Back
Stephen Tomkinson
Public tools
Tool Release
June 12, 2024
3 mins read
NCC Group is pleased to open source a new tool built to help Red Teams log their activity for later correlation with the Blue Team’s own logging. What started as a simple internal web based data-collection tool has grown to integrate with Cobalt Strike and BloodHound to improve the accuracy and ease of activity recording. As the tool became integral to how NCC Group’s Full Spectrum Attack Simulation (FSAS) team delivered Red and Purple Team assessments additional functionality such as reporting plugins and credential analysis have grown the tool into something we believe could benefit the wider Red Teaming community.
Access the code at: https://github.com/nccgroup/SteppingStones
Activity Recording
At the heart of Stepping Stones are “Events” which describe a specific Red Team action between a source and a target. They can be annotated with MITRE ATT CK IDs, tags or the raw command line evidence, but the original design philosophy was to make data capture as effortless as possible so none of these are mandatory in order to allow data to be entered “in the heat of battle” rather than retrospectively.
Additionally, files can be dropped onto an Event to record where artifacts have been placed (allowing more effective post-job clean-up) and to generate file hashes for Blue Team reporting.
Cobalt Strike Integration
Stepping Stones includes a bot which can connect to your Cobalt Strike team server and stream activity into Stepping Stones. This is held in a separate area of the application so that the only relevant activity can be “cherry picked” and escalated into a reportable Event. This “cherry-picking” workflow also applies to other types of ingested activity like PowerShell transcripts imported via the bespoke EventStream format.
Alternatively, as beacons are spawned the source/target dropdowns for Events are updated with any new hosts, users and processes so that Events can also be manually recorded against the compromised systems.
Having access to real-time Cobalt Strike activity facilitates other functionality such as being able to notify (via webhooks) when a beacon first connects, or mark one as “watched” so that a Red Team operator can be re-notified should a dormant beacon reconnect, e.g. when a victim powers on their laptop the next day. Beacons and their associated activity can alternatively be excluded from the UI, reports and notifications if they match configurable patterns that identify them as the result of internal testing rather than genuine victim activity.
BloodHound Integration
To further improve the accuracy of sources and targets Stepping Stones can connect to BloodHound’s Neo4j database and use the data within to suggest users and hosts.
Again, with this integration in place a number of other features were subsequently added to make the life of the Red Team operator easier: there is a tree view of the domain(s) OU structure in Stepping Stones based on the BloodHound data – allowing a more familiar hierarchical target selection view of the graph data. Similarly, Stepping Stones facilitates building wordlists from text in BloodHound to help crack those accounts whose password is derived from the account name or a comment on the user in AD.
Credentials
A successful Red Team operation will come across a number of passwords, secrets and hashes on their way to meeting their objectives. Managing these can be cumbersome and the Credentials area of Stepping Stones aims to alleviate that. Hashes and passwords can be extracted from raw tool output or the streamed Cobalt Strike activity, and any associated compromised accounts marked as “owned” within BloodHound automatically.
Features from https://github.com/crypt0rr/pack/ have been re-implemented to generate likely wordlists and hashcat masks from previously cracked data.
A graphical dashboard provides further insight into the patterns used for passwords, generating graphs for statistics like those produced by https://github.com/digininja/pipal and comparisons against the https://haveibeenpwned.com/ breached passwords.
Stepping Stones has been “dog fooded” by the FSAS team throughout its multi-year development and has been able to happily scale up to multi-month jobs. However, the system aims to still be useful even if not integrated with Cobalt Strike/BloodHound.
It is a Python Django web application which can run on either Windows or Linux. The philosophy is to deploy a fresh instance for each engagement, as it supports multiple users, but not multiple engagements. The database is currently SQLite, allowing all data for that engagement to be archived without cross contamination between jobs or a build up of multiple jobs worth of sensitive data.
Full installation and upgrade steps can be found in the read me file.
Published by Stephen Tomkinson
Published by Stephen Tomkinson
View all posts by Stephen Tomkinson ->
Here are some related articles you may find interesting
Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap Lua 5.1 Musl’s Next Generation Allocator – aka mallocng mallocng Cycling Offset Exploiting CVE-2022-24834 on the mallocng heap mallocng Heap Shaping Ensuring Correct Target Table->Array Distance Lua Table Confusion redis-server/libc ASLR Bypass and Code…
Vulnerability Research
June 11, 2024
31 mins read
System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility. This makes the…
Cyber Security
Tool Release
June 10, 2024
5 mins read
This year’s Real World Cryptography Conference recently took place in Toronto, Canada. As usual, this conference organized by the IACR showcased recent academic results and industry perspectives on current cryptography topics over three days of presentations. A number of co-located events also took place before and after the conference, including…
Conferences
Cryptography
June 7, 2024
14 mins read
Previous post
View articles by category
-
-
Academic Partnership (3)
-
Annual Research Report (3)
-
Asia Pacific Research (1)
-
-
Blockchain (5)
-
Books (17)
-
Business Insights (6)
-
-
Cloud Security (18)
-
Conferences (38)
-
Corporate (7)
-
Cryptography (119)
-
CTFs/Microcorruption (1)
-
Current events (1)
-
Cyber as a Science (6)
-
Cyber Security (404)
-
Detection and Threat Hunting (16)
-
Digital Forensics and Incident Response (DFIR) (23)
-
Disclosure Policy (1)
-
Emerging Technologies (12)
-
Engineering (5)
-
Fox-IT (18)
-
Fox-IT and European Research (8)
-
-
-
Intern Projects (2)
-
iSec Partners (52)
-
Machine Learning (30)
-
-
-
North American Research (28)
-
-
-
Patch notifications (35)
-
Presentations (55)
-
protocol_name (1)
-
Public interest technology (1)
-
Public interest technology (10)
-
Public Reports (53)
-
Public tools (106)
-
Reducing Vulnerabilities at Scale (22)
-
Research (367)
-
Research Paper (20)
-
Resources (2)
-
Reverse Engineering (49)
-
-
Standards (13)
-
Technical advisories (219)
-
Technology Policy (1)
-
Threat briefs (3)
-
Threat Intelligence (69)
-
Tool Release (112)
-
Transport (16)
-
Tutorial/Study Guide (48)
-
UK Research (10)
-
Uncategorized (28)
-
-
VSR (32)
-
Vulnerability (169)
-
Vulnerability Research (9)
-
Whitepapers (239)
Most popular posts
Most recent posts
- Stepping Stones – A Red Team Activity Hub
- Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap
- Enumerating System Management Interrupts
- Real World Cryptography Conference 2024
- Public Report – Keyfork Implementation Review
Call us before you need us.
Our experts will help you.
Get in touch
