The Imitation Game: Emulating Attackers with CALDERA

yep that's right so good morning everyone welcome to be sites and welcome to Trek three so I'll be your first presentation this morning just as Mark said I will be introduced that is right okay um so just to briefly introduce myself so I'm Vita I work at PwC in the endpoint threat detection team which means that I help with threat detection and compromises coffee that sort of thing we help lines with that I'm new to be sites so it's my first time here thank you very much for having me this also first presentation so no pressure there like what could possibly go wrong right so I'm gonna talk to you in the next 45 minutes or so about attack or

emulation first I will just briefly introduce what it is and why you would want to do it so hopefully those of you who don't do it I can convince that it's actually a good thing you should look into it then a little bit on the how like how can you do it and she will see there's a lot of tools available that can help you with these sort of things and at the end I will show you some cool stuff and that's the real reason you're here right like this that's the actual stuff you want to see so without further ado let's just start attack your emulation so let's get the definition straight right out of the way so in the

broader sense when we talk about attack or emulation we talk about the act of doing what an attacker would do you know how people sometimes say to catch a thief to think like a thief and I think that very much applies to the cyberspace as well if you are defending as individual as an organization and you probably have an idea of who you were defending yourself against right especially if you work for a larger organization you probably have like threat intelligence and that should give you a better idea of where your adversaries are and what what techniques they use whether they're after who are they what vulnerabilities exploits do they use that's a very good start so as a

defender hopefully you do stuff to make sure that you detect that or even prevent that and where that is on an endpoint level or a network level hopefully you make sure that the two are aligns right the big question is however how do you make sure that you are that your defenses are effective really so if you're you know we hopefully you have some defenses in place but how do you know that you actually will catch it if they try and get into your system so your threat intelligence might if you are you cease or it might give you behavioral rules hopefully you've stuff in place to detect that how can you make sure that

you're detecting the right thing is is really ironically three you can't see what you can't see so you can if you detect something you know that you can detect it if you miss something and it's too late right so by the time you find out about that so that's why you might want to look into attack your emulation so as I said one of the main reasons for us is testing your own detection capability so making sure that you can detect what you're trying to detect Ana so we'll show you in a few slides time there's multiple ways of doing attack or emulation and I think really good advantages that you can do it we're realistic attack model what it

will look like I'll show in a bit another reason why you might want to look into it is research so it's sort of like a collateral thing but I found when I started looking into attacker emulation that you really have to start thinking like you're at a ket which means that you really have to understand the tools they use in the film abilities they use so rather than just read a report and write a signature on the base of that you really have to do the exploitation yourself and that forced me to really think about like what am I trying to do here and it really helped me improve my defenses because either way better understanding of what I was

doing so for a personal point of view research like it really helps you understand in your attacker and thirdly not an important I think is showing off is we all want to write so whether you're trying to impress a client or maybe someone in your organization someone more senior or even board level it is pretty good if you can in an automated fashion emulate what attack it will do and show that what you're doing in terms of defending is actually working right so you can actually show whether that's on an endpoint or network level that you are able to detect your adversary bear in mind that this is not a little proof right so when you emulate

in the sector it's just an example of what an attacker might do so you can't prove that you will always catch your attacking but it's just really good in terms of proving to yourself for all this what you're doing makes sense and has impact right so now let's have a closer look at how like what do we mean that we're there techie emulation how do you put that into practice so what you would usually do is you would have systems in your sights usually you would isolate them from your actual machines so actual machines with you know your base image with all your tools and point tools whatever like basically what a normal machine in your

state would look like in a normal network configuration and within that representative test environment you would do it on there take it with you you would try and break stuff you try and move laterally create persistence all that sort of jazz and so the assumption here is that you already have been compromised this is a post compromised assumption so in this test environment you're not going to deal with you know trying to infect it you just assume that has already happened what you're really interested in is answering like okay even their tacit got guessing what would it do would it move laterally would it able to would it create persistence that that's the sort of question you're

