by Jason Downey

The Simple Stuff

So far in The Aftermath Blog Series, I had social engineered credentials, bypassed MFA, and gained access to a VDI environment. In this entry, we’ll discuss how I successfully established command and control on the compromised host.

What Had Happened Was…

I know what you’re thinking—why set up Command and Control (C2) on a system I already had remote access to? One word: persistence.

I knew the user whose credentials I had changed would eventually notice and lock me out. This network had all the usual security measures—AV/EDR, application deny lists, no local admin, and other controls. I tried everything in our Red Team playbook—obfuscation, DLL sideloading, different LOLBins—but my Cobalt Strike beacon kept getting burned.

By luck or accident, I moved the MSBuild binary from its default location to a new folder on the desktop and renamed it REDBuild.exe. Much to my surprise, executing the renamed binary led to a successful beacon execution and established C2.

The Disclosure…

The client wasn’t thrilled. They had invested heavily in security tools and assumed they were safe. Turns out, their application deny list only blocked files based on name and path—not file hash. When we confronted the vendor about this, they admitted that Microsoft updates the hash of these binaries frequently, and it was “too much effort” to keep up. Yikes.
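As an added illustration (not from the post or the engagement) of the gap that name-and-path matching leaves, here is a small Python check over constructed Sysmon Event ID 1 process-creation fields: the PE's OriginalFileName comes from the version resource and survives a rename, so comparing it to the on-disk name and to an expected directory flags the moved, renamed MSBuild even when a name-only deny list stays silent. The sample paths and the expected-directory list are assumptions, not data from the post.

```python
"""Spot renamed or relocated LOLBins from Sysmon Event ID 1 fields (added example)."""
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry); field names mirror Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe"},
    {"Image": r"C:\Users\jdoe\Desktop\build\REDBuild.exe",   # renamed + moved copy
     "OriginalFileName": "MSBuild.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

# A rule in the style of the client's deny list: only the on-disk filename is checked.
DENY_NAMES = {"msbuild.exe"}

# Assumed directory prefixes where MSBuild.exe is expected to live (hypothetical policy).
EXPECTED_DIRS = {
    "msbuild.exe": (r"c:\windows\microsoft.net\framework", r"c:\program files"),
}


def name_denylist_blocks(event):
    """The weak control: true only when the on-disk filename is on the list."""
    return PureWindowsPath(event["Image"]).name.lower() in DENY_NAMES


def detect_renamed_or_moved(event):
    """Return findings for a process-creation event; an empty list means nothing odd."""
    image = PureWindowsPath(event["Image"])
    on_disk = image.name.lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # OriginalFileName is embedded in the PE, so a rename on disk leaves a mismatch.
    if original and original != on_disk:
        findings.append(f"renamed: {original} running as {on_disk}")
    # A known binary executing outside its expected directories is worth a look too.
    parent = str(image.parent).lower()
    expected = EXPECTED_DIRS.get(original)
    if expected and not any(parent.startswith(p) for p in expected):
        findings.append(f"moved: {original} outside expected dirs ({image.parent})")
    return findings


def triage(events):
    """Pair each event with the deny-list verdict and the identity-based findings."""
    return [(e["Image"], name_denylist_blocks(e), detect_renamed_or_moved(e)) for e in events]
```

The second sample event is exactly the case in the post: the name-only rule returns False while the identity check reports both a rename and a move.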

This was the final push the security team needed to switch from an application deny list to an allow list—starting with their VDI and server environments before rolling it out further.

The Impact…

Blindly trusting their tools would have allowed a real attacker to establish C2 just as I did.

Now that I had access to a VDI workstation, what happened next? Find out in The Vendor Requirement.


About Jason Downey, Security Consultant

Jason Downey has over ten years of professional experience in IT and information security across a variety of network security roles, with additional experience in systems administration. Jason has spoken in front of audiences ranging from youth initiatives to major security conferences, while creating informational content on SiegeCasts and forward-facing marketing channels. Jason excels at a variety of penetration testing tactics and is well known for his vishing and social engineering expertise.

Certifications:
CRTO, GPEN, GCIH, CCNA R&S, CCNA Security, CEH, CHFI
