The presentation I gave during SECURE 2019 Conference in Poland - one of the most important IT Security event in the calendar of polish *Cyber Security* conferences.
6. I. What is adversary simulation?
● A goal oriented and strategy driven towards post-exploitation and data exfiltration
actions → Threat-based Red Teaming
● We don’t focus on exploitation process →
○ Breach assumption → Adversary is already inside your network
● It provides real world indicators of compromise to your incident response team
● It establishes real world persistence inside your infrastructure
● Focuses on the behaviors of adversary’s APT techniques:
○ Emulates IN-THE-CHAIN the techniques of an attacker that is most likely to
target your env
● Your environment should stay safe → low impact on your operations
● It’s not a pentest!
6
7. I. What is adversary simulation?
● As @mubix said recently during BruCON 2019:
○ We need to start performing actions in measurable way:
■ What coverage of the ATT&CK framework you have
■ Time to detection
■ Time to response
■ How many new rules were added vs new APT techniques seeing in the
wild
■ Critical assets → How many servers forwarding logs
■ Malicious insiders detected before they stole something
7
8. I. What is adversary simulation?
● APT Emulation → you can’t detect advanced adversary moves when you:
■ Don’t understand their TTPs
■ Don’t understand and “feel” the network
■ Don’t understand OS internals
8
9. I. What is adversary simulation?
● Network security validation steps *at your environment* of:
○ Data Leakage Protection (DLP) solutions
○ IDS / IPS
○ Firewall(-NG) / WAF
○ ML / DL / AI Security Products
○ SOAR
○ SIEM / Event analytics
○ Whitelist rules
○ Forward Proxies / Web categorization
■ + bypassing attempts :>
9
11. I. MITRE ATT&CK Framework
● MITRE ATT&CK Framework:
○ MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a
curated knowledge base and model for cyber adversary behavior, reflecting the various
phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK
is useful for understanding security risk against known adversary behavior, for planning
security improvements, and verifying defenses work as expected.
○ Common language for describing:
■ Tactics
■ Techniques
■ Groups
■ Software
11
13. I. ATT&CK Framework
● Helps you understand where you are actually and what is your current status
● Four practical steps to help prepare your organization to face modern threats:
○ → Evaluate your existing controls
○ → Find top risky assets
○ → Understand your capacity
○ → Deploy improvements:
■ Threat Intelligence
■ Extract Techniques
■ Analyze and organize
■ Find or develop tools
■ Emulate the adversary
■ Share behaviors
○ → Repeat
13
17. I. How to play with ATT&CK?
● Open Source projects:
○ Atomic Red Team tests:
■ Teams need to be able to test everything from specific technical controls to
outcomes
■ We should be able to run a test in less than five minutes
■ We need to keep learning how adversaries are operating
■ Examples:
● T1028 - Windows Remote Management
● T1118 - InstallUtil
● T1127 - Trusted Developer Utilities
● T1087 - Account Discovery
■ Link:
● https://github.com/redcanaryco/atomic-red-team
17
18. I. How to play with ATT&CK?
● Open Source projects:
○ Atomic Red Team tests:
■ Very easy to run:
● Install-Module -Name powershell-yaml
● IEX (New-Object
Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.co
m'); Install-AtomicRedTeam -verbose
● Invoke-AtomicTest T1117
18
19. I. How to play with ATT&CK?
● T1202 → Indirect Command Execution
■ pcalua.exe -a calc.exe
● Process monitoring
○ pcalua.exe
● Process command-line parameters
○ ▪ -a
● Windows event logs
○ 4688 (Process creation)
19
20. I. How to play with ATT&CK?
● Open Source projects:
○ Purple Team ATT&CK Automation
■ MITRE ATT&CK TTPs as Metasploit Framework post modules
● Automation of a little over 100 TTPs as modules:
○ msf5 > use post/windows/purple/t1028
○ msf5 > use post/windows/purple/t1003
■ Link:
● https://github.com/praetorian-code/purple-team-attack-automation/
wiki/Available-Modules
20
21. I. How to play with ATT&CK?
● Open Source projects:
○ Metta:
■ Allows you to test your host based instrumentation (mostly)
■ Dedicated for testing EDR devices, but it is easy to customize it also for
network based checks and detections
■ Link:
● https://github.com/uber-common/metta
21
22. I. How to play with ATT&CK?
● Open Source projects:
○ RTA - Red Team Automation:
■ Framework of scripts designed to allow blue teams to test their detection
capabilities against malicious tradecraft, modeled after MITRE ATT&CK
■ Composed of python scripts that generate evidence of over 50 different
ATT&CK tactics, as well as a compiled binary application that performs
activities such as file timestopping, process injections, and beacon
simulation
■ Link:
● https://github.com/endgameinc/RTA
● https://eqllib.readthedocs.io/en/latest/analytics.html
22
23. I. How to play with ATT&CK?
● Open Source projects:
○ CALDERA:
■ Automated adversary emulation system, built on the top of MITRE
ATT&CK™ framework
■ Dedicated for Windows / Linux environments
■ Link:
● https://github.com/mitre/caldera/wiki/CALDERA-2.0
23
25. II. Use cases - Trusted Binaries
● Trusted Binaries Execution + Payload delivery over the network:
○ MSBuild + SMB channel:
■ SILENTTRINITY:
● Modern, asynchronous, multiplayer & multiserver
C2/post-exploitation framework
● Bring Your Own Interpreter technique:
○ Embeds third-party .NET scripting languages to dynamically
call .NET API's
● Link:
○ https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/c
ore/teamserver/modules/boo
25
26. II. Use cases - DNS Rebinding
● DNS Rebinding:
○ Allows an attacker to subvert the victim browser’s same-origin policy (SOP)
○ Can be used to breach a private LAN by causing the victim's web browser to
access machines at private IP addresses and return the results to the attacker
○ Low DNS TTL
26
27. II. Use cases - DNS AXFR
● Meterpreter Payload Delivery using DNS AXFR:
○ Hex-encoded chunks of payload used as a fake A records definition
○ AXFR query type for dumping a fake DNS zone:
■ 21.1556c334f57527662574e55626e4d78516b313452546b775930686b567a596e.exfil.emer
ge.pl. 604800 IN A 127.0.0.1
■ 9.2505130394d58314e54544859794d796b4b43584e6a4c6d4e6f5a574e725832.exfil.emerg
e.pl. 604800 IN A 127.0.0.1
■ 0.3049484e35637770326154317a65584d75646d567963326c76626c3970626d5.exfil.emer
ge.pl. 604800 IN A 127.0.0.1
■ 3.33162646d6c624d4631644c475a796232317361584e305056736e596e567062.exfil.emerg
e.pl. 604800 IN A 127.0.0.1
■ 8.3963334e734c6c4e5454454e76626e526c6548516f63334e734c6c425354315.exfil.emerge
.pl. 604800 IN A 127.0.0.1
■ 20.444d765a7a4132556d773163325a4e645759784d53314552484a726330684d5.exfil.eme
rge.pl. 604800 IN A 127.0.0.1
○ Link:
■ https://github.com/cr0nx/msf-payload-in-axfr
27
28. II. Use cases - LDAP Exfiltration
● LDAP as hidden storage / C2
● What if two endpoint devices can't talk directly to each other but they are both
LDAP client members?
○ Upload a base64 encoded data to well known LDAP attribute name:
■ gecos
■ telephoneNumber
■ street
■ etc.
○ download and decode base64 encoded data from defined LDAP attribute
● Based on FreeIPA:
○ There is no attribute length restriction which means we can use ex. 'gecos' attribute as
an unlimited storage space to download/upload data and bypass FW/IDS/IPS
protection.