trying to answer here so post compromise in a representative test environment that is the setting we're dealing in so there's a few options you have and that's all different depending on what you're trying to do so the first one is the manner in which you do attack your emulation you can do it in a manual way we just literally just you know type commands basically mimic in actual attack it and to see if your detection picks it up if it maybe prevent it from happening or it shows up in loaves which is which is great and if you do it as a one-off thing there might be the right way for you what I think is way more

interesting is the automated element of it because let's face it roll cyber people we're lazy we don't want to do stuff right we want to script it up we want to do it repeatedly so the advantage of doing stuff in an automated fashion is that it saves a lot of time and you can rerun this often as you want you can almost use it as a sort of integration tests we run an attack emulation and you just see what happens on various levels endpoint network logs whatever so I'll be focusing on automated but just bear in mind maybe for your case manual might be the right answer then another question is the scope which is a little

bit more tricky there's multiple ways of doing a secular emulation so as I said you do what an attacker does blah blah blah we get that but how do you do that so if you for instance want to test your behavioral detection system maybe you have separate rules you just want to test them one by one or as a unit test so atomic tests will be really good for that you would for every rule you have create an individual action maybe like a one-liner and with malicious behavior you just see if your rule fires and if it does pass and if not feel right it's really straightforward you just run them one after another you see what rules fires

and then they give you an idea of what your defenses are doing you could almost script it up a set of paths or a batch script right it's just literally just run it and you see what happens it's very simple very straightforward there's also other ways available so on the other end of this so atomic is really basic and like one on one on the other end of the spectrum you have end to end so that is where it gets more realistic is end to end what I mean by that is actually emulating what an attacker would do from the very start till the very end right if you follow some sort of kill chain model or

whatever is really from the point where you've got the initial infection to the point where you execute your final action I mean maybe even cover tracks and remove yourself that sort of jazz so I think that's a lot more clever because that means that you don't do individual actions individual attacks who you actually use the in and outputs of individual actions for other stuff for as an example I might want to test what happens if I run the password thumping to mimic guests you know who knows movie cats and sweet most-viewed good and what you would expect so maybe my first test is I'm gonna run mimic cats and see if I detect that so that could be an atomic

action but to make it more end to end I could say okay once I run them you cats and this successful I'm going to use the output the credentials are find to move laterally or create persistence on another system something like that so end to end is you use the in and outputs of other actions chain them together link them together in a clever way and in a way make it more look like what your attacker would leave if he was actually in your estate so two actions it's not really a right or wrong answer here you can choose for either depending on what your way trying to do so for me this is what it would look

like in terms of usability and ease of use that's very easy views and usefulness so I thought make is really easy to do right you should just maybe just the one line or you can script it up you run it once you see pass fulfill and then you're done so it's really relatively easy to use but for me usefulness is relatively low I didn't let the trying of all the way to the bottom because it's more like it's not completely useless but it means it's very individual action so you're checking rather than a full attack cycle so you get an idea of what you would pick up but not like it's going to generate a lot of noise right so it's

not very representative of what you would normally see so change is sort of in the middle where it is still atomic but it's in an order that you would expect in an attack you might not even rely on the in and out groups it's just still separate actions just the American set border or sn2 ends and what that will what that actually means it will show you in a minute because there's what I will be focusing on it's for me way more useful because it is actual to four attack a lifecycle however that means that you need to whatever framework you're using you need to configure that to make sure that it actually links actions together right

you need to tell it that if I were a mimic that's I need to pass the credential somehow and then use therefore let's remove them somehow so you need to link them together and that is not as straightforward as it might look but you will see it doesn't necessarily mean that it will be difficult either right okay so now we have a few parameters here where we can play with I think end to end is more interesting I will show you in a bit why I think it will really help there's a few tools available that can help you here so fortunately you don't have to do this all yourself you don't have to start

from scratch River which might be tempting right sometimes feel like I can do it in Python but you'll see especially end-to-end it gets really complicated so it's a few tools available there that can help you I'm sure you've all seen this xkcd comic about standards about you know there's 14 standards and some of those are as ridiculous they created one overarching solution and then you have 15 standards great so that's kind of what happened here it's not quite 14 it's 13 but and this is tools that I found that all claim to do more or less the same thing and bear in mind this is just open source and aligned to the attack matrix so imagine

