High Output Management by Andy Grove is the best management book I’ve read. It is also the only one, but I don’t think that matters; it’s a classic for a reason. Written before I was born, the advice is timeless even if some of the terms aren’t. I had to look up what a “tickler” file was (a low tech reminder system).
Your job as a manager starts to make more sense if you change your thinking to consider how you and your team can be leveraged, i.e. making your team more effective. Prior experience leaves me realizing many managers don’t think in this way.
During a recent red team engagement I was looking into options for VB macro execution on MacOS. The enterprise system I was investigating had Adobe Acrobat installed along with Microsoft Office integrations basically adding an Adobe tab to Word and Excel to convert documents to PDF.
On a whim, I decided to take a look at how this might be working, and started poking around the file system. Turns out Adobe installs an AppleScript file to ~/Library/Application Scripts/com.microsoft.{Word,Excel,Powerpoint}/AcrobatUtils.scpt.
This post covers some notes on writing a small Go program to getsystem using named pipe impersonation.
If calling Windows APIs from Golang is relatively new to you, Breaking All the Rules: Using Go to Call Windows API is basically required reading. This how-to is a good intro as well. I also appreciate ropnop’s blog on Hosting CLR in GoLang, both for its technical info and his willingness to show his learning progression.
If an unwitting user runs a malicious macro-enabled document on a macOS system that has Sublime Text installed, an attacker can seamlessly escape the Office sandbox.
In effect:

- The MS Office sandbox allows writing files to arbitrary locations as long as they begin with ~$, with some exceptions
- The Sublime Text editor automatically loads (outside the sandbox) Python plugins from a user writable file path
After reading Patrick Wardle’s Office Drama on macOS, which outlined a persistence method leveraging a sandbox escape discovered by Adam Chester (see Escaping the Microsoft Office Sandbox), I did some rudimentary experimenting. Recent patches have precluded directly writing to LaunchAgents or Application Scripts, but files can still be written to other user writable paths as long as they start with ~$.
Over the past few years I’ve run into vulnerable Jenkins backups with anywhere from half a dozen to several hundred encrypted passwords, secrets, and keys to critical infrastructure. While there are a multitude of tools out there none of them behaved quite like I wanted, so I wrote my own and learned some Golang in the process.
The tool isn’t groundbreaking, but it does do something I haven’t seen available elsewhere, and that is the ability to decrypt files encrypted with Jenkins’ SecretBytes implementation offline - not using the Groovy console.
There’s not a lot written about creating new Hashcat modules. This is a brief tour of how I went about adding a new module and something I wish I had available a week ago. Hopefully after reading this you’ll have a better understanding of how the pieces work and be able to add new Hashcat modules more easily.
For what it’s worth, this is written from the perspective of someone who can barely read C. And while I refer to OpenCL a few times, if your crypto primitives aren’t supported already, this article probably won’t help you.
This is a quick post mostly for refreshing my memory in the future. I recently wanted to download the data Shodan had on a large corporate IP space with disparate ranges and several hundred thousand IP addresses for post processing.
As far as I can tell the Shodan help docs are scattered across too many pages and domains and subdomains. There are a few guides out there on the basics of Shodan CLI and API but I didn’t see anything that documented things at a slightly larger scale so here are a few quick notes on gathering this data. Shodan needs no introduction, and the basics are well covered so I’ll dive in.
Several times now I’ve run across password hashes created by 389-ds, RedHat’s open source LDAP Directory Server solution. During a past red team operation I discovered a backup LDIF file which included hashed user passwords (think NTDS.dit but not as catastrophic). A number of the hashes were prepended with PBKDF2_SHA256.
While hashcat and john the ripper have support for most algorithms, they are at the moment lacking support for 389-ds’s PBKDF2_SHA256 implementation. And as far as I can tell, nothing currently exists to easily verify or check passwords against these hashes. Base64 decoding the hashes I discovered didn’t immediately point to quick solutions either. But 389-ds is open source, so when you need to crack passwords, the source is a good place to turn.
