Adversary Emulation - DerpCon
•
5 likes•1,843 views
Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations are covered. Adversary Emulations are end-to-end attacks against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Adversary Emulation - DerpCon
Similar to Adversary Emulation - DerpCon (20)
More from Jorge Orchilles
More from Jorge Orchilles (20)
Recently uploaded
Recently uploaded (20)
Adversary Emulation - DerpCon
- 2. DERP.TXT • Security appliance from major vendor you may know • Shrink wrap/product penetration test before putting in production (also before we pay them) • Did not want to provide us access to CLI – boooooo • Gave us restricted shell and said we would have to break out if we wanted access – challenge accepted! • Assigned the top restricted shell escaper I know@JORGEORCHILLES
- 9. @JORGEORCHILLES FOUND THE MAGIC WORD AND SO MUCH MORE
- 10. #WHOAMILed offensive security team at large financial for past 10 years Published industry contributions include: ⑊ Founding member MITRE Engenuity Center ⑊ Co-Author GFMA Threat-led Penetration Testing & Red Team Framework ⑊ SANS Instructor and author of Red Team course: SEC564 ⑊ NSI Technologist Fellow; ISSA Fellow ⑊ Common Vulnerability Scoring System (CVSSv3.1) ⑊ Author of Windows 7 Administrators reference (Syngress) @JORGEORCHILLES
- 11. 11 VULNERABILITY SCANNING VULNERABILITY ASSESSMENT PENETRATION TESTING RED TEAM IN PERSON PURPLE TEAM CONTINOUS PURPLE TEAM ADVERSARY EMULATION Definition: A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective like those of realistic adversary. Goal: Emulate an end-to-end attack against a target organization. Obtain a holistic view of the organization’s preparedness for a real, sophisticated attack. @JORGEORCHILLES
- 12. 12 An end to end assessment of the entire organization ⑊ Main differentiator from penetration testing - Tests the defenders not the defenses (detection vs. prevention) - People, Process, and Technology - Not a limited scope test targeting just a particular product, infrastructure, network, application, URL, or domain ⑊ Full Cyber Kill Chain from Recon to Objective ⑊ Often blind, unannounced exercise ⑊ Determine what TTPs would work, undetected if a true attack occurred and action plan to remediate @JORGEORCHILLES
- 13. 13 Measuring the effectiveness of People, Process, and Technology Documented metrics and timeline of entire exercise ⑊ Time and TTPs to obtain initial access ⑊ TTPs that allowed moving laterally ⑊ Identify TTPs not prevented or detected ⑊ Process and time to escalate events into an incident ⑊ Time to contain; ⑊ Time to eradicate ⑊ Process to engage hunt team, coordinate communications, alert leadership and correlate all events and realize sophisticated, targeted attack @JORGEORCHILLES
- 14. 14 ASSUMPTIONS That attack won’t work here because… “We applied all patches” “We have outbound DLP” “Our users would never open a macro” “Our applications have MFA” “Our network is segmented and only way out is through proxy” “We have firewalls, AV, and IDS” Trust but verify Can the Iranians breach us? @JORGEORCHILLES
- 15. 15 Training and improving the Blue Team ⑊ Every Red Team Exercise will result in Blue Team getting better ⑊ As you measure the people, process, and technology you will see improvements ⑊ Lessons will be learned, and processes improved ⑊ The more you train, the more you improve @JORGEORCHILLES
- 16. 16 FRAMEWORK & METHODOLOGIES ⑊ Cyber Kill Chain – Lockheed Martin ⑊ Unified Cyber Kill Chain – Paul Pols ⑊ ATT&CK – MITRE Regulatory: ⑊ CBEST Intelligence Led Testing – Bank of England ⑊ Threat Intelligence-Based Ethical Red Teaming – TIBER- EU ⑊ Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore) ⑊ intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority) ⑊ G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT) ⑊ A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association) @JORGEORCHILLES
