RAT
“Repurposing Adversarial Tradecraft”
Overview
Introduction of topic
◈ Who am I
◈ Where I come from
◈ Topic intro
⬥ What is RAT
◈ What I'm trying to accomplish
Adversarial Tradecraft
◈ Tactics, Techniques and Procedures (TTPs)
◈ Tools that can be integrated
Adversaries Covered
◈ Duqu
◈ Hacking Team
◈ APT 29
◈ ProjectSauron
Who am I?
I am Alexander Rymdeko-Harvey.
I am a Pentester / Red Teamer with *************************, previously US Army enlisted,
and have worked on the following: SimplyEmail, SimplyTemplate, EmPyre
You can find me at @Killswitch-GUI
Some background on the tools developed:
◈ Strong background in Python and common tradecraft
◈ Six months ago I had barely any C++ skill set when it came to development
◈ Tools developed are POC and are weaponized for specific use cases with multiple languages (Python, PowerShell, C++)
◈ All are open source and can be found at Github.com/Killswitch-GUI
◈ I don't know if I will maintain or expand weaponization
Major shout out to the entire team for the help and aid developing these, especially:
Matt Graeber | Justin Warner | Chris Ross | Lee Christian | Matt Nelson | Rohan Vazarkar | Keelyn Roberts
1. Topic Intro
What is RAT?
Repurposing adversarial tradecraft stems from the traditional sense of warfare: evolving your force to meet a threat.
- Justin Warner has a great three-part series on the Red Team: https://www.sixdub.net/?p=705
What is this all about? Why so important?
- Pushes the community forward
- Educates you and the client on the newest attack angles
“Red teamers often differentiate themselves from pentesters in that they ‘emulate adversaries’, yet how often do we hear them talk about actual adversarial TTPs based off real-world threat intel?”
What I'm trying to accomplish
Taking the time to analyze reports:
◈ The need for threat replication
◈ Helps produce capabilities
◈ Advances the team's capability
Find some of this code that actually compiles …
Every tester should understand what the actions they take are doing in the background.
2. Duqu 2.0
Stealth | Precision | Leverage
What makes Duqu special?
WMI Data Collection
◈ Enumerate process info
◈ Remote registry collection*
◈ Extract user info / files
Driver Management
◈ Start / stop drivers
◈ Load drivers
◈ Write drivers to disk
Situational Awareness
A unique set of tools that allowed data collection and provided awareness to operators.
◈ Detects running sniffers
Network Leverage
A slew of network-based attacks and collection methods.
◈ PCAP*
◈ NetBIOS
◈ WPAD
Persistence
Unique persistence, or rather lack of persistence, for such an aggressive threat.
◈ TTPs and confidence
◈ Rarely implanted a persistence mechanism
AD Query
ADSI queries and Global Catalog (GC) enumeration, think PowerView! This allows for all that post-exploitation fun.
Hacking Team hackers talk about their tradecraft and methodology
Persistence
Duqu style persistence
In Memory
Duqu reports indicate that the malware lived exclusively in memory.
- This is common practice for operators today
- We do however need to plant persistence on long-term operations
Location Based
Reports indicate that the agent implant location was a large factor.
- This dictated the survivability of the agent
- Picked high-uptime servers / data centers*
HIPS Avoidance
Stealth is an obvious concern: staying off disk and avoiding potential HIPS.
- Dropping to disk poses a risk of being caught by heuristics etc.
What was the driver to build this TTP?
◈ A few long-term engagements that required persistence and the ability to operate for 30+ days
◈ The need to maintain constant C2 as a backup
◈ This tool came in handy on more than one occasion and allowed for success
Questions you need to ask yourself on an OP?
Building a Survivability Rating!
Invoke-FindPersistence
❏ Main entry point
❏ PowerView!
❏ Enumerates the target domain
❏ Filters: OS, Service Pack, SPN, ADSPath, Filter, ComputerName
Invoke-Ping / Test-Wmi
❏ Feed the computer objects into Ping
❏ Feed the live objects into Test-Wmi to check for RPC
❏ WMI objects are full of properties (pass Win32_OperatingSystem)
Calculate Values
❏ Calculate a value from 0-100 for each property
❏ The mapping is dependent on the type of property
❏ Calculate the weighted average as a percent
❏ Calculate the Persistence Survivability Rating (PSR)
Build Statistics
❏ Calculate the mean PSR
❏ Calculate the standard deviation of the PSR
❏ Variance identifies hot spots!
(Flow: Get-NetComputer → Obtain WMI → Calculate Weight)
Running the script
◈ Threads
- Allow for extremely fast WMI tests and data collection
◈ PowerView Get-NetComputer as the searcher:
- Allows for very granular host selection via ADSPath, Filter and OS
◈ Tips:
- Find a custom "OU" for servers | PS> Get-NetOU -OUName *server*
- Set -MaxHosts to a reasonable query size
- Set -OperatingSystem to server versions
Persistence Survivability Rating

Property          | Query                   | Weighted value | Implemented
------------------|-------------------------|----------------|------------
Boot Time         | Get-WmiBootTime         | 40%            | Yes
Install date      | Get-InstallDate         | 5%             | Yes
OS Level          | Get-WmiOS               | 5%             | Yes
System Enclosure  | Get-WmiSystemEnclosure  | 10%            | Yes
Architecture      | Get-WmiArch             | 5%             | Yes
Disk Size         | Get-WmiDisk             | 5%             | Yes
Processor Count   | Get-WmiProcessorCount   | 5%             | Yes
Processor Cores   | Get-WmiProcessorCores   | 5%             | Yes
Processor Speed   | Get-WmiProcessorSpeed   | 5%             | Yes
Process Count     | Get-WmiProcessCount     | 5%             | Yes
Persistence Checks

Query             | Impact           | Implemented
------------------|------------------|------------
VM Checks         | Truth of data    | Yes
WMI Event Logging |                  | No
Portable OS       | Implant location | Yes
Calculating the Mean → Calculate the Standard Deviation → Calculate Variance
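The scoring pipeline above (per-property 0-100 value, weighted average, then mean / variance / standard deviation to find hot spots), written out in C++ as an added example. This is not the Persistence-Survivability PowerShell script from the talk. The weights are the ones in the table above (they sum to 90, so the weighted average divides by the sum of weights); the saturation thresholds for each property, the chassis-type mapping, the 50% discount for VMs and the four-host inventory are assumptions made for this example. In the real tool these facts come from WMI over RPC; here they are constructed in-line so it runs offline.

```cpp
// Persistence Survivability Rating (PSR) scoring and statistics.
// Added example: thresholds, the VM discount and the inventory are assumptions.
#include <cmath>
#include <cstdio>
#include <string>
#include <vector>

// Facts the PowerShell tool pulls over WMI (Win32_OperatingSystem,
// Win32_SystemEnclosure, Win32_Processor ...). Constructed here so it runs offline.
struct HostFacts {
    std::string name;
    double uptimeDays;        // now - LastBootUpTime
    double installAgeDays;    // now - InstallDate
    bool   isServerOs;        // OS level
    int    chassisType;       // Win32_SystemEnclosure.ChassisTypes (SMBIOS value)
    bool   is64bit;
    double diskSizeGB;
    int    processorCount;
    int    processorCores;
    double processorSpeedGHz;
    int    processCount;
    bool   isVM;              // "VM check": truth of the data is suspect
};

// Linear 0-100 mapping, saturating at `full` (thresholds are assumptions).
static double pct(double value, double full) {
    if (value <= 0) return 0;
    return value >= full ? 100.0 : 100.0 * value / full;
}

// Physical servers are worth more than desktops, which beat laptops.
static double enclosureScore(int chassis) {
    switch (chassis) {
        case 17: case 23:          return 100;  // main server chassis, rack mount
        case 3:  case 4:           return 60;   // desktop, low-profile desktop
        case 8:  case 9:  case 10: return 10;   // portable, laptop, notebook
        default:                   return 40;
    }
}

struct Weighted { const char* name; double weight; double value; };

// One 0-100 value per property; the mapping depends on the property type.
// Weights are the talk's (they sum to 90, so the average divides by the sum).
std::vector<Weighted> scoreProperties(const HostFacts& h) {
    return {
        {"BootTime",        40, pct(h.uptimeDays, 90)},           // 90+ days up == 100
        {"InstallDate",      5, pct(h.installAgeDays, 730)},      // 2-year-old build == 100
        {"OSLevel",          5, h.isServerOs ? 100.0 : 25.0},
        {"SystemEnclosure", 10, enclosureScore(h.chassisType)},
        {"Architecture",     5, h.is64bit ? 100.0 : 50.0},
        {"DiskSize",         5, pct(h.diskSizeGB, 1000)},
        {"ProcessorCount",   5, pct(h.processorCount, 4)},
        {"ProcessorCores",   5, pct(h.processorCores, 16)},
        {"ProcessorSpeed",   5, pct(h.processorSpeedGHz, 3.0)},
        {"ProcessCount",     5, pct(h.processCount, 200)},
    };
}

// Weighted average -> PSR percent, discounted for guests (assumed 50%: a VM
// can be snapshotted, migrated or rolled back, so its uptime data lies).
double psr(const HostFacts& h) {
    double num = 0, den = 0;
    for (const Weighted& p : scoreProperties(h)) { num += p.weight * p.value; den += p.weight; }
    double rating = den > 0 ? num / den : 0;
    return h.isVM ? rating * 0.5 : rating;
}

struct PsrStats { double mean, variance, stddev; std::vector<std::string> hotSpots; };

// Mean / variance / standard deviation over the sweep; hosts at least one
// standard deviation above the mean are the "hot spots" worth an implant.
PsrStats buildStatistics(const std::vector<HostFacts>& hosts) {
    PsrStats s{0, 0, 0, {}};
    if (hosts.empty()) return s;
    std::vector<double> r;
    for (const HostFacts& h : hosts) r.push_back(psr(h));
    for (double x : r) s.mean += x;
    s.mean /= (double)r.size();
    for (double x : r) s.variance += (x - s.mean) * (x - s.mean);
    s.variance /= (double)r.size();          // population variance
    s.stddev = std::sqrt(s.variance);
    for (size_t i = 0; i < r.size(); ++i)
        if (r[i] >= s.mean + s.stddev) s.hotSpots.push_back(hosts[i].name);
    return s;
}

// Constructed inventory standing in for Get-NetComputer + Test-Wmi results.
std::vector<HostFacts> sampleInventory() {
    return {
        {"DC01",     180, 900, true,  23, true, 2000, 2, 16, 2.6, 150, false},
        {"FILE01",    60, 400, true,  17, true,  800, 1,  8, 2.4, 120, false},
        {"WS-ALICE",   2, 300, false, 10, true,  256, 1,  4, 2.0,  90, false},
        {"DEVVM01",   30, 100, true,   3, true,  100, 1,  2, 2.2,  60, true},
    };
}

int main() {
    std::vector<HostFacts> inv = sampleInventory();
    for (const HostFacts& h : inv) std::printf("%-10s PSR %6.2f\n", h.name.c_str(), psr(h));
    PsrStats s = buildStatistics(inv);
    std::printf("mean %.2f  stddev %.2f  hot spots:", s.mean, s.stddev);
    for (const std::string& n : s.hotSpots) std::printf(" %s", n.c_str());
    std::printf("\n");
    return 0;
}
```

With this inventory the domain controller scores about 95, the file server about 71, the workstation about 22 and the VM about 21 after the discount, so only DC01 lands above mean plus one standard deviation: that is the host the rating says to plant long-term persistence on.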
Quick Demo!
Why 0day when you don't use SMB signing?
Network Leverage
Duqu style network collection
Modular Build
Duqu reports indicate that the malware was modular in nature.
- Common in malware; allows a custom build of the agent
- Reduces operational risk
- This dynamic execution is emulated via reflective DLLs
Sniffer
Duqu used the legitimate WinPcap (npf.sys) driver for sniffing!
- Full network stack capture
- Ability to spoof and alter the network stack
Network Attacks
Although Duqu had plenty of offensive capability, were common network attacks integrated?
- Allowed for NetBIOS / WPAD attacks
- Why use 0day or burn TTPs if a WPAD attack works?
- Reaches beyond AD in cases where separate network segments exist
Network Capture Options
UserMode
Within usermode, options are very limited. Elevated context is required and only limited capture is available.
- WinSock2 raw sockets are possible
- Allows pure native Windows subsystem code to execute :)
- OSI layer 3 and above available
- No spoofing of the network stack
KernelMode
Kernel space allows for complete control over the network stack and NIC. Elevated context and a signed driver are needed.
- Allows for NDIS integration of protocol drivers (NPF)
- Full packet capture
- Full packet injection
- Network monitoring
Native PCAP Capture in C++!
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ Cobalt Strike!
❏ WinSock2 allows for native capture
❏ Set up the required API calls
IPC Thread
❏ An RDI running in a remote process has no communication channel back to the caller!
❏ Named pipe thread implemented for control
❏ Sets a poison pill (stop condition) for control
❏ Writes the custom pcap header struct to disk
Receive Filter
❏ Parse the packet IP and protocol headers
❏ Filter on packet count, IP, port and file size
❏ Parse and write to stdout
❏ Build the PCAP packet struct and write it to file
(Flow: Start Capture → Build PCAP → Write Packet)
Code slides:
Winsock2 native sniffer
IPC with the capture (language agnostic): C++ named pipe server, PowerShell named pipe client
Build PCAP headers
PCAP File Header
PCAP Packet Header
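The "build PCAP" and "receive filter" pieces from the slides above, as an added C++ example (this is not the Winsock-PCAP code from the talk). The Winsock2 side, a raw socket switched into SIO_RCVALL mode, which is what needs the elevated context mentioned earlier, is Windows-only and is left out; what is shown is everything downstream of recv(): parsing the IPv4 header and TCP/UDP ports, applying the IP / port / packet-count / file-size filter, and emitting a pcap file with the correct global and per-record headers. The sample datagram is constructed in-line. One detail worth knowing: a raw socket hands back IP datagrams with no Ethernet frame, so the file has to be tagged LINKTYPE_RAW (101), not LINKTYPE_ETHERNET (1), or Wireshark will misparse it.

```cpp
// pcap writer plus receive filter for raw IPv4 datagrams. Added example; the
// Winsock2 raw socket (SIO_RCVALL, elevated context) is Windows-only and not shown.
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <string>
#include <vector>

#pragma pack(push, 1)
struct PcapFileHeader {       // libpcap global header, 24 bytes
    uint32_t magic_number;    // 0xa1b2c3d4: host byte order, microsecond timestamps
    uint16_t version_major;   // 2
    uint16_t version_minor;   // 4
    int32_t  thiszone;        // 0
    uint32_t sigfigs;         // 0
    uint32_t snaplen;         // max bytes stored per packet
    uint32_t network;         // link-layer type
};
struct PcapPacketHeader {     // per-record header, 16 bytes
    uint32_t ts_sec, ts_usec, incl_len, orig_len;
};
#pragma pack(pop)

static const uint32_t LINKTYPE_RAW = 101;   // raw IP, no link-layer header

struct ParsedPacket { bool ok; uint8_t protocol; uint32_t src, dst; uint16_t sport, dport; };

static uint16_t be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t* p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

// Parse the IPv4 header and, for TCP/UDP, the port pair that follows it.
ParsedPacket parseIPv4(const uint8_t* pkt, size_t len) {
    ParsedPacket r{false, 0, 0, 0, 0, 0};
    if (len < 20 || (pkt[0] >> 4) != 4) return r;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;          // header length incl. options
    if (ihl < 20 || len < ihl) return r;
    r.protocol = pkt[9];
    r.src = be32(pkt + 12);
    r.dst = be32(pkt + 16);
    if ((r.protocol == 6 || r.protocol == 17) && len >= ihl + 4) {   // TCP / UDP
        r.sport = be16(pkt + ihl);
        r.dport = be16(pkt + ihl + 2);
    }
    r.ok = true;
    return r;
}

// Receive filter: zero means "any". maxPackets / maxBytes are the stop
// conditions so the capture file cannot grow unbounded on the target.
struct Filter { uint32_t ip = 0; uint16_t port = 0; size_t maxPackets = 0; size_t maxBytes = 0; };

bool matches(const Filter& f, const ParsedPacket& p) {
    if (!p.ok) return false;
    if (f.ip && p.src != f.ip && p.dst != f.ip) return false;
    if (f.port && p.sport != f.port && p.dport != f.port) return false;
    return true;
}

class PcapWriter {
public:
    explicit PcapWriter(uint32_t snaplen = 65535) : snaplen_(snaplen) {
        PcapFileHeader h{0xa1b2c3d4, 2, 4, 0, 0, snaplen, LINKTYPE_RAW};
        append(&h, sizeof h);
    }
    // Returns true if the datagram passed the filter and a record was appended.
    bool writePacket(const Filter& f, const uint8_t* pkt, size_t len, uint32_t sec, uint32_t usec) {
        if (f.maxPackets && packets_ >= f.maxPackets) return false;
        if (f.maxBytes && buf_.size() >= f.maxBytes) return false;
        if (!matches(f, parseIPv4(pkt, len))) return false;
        uint32_t incl = len > snaplen_ ? snaplen_ : (uint32_t)len;   // truncate to snaplen
        PcapPacketHeader h{sec, usec, incl, (uint32_t)len};
        append(&h, sizeof h);
        append(pkt, incl);
        ++packets_;
        return true;
    }
    size_t packets() const { return packets_; }
    size_t bytes() const { return buf_.size(); }
    bool flush(const std::string& path) const {       // write the whole capture to disk
        std::ofstream out(path, std::ios::binary);
        out.write(reinterpret_cast<const char*>(buf_.data()), (std::streamsize)buf_.size());
        return out.good();
    }
private:
    void append(const void* p, size_t n) {
        const uint8_t* b = static_cast<const uint8_t*>(p);
        buf_.insert(buf_.end(), b, b + n);
    }
    uint32_t snaplen_;
    size_t packets_ = 0;
    std::vector<uint8_t> buf_;
};

// Constructed sample: IPv4/TCP SYN 10.0.0.5:49152 -> 10.0.0.10:445 (checksums left zero).
std::vector<uint8_t> sampleTcpPacket() {
    return {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,  // ver/ihl .. checksum
        10, 0, 0, 5,  10, 0, 0, 10,                                                // src, dst
        0xC0, 0x00, 0x01, 0xBD,  0, 0, 0, 0,  0, 0, 0, 0,  0x50, 0x02, 0xFF, 0xFF,  0, 0, 0, 0 };
}
```

In the agent the loop is simply `recv()` into a buffer, `writePacket()` with the filter the operator sent over the named pipe, and `flush()` when the poison pill arrives or a stop condition trips; the file that results opens directly in Wireshark.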
Finally, weaponize with Stephen Fewer's Reflective DLL Injection!
Why?
◈ Stealthy:
- The loaded library is not registered in the PEB's list of loaded modules
- Enumerating process modules will also not expose it
- Entirely in-memory execution
- Caveat: only the module list is hidden; the RWX private memory region holding the DLL is still visible to memory scanners
◈ Modular design:
- Allows for dynamic expansion of the agent if the developer builds an IPC standard
- DLL patching for second-stage payloads
- The agent would only need a stub loader
RDI Process Injection:
1. Obtain the byte array of the DLL
2. Get a handle on the target process and allocate memory
3. Mark the target memory RWX
4. Copy the DLL into the allocated memory
5. Calculate the memory offset of the DLL's ReflectiveLoader export
6. Create a remote thread at that offset as the entry point
7. The ReflectiveLoader function locates the libraries it needs (kernel32.dll)
8. Locate the memory addresses of the API calls needed to load itself
9. Finally, once loaded into memory, call DllMain()!
https://github.com/stephenfewer | http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
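Step 5 above is the part of the injection that is easiest to get wrong: the DLL is copied into the target as a raw file image, not a mapped image, so the RVA of the ReflectiveLoader export has to be translated into a file offset through the section table before it can be used as the remote thread's start address (Fewer's inject.c does this in GetReflectiveLoaderOffset). Below is that lookup as an added C++ example, not Fewer's code: it reads the PE header fields by offset rather than through the Windows IMAGE_* structures so it builds anywhere. The minimal PE32+ image it parses is constructed in-line; the injection calls themselves (VirtualAllocEx / WriteProcessMemory / CreateRemoteThread) are not included.

```cpp
// Locate the file offset of the ReflectiveLoader export in an on-disk DLL image.
// Added example; the PE image parsed at the bottom is constructed, not a real DLL.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Image;

static uint16_t rd16(const Image& b, size_t off) {
    return off + 2 <= b.size() ? (uint16_t)(b[off] | (b[off + 1] << 8)) : 0;
}
static uint32_t rd32(const Image& b, size_t off) {
    if (off + 4 > b.size()) return 0;
    return (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) | ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
}

// RVA -> file offset via the section table (IMAGE_SECTION_HEADER is 40 bytes:
// VirtualAddress at +12, SizeOfRawData at +16, PointerToRawData at +20).
static size_t rvaToOffset(const Image& img, uint32_t rva, size_t sections, uint16_t count) {
    for (uint16_t i = 0; i < count; ++i) {
        size_t sh = sections + (size_t)i * 40;
        uint32_t va = rd32(img, sh + 12), raw = rd32(img, sh + 16), ptr = rd32(img, sh + 20);
        if (rva >= va && rva < va + raw) return ptr + (rva - va);
    }
    return 0;
}

// Returns the file offset of the exported ReflectiveLoader, or 0 if absent.
size_t getReflectiveLoaderOffset(const Image& img) {
    if (rd16(img, 0) != 0x5A4D) return 0;                          // "MZ"
    uint32_t nt = rd32(img, 0x3C);                                 // e_lfanew
    if (rd32(img, nt) != 0x00004550) return 0;                     // "PE\0\0"
    uint16_t nSections = rd16(img, nt + 6);                        // FileHeader.NumberOfSections
    uint16_t optSize   = rd16(img, nt + 20);                       // FileHeader.SizeOfOptionalHeader
    size_t opt = nt + 24;
    uint16_t magic = rd16(img, opt);
    size_t dirs = magic == 0x20B ? 112 : magic == 0x10B ? 96 : 0;  // DataDirectory offset: PE32+ / PE32
    if (!dirs) return 0;
    size_t sections = opt + optSize;
    size_t exp = rvaToOffset(img, rd32(img, opt + dirs), sections, nSections);  // export directory
    if (!exp) return 0;
    uint32_t nNames = rd32(img, exp + 24);
    size_t funcs = rvaToOffset(img, rd32(img, exp + 28), sections, nSections);
    size_t names = rvaToOffset(img, rd32(img, exp + 32), sections, nSections);
    size_t ords  = rvaToOffset(img, rd32(img, exp + 36), sections, nSections);
    if (!funcs || !names || !ords) return 0;
    for (uint32_t i = 0; i < nNames; ++i) {
        size_t nameOff = rvaToOffset(img, rd32(img, names + 4 * i), sections, nSections);
        if (!nameOff || nameOff >= img.size()) continue;
        std::string name;
        for (size_t j = nameOff; j < img.size() && img[j]; ++j) name += (char)img[j];
        // C++ decorates the symbol, so match the substring as Fewer's loader does.
        if (name.find("ReflectiveLoader") == std::string::npos) continue;
        uint16_t ordinal = rd16(img, ords + 2 * i);                  // index into AddressOfFunctions
        return rvaToOffset(img, rd32(img, funcs + 4 * ordinal), sections, nSections);
    }
    return 0;
}

static void wr16(Image& b, size_t off, uint16_t v) { b[off] = v & 0xFF; b[off + 1] = v >> 8; }
static void wr32(Image& b, size_t off, uint32_t v) { for (int i = 0; i < 4; ++i) b[off + i] = (v >> (8 * i)) & 0xFF; }

// Constructed PE32+ image: one .rdata section at RVA 0x1000 / file 0x400
// exporting DllMain (RVA 0x1100) and ReflectiveLoader (RVA 0x1180).
Image sampleReflectiveDll() {
    Image img(0x600, 0);
    wr16(img, 0x00, 0x5A4D);        wr32(img, 0x3C, 0x80);        // DOS header
    wr32(img, 0x80, 0x00004550);    wr16(img, 0x84, 0x8664);      // PE signature, Machine x64
    wr16(img, 0x86, 1);             wr16(img, 0x94, 240);         // 1 section, PE32+ optional header size
    const size_t opt = 0x98, sec = opt + 240;
    wr16(img, opt, 0x20B);                                        // PE32+ magic
    wr32(img, opt + 112, 0x1000);   wr32(img, opt + 116, 0xA0);   // export dir RVA / size
    std::memcpy(&img[sec], ".rdata", 6);
    wr32(img, sec + 8, 0x200);      wr32(img, sec + 12, 0x1000);  // VirtualSize, VirtualAddress
    wr32(img, sec + 16, 0x200);     wr32(img, sec + 20, 0x400);   // SizeOfRawData, PointerToRawData
    wr32(img, 0x410, 1);                                          // Base
    wr32(img, 0x414, 2);            wr32(img, 0x418, 2);          // NumberOfFunctions, NumberOfNames
    wr32(img, 0x41C, 0x1040);       wr32(img, 0x420, 0x1050);     // AddressOfFunctions, AddressOfNames
    wr32(img, 0x424, 0x1060);                                     // AddressOfNameOrdinals
    wr32(img, 0x440, 0x1100);       wr32(img, 0x444, 0x1180);     // function RVAs
    wr32(img, 0x450, 0x1070);       wr32(img, 0x454, 0x1080);     // name RVAs
    wr16(img, 0x460, 0);            wr16(img, 0x462, 1);          // name ordinals (indices)
    std::memcpy(&img[0x470], "DllMain", 8);
    std::memcpy(&img[0x480], "ReflectiveLoader", 17);
    return img;
}
```

For the constructed image the export at RVA 0x1180 lands at file offset 0x580 (0x1180 - 0x1000 + 0x400); the injector adds that to the remote base address it got from VirtualAllocEx and hands the sum to CreateRemoteThread. A wrong translation here is why a reflective DLL that "injects fine" crashes the host process before DllMain ever runs.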
Quick Demo!
Hot Loading Drivers
Loading signed drivers at runtime, and in a stealthy manner
APT Driver Loading
Critical Design
Duqu required driver execution within a few modules. This could dramatically help testers:
- The nature of Duqu's mission would need this capability
- This capability is not often needed on a pen test / red team
Stealthy
Standard driver loading often entails service creation with a reboot. Hot loading a driver can be done two ways:
- Kernel driver service creation
- NtLoadDriver(), undocumented functionality
Unsigned Drivers
The ability to load custom drivers relies on signed drivers. This however can be bypassed:
- Using exploitable drivers to gain kernel code execution
- ProjectSauron used this for its network packet filtering & modification driver
What was the driver to build this TTP?
◈ The process to start WinPcap dynamically; we will be using NPF as the scenario
◈ Ability to perform full packet capture!
◈ Because direct threat replication is cool
Loading Driver Options (We will cover both)
SC Driver Loading
Using the Service Control Manager we can start and stop kernel driver services. This is easy at scale but leaves a larger forensic footprint.
- Easy to implement
- Dirty artifacts: service creation, service deletion, driver load event
- Requires the driver path and name
NtLoadDriver() Loading
Using the undocumented function NtLoadDriver(), stealthier driver loading is possible.
- Still requires SeLoadDriverPrivilege and a service registry key for the driver, but avoids the SCM service creation / deletion artifacts
- Allows for NDIS integration of protocol drivers (NPF)
- Full packet capture
- Full packet injection
- Network monitoring
SC Driver Loading in C++!
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ Cobalt Strike!
❏ Base64 decode the driver and DLLs
❏ Write the DLLs and driver to the required locations
Open SC Manager
❏ SC handle creation
❏ Start the kernel driver service
❏ Remove the service used to load the driver
Start Required Application
❏ Run the user-mode code / application
❏ All required DLLs are loaded via LoadLibrary etc.
❏ The driver is in kernel space
❏ Safe to remove the files
(Flow: Decode and Write → Service Deletion → Clean Up)
WinPcap Internals Overview
Loading WinPcap DLL Matrix (extracted WinPcap package)

Operating System | Packet.dll   | wpcap.dll
-----------------|--------------|------------
Windows XP x86   |              |
Windows 7 x86    | Packet 2.dll | wpcap.dll
Windows 7 x64    |              |
Windows 10 x86   | Packet 2.dll | wpcap.dll
Windows 10 x64   | Packet 3.dll | wpcap 2.dll

SC Driver Service (code slide)
RDI SC Driver Demo!
NtLoadDriver Loading in C++!
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ Cobalt Strike!
❏ Enable privileges for the current process: SeLoadDriverPrivilege
Write Registry Keys
❏ NtLoadDriver requires a registry location (the driver's service key)
❏ Write the three values the API requires under that key
Load NTDLL.dll
❏ Retrieve the NTDLL.dll location
❏ Retrieve the in-process address of the undocumented call NtLoadDriver()
NtLoadDriver()
❏ Convert the registry path to a Unicode string
❏ Call the undocumented API, passing the registry path
NtUnloadDriver
❏ Call NtUnloadDriver on the same registry path
❏ Clean up after all calls are done etc.
RDI NtLoadDriver Demo!
3. APT 29
Long Term | Survivability | Fast Paced
What makes APT 29 special?
WMI
◈ Heavy reliance on WMI
◈ Custom WMI class creation
◈ Heavy use of PowerShell
Persistence
◈ Not agent persistence but the level of activity
◈ Extremely well equipped
Agent Deployment
The ability to use multiple agents with multiple IOCs
◈ Using a main agent vs a backup agent
◈ Think C2 initial setup
Known
Lots of great research on the net! Talks from Mandiant and others:
◈ DEF CON talks like “WhyMI so Sexy?” by Matt Graeber
◈ The Mandiant talk by Nick Carr, Matt Dunwoody, DJ Palombo and Alec Randazzo
A Custom RDI Agent
POC Long Term Agent
Agent Capability
Core Agent (Modular):
- Pure C++ agent
- In-memory logging outlet
- Standard calls (sleep / jitter etc.)
- VM detection (WMI profiling)
- AV detection (driver query based)
- Process listing (API / WMI methods)
- Shell commands (cmd.exe)
- Shellcode injection (process injection)
- Token manipulation (make token / revert)
- RunAs
- WinAES (Windows crypto providers)
- WMI monitoring:
  - Service creation
  - Process creation
  - Driver creation
WMI Event Monitoring
Why should I care?
◈ HUNT / IR teams are doing it to catch you; why can't we use it to catch them?
⬥ HIPS, Uproot
◈ Think about how you capture memory from a compromised machine!
⬥ USB with Memoryze in userland...
◈ The ability to make operator decisions agent-side in time-sensitive situations
⬥ The ability to cleanly exit an agent or just sleep
What should we monitor:
◈ Process creation:
⬥ IR toolset
⬥ Common RE / memory capture tools
⬥ Environmental change (HUNT?)
◈ Service creation:
⬥ New software, e.g. Cylance service creation
◈ Driver install:
⬥ Complete memory capture often requires a signed driver
⬥ NPF.sys, mktools.sys etc.
WMI Process Monitoring Within Agent (code slides): rule creation (dynamic vector); rule trigger handler; process creation example; service creation example; example rule triggered
WMI Event Within Demo!
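The rule table and trigger handler from the slides above, as an added C++ example; this is not the DeepFreeze-Agent code. The WMI subscription itself (IWbemServices::ExecNotificationQueryAsync with an IWbemObjectSink) is Windows-only and is not shown: what is here is the part that decides what the agent does once the sink hands it an __InstanceCreationEvent, using the three classes the slides name (Win32_Process, Win32_Service, Win32_SystemDriver). The WQL queries are real intrinsic-event queries; the watch list of tool and service names is illustrative, and the events fed to the handler are constructed.

```cpp
// Rule table and trigger handler for agent-side WMI event monitoring.
// Added example: the WMI subscription (IWbemServices::ExecNotificationQueryAsync
// + IWbemObjectSink) is Windows-only and not shown; events here are constructed.
#include <cctype>
#include <string>
#include <vector>

enum class Action { None = 0, Sleep = 1, Exit = 2 };   // ordered by severity

// What the sink hands the agent for an __InstanceCreationEvent: the class of
// TargetInstance plus its Name and PathName properties.
struct WmiEvent { std::string targetClass; std::string name; std::string pathName; };

struct Rule {
    std::string wql;                   // query registered with WMI for this rule
    std::string targetClass;           // Win32_Process / Win32_Service / Win32_SystemDriver
    std::vector<std::string> needles;  // case-insensitive substrings of Name or PathName
    Action action;
    std::string label;
};

static std::string lower(std::string s) {
    for (char& c : s) c = (char)std::tolower((unsigned char)c);
    return s;
}

// Intrinsic event query; WITHIN sets the polling interval in seconds.
static std::string creationQuery(const std::string& cls) {
    return "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA '" + cls + "'";
}

// The rule vector can be appended to at runtime (the "dynamic vector");
// the names below are an illustrative watch list, not the talk's.
std::vector<Rule> defaultRules() {
    return {
        { creationQuery("Win32_Process"), "Win32_Process",
          {"memoryze", "winpmem", "dumpit", "procdump", "windbg", "wireshark"},
          Action::Exit, "IR / memory capture / RE tooling started" },
        { creationQuery("Win32_Service"), "Win32_Service",
          {"cylance", "sysmon", "csfalcon"},
          Action::Sleep, "endpoint security service installed" },
        { creationQuery("Win32_SystemDriver"), "Win32_SystemDriver",
          {"npf", "mktools", "winpmem"},
          Action::Exit, "capture / memory acquisition driver loaded" },
    };
}

struct Trigger { bool fired; Action action; std::string label; };

// Trigger handler: evaluate every rule for the event's class; when several
// fire, the most severe action wins so an Exit is never downgraded to Sleep.
Trigger handleEvent(const std::vector<Rule>& rules, const WmiEvent& ev) {
    Trigger t{false, Action::None, ""};
    std::string hay = lower(ev.name) + "|" + lower(ev.pathName);
    for (const Rule& r : rules) {
        if (r.targetClass != ev.targetClass) continue;
        for (const std::string& n : r.needles) {
            if (hay.find(n) == std::string::npos) continue;
            if (!t.fired || r.action > t.action) t = Trigger{true, r.action, r.label};
        }
    }
    return t;
}
```

The agent registers one `wql` per rule with WMI at start-up and calls `handleEvent()` from the sink's Indicate callback; because the decision is made in the agent, it can exit cleanly before a memory image is taken even when C2 is on a long sleep.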
Conclusion
Code takeaways:
◈ All of these techniques are talked about, documented and mentioned elsewhere.
⬥ Nothing is 100% novel
◈ Finding the documentation is hard; it is near nonexistent
⬥ Finding code that compiles is harder..
◈ Hopefully the mass of PowerShell and C++ code examples is helpful!
⬥ All written in VS 2015 with project files :)
Key takeaways:
◈ Try some of these techniques (TTPs)
⬥ Driver loading is not often needed, but really cool!
◈ The knowledge gained on low-level Windows operations
⬥ Very key for operators debugging toolsets
Geo Wifi Keys: https://github.com/killswitch-GUI/Domain-WIFILocate
Persistence Survivability Rating: https://github.com/killswitch-GUI/Persistence-Survivability
Winsock2 PCAP Capture: https://github.com/killswitch-GUI/Winsock-PCAP
ScLoadDriver / WinPcap / NtLoadDriver: https://github.com/killswitch-GUI/HotLoad-LoadDriver/
POC IR Aware Agent: https://github.com/killswitch-GUI/DeepFreeze-Agent
Any questions?
You can find me at: @Killswitch-GUI · CyberSyndicates.com

Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

RAT - Repurposing Adversarial Tradecraft

• 8. What I’m trying to accomplish
Taking the time to analyze reports:
◈ The need for threat replication
◈ Helps produce capabilities
◈ Advance the team's capability
Find some of this code that actually compiles …
Every tester should understand what the actions they take are doing in the background
• 10. What makes Duqu Special?
WMI Data Collection
◈ Enumerate process info
◈ Remote registry collection*
◈ Extract user info / files
Driver Management
◈ Start / Stop Drivers
◈ Load Drivers
◈ Write Drivers to disk
Situational Awareness
A unique set of tools that allowed data collection and provided awareness to operators.
◈ Detects running sniffers
Network Leverage
A slew of network based attacks and collection methods.
◈ PCAP*
◈ NetBIOS
◈ WPAD
Persistence
Unique persistence, or lack of persistence, for such an aggressive threat.
◈ TTP’s and confidence
◈ Rarely implanted mechanism
AD Query
ADSI query and GC enumeration, think PowerView! This allows for all that PostEx fun.
• 11. Persistence
Hacking Team hackers talk about their Tradecraft and methodology
• 12. Duqu style persistence
In Memory
Duqu reports indicate that the malware lived exclusively in memory.
- This is a common practice among operators today
- We do however need to plant persistence on long term operations
Location Based
Reports indicate that agent implant location was a large factor.
- This dictated the survivability of the agent
- Picked high uptime servers / data centers*
HIPS Avoidance
Stealth is an obvious concern, staying off disk and avoiding potential HIPS.
- Dropping to disk poses a risk of being caught by heuristics etc.
• 13. What was the driver to build this TTP?
◈ A few long term engagements required persistence and the ability to OP (30+ days)
◈ Need the ability to maintain constant C2 for backup
◈ This tool came in handy on more than one occasion and allowed for success
• 14. Questions you need to ask yourself on an OP?
• 15. Building Survivability Rating!
Flow: Get-NetComputer → Obtain WMI → Calculate Weight
Invoke-FindPersistence
❏ Main entry point
❏ PowerView!
❏ Enumerates target domain
❏ Filters: OS, Service Pack, SPN, ADSPath, Filter, ComputerName
Invoke-Ping / Test-Wmi
❏ Feed computer object into Ping
❏ Feed up object into Test-Wmi to check for RPC
❏ WMI objects are full of properties (pass Win32_OperatingSystem)
Calculate Values
❏ Calculate value from 0-100
❏ This is dependent on type of property
❏ Calculate weighted average to percent
❏ Calculate Persistence Survivability Rating
Build Statistics
❏ Calculate Mean PSR
❏ Calculate Standard Deviation of PSR
❏ Variance ID’s hot spots!
• 16. Running the script..
◈ Threads
- Allowed for extremely fast WMI tests and data collection
◈ PowerView Get-NetComputer as the searcher:
- Allows for very granular host selection: ADSPath, Filter and OS
◈ Tips:
- Find a custom “OU” for servers | PS> Get-NetOU -OUName *server*
- Set -MaxHosts to a reasonable query size
- Set -OperatingSystem to server versions
• 17. Persistence Survivability Rating

Persistence Survivability Rating | Query                  | Weighted Value | Implemented
Boot Time                        | Get-WmiBootTime        | 40%            | Yes
Install date                     | Get-InstallDate        | 5%             | Yes
OS Level                         | Get-WmiOS              | 5%             | Yes
System Enclosure                 | Get-WmiSystemEnclosure | 10%            | Yes
Architecture                     | Get-WmiArch            | 5%             | Yes
Disk Size                        | Get-WmiDisk            | 5%             | Yes
Processor Count                  | Get-WmiProcessorCount  | 5%             | Yes
Processor Cores                  | Get-WmiProcessorCores  | 5%             | Yes
Processor Speed                  | Get-WmiProcessorSpeed  | 5%             | Yes
Process Count                    | Get-WmiProcessCount    | 5%             | Yes

Persistence Checks | Query | Impact           | Implemented
VM Checks          |       | Truth of data    | Yes
WMI Event Logging  |       |                  | No
Portable OS        |       | Implant Location | Yes
  • 18. Calculating the Mean → Calculate the Standard Deviation → Calculate Variance
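The rating pipeline of slides 15 to 18 worked through in PowerShell, as an added example that is not code from the Persistence-Survivability project: it applies the slide 17 weights to per-host property scores, then computes the mean, standard deviation and variance of the PSR and flags the hosts one standard deviation above the mean. A hunt team can run the same rating over its own estate to see which hosts an adversary emulating Duqu's location-based persistence would favor. Property scores are assumed to be already scaled to 0-100, and the host data is constructed so the script runs offline without PowerView or WMI.

```powershell
# Added example; not code from the Persistence-Survivability project.
# Computes the Persistence Survivability Rating (PSR) with the weights from the
# slide table, then the mean / standard deviation / variance used to find hot
# spots. Each property is assumed to have already been scaled to a 0-100 value
# (the deck does this per property type); the host data below is constructed
# so the script runs offline without PowerView or WMI.

# Weights from the table (they sum to 90 as printed, so the weighted average
# divides by the total weight rather than by 100).
$Weights = [ordered]@{
    BootTime        = 40
    InstallDate     = 5
    OSLevel         = 5
    SystemEnclosure = 10
    Architecture    = 5
    DiskSize        = 5
    ProcessorCount  = 5
    ProcessorCores  = 5
    ProcessorSpeed  = 5
    ProcessCount    = 5
}

function Get-PSR {
    # Weighted average (0-100) of one host's property scores; properties that
    # were not collected simply drop out of the weighting.
    param([Parameter(Mandatory)][hashtable]$Scores)
    $sum = 0.0
    $total = 0.0
    foreach ($k in $Weights.Keys) {
        if ($Scores.ContainsKey($k)) {
            $sum   += $Weights[$k] * [double]$Scores[$k]
            $total += $Weights[$k]
        }
    }
    if ($total -eq 0) { return 0.0 }
    [math]::Round($sum / $total, 2)
}

function Get-PSRStatistics {
    # Mean, population standard deviation and variance over all rated hosts.
    # Hot spots are hosts more than one standard deviation above the mean,
    # the "Variance ID's hot spots" step on slide 15.
    param([Parameter(Mandatory)][object[]]$Rated)
    $n    = $Rated.Count
    $mean = ($Rated | Measure-Object -Property PSR -Average).Average
    $var  = ($Rated | ForEach-Object { [math]::Pow($_.PSR - $mean, 2) } |
             Measure-Object -Sum).Sum / $n
    $sd   = [math]::Sqrt($var)
    [pscustomobject]@{
        Mean     = [math]::Round($mean, 2)
        StdDev   = [math]::Round($sd, 2)
        Variance = [math]::Round($var, 2)
        HotSpots = @($Rated | Where-Object { $_.PSR -gt ($mean + $sd) } |
                     Select-Object -ExpandProperty ComputerName)
    }
}

# Constructed sample hosts (scores already scaled 0-100). FS01 is a long-uptime
# physical file server, WS07 a recently rebooted workstation, VM03 a VM.
$Hosts = @(
    @{ ComputerName = 'FS01'; BootTime = 95; InstallDate = 80; OSLevel = 70
       SystemEnclosure = 90; Architecture = 100; DiskSize = 80
       ProcessorCount = 60; ProcessorCores = 70; ProcessorSpeed = 60; ProcessCount = 50 }
    @{ ComputerName = 'WS07'; BootTime = 10; InstallDate = 40; OSLevel = 90
       SystemEnclosure = 30; Architecture = 100; DiskSize = 40
       ProcessorCount = 20; ProcessorCores = 40; ProcessorSpeed = 50; ProcessCount = 60 }
    @{ ComputerName = 'VM03'; BootTime = 60; InstallDate = 20; OSLevel = 90
       SystemEnclosure = 10; Architecture = 100; DiskSize = 30
       ProcessorCount = 20; ProcessorCores = 20; ProcessorSpeed = 40; ProcessCount = 30 }
)

$Rated = foreach ($h in $Hosts) {
    [pscustomobject]@{ ComputerName = $h.ComputerName; PSR = Get-PSR -Scores $h }
}
$Rated | Format-Table -AutoSize
Get-PSRStatistics -Rated $Rated
```

With the constructed scores only FS01 lands above mean plus one standard deviation, which is the "hot spot" the deck's Build Statistics step is meant to surface.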
• 20. Network Leverage
Why 0day when you don't use SMB signing?
• 21. Duqu style network collection
Modular Build
Duqu reports indicate that the malware was modular in nature.
- Common in malware and allows a custom build of the agent
- Reduces operational risk
- This dynamic execution is emulated via reflective DLLs
Sniffer
Duqu used the legitimate WinPcap (npf.sys) driver for sniffing!
- Full network stack capture
- Ability to spoof and alter the network stack
Network Attacks
Although Duqu had plenty of offensive capability, were common network attacks integrated?
- Allowed for NetBIOS / WPAD attacks
- Why use 0day or burn TTP’s if a WPAD attack works?
- Beyond AD in cases where separate network segments exist
• 22. Network Capture Options
UserMode
Within usermode, options are very limited. Elevated context is required and only limited capture is available.
- WinSock2 possible
- Allows pure native Windows subsystem code to execute :)
- OSI layer 3 and above available
- No spoofing of the network stack
KernelMode
Kernel space allows for complete control over the network stack and NIC. Elevated context and a signed driver are needed.
- Allows for NDIS integration of protocol drivers (NPF)
- Full packet capture
- Full packet injection
- Network Monitoring
• 23. Native PCAP Capture in C++!
Flow: Start Capture → Build PCAP → Write Packet
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ Cobalt Strike!
❏ WinSock2 - allows for native capture
❏ Set up required API calls
IPC Thread
❏ RDI in remote process has no communication with caller!
❏ Named pipe thread implemented for control
❏ Sets poison pill for control
❏ Write custom pcap header struct to disk
Receive Filter
❏ Parse packet IP and protocol headers
❏ Filter on packet count, IP, port, and file size
❏ Parse and write to stdout
❏ Build PCAP packet struct and write to file
• 25. IPC with the capture (language agnostic)
C++ Named Pipe Server | PowerShell Named Pipe Client
• 26. Build PCAP Headers
PCAP File Header | PCAP Packet Header
• 27. Finally Weaponize with Stephen Fewer’s Reflective DLL Injection!
Why?
◈ Stealthy:
- Loaded library will not register in the PEB’s list of loaded modules
- Enumeration of process modules will also not yield exposure
- Entirely in-memory execution
◈ Modular Design:
- Allows for dynamic expansion of the agent if the developer builds an IPC standard
- DLL patching for second stage payloads
- Agent would only need a stub loader
RDI Process Injection:
1. Obtain byte array of DLL
2. Get handle on target proc and allocate memory
3. RWX target memory
4. Copy over DLL to target allocated memory
5. Calculate memory offset for the DLL export
6. Create remote thread with known offset to entry point
7. Reflective Loader function locates needed libraries (kernel32.dll)
8. Locate memory addresses of API calls needed to load itself
9. Finally once loaded into memory, call DllMain()!
https://github.com/stephenfewer | http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
• 29. Hot Loading Drivers
Loading signed drivers at runtime and in a stealthy manner
• 30. APT Driver Loading
Critical Design
Duqu required driver execution within a few modules. This could dramatically help testers:
- The nature of Duqu’s mission would need this capability
- This capability is not often needed on Pen Test / Red Team
Stealthy
Standard driver loading often entails a service creation with reboot. Hot loading a driver can be done two ways:
- Kernel Driver Service Creation
- NtLoadDriver() undocumented functionality
Unsigned Drivers
The ability to load custom drivers relies on signed drivers. This however can be bypassed:
- Using exploitable drivers to gain kernel code execution
- ProjectSauron used this for a Network Packet Filtering & modification driver
• 31. What was the driver to build this TTP?
◈ The process to start WinPcap dynamically - we will be using NPF as the scenario
◈ Ability to perform full packet capture!
◈ Because direct threat replication is cool
• 32. Loading Driver Options (we will cover both)
SC Driver Loading
Using the Service Control Manager we can start and stop kernel driver services. This is easy at scale but leaves a larger forensic footprint.
- Easy to implement
- Dirty artifacts: Service Creation, Service Deletion, Driver Load event
- Requires Driver Path and Name
NtLoadDriver() Loading
Using the undocumented function NtLoadDriver(), stealthy driver loading is possible.
- Allows for NDIS integration of protocol drivers (NPF)
- Full packet capture
- Full packet injection
- Network Monitoring
• 33. SC Driver Loading in C++!
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ CobaltStrike!
Decode and Write
❏ Base64 decode driver and DLLs
❏ Write DLLs and driver to required locations
Open SC Manager
❏ SC Handle creation
❏ Start Kernel Driver Service
Service Deletion
❏ Remove service used to load driver
Start Required Application
❏ Run user mode code / application
❏ All required DLLs are loaded via LoadLibrary etc.
Clean Up
❏ Driver is in kernel space
❏ Safe to remove files
• 35. Loading WinPcap DLL Matrix (extracted WinPcap package)
Operating System | Packet.dll | wpcap.dll: Windows XP x86, Windows 7 x86, Packet 2.dll, wpcap.dll, Windows 7 x64, Windows 10 x86, Packet 2.dll, wpcap.dll, Windows 10 x64, Packet 3.dll, wpcap 2.dll
  • 37. RDI SC Driver Demo!
• 38. NtLoadDriver Loading in C++!
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ CobaltStrike!
Enable Privileges
❏ Enable privileges for current process
❏ SeLoadDriverPrivilege
Write Registry Keys
❏ NtLoadDriver requires a registry location
❏ Write the three keys required for the API
Load NTDLL.dll
❏ Retrieve NTDLL.dll location
❏ Retrieve process location of undocumented call
NtLoadDriver()
❏ Convert path to unicode
❏ Call undocumented API
❏ Pass registry path
NtUnloadDriver
❏ Call NtUnloadDriver on the registry path
❏ Clean up after all calls are done etc.
• 41. APT 29
Long Term | Survivability | Fast Paced
3
• 42. What makes APT 29 Special?
WMI
◈ Heavy reliance on WMI
◈ Custom WMI class creation
◈ Heavy use of PowerShell
Persistence
◈ Not agent persistence but the level of activity
◈ Extremely well equipped
Agent Deployment
The ability to use multiple agents with multiple IOCs
◈ Using a main agent vs backup agent
◈ Think C2 initial setup
Known
Lots of great research on the net! Talks from Mandiant and:
◈ DEF CON talks like “WhyMI so Sexy?” - Matt Graeber
◈ Nick Carr, Matt Dunwoody, DJ Palombo, and Alec Randazzo - Mandiant talk
• 43. Long Term Agent
A Custom RDI Agent POC
• 44. Agent Capability
Core Agent (Modular):
- Pure C++ agent
- In memory logging outlet
- Standard calls (Sleep/Jitter etc..)
- VM Detection (WMI profiling)
- AV Detection (driver query based)
- Process Listing (API / WMI methods)
- Shell Commands (cmd.exe)
- Shell Code Injection (process injection)
- Token Manipulation (Make Token/Rev)
- RunAs
- WinAES (Windows crypto providers)
- WMI Monitoring:
  - Service Creation
  - Process Creation
  - Driver Creation
• 45. WMI Event Monitoring
Why should I care?
◈ HUNT / IR is doing it to catch you, why can't we use it to catch them?
⬥ HIPS, UpRoot
◈ Think about how you capture memory from a compromised machine!
⬥ USB with Memoryze in userland...
◈ The ability to make operator decisions agent side in time sensitive situations
⬥ The ability to cleanly exit an agent or just sleep
What should we monitor:
◈ Process Creation:
⬥ IR toolset
⬥ Common RE / memory capture
⬥ Environmental change (HUNT?)
◈ Service Creation:
⬥ New software, e.g. Cylance service creation
◈ Driver Install:
⬥ Often complete memory capture requires a signed driver
⬥ NPF.sys, mktools.sys etc..
  • 46. WMI Process Monitoring Within Agent
• 47. Rule Creation (Dynamic Vector)
Rule | Trigger | Handler
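The same WMI intrinsic events the agent subscribes to on slides 44 to 47 are what a defender can watch for the "dirty artifacts" slide 32 lists for SC driver loading (service creation, service deletion, driver load). This is an added, defender-side example, not code from the deck or from DeepFreeze-Agent; the log path and the driver watchlist are assumptions, and the queries are polled WQL, so coverage has the gaps noted in the comments.

```powershell
# Added example (defender side); not code from the deck or from DeepFreeze-Agent.
# Subscribes to the WMI intrinsic events behind the artifacts the deck lists for
# SC driver loading (service creation, service deletion, driver load) plus
# process creation, and appends each hit to a log. Caveats: WMI polls intrinsic
# events every WITHIN seconds, so a service created and deleted inside one poll
# window can be missed, and the NtLoadDriver() path on slide 38 (registry key
# only, no SCM service) does not raise a Win32_SystemDriver creation at all;
# back this up with Services registry auditing and kernel driver-load telemetry.
# Run from an elevated PowerShell on Windows. Stop with:
#   Get-EventSubscriber | Unregister-Event

$Settings = [pscustomobject]@{
    LogPath = Join-Path $env:TEMP 'wmi-artifact-monitor.log'   # assumed location
    # Driver file names the deck associates with packet capture and memory
    # acquisition; extend with your own watchlist.
    Watch   = @('npf.sys', 'mktools.sys')
}

$Queries = [ordered]@{
    ServiceCreated = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
                     "WHERE TargetInstance ISA 'Win32_Service'"
    ServiceDeleted = "SELECT * FROM __InstanceDeletionEvent WITHIN 2 " +
                     "WHERE TargetInstance ISA 'Win32_Service'"
    DriverLoaded   = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
                     "WHERE TargetInstance ISA 'Win32_SystemDriver'"
    ProcessCreated = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
                     "WHERE TargetInstance ISA 'Win32_Process'"
}

# One handler for every subscription; the SourceIdentifier tells it which
# query fired and MessageData carries the settings into the event runspace.
$OnEvent = {
    $inst = $Event.SourceEventArgs.NewEvent.TargetInstance
    $cfg  = $Event.MessageData
    $kind = $Event.SourceIdentifier
    # Win32_Service / Win32_SystemDriver expose PathName, Win32_Process ExecutablePath.
    $path = if ($inst.PathName) { $inst.PathName } else { $inst.ExecutablePath }
    $tags = @()
    foreach ($w in $cfg.Watch) {
        if ("$path $($inst.Name)" -like "*$w*") { $tags += 'WATCHLIST' }
    }
    # Kernel-mode drivers (the NPF case) are the ones worth paging someone for.
    if ($kind -eq 'DriverLoaded' -and $inst.ServiceType -eq 'Kernel Driver') {
        $tags += 'KERNEL'
    }
    $line = '{0:u} {1,-14} name={2} path={3} {4}' -f (Get-Date), $kind, $inst.Name, $path, ($tags -join ',')
    Add-Content -Path $cfg.LogPath -Value $line
}

foreach ($id in $Queries.Keys) {
    Register-CimIndicationEvent -Query $Queries[$id] -SourceIdentifier $id -Action $OnEvent -MessageData $Settings | Out-Null
}
"Monitoring; alerts are appended to $($Settings.LogPath)"
```

A driver started through the SC path on slide 33 shows up here as a ServiceCreated line, a DriverLoaded line tagged KERNEL (and WATCHLIST for npf.sys), and a ServiceDeleted line, which is the artifact trio slide 32 calls dirty.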
• 52. Conclusion
Code Takeaways:
◈ All of these techniques are talked about, documented and mentioned.
⬥ Nothing 100% novel
◈ Finding the documentation is hard; it is near nonexistent
⬥ Finding code that compiled..
◈ Hopefully the mass amount of PS and C++ code examples are helpful!
⬥ All written in VS 2015 with project files :)
Key Takeaways:
◈ The attempt to try some of these techniques (TTP’s)
⬥ Driver loading not often but really cool!
◈ The knowledge gained on low level Windows operations
⬥ Very key for operators debugging toolsets
• 53. Code
https://github.com/killswitch-GUI/Domain-WIFILocate - Geo Wifi Keys
https://github.com/killswitch-GUI/Persistence-Survivability - Persistence Survivability Rating
https://github.com/killswitch-GUI/Winsock-PCAP - Winsock2 PCAP Capture
https://github.com/killswitch-GUI/HotLoad-LoadDriver/ - ScLoadDriver / WinPcap / NtLoadDriver
https://github.com/killswitch-GUI/DeepFreeze-Agent - POC IR Aware Agent
  • 54. Any questions? You can find me at: @Killswitch-GUI · CyberSyndicates.com