
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework


The presentation I gave during the SECURE 2019 Conference in Poland, one of the most important IT security events in the calendar of Polish *Cyber Security* conferences.

Published in: Technology

  1. 1. APT for Everyone - Adversary Simulations based on ATT&CK framework. Leszek Miś - lm@defensive-security.com
  2. 2. whoami - Leszek Miś ● Principal Cyber Security Architect / Founder @ Defensive Security ● Offensive Security Certified Professional (OSCP) ● Red Hat Certified Architect / RHCSS / RHCX / Sec+ / Splunk Architect ● Trainer / Speaker at: ○ Black Hat USA, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi, OWASP Appsec USA, Flocon USA, BruCON BE, 44CON UK, x33fcon PL, Confidence PL, Cyber Hagen DK, PLNOG, Techrisk PL, Open Source Day PL ● Areas of interest: ○ Adversary Simulations and Post-Exploitation Red/Blue Actions ○ Threat Hunting and Incident Response ○ Behavioral / Statistical / ML network analysis → Feature Extraction ○ Hardening of Linux / Web Application / Infrastructure ○ Penetration testing / OSINT / Security audits ○ Open Source Security Software 2
  3. 3. Agenda ● Introduction: ○ What is Adversary Simulation? ○ What is MITRE ATT&CK Framework? ○ How can we use MITRE ATT&CK Framework? 3
  4. 4. Agenda ● Use-cases: ○ Trusted Binaries + SMB ○ DNS Rebinding + Docker API pwning ○ DNS AXFR Payload Delivery ○ LDAP as hidden storage ○ Active Directory as C2 ○ ICMP data exfiltration + protocol tunneling ○ Slack as C2 ○ Optionally: ■ C3 / Covenant / DoH / HTTP2 / Lateral Movement DCOM IE ● In & Out Network eXfiltration Platform ● Summary 4
  5. 5. I. Introduction.
  6. 6. I. What is adversary simulation? ● A goal-oriented and strategy-driven approach focused on post-exploitation and data exfiltration actions → Threat-based Red Teaming ● We don’t focus on the exploitation process → ○ Breach assumption → the adversary is already inside your network ● It provides real-world indicators of compromise to your incident response team ● It establishes real-world persistence inside your infrastructure ● Focuses on the behaviors of the adversary’s APT techniques: ○ Emulates IN-THE-CHAIN the techniques of the attacker most likely to target your environment ● Your environment should stay safe → low impact on your operations ● It’s not a pentest! 6
  7. 7. I. What is adversary simulation? ● As @mubix said recently during BruCON 2019: ○ We need to start performing actions in a measurable way: ■ What coverage of the ATT&CK framework you have ■ Time to detection ■ Time to response ■ How many new rules were added vs. new APT techniques seen in the wild ■ Critical assets → How many servers are forwarding logs ■ Malicious insiders detected before they stole something 7
  8. 8. I. What is adversary simulation? ● APT Emulation → you can’t detect advanced adversary moves when you: ■ Don’t understand their TTPs ■ Don’t understand and “feel” the network ■ Don’t understand OS internals 8
  9. 9. I. What is adversary simulation? ● Network security validation steps *at your environment* of: ○ Data Leakage Protection (DLP) solutions ○ IDS / IPS ○ Firewall(-NG) / WAF ○ ML / DL / AI Security Products ○ SOAR ○ SIEM / Event analytics ○ Whitelist rules ○ Forward Proxies / Web categorization ■ + bypassing attempts :> 9
  10. 10. I.I. Introduction - MITRE ATT&CK Framework
  11. 11. I. MITRE ATT&CK Framework ● MITRE ATT&CK Framework: ○ MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected. ○ Common language for describing: ■ Tactics ■ Techniques ■ Groups ■ Software 11
  12. 12. ATT&CK Framework 12
  13. 13. I. ATT&CK Framework ● Helps you understand where you actually are and what your current status is ● Four practical steps to help prepare your organization to face modern threats: ○ → Evaluate your existing controls ○ → Find top risky assets ○ → Understand your capacity ○ → Deploy improvements: ■ Threat Intelligence ■ Extract Techniques ■ Analyze and organize ■ Find or develop tools ■ Emulate the adversary ■ Share behaviors ○ → Repeat 13
  14. 14. I. ATT&CK Framework Source: https://attack.mitre.org/resources/adversary-emulation-plans/ 14
  15. 15. I. ATT&CK Framework ● Sample emulation plan (APT28): ○ Phase 1: ■ Initial Access: T1192 - Spearphishing Link ■ Execution: T1086 - Powershell ○ Phase 2: ■ Persistence: T1122 - COM Hijacking ■ Privilege Escalation: T1078 - Valid Accounts ■ Defense Evasion: File Deletion ■ Lateral Movement: Pass The Hash ○ Phase 3: ■ Exfiltration: T1041 - Exfiltration over C2 15
  16. 16. I. ATT&CK Framework 16
  17. 17. I. How to play with ATT&CK? ● Open Source projects: ○ Atomic Red Team tests: ■ Teams need to be able to test everything from specific technical controls to outcomes ■ We should be able to run a test in less than five minutes ■ We need to keep learning how adversaries are operating ■ Examples: ● T1028 - Windows Remote Management ● T1118 - InstallUtil ● T1127 - Trusted Developer Utilities ● T1087 - Account Discovery ■ Link: ● https://github.com/redcanaryco/atomic-red-team 17
  18. 18. I. How to play with ATT&CK? ● Open Source projects: ○ Atomic Red Team tests: ■ Very easy to run: ● Install-Module -Name powershell-yaml ● IEX (New-Object Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.com'); Install-AtomicRedTeam -verbose ● Invoke-AtomicTest T1117 18
  19. 19. I. How to play with ATT&CK? ● T1202 → Indirect Command Execution ■ pcalua.exe -a calc.exe ● Process monitoring ○ pcalua.exe ● Process command-line parameters ○ -a ● Windows event logs ○ 4688 (Process creation) 19
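The three data sources listed on the T1202 slide (process monitoring, command-line parameters, event 4688) combine into one detection rule. The following is an added example of such a rule, not code from the talk or from Atomic Red Team: it runs over a constructed set of process-creation events whose field names mimic a Windows 4688 / Sysmon record (the field names and sample values are assumptions of the demo) and reports the one event where pcalua.exe is used with -a to proxy another executable.

```python
"""Detect indirect command execution (ATT&CK T1202) in process-creation events.

Added example for the T1202 slide, not code from the talk. The events below
are constructed and mimic the fields a Windows 4688 / Sysmon process-creation
record exposes; the field names are an assumption for the demo.
"""
import re

# Constructed sample of process-creation events (field names assumed).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": "pcalua.exe -a calc.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": "pcalua.exe",            # no -a: the interactive compatibility wizard
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4624, "NewProcessName": "", "CommandLine": "",
     "ParentProcessName": ""},               # a logon event, not process creation
]

# Matches "-a <target>" anywhere in the command line (case-insensitive).
PCALUA_A = re.compile(r"(?:^|\s)-a\s+(\S+)", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a full image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_t1202(events):
    """Return one finding per 4688 event where pcalua.exe is started with -a."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue                                   # only process-creation events
        if image_name(ev.get("NewProcessName", "")) != "pcalua.exe":
            continue                                   # process monitoring: the image
        m = PCALUA_A.search(ev.get("CommandLine", ""))
        if not m:
            continue                                   # command-line parameter: -a
        findings.append({
            "technique": "T1202",
            "name": "Indirect Command Execution via pcalua.exe",
            "proxied_target": m.group(1),
            "parent": image_name(ev.get("ParentProcessName", "")),
            "command_line": ev["CommandLine"],
        })
    return findings


if __name__ == "__main__":
    for f in detect_t1202(SAMPLE_EVENTS):
        print(f"{f['technique']}: {f['command_line']} (parent {f['parent']})")
```

The parent image is kept in the finding because pcalua.exe spawned by an Office process or a script host is a much stronger signal than the same command under explorer.exe; the rule itself only encodes what the slide names.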
  20. 20. I. How to play with ATT&CK? ● Open Source projects: ○ Purple Team ATT&CK Automation ■ MITRE ATT&CK TTPs as Metasploit Framework post modules ● Automation of a little over 100 TTPs as modules: ○ msf5 > use post/windows/purple/t1028 ○ msf5 > use post/windows/purple/t1003 ■ Link: ● https://github.com/praetorian-code/purple-team-attack-automation/wiki/Available-Modules 20
  21. 21. I. How to play with ATT&CK? ● Open Source projects: ○ Metta: ■ Allows you to test your host based instrumentation (mostly) ■ Dedicated for testing EDR devices, but it is easy to customize it also for network based checks and detections ■ Link: ● https://github.com/uber-common/metta 21
  22. 22. I. How to play with ATT&CK? ● Open Source projects: ○ RTA - Red Team Automation: ■ Framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK ■ Composed of Python scripts that generate evidence of over 50 different ATT&CK techniques, as well as a compiled binary application that performs activities such as file timestomping, process injection, and beacon simulation ■ Link: ● https://github.com/endgameinc/RTA ● https://eqllib.readthedocs.io/en/latest/analytics.html 22
  23. 23. I. How to play with ATT&CK? ● Open Source projects: ○ CALDERA: ■ Automated adversary emulation system, built on the top of MITRE ATT&CK™ framework ■ Dedicated for Windows / Linux environments ■ Link: ● https://github.com/mitre/caldera/wiki/CALDERA-2.0 23
  24. 24. II. Use cases.
  25. 25. II. Use cases - Trusted Binaries ● Trusted Binaries Execution + Payload delivery over the network: ○ MSBuild + SMB channel: ■ SILENTTRINITY: ● Modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework ● Bring Your Own Interpreter technique: ○ Embeds third-party .NET scripting languages to dynamically call .NET APIs ● Link: ○ https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/core/teamserver/modules/boo 25
  26. 26. II. Use cases - DNS Rebinding ● DNS Rebinding: ○ Allows an attacker to subvert the victim browser’s same-origin policy (SOP) ○ Can be used to breach a private LAN by causing the victim's web browser to access machines at private IP addresses and return the results to the attacker ○ Low DNS TTL 26
  27. 27. II. Use cases - DNS AXFR ● Meterpreter Payload Delivery using DNS AXFR: ○ Hex-encoded chunks of the payload used as fake A record definitions ○ AXFR query type for dumping a fake DNS zone: ■ 21.1556c334f57527662574e55626e4d78516b313452546b775930636b567a596e.exfil.emerge.pl. 604800 IN A 127.0.0.1 ■ 9.2505130394d58314e54544859794d796b4b43584e6a4c6d4e6f5a574e725832.exfil.emerge.pl. 604800 IN A 127.0.0.1 ■ 0.3049484e35637770326154317a65584d75646d567963326c76626c3970626d5.exfil.emerge.pl. 604800 IN A 127.0.0.1 ■ 3.33162646d6c624d4631644c475a796232317361584e305056736e596e567062.exfil.emerge.pl. 604800 IN A 127.0.0.1 ■ 8.3963334e734c6c4e5454454e76626e526c6548516f63334e734c6c425354315.exfil.emerge.pl. 604800 IN A 127.0.0.1 ■ 20.444d765a7a4132556d773163325a4e645759784d53314552484a726330684d5.exfil.emerge.pl. 604800 IN A 127.0.0.1 ○ Link: ■ https://github.com/cr0nx/msf-payload-in-axfr 27
  28. 28. II. Use cases - LDAP Exfiltration ● LDAP as hidden storage / C2 ● What if two endpoint devices can't talk directly to each other but they are both LDAP client members? ○ Upload base64-encoded data to a well-known LDAP attribute: ■ gecos ■ telephoneNumber ■ street ■ etc. ○ Download and decode the base64-encoded data from the chosen LDAP attribute ● Based on FreeIPA: ○ There is no attribute length restriction, which means we can use e.g. the 'gecos' attribute as unlimited storage space to download/upload data and bypass FW/IDS/IPS protection. ● Link: ○ https://github.com/cr0nx/freeipa-ldap-exfil 28
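The records above have a recognisable shape: a decimal sequence number, then a long label consisting only of hex digits, then the zone. A defender who logs zone transfer responses (or who notices AXFR answers from a zone that should never transfer) can triage them with a small parser. The following is an added example and not the msf-payload-in-axfr tool's code: the zone text is constructed in dig's presentation format, the "chunk" records are deliberately out of order, and the hidden content is the plain string "constructed sample payload" rather than a real payload.

```python
"""Triage a DNS zone transfer for hex-encoded data hidden in owner names.

Added example for the DNS AXFR slide, not the msf-payload-in-axfr tool. The
zone text below is constructed: the chunk names follow the slide's
"<seq>.<hex>.<zone>" shape, but the content is the string
"constructed sample payload", not a real payload.
"""
import re

# Constructed AXFR output in dig's presentation format; the three chunk
# records are deliberately out of sequence order.
SAMPLE_ZONE = """\
exfil.example.test.   604800 IN SOA ns.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
exfil.example.test.   604800 IN NS  ns.example.test.
www.exfil.example.test. 604800 IN A 203.0.113.10
0.636f6e73747275637465.exfil.example.test. 604800 IN A 127.0.0.1
2.61796c6f6164.exfil.example.test. 604800 IN A 127.0.0.1
1.642073616d706c652070.exfil.example.test. 604800 IN A 127.0.0.1
"""

# A "sequence.hexchunk" prefix: decimal sequence number, then a hex label of
# at least MIN_HEX_LEN characters (short hex-looking labels such as "ab" or
# "10" are common in legitimate zones, so they are not counted).
MIN_HEX_LEN = 12                     # assumed threshold for this demo
CHUNK_RE = re.compile(r"^(\d+)\.([0-9a-f]+)\.", re.IGNORECASE)


def parse_zone(zone_text):
    """Yield (owner, ttl, rtype, rdata) tuples from zone-file style lines."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue   # skip blank lines, comments and unexpected layouts
        yield fields[0], int(fields[1]), fields[3].upper(), " ".join(fields[4:])


def find_hex_chunks(zone_text):
    """Return {sequence: bytes} for records whose owner name carries a hex chunk."""
    chunks = {}
    for owner, _ttl, _rtype, _rdata in parse_zone(zone_text):
        m = CHUNK_RE.match(owner)
        if not m:
            continue
        hexpart = m.group(2)
        if len(hexpart) < MIN_HEX_LEN or len(hexpart) % 2:
            continue
        chunks[int(m.group(1))] = bytes.fromhex(hexpart)
    return chunks


def triage(zone_text):
    """Summarise a transfer: how many chunk records it carries and their
    content reassembled in sequence order, for analyst review."""
    chunks = find_hex_chunks(zone_text)
    data = b"".join(chunks[k] for k in sorted(chunks))
    return {"records": sum(1 for _ in parse_zone(zone_text)),
            "chunks": len(chunks), "decoded": data}


if __name__ == "__main__":
    result = triage(SAMPLE_ZONE)
    print(f"{result['chunks']} of {result['records']} records carry hex chunks")
    print("decoded:", result["decoded"])
```

The ratio of chunk records to ordinary records is the useful alerting metric: a zone in which most A records point at 127.0.0.1 and carry 60-character hex labels is not serving names, and restricting AXFR to known secondaries (allow-transfer) removes the channel altogether.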
  29. 29. II. Use cases - LDAP Exfiltration ● Example of LDAP as hidden storage 29
  30. 30. II. Use cases - AD as C2 ● Production infrastructure as C2 (also over AZURE API) ● Internal C2 that uses standard Active Directory object properties ● Let’s analyze the schema for the “user” object in the domain to get a list of properties ready to use for storing data: ○ Not all of them are self-writable for the user ● PS> [DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema().FindClass('user').optionalproperties | select name,rangeupper | ?{$_.RangeUpper} | Sort-Object -Descending -Property rangeupper | Select -First 10 30
  31. 31. II. Use cases - AD as C2 ● AD User Attribute sizes → use any of these RW attributes for establishing an internal C2 communication: ■ mSMQSignCertificates → 1MB ■ thumbnailPhoto → 100KB ■ userSMIMECertificate → 32KB ■ userCert → 32KB ■ registeredAddress → 4KB ■ postalAddress → 4KB ■ homePostalAddress → 4KB ■ wwwHomePage → 2KB ■ info → 1KB ■ StreetAddress → 1KB ■ street → 1KB ■ primaryTelexNumber → 64 bytes ■ st → 64 bytes ■ ipPhone → 64 bytes 31
  32. 32. II. Use cases - AD as C2 ● mSMQSignCertificates has a Partial Attribute Set with default schema ● Partial Attribute Set means it will be propagated to all copies of the GC in the forest ● One-to-many broadcast style connection channel for delivering commands and retrieving the results: ○ User A → command definition and delivery by using his own attribute ○ User B → command retrieving and sending results by his own attribute 32
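Both the FreeIPA slide (gecos with no length restriction) and the AD attribute table above describe the same defensive problem: text attributes meant for a phone number or a postal address suddenly holding kilobytes of base64. The following is an added example covering both passages; it is not FreeIPA, Active Directory or the freeipa-ldap-exfil tool's code. It audits an LDIF export of the kind ldapsearch -LLL (or an AD export) produces, unfolding continuation lines, and flags values that exceed an assumed per-attribute policy length or that look like a base64 blob instead of human-entered text. The entries and limits below are constructed.

```python
"""Audit an LDIF export for directory attributes abused as hidden storage.

Added example covering the FreeIPA "gecos as unlimited storage" slide and
the AD user-attribute table; it is not FreeIPA, AD or the linked tool's
code. Input is LDIF as produced by ldapsearch -LLL or an AD export. The
per-attribute length limits are assumed policy values and the directory
entries are constructed.
"""
import base64
import re

# Assumed policy: how long a value in each attribute can reasonably be.
EXPECTED_MAX_LEN = {
    "gecos": 256, "telephonenumber": 32, "street": 128,
    "info": 1024, "wwwhomepage": 2048, "postaladdress": 1024,
}
# Value shape that looks like a base64 blob rather than human-entered text.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")

# Constructed blob standing in for smuggled data (it only repeats a label).
_BLOB = base64.b64encode(b"constructed blob " * 20).decode()

SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,dc=example,dc=test
uid: alice
gecos: Alice Example
telephoneNumber: +1 555 0100

dn: uid=bob,cn=users,dc=example,dc=test
uid: bob
gecos: {_BLOB}
street: 1 Main Street
telephoneNumber: +1 555 0101
"""


def unfold(text):
    """Join LDIF continuation lines (leading space) back onto their attribute line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return entries as {"dn": ..., "attrs": [(attr, value, is_binary), ...]}."""
    entries, current = [], None
    for line in unfold(text) + [""]:          # trailing "" closes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _sep, value = line.partition(":")
        is_binary = value.startswith(":")      # "attr:: <base64>" form
        value = (value[1:] if is_binary else value).strip()
        if attr.lower() == "dn":
            current = {"dn": value, "attrs": []}
        elif current is not None:
            current["attrs"].append((attr, value, is_binary))
    return entries


def audit(text):
    """Flag attribute values that are too long for their purpose or look like blobs."""
    findings = []
    for entry in parse_ldif(text):
        for attr, value, is_binary in entry["attrs"]:
            key = attr.lower()
            if key not in EXPECTED_MAX_LEN:
                continue
            raw = base64.b64decode(value) if is_binary else value.encode()
            reasons = []
            if len(raw) > EXPECTED_MAX_LEN[key]:
                reasons.append(f"length {len(raw)} > {EXPECTED_MAX_LEN[key]}")
            if not is_binary and B64_SHAPE.match(value):
                reasons.append("value looks like a base64 blob")
            if reasons:
                findings.append({"dn": entry["dn"], "attribute": attr, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        print(f["dn"], f["attribute"], "; ".join(f["reasons"]))
```

Run periodically against a directory export, this turns the "unlimited storage" property of gecos into a baseline check: a value that grows between two exports, or that is written by the object itself (self-write, as the AD slide notes), is the event to alert on.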
  33. 33. II. Use cases - ICMP ● ICMP Exfiltration and Tunneling ● Transparently tunnel your IP traffic through ICMP echo and reply packets. ● An ICMP type 8 (echo request) carries a data field whose content and length are not defined by the protocol, so it can hold arbitrary bytes → exfil the data here! ● Great option for: ○ Bypassing captive portals ○ Bypassing firewalls ○ Data exfiltration 33
  34. 34. II. Use cases - ICMP ● icmptunnel uses a virtual tunnel interface (tun0) on both sides: ○ listener / receiver architecture ● the client’s visible outgoing traffic is pure ICMP 34
  35. 35. II. Use cases - ICMP ● ICMP tools: ○ icmptunnel ○ auxiliary/server/icmp_exfil ○ nping ○ exfiltrate-data.rb ○ icmpsh ○ hans ○ ptunnel ○ itun ○ icmp-encrypted-chat 35
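Because the echo request data field is free-form, the only thing a network sensor can do is compare what it sees against what a normal ping looks like. The following is an added example for the ICMP slides and is not icmptunnel's code: it builds echo requests in-process (no raw sockets, so it runs offline), verifies the RFC 1071 checksum, and classifies the payload. The two "known ping" shapes it recognises are the iputils/Linux pattern (8-byte timestamp followed by the bytes 0x10, 0x11, ...) and the Windows pattern ("abcdefghijklmnopqrstuvwabcdefghi"); the 64-byte length and 6.0-bit entropy thresholds and the sample packets are assumptions of this demo.

```python
"""Flag ICMP echo requests whose payload does not look like a normal ping.

Added example for the ICMP tunneling slides; it is not icmptunnel's code.
Packets are built in-process (no raw sockets). Known ping payload shapes:
iputils/Linux (8-byte timestamp, then 0x10, 0x11, ...) and Windows
("abcdefghijklmnopqrstuvwabcdefghi"). Thresholds are demo assumptions.
"""
import hashlib
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8
MAX_NORMAL_PAYLOAD = 64      # assumed: default pings carry 32 or 56 bytes
ENTROPY_THRESHOLD = 6.0      # assumed: bits per byte; patterns and text sit below
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Split an ICMP message into header fields and payload, verifying the checksum."""
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    zeroed = pkt[:2] + b"\x00\x00" + pkt[4:]
    return {"type": itype, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": icmp_checksum(zeroed) == csum}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """True for the Windows fixed string or the iputils timestamp+counter body."""
    if payload == WINDOWS_PATTERN:
        return True
    body = payload[8:]   # skip the 8-byte struct timeval iputils puts first
    return len(payload) >= 16 and body == bytes((0x10 + i) & 0xFF for i in range(len(body)))


def classify(pkt: bytes) -> tuple:
    """Return (verdict, reason) for one ICMP message."""
    info = parse_icmp(pkt)
    if info["type"] != ICMP_ECHO_REQUEST:
        return "ignored", "not an echo request"
    if not info["checksum_ok"]:
        return "suspicious", "bad checksum"
    payload = info["payload"]
    if looks_like_standard_ping(payload):
        return "benign", "standard ping payload"
    if len(payload) > MAX_NORMAL_PAYLOAD:
        return "suspicious", f"payload length {len(payload)} > {MAX_NORMAL_PAYLOAD}"
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        return "suspicious", "high-entropy payload"
    return "unknown", "non-standard but small, low-entropy payload"


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for encrypted tunnel data (constructed, not real traffic)."""
    out, block = b"", b"constructed seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample packets.
LINUX_PING = build_echo(0x1234, 1, b"\x00" * 8 + bytes(range(0x10, 0x10 + 48)))
WINDOWS_PING = build_echo(0x0001, 7, WINDOWS_PATTERN)
TUNNEL_PACKET = build_echo(0x4242, 1, _pseudo_random(1200))

if __name__ == "__main__":
    for name, pkt in [("linux", LINUX_PING), ("windows", WINDOWS_PING), ("tunnel", TUNNEL_PACKET)]:
        print(name, *classify(pkt))
```

Length and entropy are per-packet signals; in practice the stronger indicator for a tun0-style tunnel is volume, since a host that sends hundreds of echo requests per second with a constant identifier is not troubleshooting connectivity. Where ICMP is not needed at the egress, dropping or rate-limiting echo requests removes the channel.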
  36. 36. II. Use cases - Slack as C2 ● Slack is a cloud-based set of collaboration tools and services that supports: ○ Workspace and team creation ○ Public and private channels ○ Personal & group messaging ○ File sharing ○ Audio / video plugins ● SlackShell uses: ○ The Slack API to create a command and control channel. ○ Start-Shell as the main function: it connects to a user-specified Slack channel and authenticates using a supplied API authentication token ○ Any command typed into the channel will then be executed on the host ○ Allows importing additional PS scripts into the running session by uploading them to the Slack channel → https://slack-files.com and loading them directly into memory! ○ Link: ■ https://github.com/bkup/SlackShell 36
  37. 37. II. Use cases ● Recommended tools: ○ download_exec_elf_in_memory ○ C3 ○ Covenant ○ Sliver ○ goDoH ○ Apfell ○ Faction C2 37
  38. 38. III. In & Out - Network eXfiltration Platform.
  39. 39. III. In & Out eXfiltration Platform ● Ready to use adversary tools, techniques and procedures in one network solution that you have full control of: ● https://defensive-security.com/platform 39
  40. 40. III. In & Out eXfiltration Platform ● Ready to run in your multi-segment enterprise environment ● Focuses on network events → generates multi-direction traffic: ○ int2ext / int2dmz / dmz2ad / ad2mgmt / ad2ad / int2int etc. ● Dedicated C2 Cloud Infrastructure included ● Exfiltration and post-exploitation job definitions ready to run ● In & Out Knowledge Base → stay up to date with new network TTPs ● Useful for Red / Blue / Purple teams who want to validate network security posture ● Enterprise subscription - training and workshops included ● Risk and impact reporting ● Provides metrics and mappings to MITRE ATT&CK Framework ● Part of dedicated Adversary Simulation Services 40
  41. 41. III. Training portfolio ● Defensive Security Training Portfolio: ○ In & Out - Network Data Exfiltration Techniques → RED Edition ○ In & Out - Network Data Exfiltration Techniques → BLUE Edition ○ Open Source Defensive Security → The Trinity of Tactics ○ BRO / Zeek IDS → Network Threat Hunting and Baseline Profiling ○ Docker Security → From 0 to Hero ○ SELinux - Development & Administration of Mandatory Access Control Policy. ● Link: ○ https://defensive-security.com/ 41
  42. 42. IV. Summary ● It’s just a short introduction: ○ Don't trust everything your vendor says ○ Ping - pong :) ○ Invest in competence development: ■ RED Team ■ BLUE Team ● → Purple Team / Threat Hunting ○ Be aware of and verify your network security posture constantly ○ Keep learning new stuff every single day 42
  43. 43. Thank you! Keep generating evil! Keep hunting evil! leszek.mis@defensive-security.com