 --> 00:05:49,980
I'm like, yeah, I'm definitely sure.

100
00:05:49,980 --> 00:05:51,400
I can run that script.

101
00:05:51,400 --> 00:05:52,340
Yeah, thank you.

102
00:05:52,680 --> 00:05:54,800
So that's what we do.

103
00:05:54,940 --> 00:05:58,580
So the way that this thing works is based on Flask.

104
00:05:58,600 --> 00:06:00,940
I don't know if you guys are familiar with Flask.

105
00:06:01,060 --> 00:06:04,240
It's just a web API, Python based.

106
00:06:04,280 --> 00:06:10,880
So if you hit a certain URL, you can get specific types of code to run, right?

107
00:06:10,880 --> 00:06:13,240
So my idea was awesome.

108
00:06:13,240 --> 00:06:26,620
I don't want to sit at a Linux machine or even if I go to somebody else's company and I'm doing a pen test or something like that, like I don't, what are the odds that they just have a Kali box and they go log into your Kali box?

109
00:06:26,620 --> 00:06:28,920
Like that's not a thing, right?

110
00:06:28,980 --> 00:06:32,840
So I'm like, how do I get around that?

111
00:06:32,840 --> 00:06:48,840
So the thing is you can have any box that you want anywhere that does anything that runs Python and you can throw up this Flask server and now you hit any API on the Flask server, it will take

112
00:06:51,940 --> 00:06:53,400
a string of objects.

113
00:06:53,400 --> 00:06:56,840
I don't really know the best way to say it, but it will take text, right?

114
00:06:56,840 --> 00:07:05,880
So you can have a whole code, page, like a PowerShell script, a Python script, a C program, it doesn't matter.

115
00:07:05,880 --> 00:07:21,940
It'll take it, mention down to one liner, send it as a string via Python to the agent that is then running the native PowerShell thing, because it's just like a Windows machine at work or whatever.

116
00:07:22,410 --> 00:07:26,980
And with the PowerShell thing, what we do is we invoke expression.

117
00:07:27,280 --> 00:07:31,100
And with that, you can take that whole string code, doesn't matter what it was natively in, right?

118
00:07:31,120 --> 00:07:37,340
We take away those exterior quotation marks.

119
00:07:37,380 --> 00:07:45,800
And then next thing you know is we've sent an entire script that sits in memory, never was written to disk to do stuff.

120
00:07:46,860 --> 00:07:52,650
All right, let's get to the breakdown.

121
00:07:54,310 --> 00:07:56,110
Sorry, guys, I'll be honest with you.

122
00:07:56,110 --> 00:07:59,990
For the last few days, I've been struggling with the Wi-Fi here.

123
00:07:59,990 --> 00:08:01,670
I don't know if you guys have dealt with it.

124
00:08:01,670 --> 00:08:03,270
It is ridiculous.

125
00:08:03,430 --> 00:08:12,770
And so I had a live thing that was going to do stuff, kind of going off of some like old recorded stuff, but we'll talk about it and we can do it.

126
00:08:12,770 --> 00:08:14,010
This is all on GitHub.

127
00:08:14,090 --> 00:08:15,590
And it's kind of fantastic.

128
00:08:15,590 --> 00:08:17,990
So this all started, right?

129
00:08:17,990 --> 00:08:21,330
So it started with just a multi-threaded socket server.

130
00:08:21,330 --> 00:08:22,330
Are you guys hackers?

131
00:08:22,330 --> 00:08:23,310
Who hacks here?

132
00:08:23,730 --> 00:08:24,690
Okay, cool.

133
00:08:24,690 --> 00:08:25,750
Not those guys.

134
00:08:25,750 --> 00:08:28,330
The ones that didn't raise their hands, that's what I'm looking at.

135
00:08:28,550 --> 00:08:29,430
No.

136
00:08:29,670 --> 00:08:31,250
All right, go.

137
00:08:31,250 --> 00:08:33,010
So socket server, right?

138
00:08:33,010 --> 00:08:34,630
This is just simple Python stuff.

139
00:08:34,630 --> 00:08:36,170
We define the socket server.

140
00:08:36,190 --> 00:08:36,570
Cool.

141
00:08:36,570 --> 00:08:37,350
It can be anything.

142
00:08:37,350 --> 00:08:41,970
And actually in the, look at that, I can't, I'm moving around too much.

143
00:08:41,970 --> 00:08:45,890
In the actual source code now, that's V2.

144
00:08:45,890 --> 00:08:50,390
So if you go to GitHub and you grab it down now, that's something that pops up, right?

145
00:08:50,390 --> 00:08:54,070
So in the server, you get to define what the server is in the port.

