One of the areas I focus on as a red teamer is the building and optimization of capabilities through development and infrastructure automation (or really anything under Tactic TA0042 for fellow MITRE ATT&CK©️ wonks).
I’m fortunate to have time to spend on open source work related to those two! 😄 Here are some of my recent projects:
| Stage 0/1 payload, persistence | Node.js |
Venus supports any OS that can run Visual Studio Code, and has been tested on macOS, Windows, and Ubuntu Linux. Its functionality is implemented with platform-agnostic APIs, so it provides the same minimal set of capabilities on any target.
Venus provides the flexibility to gain initial access on endpoints of any flavor in an unusual and unexpected package, providing a jumping off point for host triage and the deployment of other tools. You can also use Venus to build and drop a malicious VS Code extension as a persistence mechanism, as others have written about.
Sockdrawer is an alias identity manager for Red Teams, OSINT collectors, journalists, and privacy-conscious people. Its name comes from the term sockpuppet.
Individuals and teams can use the tool to generate alias identities and keep notes on their use. You can keep up with current and planned feature work on the project’s public Kanban board.
Sockdrawer is a Ruby on Rails web application that comes with a Dockerfile for development, testing and production. The project also includes configuration for conveniently running the app with Docker Compose.
I make sure Sockdrawer keeps working as it evolves with a unit test suite (RSpec), an acceptance test suite (Cucumber), and GitHub Actions for continuous integration. I’m evaluating Cypress for end-to-end test automation.
Eddie Vetter is a command-line tool for triaging macOS applications and binaries, especially for vulnerability research.
I wrote Eddie so I wouldn’t have to remember the various options for to triage macOS executables or deal with parsing its output every time. At the moment it reports on:
- Whether the executable is signed
- The signing authority
- Whether or not Hardened Runtime is enabled
- The executable’s entitlements (ex:
I’m planning to rewrite it in Go, remove its dependency on jq for JSON parsing, and expand its functionality.
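To show what the triage described above involves, here is an added example (not Eddie Vetter’s own code) that parses the text `codesign -dvvv` prints for a binary and the entitlements plist `codesign -d --entitlements :-` prints, and reports the same four facts: signed or not, signing authority, Hardened Runtime, and entitlements. The output formats, the constructed samples, the `CS_RUNTIME` flag value, the `RISKY_ENTITLEMENTS` watch list and the `triage()` wrapper are all assumptions of this example; only the `triage()` wrapper needs macOS, the parsers run anywhere.

```python
"""Added example: triage a macOS code signature from codesign's text output."""
import plistlib
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Bit set in the CodeDirectory flags when Hardened Runtime is enabled
# (assumption of this example, taken from the CS_RUNTIME code-signing flag).
CS_RUNTIME = 0x10000

# Entitlements worth a second look during triage because each one relaxes a
# Hardened Runtime protection (assumed watch list for this example).
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.get-task-allow",
}


@dataclass
class SignatureReport:
    signed: bool
    authority: Optional[str] = None      # leaf signer, or "adhoc"
    hardened_runtime: bool = False
    entitlements: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> List[str]:
        """Entitlements from the watch list that this binary carries."""
        return sorted(set(self.entitlements) & RISKY_ENTITLEMENTS)


def parse_codesign_details(text: str) -> SignatureReport:
    """Parse the human-readable `codesign -dvvv` output (written to stderr)."""
    if "code object is not signed at all" in text:
        return SignatureReport(signed=False)
    report = SignatureReport(signed=True)
    for line in text.splitlines():
        # The first Authority= line is the leaf certificate; the rest is the chain.
        if line.startswith("Authority=") and report.authority is None:
            report.authority = line.split("=", 1)[1].strip()
        elif line.startswith("Signature=adhoc"):
            report.authority = "adhoc"
        elif line.startswith("CodeDirectory"):
            m = re.search(r"\bflags=(0x[0-9a-fA-F]+)", line)
            if m:
                report.hardened_runtime = bool(int(m.group(1), 16) & CS_RUNTIME)
    return report


def parse_entitlements(blob: bytes) -> List[str]:
    """Return entitlement keys from the plist codesign prints.

    Older codesign versions prefix the XML with a small binary header, so
    anything before the XML declaration is discarded.
    """
    start = blob.find(b"<?xml")
    if start < 0:
        return []
    return sorted(plistlib.loads(blob[start:]).keys())


def triage(path: str) -> SignatureReport:
    """Run codesign on a real binary (macOS only) and combine both parsers."""
    details = subprocess.run(["codesign", "-dvvv", path],
                             capture_output=True, text=True)
    report = parse_codesign_details(details.stderr)
    if report.signed:
        ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                              capture_output=True)
        report.entitlements = parse_entitlements(ents.stdout)
    return report


# Constructed sample output, modelled on what codesign prints for a
# Developer ID signed app with Hardened Runtime enabled (not a real binary).
SAMPLE_DETAILS = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Runtime Version=13.0.0
"""

# Constructed entitlements plist for the same hypothetical app.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
"""


def sample_report() -> SignatureReport:
    """Run both parsers over the constructed samples."""
    report = parse_codesign_details(SAMPLE_DETAILS)
    report.entitlements = parse_entitlements(SAMPLE_ENTITLEMENTS)
    return report


if __name__ == "__main__":
    r = sample_report()
    print(f"signed={r.signed} authority={r.authority!r} "
          f"hardened_runtime={r.hardened_runtime}")
    print("entitlements:", ", ".join(r.entitlements) or "none")
    print("flagged:", ", ".join(r.flagged) or "none")
```

The two sample entitlements are the kind a triage tool should surface: a Hardened Runtime binary that allows unsigned executable memory or disables library validation has opted out of the protections the runtime flag suggests, which matters both for vulnerability research and for judging how much trust a signed binary deserves.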
| Stage 0 payload | Swift |
Proof of concept for malicious auto-running Xcode Playgrounds.
| Dev environment config | Bash/Vagrant |
I made mythic-crate to give myself a repeatable setup for local Mythic C2 development. Since then, I’ve also used it to run a local command and control server for use with payloads running in my local macOS research lab.
I recently started working through Katie Nickels' Cyber Threat Intelligence Self Study Plan. It’s a collection of suggested reading, videos, activities and things to ponder for folks who are new to CTI or interested in learning more about it.
I decided to track my progress on this list and keep notes using the awesome Obsidian personal knowledge base app. That way I can check off items as I complete them, write my notes in Markdown, and even annotate PDF and EPUB documents right in the same portable notebook.
Hoping others would find this setup useful when working through the CTI Self Study Plan themselves, I made its initial structure and config available as a GitHub template repo.