DESIGNING MALWARE FOR MODERN RED-TEAMING & ADVERSARY TRADECRAFT
Satria Ady Pradana
WHO?
Satria Ady Pradana
• Cyber Security Consultant at Mitra Integrasi Informatika
• Director of Curriculum at Archonlabs SSD
• Penetration Tester, Red Team
• Community Leader of Reversing.ID
@xathrya xathrya xathrya_
BACKGROUND STORY
RED TEAMING
• Originates from military practice.
• Evaluates security posture by playing the aggressor.
• A full-scope, multi-layered attack simulation designed to measure how well an organization's security controls withstand attack from real-life adversaries.
REQUIREMENT
2021 PyCon ID (Security) 5
• Deep knowledge of systems (computer systems, protocols, libraries, etc.).
• Ability to think outside the box.
• Software development skills.
• Penetration testing skills.
• Social engineering.
WHEN DOING RED TEAMING
• Long engagement (1 – 3 months at minimum).
• Penetrate as deep as possible, maintain persistence, pivot, and exfiltrate critical information.
• This means you need a way to keep your presence in the network!
THE CYBER KILL CHAIN
WHY PYTHON?
• Simple and clean structure
• Designed for rapid prototyping
• Extensive library
WHERE TO START?
DESIGNING IMPLANT
• What is the purpose of the implant?
• What does success look like?
• Which features or capabilities do we need?
DESIGNING IMPLANT
• Lightweight: can be dropped through a macro-enabled Office document.
• Evasive: evades most common security products without much adaptation.
• Functional: collects information about the target environment to aid further operations.
TERMS
• Command and Control
attacker-controlled infrastructure that maintains control over all agents or implants by sending commands and retrieving results. Alternative names: C&C, C2 server.
• Implant
agent; a small program executed on the target. Alternative names: RAT, backdoor, beacon.
• Loader
specific code or executable whose purpose is to load the payload (implant) or another loader.
TERMS
• Redirectors
node or system that proxies all traffic from the target network (implant) to the C2 server, hiding the true location of the C2 server.
ROBUST INFRASTRUCTURE
Multiple tiers: Interactive (Tier 3)
• General commands, enumeration, scanning, data exfiltration, etc.
• Has the most interaction and is at the greatest risk of exposure.
• Ready to abandon at any time.
ROBUST INFRASTRUCTURE
Multiple tiers: Short Haul (Tier 2)
• Serves as a backup to re-establish the interactive session.
• Uses covert communications that blend in with the target's traffic.
• Slow callback times, e.g. 1 – 24 hours.
ROBUST INFRASTRUCTURE
Multiple tiers: Long Haul (Tier 1)
• Maintains long-term access into the target's network.
• Same as short haul, but with even slower callbacks.
MINIMUM REQUIREMENT
• Communication channel
• Modular design
• Dynamically reconfigurable
PLANNING FOR OPERATION
MITRE ATT&CK
https://attack.mitre.org/
https://attack.mitre.org/groups/G0016/
DESIGN & IMPLEMENTATION
COMMUNICATION CHANNEL
• HTTP/HTTPS: masquerade as legitimate HTTP connections
• DNS:
  • Hybrid: DNS for telemetry or callback, HTTP for the data channel.
  • Pure DNS
• SMB: chaining beacons
• TCP: with proprietary protocols
CASE: HTTP
```python
import requests

# Each callback assembles its request from generated parts rather than
# fixed values, so URL, headers and body can vary between callbacks.
url = GenerateURL()
headers = GenerateHeaders()
body = GenerateBody()
res = requests.post(url, data=body, headers=headers)
ProcessResponse(res)
```
Message types:
• Callback
• Command
• Result
• Dynamic URL and endpoint?
• Unique ID
• Payload, where?
• Interval and jitter
• Telemetry, health check
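Seen from the defender's side, the interval and jitter on this slide (and the 1 – 24 hour callbacks of the short-haul tier above) are exactly what makes HTTP beaconing detectable in proxy logs. The following is an added example, not code from the talk: it parses constructed proxy log lines (the line format is assumed) and flags client/host pairs whose request gaps are near-constant.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic). Assumed format:
# "<ISO timestamp> <client ip> <method> <url> <status>"
# One host receives a POST roughly every 60 s with small jitter; the other
# sees ordinary, irregular browsing from the same client.
SAMPLE_LOG = """\
2021-11-05T09:00:00 10.0.0.7 POST http://cdn-updates.example/api/v1/check 200
2021-11-05T09:00:03 10.0.0.7 GET http://intranet.example/home 200
2021-11-05T09:00:15 10.0.0.7 GET http://intranet.example/news 200
2021-11-05T09:01:02 10.0.0.7 POST http://cdn-updates.example/api/v1/check 200
2021-11-05T09:01:58 10.0.0.7 POST http://cdn-updates.example/api/v1/check 200
2021-11-05T09:02:40 10.0.0.7 GET http://intranet.example/docs 200
2021-11-05T09:03:01 10.0.0.7 POST http://cdn-updates.example/api/v1/check 200
2021-11-05T09:03:02 10.0.0.7 GET http://intranet.example/docs/2 200
2021-11-05T09:04:05 10.0.0.7 POST http://cdn-updates.example/api/v1/check 200
2021-11-05T09:04:59 10.0.0.7 POST http://cdn-updates.example/api/v1/check 200
2021-11-05T09:05:30 10.0.0.7 GET http://intranet.example/home 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, host) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        yield datetime.fromisoformat(ts), client, urlsplit(url).hostname


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return {(client, host): stats} for every pair with enough requests.

    A fixed callback interval plus jitter yields inter-request gaps clustered
    around that interval, so the coefficient of variation (stdev / mean) of
    the gaps stays small. Human-driven browsing produces widely varying gaps.
    A pair is marked as a beacon when its CV is at or below max_cv.
    """
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)

    results = {}
    for key, stamps in seen.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        results[key] = {
            "requests": len(stamps),
            "mean_interval_s": round(mean, 1),
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG).items():
        flag = "BEACON" if stats["beacon"] else "ok"
        print(f"{client} -> {host}: {stats} [{flag}]")
```

For the slow tiers (1 – 24 hour callbacks) the same statistic applies, but the log window must span days and `min_requests` must be lowered accordingly, which is why slow-haul channels are harder to spot.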
MODULAR DESIGN
• Adding new features/capabilities should not change the core program.
• Framework?
• Implement features as add-ons or plugins.
• Use builtins or the Windows API?
• Staged? Stageless?
CASE: COMMANDS
• GET
• PUT
• LIST
• EXECUTE
• LOAD
• Module: credential harvesting,
• CONFIGURE: key, channel, IP, port, host, endpoint
CASE: WMI COMMAND
• Windows Management Instrumentation
• Query system state (processes, services, installed apps, BIOS, etc.)
• WQL (WMI Query Language)
• Python module: wmi
• pip install wmi
• Extending the implant with a WMI command
COMMAND: EXECUTE SHELLCODE
• Raw shellcode as payload
• Why shellcode?
• Run as separate thread
• Allocate space on host process
• Decrypt/decompress/decode shellcode to allocated space
• Create new thread and start execution from allocated space
• Clean up
COMMAND: DROP & EXECUTE BINARY
• Fetch the executable from the C2 server
• Mostly tools: Rubeus, mimikatz, message relay
• Store the executable temporarily
• What about DLLs?
COMMAND: SHELL COMMAND
• Execute a shell command
• Atomic or session?
Variations
• os.system()
• subprocess.run()
• subprocess.Popen()
DYNAMIC RECONFIGURABLE
• Change settings/configuration at runtime.
• IP address + endpoint
• Message type
• Profile
• Must match the C2 server's configuration
PROTECTION
• Any tool deployed in target environment needs to adhere to the
highest standard of operational security (opsec)
THANK YOU
Satria Ady Pradana
satria.pradana [at] mii.co.id
@xathrya (telegram)