146
00:08:54,070 --> 00:08:59,470
Also in the client, you could predefine it or you could ask it, right?

147
00:08:59,750 --> 00:09:01,690
So it's, this is like normal stuff.

148
00:09:01,990 --> 00:09:09,330
For the Python people, this is probably boring, but if you're not a Python person, let's get into it for a second, right?

149
00:09:09,330 --> 00:09:10,750
So we define it.

150
00:09:10,750 --> 00:09:12,110
This is going to be my function.

151
00:09:12,110 --> 00:09:14,670
This is my socket server object right here.

152
00:09:15,070 --> 00:09:15,670
AF_INET.

153
00:09:15,670 --> 00:09:17,650
That's just IPv4.

154
00:09:17,890 --> 00:09:19,070
That's what it is.

155
00:09:19,070 --> 00:09:20,610
And then we're going to send it to a stream.

156
00:09:20,890 --> 00:09:25,090
So we then bind, and I say I want an IP address, I want a port, and that's cool.

157
00:09:25,210 --> 00:09:46,210
So what's cool about this, what makes it multi-threaded is the fact that here, on this socket listen, versus any other way that like you were to define any kind of C2 Python this way, this number here, right, that goes into this method, okay, you can give the parameter of any number that you want.

158
00:09:46,210 --> 00:09:50,810
And that's how many multi-threaded connections it can have at once.

159
00:09:50,810 --> 00:09:54,130
And you don't have to handle those connections, right?

160
00:09:54,130 --> 00:10:01,390
So if I sent this email out to 50 people and they all click the same link, that's cool.

161
00:10:01,410 --> 00:10:06,390
This code will handle all that as long as I have at least 50 that's in here, all right?

162
00:10:06,590 --> 00:10:08,650
So I just did one.

163
00:10:09,070 --> 00:10:10,730
It is what it is.

164
00:10:10,730 --> 00:10:12,430
It tells me it's listening.

165
00:10:12,850 --> 00:10:13,670
Cool.

166
00:10:13,670 --> 00:10:16,230
And then it accepts every single one.

167
00:10:16,230 --> 00:10:16,610
Okay.

168
00:10:16,610 --> 00:10:31,890
So the reason why I actually pull this up is because the programmers in the room are like, how are you handling something that's like multi-function that's here and something that's defined in a singular function, if that makes sense, right?

169
00:10:31,890 --> 00:10:43,130
And the reason why it's here in this accept, it's because I have a separate function that's also a handler and it's, this will pass that to the socket listener.

170
00:10:43,130 --> 00:10:49,610
And so I have another function that's just there and it goes for anything that comes and hits that socket listener.

171
00:10:49,710 --> 00:10:50,290
Cool.

172
00:10:50,290 --> 00:10:51,950
We'll just do it.

173
00:10:51,950 --> 00:10:57,130
We'll give it some arbitrary identifier and we'll keep on running.

174
00:10:57,130 --> 00:11:00,650
That's essentially what happens here in the threading.Thread target, handle_client.

175
00:11:00,650 --> 00:11:02,070
It's all variables.

176
00:11:02,070 --> 00:11:03,070
I don't need to know what they are.

177
00:11:03,070 --> 00:11:03,590
I don't care.

178
00:11:03,590 --> 00:11:06,290
The program takes care of it and we're good.

179
00:11:06,290 --> 00:11:10,690
But if you're doing anything in Python, very useful.

180
00:11:10,690 --> 00:11:14,250
The threading.Thread method is a very powerful method.

181
00:11:18,860 --> 00:11:19,780
All right.

182
00:11:19,820 --> 00:11:21,620
Now we have our client handler.

183
00:11:21,620 --> 00:11:22,580
All right, cool.

184
00:11:22,600 --> 00:11:25,180
So they have a client.

185
00:11:25,180 --> 00:11:29,280
It's an agent because we're all blue teamers here, but don't do anything nefarious.

186
00:11:30,700 --> 00:11:33,080
Essentially all it does, it's just, it's sitting there.

187
00:11:33,080 --> 00:11:40,820
This is all going to be interacting with a PowerShell agent that's on the backside, right?

188
00:11:40,820 --> 00:11:42,020
So it's in here.

189
00:11:42,100 --> 00:11:43,300
It's waiting for a queue.

190
00:11:43,300 --> 00:11:52,840
I am using PowerShell queues because using a multi-thread handler, I don't know how many connections are happening necessarily, or I don't really care, right?

191
00:11:52,840 --> 00:11:55,140
They don't necessarily care, right?

192
00:11:55,140 --> 00:12:03,620
But if I have a queue here, I can send 50 commands all at once and they will execute sequentially.