● Link:
○ https://github.com/cr0nx/freeipa-ldap-exfil
28
29. II. Use cases - LDAP Exfiltration
● Example of LDAP as hidden storage
29
30. II. Use cases - AD as C2
● Production infrastructure as C2 (also over AZURE API)
● Internal C2 that uses standard Active Directory object properties
● Let’s analyze the schema for the “user” object in the domain to get a list of
properties ready to use for storing data:
○ Not all of them are self-writable for the user
● PS>
[DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema().FindC
lass('user').optionalproperties | select name,rangeupper | ?{$_.RangeUpper} |
Sort-Object -Descending -Property rangeupper | Select -First 10
30
31. II. Use cases - AD as C2
● AD User Attribute sizes → use any of these RW attributes for establishing an
internal C2 communication:
■ mSMQSignCertificates → 1MB
■ thumbnailPhoto → 100KB
■ userSMIMECertificate → 32KB
■ userCert → 32KB
■ registeredAddress → 4KB
■ postalAddress → 4KB
■ homePostalAddress → 4KB
■ wwwHomePage → 2KB
■ info →1KB
■ StreetAddress → 1KB
■ street → 1KB
■ primaryTelexNumber → 64 bytes
■ st → 64 bytes
■ ipPhone → 64 bytes
31
32. II. Use cases - AD as C2
● mSMQSignCertificates has a Partial Attribute Set with default schema
● Partial Attribute Set means it will be propagated to all copies of the GC in the
forest
● One-to-many broadcast style connection channel for delivering commands and
retrieving the results:
○ User A → command definition and delivery by using his own attribute
○ User B → command retrieving and sending results by his own attribute
32
33. II. Use cases - ICMP
● ICMP Exfiltration and Tunneling
● Transparently tunnel your IP traffic through ICMP echo and reply packets.
● A type “8” ICMP echo request has to send an undefined body of bytes that can
be of any content or length → exfil the data here!
● Great option for:
○ Bypassing captive portals
○ Bypassing firewalls
○ Data exfiltration
33
34. II. Use cases - ICMP
● icmptunnel uses a virtual tunnel interface (tun0) on both sides:
○ listener / receiver architecture
● visible client’s outgoing traffic is only a pure ICMP
34
35. II. Use cases - ICMP
● ICMP tools:
○ icmptunnel
○ auxiliary/server/icmp_exfil
○ nping
○ exfiltrate-data.rb
○ icmpsh
○ hans
○ ptunnel
○ itun
○ icmp-encrypted-chat
35
36. II. Use cases - Slack as C2
● Slack is a cloud-based set of collaboration tools and services that supports:
○ Workspace and team creation
○ Public and private channels
○ Personal & group messaging
○ File sharing
○ Audio / video plugins
● SlackShell uses:
○ Slack API to create a command and control channel.
○ Start-Shell as the main function connects to a user-specified Slack channel and
authenticate using a supplied API authentication token
○ Any command typed into the channel will then be executed on the host
○ Allows to import additional PS scripts into the running session by uploading them to
the Slack channel → https://slack-files.com and load directly into memory!
○ Link:
■ https://github.com/bkup/SlackShell
36
39. III. In & Out eXfiltration Platform
● Ready to use adversary tools, techniques and procedures in one network
solution that you have full control of:
● https://defensive-security.com/platform
39
40. III. In & Out eXfiltration Platform
● Ready to run in your multi-segment enterprise environment
● Focuses on network events → generates multi-direction traffic:
○ int2ext / int2dmz / dmz2ad / ad2mgmt / ad2ad / int2int etc.
● Dedicated C2 Cloud Infrastructure included
● Exfiltration and post-exploitation job definitions ready to run
● In & Out Knowledge Base → stay up to date with new network TTPs
● Useful for Red / Blue / Purple teams who want to validate network security
posture
● Enterprise subscription - training and workshops included
● Risk and impact reporting
● Provides metrics and mappings to MITRE ATT&CK Framework
● Part of dedicated Adversary Simulation Services
40
41. III. Training portfolio
● Defensive Security Training Portfolio:
○ In & Out - Network Data Exfiltration Techniques → RED Edition
○ In & Out - Network Data Exfiltration Techniques → BLUE Edition
○ Open Source Defensive Security → The Trinity of Tactics
○ BRO / Zeek IDS → Network Threat Hunting and Baseline Profiling
○ Docker Security → From 0 to Hero
○ SELinux - Development & Administration of Mandatory Access Control
Policy.
● Link:
○ https://defensive-security.com/
41
42. IV. Summary
● It’s just a short introduction:
○ Don't trust in everything what your vendor says
○ Ping - pong :)
○ Invest in competence development:
■ RED Team
■ BLUE Team
● → Purple Team / Threat Hunting
○ Be aware and verify your network security posture constantly
○ Keep learning new stuff every single day
42
