WHOAMI
Halil Dalabasmaz
Red Team Leader
Developer of Phant0m, wildPWN, SpookFlare
C|EH, OSCP, OSWP, OSCE, eWPT, eWPTX
artofpwn.com
twitter: @hlldz | github: @hlldz
EDR
• Endpoint Detection and Response
• These solutions are designed to continuously monitor and respond to threats. They do this
by installing agents or sensors on the endpoints, which collect and send behavioral
data to a central database for analysis.
HOW DOES IT WORK?
WHY EDR?
• Failure of EPPs
• Real Time System Watching & Visibility
• Memory and Behavioral Analysis
• Anomaly Detection
• Empower DFIR Processes
• VirusTotal Integration
REAL LIFE - I
REAL LIFE - II
https://redcanary.com/blog/5-common-endpoint-detection-and-response-mistakes/
Next Generation War
EDR vs RED TEAM
Halil Dalabasmaz
VISIBILITY OF A WINDOWS PROCESS
RED TEAM CASE STUDY - I
powershell -nop -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBpAG8ATgBKLnfAaQBu
PROCESS ARGUMENT SPOOFING
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE           Reserved1[16];
    PVOID          Reserved2[10];
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
PROCESS ARGUMENT SPOOFING
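A defender-side check for the technique above, added here and not part of the slides: Sysmon records the PEB command line at process creation (Event ID 1), and Win32_Process reads the same RTL_USER_PROCESS_PARAMETERS.CommandLine from the live process, so a command line rewritten after creation shows up as a mismatch between the two. It assumes Sysmon with process-creation logging is installed and the shell can read its operational log.

```powershell
# Added example, not code from the slides. Assumes Sysmon Event ID 1 logging is enabled
# and that the caller can read Microsoft-Windows-Sysmon/Operational.

function Get-SysmonCreationCommandLines {
    param([int]$MaxEvents = 2000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    $map = @{}
    # Get-WinEvent returns newest first, so the first hit per PID is the most recent
    # creation event; older events for a reused PID are ignored.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $procId = [int]$data['ProcessId']
            if (-not $map.ContainsKey($procId)) { $map[$procId] = [string]$data['CommandLine'] }
        }
    return $map
}

function Find-CommandLineMismatches {
    $logged = Get-SysmonCreationCommandLines
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $procId = [int]$_.ProcessId   # cast so the hashtable key types match
        if ($logged.ContainsKey($procId) -and $_.CommandLine) {
            $atCreation = $logged[$procId].Trim()
            $now        = $_.CommandLine.Trim()
            if ($atCreation -ne $now) {
                [pscustomobject]@{
                    ProcessId  = $procId
                    Image      = $_.ExecutablePath
                    AtCreation = $atCreation
                    LiveNow    = $now
                }
            }
        }
    }
}

Find-CommandLineMismatches | Format-List
```

A mismatch is a lead rather than proof: PID reuse across a long log window can also produce one, so confirm against the process creation time before acting on it.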
RED TEAM CASE STUDY - II
WINDOWS OS BOOT SEQUENCE
PARENT PROCESS SPOOFING
BOOL CreateProcessA(
    LPCSTR                lpApplicationName,
    LPSTR                 lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCSTR                lpCurrentDirectory,
    LPSTARTUPINFOA        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
);
PARENT PROCESS SPOOFING
typedef struct _STARTUPINFOEXA {
    STARTUPINFOA                 StartupInfo;
    LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
} STARTUPINFOEXA, *LPSTARTUPINFOEXA;
DO IT THE HARD WAY
• ver
• systeminfo
• tasklist
• tasklist /M
• tasklist /V
• net accounts
• net user
• net user Administrator
• net localgroup
• net localgroup Administrators
• net accounts /domain
• net group /domain
• net group "Domain Computers" /domain
• net group "Domain Controllers" /domain
• net group "Domain Admins" /domain
• net group "Domain Policy Creator Owners" /domain
• ipconfig
• ipconfig /all
• whoami
• whoami /priv
DO IT THE HARD WAY
• Netapi32.lib
• Netapi32.dll
• NetUserEnum()
• NetUserGetInfo()
• NetUserGetLocalGroups()
• DsGetDcName()
• Advapi32.lib
• Advapi32.dll
• RegGetValueA()
• Activeds.lib
• Activeds.dll
• ADsOpenObject()
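A detection that covers both "do it the hard way" slides, added here and not part of the deck: the command-line recon on the first slide spawns a child process per command, so a burst of net, whoami, tasklist, systeminfo and ipconfig launches under one parent in Sysmon Event ID 1 is a usable signal, while the same recon done through the Netapi32/Advapi32/Activeds APIs on the second slide creates none of these processes and is exactly why this is one signal among several. It assumes Sysmon process-creation logging is enabled; the threshold and window are assumed starting values.

```powershell
# Added example, not code from the slides. Assumes Sysmon Event ID 1 logging is enabled.
$DiscoveryImages = @('net.exe', 'net1.exe', 'whoami.exe', 'tasklist.exe',
                     'systeminfo.exe', 'ipconfig.exe')   # "ver" is a cmd builtin, no process

function Get-DiscoveryProcessEvents {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $image = [System.IO.Path]::GetFileName([string]$data['Image']).ToLowerInvariant()
            if ($DiscoveryImages -contains $image) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    ParentId    = [string]$data['ParentProcessId']
                    ParentImage = [string]$data['ParentImage']
                    CommandLine = [string]$data['CommandLine']
                }
            }
        }
}

function Find-DiscoveryBursts {
    param([int]$Threshold = 5, [int]$WindowMinutes = 5)
    Get-DiscoveryProcessEvents | Group-Object -Property ParentId | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        # Slide a window of $Threshold events over this parent's timeline and report
        # the first span that fits inside $WindowMinutes.
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $Threshold - 1].Time - $sorted[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    ParentProcessId = $_.Name
                    ParentImage     = $sorted[$i].ParentImage
                    Count           = $sorted.Count
                    FirstSeen       = $sorted[$i].Time
                    Commands        = ($sorted.CommandLine | Select-Object -Unique) -join ' | '
                }
                break
            }
        }
    }
}

Find-DiscoveryBursts | Format-List
```

Help-desk scripts and inventory agents run the same commands legitimately, so baseline the parent images that trigger this before turning it into an alert.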
MEMORY EVASION
• Obfuscation, Beacon Style
• Gargoyle, https://www.youtube.com/watch?v=B8lIV_Rk5Cg