193
00:12:03,640 --> 00:12:07,440
Or if I hit 50 end users, right?

194
00:12:07,440 --> 00:12:14,860
And they come back and they tell me, this is what we received back from what you requested, right?

195
00:12:16,400 --> 00:12:17,260
That's cool.

196
00:12:17,260 --> 00:12:21,340
But I want to see them sequentially, one by one by one by one, because I'm a human.

197
00:12:21,340 --> 00:12:23,620
I can't see them all at the same time.

198
00:12:23,620 --> 00:12:25,140
So I decided to go with queues.

199
00:12:25,140 --> 00:12:28,120
Also too, queues have an embedded wait.

200
00:12:28,560 --> 00:12:34,220
So let's say I'm cloning, I'm cloning this place here.

201
00:12:34,220 --> 00:12:34,840
Okay.

202
00:12:34,880 --> 00:12:42,360
And my Wi-Fi sucks here, whether it's my Wi-Fi, their Wi-Fi, like whatever, but I've already sent it down the chain.

203
00:12:42,540 --> 00:12:45,360
It's just, it just sits in that queue until it goes.

204
00:12:45,360 --> 00:12:46,000
All right.

205
00:12:46,000 --> 00:12:52,100
And like where most of us are probably aware of like FIFO and all that stuff, like first in first out.

206
00:12:52,260 --> 00:12:55,920
So this is not that it's actually the opposite.

207
00:12:55,920 --> 00:13:00,360
So like with a queue, it's like it's first in, last out, and that's, that's what happens.

208
00:13:00,360 --> 00:13:13,640
So I can send, I can have a whole bunch of commands that I send out and then they will one by one by one be sent to every single client that's sitting here talking to the server.

209
00:13:13,640 --> 00:13:18,780
I can also receive every command back from all of those servers.

210
00:13:18,780 --> 00:13:19,680
Doesn't matter.

211
00:13:19,680 --> 00:13:20,060
Right.

212
00:13:20,060 --> 00:13:28,840
And I put in a nice, you know, a sequential manner of like this one came in and this one came in and this one came in and this one came in.

213
00:13:28,840 --> 00:13:31,300
So that's what we did.

214
00:13:34,960 --> 00:13:35,720
All right.

215
00:13:35,720 --> 00:13:53,820
So from my, my issue again, like I said, was I didn't want to sit at a Linux machine or a Kali machine or anything like that, because unless, unless you're a red teamer or whatever, like what are the odds that when somebody gets up and, you know, by the way,

216
00:13:53,820 --> 00:13:56,500
I do different types of villages and stuff like that.

217
00:13:56,500 --> 00:14:06,560
And it's always realistic, but what are the odds that you're going to sit down and like, Oh man, he has Kali Linux and he's domain joined and he's like, that's come on, man.

218
00:14:06,560 --> 00:14:07,460
That's not what's up.

219
00:14:07,460 --> 00:14:07,940
Right.

220
00:14:08,040 --> 00:14:14,000
That's not going to happen, but I can set up, especially if I already know something about the environment, right?

221
00:14:14,000 --> 00:14:21,480
Like I can set something up anywhere, run that server, that I'm going to sit down anywhere.

222
00:14:21,740 --> 00:14:30,320
And from that, using Flask, I can use endpoints and based on the endpoints that I hit, I'm able to run specific code, right.

223
00:14:30,320 --> 00:14:38,240
And it'll run against that, that pwned, I'm sorry, where it, that the agent is installed.

224
00:14:39,080 --> 00:14:40,400
So cool.

225
00:14:44,480 --> 00:14:47,920
The second thing that I did was so that, so that's cool.

226
00:14:49,040 --> 00:14:58,280
I'm using HTTP awesome to interact with another server anywhere else in the world, but it's still a C2 server.

227
00:14:58,280 --> 00:15:00,680
So what happens if that port gets killed, right?

228
00:15:00,680 --> 00:15:05,060
Like I use a port like 1337, like that's stupid.

229
00:15:05,060 --> 00:15:06,540
And they kill that port off.

230
00:15:06,540 --> 00:15:07,180
Right.

231
00:15:07,520 --> 00:15:09,820
You could actually just go to a website.

232
00:15:09,820 --> 00:15:11,320
So can you browse the internet?

233
00:15:11,960 --> 00:15:13,120
That's cool.

234
00:15:13,700 --> 00:15:14,040
Yeah.

235
00:15:14,280 --> 00:15:18,500
Based on the types of methods that you've sent to, to this website, right.

236
00:15:18,800 --> 00:15:21,580
So I've got this slash pwned.