A while back I was playing around with Empire (before it was shuttered, RIP) and bypassing a certain antivirus software. There were decent signatures for the basic powershell usage, but knowing Python was installed on the target Windows endpoints, I tried to run the Empire Python payload on Windows. It didn’t work. Turns out, it’s trivial to get things working again.
If you generate a basic Python stager with stock Empire, we see an initial checkin to the server
I was recently doing some testing in AWS with some “obtained” access keys. Part of this engagement was to identify some threshold at which the blue team was noticing and engaging with suspicious activity and as such we were running some automated tooling. In AWS this can mean bruteforcing services and creating quite a bit of logs.
After not so long we got a request asking if we were up to anything - success! Blue had noticed something was up! But to be honest, I hadn’t expected them to be on to us so quickly. And when we debriefed we discovered Amazon GuardDuty had alerted that someone was making requests from Kali (PenTest:IAMUser/KaliLinux). This feature was released late December, 2018. Now how did GuardDuty know this? Their documentation states the following.
I like Jenkins. It’s a good orchestration tool and provides remote code execution as a service.
If your user permissions give you access to the script console /script it’s trivial to obtain a shell. The developers explicitly call this out in their documentation as well so it’s a feature, not a bug. Of course if you can create a job you can run shell commands as well, but I’ll leave that for another time.
I haven’t seen this specifically outlined anywhere so I figured I’d write a short post to go over using subTee’s Katz2.0 program to create a custom binary that loads mimikatz (or whatever executable you’d like) into memory. Casey Smith (subTee) and company have created some incredible tools that have made my life easier, so hats off to them.
Reflective Injection
The following steps will create a custom binary with an encrypted and encoded mimikatz binary string which will load mimikatz into memory through reflective PE injection.
I recently came across a good reminder to double check listening ephemeral ports. The organization in question was using the Informacast Singlewire Desktop Notifier v2.0 application. It allows organizations “to display a pop-up window on top of other running applications to inform users of important information” or to send desktop alerts to users in geographic regions.
After some enumeration, it looked like it was exposing a JMX remote management port, which we’ll say is port 42424. Nmap won’t identify the service version in a normal scan, but if you request --version-all, you should see the port listed as rmiregistry.
I recently took the CTP course by Offensive Security and passed the OSCE exam. Now there are a few dozen reviews on this thing, but I’ll add my own take here anyway.
Pre Course
You can’t just register for the CTP - you need to solve a small challenge first: http://fc4.me/. When I initially thought about taking this course, part of this challenge was beyond me. But to quote g0tmi1k:
“There isn’t any shame in not being able to complete this. It simply means you’re not ready… yet! If you look up the solution online, you’re just cheating yourself and wasting both time and money. It’s been put there for a reason. Offsec is trying to protect you from yourself (in their own frustrating but necessary way!).”
Recon is close to step one in any pentest. When it comes to passively pulling data on infrastructure assets you have a number of options. ARIN can help identify an organization’s registered net blocks, but that’s only part of the picture. With many organizations based in or using cloud services, those assets won’t necessarily be registered to your target.
And when AWS for example can tie directly into a datacenter, these servers become quite valuable. As an aside to AWS, check out Gone in 60 Milliseconds by Rich Jones - awesome talk. Now if a developer stands up a server with HTTPS using a corporate certificate it’s likely going to be picked up and indexed by someone, Shodan, or Censys - so let’s make use of that.
Occasionally an environment has strict outbound rules with all traffic going through an authenticated proxy. This hampers exfiltration, especially if you don’t currently have valid credentials but need a foothold into an environment without phishing for instance. If we can find a live network jack in some accessible place and the switch hands out an IP address via DHCP along with DNS servers, we can more than likely obtain a foothold into the network.
