Exploit capability may be achieved through proxying traffic from C2 out the agent host. No need to add eldritch features. Can bring your own exploits. Downside being you lose some integration with the automation and logging.
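The approach the comment describes, proxying traffic from the C2 out through the agent host so the operator can bring their own exploits, as an added example that is not part of this discussion or of the realm/eldritch project: a minimal TCP pivot relay that listens on the agent host and forwards each connection to a target. The optional data hook is the one point where the logging integration the comment says you give up could be bolted back on. The names PivotRelay, echo_server and demo are invented for this example, and the echo service stands in for something reachable only from the agent host.

```python
"""Minimal TCP pivot relay: accept connections on the agent host and forward them to a
target, so an operator can point their own tooling at the relay instead of building
exploit features into the agent. Added illustration only, not realm/eldritch code."""
import socket
import threading
from contextlib import suppress
from typing import Callable, List, Optional, Tuple

Addr = Tuple[str, int]
DataHook = Optional[Callable[[str, bytes], None]]


def _pump(src: socket.socket, dst: socket.socket, tag: str, hook: DataHook) -> None:
    """Copy bytes src -> dst until src hangs up, then half-close dst."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            if hook:
                hook(tag, chunk)  # the one place relayed traffic can still be logged
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # tell dst no more data is coming this way


class PivotRelay:
    """Listen on `bind` (default: loopback, kernel-chosen port) and relay to `target`."""

    def __init__(self, target: Addr, bind: Addr = ("127.0.0.1", 0), hook: DataHook = None):
        self.target, self.hook = target, hook
        self._lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._lsock.bind(bind)
        self._lsock.listen(16)
        self.bound: Addr = self._lsock.getsockname()[:2]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self._lsock.accept()
            except OSError:
                return  # listener closed by close()
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client: socket.socket) -> None:
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()  # target unreachable from the agent host
            return
        upstream.settimeout(None)  # connect timeout only; relayed sessions may idle
        # One thread per direction; each half-closes the other side when its source
        # hangs up, so request/response flows drain cleanly before both sockets close.
        pumps = [
            threading.Thread(target=_pump, args=(client, upstream, "c2->target", self.hook), daemon=True),
            threading.Thread(target=_pump, args=(upstream, client, "target->c2", self.hook), daemon=True),
        ]
        for p in pumps:
            p.start()
        for p in pumps:
            p.join()
        client.close()
        upstream.close()

    def close(self) -> None:
        with suppress(OSError):
            self._lsock.shutdown(socket.SHUT_RDWR)  # wakes a blocked accept() on Linux
        self._lsock.close()


def echo_server() -> Tuple[Addr, Callable[[], None]]:
    """Constructed stand-in for a service reachable only from the agent host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while data := conn.recv(4096):
                    conn.sendall(data)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[:2], srv.close


def demo(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> Tuple[bytes, List[Tuple[str, int]]]:
    """Push `payload` through the relay to the echo target; return the reply and traffic log."""
    log: List[Tuple[str, int]] = []
    target, stop_target = echo_server()
    relay = PivotRelay(target, hook=lambda tag, data: log.append((tag, len(data))))
    try:
        with socket.create_connection(relay.bound, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # done sending; the half-close propagates to the target
            reply = b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        relay.close()
        stop_target()
    return reply, log
```

Running `demo()` binds the relay and the constructed echo target on loopback, sends the payload through the relay and returns the echoed reply together with a per-direction byte log. In a real deployment the agent would bind the relay on the pivot host and the target would be a service on the internal network; the trade-off the comment points at is visible in the code, since anything the operator does through the relay is only recorded if a hook is supplied, whereas actions run as agent features are logged by the C2 itself.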
Problem
Most teams don't have the ability to practice with a live red team.
Solution
To help augment their practices we should build a leave-behind to perform automated red teaming. Leveraging eldritch tomes we can build playbooks that perform initial access and deploy payloads in a team's test environment. After each event we can give them an "initial salvo" or "low hanging fruit" playbook for future practice.
To make this possible eldritch will need to support initial access / deployment / pivoting methods: SSH, SMB, WinRM.
This will also give us the added values of:
A reach goal in this vein: If environments have vulnerable services we could build exploits into the eldritch language to take advantage of those natively. This is a bigger discussion though with many implementation considerations such as whether we want to build exploits in the language or exploit "building blocks". Specifically thinking about common web vulnerabilities and being able to build / modify them on the fly.
Workflow for teams
Additional considerations
If we achieve goals with the realm C2 recording all actions against targets, we should be able to export that activity log to a single eldritch tome / bundle and hand that off to teams, eliminating the need for red teamers to compile a playbook manually.
TL;DR
Doing:
• Add "access" methods to eldritch such as WinRM, SMB, and SSH.
Gives us:
• Able to give teams a leave behind so they can try detecting the actions we perform.
• Initial deployment written in eldritch
• Ability to ignore the worker concept opting instead to install an agent on our jump box.
• Pivoting using native code