237
00:15:21,580 --> 00:15:33,080
So whatever your, your URL is like, whatever your IP address is slash pwned, you can send any command as a and it doesn't need to, at this point be a one line string.

238
00:15:33,080 --> 00:15:38,520
And if anybody wants to help me with some of that, all right, but it doesn't need to be one line string.

239
00:15:39,320 --> 00:15:44,400
You can have that in the body of your, of your get request, or I'm sorry, of your post request, right?

240
00:15:44,400 --> 00:15:46,520
And you can just post it to pwn.

241
00:15:47,300 --> 00:15:48,200
And guess what?

242
00:15:48,200 --> 00:15:49,920
It sits there in the command queue.

243
00:15:50,020 --> 00:15:54,480
And now everything else that's pwned is waiting for that command to also come down.

244
00:15:54,480 --> 00:16:01,560
So you don't ever have to be sitting at your Linux box, your Kali box, your any other box.

245
00:16:01,560 --> 00:16:07,640
You can just, oh, I know the IP address of this arbitrary server that I set up and I hit it here.

246
00:16:07,920 --> 00:16:08,720
And that's cool.

247
00:16:08,720 --> 00:16:09,540
It does stuff.

248
00:16:11,780 --> 00:16:13,120
That's basically that page.

249
00:16:13,140 --> 00:16:14,040
I'll tell you that.

250
00:16:14,940 --> 00:16:20,660
So I am not a front end guy and you're going to see in a minute, like I am not a front end guy.

251
00:16:20,840 --> 00:16:37,560
So I don't make stuff the most pretty, but everything that, that happens, you do get in real time, you get feedback back from a command that you send, but we have a log file that's created and then the log file, it's beautiful.

252
00:16:37,560 --> 00:16:39,220
You open the log file, you cat that thing.

253
00:16:39,220 --> 00:16:40,820
It's, it's amazing.

254
00:16:40,980 --> 00:16:41,740
Just that.

255
00:16:41,740 --> 00:16:44,600
And that's all this Microsoft, just like object handling shit.

256
00:16:44,600 --> 00:16:44,880
Right.

257
00:16:44,880 --> 00:16:46,140
It's very cool.

258
00:16:46,200 --> 00:16:48,280
Again, I apologize for the children in the back.

259
00:16:48,280 --> 00:16:49,360
That was another cuss word.

260
00:16:49,360 --> 00:16:50,640
Man, I'll put it in my jar.

261
00:16:50,640 --> 00:16:51,400
Thank you, Rochelle.

262
00:16:51,400 --> 00:16:52,280
I'll put it in my jar.

263
00:16:56,230 --> 00:16:56,950
Cool.

264
00:16:57,710 --> 00:16:58,970
Sending commands.

265
00:16:59,310 --> 00:17:00,030
They're important.

266
00:17:01,490 --> 00:17:07,290
So the way that it kind of works is, for instance, that's just PowerShell, right?

267
00:17:07,290 --> 00:17:10,950
This line on here, all red, that's just, just normal PowerShell command.

268
00:17:10,950 --> 00:17:14,830
Let's, let's get some information about some object that exists somewhere.

269
00:17:14,830 --> 00:17:21,510
So what we do is we throw that, we throw that into the, the, uh, the queue and it sits there, right?

270
00:17:21,510 --> 00:17:22,490
We get a feedback.

271
00:17:22,490 --> 00:17:23,030
Sure.

272
00:17:23,030 --> 00:17:24,270
It's sitting in the queue.

273
00:17:24,370 --> 00:17:25,790
We don't really care.

274
00:17:25,790 --> 00:17:26,870
That doesn't give us anything.

275
00:17:26,870 --> 00:17:27,510
Okay.

276
00:17:27,510 --> 00:17:28,490
That's fine.

277
00:17:28,490 --> 00:17:36,970
But that's when the normal C2 stuff happens because the C2 was sitting there with a listener, always waiting to see if the variable is null or not.

278
00:17:36,970 --> 00:17:41,030
And if not null, send it.

279
00:17:41,690 --> 00:17:43,270
So that's what we do.

280
00:17:44,170 --> 00:17:45,550
I got too excited.

281
00:17:45,550 --> 00:17:46,270
I'm sorry.

282
00:17:46,870 --> 00:17:49,570
I feel like my voice is big enough for this room.

283
00:17:49,570 --> 00:17:52,370
I'm just letting you know, but we'll do it.

284
00:17:54,050 --> 00:17:54,830
Can you hear me now?

285
00:17:54,910 --> 00:17:55,670
Cool.

286
00:17:55,910 --> 00:17:57,390
So that's, that's what we do.

