Cortana: Rise of the Automated Red Team...Title Cortana: Rise of the Automated Red Team Author Raphael Mudge Subject Cortana: Rise of the Automated Red Team Keywords Defcon, DEF CON,

!"#$%&%'()*+'",'$-+''

./$"0%$+1'(+1'2+%0'

!"#$"%&'()*+%',"-./0"+%$"12%-'

!"#$"%#&'

!  !"#$%&'()*+!  ,'&-")"+!  ./0-&/1(-2*+!'-0+!  3'0-42567'/-"-/')+!  !28"9/'&+:'*/;#"-/')+!  <02&+=)-2&>"#2+

?8/0+@'&$+@"0+A"*2+6'00/172+-8&'(%8+.BC3BD0+,E12&+F"0-+?&"#$+6&'%&"AG+

()*+'+)%,'+*-.'%,'/0+'

!  H'-+"+,'&-")"+-(-'&/"7++!  I'A2+>2"-(&20+"&2+0$/662*+2)-/&27E+!  B)+2567'&"-/')+'>+-82+0'>-@"&2+"%2)-+6&'%&"AA/)%+6"&"*/%A+"  ?8/0+/0+0"*+"  !2#"(02+/-+/0+>()+"  #+

102*34,'50*-,'

!  .2A')0-"-2+@8"-+,'&-")"+#")+*'+!  ,'92&+A"J'&+>()#-/')"7/-E+!  K)#'(&"%2+E'(+-'+-&E+/-G+

6/+$0278+%0/9':*;)*#-'<72=#'

!  F'&A2&7EL+=C,+M":2C+! .2927'62&L+J=C,//+=C,+,7/2)-+! .2927'62&L+I7226+I#&/6-/)%+M")%("%2+! .2927'62&L+B&A/-"%2+!  F'()*2&L+I-&"-2%/#+,E12&+MM,+

6/+$0278+%0/9'>6:?%%'

6/+$0278+%0/9'@-##;'

!  32&7+/)06/&2*+0E)-"5+!  !(/7-+')+N"9"+!  K5-2)0/172+!  IA"77O+PQRSTU!V+!  KA12**2*+/)+J=C,//+

6/+$0278+%0/9'A$B%+*=#'

A$B%+*=#'?0--*C0$*+%0/'

?0$+*/*9'()*+'%,'%+D'

! B+I#&/6-/)%+M")%("%2+-'W+" B(-'A"-2+:2-"067'/-+F&"A2@'&$+" K5-2)*+B&A/-"%2+

?0$+*/*9'()*+'%,'%+D'

1)#'@0E+&*$#'A=#/+'F#/,#G'

!  ,'&-")"+/0+"+*'A"/)4062#/;#+7")%("%2+-'+*2927'6+XB%2)-0Y+-8"-+#')*(#-+#E12&+'62&"-/')0Z+

!  ?2"A+02&92&+6&'9/*20+*/0-&/1(-2*+#'AA()/#"-/')++!  :2-"067'/-+'[2&0+#"6"1/7/-/20+")*+*"-"+A'*27+!  ,'&-")"+'[2&0+A2")0+-'+#&2"-2+7')%+&())/)%+"%2)-0+-8"-+62&#2/92+#')-25-+")*+&206')*+-'+/-G++

!  ,'&-")"+"70'+6&'9/*20+-''70+-'+*21(%L+()*2&0-")*L+")*+"00(&2+6'0/-/92+#')-&'7+'>+"%2)-0+

?0$+*/*9'()*+'%+'20#,'

! :2-"067'/-+,')-&'7+! ."-"+:")"%2A2)-+! 3'0-4K567'/-"-/')+! ?2"A+I2&92&+3"&-/#/6"-/')+! :'*/>E+B&A/-"%2+!28"9/'&+! K5-2)*+B&A/-"%2+<02&+=)-2&>"#2+

?0$+*/*9'A-+#$/*+%"#,'

!  K5-2)*+:2-"067'/-+F&"A2@'&$++" :'*(720+"  37(%/)0+"  C,+;720+

! :2-"067'/-+C3,+I2&92&+! A0>#7/+

3)*$#)4/$+1'5"$*'

H$0C-#BIII'

!  N'77EW+=-D*+12+)/#2+/>+-82&2+@"0+"+@"E+-'+$)'@+@82)+)2@+8'0-0\02&9/#20+6'6+(6+

!  ,8&/0W+=DA+#')0-")-7E+&())/)%+0#")0L+=D77+6(-+-82+*"-"+@82&2+292&+E'(+7/$2Z+

!  :2W+=+-8/)$+=+#")+8276Z+!  ,8&/0W+=+*')D-+@")-+-'+/A6'&-+AE+0#")0+292&E+A/)(-2G+,")+@2+"(-'A"-2+-8/0]+

J*8.=$07/29'K"#/+'F%,+#/#$,'

