SlideShare a Scribd company logo

Ready player 2 Multiplayer Red Teaming Against macOS

C
Cody Thomas

BSides Seattle 2019 talk about operating against macOS devices with a new open source tool called Apfell

Software
1 of 45
Download to read offline
READY PLAYER 2 MULTIPLAYER RED TEAMING AGAINST MACOS BSIDES SEATTLE 2019
CODY THOMAS • Senior Operator at SpecterOps • Previously: • Adversary Emulation Engineer at MITRE • Mac/Linux ATT&CK • APT3 Emulation Plan • Twitter: @its_a_feature_ • GitHub: github.com/its-a-feature/ 2
MACOS OPERATIONS What’s the current landscape? 3
CURRENT MACOS OPERATIONS Malware seen in the wild: • WindTail • Signed macOS application • FairyTale: • Signed macOS application • Calisto • Unsigned macOS application • AppleJeus • Signed macOS application • EvilEgg and LamePyre • Utilize EggShell and Empire Red Teaming FOSS Frameworks: • Empire • Python-based agent • Single User Terminal Application • RESTful Interface • EggShell • Python-based agent • Single User Terminal Application • Evil OSX • Python-based agent • Some GUI components 4 https://objective-see.com/downloads/MacMalware_2018.pdf https://github.com/EmpireProject/Empire https://github.com/neoneggplant/EggShell https://github.com/Marten4n6/EvilOSX
OPERATIONAL PROBLEMS ● Want to emulate adversaries, but: ○ Current FOSS capabilities don’t match up ○ More easily caught as “Red Team” ○ Signing macOS applications is not easy ● Want to operate in a team, but: ○ Need proper collaboration and sharing ○ Screen sharing isn’t scalable 5
BRIDGING THE GAP How can we get operations closer to the real thing? 6
JAVASCRIPT FOR AUTOMATION (JXA) ● Scriptable execution: ○ Most of the lower-level Objective C APIs exposed in a JS way ○ Kind of like if PowerShell stopped at version 1 or 2 ● According to Apple: “In OS X 10.10, JavaScript became a peer to AppleScript in OS X.” ● Still isn’t a signed macOS Application though ○ Hard to emulate as a consultant across multiple customers ● Very limited threading capabilities 7https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
● Does osascript normally run? ○ AppleScript has been around since 1993 ○ Mainly used by Admins and power users ● How does JXA perform actions? ○ Apple Events for IPC (causes popups in 10.14) ○ Objective C API calls ● Signing? ○ Not a problem – Live off the land ○ osascript is an Apple signed binary ○ Can execute entirely in memory 8 DEFENSIVE CONSIDERATIONS
NOW IT’S TIME TO OP You’ve been tasked to operate against macOS, now what? 9
10 INTRODUCING It’s not a bug, it’s a feature
WHAT IS APFELL? ● Collaborative, post-exploitation framework with a web front-end ● Apfell server runs on MacOS/Linux (needs python3.6+) ● Apfell agents can be any operating system ○ JXA payload for macOS ○ @xorrior already released a Chrome extension payload ○ Payloads can be scripted or dynamically compiled ● Any number of c2 profiles running at a time 11
DEMO TIME! Let’s operate 12 Demo videos: ● https://youtu.be/9yjNzYtOyHE ● https://youtu.be/FJf9oQkBG0g ● https://youtu.be/_V7PrbDHfY8 ● https://youtu.be/Hgn-RUa9feo ● https://youtu.be/4mABpw20KMQ ● https://youtu.be/KypCqWSQGwE
A FRAMEWORK SHOULD BE: 1. Informative • Track data, environment, operation, OPSEC concerns • Easy to understand user interface • Purple in nature - helping both Red and Blue teams 2. Collaborative • Every operator has their own customized front-end • Can share detailed information easily and quickly 3. Extensible • Easily add/share commands, C2 profiles, payloads • Support multiple operating systems • You shouldn’t have to re-roll a UI for every new payload 13
INFORMATIVE: FOR RED TEAMERS ● Operators ● Commands ○ OPSEC (Artifacts, Transforms) ● Payload Types ○ Creation, loading modules, execution help ● Operational Data Model ○ Let’s use all the data we collect/generate in operations ● Task-Response grouping ○ not just data-dump console ● Searching tasks and responses across an operation 14
INFORMATIVE: FOR BLUE TEAMERS ● Commands mapped to MITRE ATT&CK ○ Regex matching for more granularity ○ Exports to ATT&CK Navigator ○ Auto populates based on the command ● Host/Network artifact tracking per task ○ Helpful for deconfliction and reporting ○ Auto populated while operating ○ Agents can report updates or new artifacts ○ Soon include exportability of artifacts to Splunk/SIEMs 15
COLLABORATIVE ● Web-based GUI ○ No client dependencies besides a modern browser ○ Each operator has their own profile and login ● Users assigned to operations ○ Multiple operations ongoing concurrently ○ Individual tasks sharable amongst team members ● Operators can comment on tasks ○ Seen by all members in that operation 16