287
00:17:57,390 --> 00:17:59,210
We just, we just send it, dog.

288
00:17:59,290 --> 00:18:01,310
Um, and that's exactly what we do.

289
00:18:01,310 --> 00:18:06,490
So like, this is an example of how you can read from a file, both locally and remotely.

290
00:18:06,490 --> 00:18:07,110
That's it.

291
00:18:11,190 --> 00:18:11,790
Cool.

292
00:18:11,790 --> 00:18:13,390
Let's get into some code.

293
00:18:13,390 --> 00:18:23,110
Uh, so this is our agent and this is just a, an example of what you could use with a server because my tool is the server.

294
00:18:23,110 --> 00:18:24,530
My tool is not the agent.

295
00:18:24,830 --> 00:18:28,250
How you want to send data back and everything else like that.

296
00:18:28,250 --> 00:18:29,670
And if you go to my GitHub, it's fine.

297
00:18:29,670 --> 00:18:35,810
There's, it's parameterized and you can throw in, you can, you can test around, right?

298
00:18:35,810 --> 00:18:37,310
But I'm not just going to put something out there.

299
00:18:37,310 --> 00:18:39,590
That's like, let's do it.

300
00:18:39,590 --> 00:18:40,090
Okay.

301
00:18:40,210 --> 00:18:43,710
Um, but here let's forget about all this.

302
00:18:43,710 --> 00:18:44,590
This is a client.

303
00:18:44,590 --> 00:18:46,190
The client is this pops it.

304
00:18:46,190 --> 00:18:47,110
This is some code.

305
00:18:47,110 --> 00:18:48,330
This is native PowerShell code.

306
00:18:48,330 --> 00:18:56,630
So unless you have like a, an EDR or something else that's like looking for specific types of parameters inside of PowerShell, like this is not going to pop.

307
00:18:56,630 --> 00:18:57,370
It's not malicious.

308
00:18:57,370 --> 00:18:58,390
It's not malware.

309
00:18:58,390 --> 00:19:04,250
This is just native PowerShell code interacting with the internet, the way that computers do.

310
00:19:04,550 --> 00:19:08,830
So, um, what we've done, we create a new object.

311
00:19:08,830 --> 00:19:10,650
It's a stream in the stream.

312
00:19:10,650 --> 00:19:12,250
We're able to take stuff in.

313
00:19:12,250 --> 00:19:14,850
We read the lines from the stream, right?

314
00:19:14,850 --> 00:19:16,910
We break it after it's done.

315
00:19:16,970 --> 00:19:23,150
Um, assuming that we get an exit command, exit command comes in, the entire connection is done.

316
00:19:23,150 --> 00:19:25,530
Everything is out of there.

317
00:19:25,530 --> 00:19:30,650
So from the, from the client and from the server, you can make sure that that's gone.

318
00:19:30,650 --> 00:19:32,970
And here, this is the, the golden ticket.

319
00:19:33,490 --> 00:19:38,150
Sorry, I did touch your screen, but this is the golden ticket, right?

320
00:19:38,150 --> 00:19:39,310
The invoke expression, right?

321
00:19:39,310 --> 00:19:43,770
We all know the IEX, that's pretty hot stuff that's happening right now.

322
00:19:43,770 --> 00:19:49,030
So IEX will take a string, any string doesn't matter how long.

323
00:19:49,030 --> 00:19:55,150
I do think there's a character limit, but generally speaking, it doesn't matter how long it will take that string.

324
00:19:55,390 --> 00:19:58,710
It'll write it out into a terminal shell.

325
00:19:58,710 --> 00:19:59,670
Okay.

326
00:19:59,670 --> 00:20:01,330
And then I'll run it as is.

327
00:20:01,330 --> 00:20:09,170
So all of your, all of your like, like one ticks, your double ticks, your apostrophes, your semi-colons, whatever, doesn't matter.

328
00:20:09,170 --> 00:20:10,570
It took it as a string first.

329
00:20:10,570 --> 00:20:13,290
And then now it's reading us all in memory.

330
00:20:13,290 --> 00:20:16,270
Nothing gets written down to disk or anything else like that.

331
00:20:16,270 --> 00:20:23,230
So if you have EDR or, you know, you, you have some system that's, that's looking for stuff.

332
00:20:23,230 --> 00:20:27,630
This is something that runs in memory, because again, this is not malicious.

333
00:20:27,630 --> 00:20:30,550
The agent is not malicious at all.

334
00:20:38,130 --> 00:20:39,010
Oh, look at that.

335
00:20:39,010 --> 00:20:39,690
I have graphics.

