Operationalizing Cybercrime Data For Red Teams & Offensive Ops

By Jason Haddix 🙂

Check out Flare (sponsor): Flare | Cyber Threat Intel | Digital Risk Protection Threat Intelligence | External Attack Surface Management | Flare

DarkNet Diary about his story

He made his fake ID from sus websites (ShadowCrew)

Ubisoft CISO
Talks at DEFCON/BlackHat
Made Arcanum for testing and training (like TCM)

When doing Red Teaming you have to understand real adversaries:

Professionals and Hackers don’t use the same vulns that they go after
He uses certain things that he’s familiar with, you can use different

2023 because every year reviews the previous and 2025 (of the 24) hasn’t been published yet

Exploit public-facing apps has grown (VPNs, apps)
Spearphish - Targeted for someone specific
Most of the things either target creds or use exposed creds

Mainly credential abuse

DBIR (by Verizon) is free!

Adversary Order of Operations mental model:

uses xmind to create this
Level 1:

They go after whole bunch of data that’s already public on the internet
Dumps, breaches, ended up being pasted to the clear web
Alerted on by DeHashed and HIBP
Level 1 because often become invalid very quickly bc if they got hacked this bad, they usually force password resets

Level 2:

Russian Market (all tor based and dark web)
Sell packs different types of access

Level 3:

Ransomware as a service

used to be LockBit but they got taken out
There are many more RaaS

Install ransomware → victim don't pay → sell data to a market where they make money before it gets posted in public (usually discord, telegram, etc)

Level 4:

Real good fresh data
Stealer logs
Markets on Whatsapp, Telegram, and Discord (Telegram the biggest, Discord is cracking down)
You get creds and cookies so you can replay cookies not just creds

Level 5:

Using Devs to get into Live

Level 6:

EvilGinx

Level 7:

N-Day, writing their own exploits
Reversing private security patches

Level 8:

0-day, previously unknown

Level 9:

Paying someone to get them access
Getting someone hired at that company

Level 9 is the highest risk of being caught (levels are in order).

You become a CTI to obtain all that info and use them as a Red Teamer:

This is called a CTI pyramid of pain

More common to use these lists and in the past 2 years than ever before

Used to be only the top 3 who do this

How to access the darkweb^

Sock accounts that he builds, using proxies and VPNs to hide his source

The UI has been updated from that

You can buy access to these computer
You want to look for computers for the company
You search by domain

App domain

In a VM:

They even have IPTVs!

Counterfit Pokemon and Magic the gathering cards exist!

Buying:

Don’t buy it with crypto off those websites, that’s illegal!
Flare can provide things like that

He started with build:

Using already public, published data
Gaining access without funding the bad guys (like Flare)

Level 1:

By the time the data makes it here, it’s kinda meh (mostly invalid)

For several websites like DeHashed
Will grab the passwords and emails
Just needs an API key (you need access to these websites first to have an API)

Level 1.5:

Roll your own DB

the saved one is about a year ago (saved for posterity)

He couldn’t get it from Wayback

There’s one he found from something like Wayback for Gits, but that’s what the did

Level 2:

Forums

Level 3:

chat ecosystems

Doesn’t cover the shady-er darker ones
Starter to get into these things

Keep spreadsheet of sock puppets, stay anonymous
normally building all of this takes a very long time
Flare can do it for you

Stealer logs
Malwares like Redline (redline is dying tho)
Steals autofills, cookies

Process:

Find the stealer logs
Find cookies, autofills, etc
Try them on the organization you’re red teaming for

What we can do (because we can’t do everything bad guys do):

They pay us
We can go after their network

External websites
Internal network

We can go after their SaaS applications

Spraying:

Allows AWS proxy which is great to maintain access (TCM training for how)
CredMaster is available on GitHub Embed GitHub

Target these because CVEs come from these often
We can see if the Stealer Logs have any of these product domains for creds to try
90% of the world uses Microsoft for AD/OS. The rest will use Google Workspace

sometimes mac

Other orgs use to get access and go back to attacking MS using trusted access (from SaaS apps)
Got cred from Stealer Log → got stopped by MS defence (impossible travel) → went thru ADP for paycheck and HR → login to the ADP data → HR person to manage the ADP account → had access to all payment info and private info
Try replaying creds on SaaS they use!