I came across OpenDNS Security Ninjas AppSec Training Lab not too long ago and found its simplicity rather enjoyable. It’s a simple web app written in PHP which illustrates each of the OWASP Top 10 categories. As I was going through the exercises I found myself checking to see how the vulnerable code was written and how the issues could be remediated.
Since the lab is geared towards beginners, I thought it might be helpful to provide brief explanations along with links to the relevant lines of source code. For each level/OWASP vulnerability, I simply added a “Why” section to each “Solution” area linking to the sink on Github along with a brief explanation.
Much has been said on this course and I’ll only briefly go over my experience and takeaways. The following reviews were helpful in making the decision to take the course.
For a little preview of what's involved, check out the free [Metasploit Unleashed](http://www.offensive-security.com/metasploit-unleashed/Main_Page) course.
A brilliant software engineering friend and I were recently discussing with another mutual friend the inefficiencies of employees filling out paper forms after completion of a construction job and the inefficiencies of transferring said forms to excel and so on. Said friend and I figured we could probably fix this with a web app for a nominal fee, but which would greatly increase our mutual friends’ productivity. A win win situation if there ever was one.
Since I’ve forgotten how to do this over the past year, here are the directions for posterity.
Startcom sends you a reminder after 50 weeks and opens a window for a renewal. Log in and validate your email and domain using the Validation Wizard. Note, you need to ensure your email is going to forward properly.
Generate a key and CSR on the server with the following two commands:

```shell
openssl genrsa -out ./www.thesubtlety.com.key 2048
openssl req -new -key www.thesubtlety.com.key -out www.thesubtlety.com.csr
```
Things have been busy lately, but I’ve been doing some reading, learning, and playing around in a small VM lab, and thought to briefly document what I’ve done. There is unfortunately nothing groundbreaking here, and nothing too interesting beyond a demonstration.
For this example I’ve got Kali Linux, Metasploitable, Windows XP SP2, and Security Onion running. (Time to add some RAM…) There are a ton of good reference resources out there, and most of this is simply plug and play. The Kali distro isn’t packaged with Nessus, so that may need to be downloaded and installed, although it’s certainly not required for our purposes. Nothing fancy here, as all machines are on the same subnet and bridged via my host NIC, making traffic sniffing trivial and allowing us to see the (mostly Snort rule) results of this nefariousness.
I recently attended my first security conference: BSidesDC. This isn’t a write up of that experience, although it was quite interesting and I learned a lot via some great sessions. One talk I really enjoyed by @grecs was Malware Analysis 101. Very well presented with lots of great getting started material.
Anyways, the badges. Pretty cool badges; bottle openers in fact, with fourteen binary bytes all with leading zeroes around the circumference: ascii encoded binary. The message is trivially found via google, but where’s the fun in that? And wanting to play around with Python some more I decided to write something that could decode the binary. My first stab looks like this.
I’ve played around with Security Onion in the past, but have never set up my network to capture or monitor traffic. And while installing Security Onion in a VM and only looking at local or inter-VM traffic is quite interesting, especially if a person is playing around with Metasploit or something, I wanted to see all network traffic, including my other devices. I also had a laptop lying around, not being frequently used; perfect for dedicated monitoring. So I finally got around to working through the details and going through the setup and configuration. This is a little essay on how I did that.
I recently bought a Raspberry Pi and installed Arch Linux ARM on it. I came across a rather amusing blog post of someone using the honeypot Kippo and thought what fun. See here to watch elite hackers and their mad skillz. That’s the great thing about Kippo - it records user sessions for playback.
Anyways, this post basically walks through what I did to get Kippo and kippo-graph up and running on my RPi. This isn’t a walk-you-through-every-step guide, so if you’re following along your mileage may vary. Of course, the Wiki pages over on Google Code are a good place to start. Or here. Or here. Everyone’s done this! But without further ado…
I read this article by Patrick McKenzie a while back, came across it again, and decided it’s worth reading weekly. I’ve pulled out some of his bolded points. But seriously, read the article in its entirety. Again. And again.