336
00:20:39,690 --> 00:20:40,750
I don't even know, man.

337
00:20:40,930 --> 00:20:42,670
Wait, does it do the thing?

338
00:20:42,750 --> 00:20:43,510
Let's do it again.

339
00:20:43,510 --> 00:20:44,470
Oh, it does it again.

340
00:20:44,470 --> 00:20:45,210
Let's go.

341
00:20:45,830 --> 00:20:46,430
Cool.

342
00:20:46,450 --> 00:20:46,750
All right.

343
00:20:46,750 --> 00:20:47,890
So what's next?

344
00:20:48,230 --> 00:20:51,850
So the, too many, too many.

345
00:20:51,870 --> 00:20:52,210
All right.

346
00:20:52,210 --> 00:20:53,270
So what's next?

347
00:20:53,270 --> 00:20:53,650
All right.

348
00:20:53,650 --> 00:20:56,530
So what we're doing, man, you guys have been deadwood for three days.

349
00:20:56,530 --> 00:20:57,490
Come on, relax.

350
00:20:57,830 --> 00:20:59,230
I drank with you last night.

351
00:20:59,230 --> 00:21:00,230
I'm pretty sure, man.

352
00:21:03,570 --> 00:21:05,330
So, so what's next?

353
00:21:05,330 --> 00:21:08,530
So I actually do have an HTTP cradle that's there.

354
00:21:08,530 --> 00:21:08,990
Right.

355
00:21:08,990 --> 00:21:13,250
So let's say your C2 ports get knocked out.

356
00:21:13,250 --> 00:21:13,930
You can't do that.

357
00:21:13,930 --> 00:21:20,430
Or it's in an environment where like ports are very, very much locked down, but like 80 or 8080, they're usually good.

358
00:21:20,530 --> 00:21:22,010
443 is pretty good.

359
00:21:22,110 --> 00:21:36,270
So you can absolutely come into this exact same framework and you can, you can post things into, into a URI, URI endpoint, and it'll take the command.

360
00:21:36,270 --> 00:21:38,330
It'll send it down, add it to the queue.

361
00:21:38,910 --> 00:21:46,570
Same thing is everything that comes out, every response that comes out, you can go to URI and you can also get that information.

362
00:21:46,570 --> 00:21:52,850
You never need to touch that original like Linux box or Kali box or whatever.

363
00:21:52,850 --> 00:21:58,670
You can be in your phone, your, I don't know, ATMs, calculators, everything's smart nowadays.

364
00:21:58,670 --> 00:21:59,110
Right.

365
00:21:59,610 --> 00:22:14,110
So what I want to do now, and like the biggest piece, and if anybody's here that has ideas or whatever, I am super open, is I'll say like HTTP with HTTPS, right?

366
00:22:14,110 --> 00:22:16,290
Like we're going to encrypt this and go through.

367
00:22:16,610 --> 00:22:19,450
Technically you can do this all the way through like Cloudflare now.

368
00:22:19,450 --> 00:22:23,970
You don't have to like, you can add HTTPS without adding HTTPS.

369
00:22:24,510 --> 00:22:26,050
So that's cool.

370
00:22:26,250 --> 00:22:32,950
But really what I want to do, it's, it's, it's this Azure, this, this OpenAI.

371
00:22:35,410 --> 00:22:40,570
I want to be able to leverage, leverage the OpenAI API.

372
00:22:40,770 --> 00:22:46,710
And what I mean by that is so, so far, sorry for TriMark, we have the TriMark checks.

373
00:22:46,710 --> 00:22:51,230
I don't know if you guys know about us, but want to know how your AD environment works?

374
00:22:51,890 --> 00:22:53,310
Run this PowerShell script.

375
00:22:53,310 --> 00:22:58,770
It's going to give you somewhat of an idea, and then you come to us and we make it better for you, right?

376
00:22:59,170 --> 00:23:08,770
So what I've done here is I have just created a nice, so this is using, um, LangChain, which is amazing.

377
00:23:08,770 --> 00:23:15,370
And it just, it's ChatGPT, it's leveraging that LLM and it's over Microsoft servers, all that stuff.

378
00:23:15,370 --> 00:23:19,090
But what's, what's cool about it is, uh, you can take a single PowerShell script.

379
00:23:19,310 --> 00:23:24,370
Doesn't matter if it's three lines or 50 lines or whatever.

380
00:23:24,370 --> 00:23:28,510
I have not yet been able to, to handle, um, modules.

381
00:23:28,510 --> 00:23:35,430
So if you have to import modules, I haven't done that yet, but here you can just copy and paste any PowerShell script.

