
...but I will try not to disappoint; we're going to do the super secret sauce. I did realize afterwards that I'd picked the wrong title. Not that this title is wrong, but, you know, it got everybody here. What we're going to do today should have been titled "cutting your endpoints", because that's what we're going to talk about today. First off, though, let's see if I'm getting display problems here. There we go.

First, I really want to put a shout out to our BSides Augusta conference folks, the volunteers, the organizers. If you don't know how much effort goes into pulling one of these things together: over a thousand people register, and it's truly a labor of love. I go to a lot of conferences, I do a fair amount of speaking, et cetera, and truly this is one of my favorite conferences every year; it's consistently quality. Don't hesitate to thank the organizers, because they're literally doing this because they love doing it.

So, how many have heard of the defender's dilemma? Pretty common nowadays, right? Okay, we've got a couple, three. The idea with the defender's dilemma, on the surface, makes a lot of sense, right? Breaches are enough... I'm not going to throw the red team under the bus today, because one of my folks is in the audience and the last time I did that I got beat up for a good year. Probably my single biggest distinction in my career is that my career is longer than most of my team members' lives, but that's what makes it interesting, right? So it makes sense on the surface: defender's dilemma, I'm a blue person, I've got to defend, I've got to always get it right. It does. But I would posit to you that we have allowed some vendors to take the narrative away from us. This is our space as practitioners; we need to make sure we keep it. This is not a rant on vendors; there are a lot of fantastic vendors out there, but in trying to distinguish themselves from the noise they kind of, you know, "AI" all the things. Some guy reached out to me on LinkedIn last week and said, "Hey, we've got this cool AI-based blah blah blah," and I was trying to be polite: no thanks, not interested. His response was, "Well then how in the world are you defending against all of the cybercriminals using AI-based attacks?" That's not actually a thing, so we're good.

My point here is we really need to be conscious of terms like "breaches", because let's look at an attack lifecycle. Choose your MITRE ATT&CK framework, whichever it is, but there's a sequence of things that has to occur in order for the bad guys to hurt us, okay? Whether you use this model or another really isn't critical, except that key things happen, right? First off there's a foothold. It's Monday morning, the blood level in my caffeine system is a little too high, I get the phish and I click on it, and now I've got a remote access trojan running on my laptop. I would suggest we don't have a breach. We like to call that, in my shop, a prevention failure, because we paid for a whole bunch of this technology that the vendors all said was going to stop all of this from happening. We all know they don't; they do a good job of reducing a ton of it, but some gets through, right? I would suggest that the foothold, that initial access... it's not good, don't get me wrong, I'm not saying that we should be cool about the prevention failure, but think about that RAT: that RAT is just a tool being used by an adversary who has a goal. I would suggest the breach occurs when they complete their goal. So the breach hasn't happened yet. Maybe they want to encrypt my hard drive so they get a ransom, maybe they want to steal credit cards, intellectual property, whatever their objective is. I would suggest that we need to be thinking about it this way, because if we do, then what that leaves us is this really interesting window where we as blue team members have an opportunity to prevent a breach. We can't prevent prevention failures, but we can, I would suggest, prevent breaches.

Then, if you take it to the next level, I want to give a shout out to Matt Swan; he was the first person I publicly heard talk about using ... against the bad guys instead of just rules. As I walk through the stuff today I'm intentionally just using scripts, because if you're a large enterprise maybe you've got SCCM, things like that, and you can do this stuff at scale a lot easier. But what I love about some of the techniques we're going to discuss this afternoon is that even if you're a small shop you can leverage these techniques; they cost nothing but a little blood, okay? And the goal here is to build a detection grid, call it a minefield, a detection minefield, that is so comprehensive in our organization that when the adversary shows up they don't know how to navigate it without bumping into one of our detection points. And this is good for us as defenders, because the moment they bump into one of them, now our mission is on, right? Before, I had no idea they were there; now I know they're here and I can go get rid of them, if we are set up for speed.

So, a lot of talk about how do we detect all the things. I'm a long, long-time proponent of honeypots, and what we're going to do is use a variation of that. Specifically, what I'm hoping to show you today is a technique where you can take your environment, right, so this is endpoints, maybe servers, laptops, doesn't matter, and turn it into that landmine so the attacker doesn't have a way to weave through without bumping into one of our detection triggers, so that we can know they're in the environment and go get rid of them before they complete their objective and we have a breach. So, is everybody asleep after lunch? It's all good.

So how do we go about doing that? Well, I'm a big fan of MITRE ATT&CK, a lot of folks are; we focus on the how. And if you heard Dave Kennedy's talk this morning, this will be especially relevant. Dave and I didn't chat about that, but what I'm doing here today is basically focusing on behavior-based detection, not indicator-based detection. To comment on this morning: indicator-based detection is very brittle, is the term I would use. The attacker changes a little bit and you've lost everything, right? So in particular, we know that the attackers are going to need privileges. Unless the only thing they want to do is encrypt the box they're on, they're going to get some sort of credentials for lateral movement; they've got to have some way of communicating with the systems in the environment. There are very, very few attacks where they don't need some sort of credentials so that they can access all the things. So let's focus on that need. If I go to the ATT&CK framework in particular, here's a snippet: it is a common goal of the adversary in their attack, and that's obtaining credentials, right? They get them from hashes, all sorts of places. And again this is just a snippet; hopefully you know the ATT&CK framework. Go out to that URL and read up on it; there's a lot of good work going on out there. All right, so we know the bad guys want this stuff. How do we give it to them? Well, what I propose is that you consider using those as lures. If the way they look at the endpoint is that they stumble into one of these, we're off to the races, right? So how do we then go about weaponizing this? All right, I'm actually going to stop here.

The first step is to plan out our lures: we might go for the simple ones, but the ones that are going to hurt us as we build them, and then we'll circle back on that. Then the second step is to create the accounts. I'm going to walk through all of this, but we're going to create a bunch, and even if you're a small shop you probably want to think about bulk-creating these, okay? Again, we talk about maximum realism; I'll talk about the caveats there that I've run into. Step three: we log in locally on our endpoints so the accounts get cached locally, okay? There's stuff to be looking at there; we're going to go through each step. We also add some local cached credentials for strength; I'll talk about why in just a minute. And then I want to change the lure account's password. I've searched on this: ideally I'd prefer to disable the account; the problem is you stop alerting if you disable accounts, unless those accounts are live. So what I'll do here, as a sample, is just generate a random-character password and change the password to that, making it essentially impossible to log in. And then last but not least, of course, some alerting. So, you know my earlier scenario where my blood level is too high in the caffeine system: I've now got that RAT running on my laptop, the adversary runs Mimikatz or whatever, use your credential dumper of choice, and the beauty of this is that that individual, if we've created these accounts properly, has no way to know which are real and which aren't, right, until they try them, which is entirely the point. So the alert fires, the bad guy falls for it, and bada-bing, bada-boom.

So, some background on how Windows credential caching works, okay? Particularly relevant: a lot of people aren't aware Microsoft made some very significant changes, actually with Windows Vista. We beat poor Microsoft up for a bunch of years, seriously, we beat them up for a bunch of years, because originally, prior to Windows Vista, the locally cached credentials... So, cached credentials: I log in to my laptop at work, my computer has access to the domain controller, I can authenticate, great. I take my laptop home, I can't connect to my domain controller, or more correctly, my computer can't reach the domain controller. Originally, prior to Vista, essentially when Windows was installed a unique key was generated for your computer and stored in the registry, and that key was used to decrypt the contents of the cache. Of course the algorithm got out, so bad guys could decrypt them. Nowadays the algorithm is MSDCC v2: your credentials are hashed and then encrypted with that key. It is super strong; it's not beyond crackable, but unless you happen to be working for a nation-state, probably not crackable. It is crackable, but we'll talk about ways to deal with that in just a minute. So that's why the credential process works that way, and in particular there are a couple of tips in the Microsoft documentation that are really useful for us. So this is just from the document at that URL right there, okay, and all these slides are, by the way, up on my GitHub; I'll have a link to it at the end of the deck. So these are the five things that cause credentials to be cached locally on your Windows box: RDP, and so forth.

From our perspective, probably the best ways for us to do this... we could RDP, but I don't know about your environment; I have a couple hundred thousand endpoints, and RDPing to them seems like a problem. If I want mechanisms at scale, running a scheduled task as the lure account works, right? You can PsExec back to schedule a task on the remote computer, or you can use Task Scheduler with some scripting. As soon as that task runs under the fake credential that you've created, then it will cache. Today, however, we're going to use runas, which I found is the cleanest of these techniques to do what we want. The other thing I want to call out, which is relevant or useful data, is this piece: credentials hashed and stored on your computer. Again, a lot of folks haven't done the homework to realize there's a ton of things that Windows potentially stores. And by the way, these techniques work on ...; the specifics are just slightly different, but the same principles apply. Those are useful, as you'll see in just a little bit. So, enough of me, blah. So, what...

Real quick, so a lot of you will be able to see this: I'm running a Windows 2016 server VM and a Windows 10 workstation VM, sorry, brain blank there. For full disclosure, I have fully turned off Windows Defender and stuff, because I'm going to use Mimikatz and some tools like that. If you know the tools, getting them past the protections is just a foregone conclusion, unfortunately; it's further tempting the demo gods, so I turned it off. But I want you to know that I'm kind of cheating a little bit. So let's start with our Windows 10 computer. As you can see I've logged in here; let's add another user to the cache. So Doug works with me, I'm going to pretend, and we'll sign Mr. Burke in, and he has Secured2018. All right, we've signed Doug in. I did that because what you're seeing is the result of a local Windows logon. In my research I tried a lot of approaches; one of the things I did was go in and add the cached credentials directly to the registry, and that works. The problem I realized as I was working through this is that it doesn't create all of the Windows artifacts created when you log in locally to a host. We could do that; the artifacts are fairly straightforward, but there's north of a hundred of them, okay, and I don't know about you, but I'm a fan of taking the simplest, most expedient route. Ergo, this is why I'm logging in locally, or in this case using a script technique to log in locally, and that way we let Windows create all of those artifacts, because, again, remember we're going for maximum realism. I don't want to tip off the adversary that my lure accounts that I'm going to add into this system are not actually real. So I signed in as Doug just to show you that this is the effect we're trying to achieve, as badly as I'm trying to say it. All right, so let me sign back out as Doug and sign back in as myself, TimC, and as you can see I have an equally difficult password as Mr. Burke's, because he's a good guy.

All right, so, signed into Windows 10, let's look around a little bit so that we can understand what some of this stuff looks like that we've got to deal with. I'm going to fire up an admin console here, switch over to my conveniently installed Mimikatz and run that; of course we've got to turn on our debug mode. Oh, there I go, sorry, lost the slide there. So we've got debug mode turned on; let's look at a few of these credentials. First of all, let's validate who I am: you can see I've got TimC. Oh, I'm going to need a little higher privileges here, oops; let's try token::elevate. There we go, now I've got a SYSTEM token. This in turn, of course, gives me the ability to do things like an lsadump::lsa. The LSA dump is just my local accounts; these are not the domain accounts that this machine is joined to, just the local accounts on the system. What our adversaries are often interested in is our cached accounts. Notice I've got two locally cached accounts at this point: Doug's account, because I just signed in with that, and of course my TimC account that I'm currently logged in with. Also of interest, based on the ATT&CK list and a bunch of time working with the adversary, we've got a whole bunch of secrets stored in here, okay? One thing that's probably worth pointing out, actually, lest I forget: I mentioned the MSDCC v2 algorithm. I showed the passwords not to poke fun at Doug but because I wanted to show that those passwords are the same password; notice that the MSCache v2 stored credentials are completely different, and that's because of the hashing that's taking place, even though it is encrypted with the same local system key, okay? Hence they're more difficult to crack. So then let's dump... yep, we're joined to the Poem Corp domain, because of course why wouldn't you name your company Poem Corp, especially if you're going to do demos.

All right, so now I switch to the Active Directory server. Step one: plan out our lures. This is where we want to think: what are the domain accounts that are typically leveraged by adversaries? A lot of times things like your desktop administrator group, right? I'm a user, I call in, "My printer's not working, I need some help"; the desktop support folks, who have a domain account, RDP to my machine so they can fix my printer problem, and because they've RDP'd, it got cached locally. Often that is the type of account that is used by the adversary. So what we're going to want to do is use things that you have in your Active Directory. There we go; my click is not working... Active Directory Users and Computers. You can see, in running through the setup earlier, a Desktop Admins group. So, simple here: we're going to create a new user. We'll call him Bob; no, let's call him Phil, we all know how good Phil is at supporting people. And his user ID we're going to call desktopadmin02, okay? So we're just like we'd create any other account: I'm going to uncheck the "user must change password" and then give it a password, so I'm going to go Password2018. You want to think about using something realistic for this, only because if you've got an adversary who is capable of cracking some of these hashes, you just want to be safe, right? I'm sure your company's bad passwords are like "...!!"; you know, they would never do that. Oh, I've already got a Phil; I don't think so. This is Phil's brother Bob. There we go, and of course we've now created the account, right, our Bob Plantamura. We want to go into properties now, because of course what we want to do is add privileges; oh, that's because I had clicked "done", wonderful. So we want him to be a member of our domain admins. This doesn't necessarily mean it should be your domain admin; again, pick something appropriate. If you've got support folks in your organization you might want to do something like that, maybe you've got some mid-level IT. It's a good idea to, again, go out, look at your actual population pool, pick something appropriate. So now we've got a Bob Plantamura user in our system, right, and his account name is desktopadmin02, okay.

So then, step three, all the systems. I think I'm running as admin, but just to be safe, an elevated command prompt. So now I'm on the system, and just so you don't have to see me painfully type, luckily I have a backup. So what I'm going to do is paste this here and make this a little bigger so you guys can see it. So what am I going to do here? I'm going to run a PsExec against my workstation, so again this is in control, right, authenticating as this new account that I created. So let's make sure we get our name correct from properties; this one I called desktopadmin02. And of course what we're going to want to do is plan this all out appropriately, okay? And then I'm going to do a runas. Just because Windows 10 has gotten pretty finicky with some of the later controls tightening up, I'm going to do a runas, but I'm just going to copy the runas over and again authenticate. Remember, on my earlier list, runas is one of the ways to cache a local user. The PsExec authentication to the workstation won't cause that user ID and password to be cached locally; the runas, however, will. So we use the PsExec to do this, and of course the beauty of this is we can do this across a bunch of systems and do it effectively. There are vendors out there that are starting to offer solutions, or doing some of these techniques, as products. What we'll find is a lot of them are using an agent on the system and doing an inject into LSASS. When I log in, another place it gets cached is in the LSASS memory space, okay, and so a lot of the vendors are injecting it into that. The problem with that, from my perspective, is twofold: one, it doesn't survive a reboot, which is why they're doing it with a local agent, and I don't know about you, but my systems folks are really tired of additional agents on my endpoints, so better to not have to do that; and secondly, it doesn't create all the artifacts either. So if I'm a relatively smart adversary, I'm going to not just pull those credentials out of the LSASS cache, I'm also going to go, "Hey, are these credentials locally cached?", and if not, then we might have a problem.

So I'm PsExec-ing a runas on that local system using this new account that we created, okay, and if we pop over to this system, let's just dump out of Mimikatz and look in our Users directory. We should see, voilà, a desktopadmin02 pop up. What we've done, via a script, or just a single command in this case but easily scriptable, is created that lure user in a very realistic way that's now going to show up in all of the traces. So if I go back to my Mimikatz and again dump my cache, notice desktopadmin02. And in case you're wondering what this NL$1, NL$2 is, well, that's actually a reference to the local cache. So let me open up another command prompt here a second; this time I'm going to do a psexec -s -i -d. Am I supposed to be giving giveaways away? All right, so, as giveaway number one: who can tell me why I just did a PsExec -s to run cmd.exe on my localhost? Nope, good thought. It does, but it closes right back out. It does, but it deletes it as soon as it's done running. Great thought; yeah, a little trick some of the attackers use. Yeah, I elevated myself, exactly. What this did was: this new command prompt is now running as SYSTEM, not as my admin account, so this is just a little trick to run as SYSTEM. I need that because the portions of the registry that I want to look at can't be seen otherwise, and my eyesight's not really good. Yes, and there are other ways to do this too, but the reason why I wanted to do this is, part of this journey... my goal here is not to give you a comprehensive way of accomplishing this; what I'm trying to do is bring you up to speed on some of the possibilities, right, because this is something you really want to customize for your environment.

So this is the cache. It's stored under HKEY_LOCAL_MACHINE\SECURITY\Cache. By default, Windows caches 10 entries, and it's just a first-in, first-out buffer, so if an eleventh person logs in, whoever is the oldest last logged in just gets dumped out and gets replaced. So NL$1 through NL$3, you can see the cache of those, and notice all of the other entries of the 10 are empty. It's pretty common to reduce the number of cache entries in your environment; typically, however, you can't turn this completely off, because if you turn it off, the problem you've got is your user goes home and can't log in to their machine, and we want people to work at night too, not just during the day, right? So, with me so far? Still? So what we've done: we created a user in the domain, we used PsExec with a runas, so that caused it to be cached locally on my Windows machine. Now what we want to do is make sure that the adversaries can't use it. So I've just got a little simple password tool; I randomly generated a 50-character password, and of course I want to toggle back to my domain controller and change the password now, so that password is no longer valid, right? So I reset the password and I can paste in that 50-character password, that frankly I'm not going to keep track of, and now it's been changed. So just to be safe... there is a little bit of residual danger here, but once we do it, knock on wood, it's got a huge password; throw it away. Hey, you know, make sure your AD is okay, sure. And obviously they could change it, but ... so that's not a risk from that perspective, in my opinion. This pretty effectively communicates, but again... So what have we done here? You've changed the password.

Finding it: because what happens is, if I'm going to authenticate against a lure ID, the account, again, only if it's accepted does it record... That works extremely well. So if I pop over, you actually see a bunch of these for an event ID. Over time, trying to figure out... 4624 is the event I was trying to think of. What I found: the 4771 event ID triggers when there's a Kerberos failed pre-auth, okay? So under the hood, Active Directory is using a modified version, Microsoft's version, of Kerberos, for compatibility reasons and a bunch of other stuff. Let me refresh. Okay, so we've now changed that password. So the bad guys... oh, and I skipped a step; I'll come back to it though. So right now the adversary's got the credential, so they want to try it. I have it in one of my command windows here somewhere. Okay, so there's my PsExec, and I'm going to take off the runas, so I'm just going to try and authenticate and attempt to execute a cmd, okay? So I just execute the PsExec, but of course I'm using the old password, and notice I got an access denied. That's what we're trying to do, right? In this scenario I'm the adversary, I've scraped those credentials, I'm now trying to authenticate using them because, oh, it's a domain account, this is fantastic, I'm going to be able to use this to move around in the environment. If we flip over here, notice: oh, desktopadmin02 said, hey, that's clearly a failed pre-auth Kerberos login event. So this allows us, if we set up an alert for 4771 on our lure IDs, to have a mechanism that will alert with high fidelity. We could have 50, we could have 100 lure IDs, whatever it is, throughout the environment; we've got a mechanism for looking at the behavior of someone trying to use our creds against us.

Now there's one thing I inadvertently skipped, and actually I'll turn to it now: does anybody know the command-line way to add creds to the local Windows secrets? There's a command-line tool; anybody know what that is? I'm asking some carefully hard questions, so we'll ask something else... Good try, sir; good thought though, close. No, not regedit; again, another really good thought. So there's this cool command called cmdkey. It ships with every version of Windows, right? And so what I can do is, in this case, just add an account; so again, in this case ours is called desktopadmin02. I just picked "mail" for the target in this case; we could do it with anything, right? But the key here is, when I ran this command on a system, what it did was store that credential, that username and password, in our local secrets. So if I go over again to Mimikatz... I'm doing this because of the difficulty in cracking; what I'm doing is giving them another option. We want to make the lure account attractive, so we don't want to make it so difficult for them to crack that they don't end up using it. And so again, I'm going to move quickly here, so I want to get back to the other part: token::elevate, and this time I'm going to run sekurlsa, which is to dump the local secrets: sekurlsa::logonpasswords. Come on, arrow key, there we go. All right, let me scroll way down; oh, there it is, right in front of me. Notice that it is stored in a reversible format, so Mimikatz can extract it, no problem, and a whole bunch of other tools too; it's not just Mimikatz, okay?

So what have we done here? All right, let's go back to the regularly scheduled programming. So again, to weaponize, the points mentioned earlier: I've come back with a little more detail. On "plan out lures", you see why some of these suggestions are so important, right? We really want to make this realistic; the better you are at making this look like your real IDs, the more likely you are to lure them into tripping, right? We also don't want to put this on all of our endpoints unless you're a really big organization; think about having a handful of those, or maybe you do it a bunch of different ways depending on how your organization really works, because this approach is something that even your really, really skilled folks, hypothetically Dave's crew, might trip over. Does that make sense? Because remember, they don't have a way of knowing whether this ID is real; unless you make it too obvious, all they can do is try it. They just know it's a locally cached ID; until they attempt to leverage the ID, they have no way of determining whether it's any good or not, right? Point three, of course, is the local secrets, again, just to make the bar slightly lower. And then, of course, the other steps we did: we created the domain lure account, we logged in locally using PsExec with runas (again, lots of ways of doing this; especially if you're a large organization I would highly suggest something like SCCM or the like to do that), we added some local secrets, although I did it out of order, and of course we went for alerting. So there are a few things that we want to keep in mind, though, in terms of challenges. I mentioned this in passing earlier: if you
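The five steps recapped above, written out as one script. This is an added example, not the speaker's code or slides; it uses the scheduled-task caching trigger the talk lists (scriptable without runas's interactive prompt), cmdkey for the Credential Manager copy, and a 4771 query on the domain controller for the alert. Every account, group, host and domain name in it is an assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the speaker's code. Plan/create a lure domain account, get it
# cached on endpoints, make the password unusable, seed Credential Manager, and alert
# on 4771 for the lure names. All names below are assumptions for illustration.

function New-RandomPassword {
    param([int]$Length = 50)
    # Cryptographic RNG over an alphabet that is safe to pass on a command line.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+-=_.'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-LureAccount {
    param([string]$SamAccountName, [string]$DisplayName, [string]$Group, [string]$Domain)
    # Created like any other support account: enabled, realistic name, member of a
    # group the adversary would value, and no "must change password" flag.
    $seed = New-RandomPassword
    New-ADUser -SamAccountName $SamAccountName -Name $DisplayName `
        -UserPrincipalName "$SamAccountName@$Domain" `
        -AccountPassword (ConvertTo-SecureString $seed -AsPlainText -Force) `
        -ChangePasswordAtLogon $false -Enabled $true
    Add-ADGroupMember -Identity $Group -Members $SamAccountName
    return $seed   # needed only once, to seed the endpoint caches
}

function Add-LureToEndpointCache {
    param([string]$Computer, [string]$LureUser, [string]$LurePassword,
          [System.Management.Automation.PSCredential]$Admin)
    # A scheduled task is one of the caching triggers the talk lists: the task runs
    # under the lure identity, so Windows writes the MSCache v2 entry and the normal
    # logon artifacts. Assumes the lure may log on as a batch job on the endpoint.
    $task    = 'PrintSpoolerHealthCheck'      # a name that blends in with real tasks
    $adminPw = $Admin.GetNetworkCredential().Password
    schtasks /Create /S $Computer /U $Admin.UserName /P $adminPw /F `
        /RU $LureUser /RP $LurePassword /RL HIGHEST `
        /TN $task /TR 'cmd.exe /c exit' /SC ONCE /ST 23:59 | Out-Null
    schtasks /Run    /S $Computer /U $Admin.UserName /P $adminPw /TN $task | Out-Null
    Start-Sleep -Seconds 5
    schtasks /Delete /S $Computer /U $Admin.UserName /P $adminPw /TN $task /F | Out-Null
}

function Add-LureToCredentialManager {
    param([string]$Target, [string]$LureUser, [string]$LurePassword)
    # Run inside the user's own session (logon script or build step). Stores a
    # reversible copy of the lure, the "lower bar" for an adversary who cannot
    # crack MSCache v2 but will happily replay a stored secret.
    cmdkey /add:$Target /user:$LureUser /pass:$LurePassword | Out-Null
}

function Invoke-LureRotation {
    param([string]$SamAccountName)
    # Once the seed password is cached, replace it with a random 50-character value
    # that nobody records, so the cached secret can never log on again.
    $new = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $new
}

function Get-LureTrips {
    param([string]$DomainController, [string[]]$LureUsers, [int]$Hours = 24)
    # 4771 = Kerberos pre-authentication failed; it is logged only on domain
    # controllers, so nothing fires until the lure is actually tried.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($LureUsers -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Lure     = $d['TargetUserName']
                Status   = $d['Status']      # 0x18 is the bad-password case
                ClientIP = $d['IpAddress']   # 4771 carries the client IP, not a hostname
            }
        }
    }
}

# Usage (all names assumed):
# $admin = Get-Credential 'CORP\deployer'
# $seed  = New-LureAccount -SamAccountName 'desktopadmin02' -DisplayName 'Bob Plantamura' `
#              -Group 'Desktop Admins' -Domain 'corp.example'
# 'WS01','WS07' | ForEach-Object {
#     Add-LureToEndpointCache -Computer $_ -LureUser 'CORP\desktopadmin02' `
#         -LurePassword $seed -Admin $admin }
# Invoke-LureRotation -SamAccountName 'desktopadmin02'
# Get-LureTrips -DomainController 'dc01' -LureUsers 'desktopadmin02' | Format-Table
```

Deploy the lure to a handful of endpoints rather than all of them, as the talk advises, and key the alert on the lure names so that one 4771 for any of them is a high-fidelity signal.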
disable the account, you disable the ability to alert, or at least that's what I found. If you find a way to disable it and still alert on that individual ID, please tweet me or email me or something, because I'd love to know it; I have not yet found it, okay? That's a problem. Because the failure occurs... so the Kerberos auth event is only on your domain controllers, so it's important to understand your detection won't fire until they attempt to use it. Does that make sense? So you aren't right in there, but you've got to be ready to run quick when that happens. And depending on your environment, making it realistic could be problematic, right? Think about the pattern. Luckily, most organizations have pretty typical naming conventions and things like that, which help with all of this for us, right? All right, so those are the challenges.

In terms of next steps, this is scratching the surface, right? Again, if you look at ATT&CK and the things the adversaries are tending to do: going and looking at our GitHub to see if we've got hard-coded passwords there, looking on our wiki... they're standing where our users ... they're set in a way that is accessible, right? And so again, use that: we can create things in those only in our detection grid, right? And of course there are lots of other things; I would even suggest thinking about partnering with your build team and making it part of building the systems, right? As part of it, they often have to build all of this out anyway, so why not bake some of this stuff in there, okay?

So we'll move to questions. Contact info is there; if anybody wants to contact me, please feel free. And really what I'm hoping... I'm not trying to suggest that this is the end; I'm trying to suggest the beginning. I believe, as defenders, we need to leverage our systems against the adversaries in many, many ways that, like in this case, cost us nothing, right? We're leveraging infrastructure we already own and have paid for, and doing it in a way that makes it really difficult for the adversaries to know, and if they bump into one of those, again, we're off to the races; we potentially prevent breaches. So, questions?
Yeah, yeah. So anything short of a rebuild... for this particular mechanism, anything short of a complete system rebuild, the cached credentials stay local, so updates and all of that don't affect any of this, which is... oh, did I misunderstand your question? Yeah, oh sure, yeah.

So the question was, given new capabilities, right, well, Dave's talk this morning, in his keynote, he was talking about some of the new approaches for getting into our systems. I would argue that if an attacker can leverage it, then we as defenders can think of ways to use it against them, right? The beauty of this is, the attackers depend on... literally what Dave was talking about, right, is a lot of our detection is signature-based; they obfuscate a little bit and our detection doesn't work. What we're doing is worth...

Yeah, yeah, yep, absolutely. ... at something that can change its address; a bunch of these logs are nomadic, shall we say. I use the password ... as potentially an indicator of where they're coming from. I absolutely think that's the trick: keep track of your lures, so in that case maybe deploy different lures to different locations, right? You can correlate the events with the failed login to get the hostname; it's just not in the 4771. Yeah, you could. So the question was, could we keep someone engaged? Yeah, absolutely. That feels a little more dangerous to me. If my ops are really quick, if I can be on them really quick, then what you're doing is you're turning your systems into honeypots. In my case I'm not, really; I'm using some of the techniques of deception, but just for an alert mechanism, a detection mechanism. If I was going that way, I probably personally would leverage some sort of honeypot environment so that they're contained within that, rather than on my own systems. But if you're really confident in your team, sure, go for it. Is there a question over here? Yes.

Ah, right, yeah. So I think that becomes secondary in this case, right? Again, what I'm really trying to suggest here is that we attack the behaviors. So even if it's Russia, right, in those scenarios, Russia has specific playbooks; they still need to obtain credentials, they can't magically just own the system. Now, certainly they can use exploits as part of that. This is by no means... I'm not suggesting you should run this and, "Oh look, I'm done"; this is an idea and an approach for leveraging it against the adversary, that most of us have. Does that make sense? It's certainly not going to solve that problem, but I would suggest it's just... I think we are completely out of time, and I forgot to ask the last two questions. So, can we ask... the next person asks a question. All right, question: what was Doug Burke's password when I signed in? I saw that hand first, you in the purple shirt. Correct, Password2018, because Doug picks really good passwords. All right, one more, and I need a question... I already asked about cmdkey. Oh, so we used runas; what's one of the other techniques for causing credentials to be cached locally on a host? I saw that first: scheduled tasks, that's right, excellent. Well, thanks everybody for coming, and have a great rest of the day. [Applause]