Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations are covered. Adversary Emulations are end-to-end attacks against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
2. DERP.TXT
• Security appliance from major vendor you may know
• Shrink wrap/product penetration test before putting in production (also before we pay them)
• Did not want to provide us access to CLI – boooooo
• Gave us restricted shell and said we would have to break out if we wanted access – challenge accepted!
• Assigned the top restricted shell escaper I know
@JORGEORCHILLES
10. #WHOAMI
Led offensive security team at large financial for past 10 years
Published industry contributions include:
⑊ Founding member MITRE Engenuity Center
⑊ Co-Author GFMA Threat-led Penetration Testing & Red Team Framework
⑊ SANS Instructor and author of Red Team course: SEC564
⑊ NSI Technologist Fellow; ISSA Fellow
⑊ Common Vulnerability Scoring System (CVSSv3.1)
⑊ Author of Windows 7 Administrators reference (Syngress)
11. ADVERSARY EMULATION
Assessment spectrum shown on the slide: Vulnerability Scanning → Vulnerability Assessment → Penetration Testing → Red Team → In Person Purple Team → Continuous Purple Team → Adversary Emulation
Definition: A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective like those of a realistic adversary.
Goal: Emulate an end-to-end attack against a target organization. Obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
12. An end to end assessment of the entire organization
⑊ Main differentiator from penetration testing
- Tests the defenders, not the defenses (detection vs. prevention)
- People, Process, and Technology
- Not a limited scope test targeting just a particular product, infrastructure, network, application, URL, or domain
⑊ Full Cyber Kill Chain from Recon to Objective
⑊ Often a blind, unannounced exercise
⑊ Determine what TTPs would work undetected if a true attack occurred, and an action plan to remediate
13. Measuring the effectiveness of People, Process, and Technology
Documented metrics and timeline of entire exercise
⑊ Time and TTPs to obtain initial access
⑊ TTPs that allowed moving laterally
⑊ Identify TTPs not prevented or detected
⑊ Process and time to escalate events into an incident
⑊ Time to contain
⑊ Time to eradicate
⑊ Process to engage hunt team, coordinate communications, alert leadership and correlate all events and realize sophisticated, targeted attack
14. ASSUMPTIONS
That attack won’t work here because…
“We applied all patches”
“We have outbound DLP”
“Our users would never open a macro”
“Our applications have MFA”
“Our network is segmented and only way out is through proxy”
“We have firewalls, AV, and IDS”
Trust but verify
Can the Iranians breach us?
15. Training and improving the Blue Team
⑊ Every Red Team Exercise will result in Blue Team getting better
⑊ As you measure the people, process, and technology you will see improvements
⑊ Lessons will be learned, and processes improved
⑊ The more you train, the more you improve
16. FRAMEWORK & METHODOLOGIES
⑊ Cyber Kill Chain – Lockheed Martin
⑊ Unified Cyber Kill Chain – Paul Pols
⑊ ATT&CK – MITRE
Regulatory:
⑊ CBEST Intelligence Led Testing – Bank of England
⑊ Threat Intelligence-Based Ethical Red Teaming – TIBER-EU
⑊ Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore)
⑊ intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority)
⑊ G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT)
⑊ A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association)
17. [Slide graphic: the MITRE ATT&CK Enterprise Matrix, techniques listed under the tactic columns Initial Access, Execution, Persistence, Privilege Escalation, Defensive Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact]
MITRE has developed the ATT&CK Matrix as a central repository for adversary TTPs. It is used by both red and blue teams. It is rapidly gaining
18. FRAMEWORK
Most organizations will take a hybrid approach based on the frameworks and methodologies just introduced
⑊ Threat Intelligence
⑊ Planning
⑊ Testing
⑊ Closure
21. PLANNING
TRUSTED AGENTS
White Team or White Cell
o Limited number of people with knowledge of the exercise
o When players find out about exercise their behavior changes
o Individuals whose daily roles and responsibilities put them in a position to contribute to reducing the risk of causing unintended impact to production systems and/or inaccurate senior or external escalation
RULES OF ENGAGEMENT
Establish the responsibility, relationship, and guidelines between Trusted Agents and Players
o Rules for Blue Team
  o Carry out all activity as any other incident
  o Trusted Agents will report what incidents are being investigated
  o Do not report exercise related items to regulators
o Rules for Red Team
  o Do not bring down any business process or operation
  o Communicate all actions during daily brief
ATTACK INFRASTRUCTURE
Red Team is responsible for setting up infrastructure to emulate TTPs
o Choose and procure external hosting service providers
o Purchase domain names
o Generate domain certificates
o Setup mail servers
o Setup phishing and credential theft sites
o Confirm reputation and categorization of all domain and IPs
o Setup Short and Long Haul C2 infrastructure
o Configure custom C2 tooling
o Test external C2 communication
22. Matrix of command and control frameworks for Red Teamers
⑊ Google doc of most C2 frameworks: www.thec2matrix.com
⑊ Documents various capabilities of each framework
⑊ There is no right or wrong, better or worse framework
⑊ Find ideal C2 for your current objective
⑊ Wizard like UI to select which one: ask.thec2matrix.com
⑊ How-To Site for using C2s: howto.thec2matrix.com
⑊ SANS Slingshot C2 Matrix Edition
25. The Unified Kill Chain – Paul Pols
Initial Foothold (Compromised System):
⑊ Reconnaissance
⑊ Weaponization
⑊ Delivery
⑊ Social engineering
⑊ Exploitation
⑊ Persistence
⑊ Defense evasion
⑊ Command & Control
PIVOTING
Network Propagation (Internal Network):
⑊ Discovery
⑊ Privilege escalation
⑊ Execution
⑊ Credential access
⑊ Lateral movement
ACCESS
Action on Objectives (Critical Asset Access):
⑊ Collection
⑊ Exfiltration
⑊ Target manipulation
⑊ Objectives
The Unified Kill Chain is a good answer to some of the Cyber Kill Chain limitations!
26. CLOSURE
⑊ What TTPs were prevented? Why? Document these too!
⑊ What was detected? How long did it take?
- Time to contain
- Time to eradicate
⑊ Were processes followed?
- Process and time to escalate events into an incident
- Process to engage hunt team
- Process to coordinate communications & alert leadership
- Process to correlate all events and realize sophisticated, targeted attack
Escaping the restricted shell.
The restricted shell was written in Ruby and exposed some proprietary commands. Bypassctl was one that sent its arguments to a shell.
1. Create a file in the tmp directory
2. Make the file we created editable and executable
3. Echo our "usermod" command into our executable shell script, which would give the current user root privileges
4. The "id" command shows we are a regular user
5. The "sudo -l" command shows we can run "tcpdump" as root with "sudo" privileges
6. Run the "tcpdump" command calling our shell script:
   - "-i eth0" binds our packet capture to the ethernet interface
   - "-G 1" rotates the dump files every one second
   - "-w /tmp/lepwn.pcap" writes the command output to a file, which is needed for the "-z" option
   - "-z /tmp/lepwn" runs the shell script lepwn (/usr/sbin/usermod -g adm currentuser)
   The "usermod" command adds the user running the restricted shell to the "adm" group, giving it root privileges
7. Running "sudo -l" again shows we can now run ALL commands as root without a required password
8. Root privileges are confirmed when we can view the contents of the shadow file
Vulnerable Ruby Code:
The restricted shell was written in Ruby and didn't properly sanitize command line arguments. A few proprietary Linux commands were executed in the Ruby script using "Open3.popen3", which spawns external operating system commands. The ability to join command arguments and include command line operators (e.g. ; and &&) enabled us to supply a second command to be executed from within the restricted shell.
Developer comments:
You find lots of great developer comments when reviewing their code! Reference the Jurassic Park quote...
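The pattern described in the notes, and the fix a code reviewer would ask for, as an added example that is not the vendor's restricted shell nor the presenter's code. The allowlist `ALLOWED_COMMANDS`, the argument rule `ARG_PATTERN`, and the functions `unsafe_command_line`, `safe_argv` and `run_restricted` are all hypothetical names constructed for this illustration. The unsafe variant only builds the string it would have handed to a shell, so the reader can see where `;` or `&&` would split it; the hardened variant validates each argument and passes an argv array to Open3, which execs the program directly without any shell parsing.

```ruby
require 'open3'

# Constructed allowlist for the example: the command name a user may type,
# mapped to the fixed argv prefix that actually runs. Absolute paths avoid
# PATH lookups; the prefix, not the user, decides which options are set.
ALLOWED_COMMANDS = {
  'echo' => ['/bin/echo'],
  'ping' => ['/bin/ping', '-c', '1']
}.freeze

# Every user-supplied argument must match this: hostnames, IPs, plain words.
# No whitespace, no shell metacharacters, and no leading "-" so a user cannot
# smuggle extra options into the allowlisted program.
ARG_PATTERN = /\A[A-Za-z0-9][A-Za-z0-9._:-]*\z/

class RejectedArgument < StandardError; end

# UNSAFE pattern from the notes above (returns the line instead of running it).
# Arguments are concatenated into one string; given to Open3 as a single string,
# that line is parsed by /bin/sh, so ";" or "&&" inside it starts a second command.
def unsafe_command_line(cmd, args)
  "#{ALLOWED_COMMANDS.fetch(cmd).join(' ')} #{args.join(' ')}"
end

# HARDENED: reject unknown commands, validate every argument, then build an
# argv array. Each element reaches the program as one literal argument.
def safe_argv(cmd, args)
  prefix = ALLOWED_COMMANDS.fetch(cmd) { raise RejectedArgument, "unknown command #{cmd}" }
  args.each do |a|
    raise RejectedArgument, "bad argument #{a.inspect}" unless a.match?(ARG_PATTERN)
  end
  prefix + args
end

# Splatting the array into capture3 execs the program directly (no shell).
def run_restricted(cmd, args)
  argv = safe_argv(cmd, args)
  out, _err, _status = Open3.capture3(*argv)
  out
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_command_line('echo', ['hi;', 'id'])  # the line /bin/sh would split in two
  puts run_restricted('echo', ['hi', 'there'])
  begin
    run_restricted('echo', ['hi;', 'id'])
  rescue RejectedArgument => e
    puts "rejected: #{e.message}"
  end
end
```

The argv form is the actual fix: with it, a `;` would simply be passed to `/bin/echo` as text. The pattern check is defense in depth, and it also closes the option-injection hole that the argv form alone leaves open (a user supplying `-f` to ping, for instance). The same review applies to any `sudo` rule a restricted shell relies on: a program that can write files or execute helpers as root, like the `tcpdump -z` case in the notes, undoes the shell's restrictions regardless of how carefully the shell itself parses input.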