382
00:23:35,430 --> 00:23:37,490
It'll one line it, right?

383
00:23:37,490 --> 00:23:49,770
It'll take out and, and, and do all, all of the things that are needed for the, for the strings in Python, like to send it as a Python string down to your PowerShell client and run that as an invoked expression.

384
00:23:54,860 --> 00:23:55,660
All right.

385
00:23:56,360 --> 00:24:01,720
And this, this is the point where normally I'm like, Hey, let's go answer the internet.

386
00:24:01,720 --> 00:24:03,260
Let me show you what's happening in my house.

387
00:24:03,260 --> 00:24:03,980
All right.

388
00:24:04,080 --> 00:24:07,900
Uh, you guys have been deadwood for the last few days.

389
00:24:07,900 --> 00:24:08,540
Internet sucks.

390
00:24:08,580 --> 00:24:16,760
So I am going to give you like a little, a little taste of something that, that I've shown a while back.

391
00:24:17,360 --> 00:24:18,180
All right.

392
00:24:18,180 --> 00:24:20,100
So here's what we're looking at.

393
00:24:20,100 --> 00:24:22,220
So this is, this is the file server that's running here.

394
00:24:22,220 --> 00:24:25,800
I apologize for, for how it looks now, but I'm dealing with technology.

395
00:24:26,180 --> 00:24:29,560
Um, and this, this is just a, this is the client server.

396
00:24:29,560 --> 00:24:36,940
So if you were to come out here, what, what I'm showing is that I have a parameterized, um, URL.

397
00:24:36,940 --> 00:24:46,440
So after you go to CMD and you have a you can type in any arbitrary, like power, PowerShell command, any CMD command, and it will run.

398
00:24:46,440 --> 00:24:46,900
All right.

399
00:24:46,900 --> 00:24:52,640
And it does pop up here to give you a nice little glance of like, what came back?

400
00:24:52,640 --> 00:24:53,380
Did I even work?

401
00:24:53,380 --> 00:24:54,280
Do I even care?

402
00:24:54,280 --> 00:24:54,760
Whatever.

403
00:24:54,760 --> 00:24:57,020
But every single thing that you do now, right.

404
00:24:57,020 --> 00:25:01,540
From the time that we had the connection is it's all locked and it's beautiful.

405
00:25:01,540 --> 00:25:05,120
It's JSONified for those that know JSONify.

406
00:25:05,260 --> 00:25:06,980
But it is, it is, it's a beautiful thing.

407
00:25:06,980 --> 00:25:07,300
Right.

408
00:25:07,440 --> 00:25:10,160
So here we are like, who am I?

409
00:25:10,160 --> 00:25:14,020
I'm just hitting, just, just, I'm throwing out random ass commands.

410
00:25:14,180 --> 00:25:21,280
And it's just to show that like anything that you could run natively within the context of the user that you're in the session that you're in.

411
00:25:21,280 --> 00:25:21,700
Yeah.

412
00:25:21,700 --> 00:25:23,000
You can throw that up in PowerShell.

413
00:25:23,000 --> 00:25:23,940
So here we go.

414
00:25:23,940 --> 00:25:24,280
Right.

415
00:25:24,280 --> 00:25:25,980
We're going to name some, some administrators.

416
00:25:26,240 --> 00:25:26,840
Okay.

417
00:25:26,840 --> 00:25:30,720
Like I can be in China right now and just hit in.

418
00:25:31,120 --> 00:25:32,800
I do have to refresh some mods.

419
00:25:32,800 --> 00:25:34,740
That's a Flask issue, but cool.

420
00:25:34,740 --> 00:25:36,240
So now I get all the admins.

421
00:25:36,240 --> 00:25:38,180
So in that like Azure directory environment, right.

422
00:25:38,180 --> 00:25:40,260
Or a name like admin.

423
00:25:40,260 --> 00:25:40,640
Okay.

424
00:25:40,660 --> 00:25:47,060
And so every, every single command that we send out, you're like, you're able to modify it and things like that.

425
00:25:47,060 --> 00:25:51,640
So here I've gone through the log file and you can see every single thing that's here.

426
00:25:51,640 --> 00:25:53,820
Bruce Wayne, cause I'm Batman.

427
00:25:54,880 --> 00:25:56,760
It's all there.

428
00:25:56,980 --> 00:26:00,960
And like I said, when you go to log file itself, it's beautiful.

429
00:26:01,440 --> 00:26:06,160
So this is help me help you help us.

430
00:26:06,340 --> 00:26:06,660
All right.

431
00:26:06,660 --> 00:26:08,180
So this is, this is the cool shit.

432
00:26:08,180 --> 00:26:08,840
All right.