EXTENSIBLE ● You can create/add any number of payload types across all OSes ○ JXA, Python, C#, Go, etc ○ Can be scripts or compiled ● You can create/add any number of commands for a payload ○ Command templating ● You can create/add/run any number of C2 profiles at a time ○ They run as sub-processes ○ Only bound ports need to be unique 17
18 APFELL Enough words, let’s see Apfell
PAYLOAD TYPES • Add / Edit Payload types • Can be wrappers for full payloads • Macro • MSBuild • DyLib 19
COMMANDS • View Code • Provide operator help • Edit code • Add/edit/remove parameters 20
COMMAND TRANSFORMS / ATT&CK / ARTIFACTS • Transform commands • Provide ATT&CK Mappings • Indicate host/network artifacts 21
COMMAND AND CONTROL PROFILES 22
C2 PROFILE PARAMETERS • Specify parameters that will be stamped into an agent during creation • “key” value is stamped out with user’s value in agent code 23
PAYLOAD CREATION - UI • Pick C2 profile, payload type, and initial commands • Stamp all pieces together 24
PAYLOAD CONFIGURATION • All payloads registered in the database • See configuration and comparison to server state at any time 25
CALLBACK VIEW • Familiar table of callbacks like most tools • Detailed task data grouped by task (not time) • Add/track optional comments per task 26
SHARING SINGULAR TASKS • Click task number on almost any page to view JUST that one task and its output • Easy to share URL amongst team members: /tasks/task# • Only viewable by users assigned to that operation 27
TASK VIEW • View all tasks at once across all callbacks • Click to expand and see output 28
SEARCH VIEW • Search all task output or task parameters for key words/phrases • Searches across all callbacks in an operation • Faster and more targeted than just 29
ATT&CK × Transform commands × Provide ATT&CK Mappings × Indicate host/network artifacts 30
APPLY ATT&CK WITH REGEX • Match all tasks where the parameters fit regex: .*id • Check matches and their current ATT&CK mappings 31
BASIC ARTIFACT TRACKING • Define formats for artifacts based on commands and command parameters 32
COMMAND TRANSFORMS • Toggle transforms on/off locally • Can optionally persist settings globally for all operators • Test outputs of each transform: 33
UPLOADING / DOWNLOAD 34 • View all uploads/downloads and file paths across an operation • Real-time updates for in-progress downloads
SCREEN CAPTURES 35 • View screen captures by callback or across an entire operation
COMMAND COMPLETION 36 • Auto populate available commands based on the associated payload type for the callback • Can use L/R arrow keys to cycle through choices
COMMAND PARAMETERS 37 • If a command has registered parameters and you don’t type any on the command line • Pop-up dialog to fill in parameters
APFELL AGENTS What does an agent look like? 38
PAYLOAD DESIGN CONSIDERATIONS 39 ● Modular ○ All commands are stand-alone ○ Main payload is just management engine ○ C2 is abstracted away ■ Creates plug-and-play C2 functionality ○ Stamp in commands at creation ■ And load more in later ● Inspiration ○ Malware samples: PlugX, Flame, CozyDuke, etc
PAYLOAD DESIGN CONSIDERATIONS 40 ● OS Agnostic ○ Apfell is a framework for collaborative operations ○ Payloads can be created for any OS – scripted or compiled ● OPSEC aware ○ Ideally agents track their footprint on host and report back ○ Artifact tracking with real-time data in responses
GOING FORWARD What’s next for Apfell? 41
FUTURE UPDATES – SHORT TERM ● More encryption ○ Currently just HTTPS ● More payload types across multiple operating systems ○ Python, Mach-O, C#, ELF, Go ● More built-in commands ○ Keylogging, Process Injection, Proxy Pivots 42
FUTURE UPDATES – MEDIUM TERM ● More customizable C2 profiles included by default ○ Control GET/POST requests ● More C2 profiles that don’t require external comms ○ SMB, SSH ● More Artifact Tracking / Defensive Guidance ○ Better tracking of operational artifacts ○ Inclusion of defensive measures for commands 43
FUTURE UPDATES – LONG TERM ● Create scriptable Python API for greater control ○ Registerable within the UI – no need for RESTful scripting ● Server speed improvements ○ Automated builds ● More UI Upgrades ○ Attackers think in graphs, not lists ● Community driven updates ○ Please contribute! ☺ 44
45 THANKS!Any questions? • Twitter: @its_a_feature_ • GitHub: github.com/its-a-feature/ • https://its-a-feature.github.io • Blog series on creating Apfell • macOS AD discovery (Orchard) It’s not a bug, it’s a feature

