Preview Mode Links will not work in preview mode

Mar 19, 2020

Dave Kennedy (@hackingDave)


Released SEToolkit, Pentester Framework (PTF)

PoC release for “Shitrix” bug (was disclosed after Google zero initiative India group)

Jeff Snover, Lee Holmes - Powershell gods

Arguments against release

Tools are released are utilized by the ‘bad guys’

Tooling makes it more difficult to fingerprint who are who they say they are “Fuzzy Weasel Vs. Psycho Toads”

Makes the bad guys job harder by making them have to create the PoC (presumably most bad actors are skids)



Arguments for release


Tools allow for teaching Blue team, and SIEM/logging systems to understand 

Learning how something was created, being able to break down the vulnerability

Show #2:

DerbyCom - Tell us about it

Dave Kennedy Center for gaming and Leadship 


Offensive Security Tool release (PowerShell Empire 3.0)

Powershell is re-released, using Python: 


Initial tweet:

“We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams.” SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world.

Affirmations and evidence: 

Nope. One example: Iranian APT “CopyKittens” uses Powershell Empire. Incidentally, I found this example via



One can innovate without sharing with the adversary no? It’s literally how the defense industry work or am I missing something? 

… “Are we really justifying lowering the R&D cost of the adversary is the only way to attract talent to the defensive side. Not to mention - no one is saying developing OST is wrong. It’s the way they're being shared that’s problematic” 

The whole idea is that actors can't just git clone an advanced post exploitation framework which bypasses 95% of organisations defences. It should cost actors time & money to bypass these defences but because red team keep releasing new stuff with bypasses... the cycle continues.

Comments in Support of initial argument 

I really _want_ to agree. ... but I also work in an org with million dollar budgets, a dozen full-time detection engineers and analysts and an army of devs and sysadmins, and even we are having a hard time keeping up - how does this arms race "help" non-F500 orgs?

(later discussion does mention that he has a hard time seeing it as net negative) 

“If we don’t create the offensive tools then the bad guys will!” That is a terrible argument for OST release. “We might as well do something that harms because someone else will do that eventually anyway...” there are so many logical fallacies I don’t have enough space


Limiting yourself by not exposing more tooling to defenders is NOT how to improve security. Yikes. The more exposure you provide defenders gives you more detection's/IOC's you can build to help defend against APT's. That's the whole point of Proactive security.

It's vital that we continue to sharpen our swords. The commoditization of attacker techniques allows better defense against what adversaries are doing. 

And this whole discussion ignores a simple fact that released information is way better than exploits passed around quietly or kept in stockpile caches regardless of anyone’s metric of responsibility (which is a debatable, very hypothetical line of what’s acceptable or not).

The very fact that you and others who are taking this side are trying to cajole and brow beat to this position shows how weak your argument is. MITRE ATT&CK took off like gang-busters not because they had a better trolling game, but because it was a great idea implemented well. 

It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions. 

My stance is likely to tick off both sides here. I think there are times that limited release is good. But over and over, we've seen where vendors do not change until something is publicly released.

It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.

Security is a service that can be improved with products. Having no security or limiting exposure to offensive tool sets increases the chances of a breach. Ethical hackers sole purpose is to help make Blue better. Which is why purple teams are a great resource for any company. 

To the people upset by public red team tools. If you cant detect open source tools than what chance do you have at detecting private one off tools. It’s much easier to automate a battle against 100 duck sized horses than it is to face off against a single horse sized duck.

Defender Classification of PowerShell Empire 3.0


Is there a way to protect against it?


Where does this sit in the ATT&CK Matrix? 



Enhanced Windows Evasion vs. Defender

DPAPI support for “PSCredential” and “SecureString”

AMSI bypasses

JA3/S signature Randomization

New Mimikatz version intergration


Curveball test (CryptoAPI test scripts)

Dave’s new Esport initiative (opens in February):


DERBYCON community updates

Check out our Store on Teepub!

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email

#Brakesec Store!:




#Youtube Channel:

#iTunes Store Link:

#Google Play Store:

Our main site:

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast by using our #Paypal OR our #Patreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App: