Executing adversary simulations in properly monitored environments allows defenders to test and enhance their detection capabilities. Unfortunately, red and purple team engagements cannot be executed as often as defenders would like. This talk describes the benefits of blue-team-led simulations by dissecting common red team techniques, shows how they can be detected, and releases a new tool to simulate them.
4. Adversary simulation / Purple Team
Goal: Identify gaps in visibility & detection capabilities
✘Collaborative exercise / knowledge transfer
✘Allows blue to identify and understand TTPs
✘Allows red to identify evasion paths
6. Simulation Scenarios
Simulating the same TTP under different scenarios will test detection resilience
✘Example: Kerberoasting
Simulation 1: Invoke-Kerberoast -Domain domain.com
Simulation 2: GetUserSPNs.py -dc-ip X.X.X.X domain.com/user
vs
Simulation 3: PowerView / SharpView recon to identify target
Rubeus.exe kerberoast /user:secureservice
7. Password Spraying
✘Iterate through a list of users with a commonly used password (Winter2019)
✘Used to obtain initial access / situational awareness / privilege escalation
✘ https://attack.mitre.org/techniques/T1110/
8. Password Spray Purple Team #1
✘ Scenario:
Adversary has physical access and connects a rogue device to the network
Tools: ldapsearch, medusa.
✘ Validate one password on all domain users against a Domain Controller (NTLM)
# enumerate computer accounts to find the DC to target (XX is the slide's placeholder for the userAccountControl bit filter)
ldapsearch -x -h host -b "dc=d,dc=com" -D "u" -W -s sub '(&(objectCategory=Computer)(userAccountControl:XX))'
# enumerate all domain users into the spray list
ldapsearch -x -h host -b "dc=d,dc=com" -D "u" -W -s sub '(objectClass=user)' | grep sAMAccountName
# one password against every user, NTLM over SMB, directly at the DC
medusa -U users.txt -p Winter2019 -M smbnt -h [Dc_ip] -m GROUP:DOMAIN
✘ Assessment:
Domain controller properly logging failed account logon events (4625).
✘ Detection
Event=4625 AND LogonType=3 group by (Client Address) where unique(Account_Name) > [Threshold]
9. Password Spray Purple Team #2
✘Scenario
Adversary controls a compromised host in the environment
Tools: cmd.exe and PowerShell
✘ Validate one password on 50 domain users against a domain computer (Kerberos)
net user /domain
net group “Domain Computers” /domain
Invoke-SMBLogin -Username users.txt -Computer Server01 -Password Winter2019
✘ Assessment
Domain controllers not logging Kerberos events (the KDC is where a Kerberos spray fails, so nothing is recorded on the targeted computer).
Enable failure auditing for "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" on the domain controllers.
10. Password Spray Purple Team #3
✘ Scenario
Adversary controls a compromised host in the environment
Tools: cmd.exe & PowerShell
✘ Validate one password on 20 domain users against 20 domain computers (NTLM), sleeping 5 seconds between authentication attempts
net user /domain
net group “Domain Computers” /domain
Invoke-SMBLogin -Username users.txt -Computer hosts.txt -Password Winter2019 -Sleep 5
✘ Assessment:
Domain member endpoint events are not centralized, so each computer sees a single failed logon and no one sees the pattern.
The existing detection analytic does not account for a sleep between attempts.
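As an added example (not code from the talk or from the PurpleSpray tool), the slide-8 analytic run in Python over constructed Windows Security events, next to a sliding-window variant that still fires on the slowed-down, spread-out spray of this slide. The event shapes follow the Windows Security log (4625 LogonType 3, and 4771 Status 0x18 once the slide-9 Kerberos auditing is on); every host, address, account and timestamp is made up.

```python
"""Added example, not from the talk or the PurpleSpray tool.

Runs the slide-8 analytic (4625, LogonType 3, group by client address,
alert when distinct accounts exceed a threshold) over constructed Security
events and contrasts it with a sliding-window version that still fires when
the attacker sleeps between attempts and spreads them across many member
hosts. Field names follow the Windows Security log; every host, address,
account and timestamp below is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_EPOCH = datetime(1970, 1, 1)
_T0 = datetime(2019, 12, 2, 9, 0, 0)
_ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]


def _t(seconds):
    return _T0 + timedelta(seconds=seconds)


RAW_EVENTS = []
# Kerberos spray (slide 9 shape): pre-authentication fails at the KDC, so the
# DC logs 4771 with Status 0x18 (bad password) and records the IPv4 client in
# the ::ffff:a.b.c.d form. Eight accounts in eight seconds from one source.
for i, acct in enumerate(_ACCOUNTS):
    RAW_EVENTS.append({"EventID": 4771, "TimeCreated": _t(i), "Computer": "DC01",
                       "Status": "0x18", "TargetUserName": acct,
                       "IpAddress": "::ffff:10.0.0.50"})
# NTLM spray with a sleep (slide 10 shape): the same eight accounts, one
# attempt every 30 s, each against a different workstation, so every
# workstation logs exactly one 4625 (LogonType 3) and only a central
# collector can see the pattern.
for i, acct in enumerate(_ACCOUNTS):
    RAW_EVENTS.append({"EventID": 4625, "TimeCreated": _t(100 + 30 * i),
                       "Computer": f"WS{i + 1:02d}", "LogonType": 3,
                       "TargetUserName": acct, "IpAddress": "10.0.0.77"})
# Benign noise: one user mistypes a password twice on a file server.
for s in (5, 9):
    RAW_EVENTS.append({"EventID": 4625, "TimeCreated": _t(s), "Computer": "FS01",
                       "LogonType": 3, "TargetUserName": "Ivan",
                       "IpAddress": "10.0.0.9"})


def _is_failed_password(e):
    """4625/LogonType 3 = failed network logon; 4771/0x18 = Kerberos bad password."""
    return ((e["EventID"] == 4625 and e.get("LogonType") == 3)
            or (e["EventID"] == 4771 and e.get("Status") == "0x18"))


def normalize(raw):
    """Reduce both event types to sorted (time, source_ip, account) tuples."""
    out = []
    for e in raw:
        if not _is_failed_password(e):
            continue
        ip = e["IpAddress"]
        if ip.startswith("::ffff:"):          # IPv4-mapped address as written in 4771
            ip = ip[len("::ffff:"):]
        out.append((e["TimeCreated"], ip, e["TargetUserName"].lower()))
    return sorted(out)


def fixed_bucket_alerts(events, bucket_seconds=60, threshold=5):
    """Slide 8 as a scheduled search: distinct accounts per source inside each
    fixed bucket. A 30 s sleep keeps every bucket at two accounts or fewer."""
    buckets = defaultdict(set)
    for ts, ip, acct in events:
        bucket = int((ts - _EPOCH).total_seconds()) // bucket_seconds
        buckets[(ip, bucket)].add(acct)
    return sorted({ip for (ip, _), accts in buckets.items() if len(accts) > threshold})


def sliding_window_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Per source, flag more than `threshold` distinct accounts failing inside
    any window of length `window`, regardless of which host logged them."""
    by_ip = defaultdict(list)
    for ts, ip, acct in events:
        by_ip[ip].append((ts, acct))
    alerts = []
    for ip, items in by_ip.items():
        items.sort()
        in_window = defaultdict(int)          # account -> attempts inside the window
        left = 0
        for ts, acct in items:
            in_window[acct] += 1
            while ts - items[left][0] > window:   # expire attempts older than the window
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > threshold:
                alerts.append(ip)
                break
    return sorted(alerts)


if __name__ == "__main__":
    ev = normalize(RAW_EVENTS)
    print("fixed 60 s buckets :", fixed_bucket_alerts(ev))      # only the fast spray
    print("sliding 10 min     :", sliding_window_alerts(ev))    # both sprays
```

The fixed-bucket search is the common way slide 8's query ends up deployed (a scheduled SIEM search over a short lookback), which is exactly what a sleep defeats; the sliding window only needs the attacker to stay below the threshold across the whole window. Both functions key on the client address and ignore which computer logged the event, which only works once member-host 4625s are forwarded to a central collector. On real 4625 events also check SubStatus: 0xC000006A is a wrong password, 0xC0000064 an unknown account, and a spray from a stale user list produces a mix of both.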
11. Password Spray Purple Team #n
#4: Iteration of #1 (target a DC)
    wait 30 seconds between each authentication attempt
    use local accounts
    target remote DCs (random)
#5: Iteration of #2 (target a domain computer)
    use NTLM
    use local accounts
    target random computers
#6:
#7:
........................
13. PurpleSpray
✘ Executes password spray behavior under different scenarios and conditions within a Windows enterprise environment
✘ Helps identify gaps in visibility as well as test, improve and build new detection analytics for spraying attacks
✘ Version 1: two modules, targeting SMB
14. PurpleSpray Supported Scenarios
✘ Simulate a rogue device or a compromised host
✘ Target random users (badPwdCount <= 3)
✘ Target different roles and random hosts (lastLogon <= 1 day)
✘ Spraying domain or local accounts
✘ Using Kerberos or NTLM
✘ Sleep between authentication attempts
✘ Think of more? -> @mvelazco
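As an added example (not PurpleSpray's own code), the two target-selection rules above applied in Python to constructed directory records: users whose badPwdCount is at most 3, hosts whose lastLogon is within the last day. The attribute names (sAMAccountName, badPwdCount, dNSHostName, lastLogon) are the real Active Directory ones and lastLogon is decoded from its real FILETIME encoding; the accounts, hosts and times are made up.

```python
"""Added example, not from PurpleSpray: choose spray targets by the slide-14
rules from constructed directory records. Attribute names are the real
Active Directory ones; the accounts, hosts and times are made up."""
import random
from datetime import datetime, timedelta, timezone

# AD stores lastLogon as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# A value of 0 means the account has never logged on.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    if ticks == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    # integer arithmetic: the tick count exceeds float precision
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


NOW = datetime(2019, 12, 2, 9, 0, tzinfo=timezone.utc)   # constructed "current time"

USERS = [  # constructed; badPwdCount as it would be read from the PDC emulator
    {"sAMAccountName": "alice", "badPwdCount": 0},
    {"sAMAccountName": "bob", "badPwdCount": 1},
    {"sAMAccountName": "carol", "badPwdCount": 3},
    {"sAMAccountName": "dave", "badPwdCount": 4},
    {"sAMAccountName": "erin", "badPwdCount": 5},
]
COMPUTERS = [  # constructed
    {"dNSHostName": "WS01.corp.example", "lastLogon": datetime_to_filetime(NOW - timedelta(hours=2))},
    {"dNSHostName": "WS02.corp.example", "lastLogon": datetime_to_filetime(NOW - timedelta(days=3))},
    {"dNSHostName": "WS03.corp.example", "lastLogon": datetime_to_filetime(NOW - timedelta(hours=20))},
    {"dNSHostName": "SRV01.corp.example", "lastLogon": 0},   # never logged on
]


def select_users(users, max_bad_pwd_count=3, count=None, rng=random):
    """Users with badPwdCount <= max_bad_pwd_count, optionally a random subset.

    badPwdCount is not replicated: every DC keeps its own and the PDC emulator
    holds the one that drives lockout, so read it there. Keep the cap at least
    two below lockoutThreshold so the spray's own failure cannot lock anyone out.
    """
    eligible = sorted(u["sAMAccountName"] for u in users
                      if u["badPwdCount"] <= max_bad_pwd_count)
    if count is None or count >= len(eligible):
        return eligible
    return sorted(rng.sample(eligible, count))


def select_hosts(computers, now=NOW, max_age=timedelta(days=1), count=None, rng=random):
    """Hosts whose lastLogon is within max_age, i.e. probably online.

    lastLogon is also per-DC; the replicated lastLogonTimestamp is only
    accurate to about 14 days, so it cannot express a one-day rule.
    """
    eligible = []
    for c in computers:
        seen = filetime_to_datetime(c["lastLogon"])
        if seen is not None and now - seen <= max_age:
            eligible.append(c["dNSHostName"])
    eligible.sort()
    if count is None or count >= len(eligible):
        return eligible
    return sorted(rng.sample(eligible, count))


if __name__ == "__main__":
    print("users:", select_users(USERS))        # alice, bob, carol
    print("hosts:", select_hosts(COMPUTERS))    # WS01, WS03
```

Pass `rng=random.Random(seed)` when a run has to be reproducible so the same simulated spray can be replayed after a detection change.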