Recommended

Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 

Recommended

Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSCody Thomas
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
The Indicators of Compromise
The Indicators of CompromiseThe Indicators of Compromise
The Indicators of CompromiseTomasz Jakubowski
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Free the Functions with Fn project!
Free the Functions with Fn project!Free the Functions with Fn project!
Free the Functions with Fn project!J On The Beach
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Stanislav Pogrebnyak
 

More Related Content

What's hot

Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSCody Thomas
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
The Indicators of Compromise
The Indicators of CompromiseThe Indicators of Compromise
The Indicators of CompromiseTomasz Jakubowski
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 

What's hot (20)

Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
The Indicators of Compromise
The Indicators of CompromiseThe Indicators of Compromise
The Indicators of Compromise
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 

Similar to Ready player 2 Multiplayer Red Teaming Against macOS

Free the Functions with Fn project!
Free the Functions with Fn project!Free the Functions with Fn project!
Free the Functions with Fn project!J On The Beach
 
Meetup 2020 - Back to the Basics part 101 : IaC
Meetup 2020 - Back to the Basics part 101 : IaCMeetup 2020 - Back to the Basics part 101 : IaC
Meetup 2020 - Back to the Basics part 101 : IaCDamienCarpy
 
introduction to micro services
introduction to micro servicesintroduction to micro services
introduction to micro servicesSpyros Lambrinidis
 
Apache Airflow in the Cloud: Programmatically orchestrating workloads with Py...
Apache Airflow in the Cloud: Programmatically orchestrating workloads with Py...Apache Airflow in the Cloud: Programmatically orchestrating workloads with Py...
Apache Airflow in the Cloud: Programmatically orchestrating workloads with Py...Kaxil Naik
 
Docker in production service discovery with consul - road to opscon 2015
Docker in production service discovery with consul - road to opscon 2015Docker in production service discovery with consul - road to opscon 2015
Docker in production service discovery with consul - road to opscon 2015Giovanni Toraldo
 
Rhel8 Beta - Halifax RHUG
Rhel8 Beta - Halifax RHUGRhel8 Beta - Halifax RHUG
Rhel8 Beta - Halifax RHUGNicole Maselli
 
OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...NETWAYS
 
Angular2 - A story from the trenches
Angular2 - A story from the trenchesAngular2 - A story from the trenches
Angular2 - A story from the trenchesJohannes Rudolph
 