- 17. INITIAL ACCESS EXECUTION PERSISTENCE PRIVILEGE ESCALATION DEFENSIVE EVASION CREDENTIAL ACCESS DISCOVERY LATERAL MOVEMENT COLLECTION COMMAND AND CONTROL EXFILTRATION IMPACT DRIVE- BY COMPROMISE APPLESCRIPT .BASH_PROFULE AND .BASHRC ACCESS TOKEN MANIPULATION ACCESS TOKEN MANIPULATION ACCOUNT MANIPULATION ACCOUNT DISCOVERY APPLESCRIPT AUDIO CAPTURE COMMONLY USED PORT AUTOMATED EXFILTRATION DATA DESTRUCTION EXPLOIT PUBLIC- FACING APPLICATION CMSTP ACCESIBILITY FEATURES ACCESIBILITY FEATURES BITS JOBS BASH HISTORY APPLICATION WINDOW DISCOVERY APPLICATION DEPLOYMENT SOFTWARE AUTOMATED COLLECTION COMMUINICTION THROUGH REMOVABLE DATA DATA COMPRESSED DATA ENCRYPTED FOR IMPACT EXTERNAL REMOTE SERVICES COMMAND-LINE INTERFACE ACCOUNT MANIPULATION APPCERT DLLS DINARY PADDING BRUTE FORCE BROWSER BOOKMARK DISCOVERY DISTRUBETED COMPONENT OBJECT MODEL CLIPBOARD DATA CONNECTION PROXY DATA ENCRYPTED DEFACEMENT HARDWARE ADDITIONS COMPILED HTML FILE APPCERT DLLS APPINIT DLLS ACCOUNT CONTROL BYPASS USER CREDENTIAL DUMPING DOMAIN TRUST DISCOVERY EXPLOITATION OF REMOTE SERVICES DATA STAGE CUSTOM COMMAND AND CONTROL PROTOCOL DATA TRANSFER SIZE LIMIT DISK CONTENT WIPE REPLICATION THROUGH REMOVABLE MEDIA CONTORL PANEL ITEMS APPINIT DLLS APPLICATION SHIMMIMG CMSTP CREDENTIALS IN FILES FILE AND DIRECTORY DISCOVERY LOGON SCRIPT DATA FROM INFORMATION REPOSITORIES CUSTOM CRYPTOGRAPHIC PROTOCOL EXFILTRATION OVER ALTERNATIVE PROTOCOL DISK STRUCTURE WIPE SPEARPHISHING ATTACHMENT DYNAMIC DATA EXCHANGE APPLICATION SHIMMING BYPASS USER ACCOUNT CONTROL CLEAR COMMAND HISTORY CREDENTIALS IN REGISTRY NETWORK SERVICE SCANNING PASS THE HASH DATA FROM LOCAL SYSTEM DATA ENCODING EXFILTRATION OVER COMMAND AND CONTROL CHANNEL ENDPOINT DENIAL OF SERVICE SPEARPHISHING LINK EXECUTION THROUGH API AUTHENTICATIO N PACKAGE DLL SEARCH ORDER HIJACKING CODE SIGNING EXPLOITATION FOR CREDENTIAL ACCESS NETWORK SHARE DISCOVERY PASS THE TICKET DATA FROM NETWORK SHARE DRIVE DATA OBFUSCATION EXFILTRATION OVER OTHER NETWORK MEDIUM FIRMWARE CORRUPTION MITRE has developed the ATT&CK Matrix as a central repository for adversary TTPs. It is used by both red and blue teams. It is rapidly gaining @JORGEORCHILLES
- 18. FRAMEWORK Most organizations will take a hybrid approach based on the frameworks and methodologies just introduced ⑊ Threat Intelligence ⑊ Planning ⑊ Testing ⑊ Closure @JORGEORCHILLES
- 19. T1086 – PowerShell T1068 – Exploitation for Privilege Escalation T1003 – Credential Dumping S0194 – PowerSploit S0192 – Pupy S0002 – Mimikatz S0129 – AutoIT Hash Value IP Address TACTICS | TECHNIQUES | PROCEDURES https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html @JORGEORCHILLES
- 20. ATT&CK Navigator
- 21. 21 TRUSTED AGENTS RULES OF ENGAGEMENT ATTACK INFRASTRUCTURE o Limited number of people with knowledge of the exercise o When players find out about exercise their behavior changes o Individuals whose daily roles and responsibilities put them in a position to contribute to reducing the risk of causing unintended impact to production systems and/or inaccurate senior or external escalation Establish the responsibility, relationship, and guidelines between Trusted Agents and Players o Rules for Blue Team o Carry out all activity as any other incident o Trusted Agents will report what incidents are being investigated o Do not report exercise related items to regulators o Rules for Red Team o Do not bring down any business process or operation o Communicate all actions during daily brief Red Team is responsible for setting up infrastructure to emulate TTPs o Choose and procure external hosting service providers o Purchase domain names o Generate domain certificates o Setup mail servers o Setup phishing and credential theft sites o Confirm reputation and categorization of all domain and IPs o Setup Short and Long Haul C2 infrastructure o Configure custom C2 tooling o Test external C2 communication PLANNING @JORGEORCHILLES White Team or White Cell