Don’t Call Yourself a Programmer, And Other Career Advice
I was fortunate enough to get a good job in IT right out of college. Not in InfoSec, but in telecom, specifically service delivery. I’m learning an incredible amount - from enterprise telephony environments to working in a highly complex work environment to leading delivery on new intent projects. But it’s not InfoSec.
In my search for ways to break into InfoSec, I’ve come across numerous posts, advice, and tips to do just that. And this is great stuff - I’m working on the learning and the doing covered in those posts. But I really enjoyed the clear, common sense advice on building a resume, the job search, interview techniques, brand building, and general career advice given by Rob Fuller. Watch the presentation here. (About 50 minutes)
Back when computer networks were still in their infancy, there were few avenues for attack. With those avenues turned off, all else was allowed. Hence “default permit.” Another area is code execution: anything clicked is permitted to run, unless stopped by antivirus or the likes. The proper solution here is default deny, but this, according to Ranum, takes dedication, thought, and understanding, and so is seldom done. And it allows one to sleep better at night.
This blogging thing is harder than it seems - the what to write, the time to write. I came across another interesting blog post from Krebs on Security, who interviewed Thomas Ptacek, founder of Matasano Security, on how to get into the field of computer security. As this is precisely my intent, I gave it a quick read-through and thought to post a to-do for myself.
Learn how to program. Plugging away with Ruby. Get dabbling in Python and C.
Here, shall I attempt to document some random doings related to computers, security, linuxstuff, windowsstuff, and most likely miscellany.
Apparently typing all this out helps the mind become better at communicating, and who doesn’t want that?
So whether you or another read these ramblings, or I myself re-read them later on in my ever so awe-inspiring, galvanic, exhilarating life, let this be a place for learning and perusing.
Noah is an offensive security engineer with experience red teaming at several Fortune 500 companies in software and financial industries.
With varied experience leading and managing operations, from social engineering and covert physical entry into office buildings, to stealthily gaining access to high value financial systems, to troubleshooting corporate networks, to securing web and mobile applications, Noah has a strong track record of applying creative thinking and determination to solve challenging technical problems.
A collection of enduring references on security, risk, and adversarial thinking. In short:
We have no idea if anything we do actually works [1]. Measurement and root causes remain security’s fundamental unsolved problem.
The industry thinks training fixes people, but research shows it makes things worse [2]. Use passkeys/webauthn/yubikeys.
Most breaches don’t matter for most orgs [3]: 85% fail to meet accounting materiality thresholds, and the median cost-to-revenue ratio is 0.37%.
Only 12% of patches matter for APT defense. But immediate patching = 4.9x lower compromise odds vs. a 1 month delay [4].
While useful, EDRs are fundamentally ineffective against actual APT actors [5].
Red Teaming & Adversarial Assessment
An Adversary’s View of Your Digital System (2015) [PDF] - Sandia National Labs - Adversary-based assessment methodology. Attack graphs and identifying critical paths. Nice Generic Threat Matrix (GTM).
Red Teaming Handbook (3rd Edition) (2021) [PDF] - UK Ministry of Defence - Guide to red team mindset and formal methodologies. Apply fast, simple red teaming techniques as part of everyday routines rather than waiting for formal engagements.
10 Red Teaming Lessons Learned Over 20 Years (2015) [Website] - Matt Devost - Asymmetry, OODA loops, and avoiding artificial constraints. 10th man rule - if nine analysts reach the same conclusion, the tenth must disagree and explore unlikely scenarios. A red team should never compromise integrity to satisfy sponsors - speak truth to power even when findings are unpopular.
Adversarial Red Team Assessment Framework (2017) [PDF] - Australian Defence Science and Technology Group - Cognitive bias mitigation strategy. Red Teaming Umbrella framework as a spectrum from simple critical analysis to complex field exercises: Critical Analysis, Tabletop, Functional/Attack pathing, Computational/Purple teaming, Cyber/“Red Teaming”, Wargaming (physical element), Field Exercises (live tests).