if you do also closed source and not allowing your technology there's a lot of function out here they all do roughly the same they're all slightly different so with the parameters I just showed you in terms of like how atomic or end-to-end it is and they vary a bit but if you're new to this this sort of thing attacker emulation it can be quite overwhelming right like where do you saw what what are the differences is there is a recruit one and a bad one and I find that quite complex actually it requires some time to figure it out so one of my calls to action would actually be how great would it be for

just a few they were really good rather than 13 at all more or less the same thing and they're not cross compatible either so if you're right if you go for one of these solutions you might not be able to around in another so this is a bit of a risk there so um yeah unfortunately it is like that so I will focus just on a few that are relatively popular or more lively in the open source area so some of you might have heard of rat Canaries atomic bread which is really good so it's almost like a library of action so it's aligned to the attack framework if you're not heard of it like look it up it's really helpful

resource to fall for our tech is behave so they have a really good and get up a really good open source framework we have for each almost I think almost every attack technique of really good social scripts you can run so it is kind of manual it's not dynamic either this is like hard coded scripts there's no random file names it's literally a script you run you see if your detection picks it up but it is cross-platform so it's really good and it is one of the more lively is one of the more active open source projects you might have heard of ubers meta which is automated which is quite nice still not dynamic and static scripts are coded file names

or whatever so there's some limitations there but also cross-platform then we have caldera which is from meited themselves so my touristy organization behind attack and they started it as a research projects think about 1/2 year ago now so you had caldera 1.0 which was really cool fully automated and dynamic in Python I will tell you more about in a minute it's just windows though so then think about a month ago they release color a 2.0 which contains all the functionality of caldera one but also with what they call it change mode which is a bit more like what uber does with matter so it's more individual actions hard-coded so it's lights like both dynamic and not

fun IMing but the advantage is that it is cross-platform now so that's really good then you also have like and games RT a Red Team automation it's very similar to a caldera I think see there's a few options out there and there is again not necessarily a right answer but for the purposes of this talk I will be focusing on caldera BAM oh yeah so just to remind you before before remove the caldera like picking the right tool can be tricky so have a think beforehand what you're trying to do right what is your goal are you doing is there's a one-off thing why are you going to do this more frequently that might help you

identify if you go for automate not automated what is your scope are you literally trying to test individual rules or do you want to get like the full lifecycle of an attack it however you listed do you want it to be easy to maintain so that sort of links back to the all atomic and end-to-end sort of question so have a think and find your Eve so then more about caldera as I said open source research project by mighty so it's a bit research he so don't expect fleshy user interfaces but as you will see the the what happens under the booth is really good so is there's a lot of stuff you need there that is sort of

like outside my area of expertise but they handle that for you so that's really good caldera right if you install that like without doing anything it already comes with a lot of attack or actions for instance they have a profile for the Lazarus group so without having to do anything yourself you can install called our on your environment and if you run it you can emulate an lazarus group like attacker so methods they use you can run on your estate you can just see with your own detection mechanisms what would I see what would I pick up what would I miss that in itself already is really helpful and what we'll be talking about is how you can extend

that and make it for like adapted to your attacker so for me why it sets itself apart from the other other ones I just mentioned so these attack erections are defined in Python and while that it might not be the best language for this sort of thing like most of my team at least read Python most of them write Python as well so it's easier to maintain also going forward you don't have to good use of any new syntax is like a like a accepted language it works with pre and post conditions so this is where the whole end-to-end thing comes in and what that will look like I will show you in a slide or two which means that caldera

can really cleverly link actions together and make it look like an actual attack and it does that using the heuristic planet so that's one of the things that like this that's really difficult this outside my area of expertise but as long as you do your pre and post conditions caldera Google will do all the difficult stuff so that's a win-win there so a very simple setup for caldera I say just do for you what it might look like in your environment so as I said these are the three hosts at the bottom there should be representative of machines in your network you will base image your endpoint tools network configuration everything in place as it was like a

