FortyNorth Security Blog

21 April 2023 How to Proxy VM Traffic through Burp Suite

By Adam Rose Recently, I was troubleshooting some Cobalt Strike C2 infrastructure in a Windows VM lab. To get a deeper understanding of the bugs I

17 April 2023 Extending (and Detecting) PersistAssist: Act II

In the previous PersistAssist post, we looked at how to create a new persistence module to automate backdooring a PSProfile at a user level. In this

13 April 2023 Introducing AutoFunkt: Automated Cloud Redirector Generation

By Adam Rose - During recent research into C2 traffic redirection techniques, we found the process of manually editing serverless cloud function code and configuration files

04 April 2023 Obfuscating C2 Traffic with Google Cloud Functions

IntroductionIn a previous article Maldoc Transfers in the Google Cloud, I wrote about using a Google Cloud Provider serverless function to serve malicious documents from a

27 March 2023 A Hacker's Journey

IntroductionTwo years ago I decided I wanted to be a penetration tester. Judging by the hundreds of posts I see on subreddits and Discord servers, this

02 March 2023 Maldoc Transfers in the Google Cloud

On a recent red team engagement, we faced the challenge of serving a backdoored Excel document as part of a social engineering campaign against an environment

24 January 2023 Extending PersistAssist: Act I

In our previous blog post, we introduced PersistAssist and briefly covered how to extend it. In this post, we'll go into more detail and walk through

10 November 2022 Finding Empty Systems

We've been on penetration tests before and have found the need to find a system that doesn't have a user currently logged in. Why, you might

05 September 2022 PersistAssist: Your Persistence Assistant!

Persistence is a vital aspect of a pentest or red team and ensures you don't lose your access after you've worked so hard to get it.

06 July 2022 net.exe vs C# - Adding Users and Changing Passwords

On a penetration test, we were performing for a customer, an odd scenario popped up, which caused us to write some code. We found an account

14 March 2022 Quickly Modify Shellcode Formats

tl;dr: Quickly and easily convert your raw binary output from Cobalt Strike (or any other source) into a variety of shellcode formats with either script

01 March 2022 Removing PowerShell Comments, Whitespace, and Handles

tl;dr: Python script that automates removing comments and newlines from PowerShell scripts https://github.com/FortyNorthSecurity/RandomScripts/blob/main/Cobalt Scripts/remove_comments.py It's

17 February 2022 HTTPSC2DoneRight (and Working)

tl;dr If you want an updated and working copy of httpsc2doneright, grab it here - https://github.com/FortyNorthSecurity/RandomScripts/blob/main/Cobalt Scripts/httpsc2doneright.

02 August 2021 Customizing C2Concealer - Part 2

Are you ready for further C2Concealer customization? Let's dive in.

12 July 2021 Customizing C2Concealer - Part 1

About a year ago, we publicly released our C2 malleable profile generator for Cobalt Strike, C2Concealer. You can read the initial blog post here. In the

08 June 2021 Ordinal Values, Windows Functions, and C#

There's many different techniques that an offensive security professional could use to try to have their code avoid detection by various AV and EDR products. Various

18 May 2021 What the F#*%

Check out our repo which has multiple F# injection routines, evasion techniques, and an unmanaged F# loader.

10 May 2021 Deploying a Hash Cracker in Azure

Before we begin, I know, yet another "guide to creating a hash cracker in [insert popular cloud service here]". Well, I was on a

26 April 2021 Meet EDD - He Helps Enumerate Domain Data

PowerView is by and far the defacto domain enumeration tool. We still use it on assessments and will likely do so where appropriate in the future.

06 April 2021 CIMplant Part 3: Good Ol' maxEnvelopeSize to Ruin the Day

This is the last part in the three part series on CIMplant. If you haven't seen the previous two, you can find them here: CIMplant Part

22 March 2021 A Limitation of Penetration Tests: Part 1

Penetration testing and other offensive cybersecurity assessments form an important component of most enterprise information security programs; indeed, many cybersecurity frameworks, such as PCI, require the

08 March 2021 CIMplant Part 2: A Deeper Look into the Creation

In the second part of our CIMplant series we'll take a deeper dive into the code of CIMplant and go over some of the more interesting

16 February 2021 CIMplant Part 1: Detection of a C# Implementation of WMImplant

Introduction Windows Management Instrumentation (WMI) has been around for several years as a way to gather information from and manage remote or local computers. WMImplant written

15 December 2020 Fastly and Fronting

Domain fronting has been around for some time now. It has its legitimate use cases for bypassing censorship along with use by pen testers, red teams,

07 December 2020 A CVE in our Executive Summary

What would you say the difference between an "operational" summary and an "executive" summary is? Find out our take on it in this quick read.

FortyNorth acquired by Red Siege!

We are happy to announce that FortyNorth Security has been acquired by Red Siege! Riskatto remains a separate product owned and operated by the creators of the product. Details on the announcment can be found here. Check out 👇 Red Siege Riskatto

FortyNorth Security Blog

We are happy to announce that FortyNorth Security has been acquired by Red Siege! Riskatto remains a separate product owned and operated by the creators of the product. Details on the announcment can be found here.

Check out 👇

Red Siege

Riskatto