- 22. 22 Matrix of command and control frameworks for Red Teamers ⑊ Google doc of most C2 frameworks: www.thec2matrix.com ⑊ Documents various capabilities of each framework ⑊ There is no right or wrong, better or worse framework ⑊ Find ideal C2 for your current objective ⑊ Wizard like UI to select which one: ask.thec2matrix.com ⑊ How-To Site for using C2s: howto.thec2matrix.com ⑊ SANS Slingshot C2 Matrix Edition @JORGEORCHILLES
- 25. 25 Initial Foothold Compromised System Network Propagation Internal Network Action on Objectives Critical Asset Access ⑊ Reconnaissance ⑊ Weaponization ⑊ Delivery ⑊ Social engineering ⑊ Exploitation ⑊ Persistence ⑊ Defense evasion ⑊ Command & Control ⑊ Discovery ⑊ Privilege escalation ⑊ Execution ⑊ Credential access ⑊ Lateral movement ⑊ Collection ⑊ Exfiltration ⑊ Target manipulation ⑊ Objectives PIVOTING ACCESS The Unified Kill Chain – Paul Pols The Unified Kill Chain is a good answer to some of the Cyber Kill Chain limitations! @JORGEORCHILLES
- 26. 26 ⑊ What TTPs were prevented? Why? Document these too! ⑊ What was detected? How long did it take? - Time to contain - Time to eradicate ⑊ Where processes followed? - Process and time to escalate events into an incident - Process to engage hunt team - Process to coordinate communications & alert leadership - Process to corelate all events and realize sophisticated, targeted attack CLOSURE @JORGEORCHILLES
- 27. 27
- 28. 28
- 29. 29
- 30. Automated Emulation https://medium.com/@jorgeorchilles/purple-team-exercise-tools-a85187ce341 ⑊ Red Team will be asked to repeat TTPs ⑊ Don’t waste Red Team Operator time re-doing the same TTP while engineers, operations, and SOC get detection working
- 31. Thank you! 31 Q & A?@JorgeOrchilles @C2_Matrix https://www.thec2matrix.com/ https://www.sans.org/course/red-team-exercises-adversary-emulation
Editor's Notes
- https://www.youtube.com/watch?v=RfiQYRn7fBg
- Escaping the restricted shell. Was written in ruby and some proprietary commands. Bypassctl was one that sent arguments to shell. 1. Create a file in the tmp directory 2. Make the file we created editable and executable 3. Echo our "usermod" command into our executable shell script which would give the current user root privileges 4. The "id" command shows we are a regular user 5. The "sudo -l" command shows we can run "tcpdump" as root with "sudo" privileges 6. Run the "tcpdump" command calling our shell script "-i eth0" binds our packet capture to the ethernet interface "-G 1" rotates the dump files every one second "-w /tmp/lepwn.pcap" writes the command output to a file which is needed for the "-z" option "-z" /tmp/lepwn" runs the shell script lepwn (/usr/sbin/usermod -g adm currentuser) The "usermod" command adds the user running the restricted shell to the "adm" group giving it root privileges 7. Running "sudo -l" again shows we can now run ALL commands as root without a required password 8. Root privileges are confirmed when we can view the contents of the shadow file Vulnerable Ruby Code: The restricted shell was written in Ruby and didn't properly sanitize command line arguments. A few proprietary Linux commands were executed in the Ruby script using "Open3.popen3" which spawns external operating system commands. The ability to join command arguments and include the command line operators (i.e. ; and &&) enabled us to supply a second command to be executed from within the restricted shell. Developer comments: You find lots of great developer comments when reviewing their code! Reference the Jurassic Park quote...