normal Network you probably want to isolate it as you'll see in a minute and then have a separate books the caldera server which is almost like a c2 channel server so it literally sends instructions to the hosts to you know move laterally great resistance dumped credentials that sort of thing so on your estates you might want to on your test environment you might want to infect one of the hosts as I said we assume it's already been compromised right so you have to install a caldera agents on at least one of the machines and from that point on you can log into the caldera server and instruct it to run emulation starting at post a maybe

and then it will you know do this persistence try and move laterally depending on how you define your attacker so what would that look like so imagine in my caldera instance I define my attacker and my attacker is able to do these things so in the interval for kobera I have these probably more options available and I've selected for my attacker that it has these capabilities it can do persistence with run DLL phone - it might copy a file remotely can do exultation with gifts I know it can delete event logs you can do piece exec in staged data and it can do mimic house right so I just tell caldera that might attack it can do this and then once you

say okay start my emulation run on this host and see where you can do it will then figure out the most likely path and attack it would take so again using pre and post conditions it will find out okay for peers exec I need credentials so maybe I should bring mimic at first and then if there works I can do be as exec and once I have B as exec I can move a file to another hosts all the way down to the lead event loads so this figuring this out this is something called errors really good at as long as you define your pre and post conditions some stuff is sort of like non-deterministic so we have the

persistence there at the top and it made it the fourth action but you might as well do it as the fifth or maybe add assault or whatever sometimes it doesn't really matter what order you do stuff right so there's also an element of non determinism there but again that is good your own emulation is that means that you're you know over engineering ominous like a single scenario the more random I think the better it is for your protection right so what wouldn't what would a choleric class look like for as I said all your actions are written in Python and they've roughly have three sections each class in which you define an action to this is where it

gets more like bringing it to life so roughly the first section is where you define your pre and post conditions then you have the biggest section is obviously where you in Python define what your remote access tool your ret should do on the infected host and at the end you there's also a clean up section so that's I think another cool feature about caldera is that once you run it you will attack your machine right so you will create your systems and you will change you drop files to change the registry keys that sort of jazz but if you want to run it again like you don't want to reimage your machine over and over again right so

caldera offers you the option to sort of undo what you changed so if you drop a file you can then at the end say well once you're done you want to clean up just delete the file right or if you change your register key change it back at the end that just make sure that and you can without having to do anything rerun your emulation over and over again so just as an example so imagine I want to implement a mimic s action so first I need to define my pre and post conditions so if you know mimic s you know in order for it to work you need a ping potential you mean admin

rights right so my precondition will be if you have admin rights I can run this my post condition will be if this was successful and you will have credentials so you need to tell Caldera in Python in there with using that classes that this is the case so called our ad and notice how to work together with the other actions so then the action itself so that's where you in Python say like okay maybe parallel mimic has from this location running the PowerShell do something clever with the outputs and then you also need to tell caldera what to do it's like if you find credentials you need to tell call there are in a structured format like these are the

credentials so that further actions know how to access username password so and clean up so if you drop files or if you maybe in this case I would trade logs or whatever you can in your Python plus say like okay delete them at the end to undo the damage you did so this is what it would look like I'm not going to go through it line by line don't worry but it's also a simplified version but you can see at the top you see precondition it says ret remote access tool and it says elevated is true so my precondition is I need my ride access tool to be elevated in order for this action to be

able to run and then my post conditions are I will be aware of users right these mimic s also give your user names obviously but more importantly I will have credentials and again post condition assumes it was successful so precondition pod condition then the middle bit this is the action itself so you might see here like literally it's a URL to a github page with invoke mimikatz Lapierre's one and then the rule below it you literally see it running powershell with IE x IWR and then the link so if you know a little of powershell you know that IE X so for Evo like the evaluation function hi WR is downloads URL to stream so this

will literally if you run this one line it will literally run mimic hats and don't get out putting your standard out the advantage of this that it is fireless like you don't leave any trades in your there's no file for you to download because everything happens in memory it's quite it's quite cool so this is where we prepare it and then here is telling calderas ret to literally run this command line and then do something clever with the output and then here's step two is literally making caldera aware of it so where our post condition is user G in credential G you now see register user G with the found username and registered credential G

