
Have Your Pick of the Litter

BSides Charlotte · 2019 · 47:03 · 38 views · Published 2019-11
About this talk
Speaker: Fernando Tomlinson. Sincere apologies, but we had to revert to the backup footage.
Transcript (en)

Storing Stagers in Enterprise Services. All right, this is a very interesting topic, at least for me and possibly for you, which is why you're here. The agenda: we'll talk about a little bit of history, give some examples of actually putting this into use, and wrap up with some other training, free training in this environment, in which you can practice some skills.

But as we start, this is me. I've been with the DoD for about 18 years, really enjoy what I do in that space, technically director for a cyber operations center, very much in love with PowerShell, you'll see that right throughout, so much so that I'd like to develop tools in that space, whether it's Blue Team, Red Team, what have you. I also like to give that back, because you heard Dave talk about how everybody gets their start, and I got my start because somebody took some time and kind of helped.

So as we start talking about this, we first have to define what we're talking about. We're talking about stagers, so let's define malware first. This may be a TL;DR type thing, so we'll sum it up: essentially we're talking about malicious software that's designed to infiltrate and do things to a machine without actual consent. That, at its core, is what malware looks to do.

So where did it all begin? Well, it began roughly about 1971 with Thomas, who created Creeper. It really wasn't thought to be malicious at the time; it was really "can I make this execute on another machine through some type of connection?" At the time that was ARPANET, before there was the actual internet itself. It wasn't meant to be malicious in nature, and as such the replication, how it would propagate, was really based upon human interaction. Then there was a time in which somebody looked to make it in a more virulent fashion, and when it could replicate on its own, that's where it moved to.

When we look at where we're at today, malware today is definitely more sophisticated than anything else. We have malware that is polymorphic; we have this whole cat-and-mouse game. You heard Dave talk about adding to the care of stores, so as somebody of malicious intent is developing malware, and as a defender comes about and actually finds that malware and/or creates detections to defend against it, the defender, I'm sorry, the malicious person is constantly looking for new ways to really go and get around them. So it's a cat-and-mouse game that's always going on.

But at the core, now we're more into a space in which this is almost like a business, where people are backing individuals that develop malware, whether it's through financial gain or whether it is through the equipment itself. While we still have people who are Lone Rangers, if you will, we've gotten to the point of it being organized crime and state-sponsored, who really started to change the game, and we see that it's very rapid in this space today.

When we look at the different types that are out there, now this isn't all-inclusive, but just some of those that are prevalent today: I think viruses and worms, those kind of go without saying. With ransomware in this space

right, really, really huge. It's gotten to the point where people are on a machine encrypting a set of files or folders, or just data, period, and then holding them for ransom until somebody pays some fee, and never giving those files back unless that fee is paid. Rootkits have been and continue to be a thing, very, very stealthy and dangerous, and really difficult. Trojans, keyloggers, adware and others definitely make up a ramp-up in this space as well.

Then when we talk about really hiding our malware, or somebody trying to hide their malware, we have packers: now they're trying to compress the actual true binary, let's say it's some standalone, you know, BGInfo or what have you. You're trying to compress that so they can allow their malware to be wrapped with it, so it will be self-contained, and upon execution it starts to do its own self-extraction. We have people using crypters, so that if the binary is found, whether it's an actual EXE or DLL, there's some form of encryption or XOR applied to it so it's not as easily detectable. The whole polymorphic aspect, very stealthy in nature, makes it much more difficult for a defender to actually find it. Why? Because it is consistently changing its form or fashion from system to system or platform to platform.

Then we get to the point where we start talking about stagers, and really this is the basis for the actual talk. So stagers themselves, at the core, are going to allow us to learn a little bit about the machine before we bring in the actual real payload that we care about. When we take a second to really define stagers, we're talking about something known as a dropper; some people call them downloaders, or the like. But at the core these are tiny, minor pieces of code that get shipped or packaged with our initial payload. So maybe we have an exploit that's going to be our initial access, our initial vector, on a machine. Rather than bringing in the actual real payload that we care about, not really understanding the state of the machine, whether AV is going to pick it up or maybe there's some good defender that's going to be able to highlight our stuff, we'll first put something lightweight on there that's going to allow us to protect our equities, the very thing that we maybe spent time, money and resources developing.

If we essentially allow our stager to look around and figure out that the coast is clear, that's really, really great for us. But that stager is going to allow the system to initiate some connection back to our C2 server or servers, because outbound traffic typically goes a little bit more unnoticed than somebody actually trying to get in. At the core, losses are low if our toolset is found, because again this stager is going to be very, very small; we'll look at a couple of examples here. Regardless of what malware we're using, it's going to be expensive, whether we spent the time and money on buying it or we spent the time and resources actually developing it.