Azure functions: from a function to a whole application in 60 minutes
Azure functions: from a function to a whole application in 60 minutesAzure functions: from a function to a whole application in 60 minutes
Azure functions: from a function to a whole application in 60 minutesAlessandro Melchiori
 
Electron JS | Build cross-platform desktop applications with web technologies
Electron JS | Build cross-platform desktop applications with web technologiesElectron JS | Build cross-platform desktop applications with web technologies
Electron JS | Build cross-platform desktop applications with web technologiesBethmi Gunasekara
 
AWS ElasticBeanstalk and Docker
AWS ElasticBeanstalk and Docker AWS ElasticBeanstalk and Docker
AWS ElasticBeanstalk and Docker kloia
 
OpenDataPlane Testing in Travis
OpenDataPlane Testing in TravisOpenDataPlane Testing in Travis
OpenDataPlane Testing in TravisDmitry Baryshkov
 
LCU14 310- Cisco ODP v2
LCU14 310- Cisco ODP v2LCU14 310- Cisco ODP v2
LCU14 310- Cisco ODP v2Linaro
 
What's New in OpenLDAP
What's New in OpenLDAPWhat's New in OpenLDAP
What's New in OpenLDAPLDAPCon
 
CBDW2014- Intro to CommandBox; The ColdFusion CLI, Package Manager, and REPL ...
CBDW2014- Intro to CommandBox; The ColdFusion CLI, Package Manager, and REPL ...CBDW2014- Intro to CommandBox; The ColdFusion CLI, Package Manager, and REPL ...
CBDW2014- Intro to CommandBox; The ColdFusion CLI, Package Manager, and REPL ...Ortus Solutions, Corp
 
Instant developer onboarding with self contained repositories
Instant developer onboarding with self contained repositoriesInstant developer onboarding with self contained repositories
Instant developer onboarding with self contained repositoriesYshay Yaacobi
 
Kubernetes Forum Seoul 2019: Re-architecting Data Platform with Kubernetes
Kubernetes Forum Seoul 2019: Re-architecting Data Platform with KubernetesKubernetes Forum Seoul 2019: Re-architecting Data Platform with Kubernetes
Kubernetes Forum Seoul 2019: Re-architecting Data Platform with KubernetesSeungYong Oh
 

Similar to Ready player 2 Multiplayer Red Teaming Against macOS (20)

Free the Functions with Fn project!
Free the Functions with Fn project!Free the Functions with Fn project!
Free the Functions with Fn project!
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Meetup 2020 - Back to the Basics part 101 : IaC
Meetup 2020 - Back to the Basics part 101 : IaCMeetup 2020 - Back to the Basics part 101 : IaC
Meetup 2020 - Back to the Basics part 101 : IaC
 
introduction to micro services
introduction to micro servicesintroduction to micro services
introduction to micro services
 
Apache Airflow in the Cloud: Programmatically orchestrating workloads with Py...
Apache Airflow in the Cloud: Programmatically orchestrating workloads with Py...Apache Airflow in the Cloud: Programmatically orchestrating workloads with Py...
Apache Airflow in the Cloud: Programmatically orchestrating workloads with Py...
 
Docker in production service discovery with consul - road to opscon 2015
Docker in production service discovery with consul - road to opscon 2015Docker in production service discovery with consul - road to opscon 2015
Docker in production service discovery with consul - road to opscon 2015
 
Rhel8 Beta - Halifax RHUG
Rhel8 Beta - Halifax RHUGRhel8 Beta - Halifax RHUG
Rhel8 Beta - Halifax RHUG
 
OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...
 
