Enterprise security tools provide a deep level of insight into, and access to,
the organizations they are designed to protect. Although in the right hands
these tools can be powerful assets for a blue team, they can be equally
valuable for an attacker. Attackers can subvert legitimate functionality to
gain and maintain access to an enterprise's crown jewels.

Solutions such as Splunk, Tanium, Tripwire, and Carbon Black Response, in
addition to providing detailed reporting on an organization's assets, all
offer the ability to run commands or scripts for administrative purposes on
endpoints. Many of these systems run commands as the 'System' user on Windows,
either by default or as the only option. This can be leveraged to gain access
to critical systems, pivot into 'segmented' networks, and maintain stealthy
command and control.

Unfortunately, these tools are commonly deployed with inadequate hardening or
with an excessive number of administrative user accounts. One reason for this
could be the prior knowledge required to leverage the power of these
applications in a safe and controlled manner during a pentest, which causes
them to largely go unnoticed or unreported on most tests. We want to bring
awareness to the importance of protecting deployed security tools and provide
a framework for pentesters and red teamers to leverage these tools on
engagements. The tool we are releasing is called secsmash, a handy
command-line tool that turns credentials you've acquired for a supported tool
into enterprise pwnage.

Information security consultant at Tevora since 2012. Wore a lot of hats initially, including solution integration work, auditing, and penetration testing. Kevin now leads Tevora's penetration testing and red teaming group. Areas of focus include network, web, and mobile application penetration testing, development of internal Tevora penetration testing and social engineering toolkits, malware analysis, and incident response.
Steven is a former Marine and now penetration tester/red teamer from Southern California. When he isn't brewing awesome coffee he enjoys doing research on different threat techniques and tool development.