with the found password so that's like this is simplified version this is more or less what's going on and then in this case there's nothing to clean up right is it won't drop any files it won't change any registry keys you don't even need to kill any processes this is it so your cleanup is nothing so this is this was really simple this is pretty cool so you can do this this is an example dump credentials obviously you can do this for all sort of thing so before I move on to showing you and showing you what we did to extend it to make it even more exciting there's a few challenges here right so

we now know how could ever works and how you can implement your own stuff or even if you don't want to implement stuff like Paul Dirac already comes with a lot of built-in stuff there's a few challenges here so once you know you're at a ket making sure that you have all their capabilities in Caldera is one of our challenges right making sure that it's actually a good representation of the attacker you're trying to defend yourself against another one is a big one is the detection itself so in the example I just showed you you saw that literally the command line contains the word mimic hats right so if you really if you have a really stupid rule-based

system you might say oh I know how to detect mimic hats just by looking at the command line if I see the word mimic hats then I found it yay well that's obviously not what you're looking for right so even though in this emulation you might have a rule that detectives you're really looking for the wrong thing by what you should be looking for is these ways powershell arguments or maybe the dll powershell knows is that would also be like different from normal so a challenge here that even if you implemented you should make it as random as possible so that you don't detect the wrong thing the same we'd like if you have anything

artificial intelligence related like it might pick up that all your evil stuff always contains the word mimic hats will always go to know your internal github that's obviously the wrong thing that's not where you're after so that is a challenge so make sure that once you run it you detect the right thing and well same with realism right what techniques you use timing so in called area can also set like the interval between individual actions if you really want to make sure that it is realistic make sure that you set all these parameters right so it looks like an actual attack sweet so that was a crash course into normal called error and that is really good

there is there's an open-source version of it which you can obviously use there's people contributing to it which is pretty cool what we did is extended even further so beyond standard caldera there's a few things that you see in the world quite often that you can't do normally but I'm we've changed caldera to do these things and I'm gonna walk you through them so there's three things here you start with all bins or all busts and then we have some very simple office keishon techniques also masquerading techniques little bins who here knows little bins okay so law bins or sometimes a law bus stands for living of the land wineries or law passes living off the land wineries and scripts

whatever it is is tools that are either included in your operating system like Windows or come with standard software like Microsoft Office Java that sort of thing there are legitimate tools may be signed even and that you used to do like stuff it's not intended to do so obvious examples here will be PowerShell is present on every operating system after Windows XP and you can just write any script you want right you can asset issue so you can download files you can run processes whatever so that is a really obvious one you also got W script and C script for your VB script MSHDA that that's the obvious options there's also more obscure ones so if you are

familiar with the attack framework you know that well sometimes it's look like half of them but I think it's like a quarter is law Benson there's so many windows processes that you can abuse to do suffice more meant to do so a few other examples are just randomly picked so we've got rag Azzam axe whizzes is quite cool I miss bills or puppy Rendell fee WS this is an example of a script it's a Microsoft signed scripts that you can trick into executing pretty much whatever you want so why would you want to do this isn't that Tackett well because you're already in write like why would you need these tools so it's a way

to stay under the radar because it means if you are using for instance out of my msbuild to contact your c2 server your detection mechanism might think like oh i've seen i must build reaching out to to network posts before that's probably fine right or if you use rag as them to execute a bad command it might think oh it's a Microsoft signed binary that then whatever it spawns is probably good as well I could don't need to worry about that so that's one way another way is that some organizations have application whitelisting so you can only run certain processes a common thing to do is just allow Microsoft sign processes for instance so imagine if you use reg Azzam I think

it's signed and you trick it into running your evil process you can bypass your application whitelisting right who's quite often these sign processes are allowed to spawn whatever they want right so law bins so how do you do this in caldera so for caldera to understand it you again need to think about pre and post conditions so a precondition will be the in order to run a login I need to know command that I want to run right session precondition your post condition will be if Milo Boone was successful the command will have executed so simple example so if I want a machine and I want to run my evil dog X a binary and I want to stay