Six Rules for Wargaming (2015) [Website] - Lessons from Millennium Challenge 02’s red team victory. Validation should NEVER come from a single wargame. Never allow concept developers to run their own analysis, “akin to allowing students to grade their own tests.”
Risk Measurement & Cybersecurity Economics
Cybersecurity is not very important (2019) [PDF] - Andrew Odlyzko - Contrarian view on risk, resilience, and the muddle-through approach. Complexity and “security through obscurity” are essential elements of imperfect security. We haven’t suffered major tech catastrophes despite decades of insecurity, suggesting threats are manageable within acceptable risk tolerance.
Defense Acquisition and Operational Risk (2011) [PDF] - Naval Postgraduate School - Risk management frameworks. Without knowledge of decision maker preferences, there is no risk. The Kaplan-Garrick risk definition (i.e. what can go wrong, how likely, what consequences) is incomplete. A fourth question must be asked: “How do you feel about it?”
Measuring Security (And Risk) (2006) [PDF] - Dan Geer - Foundational work on security measurement. Security metrics must be “decision support, possibly under fire”. Early investment pays exponentially - empirical data shows 21%/15%/12% returns on security investment at design/implementation/maintenance stages. Design-stage security is 100x more cost-effective than maintenance-stage fixes.
Next50: Measuring and Managing Organizational Security (2018) [Medium] - Ryan McGeehan (Magoo) - Modern enterprise security measurement. The information security industry is stalling due to lack of a “measurement revolution” comparable to meteorology’s post-1950 transformation. Security teams operate irrationally because they lack classification methods for breach root causes, transparency into breach causation, and probabilistic forecasting.
Cost of a Cyber Incident (2020) [PDF] - CISA systematic review - Per-incident costs, aggregate losses, and defensible estimates. Incident costs have extreme variability with heavy-tailed distributions where the mean is a poor indicator. 85% of cyber incidents fail to meet financial materiality thresholds (of 2-10%). The median cost-to-revenue ratio across all sectors is only 0.37%. Per-record cost estimates are flawed because breach costs don’t correlate strongly with breach size for large incidents.
Phishing & Security Awareness
On Fire Drills and Phishing Tests (2024) [Google Blog] - Google Security - Why phishing tests don’t work and what to do instead. No evidence exists that phishing tests reduce successful phishing incidents. Traditional tests cause harmful side effects: they bypass systematic security controls, degrade trust between users and security teams, create incident response burden, and make employees feel “tricked.” Alternative: “phishing fire drills” - pre-announced training emails that clearly identify themselves, focusing on education and practicing reporting. Fix tools, not people - use phishing-resistant authenticators.
The Ineffectiveness of Phishing Security Education (2021) [arXiv PDF] - 14,000 participant study showing repeat clickers fail despite interventions. Embedded phishing training is counterproductive. Training fosters a false sense of security or over-reliance on institutional defense. Using employees as a collective detection mechanism is practical, efficient, and sustainable. Tested with 14,000 people over 15 months.
Incident Response & Detection
Empirical Assessment of EDR Systems Against APTs (2021) [Journal Article] - Testing 11 endpoint detection tools against advanced attack vectors. State-of-the-art EDRs failed to prevent and log the bulk of APT attacks tested. Of 11 EDR products tested against 20 diverse attack vectors, 10 attacks were completely successful with no alerts issued, 3 were successful with low-significance alerts, and only 6 were detected correctly.
Incident Response Scenarios [Website] - Practical tabletop exercises for IR teams with scenarios from @Magoo, not affiliated.
Canary Tokens at Scale (Tularosa Study) (2021) [USENIX PDF] - USENIX research on deploying deception at enterprise scale. Cyber deception significantly impedes attacker progress (tested with 130 red teamers). Physical presence of deception and psychological awareness of deception technologies affected behavior - an effective defensive strategy at scale.
