
Overt Operations: When the Red Team Gets in Your Face

BSides SATX · 2020 · 57:06 · Published 2020-08
Speaker: Matthew Toussain
Category: Technical · Difficulty: Advanced · Team: Red · Style: Talk
About this talk
Matthew Toussain explores advanced red team tactics when operational security is compromised and defenders already know attackers are present. The talk examines how to achieve freedom of maneuver in target environments by overwhelming blue team detection and response capabilities, including techniques for command-and-control evasion, effects-driven operations, and resource exhaustion attacks against security operations centers.
Original YouTube description

Title: Overt Operations | When the Red Team gets in your Face!
Presenter: Matthew Toussain
Track: In The Weeds
Time: 1500
BSides San Antonio 2020, July 11th, San Antonio, Texas
Abstract: We talk covert operations all the time, but there's more. What does an advanced red team do when their cover is blown? What changes do you make when the blue team already knows you're there? How do we operate overtly!? In this talk, we delve into the specialized world of advanced red teaming. Here we move beyond the basics of an active directory domain and discuss methods to acquire freedom of maneuver within a target environment by leveraging all of the nuances that make each enterprise unique. We'll explore effects-driven operations and examine techniques to safely target Industrial Control Systems (ICS). Finally, advanced red teamers don't simply attack enterprises; they craft techniques to attack the enterprise defenses, weaponizing them against the organization itself. The thing is... if the defenders already know you're there, what could be better than making them think you're everywhere! Want a sneak preview of an in-development SANS class on advanced red teaming? Let's go!
Speaker Bio: CTO, Open Security Inc.

Transcript [en]

This talk is going to be on red team operations; it's about overt operations specifically. So when we talk about red team operations, the traditional context in which we think about these kinds of things is that we want to not be caught, right? And so what this talk is going to do is we're going to get a bit of a deep dive into red teaming, but a specifically alternative strategy for red teaming, because what I'm seeing with a lot of red teamers right now is that we have a decent number of hurdles and challenges to overcome, because blue team defenses have gotten so much stronger over the past several years, and as a result we've seen an explosion in red

team tools and tactics, and also some rethinking of methodology that we maybe haven't utilized or leveraged in the past. So we're going to have a little bit of an overt versus covert discussion here. So first off, who am I, and why am I chatting with you? Well, my name is Matt Toussain, and you can tell that I'm super cool by the shades; totally gives it away. I used to be in the Air Force. I used to be here working in San Antonio, actually, at Lackland Air Force Base doing cyberspace stuff. Eventually I left the military, went and worked with Black Hills Information Security for a while doing penetration testing, red teaming, all that

kind of stuff, swapped over to Counter Hack for a little bit building (you might notice these slides are SANS branded) doing a little bit of range building for SANS. I actually got to rediscover some of my military roots doing that, because we do exercises to help with blue team validation efforts for the CPTs that the military has, some of them here out of San Antonio in fact. After that I went ahead and made my own cyber security company, Open Security, which in fact is part of why I'm chatting with you here today. We sponsored BSides, and they had a last-minute cancellation for a talk, and they reached out to us and I said,

hey, I happen to have some slides sitting around; I guess in a couple hours I can do a presentation for you. So that's why I'm here and that's why we're having this conversation about overt and covert operations. In SANS I'm also the lead author of SEC460 on enterprise threat and vulnerability assessment, as well as the author of 665, which you'll see at the very bottom of these slides, in fact, because it's where these slides come from, on advanced red team tactics and threat emulation. Now, if you haven't heard of 665 before, that's partly by design, but it's also because the course isn't actually live yet. The course is in

development, and one of the things that I want to do as we start developing this course for SANS and such is I want to share as much as we can with the community as we go through, which is the genesis of these slides. So what you're seeing here is essentially a bit of a beta first look at some of the things that we're exploring from the perspective of red team training, and I hope you'll enjoy it. So this presentation here is focused entirely on red force versus blue force operations, and what I mean by that is you've got a red team, you've got a blue team, and they interact with each other on a

networking environment. And traditionally, of course, when we talk about it from the red team perspective, we want to challenge the blue team; our objective in the end is going to be to make blue team defenses stronger. And there's a good reason for this. Right now I would not say that we are winning in cyberspace, not really. And the thing is, it's not because we have to lose or because the attacker has the advantage. I think once we're through this conversation and through this topic you'll see that the attacker really doesn't have the advantage. Since we're giving it from the perspective of red team, we can actually see the history of this and why, as red teamers, we today perhaps need to

very significantly alter the sight picture by which we actually look at how we perform operations, in order to keep up with the most advanced blue teams out there. But the problem that we have, and the reason why we're not really winning, is because many blue teams aren't focusing on what is in fact the right problem, and what we see as a result of that is that attackers have essentially carte blanche access to our information networks and information systems. With Open Security we do all kinds of cyber security work, things like penetration testing and red teaming, but also incident handling and incident response. And for example, I was doing an incident response; you tend to have to do these

on site, so this is the last incident response I did before all the quarantine lockdowns and COVID-19 stuff. So, fun times. So I was doing this incident response and it was for a law firm who had been compromised and ransomed. This was in February. And so we go in there and we first start looking, and what we want to find out is how the attacker got in, potentially do some attribution to determine who that actual attacker is. If this environment got compromised, by our experience we can pretty much say that it's probably not the most secure environment. And not to say that if you're really secure you won't get compromised, that's

not the case at all, but generally speaking, if I'm showing up to do incident response, I'm not expecting the blue team to really know what's going on, if there even is a blue team. And that's just typical. Now sometimes you have really good teams, but most of the time you don't. And I think a lot of the people who are having this conversation or here with us at BSides might not actually quite realize what it looks like in the real world, because most of us with an information security role work at some organization that has an information security function. And that might be on the offensive side; maybe you work for a company like Open

Security and we do cyber security services. Or perhaps it's on the defensive side, or even the offensive side, but internal to an organization where the organization itself has invested into cyber security positions. So if we work in the business of cyber security, we're actually already exposed to something that is not normal. And as somebody who's done a fair bit of incident response, I can tell you what normal looks like, because I show up when their network stops working. And in those cases, many times they might have some IT personnel, but they probably don't have direct information security people. And that's not because if they had them they certainly wouldn't have gotten hacked or anything like that.

I'm just saying we need to look at the world as a whole, and there's a very, very big difference between the top twenty percent of companies and the bottom eighty percent of companies out there. In the top twenty percent there may be somebody who fulfills an information security role in the company specifically. In the bottom eighty percent of companies, and yes, I seriously do mean eighty percent of companies today, and I'm not even talking about, say, companies in less developed countries; no, I'm talking about the companies that we see and interact with on a day-to-day basis. The eighty percent of those companies, they don't have a single employee with an information security specific

function. We are talking about pretty big companies here, companies that may have, say, two hundred to a thousand employees. So we're not talking about the tiny companies, but we are talking about the majority of companies. And as a result, in information security we're often inundated in these circumstances of isolation, where our perspective is significantly skewed from reality, because we look at things from the perspective of organizations where we work or whom we work for, which means that they've likely made some investment into cyber security. And I'm here to tell you right now, that is not typical. And so what it looks like from the attack perspective in many of these cases, and also for that top 20, we'll talk

about that here in just a little bit, but what it looks like from the attack perspective is that you don't need to do very much at all to be covert, right? So if we're talking about covert, the idea with covert operations is that these are actions that we maybe do from an offensive perspective that are intended to fly beneath the radar. Now, is it possible that it wasn't covert enough? Yes, yes, yes, absolutely. But when we're doing an operation, right, as an attacker we make a decision; that decision that we make is covert if what we expect is for it to fly beneath the radar. Now, we could get caught, again, that does happen, but our thoughts there are: I'm

gonna do something and this will probably not get noticed. And if we look at the bottom eighty percent, that is a hundred percent true. It's like that Anchorman thing, right? Eighty percent of the time it works... it works all the time. Yeah, that's what it is for the bottom eighty percent. Now, in the top 20 percent we can often do covert operations without doing much either. So we look at the bottom eighty percent of the top twenty percent. Now I sound like Bernie Sanders over here, goodness: the bottom 80 percent of the top 20 percent. Yeah, so the bottom 80 percent of the top 20,

we generally are operating in an environment where there maybe is investment in security, but there isn't really continuous and active defense or monitoring. So what we might do is we might trip some kind of antivirus or EDR (EDR stands for endpoint detection and response). So we trip that system, but when it finds our malware, maybe we work through our malware a little bit more and we do a bypass, and now we get our malware actually working. But when we do this we probably don't expect that anyone actually looked at the detection or at the antivirus alert and did anything about it, because the bottom eighty percent of the top twenty percent

maybe has some of these things in place, and they have the opportunity to be victorious, but they don't actually take advantage of that. So they have the sensors, but nobody's looking at them. Here's a really sad example of exactly that. For example, Equifax; who here's heard of Equifax? Yeah, that's a sad story, or actually just an embarrassing story, right? They get compromised by an attack group who had compromised them on two separate occasions in the past going after the exact same data, and they still managed to fall apart a third time. Then they took an extra four months after they found the compromise before they told anybody about it, because they just don't care about the

fact that they just released 200 plus million people's credit card information and data. Like, absolutely atrocious; really want that company to burn in a fire. But what's fun, or... what's intriguing is if we look at how they found out that they were actually compromised. If we look at the TTPs of that attack group, they were not particularly effective; they didn't really know what they were doing, and we can see this by some of the commands that they ran. For example, every time they compromised this Equifax server, the first command that they would run is whoami, because they want to know what the user context is that they're running in. Okay, theoretically you could know this

based on the process that you're compromising. In that case it was a Java web application, so it was a Tomcat server. Tomcat generally runs as root on these systems, which in my opinion is just a design flaw. But so the attacker gets access to these systems and starts running some basic commands on them. Now, Equifax found out months and months after they were compromised because they had a monitoring solution, and the monitoring solution identified data exfiltration. So why did it take four or five months for them to identify they were compromised, when that compromise was happening and the data exfiltration was happening over that entire period of time? Well, so it turns out they had this box

they probably paid too much money for, and they plugged it in and it was doing this continuous monitoring, and the blinky blinky lights were going blinky blinky blinky, but nobody was looking. Until five months later they realized that it wasn't properly logging. I think what happened was that the hard drive had gotten full of logs and they didn't clear it, so it was going blinky blinky blinky and they weren't thinking about the fact that it wasn't working at all. Then they finally get this thing back up and running and they go, oh, huh, I think we're hacked again. This is covert operations in the bottom eighty percent of the top twenty percent: you don't have to do very much,

because even if the security orchestration is in place, for eighty percent of that top twenty percent they're not looking at it. So what we're really talking about is the top 20 of the top 20; I think that mathematically makes sense. But we're talking about advanced red team. We need to have the ability to project forces, right, to be able to operate on these environments even when they're some of the most secure ones out there, and for a couple of information security firms that's really what we focus on. So if I were to name the ones that really focus here, it's TrustedSec, Black Hills Information Security, us at Open Security, Red Siege (they're a company out of Dallas,

Texas). Our focus tends to really be on operating in some of the most well orchestrated environments, from a security standpoint, out there. We really love to play in these playgrounds. But what we'll see here is that those types of organizations have all done some interesting things from the perspective of retooling in order for it to be possible to do operations on those environments, because if we do anything that is even remotely not covert enough, we get caught immediately and then the entire campaign falls apart pretty darn quickly. And so if we're in this circumstance where we have to tiptoe around the environment very, very cautiously, and then we end up in a circumstance, let's say we see a

system, we've got system access to that device, and we know a domain admin is logged in, so we want to do some kind of Mimikatz, but we're pretty sure that something may be looking for, let's say, reflective DLL injection into the LSASS process, right? We're pretty sure that this operation that we're going to do isn't covert; it's going to be overt. But we need to do it anyways, because if we don't we may not be able to accomplish our objectives from a red team engagement perspective. So every now and then we have what we call non-OPSEC-safe operations we may do as a red team, where we're aware that this is going to be less covert than the rest of our

operations and it's going to be more loud, so there's a chance we might get caught. And so what we're talking about with overt operations here is when we do an action that we know, or acknowledge, the blue team should see. It's possible they don't see it; it happens all the time, right? Hiding in the noise is an example of this. But we acknowledge that this operation we're about to do could key the blue team in on what we're absolutely doing. Now, the thing about overt operations, though, is: what if we acknowledge that we're going to be seen, and we make ourselves seen everywhere simultaneously in order to cover what we're actually doing? So with blue team defenses these days

there's actually this real big conversation about using cyberspace deception in order to build deceptive defensive systems that trick the bad guy into giving up information about themselves. An example of a cyberspace trap like this might be if we set a fine-grained password policy in Active Directory with a lockout policy of one, and then we create a domain admin user for that. We create a real domain admin user with a strong password that we never need to use; we can throw that password away, we just needed the admin account, okay? And we set that admin account to that lockout policy of one, and then we put incorrect credentials into LSASS memory on some systems. You can

do this with a runas command. If an attacker runs Mimikatz, which is one of the most common techniques that attackers will use, they'll get that domain admin account and a password for it, but when they try that password it's not the correct password. So since the lockout policy is one, it'll lock out the account, and the attacker... or the defender, rather, can see that that system has been compromised based on that account lockout. So this cyberspace deception is presenting the attacker with something that they're actively looking for, but that thing that they're looking for is actually a trap. For example, if you look at, say, monkey traps, they do the ones with the jar

where the hole is large enough to get your hand in, but there's marbles in it. The monkeys want to grab the marbles, so they grab a fistful of marbles and they can't get their hand out of the jar anymore. So you're giving them the marbles that they want, domain admin credentials, except they're not even real domain admin credentials, and you're trapping them based on the TTPs that the attackers themselves actually use. And this is an emerging defensive strategy for some of the top tier organizations out there. I was in fact doing some of this cyber defense cyberspace trapping orchestration and design when I was in the military, as part of the U.S. Air Force's tactics

development shop, but it's really, really cool. The thing is, from the offensive perspective we've never really needed to trick the blue team very heavily into doing something, because we've been able to operate covertly thus far. But if we're looking at some of the most secure environments on the planet, well, what we have to acknowledge is that most of the covert operations we would have done in the past, for the security posture of this organization, are actually going to be overt operations instead of covert ones. So how can we potentially leverage deception, and overtly perform deception in the environment, when we know the attacker is going... or the defender, rather, is going to see us?

So we want to give ourselves more opportunity and more freedom of maneuver in the environment by convincing the defenders that we are somewhere else and doing something that we are in fact not worried about. And so let's talk about this history, then, of overt to covert operations. Here with covert operations and cyber security, at the very beginning of course you could do whatever the heck you wanted to do, because we didn't have antivirus. And for the greybeards among us, you may recognize some of these screenshots. Here we have Sub7. Sub7 is essentially the OG, original gangster, of remote access trojans, or remote access tools. Sub7 is just a backdoor implant framework, right?

You can create the backdoor, it connects back to Sub7. The screenshot that's in front of it is one called Poison Ivy. This is one that was used by a Chinese intrusion set, but unfortunately for them they uploaded their code to a place that everyone in the world had access to, and so now the world has access to this backdoor system as well. To be fair, these are quite old: Sub7 is late 90s, Poison Ivy is early 2000s. But the thing is, these backdoors, these implants, they should get picked up by a traditional antivirus, because they don't really change; not polymorphic in any sense, because once upon a time those kinds of

defenses didn't exist, and to be covert we didn't have to do anything, anything at all. And then we had things like the Metasploit Framework. Metasploit Framework came out also in the early 2000s, but has continued to grow and was developed and built upon by the community over time, and it's absolutely outstanding. It is, however, an exploitation framework, which includes things like exploit development. So in the modern sense we don't traditionally think about Metasploit as a command and control framework. It does happen to be a C2 tool, but we'll see with some more advanced ones that there's a lot more command and control framework features that don't actually exist in Metasploit.

But what we do start to see in the Metasploit project is some understanding that there are signatures and that we may need to do things to evade those signatures, and with that we have things like the encoders inside of Metasploit. For example, one of the ones that's pretty well known is called shikata ga nai, which is Japanese for "it is inevitable". And so what it does is it takes a binary and it changes that one, so it might say, hey look, we've got this x86 piece of assembly that does something, so let's convert that to an operation that does the equivalent thing but with different codes. For example, if we're putting things

in registers for adding, let's say we say set EAX to one, set EBX to one, and then add them together; it gives you two, right? But you could do this in the opposite manner: you could say add A to B and then add B to C and then subtract D from C, and then you still get two. And so here we have an example of just equivalent operations that then take a binary and make it do the same thing, but do it in a different set of instructions, which significantly alters the signature for that actual binary. Now of course, when you have an encoder

like this, what you have the ability to do as an antivirus vendor is you can look at that encoder (since Metasploit's encoders are open source, you can look at that encoder) and you can build a signature for how that encoder changes binaries. For example, if you were to do something like this with calculator.exe, calculator.exe will absolutely show up as a virus in most antivirus software, because it's not actually looking for the executable, it's looking for the encoder. I in fact in 2013, 2014 built an encoder, and that encoder, I still happen to have the code; it works to this day for Metasploit Meterpreters, like, to this day, and the only reason it does is because I

never uploaded the encoder to open source on the internet, and so antivirus vendors have never had the opportunity to get the source code for the encoder, and as a result I can still use it today to modify shellcode and bypass antivirus vendors. Because antivirus itself isn't a particularly good security mechanism. And I know a lot of people get a bit fatalistic about this, because they say, you know, what am I actually supposed to do if all of these solutions that I can acquire or work on my network can be bypassed? But the thing is, we're actually looking at this wrong, and the reason we're looking at it wrong is because we always want this Staples Easy

Button, right? Antivirus is a good example of a Staples Easy Button, and it works pretty well if we're talking about a mass exposed worm like, let's say, WannaCry, because they have plenty of time to build signatures for the virus before it actually manages to get to a lot of systems. Will some be exposed? Yes, absolutely. It's kind of like building a vaccine, right? Once we see a new strain of, say, WannaCry, the antivirus vendors go out and they make a signature for it, but they can't make that signature until they've seen that version of WannaCry come out. So they actually have to have exposure of a certain number of people, then they find it, they build the

signature and make herd immunity, essentially, for everyone else who happens to have that antivirus product. But the thing is, that means that if you're doing operations as a human red teamer you will never be caught by these antivirus signatures, because everything you're doing is, from the perspective of antivirus, zero day, always, right? If I build my own backdoor, is there a signature for it? No. If I use that backdoor for a specific campaign, will there become a signature for it? Probably not; not until that thing gets exposed and there's incident response that happens and the incident responders give that virus data to an antivirus vendor to create it. See, the

thing is, an automated system like antivirus is never, ever, ever going to be significantly capable at detecting a human operator on an environment. I, as a human operator, will inevitably be successful at overcoming these machines. Now, I do hear sometimes this concept of artificial intelligence based and machine learning based cyber security, and you can buy those things today, and they don't actually do what they say they do; they're complete garbage, save your money. But I do think that at some point in the future, maybe 15, 20 years in the future, we will have perhaps not general purpose artificial intelligence, but artificial intelligence that's flexible enough from a cyber security context that it actually has some ability to fight

an interactive operator. But if you think that that's something that's available today, you are misinformed, and the sales team of that product has most likely been lying to you, because it just doesn't exist today. Which means to stop a human attacker you need to have a human defender, and we absolutely, absolutely can be effective in this manner. But what it means is the blue team tools that are effective at stopping human attackers tend to be tools that emphasize the blue team operator themselves, as in they make them more efficient, more capable of detecting and responding, so that they can identify where the compromise is and identify what's going on with the system and the environment, and

then eradicate the compromise as well. So if no one's looking, from a covert operations perspective we don't really need to be that covert. But the thing is, today, for the best environments there are often actually real defenders who are taking these, say, antivirus logs or EDR alerts and they're actually sending a human there to take a look at what the circumstances are whereby that was generated. If nobody's looking at these logs, everything is covert. But today, for some of the most secure enterprises, your endpoint detection and response systems are actually being used by blue teams to do detection and response. I know, it's a revolutionary concept, right? It's so fascinating to see things like,

say, Carbon Black or Endgame: an organization buys these things, and they're endpoint detection and response capabilities, but while these organizations put them on their endpoints, they never use them to detect, and after that thing detects they never actually respond to what's been detected. I mean, it's literally in the name. But so for our more advanced defenders, they are actually using these tools the way that they can be most effective, in enabling them to have situational awareness of what's going on on their environment itself. And so as a result, attackers, red teamers like myself, we've had to change the game, because if I'm using Metasploit and it triggers antivirus, I can no longer rely on nobody going there to

actually look at what's happening. Plus, these antivirus vendors may have actually created... or not just antivirus vendors, but these endpoint detection and response vendors have created so many trigger opportunities that, while they might not block my malware, they will almost certainly alert, at some degree of severity, the blue team to come look, because something doesn't look right. Right? And this is why EDR is so fundamentally different than antivirus, because antivirus is there to block bad stuff, and we already know it's terrible at doing that, but EDR isn't actually there to block stuff. In fact, most EDR vendors happen to have signatures for malware, but that's because the people purchasing them, the organizations purchasing those products,

expect them to block bad stuff, which is fundamentally dumb. Like, that is not what they are there for; that is not what we need as blue teams. Let antivirus do any of that stuff. The thing that you want with EDR is the ability to detect and respond as efficiently as possible as an active defensive blue team. And so while these features do often exist in EDR products, what we really need to focus on is that blue team life cycle around detection and response. And as a result of that, any of the major cyber security services firms, like Open Security, TrustedSec, Red Siege, Black Hills, the list goes on, InGuardians, we've all had to go out and develop our

own custom command and control tools and malware. Some have released those tools to the public; other tools are closed source, and we're maintaining them in-house because we need to continue to be able to do operations, and we need to overcome the fact that many of these vendors are literally watching our projects on GitHub and immediately creating signatures the moment we push something to them, whereas if we just didn't push those, we would never, ever get caught. For example, Prismatica here is the C2 framework that's created by my company, Open Security, and there's some remote backdoors and such in there as well. That one is, though, open source and

free and on the internet; we'll talk about that a little bit as well. But so what we see here is that it's actually become a bit of a golden age of C2, because defenses have had so much investment put into them. I believe information security this year, or maybe, you know, last year, was a 70 billion dollar industry. Like, wow. But the thing is that that market capitalization is all on the defensive side. So, like, McAfee was bought out several years ago by Intel for 1.2 billion or something absurd like that, which means that as red teamers what we're actually doing is we're operating and competing and trying to overcome products that have billions and billions

of dollars invested in them, and so open source projects are just not going to be able to compete on that level. So in that context, what do we do? Well, the first thing that we saw the information security community, the red team community, do is just start releasing massive amounts of new C2 tools. It's really a golden age of C2, and what you see here is actually something called the C2 Matrix. The C2 Matrix is a web app that's created by Jorge Orchilles; he's actually the author of the SEC564 and 565 classes with SANS on red teaming. And so this product here goes through a bunch of different C2 toolkits and helps you decide which ones

are possibly best for your organization to use. So we see here a bunch of them on the left hand side. We can actually go through this wizard and ask the matrix what is possibly going to be the best utility for us to use in our actual red team organization. So we could do something like: do we need this to have an exposed API? Does our C2 framework need to support multiple users? Okay, next: what kind of channels do we want to be able to communicate over? Does it need to be able to operate on different operating systems? Well, maybe you want all three. I'll tell you that most of these C2 tools focus on Windows, for a good reason: the Active Directory domain is where most of our engagements rely. Some of them do have Linux support, but not a huge number have macOS support. Interesting. What are the capabilities we need? Maybe we want to have custom profiles on the actual network. This is going to be really important for our conversation on overt operations here in just a little bit, because here we're talking about features that a C2 framework has in order to make it more covert; when we talk about overt operations we actually may want to be louder. We'll look at what that seems like in just a moment. So we say it needs to have the ability to have custom C2 profiles. That allows us to control how it communicates over the internet. Let's say we're using HTTP communication; with a custom C2 profile we get to set things like what the GET parameters are going to be in the GET request and what the server is going to respond back with, so on both sides you can maybe make the communication look exactly like it's AWS or Google Docs or something like that. What kind of interface does it need to have? Maybe we want to have a GUI or a web interface; maybe a CLI is good enough for us, but maybe we want to have some kind of UI. Most of the advanced C2 frameworks these days are starting to have a UI, which I do feel like is important. It can have some efficiency improvements there, but most importantly it's a lot easier to get multi-faceted people together to form a red team if there's some kind of cohesive UI that can be shared. And then what kind of support? I'd say we don't care about support too much. And it lists us here the C2 framework tools that are potentially going to support our needs,

and Prismatica is one of them; that tool is up here. It's got an API and such, and you're welcome to take a look at it if you'd like to. It's the product that's supported by Open Security, and it's open source and free; we're continuously developing it over time, and there you see that.

All right, so in the end, blue team capabilities are very, very heavily on the rise at the moment, and blue teams are getting better, better, better day by day. But I still see this all the time. Anthony Coggins here tweeted this at me when I was talking about overt operations on Twitter, and he said, as a blue team member (and I've heard this so many times from so many people), but he says, as a blue team member, I always say we have to get it right 100% of the time; red team only needs to get lucky once. And the thing is, he is wrong. He is really, really wrong. But his position is not unique: so many blue teamers have this fatalistic point of view, and they say, I'm going to lose my job at some point, I've already made my peace with that, because an attacker is going to get in, and there you go. And you know, if all of your users on your environment are local administrators, then yeah, that's probably just given up the ghost at that point. But the thing is, let's think about what an attacker has to do and where they have to be successful. They have to craft some kind of phishing ruse, most likely, if they're going phishing to get in, which is the most common way to actually get access to networks. So they craft some phishing ruse and they send that phishing email to somebody, and a user clicks on it. Will they eventually get a user to click on something? Yeah, yeah they will. Now once that user clicks on something, that click needs to cause code execution so the attacker can have remote access. Will that work eventually? Sure, sure it

might. Do we have any detection controls on that? I hope we have some, some for things that are getting executed, and post exploitation as well. Now what? Now the attacker has access as a standard regular user in the domain. Do they start their ransomware campaign? No, of course not. I was doing, last year, an incident response for an organization that was ransomwared. The attackers asked for like 2.2 million dollars via Bitcoin to extort them for their network back. They ended up negotiating the actual ransomware fee down to 1.4 million dollars, which is still obscene, but the reason they had to pay is because the company was making about 40 million dollars in gross revenue year over year, and if they said no they would have had to fire all of their employees and they would have gone out of business, because the attacker had everything. They had all of their source code, they had all of their workstations, all of their servers; it was full compromise. They got massacred. And so the question was, pay 1.4 million dollars or go out of business? That's a pretty easy question for them to answer in that case. And so what we have to realize, though, is what were the circumstances that caused that to happen? Well, their network was not particularly secure by any means, and they had a lot of local administrators on all of their systems, but in spite of that (and their domain controller was vulnerable to the EternalBlue exploit, let me throw that one out there too), in spite of all of that, the attackers got into the environment in November/December and then they launched their ransomware attack in April, end of April; in fact, it was almost May. That's eight months of opportunity to detect and then to respond, and if the attacker at any point alerts you to their presence, allows for that detection to happen, well then you get to respond. That's a really big home field advantage the blue team has. And if we're actually looking to identify TTPs that attackers do and

we're looking to discover them in a post exploitation context, every single action the attackers take, every single command that they run, is an opportunity to detect. For that same organization we did for them a culminating exercise: so we helped eradicate the compromise, we helped train their team, we helped them orchestrate better defense controls and do active detection and active defense on their network, and then we finalized the whole thing in February of this year with an on-site red team, where my red team was compromising their environment and I was embedded with the blue team there doing, say, purple team operations, where the red team is trying to attack and then we're defending. And they were exceptionally successful against even my red teamers, so I'm not too worried about this happening to them again in the future. And the reason for it is: blue teams have this fatalistic perspective where they think they're going to lose, and by thinking it they make it so. When it comes down to it, blue team does have the home field advantage, and as red teamers, if we're operating on the most well orchestrated blue team environments, we have our work cut out for us really, really heavily. And so the thing about that is, let's say we're doing a red team and we're using a tool like Cobalt Strike, and the Cobalt Strike binary that we're using as a remote access tool gets picked up by antivirus and we lose to blue team. It can be really, really frustrating, because, well, what are we going to do about it? I can't buy a tool that an antivirus vendor can't also buy and make signatures for. So we're just in this weird place where we're doing all kinds of operations that we know an attacker would do and would bypass the blue team, but because we've got certain requirements in red team, let's say using commercial off-the-shelf tools or open source tools, we know that we are being louder than the actual attack groups might be, who have this 1.4 million dollars to potentially gain off of a compromise like this. And so that can be really frustrating when you feel like you got caught and the blue team won, and the reason why they won is not fair, because it wasn't realistic or contrived, there wasn't enough network traffic going on; it's just not fair, right? Well, we have to resist that urge. We really, really do, because red team is all about making the blue team better, and so if they catch our stuff, that's outstanding. Now, if we identify that they need to be better, because they wouldn't catch something realistic, we may want to do what's called a white card and say, okay, you caught this; keep looking for another way that you could catch this. Let that one go and pretend that you're not seeing that, let's threshold that for a little while, see what else you can detect. So we can do those kind of things. But the other way we may consider this is: if the blue team can see everything because their orchestration is really good, what if, instead of trying to go more covert so that there's less for them to see, what if we do the opposite and we go really, really overt, so that when they look at their network it looks like their network has exploded? It looks like the attacker is everywhere, everywhere, everywhere. And if it looks like we're everywhere, what can the blue team possibly do to detect or respond to the very

specific place and specific actions that we actually want to accomplish? We're talking here about creating some kind of fog of war effect, so that the defenders see all of this action going on in their network but don't have the ability to respond to what we're actually doing. Here's an example of a little bit something like that. This is me teaching at the TBT 570 class we do with SANS, which is red force versus blue force, where I play the red team and then the students are all different groups of the blue team, and they have to defend this environment against an attack campaign. This is campaign B, I think. And if you notice here, that's Cobalt Strike as a screenshot behind the scenes, and all of their systems are beaconing out to me. But am I doing operations on all of them simultaneously? Or is the tool on the left hand side, which is not Cobalt Strike, the actual remote access tool that I'm using in order to compromise the environment and accomplish my objectives, where Cobalt Strike exists just to get them focused on it? Cobalt Strike's a little bit louder; there are signatures for it. If you have something like Endgame, it might really focus in on Cobalt Strike. So while they're spinning their wheels focusing on all of these loud signatures that sure could potentially be bad, we're actually accomplishing our operations, our covert operations, external to the overt noise that we're creating inside the environment.

And so if we want to orchestrate an attack campaign in this context, we have to reverse engineer the blue team. And the blue team essentially does detection and then response. On the detection side, the way that we tend to operate in order to avoid detection, or to operate in the detection window of blue team, is we try to be more and more covert. Or alternatively (something we're not going to talk about today), we could attack the blue team defenses to disrupt their detection capability. For example, if I'm trying to do really hardcore covert operations and I get onto a system, one of the first things I'll probably do is kill splunkd.exe if they're using Splunk as their SIEM, because now suddenly that system is no longer responding, and then we'll do whatever operations we want and then probably turn Splunk back on, so that they can't tell that the system is actually down and has stopped responding; it looks like the system started responding again and now it's just missing the logs that were potentially at risk. So we can attack their network defenses as well. There are a large number of things you can do to attack network defenses; for example, with EDR products, if you use local firewalls or ARP cache tables you can prevent the

EDRs from communicating with the actual endpoints, and if they can't communicate with the endpoints, they can't alert the defensive team either. So there's actually a lot that you can do, from the perspective of attacking network defenses and network controls as the red team, in order to degrade the blue team's detection capability. And so if we're operating in the detection, the counter-detection, standpoint of things, there are some things we can do. Now on the response thing, like they've found us at this point and they want to respond, there's a couple things you can do as well, because the thing is, with detection and response, that cycle for the blue team, their objective as a blue team is to detect the attack and respond to the attack before the attacker delivers effects, like, let's say, the ransomware. For example, that company that I gave as an example here, where they were ransomed for 1.4 million dollars: if they had responded at any point before the ransomware hit, it's no big deal, right? It's either 1.4 million dollars or nothing, because if they can respond before the effect gets delivered, it doesn't matter that they were compromised. This is another thing that blue teams don't realize: it doesn't matter that you're compromised; what matters is that you can respond before the attacker delivers their effect, be it ransomware, be it data theft, whatever it might be. And so, as the attacker, if we want to be successful during the response, we can hack faster. So if they've detected us and they're in the process of responding, but we are able to be more efficient, or to speed through the network and deliver our effects faster than the blue team is able to respond, then we still win. Okay, now alternatively, what about the blue team's resources? What if we give them more to respond to? So the thing is, attackers have been doing all kinds of denial of service attacks for eons and eons and eons, and by eons I mean computers have been around for eons, right? So attackers have been doing these kinds of attacks, like SYN flood attacks, right?

A SYN flood is a denial of service attack; generally it's a distributed denial of service attack, you're doing it from multiple different hosts, but the objective there is to exhaust all of the resources for that remote host, generally a website or something, right? So it's a website and we're doing a SYN flood attack because we're Anonymous, and Anonymous has just come back. Okay. And so they're doing this SYN flood attack; what is their objective? They don't really hack into the box; all they're doing is over-utilizing all the resources that are available to that system, and now the system is no longer available. But we have to think of blue team itself as a resource, because if we can exhaust all of the blue team's resources, then we've essentially done a denial of service attack against the blue team themselves. And this is what we're talking about when we talk about overt operations. So we look at overt operations and we look at the covert-to-overt continuum. We can, of course, if you want to be more covert, we can slow things down. If we want to stay underneath the weeds, we can do that targeting of network detection controls and attack those. More overt is to hack faster, right? We're going to be louder; we acknowledge that these are overt operations, but what we're taking a gamble on is, we're gambling that we're going to be able to hack fast enough, to hack faster than they can respond. And then finally, with blue team resource exhaustion, we are being very overt, because our objective there is to give them so much to respond to, really overt, that they can't actually respond to the things that matter the most. And so if you look at the timeline here, we can compress or stretch these different components of the blue team's detection and response capability. And so all of the operations that we as red team perform within this continuum, their objective is to either stretch that detection/response window or to compress our operations into that window so they fit within it. And so if we want to target the blue

team directly, we have to think about how they do operations. So we need to break down and deconstruct their security operations center in order to do things like identify what we want to do to exhaust those resources. For example, most organizations have a host team and they have a network team, and if we're exhausting the network team but we haven't done the host team, then we might actually still be losing. So we want to deconstruct their actual operations and then perform exhaustion attacks against all of those components. So for example, we might go back to exactly what we talked about with the C2 tools, right? We wanted to find, for a covert operation, a C2 framework that lets us do custom profiles. Well, what if you do the Cobalt Strike default profile? Most intrusion detection systems (I hope all of them, but most detection systems) will trigger an alert that says "C2 tool detected" if you're running Cobalt Strike in default modes. So generally speaking, as an attacker we're thinking about covert, so we want to modify everything and do everything custom. But what if we just take Cobalt Strike and we plant it on all of the systems in the environment, and we don't even care if they find the C2 servers, because we're not using them? The only thing we care about is your IDS is telling you that there's outbound attack traffic from your environment: go look at hosts one through five thousand, because they're all doing it. We don't want to be slow here, right? So we're looking at the overt-to-covert continuum; instead of hacking slow, we want to hack faster, or at least make it appear like we're hacking faster. So we want to have these beacon intervals be really, really loud. What you see on the right hand side is a tool called AI-Hunter, which is really good at discovering beaconing-based malware. We want to make it really easy to discover in AI-Hunter, because we want not to hide in the noise; we want to create noise to actually hide ourselves in. So it looks like all of our outbound

stuff is beaconing really rapidly. We can also spoof these. This is actually really, really, really cool. When people first get into security, they're like, oh yeah, you can spoof your IP, but when it comes down to it that's not exactly true, because if we're looking at a protocol like TCP: TCP is connection oriented, right? It's stateful. So you send a SYN packet in, you get a SYN/ACK, and then you acknowledge that you received that SYN/ACK, and now you've established through a handshake, and then you send data via, like, PSH, PSH, PSH messages and so on. Okay, this means that you have to track that session state, which is done by the sequence numbers in TCP. So you can't actually spoof your IP address, because when the target system responds to that spoofed message, the system that received it is going to have to respond with the sequence numbers that are calculated based on the first SYN it received, and will only accept that final ACK if the sequence numbers match as well. So you actually need to understand both sides. But the thing is, if we're doing attack operations we can spoof both sides, because we can fake both of them. So we can spoof from inside the environment and then spoof the responses that come back in to them from wherever we would like. So let's say I have a C2 IP address that's on Azure. I can spoof any IP address response on the outside as well as the inside. So let's say on the inside I've got my little spoofing tool (and maybe I'm using Scapy for it), and I send a SYN packet out to an IP address on the internet that doesn't have a host that's up, just any random IP address. Okay, now on my Azure side, right, the one that is really my C2 tool, I can spoof a response, because I actually know what the sequence numbers are from the original SYN message, and the sender is going to receive that and it's going to be able to send back that ACK. So we can actually spoof all sides of this. The thing is, we won't actually get the results, the traffic, but if we're doing overt operations we don't care about the results of the traffic. This isn't real C2; this just looks, for all intents and purposes, like real C2, which means we can make it look like your environment is being compromised by hundreds of thousands of remote C2 servers simultaneously, by spoofing both sides of the communication really, really quickly in their environment. And so on the network side, most organizations, they tend to be very, very network focused in their defensive strategies, and on the network side they're going to want to put in firewall rules, but they can't put in firewall rules for the entire internet,

and if we spoof to make it look like the C2 addresses are every host in the entire internet, well, their network team is immediately compromised and their resources are exhausted, so our real C2 is now much more effective, because they can no longer detect and respond to it, because their resources are now over-utilized. Here's an example of one of the tools they might use to do some of this detection. This here is the ELK stack; this is actually via the Security Onion version. And so the network team may be relying on something like this; our objective is to fill this with bogus information such that the actual attack information that we're looking for is no longer easily discernible, because it's full of all kinds of other things that look like really bad attacks that need to be responded to. And so the other side of that is going to be host operations. They might be using, say, Splunk senders to get host event logs; they might be using something like, say, Cylance. So here we see host logs, Cylance, CrowdStrike, EDRs. We want to fill the logs of all of these systems as well in order to cause over-utilization of the host. So that means if we want to make everyone think that we ran mimikatz on a system, so they have to respond to that, we don't actually need to run mimikatz; all we need to do is create an event log that makes it look like we ran mimikatz, because then in their SIEM, their SIEM is going to tell them they ran mimikatz, because those log forwarders, they're not actually looking for techniques being executed; they're reading the logs, and those logs have been constructed such that the blue team will have good indicators of compromise to look at. So what we need to do is identify what those indicators of compromise are going to be, and then we need to fill the logs on all of the systems with that. It turns out that PowerShell is extremely good for this, and with PowerShell we can use the Get-Event, or not Get, the create event log cmdlet in order to accomplish this. Let me pull this up for you so you can see an example.

Come on, computer.

Computer doesn't want to work the way that I intend it to, so we're just going to cheat it.

So if you were to jump to something like a Windows machine here and open something like PowerShell...

Buddy, copy and pasting is hard today. All right, we'll just open up a text editor and slap it in a text editor.

So you could run a cmdlet like this. Here's a real quick one-liner, and all it does is add a new event log where the event source is mimikatz.exe. And if you're building a detection (holy macro, computer), if you're building some kind of detection where that detection is looking for certain strings that are known to be bad, like mimikatz (maybe that's a really common one to have some kind of detection built around), we've essentially just created event logs that allow us to create that in the event log. And since the New-EventLog cmdlet in PowerShell actually lets you run it against remote computers, we can have access to a single

computer in the environment and run this against all of the computers in the environment to make it look like mimikatz has been simultaneously run on every single system, local to that actual system. So we can absolutely control what the actual defenders get to see in the environment, and if we can control that, we can make it look like something like this. This is mimikatz being executed everywhere, and so now that they have detected it everywhere, they need to respond to it everywhere and can't respond to what really matters. Where else might we find some of these things to use as detections? The Living Off The Land Binaries and Scripts project has a list of those. Defenders today often go through these LOLBAS in order to build detections in Splunk or in ELK to determine whether or not an attacker has run something. So if we go through here, we have now a list of things to make our covert operation scripts do. And of course the attackers, or defenders, know all about different languages and such that are being used, so if we're using something like PowerShell and PowerSploit, all of these things are malicious in nature, and so if we make it look like that has been executed somewhere, or we actually just drop it and run it somewhere, but we do this ad nauseam to hundreds of systems, that's all more noise the defender has to respond to. And so what we're doing here is essentially reverse deceptive operations, where the defender may want to deceive us to make us vulnerable, susceptible to a trap; we can also trap the defenders here too, make them think that the attack is happening in their finance department when we're actually focused on getting data from HR, or whatever it might actually be. And we can absolutely take advantage of Sun Tzu style techniques here. Now if you're interested in things like cyberspace deception, there is a podcast that's called the Take Back the Advantage podcast by Kevin Fiscus. It's a full YouTube channel; it's really, really good, actually. I was in fact on a podcast with Kevin Fiscus a couple weeks back and all these videos were up there. Really interesting way to make your mind think differently about cyber security than perhaps it has in the past. Here's my contact information if you have questions that come up at some point in the future and you want to reach out, or you want to jam about red teaming and cyberspace trapping and deception and all those kind of things; I'm totally into it. I'm pretty active on Twitter, so that's probably your best bet to look me up. I also have a YouTube channel and I do videos on these kinds of things all the time.

Hi Matt, John, we're right up at the end of our time here, but there's actually a great conversation going on in the Discord right now. We're gonna move that to track four breakouts, so if you'd like to jump on there at the end of this, there's tons of questions and there's some back and forth that I think that you can definitely help out with. Thank you.

Perfect, I'll jump on the Discord and we'll chat it up. All right everyone, thanks so much for your time. I hope this was interesting for you.
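As an added example (not from the talk, the speaker, or Open Security), the following Python is the defender-side triage that the planted event-log indicators in the talk call for: each "mimikatz" string hit is checked against genuine process-creation telemetry on the same host, and identical entries that fan out across many hosts inside one minute are flagged as a planted campaign. The provider set, the field names and every event are assumptions constructed for this example.

```python
"""Triage of planted event-log indicators: an added example, not the speaker's code.

Two defender checks separate planted "mimikatz" entries from real activity: a hit that
no process-creation provider backs on the same host is uncorroborated, and identical
entries on many hosts in the same minute is the fan-out of a planted campaign.
Events and field names below are constructed assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Providers that really observe process creation (assumption: adjust to your telemetry).
PROCESS_CREATION_PROVIDERS = {
    ("Security", "Microsoft-Windows-Security-Auditing", 4688),
    ("Microsoft-Windows-Sysmon/Operational", "Microsoft-Windows-Sysmon", 1),
}
# Strings the talk says string-matching detections commonly key on.
INDICATOR_STRINGS = ("mimikatz", "sekurlsa", "powersploit")


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def mentions_indicator(ev):
    """True if the provider (source) name or the message carries an indicator string."""
    text = (ev["provider"] + " " + ev["message"]).lower()
    return any(s in text for s in INDICATOR_STRINGS)


def is_process_creation(ev):
    return (ev["log"], ev["provider"], ev["event_id"]) in PROCESS_CREATION_PROVIDERS


def triage(events, window=timedelta(minutes=5)):
    """Split indicator hits into three buckets.

    process_hits:   real process-creation events that mention an indicator.
    corroborated:   other hits with a process_hit on the same host within the window.
    uncorroborated: hits with nothing behind them but the string itself, which is
                    what an entry written from an arbitrary source looks like.
    """
    process_hits = [e for e in events if is_process_creation(e) and mentions_indicator(e)]
    proc_times = defaultdict(list)
    for e in process_hits:
        proc_times[e["computer"]].append(_ts(e))
    corroborated, uncorroborated = [], []
    for e in events:
        if is_process_creation(e) or not mentions_indicator(e):
            continue
        t = _ts(e)
        backed = any(abs(t - p) <= window for p in proc_times[e["computer"]])
        (corroborated if backed else uncorroborated).append(e)
    return {"process_hits": process_hits, "corroborated": corroborated,
            "uncorroborated": uncorroborated}


def fan_out(events, min_hosts=10):
    """Identical unbacked indicator entries seen on >= min_hosts hosts within one minute."""
    hosts = defaultdict(set)
    for e in events:
        if mentions_indicator(e) and not is_process_creation(e):
            minute = _ts(e).replace(second=0, microsecond=0)
            hosts[(e["provider"], e["message"], minute.isoformat())].add(e["computer"])
    return {k: len(v) for k, v in hosts.items() if len(v) >= min_hosts}


def sample_events():
    """Constructed telemetry: 11 planted entries, one real mimikatz run, one benign event."""
    planted = [
        {"time": f"2020-07-11T10:00:{i:02d}", "computer": f"ws{i:02d}", "log": "Application",
         "provider": "mimikatz.exe", "event_id": 1000, "message": "sekurlsa::logonpasswords"}
        for i in range(11)
    ]
    real = [
        {"time": "2020-07-11T10:02:10", "computer": "srv07", "log": "Security",
         "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4688,
         "message": r"New Process Name: C:\Users\bob\Downloads\mimikatz.exe"},
        {"time": "2020-07-11T10:02:12", "computer": "srv07", "log": "Application",
         "provider": "ExampleAV", "event_id": 42, "message": "Blocked mimikatz.exe"},
    ]
    benign = [{"time": "2020-07-11T10:03:00", "computer": "ws03", "log": "Application",
               "provider": "MsiInstaller", "event_id": 1033, "message": "Installed product"}]
    return planted + real + benign


if __name__ == "__main__":
    evs = sample_events()
    result = triage(evs)
    print(f"process hits: {len(result['process_hits'])}, corroborated: "
          f"{len(result['corroborated'])}, uncorroborated: {len(result['uncorroborated'])}")
    for key, n in fan_out(evs).items():
        print(f"fan-out: source {key[0]!r} on {n} hosts at {key[2]}")
```

Against the constructed sample the eleven planted entries come back uncorroborated and as a single eleven-host fan-out, while the one real run on srv07 is kept as a process hit with its AV alert corroborated.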