433
00:26:08,840 --> 00:26:20,540
So what I'm trying to do now, and it works semi in that you can take a PowerShell script, a run PowerShell script, no modules that need to be imported or anything else like that.

434
00:26:20,540 --> 00:26:20,860
Right.

435
00:26:20,860 --> 00:26:23,460
And you can copy and paste your PowerShell script into this.

436
00:26:23,720 --> 00:26:24,980
It will try its best.

437
00:26:24,980 --> 00:26:26,840
And this is based on OpenAI.

438
00:26:26,900 --> 00:26:32,340
And I have a preset prompt for it.

439
00:26:32,340 --> 00:26:41,780
It'll try to one line it, flatten it down, send it across as a, well, it'll one line it, flatten it down, look at it as a string.

440
00:26:41,960 --> 00:26:45,520
Python will then escape out all the characters that need to be escaped out.

441
00:26:45,520 --> 00:26:47,960
And then it is sent down that C2 server.

442
00:26:47,960 --> 00:26:51,240
So like, you don't have to know like, Oh, I want to use PowerUp.

443
00:26:51,240 --> 00:26:55,980
I want to try my checks because you do.

444
00:26:56,020 --> 00:26:56,440
Right.

445
00:26:56,840 --> 00:27:00,040
And then you copy and paste and it works.

446
00:27:01,340 --> 00:27:02,820
So that that's really what it is.

447
00:27:02,820 --> 00:27:03,960
It's an ongoing project.

448
00:27:03,960 --> 00:27:16,160
And that's, that is what I, what I have worked on, what I'm building now is like, you can be anywhere else in the world, across the internet, anything HTTP, you have a browser and you can interact with a Microsoft environment.

449
00:27:16,160 --> 00:27:16,460
Okay.

450
00:27:16,480 --> 00:27:25,220
So one of the things that I have as well, and I wish I was able to show it to you now, is the fact that we're, we're integrating with BloodHound and AzureHound and all those things.

451
00:27:25,220 --> 00:27:34,140
So like you can literally throw anything that's in here and it will, it will just like 85% depends.

452
00:27:34,140 --> 00:27:36,040
It depends on how people write, write code.

453
00:27:36,040 --> 00:27:36,680
Right.

454
00:27:36,840 --> 00:27:41,180
But that is, that's what I've got going on guys is Adam and Eve.

455
00:27:41,180 --> 00:27:55,540
And I am so open for anybody that has any kind of like contribution to how to make it better or cooler, but I want to figure out how I could C2 this, specifically a Microsoft environment, because that's what we do.

456
00:27:55,540 --> 00:27:58,540
C2 a Microsoft environment without being in the environment.

457
00:27:58,540 --> 00:28:00,280
And I can be anywhere in the world.

458
00:28:00,420 --> 00:28:06,660
And this runs as if I was sitting at a computer hardline and into like the DC.

459
00:28:06,940 --> 00:28:14,600
So you said you're integrated with BloodHound, but it's kind of as if it might, correct me if I'm wrong, but are they doing the same thing as BloodHound?

460
00:28:14,600 --> 00:28:14,920
All right.

461
00:28:14,920 --> 00:28:16,140
So that's a great question, man.

462
00:28:16,140 --> 00:28:18,480
So it's not BloodHound.

463
00:28:18,480 --> 00:28:20,020
It's not doing any of the work.

464
00:28:20,020 --> 00:28:22,560
It is facilitating the communication.

465
00:28:22,860 --> 00:28:24,660
So BloodHound, Rohan, good dude.

466
00:28:24,660 --> 00:28:26,200
I eat lunch with him every January.

467
00:28:26,200 --> 00:28:27,020
That's what we do.

468
00:28:27,020 --> 00:28:27,300
All right.

469
00:28:27,300 --> 00:28:30,340
So he came through TriMark, humble brag, right?

470
00:28:30,340 --> 00:28:34,120
He came to TriMark and he actually went through our training before he created BloodHound.

471
00:28:34,280 --> 00:28:36,480
So we know BloodHound very, very well.

472
00:28:36,480 --> 00:28:49,080
So what you would do is you would run BloodHound natively in an iPhone environment, and then you would send your commands and then you would receive your Sharp, your SharpHound stuff essentially back through the C2.

473
00:28:49,360 --> 00:28:49,860
Okay.

474
00:28:49,860 --> 00:28:50,200
Right.

475
00:28:50,200 --> 00:28:58,440
And your, your database is running wherever you want your database to run, but like the commands back and forth, SharpHound, again, that's a PowerShell script.

476
00:28:58,520 --> 00:28:59,860
Send it.
