Cortana: Rise of the Automated Red Team
TRANSCRIPT
Cortana: Rise of the Automated Red Team
Raphael Mudge, @armitagehacker
Overview
- Background
- Cortana
- Distributed Bots
- Post-exploitation
- Behavior Modification
- User Interface
This work was made possible through DARPA's Cyber Fast Track program.
What this talk is not
- Not a Cortana tutorial
- Some features are skipped entirely
- An exploration of the software agent programming paradigm
  - This is sad
  - Because it is fun
Today's Goals
- Demonstrate what Cortana can do
- Cover major functionality
- Encourage you to try it.
Introduction: Raphael Mudge
- Formerly: IRC Lamer
- Developer: jIRCii IRC Client
- Developer: Sleep Scripting Language
- Developer: Armitage
- Founder: Strategic Cyber LLC
Introduction: jIRCii
Introduction: Sleep
- Perl inspired syntax
- Built on Java
- Extensible
- Small (size illegible in the extracted text)
- Embedded in jIRCii
Introduction: Armitage
Armitage Collaboration
Cortana: What is it?
- A Scripting Language to:
  - Automate Metasploit Framework
  - Extend Armitage
Cortana: What is it?
The Software Agent Lens
- Cortana is a domain-specific language to develop "Agents" that conduct cyber operations!
- Team server provides distributed communication
- Metasploit offers capabilities and data model
- Cortana offers means to create long running agents that perceive context and respond to it.
- Cortana also provides tools to debug, understand, and assure positive control of agents
Cortana: What it does
! :2-"067'/-+,')-&'7+! ."-"+:")"%2A2)-+! 3'0-4K567'/-"-/')+! ?2"A+I2&92&+3"&-/#/6"-/')+! :'*/>E+B&A/-"%2+!28"9/'&+! K5-2)*+B&A/-"%2+<02&+=)-2&>"#2+
Cortana: Alternatives
- Extend Metasploit Framework
  - Modules
  - Plugins
  - RC files
! :2-"067'/-+C3,+I2&92&+! A0>#7/+
Distributed Bots
Problem...
- Jolly: It'd be nice if there was a way to know when new hosts/services pop up
- Chris: I'm constantly running scans, I'll put the data wherever you like!
- Me: I think I can help!
- Chris: I don't want to import my scans every minute. Can we automate this?
Background: Event Listeners
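# Cortana event-listener skeleton: the body runs each time "event_name" fires.
# Arguments reach the handler positionally as $1, $2, ... $n.
on event_name {
    # do this stuff
    # $1 = first argument
    # $2 = second argument
    # $n = nth argument
}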
Data Events
Data Events
- Credentials
- Hosts
- Loots
- Routes
- Services
- Sessions
Host/Service Notify Bot — Host Import Bot
Auto Import
Post-exploitation
Problem
- I want to control sessions
  - With multiple actors using them
  - With assurance that the script won't lose control
Background
- Interacting with a Meterpreter session:
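# Meterpreter session interaction (Cortana/Sleep).
# The handler fires when a Meterpreter command runs in a session; the
# command's output arrives in $3 rather than as a return value of m_cmd.
on meterpreter_command {
    # $1 = session id
    # $2 = command and arguments
    # $3 = output
}

# Send a command to the Meterpreter session identified by "session id".
# The slide used typographic quotes around the command; Sleep strings take
# straight double quotes.
# NOTE(review): $2 is executed as-is on the compromised host — build it from
# trusted values rather than interpolating data that came from the target.
m_cmd(session id, "command");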
Background
- Interacting with a process through a meterpreter session:
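# Process execution through a Meterpreter session (Cortana/Sleep).
# The handler fires for a command executed on the host; its output is
# delivered in $3, not returned by m_exec.
on exec_command {
    # $1 = session id
    # $2 = command and arguments
    # $3 = output
}

# Run a program on the host behind the Meterpreter session "session id".
# Straight double quotes are required; the slide's curly quotes do not parse.
m_exec(session id, "command");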
Background
- Interacting with a Shell session:
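# Shell session interaction (Cortana/Sleep).
# The handler fires for a command run in a shell session; output is
# delivered in $3 rather than returned by s_cmd.
on shell_command {
    # $1 = session id
    # $2 = command and arguments
    # $3 = output
}

# Send a command line to the shell session identified by "session id".
# Straight double quotes are required; the slide's curly quotes do not parse.
# NOTE(review): the string is handed to the remote shell verbatim, so any
# untrusted data interpolated into it is interpreted by that shell.
s_cmd(session id, "command");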
A cool demo
Behavior Modification
Problem
- I want to alter how Armitage does X
  - Use a different payload for certain attacks
  - Integrate a different executable with psexec
  - Modify Armitage icon display
Background
- Filters: hook an action and change its parameters
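# Filter skeleton (Cortana/Sleep): hooks an action and may rewrite the
# parameters Armitage will use for it. The incoming parameters are the
# handler arguments ($1, $2, $3, ...), collectively @_ in Sleep's Perl style.
# In the flattened slide text the "# inspect ..." comment and "return @_;"
# shared one line, which would comment out the return; they are separate lines.
filter some_filter_name {
    # inspect $1, $2, $3, etc.
    # Return the parameter list the action should proceed with; returning @_
    # untouched passes the original parameters through unchanged.
    return @_;
}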
Another cool demo
User Interface
Problem
- I want to extend Armitage with new features
  - Integrate third-party tools
  - Expose Metasploit Framework features
  - Control Cortana capabilities
Background
- Cortana scripts may:
  - Define keyboard shortcuts
  - Define popup menus
  - Create console tab interfaces
  - Create table interfaces
?82+7"0-+#''7+*2A'+
Cortana: What is it?
- A Scripting Language to:
  - Automate Metasploit Framework
  - Extend Armitage
Summary
- Background
- Cortana
- Distributed Bots
- Post-exploitation
- Behavior Modification
- User Interface
This work was made possible through DARPA's Cyber Fast Track program.
Where to go from here?
- Twitter: @armitagehacker
- Email: rsmudge@gmail.com
Cortana is posted at:
- WWW: http://www.fastandeasyhacking.com