on the radar I will pick a random login so in this example I chose Verizon with the /u parameter so that requires you to compile a custom DLL so that will be the action and then the post condition will be well it runs successfully so as you can so you can see here on the slide this is what it might look like if you're anything call so you have the command little taxi process here which is called Airbus process red sofa can run solder on the craft form really then you see it's spawning rag Azzam so system clearly through binary and you see it here calling it with this parameter adobe updated of yellow so I don't know about

you but I've seen Adobe doing where they're things so if I see something like this I'll be like I believe it might be JIT actually obviously in this example that it's evil so this is a compiled dll that will trigger a guys into executing my temp processes called evil so this is what it might look like so it's a very good way to stay on the derailleur or avoid application like this bypassing right so there's one so what that will look like in practice all showing a demo after this so then obfuscation the principle is really simple like it's not it's not it's not rocket science a lot of rule-based systems look for keywords right so you might say in the

example I showed you if I see PowerShell and I see it running a command line that contains ie X based ways I don't want that so a lot of systems if you're looking for Bay fuel stuff rely on keywords so what if you try and hide these keywords with with this various ways of doing it so there's another resource so presentation will be available at the end by the way both the slides and all the code I've shown you the implementation equal there will be on my github including all the references you see in the presentation so if you're interested in up the station's really good resource they're a few simple examples are imagine you are

looking for the keyword hello world one simple way of doing that is just cutting the string up in pieces so here you see how the world and it's now three pieces and my detection mechanism won't detects hello world anymore this is interrupted with these annoying codes and plus signs so that's one way of doing it another simple ways escaping it so in PowerShell the escape characters are backtick so you just escaped a few characters that don't need escaping PowerShell will still understand it but your rule based detection mechanism might miss it format string also quite nice so basically you allows you to reorder a string in in a in a random order making it both are to

look at humans it's hard to read what it says now right and but also for machines like it might miss the actual keyword it's for people pay 64 encodes also low-hanging fruit like you would be surprised how easy it is to run base64-encoded commands and a lot of systems don't detect it and unencoded so again if you're looking for certain commands if you just place 64 encoded you might completely miss it so just to remind you this is just simple software really stupid systems if you have more clever stuff like entropy analysis will reveal this is doing something weird right these normal commands won't have as many quotes or loss signs or tactics so there are obviously all the ways to

detected which is really nice where you will see in practice a lot of attackers you'll still try it even if they get detected it's just maybe your detection will miss it so what will they look like in Caldera so again precondition post condition so my precondition is I need a command so this is our mimic s command again ye xie w and then this will give up your own so now we implemented this obfuscation it will randomly pick one of the ones I just mentioned so in this case it shows format string so well good luck understanding what it says here right like if you don't see this you just see that you can tell something

weird is going on but if you're looking for the word mimic hats like it's now in three separate pieces right so I think it's like 40 full strings of four characters so it makes it more difficult to if you're in it actually works if you run this one and will actually check they will actually remember casts this is a lot harder to detect although as I said if you have entropy analysis or something off the lights you're still detected and hopefully you will still do other cleverer ways of detecting it anyway but this is just a good way to check like do Shu system actually go beyond normal keyword checking then finally masquerading this is something we saw more recently and

again we think about it it's quite simple so you take a legitimate utility like PowerShell w scape whatever and you put it in a temp folder you call it something else and profit so imagine in the example I gave you you have a rule that says are looking for PowerShell in combination with IE you come online what if I call it's definitely not PowerShell but XE and put in a temp folder and I've run the same commands can you still work right but will your rule based detection system still detected is not called PowerShell anymore all right or what about this browse is the second one does anyone recognize the icon it's I think it's C scripts or double used to

give one of the two if I call it SVC hosts and I put it in temp there might be a lot of like even like if you look at it with the human eye you might think yeah could be so what would that look like in an attack so imagine I want to run the command WC EJ scripts evil DOJ's if I run this like that it might get detected very easily this is not like a normal way of using W scripts but with our implementation in caldera it will just randomize the name it will copy it to a temple to give it a random name but sort of legit sounding so in this case

