Bridging the Gap
Lessons in Adversarial
Tradecraft
Matt Nelson, Will Schroeder
Veris Group’s Adaptive Threat Division
@enigma0x3
◦ Penetration tester and red teamer for
the Adaptive Threat Division of Veris
Group
◦ Developer on the Empire Project
◦ Offensive PowerShell Advocate
◦ Cons: Shmoocon firetalks, BSides DC,
BSides Boston
@harmj0y
◦ Security researcher and red teamer for
the Adaptive Threat Division of Veris
Group
◦ Co-founder/active developer of Empire,
PowerTools, and the Veil-Framework
◦ Cons: Shmoocon, Defcon, Derbycon,
various BSides
tl;dr
◦ Setting the stage
▫ Red team philosophy
▫ Bridging the Gap
◦ Push it, Push it Real Good
▫ #1 - Weak Standard Images
▫ #2 - Network/User Hygiene
▫ #3 - Domain Trusts
◦ Empire
▫ Offensive PowerShell and Rats 101
▫ Modules
▫ If time, brief demo
#0 - Setting the Stage
Pentesting, Red Teaming, and the
“Assume Breach” Mentality
Penetration Testing
◦ Definition ranges anywhere from a single person
running a (slightly) glorified vuln scan, to a full on
multi-person assault for several weeks
◦ Reasonable Balance: breadth vs. depth, find as
many holes as you can and see how far you can
get in a limited timeframe
◦ Generally focused on finding issues and not about
training/exercising processes
Red Teaming
◦ Red teaming means different things to
different people
▫ physical ops
▫ in-depth social engineering
▫ custom exploit dev
▫ pure network based operations
▫ adversary emulation
▫ etc.
◦ Common thread of increased time
frame, more permissive scope
“Assume Breach” Mentality
◦ With the rash of recent major incidents,
organizations have started to realize
that they’re probably already owned
◦ You’re not going to stop the bad
guys from getting in the front door
◦ Companies need to implement an
“assume breach” way of thinking
Bridging the Gap
◦ Red Teaming historically:
▫ specialized toolsets, expanded timeframe,
large team size, lots of $$$
◦ Our approach has been to build tools
that automate a lot of this previously
specialized tradecraft
▫ PowerShell plays a big role here
◦ We also try to distribute a
knowledgebase of these tactics
Why PowerShell?
◦ “Microsoft’s post-exploitation
language” - @obscuresec
◦ PowerShell provides (out of the box):
▫ Full .NET access
▫ application whitelist bypassing
▫ direct access to the Win32 API
▫ ability to assemble malicious binaries in
memory
▫ default installation Win7+ !
Just a “Toy Language”?
The Weaponization
Problem
◦ There’s been a sharp increase in
offensive PowerShell projects over the past
year
◦ But many people still struggle with how to
securely work PowerShell into
engagements
◦ Using existing tech at this point hasn’t
always been the most straightforward
#1 - Weak Standard Images
Spreading vulnerabilities by design...
Standard Images
◦ Organizations typically utilize some
standard image per internal business unit
or across the entire enterprise
▫ Frequently contracted to 3rd parties
◦ Security of this image is paramount
◦ Exploitation of this image gets us beyond
the beachhead
▫ Enables further spread
Windows Services
◦ One of the most effective escalation
vectors was (and still is) vulnerable
Windows services
▫ Sometimes can modify a service itself
◦ However, many organizations overlook
the permissions for service binaries :)
▫ Overwrite the service binary to add a local user
or install an agent
.DLL Hijacking
◦ Many programs/services will search in
multiple locations when loading,
including directories listed in the
%PATH% environment variable
◦ If you have write access to any folder in
%PATH%, there’s a good chance you
can drop a malicious DLL and escalate
privileges on Windows 7
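The two checks the last two slides describe (service binaries a low-privileged user can modify, and writable directories on %PATH% that a DLL search can be pointed at) as an added example. This is not PowerUp code and not part of the original deck; PowerUp’s Invoke-AllChecks covers both of these and more. It assumes Windows PowerShell 3+ on a domain- or workgroup-joined host and is meant to be run as the standard user whose access you want to evaluate. All function names are the example’s own. Write access is judged from the DACL against the SIDs in the current token, which is an approximation: it ignores ACE ordering beyond “a matching deny wins”, and a UAC-filtered administrator token still carries deny-only group SIDs that this code does not distinguish.

```powershell
# Added example, not PowerUp code. Audits two escalation vectors from the slides:
#   1. Windows service binaries the current user can modify
#   2. directories on %PATH% the current user can write into (DLL hijack candidates)
# Write access is approximated from the DACL against the current token's SIDs.

function Get-CurrentTokenSid {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)
    # Rights that let you replace or alter the object or its permissions,
    # plus the GENERIC_WRITE / GENERIC_ALL bits that show up on inherited ACEs.
    $interesting = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl, ChangePermissions, TakeOwnership')
    $interesting = $interesting -bor 0x40000000 -bor 0x10000000
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $mySids  = Get-CurrentTokenSid
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($mySids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $interesting) -eq 0) { continue }
        # Conservative: any matching deny ACE on a write right means "not writable"
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) { return $false }
        $allowed = $true
    }
    # The owner holds WRITE_DAC implicitly even without an explicit ACE
    if (-not $allowed) {
        try { $allowed = $mySids -contains $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value } catch { }
    }
    $allowed
}

function Get-ServiceBinaryPath {
    # Win32_Service.PathName carries arguments and may be quoted or unquoted;
    # extract just the executable that actually gets launched.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = [string]$_.PathName
        if (-not $raw) { return }
        if ($raw.StartsWith('"'))            { $exe = $raw.Split('"')[1] }
        elseif ($raw -match '^(.+?\.exe)')   { $exe = $Matches[1] }
        else                                 { $exe = $raw.Split(' ')[0] }
        [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Path = $exe }
    }
}

function Find-WritableServiceBinary {
    # A writable binary for a service running as LocalSystem is a straight escalation
    # (the slides' "overwrite the service binary"); note the speaker notes: it needs a
    # service restart or reboot to fire.
    Get-ServiceBinaryPath | Where-Object {
        $_.Path -and (Test-Path -LiteralPath $_.Path -PathType Leaf) -and (Test-WritableByCurrentUser $_.Path)
    }
}

function Find-WritablePathDirectory {
    # Any writable directory on the search path can host a hijack DLL for a
    # privileged process that resolves a missing DLL through %PATH%.
    ($env:Path -split ';') |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique |
        Where-Object { Test-WritableByCurrentUser $_ } |
        ForEach-Object { [pscustomobject]@{ Directory = $_ } }
}

Find-WritableServiceBinary  | Format-Table -AutoSize
Find-WritablePathDirectory  | Format-Table -AutoSize
```

Run it as the unprivileged user, not from an elevated prompt, or the Administrators SID in the token makes everything look writable. Anything it reports is worth confirming with the real tool before it goes in a report.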
Standard Image Analysis
◦ PowerUp - PowerShell tool to automate
common Windows privilege escalation
vectors
▫ Part of PowerSploit/PowerTools
▫ Invoke-AllChecks will run all current checks
against a host
◦ We also manually inspect each standard
image in depth to discover enterprise “0-days”
Custom Internal
Development
Is the most common root cause of
escalation vectors we find.
#2 - Network/User Hygiene
It’s just not hard to find targets...
Dirty Networks
◦ This is a major catch all issue…
▫ Network Hygiene - Random default services
existing with little knowledge by IT staff (e.g.
Tomcat, ColdFusion, etc.)
▫ User Hygiene - Lots of old users, admin users,
overly delegated groups, and long running
interactive logons
◦ One of the first steps in a network is to
identify how ‘dirty’ it is
Hunt -> pop box -> Mimikatz -> profit
Invoke-UserHunter
◦ PowerView function that:
▫ queries AD for hosts or takes a target list
▫ queries AD for users of a target group, or takes
a list/single user
▫ uses Win32 API calls to enumerate sessions
and logged in users, matching against the
target user list
◦ You don’t need administrative privileges
to get a ton of information!
Invoke-UserHunter -Stealth
◦ Uses an old red teaming trick
1. Queries AD for all users and extracts all
homeDirectory fields to identify likely domain
file servers
2. Runs NetSessionEnum against each file
server to enumerate remote sessions,
matching against target user list
◦ Gets reasonable coverage with a lot
less traffic
▫ also doesn’t need admin privileges
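The two-step “stealth” hunt above, written out as an added example. This is not PowerView code and not from the deck: it reads every user’s homeDirectory over LDAP (readable by any domain user), takes the UNC host as a likely file server, then calls NetSessionEnum at level 10 on each server and matches the returned usernames against a target list. It assumes a domain-joined Windows host, Windows PowerShell 3+, and that the caller can compile a small P/Invoke shim with Add-Type; function names and the sample target accounts in the usage line are the example’s own. One caveat a practitioner needs: Windows 10 1709 / Server 2019 and later restrict NetSessionEnum to administrators by default, and on older builds defenders can impose the same restriction by tightening the SrvsvcSessionInfo security descriptor, so a non-zero status from a server is expected on hardened estates.

```powershell
# Added example, not PowerView code: the "stealth" user hunt from the slides.
#   1) harvest homeDirectory from AD user objects -> candidate file servers
#   2) NetSessionEnum level 10 against each server -> who has a session from where

$netapi = @'
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SESSION_INFO_10 {
        public string cname;      // client computer the session came from
        public string username;   // account that opened the session
        public uint   time;       // seconds the session has been active
        public uint   idle_time;  // seconds idle
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(string serverName, string uncClientName, string userName,
        int level, out IntPtr bufPtr, int prefMaxLen, out int entriesRead, out int totalEntries, ref int resumeHandle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@
Add-Type -TypeDefinition $netapi

function Get-HomeDirectoryServer {
    # Any authenticated domain user can read homeDirectory; the UNC host is
    # almost always a file server, so this produces a target list with one LDAP query.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(homeDirectory=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('homeDirectory')
    $servers = @{}
    foreach ($result in $searcher.FindAll()) {
        $dir = [string]$result.Properties['homedirectory'][0]
        if ($dir -match '^\\\\([^\\]+)\\') { $servers[$Matches[1].ToLowerInvariant()] = $true }
    }
    $servers.Keys | Sort-Object
}

function Get-RemoteSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # -1 is MAX_PREFERRED_LENGTH: let the server allocate whatever it needs
    $status = [NetApi]::NetSessionEnum("\\$ComputerName", $null, $null, 10,
        [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)
    if ($status -ne 0) { Write-Verbose "NetSessionEnum($ComputerName) returned $status"; return }
    try {
        $type = [NetApi+SESSION_INFO_10]
        $size = [System.Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $read; $i++) {
            $entry = [IntPtr]($buf.ToInt64() + ($i * $size))
            $s = [System.Runtime.InteropServices.Marshal]::PtrToStructure($entry, $type)
            [pscustomobject]@{
                Server      = $ComputerName
                UserName    = [string]$s.username
                FromHost    = ([string]$s.cname).TrimStart('\')
                IdleSeconds = $s.idle_time
            }
        }
    } finally { [void][NetApi]::NetApiBufferFree($buf) }
}

function Find-TargetUserSession {
    param(
        [Parameter(Mandatory)][string[]]$TargetUser,          # sAMAccountNames to hunt
        [string[]]$Server = (Get-HomeDirectoryServer)         # default: file servers from step 1
    )
    $targets = $TargetUser | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($srv in $Server) {
        Get-RemoteSession -ComputerName $srv |
            Where-Object { $targets -contains $_.UserName.ToLowerInvariant() }
    }
}

# Usage (account names are made up for the example):
Find-TargetUserSession -TargetUser 'jdoe.adm', 'svc_backup' | Format-Table -AutoSize
```

FromHost is the client machine the target user’s session originated from, which is the box you would go after next; the session enumeration itself touches only the file servers, which is where the “a lot less traffic” in the slide comes from.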
Most
Organizations
Have terrible privileged account hygiene in
their networks.
This makes our job much easier.
#3 - Domain Trusts
Or: Why You Shouldn’t Trust AD
Domain Trusts 101
◦ Trusts allow separate domains to form
inter-connected relationships
◦ A trust just links up the authentication
systems of two domains and allows
authentication traffic to flow between
them
◦ A trust allows for the possibility of
privileged access between domains, but
doesn’t guarantee it*
So What?
◦ Why does this matter?
◦ Red teams often compromise
accounts/machines in a domain trusted
by their actual target
▫ This allows operators to exploit these existing
trust relationships to achieve their end goal
◦ More information:
▫ http://www.harmj0y.net/blog/tag/domain-trusts/
PowerView
◦ Domain/forest trust relationships can be
enumerated through several PowerView
functions:
▫ Get-NetForest: information about the current
domain forest
▫ Get-NetForestTrust: grab all forest trusts
▫ Get-NetForestDomain: enumerate all
domains in the current forest
▫ Get-NetDomainTrust: find all current domain
trusts, à la nltest
Using Domain Trusts
◦ If a trust exists, most functions in
PowerView can accept a “-Domain
<name>” flag to operate across a trust:
▫ Get-NetDomainController
▫ Get-NetUser
▫ Get-NetComputer
▫ Get-NetFileServer
▫ Get-NetGroup
▫ Get-NetGroupMember
▫ Invoke-UserHunter, etc.
We Often
Understand
An organization’s domain trust mesh better
than they do by the end of an engagement.
The Mimikatz Trustpocalypse
◦ Mimikatz Golden Tickets now accept
SidHistories
▫ through the new /sids:<X> argument
▫ thanks @gentilkiwi and @PyroTek3 !
◦ If you compromise a DC in a child domain,
you can create a golden ticket with the
“Enterprise Admins” in the sid history
◦ This can let you compromise the parent
domain
The Mimikatz Trustpocalypse
If you compromise any
DA credentials
anywhere in a forest,
you can compromise
the entire forest!
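An added example that covers the trust enumeration slides and the SID-history point above together. It is not PowerView or Mimikatz code and not part of the deck. It reads the trustedDomain objects of a domain over LDAP, decodes trustDirection and the trustAttributes bits (values as defined in MS-ADTS), and walks outward across every trust it finds, which is the “trust mesh” the slides talk about. The SidFiltering column is the check that matters for the trustpocalypse: SID history is never filtered on intra-forest (WITHIN_FOREST) trusts, which is exactly why a child-domain DC plus an Enterprise Admins SID in the ticket reaches the parent and why the forest, not the domain, is the trust boundary. It assumes a domain-joined Windows host, Windows PowerShell 3+, and DNS resolution plus an authenticating trust path to each domain it tries to bind to; domains it cannot reach are reported and skipped. Function names are the example’s own.

```powershell
# Added example, not PowerView/Mimikatz code: enumerate trustedDomain objects,
# decode the attribute bits, and walk the trust mesh breadth-first.

# trustAttributes bit values from MS-ADTS
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE      = 0x1
    UPLEVEL_ONLY        = 0x2
    QUARANTINED_DOMAIN  = 0x4    # SID filtering / quarantine set on this trust
    FOREST_TRANSITIVE   = 0x8    # forest trust
    CROSS_ORGANIZATION  = 0x10
    WITHIN_FOREST       = 0x20   # parent/child or tree-root: same forest, no SID filtering
    TREAT_AS_EXTERNAL   = 0x40
    USES_RC4_ENCRYPTION = 0x80
}
$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-DomainTrust {
    param([string]$Domain)   # DNS name of the domain to query; current domain if omitted
    $source = if ($Domain) { $Domain } else { [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name }
    $root   = if ($Domain) { [ADSI]"LDAP://$Domain" } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=trustedDomain)')
    foreach ($p in 'trustPartner', 'trustDirection', 'trustAttributes') { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $attrs = [int]$r.Properties['trustattributes'][0]
        $flags = $TrustAttributeFlags.GetEnumerator() | Where-Object { $attrs -band $_.Value } | ForEach-Object { $_.Key }
        # How SID history in a cross-domain ticket will be treated by the other side:
        $sidFiltering =
            if ($attrs -band 0x20)   { 'none (intra-forest: SID history honored)' }
            elseif ($attrs -band 0x8) { if ($attrs -band 0x4) { 'forest default + quarantine' } else { 'forest default' } }
            elseif ($attrs -band 0x4) { 'quarantined' }
            else                      { 'NONE (external trust without quarantine bit)' }
        [pscustomobject]@{
            SourceDomain = $source.ToLowerInvariant()
            TargetDomain = ([string]$r.Properties['trustpartner'][0]).ToLowerInvariant()
            Direction    = $TrustDirection[[int]$r.Properties['trustdirection'][0]]
            Attributes   = ($flags -join ',')
            SidFiltering = $sidFiltering
        }
    }
}

function Invoke-MapTrustMesh {
    # Breadth-first walk: every domain we learn about gets queried for its own trusts.
    param([string]$StartDomain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name))
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($StartDomain.ToLowerInvariant())
    while ($queue.Count -gt 0) {
        $d = $queue.Dequeue()
        if ($seen.ContainsKey($d)) { continue }
        $seen[$d] = $true
        $trusts = @()
        try { $trusts = @(Get-DomainTrust -Domain $d) }
        catch { Write-Warning "Could not enumerate trusts of $d : $($_.Exception.Message)" }
        foreach ($t in $trusts) {
            $t
            if (-not $seen.ContainsKey($t.TargetDomain)) { $queue.Enqueue($t.TargetDomain) }
        }
    }
}

Invoke-MapTrustMesh | Sort-Object SourceDomain, TargetDomain | Format-Table -AutoSize
```

Read the output the way the slides do: a row with WITHIN_FOREST set is a path that SID history will cross, so one set of DA credentials anywhere on that side of the forest is a forest-wide problem; rows with FOREST_TRANSITIVE or QUARANTINED_DOMAIN are the ones where the trustpocalypse trick does not carry over (the speaker notes say the same: it does not work across external trusts).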
Empire
A Pure PowerShell Post-Exploitation Agent
First Things First
◦ This tool would not be possible if it wasn’t
for the help and phenomenal work from
these people:
▫ @mattifestation, @obscuresec, @josephbialek
https://github.com/mattifestation/PowerSploit/
▫ @tifkin_
https://github.com/leechristensen/
▫ @carlos_perez, @ben0xa, @mwjcomputing,
@pyrotek3, @subtee, and the rest of the
offensive PowerShell community!
Empire?
◦ Empire is a full-featured PowerShell
post-exploitation agent
◦ Aims to provide a rapidly extensible
platform to integrate offensive/defensive
PowerShell work
◦ An attempt to train defenders on how to
stop and respond to PowerShell
“attacks”
Methods of Execution
◦ Small “stager” that can be manually
executed or easily implemented
elsewhere
▫ A powershell command block can load an
Empire agent
▫ Lots of formats (.bat, .vbs, .dll, etc.)
◦ Listeners are the “server” side of the whole
system
▫ Configuration of the agent set here
Empire Staging
Module Categories
◦ Currently have the following categories for
modules:
▫ code_execution - ways to run more code
▫ collection - post exploitation data collection
▫ credentials - collect and use creds
▫ lateral_movement - move around the network
▫ management - host management and auxiliary
▫ persistence - survive the reboot
▫ privesc - escalation capabilities
▫ situational_awareness - network awareness
▫ trollsploit - for the lulz
Module Development
◦ Development is extremely fast due to
the wealth of existing PowerShell tech
and the ease of development in a
scripting language
◦ Modules are essentially metadata
containers for an embedded PowerShell
script
▫ Things like option sets, needs admin, opsec
safe, save file output, etc
management/psinject
◦ First up: our auto-magic process
injection module for Empire
▫ Takes a listener name and an optional process
name/ID
◦ Uses Invoke-PSInjector to inject our
ReflectivePick .DLL into the host or
specified process
▫ The launcher code to stage the agent is
embedded in the .DLL
ReflectivePick
PowerShell in LSASS? LOL
Invoke-Mimikatz
◦ Everyone's favorite post-exploitation
capability
◦ Not just dumping creds:
▫ Golden tickets
▫ Silver tickets
▫ PTH
▫ Skeleton key
◦ Empire has an internal credential model
▫ Lets you easily reuse creds you’ve stolen
Demo
Questions?
◦ Matt
▫ @enigma0x3 | enigma0x3.net | MNelson [at]
verisgroup.com
◦ Will
▫ @harmj0y | blog.harmj0y.net | WSchroeder [at]
verisgroup.com
◦ Empire | PowerTools
▫ github.com/PowerShellEmpire/Empire |
github.com/PowerShellEmpire/PowerTools
▫ www.PowerShellEmpire.com

Editor's Notes

  1. Anthem, Home Depot, Sony, etc. Post-breach exercises, etc.
  2. This has kept these TTPs relegated to large, military teams
  3. Able to do what we want completely in memory
  4. From Virus Bulletin 2015. Many people have written off PowerShell as being a real malware solution because it is a scripting language: “easy” to defeat/block the interpreter. This has also caused incident responders to overlook it as a malware vector. Helpful if we provide some real world demos :)
  5. “This is the problem we’re trying to solve!” … more on this later
  6. Often referred to as “golden images”; if you have a vuln in the standard image, you have that vuln enterprise-wide
  7. Abusing perms on a service binary requires a box reboot
  8. Now with no external binary calls
  9. “Old Invoke-StealthUserHunter functionality” Also not DFS servers and DCs
  10. 17m
  11. except in one case, which I’ll cover in a bit
  12. no more nltest!
  13. red is parent child, green arrows are external, blue is cross-link
  14. Where do you think the trust boundary is- domain or forest? Mention “Trusts you might have missed” talk
  15. This doesn’t work for external domain trusts
  16. DOMAINS ARE NOT THE TRUST BOUNDARY FORESTS ARE!!!
  17. Another tool in the belt!
  18. Staging keys are generated per agent -reversing one agent’s comms won’t burn the rest of your agents
  19. Mention Lee’s code
  20. - 34:00