Angular2 - A story from the trenches
Angular2 - A story from the trenchesAngular2 - A story from the trenches
Angular2 - A story from the trenches
 
Azure functions: from a function to a whole application in 60 minutes
Azure functions: from a function to a whole application in 60 minutesAzure functions: from a function to a whole application in 60 minutes
Azure functions: from a function to a whole application in 60 minutes
 
Electron JS | Build cross-platform desktop applications with web technologies
Electron JS | Build cross-platform desktop applications with web technologiesElectron JS | Build cross-platform desktop applications with web technologies
Electron JS | Build cross-platform desktop applications with web technologies
 
AWS ElasticBeanstalk and Docker
AWS ElasticBeanstalk and Docker AWS ElasticBeanstalk and Docker
AWS ElasticBeanstalk and Docker
 
OpenDataPlane Testing in Travis
OpenDataPlane Testing in TravisOpenDataPlane Testing in Travis
OpenDataPlane Testing in Travis
 
LCU14 310- Cisco ODP v2
LCU14 310- Cisco ODP v2LCU14 310- Cisco ODP v2
LCU14 310- Cisco ODP v2
 
What's New in OpenLDAP
What's New in OpenLDAPWhat's New in OpenLDAP
What's New in OpenLDAP
 
Tranquilizer
TranquilizerTranquilizer
Tranquilizer
 
CBDW2014- Intro to CommandBox; The ColdFusion CLI, Package Manager, and REPL ...
CBDW2014- Intro to CommandBox; The ColdFusion CLI, Package Manager, and REPL ...CBDW2014- Intro to CommandBox; The ColdFusion CLI, Package Manager, and REPL ...
CBDW2014- Intro to CommandBox; The ColdFusion CLI, Package Manager, and REPL ...
 
Gitlab ci-cd
Gitlab ci-cdGitlab ci-cd
Gitlab ci-cd
 
Instant developer onboarding with self contained repositories
Instant developer onboarding with self contained repositoriesInstant developer onboarding with self contained repositories
Instant developer onboarding with self contained repositories
 
Kubernetes Forum Seoul 2019: Re-architecting Data Platform with Kubernetes
Kubernetes Forum Seoul 2019: Re-architecting Data Platform with KubernetesKubernetes Forum Seoul 2019: Re-architecting Data Platform with Kubernetes
Kubernetes Forum Seoul 2019: Re-architecting Data Platform with Kubernetes
 

Recently uploaded

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 

Recently uploaded (20)

