Stage 1 Tradecraft
Intro
Stage 1 - Minimal, viable tooling that acts as an effective springboard, safety net, and auxiliary capability - typically launched from an initial access vector.
Terminology doesn't matter. Tomato-potato.
All teams are different, have different requirements, different targets. Flavors of stage 1 tooling, or the lack thereof, are similarly diverse.
Open Source examples: Atlas (Mythic Framework), Koadic.
Copyright © 2022 Accenture. All rights reserved.
Who am I
Me, human, operator/R&D guy.
@ FusionX (now part of Accenture Security) since 2015.
Professionally offensive since 2012.
Matt Howard
Principal Security Consultant
Accenture Security
3-ish Stage Model
Stage 0
Initial access vector. Kicks off the process of running arbitrary code ([[stage 1 artifact]]), hopefully in a somewhat safe manner.
Examples: HTA (JS/VBS), Macros (VBA), various file formats
Stage 1
Automated loader typically used to protect and facilitate execution of a stage 2 payload.
Alternatively*, a suite of dynamically controlled (semi-active) host access tools that is rolled into one simple package
ex: Atlas, Koadic, ...
* focus of this talk
Stage 2
Remote Access Tools and various other digital rodents.
(Cobalt Strike, Meterpreter, Sliver, BRC4, NHC2)
Stage 3 (Bonus)
A pivot off beachhead or a deeper implant (ring 0 or lower).
We're not going to even count this one.
3-ish Stage Model
Stage 0 -> Load Stage 1 -> Load Stage 2 -> Deploy Stage 3
Somewhat similar
Stage 0
+ Primary purpose is to load stage 1 safely
+ Protection
+ Obfuscation
+ Encryption
+ Varies widely based off execution method
Stage 1
+ Protections
+ Obfuscation
+ Encryption
+ Telemetry (flares)
+ Interactive manual decision making
+ Bare min ability to load more code
+ Bare min ability to collect more telemetry
Stage 2
+ Full hands on keyboard RATs/implants/etc
+ Whatever, just gimme SOCKS
+ Collection packages:
• Quick win password grabs
• Situational awareness: user behavior, AD/network/egress check, local system
Stage 3
Get away from beachhead
Stage 1 Variations
Automated (not this talk) | Interactive (this talk)
Programmatically select best action
Extremely minimal C2 methods
Operator selections
Push telemetry, checkin, and/or fetch
History
Obviously, we (red teamers) are not the first!!
"Staging" has always existed but until somewhat recently* was linear and simple in nature
* Malware baddies have been using it to selectively serve stage 2 for handoffs, opsec reasons, etc.
* In house we've made around a half dozen of these playing catchup
For us, it was born out of necessity:
+ pre-domain fronting
+ domain fronting + the major CDNs pushing mitigations
+ complex endpoint defenses require very software/config-specific touch
+ in-house implant dev, needed to protect goodies
Then they became a bit more:
+ Stable, reliable means of loading stage 2
+ Gathering specific telemetry to load more safely in the environment
+ Deploying and validating persistence
+ More :)
Detection Surface Reduction
Definition: The intentional reduction of data points exposed to any given suite of security solutions, thereby reducing the likelihood said software will trigger interdiction or detection conditions.
Full RAT has the most possible surface area for detection:
+ The most feature rich
+ Exhibits most observable behaviors
• Command/process executions
• Registry/file access
• Outbound network (to C2 or internal hosts for pivots, etc.)
• Various APIs for the host operating system interaction
Mostly off the shelf or on GitHub due to cost of in-house dev/updates
If we assume stage 0 went well, the next stage should (by DSR considerations):
+ create the absolute minimum raw functionality required to inch towards your objective
+ Assume we will run in a hostile environment with everything getting inspected
+ Allow a form of loading - stages can load stages can load stages. Complexity generally increases in latter stages.
+ A stage 1 tool can load another stage that has a specific loading functionality itself... (EDR-specific injection modules)
+ Kinda like brain surgery in an unknown environment with a virtual periscope
C2 Considerations
Stage 1 C2 should be:
+ A reliable channel
+ Blend with the environment's baseline: use protocols and 3rd party services already present
+ Avoid complexity
+ Absolute minimum PDU for what is required
+ Have failovers
+ Dead drop resolvers (ex: HAMMERTOSS)
+ Have variable beaconing timeframes: long haul vs interactive vs periodic vs various
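Added example, not part of the original deck: the defender's view of "variable beaconing timeframes". Jittered check-ins still cluster around a median interval, so a robust dispersion measure (median absolute deviation over median) separates them from human browsing. The log format, addresses, hostnames and thresholds below are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2022, 3, 1, 9, 0, 0)


def make_lines(client, dest, offsets):
    """Build constructed proxy log lines: '<ISO timestamp> <client> <destination>'."""
    return [f"{(T0 + timedelta(seconds=s)).isoformat()} {client} {dest}"
            for s in offsets]


# Constructed sample data (not real traffic).
SAMPLE_LOG = (
    # check-in around every 300 s with roughly 10% jitter
    make_lines("10.0.0.5", "cdn.example.net",
               [0, 310, 598, 921, 1204, 1497, 1815, 2102, 2399, 2710])
    # a person browsing: bursts of requests separated by long, irregular gaps
    + make_lines("10.0.0.7", "news.example.org",
                 [0, 4, 9, 65, 70, 900, 905, 2400, 2410, 5000])
    # too few events to judge at the default settings
    + make_lines("10.0.0.9", "api.example.com", [0, 600, 1200])
)


def beacon_candidates(lines, min_events=8, min_interval=30.0, max_dispersion=0.25):
    """Flag (client, destination) pairs whose request spacing is regular.

    dispersion = MAD(deltas) / median(deltas). The median and MAD are robust
    to a few outliers, so moderate jitter or a missed check-in does not hide
    the underlying period the way it would with mean and standard deviation.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, client, dest = line.split()
        by_pair[(client, dest)].append(datetime.fromisoformat(ts))

    findings = []
    for (client, dest), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue  # not enough evidence either way
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(deltas)
        if median < min_interval:
            continue  # page-load bursts, not a periodic check-in
        mad = statistics.median([abs(d - median) for d in deltas])
        dispersion = mad / median
        if dispersion <= max_dispersion:
            findings.append({
                "client": client,
                "destination": dest,
                "events": len(times),
                "median_interval_s": median,
                "dispersion": dispersion,
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_LOG):
        print(f)
```

Legitimate updaters and telemetry agents are periodic too, so results need a baseline or allowlist of known destinations before alerting.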
Stage 1 Architecture
Stage 1 artifact - the code in an executable format of some kind:
+ dotnet assembly
+ shellcode/PIC
+ DLL
+ COFF
+ Raw source for interpreter
Stage 1 service/LP:
+ The C2 listener
+ Can also be bridge for interacting with 3rd party service (APIs etc)
Controller:
+ CLI/web UI/GUI
+ Controls service/LP
+ Organizes checkin data, logs, and deployed agents
+ Has generator function for turning an agent config into a Stage 1 artifact
Inside the stage 1 program itself:
+ core logic
• Checkin timers (sleep/jitter)
• Opsec - anti-inspection/sandbox checks
• etc
+ Client component (builtin or loaded at runtime) for one or more C2
+ Built-in Stage 1 functionality subroutines called from core loop/C2
Use Cases
Loading additional code/modules - the core feature.
[[collection packages]] or builtin telemetry commands
+ gather [[telemetry]] to feed operator's OODA loop
+ easy quick wins or environment recon
+ C2 viability checks outbound etc
[[collection daemons]] - aka "Flight Recorder (tm)" same but more specific to changes over time/monitoring, often event driven
[[sidecar - redundant access]] - have a backup C2 if your experimental C2 suddenly dies a horrible death
[[deploying persistence]] - makes sense sometimes to deploy persistence and wait till next run before trying something risky to load stage 2
Continuous recon and user profiling
User behavior profiling - because phished users are humans in a human world
Collection daemons redux
+ watch the system's patterns
+ watch new processes/window titles
+ watch for new connections
+ watch network adapters
Detect possible incident response activity
Considerations for Further Stages
Get what you can first
+ Going full interactive is the most risky part after stage 0.
+ Delay it for as long as possible by extracting as much useful intel and loot as you can with builtin collection functions or collection packages loaded at runtime.
+ Example: Individual (important) collection packages to pull all cookies, credentials (risk to obtain), notes files, situational awareness and additional context.
Interactive RAT/implant stages
+ Ensure agent is not running on instrumented VM or IR analysis box
+ Stage 2 loading in the safest way possible.
+ All C2 for stage 2 should be checked for viability (domain categorization or stringent egress controls)
+ [[sidecar - redundant access]] - if your C2 dies, hopefully your stage 1 doesn't die with it.
Cleanliness
+ When possible, stages should be able to be removed
+ Even better when they are automatically removed
+ Examples:
• Keep track of child pids used in stage 2 components
• Threads that contain a loaded stage 2 component
• Temporary files
In-the-Wild Example
SUNBURST in the wild, example and case study from the SolarWinds supply chain attack:
+ Anti-analysis checks on environment
+ Blacklist (236 entries) using FNV-1a + xor hash trick for checks against service/process/drivers
+ DGA, subdomains act as egress telemetry via A record lookups
• Domain name (FQDN) of host used primarily for targeting
+ DNS used to configure an HTTPS C2
• Hardcoded IP ranges served as ingress decision control codes
• Used to CNAME to the HTTPS C2's endpoint
+ HTTPS C2 takes bulk interactive commands by pulling out GUIDs from response HTML:
• Idle, Exit, SetTime, CollectSystemDescription, UploadSystemDescription, RunTask, GetProcessByDescription, KillTask, GetFileSystemEntries, WriteFile
• FileExists, DeleteFile, GetFileHash, ReadRegistryValue, DeleteRegistryValue, GetRegistrySubKeyAndValueNames, Reboot
• Sounds familiar??
+ Loads TEARDROP, which loads in-memory from an xor'd jpg file, loading stage 2 (Cobalt Strike)
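Added example, not part of the original deck: a detection sketch for the "subdomains act as egress telemetry via A record lookups" pattern. It groups DNS queries by client and parent domain and flags parents that receive many unique, long, high-entropy leftmost labels. The log format, domains, labels and thresholds are constructed assumptions, and the two-label parent split is a simplification (production code should use the Public Suffix List).

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


# Constructed DNS query log: '<client> <qname>'. Labels are made up for
# this example and are not indicators from any real sample.
ENCODED_LABELS = [
    "q7x2m9kd4v1tz8hb3c5w", "h3n8r5yb1p6zc2tq9f4j", "w4k9d2xv7m1g8s5la3ne",
    "b6t1j8qz3f7y2c9ur5mp", "z2g7n4cx9k5h1v8dq3sw", "m8p3f6ta1y4j9r2be7xk",
]
SAMPLE_DNS_LOG = (
    [f"10.0.0.5 {label}.api.cloudsvc.example" for label in ENCODED_LABELS]
    # many unique subdomains, but short and structured: ordinary CDN sharding
    + [f"10.0.0.7 img{i}.static.imgcdn.example" for i in range(1, 7)]
    # ordinary host names
    + ["10.0.0.8 www.intranet.example", "10.0.0.8 mail.intranet.example"]
    # one long label seen once: not enough volume to call it a channel
    + ["10.0.0.8 a1b2c3d4e5f6a7b8c9d0.tracking.example"]
)


def telemetry_suspects(lines, min_unique=5, min_len=16, min_entropy=3.0):
    """Return (client, parent domain) pairs that look like DNS-borne telemetry."""
    labels_seen = defaultdict(set)
    for line in lines:
        client, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) <= 2:
            continue  # bare parent domain, nothing encoded in front of it
        parent = ".".join(labels[-2:])  # assumption: 2-label registered domain
        labels_seen[(client, parent)].add(labels[0])

    suspects = []
    for (client, parent), subs in sorted(labels_seen.items()):
        if len(subs) < min_unique:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= min_len and mean_entropy >= min_entropy:
            suspects.append({
                "client": client,
                "parent": parent,
                "unique_labels": len(subs),
                "mean_length": mean_len,
                "mean_entropy": mean_entropy,
            })
    return suspects


if __name__ == "__main__":
    for s in telemetry_suspects(SAMPLE_DNS_LOG):
        print(s)
```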
Example Stage 1 Tool
"Generic Stage 1" GS1. In-house stage 1 used in a variety of ops for initial access and persistence in years past.
Basic anti-IR/anti-analysis
+ Checked process list and window titles against blacklist
+ Checked MAC OUI against blacklist
+ Checked for expected parent process
+ Checked for debugger
+ Domain joined check
Used DNS A records to configure HTTPS C2
+ Creepy coincidence with SUNBURST..
+ Fetched PNG file which had valid header but XOR encoded C2 PDU
+ Using hardcoded subdomains' IPv4 response bytes to determine HTTP C2 parameters
+ Configured connection and Host headers (arbitrary, runtime configured domain fronting)
+ Requested a series of URLs depending on the OS/architecture
+ IE COM or Google Docs' URL viewer as a backup fetch option
Commands:
+ Change time/jitter
+ Drop and run JS/VBS or msbuild xml in a container in variety of ways
+ Pull down shellcode and run it in new thread
+ Kill a pid
+ Clean temporary files
+ Exit
+ Process lists and other telemetry manually pushed back via collection packages loaded at runtime
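Added example, not part of the original deck: a content-inspection check for the "valid header but encoded body" pattern described above. A file that only carries the PNG signature fails as soon as the chunk layout, CRCs and IDAT stream are verified. The function name and the sample byte strings are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def check_png(data):
    """Return a list of structural problems; an empty list means well-formed."""
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    problems, seen, idat = [], [], []
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            problems.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            problems.append(f"chunk at offset {pos} overruns the file")
            break
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        if not ctype.isalpha():
            problems.append(f"non-alphabetic chunk type at offset {pos}")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            problems.append(f"bad CRC in chunk at offset {pos}")
        seen.append(ctype)
        if ctype == b"IDAT":
            idat.append(body)
        pos = end
        if ctype == b"IEND":
            break
    if not seen or seen[0] != b"IHDR":
        problems.append("first chunk is not IHDR")
    if b"IEND" not in seen:
        problems.append("no IEND chunk")
    elif pos < len(data):
        problems.append(f"{len(data) - pos} bytes after IEND")
    if idat:
        try:
            zlib.decompress(b"".join(idat))
        except zlib.error:
            problems.append("IDAT stream does not decompress")
    return problems


# Constructed samples: a minimal 1x1 8-bit grayscale PNG ...
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
VALID_PNG = (PNG_SIGNATURE + IHDR
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + make_chunk(b"IEND", b""))
# ... and a file with a correct signature and IHDR followed by opaque bytes
# (constructed filler standing in for an encoded body).
HEADER_ONLY = PNG_SIGNATURE + IHDR + bytes(range(40, 120))

if __name__ == "__main__":
    for name, blob in [("valid", VALID_PNG), ("header-only", HEADER_ONLY),
                       ("trailing data", VALID_PNG + b"extra")]:
        print(name, check_png(blob))
```

Magic-byte or MIME sniffing alone passes the second sample; the full parse is what separates it from a real image.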
Closing Thoughts and Q&A
Stages are a limiting paradigm, but so are RATs.
+ Stage 1 can redeploy itself in memory in many cases aka "dynamic update" + long sleep
+ If you just need persistence set and SOCKS then....
non-Windows/non-Mac hosts = fantastic candidates for long term persistence tooling
+ Lack of advanced EDR
+ May look funkier with regards to egress traffic
Can you perform a red team without a fully functional RAT?
Thank you
About Accenture
Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across
more than 40 industries, we offer Strategy and Consulting, Song, Technology and Operations services — all powered by the world’s largest network of Advanced Technology
and Intelligent Operations centers. Our 710,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We
embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com.
About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security
operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations
centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us
@AccentureSecure on Twitter or visit us at www.accenture.com/security.
DISCLAIMERS:
This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current
developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this
presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for
obtaining such advice from their own legal counsel or other licensed professionals.

Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

Stage 1 Tradecraft

  • 2. Intro
    Stage 1 - Minimal, viable tooling that acts as an effective springboard, safety net, and auxiliary capability - typically launched from an initial access vector.
    Terminology doesn't matter. Tomato-potato.
    All teams are different, have different requirements, different targets. Flavors of stage 1 tooling, or the lack thereof, are similarly diverse.
    Open Source examples: Atlas (Mythic Framework), Koadic.
    Copyright © 2022 Accenture. All rights reserved.
  • 3. Who am I
    Matt Howard, Principal Security Consultant, Accenture Security
    Me, human, operator/R&D guy.
    @ FusionX (now part of Accenture Security) since 2015.
    Professionally offensive since 2012.
  • 4. 3-ish Stage Model
    Stage 0: Initial access vector. Kicks off the process of running arbitrary code ([[stage 1 artifact]]), hopefully in a somewhat safe manner. Examples: HTA (JS/VBS), Macros (VBA), various file formats.
    Stage 1: Automated loader typically used to protect and facilitate execution of a stage 2 payload. Alternatively*, a suite of dynamically controlled (semi-active) host access tools that is rolled into one simple package (ex: Atlas, Koadic, ...). * focus of this talk
    Stage 2: Remote Access Tools and various other digital rodents (Cobalt Strike, meterpreter, Sliver, BRC4, NHC2).
    Stage 3 (Bonus): A pivot off beachhead or a deeper implant (ring 0 or lower). We're not going to even count this one.
  • 5. 3-ish Stage Model
    Stage 0 -> Load Stage 1 -> Load Stage 2 -> Deploy Stage 3
    Somewhat similar
    Stage 0
    + Primary purpose is to load stage 1 safely
    + Protection
    + Obfuscation
    + Encryption
    + Varies widely based off execution method
    Stage 1
    + Protections
    + Obfuscation
    + Encryption
    + Telemetry (flares)
    + Interactive manual decision making
    + Bare min ability to load more code
    + Bare min ability to collect more telemetry
    Stage 2
    + Full hands on keyboard RATs/implants/etc
    + Whatever, just gimme SOCKS
    + Collection packages:
      • Quick win password grabs
      • Situational awareness: user behavior, AD/network/egress check, local system
    Stage 3
    + Get away from beachhead
    Stage 1 Variations
    Automated (not this talk) | Interactive (this talk)
    + Programmatically select best action
    + Extremely minimal C2 methods
    + Operator selections
    + Push telemetry, checkin, and/or fetch
  • 6. History
    Obviously, we (red teamers) are not the first!!
    "Staging" has always existed but until somewhat recently* was linear and simple in nature
    * Malware baddies have been using it to selectively serve stage 2 for handoffs, opsec reasons, etc.
    * In house we've made around a half dozen of these playing catchup
    For us, it was born out of necessity:
    + pre-domain fronting
    + domain fronting
    + the major CDNs pushing mitigations
    + complex endpoint defenses require very software/config-specific touch
    + in-house implant dev, needed to protect goodies
    Then they became a bit more:
    + Stable, reliable means of loading stage 2
    + Gathering specific telemetry to load more safely in the environment
    + Deploying and validating persistence
    + More :)
  • 7. Detection Surface Reduction
    Definition: The intentional reduction of data points exposed to any given suite of security solutions, thereby reducing the likelihood said software will trigger interdiction or detection conditions.
    Full RAT has the most possible surface area for detection:
    + The most feature rich
    + Exhibits most observable behaviors
      • Command/process executions
      • Registry/file access
      • Outbound network (to C2 or internal hosts for pivots, etc.)
      • Various APIs for the host operating system interaction
    Mostly off the shelf or on GitHub due to cost of in-house dev/updates
    If we assume stage 0 went well, the next stage should (by DSR considerations):
    + Create the absolute minimum raw functionality required to inch towards your objective
    + Assume we will run in a hostile environment with everything getting inspected
    + Allow a form of loading - stages can load stages can load stages. Complexity generally increases in latter stages.
    + A stage 1 tool can load another stage that has a specific loading functionality itself... (EDR-specific injection modules)
    + Kinda like brain surgery in an unknown environment with a virtual periscope
  • 8. C2 Considerations
    Stage 1 C2 should be:
    + A reliable channel
    + Blend with the environment's baseline: use protocols and 3rd party services already present
    + Avoid complexity
    + Absolute minimum PDU for what is required
    + Have failovers
    + Dead drop resolvers (ex: HAMMERTOSS)
    + Have variable beaconing timeframes: long haul vs interactive vs periodic vs various
  • 9. Stage 1 Architecture
    Stage 1 artifact - the code in an executable format of some kind:
    + dotnet assembly
    + shellcode/PIC
    + DLL
    + COFF
    + Raw source for interpreter
    Stage 1 service/LP:
    + The C2 listener
    + Can also be bridge for interacting with 3rd party service (APIs etc)
    Controller:
    + CLI/web UI/GUI
    + Controls service/LP
    + Organizes checkin data, logs, and deployed agents
    + Has generator function for turning an agent config into a Stage 1 artifact
    Inside the stage 1 program itself:
    + Core logic
      • Checkin timers (sleep/jitter)
      • Opsec - anti-inspection/sandbox checks
      • etc
    + Client component (builtin or loaded at runtime) for one or more C2
    + Built-in Stage 1 functionality subroutines called from core loop/C2
  • 10. Use Cases
    Loading additional code/modules - the core feature.
    [[collection packages]] or builtin telemetry commands
    + gather [[telemetry]] to feed operator's OODA loop
    + easy quick wins or environment recon
    + C2 viability checks outbound etc
    [[collection daemons]] - aka "Flight Recorder (tm)" - same but more specific to changes over time/monitoring, often event driven
    [[sidecar - redundant access]] - have a backup C2 if your experimental C2 suddenly dies a horrible death
    [[deploying persistence]] - makes sense sometimes to deploy persistence and wait til next run before trying something risky to load stage 2
  • 11. Continuous recon and user profiling
    User behavior profiling - because phished users are humans in a human world
    Collection daemons redux
    + watch the system's patterns
    + watch new processes/window titles
    + watch for new connections
    + watch network adapters
    Detect possible incident response activity
  • 12. Considerations for Further Stages
    Get what you can first
    + Going full interactive is the most risky part after stage 0.
    + Delay it for as long as possible: favor extracting as much useful intel and loot as you can with builtin collection functions or collection packages loaded at runtime.
    + Example: Individual (important) collection packages to pull all cookies, credentials (risk to obtain), notes files, situational awareness and additional context.
    Interactive RAT/implant stages
    + Ensure agent is not running on instrumented VM or IR analysis box
    + Stage 2 loading in the safest way possible.
    + All C2 for stage 2 should be checked for viability (domain categorization or stringent egress controls)
    + [[sidecar - redundant access]] - if your C2 dies, hopefully your stage 1 doesn't die with it.
    Cleanliness
    + When possible, stages should be able to be removed
    + Even better when they are automatically removed
    + Examples:
      • Keep track of child pids used in stage 2 components
      • Threads that contain loaded stage 2 components
      • Temporary files
  • 13. In-the-Wild Example
    SUNBURST in the wild, example and case study from the SolarWinds supply chain attack:
    + Anti-analysis checks on environment
    + Blacklist (236 entries) using FNV-1a + xor hash trick for checks against service/process/drivers
    + DGA, subdomains act as egress telemetry via A record lookups
      • Domain name (FQDN) of host used primarily for targeting
    + DNS used to configure an HTTPS C2
      • Hardcoded IP ranges served as ingress decision control codes
      • Used to CNAME to the HTTPS C2's endpoint
    + HTTPS C2 takes bulk interactive commands by pulling out GUIDs from response HTML:
      • Idle, Exit, SetTime, CollectSystemDescription, UploadSystemDescription, RunTask, GetProcessByDescription, KillTask, GetFileSystemEntries, WriteFile
      • FileExists, DeleteFile, GetFileHash, ReadRegistryValue, DeleteRegistryValue, GetRegistrySubKeyAndValueNames, Reboot
      • Sounds familiar??
    + Loads TEARDROP, which loads in-memory from an XOR'd JPG file, loading stage 2 (Cobalt Strike)
  • 14. Example Stage 1 Tool
    "Generic Stage 1" GS1. In-house stage 1 used in a variety of ops for initial access and persistence in years past.
    Basic anti-IR/anti-analysis
    + Checked process list and window titles against blacklist
    + Checked MAC OUI against blacklist
    + Checked for expected parent process
    + Checked for debugger
    + Domain joined check
    Used DNS A records to configure HTTPS C2
    + Creepy coincidence with SUNBURST..
    + Fetched PNG file which had valid header but XOR encoded C2 PDU
    + Using hardcoded subdomains' IPv4 response bytes to determine HTTP C2 parameters
    + Configured connection and Host headers (arbitrary, runtime configured domain fronting)
    + Requested a series of URLs depending on the OS/architecture
    + IE COM or Google Docs's URL viewer as a backup fetch option
    Commands:
    + Change time/jitter
    + Drop and run JS/VBS or msbuild xml in a container in variety of ways
    + Pull down shellcode and run it in new thread
    + Kill a pid
    + Clean temporary files
    + Exit
    + Process lists and other telemetry manually pushed back via collection packages loaded at runtime
  • 15. Closing Thoughts and Q&A
    Stages are a limiting paradigm, but so are RATs.
    + Stage 1 can redeploy itself in memory in many cases aka "dynamic update" + long sleep
    + If you just need persistence set and SOCKS then....
    non-Windows/non-Mac hosts = fantastic candidates for long term persistence tooling
    + Lack of advanced EDR
    + May look funkier with regards to egress traffic
    Can you perform a red team without a fully functional RAT?
  • 16. Thank you
    About Accenture: Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Song, Technology and Operations services, all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 710,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com.
    About Accenture Security: Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
    DISCLAIMERS: This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.
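Slide 13 mentions a 236-entry blacklist stored as FNV-1a hashes with an XOR applied. The following is an added analyst-side example, not code from the talk or from any sample: it resolves such hashed entries back to names by hashing a candidate wordlist. The 64-bit variant, the lowercase step, the XOR key, the wordlist and the "extracted" hashes are all assumptions or constructed placeholders.

```python
FNV64_OFFSET = 0xCBF29CE484222325   # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3         # standard FNV 64-bit prime
MASK64 = 0xFFFFFFFFFFFFFFFF
XOR_KEY = 0x1122334455667788        # constructed placeholder, not a real sample's key


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a, 64-bit: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & MASK64
    return h


def blocklist_hash(name: str, xor_key: int = XOR_KEY) -> int:
    """Hash as assumed here: lowercase the name, FNV-1a it, XOR the result."""
    return fnv1a64(name.lower().encode("utf-8")) ^ xor_key


def candidate_forms(name: str):
    """Yield the spellings a process/service/driver name may have been hashed in."""
    base = name.lower()
    yield base
    if "." in base:
        yield base.rsplit(".", 1)[0]          # same name without its extension
    else:
        for ext in (".exe", ".sys"):          # same name with common extensions
            yield base + ext


def recover_names(hashes, wordlist, xor_key: int = XOR_KEY):
    """Map extracted hashes to candidate names; return (recovered, unresolved)."""
    lookup = {}
    for word in wordlist:
        for form in candidate_forms(word):
            lookup.setdefault(blocklist_hash(form, xor_key), form)
    recovered = {h: lookup[h] for h in hashes if h in lookup}
    unresolved = [h for h in hashes if h not in lookup]
    return recovered, unresolved


# Constructed stand-ins for hashes an analyst pulled out of a binary.
EXTRACTED = [blocklist_hash(n) for n in ("procmon", "wireshark.exe", "unlisted-tool")]
# Constructed wordlist of analysis-tool names to test against.
WORDLIST = ["Procmon.exe", "Wireshark", "windbg", "autoruns"]

if __name__ == "__main__":
    found, missing = recover_names(EXTRACTED, WORDLIST)
    for value, name in found.items():
        print(f"{value:#018x} -> {name}")
    print(f"{len(missing)} hash(es) unresolved")
```

Unresolved hashes show where the wordlist needs to grow; the recovered names tell a defender which monitoring tools a sample looks for before it acts.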
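Slide 14 describes a fetched PNG that had a valid header but carried XOR-encoded data. The following is an added detection-side example, not code from the talk: a structural check that goes past the header, walking the chunk chain, verifying each CRC and decompressing the IDAT stream. Both sample blobs are constructed, and the function names are hypothetical.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def inspect_png(blob: bytes):
    """Return (verdict, detail); verdict is 'ok', 'not_png' or 'suspicious'."""
    if not blob.startswith(PNG_SIG):
        return ("not_png", "PNG signature missing")
    pos, seen, idat = len(PNG_SIG), [], b""
    while pos < len(blob):
        if pos + 8 > len(blob):
            return ("suspicious", f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if not ctype.isalpha() or end > len(blob):
            return ("suspicious", f"invalid chunk type or length at offset {pos}")
        data = blob[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            return ("suspicious", f"CRC mismatch in {ctype!r} at offset {pos}")
        seen.append(ctype)
        if ctype == b"IDAT":
            idat += data
        pos = end
        if ctype == b"IEND":
            break
    if not seen or seen[0] != b"IHDR" or seen[-1] != b"IEND":
        return ("suspicious", "chunk chain does not run IHDR ... IEND")
    if pos != len(blob):
        return ("suspicious", f"{len(blob) - pos} bytes trail the IEND chunk")
    try:
        zlib.decompress(idat)           # image data must be a valid zlib stream
    except zlib.error:
        return ("suspicious", "IDAT stream is not valid zlib data")
    return ("ok", f"{len(seen)} well-formed chunks")


# Constructed samples: a real 1x1 grayscale PNG, and a file that keeps the
# signature and IHDR but continues with opaque (XOR-ed) bytes.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
BENIGN = (PNG_SIG + IHDR + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + make_chunk(b"IEND", b""))
OPAQUE = bytes(b ^ 0x5A for b in b"constructed non-image bytes " * 3)
HEADER_ONLY = PNG_SIG + IHDR + OPAQUE

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("header_only", HEADER_ONLY)):
        print(name, inspect_png(blob))
```

A proxy or sandbox that only checks the magic bytes or Content-Type would pass the second sample; the chunk walk is what separates the two.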