Good/important list^

They are not dead/not useful!
CrackMeIfYouCan
Use AI or JTR/hashcat rules to iterate over an already known password
He used Claude here in the SS
Newer groups use AI or JTR or hashcat to “refresh” the old dumps by applying common user behavior
Cookie rotation + password manager to prevent

Cookie Operations:

It will try to login to these from cookie
Red Teams do this manually:

These are things to look for in cookies (cookie domain, name, purpose) when reviewing stealer log data

Sometimes cookie injections gets banned (impossible travel/fingerprinting/etc)
Get an Azure box and proxy your browser thru the Azurebox

Doing this bypasses some MS defense because of the Azurebox
Try their AWS region or local geo
fresh browser profile
spoof mobile user agent

This sometimes will not undergo the same defenses that computers/workstations/PCs have

Phishing Ops and Initial Access:

Red Teaming course from them (soon!)
This is mainly an intermediate course
Still in heavy development

Two approaches:

EvilGinx

Gives you creds and cookies

File Payloads (CS/C2?)

File attachment and hope the user double clicks

Until 2025, this is what most did combo (EvilGoPhish)
Offered Email + SMS
GUI!
The newest versions also support QR codes phishing (some call it Quishing)
GoPhish had a better GUI, that is why the combo got used together. Also gave great visualization (right side of the SS)

2025:

Expensive
Killer Features:

Botguard

Bypass a bunch of techs (like MS ones like proofpoint and email vetting) that will try to block your campaign

Phishlets DB

Best phishlets, they update them often

Evilpuppet

It will scoop browsers better.
It will try to bypass protections from the browsers and such

mgeeky
That’s his mental model
Early 2024 presentation
Several from BUY is probably in HOLD and SELL now. Check his stuff.
WarCon22 - Modern Initial Access and Evasion Tactics.pdf

Buy an IP list, rent a VPS, or rent AWS to rotate IPs.
Plugin to Burp (Burp VPS Proxy) to make sure each request
ShadowClone to do Linux-based systems (moved to Lemma + ax framework)
If you DM on Discord he will give you the fork of something that was forced to be taken down by a company
Distribution:

Bruteforce creds or directories

Divide that testing into little pieces that “distribution” tools will take care of without getting banned

Pentesters vs Hackers

For hackers, these are second choice after their main methods
What hackers do?

Internal Web Apps:

Internal Logins (use Caduceus instead of NMAP).

It doesn’t alert because it visits and finds SSL cert and all the domains listed. It’s web traffic on 443. SOCs won’t notice this. Just give it an IP range!

They use this on the internal to find the following:

All these knowledge bases, Dev/Proj management, Gits, Repos, Build servers, Unreal Engine, Jenkins,

Jenkins can run raw linux commands and can be used to pivot
Plugins are horrible for Jenkin
Some hardcode creds that are high-priv creds
Credential Reuse

Grafana is just like Jenkins
Secrets Managers
These get checked first because the first list is easier to detect.

They use creds on these + you can actually brute force these because usually they don’t have brute prevention on internal apps

Web bugs that let you take over Grafana
Devs aren’t perfect and sometimes will paste passwords in the confluence or slack or sharepoint etc

Tools don’t always show you everything! So not true.
New ones (AI):

Those have web apps, and sometimes they are very susceptible to attacks

Like mlflow, h20-3, etc

Open source projects that get deployed internally so there’s trust

Good place to look for hardcoded creds
Some don’t even have auth on them so you can go look at the giant data

Started it themselves, enriched it with AI
Read the SS/Tool:

Things to look for, Purpose, Default Port, Web Dashboard Title, Authentication, Verified CVEs for that software

These are everything to look for before getting into the “usual” and detectable activity