+ +')+292)-^)"A2+_++ +`+*'+-8/0+0-([++ +`+ab+c+;&0-+"&%(A2)-+

+ + +`+aR+c+02#')*+"&%(A2)-++ + +`+a)+c+)-8+"&%(A2)-+

+d+

L*+*'K"#/+,''

L*+*'K"#/+,'

!  ,&2*2)-/"70+!  e'0-0+!  M''-0+!  C'(-20+!  I2&9/#20+!  I200/')0+

e'0-\I2&9/#2+H'-/>E+!'-+e'0-+=A6'&-+!'-+

A7+0'6B;0$+'

6"*$7+89:")$%$)"&'

H$0C-#B'

!  =+@")-+-'+#')-&'7+0200/')0+"  f/-8+A(7-/672+"#-'&0+(0/)%+-82A+"  f/-8+"00(&")#2+-8"-+-82+0#&/6-+@')D-+7'02+#')-&'7+

J*8.=$07/2'

!  =)-2&"#-/)%+@/-8+"+:2-2&6&2-2&+0200/')W+

!on meterpreter_command {!! !# $1 = session id!! !# $2 = command and arguments!! !# $3 = output }!

!m_cmd(session id, “command”);!

J*8.=$07/2'

!  =)-2&"#-/)%+@/-8+"+6&'#200+-8&'(%8+"+A2-2&6&2-2&+0200/')W+

!on exec_command {!! !# $1 = session id!! !# $2 = command and arguments!! !# $3 = output }!

!m_exec(session id, “command”);!

J*8.=$07/2'

!  =)-2&"#-/)%+@/-8+"+I8277+0200/')W+

!on shell_command {!! !# $1 = session id!! !# $2 = command and arguments!! !# $3 = output }!

!s_cmd(session id, “command”);!

B+#''7+*2A'+

5+-%;)"#'<"1),)=%$)"&'

H$0C-#B'

!  =+@")-+-'+"7-2&+8'@+B&A/-"%2+*'20+g+"  <02+"+*/[2&2)-+6"E7'"*+>'&+#2&-"/)+"--"#$0+"  =)-2%&"-2+"+*/[2&2)-+252#(-"172+@/-8+60252#+"  :'*/>E+B&A/-"%2+/#')+*/067"E+

J*8.=$07/2'

!  F/7-2&0L+8''$+")+"#-/')+")*+#8")%2+-82+6"&"A2-2&0+

filter some_filter_name { # inspect $1, $2, $3, etc.!!return @_;!} !

B)'-82&+#''7+*2A'+

>*+#'?&$+#,%=+'

H$0C-#B'

!  =+@")-+-'+25-2)*+B&A/-"%2+@/-8+)2@+>2"-(&20+"  =)-2%&"-2+-8/&*46"&-E+-''70+"  K56'02+:2-"067'/-+F&"A2@'&$+>2"-(&20+"  ,')-&'7+,'&-")"+#"6"1/7/-/20+

J*8.=$07/2'

!  ,'&-")"+0#&/6-0+A"EW+"  .2;)2+$2E1'"&*+08'&-#(-0+"  .2;)2+6'6(6+A2)(0+"  ,&2"-2+#')0'72+-"1+/)-2&>"#20+"  ,&2"-2+-"172+/)-2&>"#20+

?82+7"0-+#''7+*2A'+

?0$+*/*9'()*+'%,'%+D'

! B+I#&/6-/)%+M")%("%2+-'W+" B(-'A"-2+:2-"067'/-+F&"A2@'&$+" K5-2)*+B&A/-"%2+

@7BB*$3'

!  !"#$%&'()*+!  ,'&-")"+!  ./0-&/1(-2*+!'-0+!  3'0-42567'/-"-/')+!  !28"9/'&+:'*/;#"-/')+!  <02&+=)-2&>"#2+

?8/0+@'&$+@"0+A"*2+6'00/172+-8&'(%8+.BC3BD0+,E12&+F"0-+?&"#$+6&'%&"AG+

()#$#'+0'=0'E$0B')#$#G'

!  ?@/--2&W+h"&A/-"%28"#$2&+!  KA"/7W+&0A(*%2h%A"/7G#'A+

,'&-")"+/0+6'0-2*+"-W+

!  fffW+8--6W\\@@@G>"0-")*2"0E8"#$/)%G#'A+

Documents

Cortana: Rise of the Automated Red Team...Title Cortana: Rise of the Automated Red Team Author Raphael Mudge Subject Cortana: Rise of the Automated Red Team Keywords Defcon, DEF CON,