it shows Google update the Lexi and now instead of running W scripts it will run Google update and because there's a copy of the binary it will still work as expected but it looks a lot less suspicious right so again if this is your so we saw there's actually being used for persistence so imagine you have an auto run entry that is called ceaseless window slash template Google up labeled Lexi and with this parameters maybe you wouldn't call evil but yes but imagine it's called like accept EULA dodged as if you see it isn't your auto run entries you might think a single will run from temper fall and yeah that's something that Google might do so

it's actually running W scripts and if you use an AV it will tell you like oh actually it's a trust of Microsoft process and there's zero detection so nothing going on here so this is just a really easy way to bypass systems that don't go the extra mile that just look at the superficial things so again we accept a caldera to do this stuff randomized filename and this is what it might look like in your process tree in phone lines including well right so putting it into contexts so what I did for a demo is that I created in etiquette which is some random capabilities and I ran it and it will use masquerading obfuscation and law

and just to give you an idea of what that would look like and what it would look like in your estate so for this attack you obviously in fact you often assumed that you've been affected so state zero is outside of scope so maybe then my techid ism discovery techniques some lateral movement maybe we'll do some execution then maybe use that to create resistance to say on the network and at the end for tracks and that's between brackets because for their AB how with the Box supports undoing what you do right so the cover attracts is sort of copied by that so imagine we have this so in the discovery and Left row movement face it can run mimic hats

you can find administrators you can find other machines on the same network it can move through other machines there's a good start right so this is what I defined in caldera this is what my attacker can do for execution so this is where the more like interesting stuff computers stuff we implemented ourselves it can download a web server but also set up a web shell using that download and maybe it can accelerate data using the web shell if it was successful maybe then with persistence it can create an autorun entry for the web show so that it can even survive a reboot and can still do exfiltration or send it malicious commands and as I said cover

tracks right caldera at the end will clear all files registry keys whatever as long as you define it in your caldera action right demo time so just before I start the clip so we have here on the left hand side the interface of caldera rooms is caldera 2.0 you will see initially gray boxes popping up and then if they were successful they turn green if they were unsuccessful it turned red then on the right-hand side here you see the victim machine so I've just one machine just keep it simple at the bottom here you see the temp folder this is ro caldera we'll drop a lot of files so just so you can see what's going on

then here I have process explorer so at the top you see see agent Alexei which is the surface that runs the caldera you will see that it will spawn commander and then you'll see all the commands that are caldera will run to emulate your attack I have a magnified version at the because it's quite small vote for you guys at the back and see it so this is the more interesting bit and I will describe what's happening here so let's start so as I said the first thing that we'll do is it will create command Aleksey so and now here starting so now it's see here it says running mimic hats so let's pause it

so what you can see now is that it's decided to run the example I gave you with the IE xie W and the whole give up URL but it kind of falls off the page but as you can see here it's using format string so if the full version if cut up the string into I think ten different parts and it gave it to PowerShell so this is one of the techniques right this is the office keishon technique hopefully eat this box will turn green meaning that it was successful so it's now running and it's fireless so you don't see anything here right i hopefully this won't turn green and if you care it currently says zero

credentials but if this was successful it Massa's 13 credentials so that works so we have credentials so we can move laterally that's cool so as I said Cabrera is non-deterministic so it now decided to enumerate all the computers in the domain could have done that's the first action right but it doesn't really matter right okay so now I decided to start downloading the web server and it decided to use a little bin for that so it decided to use cert util which is a binary that's I think present all pretty much every Windows operating system since Windows XP which is a weird vulnerability that you can make it trick to downloading any file you want so you

can see here cert util and if you look here it makes me see it going to a URL right download some binary and if there was successful you can now see the zip file view we've randomized the name again to make sure that my detection system doesn't like just look at the file name but really looks at the behavior right so box turned green we got a web server now so again non-determinism it decided now to enumerate admin groups so it's using PowerShell for that and if you look at the command line you will see that it there's nothing on the command doesn't showing that there's nothing on the command line you so it uses to stand it

in so if you just look at command you won't see any malicious behavior this is literally putting the equal months in the standard in and again it's fireless so you won't you won't see anything so give that a few more seconds and then hopefully you move on to the next one okay that is finished right okay so now we decided to create persistence so I think this one actually runs inside caldera so you don't actually see any processes nor do you see any files dropped right so now this new box is great it says down launching web server using run DLL 32 there's another law bin so it realized that it has a downloaded version of this web