Thinkst Canary [Website] - Honeypot/canary tokens (free and paid).
Threat Intelligence
China’s Offensive Cyber Ecosystem (2024) [PDF] - ETH Zurich - Analysis of Chinese bug bounty programs and hacking contests. Chinese security agencies gain exclusive access to zero-days, granting them first access to vulnerabilities discovered by civilian researchers (who must report within 2 days under 2021 RMSV regulations), then outsource actual operations to private contractors.
Patch Management: Only 12% of Public Exploits Get Patched (2022) [arXiv PDF] - Empirical study on patch deployment rates. Performing only 12% of all possible updates - patching only publicly known vulnerabilities exploited in documented APT campaigns - wouldn’t significantly change compromise odds compared to organizations updating for all versions. Organizations that update immediately face 4.9x lower odds of compromise than those waiting one month, and 9.1x lower than those waiting three months.
Reference
APT Groups and Operations [Website] - VX-Underground comprehensive APT reference - one of the largest publicly accessible collections of APT malware samples and campaign documentation.
Security Mindmaps [Website] - Aman Hardikar - Visual knowledge maps for security domains.
Infosec Reference [Website] - Comprehensive knowledge base by rmusser - technical references.
Leadership & Organizational Strategy
Doing a Job - Admiral Hyman Rickover (1982) [Website] - Classic leadership text on responsibility and standards. “Ownership without formal structure” - eliminate job descriptions and organizational charts, giving subordinates authority and responsibility early while defining roles broadly so people are “limited only by their own ability.” “When doing a job—any job—one must feel that he owns it.”
Trying Too Hard (1981) [PDF] - Essay on organizational effectiveness. “Confidence in a forecast rises with the amount of information that goes into it, but the accuracy of the forecast stays the same.” Stop trying to forecast every threat scenario and instead focus on measuring current vulnerabilities and value.
Turn the Ship Around (L. David Marquet) (2013) [Book] - “Intent-based leadership” uses a language shift from “request permission” to “I intend to…” - forces subordinates to think like leaders while maintaining accountability.
Drive (Daniel Pink) (2009) [Book] - Great book on intent-based leadership and motivation. Extrinsic rewards (money, bonuses) actually reduce performance for complex cognitive work. Autonomy-Mastery-Purpose (AMP) shows that for complex work requiring creativity, the key is to “pay enough to take the issue of money off the table” then motivate through autonomy (control over time/technique), mastery (progress at meaningful skills), and purpose (contribution to a mission larger than self).
Technical Papers & Detailed Analysis
This World of Ours (2014) [USENIX PDF] - James Mickens - The security threat model spectrum. “Mossad or not-Mossad” threat model - security threat models should be binary rather than elaborate. Either you’re facing a nation-state adversary (Mossad) who will defeat any defenses regardless, or you’re not (in which case basic security hygiene suffices).
Security Analysis of System (2023) [USENIX PDF] - USENIX Security 2023 - Deep technical security analysis. Security managers are fully aware their measures cause significant friction, reducing productivity and increasing vulnerability, and they can identify the underlying causes. But organizations prioritize compliance with external standards over usability. Regulatory requirements prevent implementing more usable security solutions.
Measuring Information Security (2025) [YouTube] - Video lecture on security metrics. 40 elite Chinese hackers from late 1990s-2000s red hacker groups formed the foundation of China’s modern cyber ecosystem. Individuals moved from grassroots patriotic hacktivists in informal collectives (Green Army, Xfocus, 0x557, NCPH) to industry leaders, founding cybersecurity firms (NSFOCUS, Knownsec, Pangu Lab), leading security teams at tech giants (Alibaba, Tencent, Baidu), and in some cases transitioning into state APT operations (APT17, APT27, APT41). “New School” era with structured CTF competitions, bug bounties, university programs, state alignment.