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 

Ready player 2 Multiplayer Red Teaming Against macOS

  • 1. READY PLAYER 2 MULTIPLAYER RED TEAMING AGAINST MACOS BSIDES SEATTLE 2019
  • 2. CODY THOMAS • Senior Operator at SpecterOps • Previously: • Adversary Emulation Engineer at MITRE • Mac/Linux ATT&CK • APT3 Emulation Plan • Twitter: @its_a_feature_ • GitHub: github.com/its-a-feature/ 2
  • 3. MACOS OPERATIONS What’s the current landscape? 3
  • 4. CURRENT MACOS OPERATIONS Malware seen in the wild: • WindTail • Signed macOS application • FairyTale: • Signed macOS application • Calisto • Unsigned macOS application • AppleJeus • Signed macOS application • EvilEgg and LamePyre • Utilize EggShell and Empire Red Teaming FOSS Frameworks: • Empire • Python-based agent • Single User Terminal Application • RESTful Interface • EggShell • Python-based agent • Single User Terminal Application • Evil OSX • Python-based agent • Some GUI components 4 https://objective-see.com/downloads/MacMalware_2018.pdf https://github.com/EmpireProject/Empire https://github.com/neoneggplant/EggShell https://github.com/Marten4n6/EvilOSX
  • 5. OPERATIONAL PROBLEMS ● Want to emulate adversaries, but: ○ Current FOSS capabilities don’t match up ○ More easily caught as “Red Team” ○ Signing macOS applications is not easy ● Want to operate in a team, but: ○ Need proper collaboration and sharing ○ Screen sharing isn’t scalable 5
  • 6. BRIDGING THE GAP How can we get operations closer to the real thing? 6
  • 7. JAVASCRIPT FOR AUTOMATION (JXA) ● Scriptable execution: ○ Most of the lower-level Objective C APIs exposed in a JS way ○ Kind of like if PowerShell stopped at version 1 or 2 ● According to Apple: “In OS X 10.10, JavaScript became a peer to AppleScript in OS X.” ● Still isn’t a signed macOS Application though ○ Hard to emulate as a consultant across multiple customers ● Very limited threading capabilities 7https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
  • 8. ● Does osascript normally run? ○ AppleScript has been around since 1993 ○ Mainly used by Admins and power users ● How does JXA perform actions? ○ Apple Events for IPC (causes popups in 10.14) ○ Objective C API calls ● Signing? ○ Not a problem – Live off the land ○ osascript is an Apple signed binary ○ Can execute entirely in memory 8 DEFENSIVE CONSIDERATIONS
  • 9. NOW IT’S TIME TO OP You’ve been tasked to operate against macOS, now what? 9
  • 10. 10 INTRODUCING It’s not a bug, it’s a feature
  • 11. WHAT IS APFELL? ● Collaborative, post-exploitation framework with a web front-end ● Apfell server runs on MacOS/Linux (needs python3.6+) ● Apfell agents can be any operating system ○ JXA payload for macOS ○ @xorrior already released a Chrome extension payload ○ Payloads can be scripted or dynamically compiled ● Any number of c2 profiles running at a time 11
  • 12. DEMO TIME! Let’s operate 12 Demo videos: ● https://youtu.be/9yjNzYtOyHE ● https://youtu.be/FJf9oQkBG0g ● https://youtu.be/_V7PrbDHfY8 ● https://youtu.be/Hgn-RUa9feo ● https://youtu.be/4mABpw20KMQ ● https://youtu.be/KypCqWSQGwE
  • 13. A FRAMEWORK SHOULD BE: 1. Informative • Track data, environment, operation, OPSEC concerns • Easy to understand user interface • Purple in nature - helping both Red and Blue teams 2. Collaborative • Every operator has their own customized front-end • Can share detailed information easily and quickly 3. Extensible • Easily add/share commands, C2 profiles, payloads • Support multiple operating systems • You shouldn’t have to re-roll a UI for every new payload 13
  • 14. INFORMATIVE: FOR RED TEAMERS ● Operators ● Commands ○ OPSEC (Artifacts, Transforms) ● Payload Types ○ Creation, loading modules, execution help ● Operational Data Model ○ Let’s use all the data we collect/generate in operations ● Task-Response grouping ○ not just data-dump console ● Searching tasks and responses across an operation 14
  • 15. INFORMATIVE: FOR BLUE TEAMERS ● Commands mapped to MITRE ATT&CK ○ Regex matching for more granularity ○ Exports to ATT&CK Navigator ○ Auto populates based on the command ● Host/Network artifact tracking per task ○ Helpful for deconfliction and reporting ○ Auto populated while operating ○ Agents can report updates or new artifacts ○ Soon include exportability of artifacts to Splunk/SIEMs 15
  • 16. COLLABORATIVE ● Web-based GUI ○ No client dependencies besides a modern browser ○ Each operator has their own profile and login ● Users assigned to operations ○ Multiple operations ongoing concurrently ○ Individual tasks sharable amongst team members ● Operators can comment on tasks ○ Seen by all members in that operation 16