server what you can see here it might be a bit small so it there's now a process here this is updates daemon and if you recognize the I can this is the icon for run DLL 32 and you can see it also drops a random file here and SCT script with a random over to random filename so what we'll do now is use another login would run DLL 32 to exit extract the zip file into a folder here and then run the web server so let's see if that works so as you can see you can see new folder here random file name box turned green so we know it was successful so now it

actually trying to set up the web shell I think it was really quick but you see if I can get that back right so you can see here my commander process forms PowerShell and then spawns this process called use be web server which spawns Apache binaries for my temp folder and caldera actually checks if it can reach out to his web server it uses a read dodgy PHP script to just execute random commands they can then check if it X is able to actual trade information so the Box turned green so we know that was successful bet you saw that happen in like 2 seconds it was really really quick right this is the final stage

should now tries to move laterally so it creates a share on another host that it found using one of the other actions and then it copies the caldera process to the other hosts which was also successful so that's where it stops so it now goes through the cleanup face and as you'll see here all the files that were created will now disappear in a matter of time there we go so that was it so this is how you can inkle Dera emulate it and this is what it will look like on your fix-it machine so I just have this next slide just for reference I'm not going to go through it this one and what I go through like all

the actions and sort of like how which actions rely on others and what tech needs to be used right so we saw off the station send it in Loeb in more little bin saw masquerading yeah have a look at is at home if you want to but just to remind you that this is just not random tests just firing random commands but it's actually relying it's actually thought about the order and it also relies on past actions right so this one can only run in action for successful and for can only run if three was successful so pretty cool stuff I think but as I said this is just a start right so now you have successfully emulated an

attack you have done what an attacker would do but the challenges dig you detect it right if you in this case didn't stop it right because it was successful but can you detect it at least so this is an example of what that might look like in your analytics platforms this is mine so the challenge now is to see what did I what did I find what did I miss can I improve it somehow so the example I gave with the file names like maybe you see that you're detecting the wrong thing but can i improve it so it really starts now only so this is all cool stuff and as I said you can I will be

sharing the code so you can pretty much do this yourself by installing it but the big question is what did you see right so I'm gonna wrap up so attacker emulation going forward so I showed you a lot of cool stuff and for me I think my mind my vision will be that a lot of people should look into this but not only look into it and we also share their work so to set an example I will be sharing my code but I really hope that other people well that the solution you're using whether that's caldera one of the others and that you share what you're doing so other people can use it and you don't have to reinvent the wheel

it would be great if you had like modules you can share just like matters flow and people could just sort of plug in and with these five are pre and post conditions you can just with minimal a fluid emulate specific attackers right imagine you could download like an apt on one two three profile you can run it and just within seconds see what you can detect I thought I think it will be amazing and the industry-standard idea so these tools are not cross tool compatible so would be nice if you somehow people come up with a profile that all tools can accept me you can just choose whatever tool you like before I go through my final slide just

just a reminder as I said it's great it can help you a lot but it's not a silver bullet and it's going to help you see that what you're doing as an impact but it's not proof by no means right it's just for yourself to see what you're doing makes sense it's maybe to tell others that what you're doing actually has an impact but it's not gonna it is this is not like a universal solution to everything so I think it's my penultimate slide so key takeaways I really hope when you're back home you think like what was this weird guy rambling on about in the morning so for things and psycho emulation helps you

not just understand the threats you're facing but also your defenses are you really looking for the right thing if you do a tech emulation do it the right way right make it as random as possible make it as real as possible so you can have actual results that give a good idea of your the status of your defenses it doesn't have to be difficult is all the stuff I showed you is what I did but you can just reuse that you don't have to do it yourself so it doesn't have to be difficult and as I said community based sharing I really hope that some of you are inspired and that you all be sharing yours work so we can all see

what you what you were doing so both the slides and the code can be found on my github page get up with Carlos pizza any feedback or whatever use follow me on Twitter shoot me a message or send me an email you can also just find me during the break and another chat thank you [Applause]