  • 17. EXTENSIBLE ● You can create/add any number of payload types across all OSes ○ JXA, Python, C#, Go, etc ○ Can be scripts or compiled ● You can create/add any number of commands for a payload ○ Command templating ● You can create/add/run any number of C2 profiles at a time ○ They run as sub-processes ○ Only bound ports need to be unique 17
  • 19. PAYLOAD TYPES • Add / Edit Payload types • Can be wrappers for full payloads • Macro • MSBuild • DyLib 19
  • 20. COMMANDS • View Code • Provide operator help • Edit code • Add/edit/remove parameters 20
  • 21. COMMAND TRANSFORMS / ATT&CK / ARTIFACTS • Transform commands • Provide ATT&CK Mappings • Indicate host/network artifacts 21
  • 23. C2 PROFILE PARAMETERS • Specify parameters that will be stamped into an agent during creation • “key” value is stamped out with user’s value in agent code 23
  • 24. PAYLOAD CREATION - UI • Pick C2 profile, payload type, and initial commands • Stamp all pieces together 24
  • 25. PAYLOAD CONFIGURATION • All payloads registered in the database • See configuration and comparison to server state at any time 25
  • 26. CALLBACK VIEW • Familiar table of callbacks like most tools • Detailed task data grouped by task (not time) • Add/track optional comments per task 26
  • 27. SHARING SINGULAR TASKS • Click task number on almost any page to view JUST that one task and its output • Easy to share URL amongst team members: /tasks/task# • Only viewable by users assigned to that operation 27
  • 28. TASK VIEW • View all tasks at once across all callbacks • Click to expand and see output 28
  • 29. SEARCH VIEW • Search all task output or task parameters for key words/phrases • Searches across all callbacks in an operation • Faster and more targeted than just 29
  • 30. ATT&CK × Transform commands × Provide ATT&CK Mappings × Indicate host/network artifacts 30
  • 31. APPLY ATT&CK WITH REGEX • Match all tasks where the parameters fit regex: .*id • Check matches and their current ATT&CK mappings 31
  • 32. BASIC ARTIFACT TRACKING • Define formats for artifacts based on commands and command parameters 32
  • 33. COMMAND TRANSFORMS • Toggle transforms on/off locally • Can optionally persist settings globally for all operators • Test outputs of each transform: 33
  • 34. UPLOADING / DOWNLOAD 34 • View all uploads/downloads and file paths across an operation • Real-time updates for in-progress downloads
  • 35. SCREEN CAPTURES 35 • View screen captures by callback or across an entire operation
  • 36. COMMAND COMPLETION 36 • Auto populate available commands based on the associated payload type for the callback • Can use L/R arrow keys to cycle through choices
  • 37. COMMAND PARAMETERS 37 • If a command has registered parameters and you don’t type any on the command line • Pop-up dialog to fill in parameters
  • 38. APFELL AGENTS What does an agent look like? 38
  • 39. PAYLOAD DESIGN CONSIDERATIONS 39 ● Modular ○ All commands are stand-alone ○ Main payload is just management engine ○ C2 is abstracted away ■ Creates plug-and-play C2 functionality ○ Stamp in commands at creation ■ And load more in later ● Inspiration ○ Malware samples: PlugX, Flame, CozyDuke, etc
  • 40. PAYLOAD DESIGN CONSIDERATIONS 40 ● OS Agnostic ○ Apfell is a framework for collaborative operations ○ Payloads can be created for any OS – scripted or compiled ● OPSEC aware ○ Ideally agents track their footprint on host and report back ○ Artifact tracking with real-time data in responses
  • 41. GOING FORWARD What’s next for Apfell? 41
  • 42. FUTURE UPDATES – SHORT TERM ● More encryption ○ Currently just HTTPS ● More payload types across multiple operating systems ○ Python, Mach-O, C#, ELF, Go ● More built-in commands ○ Keylogging, Process Injection, Proxy Pivots 42
  • 43. FUTURE UPDATES – MEDIUM TERM ● More customizable C2 profiles included by default ○ Control GET/POST requests ● More C2 profiles that don’t require external comms ○ SMB, SSH ● More Artifact Tracking / Defensive Guidance ○ Better tracking of operational artifacts ○ Inclusion of defensive measures for commands 43
  • 44. FUTURE UPDATES – LONG TERM ● Create scriptable Python API for greater control ○ Registerable within the UI – no need for RESTful scripting ● Server speed improvements ○ Automated builds ● More UI Upgrades ○ Attackers think in graphs, not lists ● Community driven updates ○ Please contribute! ☺ 44
  • 45. 45 THANKS!Any questions? • Twitter: @its_a_feature_ • GitHub: github.com/its-a-feature/ • https://its-a-feature.github.io • Blog series on creating Apfell • macOS AD discovery (Orchard) It’s not a bug, it’s a feature