So delivering that looks something like so: we have an actual machine, it gets exploited, the stager may be attached with it (this is just an example; it wouldn't always be this case). We have that stager on the machine; that stager then initiates some communication, or some type of traffic, back to our C2 server or a subset of servers. We may have it reach out to a number of servers so it's not static in nature each time. Once it reaches out to that machine, that C2 server would have a second set of instructions: maybe go survey the machine, or give me this type of data, or execute this next payload, or just go to sleep for a period of time and then reach back out to me later on. At any rate, typically that next stage, if not that first stage, is going to be encrypted; I want to be able to protect that data and the communication as much as possible. But that second part is really where we look to see the malware, whether it is a virus, a worm, a rootkit, a keylogger or what have you; that's really where we start to see that being done.

The common tasks, not all-inclusive but generally speaking: before somebody, maybe myself, invests a lot of time and effort into a machine, I want to know if that machine is clear. I want to know what the state of the machine is. Is some AV active there? Maybe the exploit that I have, the follow-on payload, maybe that machine isn't susceptible to it. So we would look to probably survey a little bit; some AVs are better than others. What is the state of the machine, what does the environment look like? Based upon what comes back, our next follow-on steps will be done accordingly. In some cases we may look to start terminating services in order to ensure our equities are taken care of. We want to validate if it's a virtual machine. Now, if the environment runs on nothing but virtualized infrastructure, then this is a moot point, but in some cases, us running in a virtual machine could mean that somebody's trying to conduct some type of analysis on us.

At the core, we can get execution of our payload, of our stager, either through somebody opening or executing some file, it could be some web link, or it could be based upon a number of conditions, i.e., this timeframe has passed, now execute, or when a particular user logs on, now execute. We have the ability to really hard-code that and have some granularity into how it may execute, and not every environment is going to be the same. Some people will look to follow some type of methodology as far as trying to terminate this. Who's heard of the Cyber Kill Chain? Okay, cool.

This is a framework, much like a few other ones. When we look at this, it's broken down into reconnaissance, weaponization, delivery, exploitation and so on; you kind of see it there. It was developed back in 2011, and it's not a bad framework. I'm not going to say which one is better than the next, but as long as you're following some framework with some type of methodology, that's great. It's linear, so we're going to go one stage after the other. Really, the idea, if you're defending, is to get ahead of where this may take place. So we know someone is going to do reconnaissance and they're going to work their way down. If you start to see something like reconnaissance, or maybe your organization is in a place at which you can see it happening, then you may want to jump down one or two and figure out how you can stop them there. You don't want to follow somebody down that same path, because inevitably you're not going to be able to catch up with them.

When we break this down a little bit, we look at reconnaissance from the perspective of somebody just trying to gain an understanding of our organization. That could be as simple as what's published about us from an open-source perspective online, things that could be found out and used against us. In some respects, if you're in this space, the spouse, significant other, parents, cousins, typically those are the weakest links, because you could do everything in your power to lock down your social media and everything else, but some of your friends and family may not believe in that same thought process, so people can leverage those types of people to gain some information about you as well. And if we're totally, from an organization perspective, not visible online, it makes it a little bit difficult for people to understand a product or e-commerce that we're trying to sell or use.

So from a weaponization perspective, after we've gained enough knowledge from the reconnaissance perspective, we're going to look to craft, or in some cases find, the vulnerabilities against that organization, whether it be a zero-day. Again, maybe that's not the space you run in, but I'll tell you, zero-days are almost equivalent to eight-days in my opinion, because how often are people running out the next day and updating their machines? Some organizations, maybe yes, but there are still some organizations running XP. I went to an organization that had Server 2000 still running all that infrastructure, and to let them tell it, it was a vital piece and still is a vital piece.

From that perspective we go down into the delivery aspect, and now we're trying to figure out how we can actually get it on the machine. So we've done some reconnaissance, we've done some weaponization as far as our payload or initial payload; now we've just got to actually get it to the machine itself, ease into the exploitation itself, and then from there we're trying to install something. Now, from the perspective of our stager, this is where we start to come in. We're trying to get our stager on a machine; we're trying to put it in a place where it's not really installed, but it's definitely there so it can be called upon. Once we have that executing, we actually are communicating with our C2 server or servers. From there we get to the point of going after whatever our objectives are. But really the key pieces that we're going to focus on are these two things: installation and command and control. That is really the basis for this talk.

We've already assumed you've done some reconnaissance, weaponization, you've got it on the system, and now you're at a point where you're actually just trying to get it installed so you can reach back out to your C2 server. One way in which one could do that is like so: it would take the data, convert it to bytes, then base64, and then store it. That's one way. You could do this in reverse order; you could do one of them, all of them, none of them, it doesn't matter. Like there is no wrong way to eat a Reese's, there's really no wrong way to do this, unless the defender has some type of device that's going to highlight it. This is not a one-size-fits-all thought process, but this is definitely a way.

We've already highlighted that we're talking about this from a post-exploitation perspective. You're already on the machine, cool; we need to figure out the state of it, or maybe the coast isn't clear for us to lay down some type of binary. So from that perspective we are going to take a fileless approach. Again, our stager is going to be nothing but some actual code that's going to run out against something else for us. The good thing about it is it's there when we need it, so we don't have to keep going in there.

So for this presentation I'm going to use what's shown out before us. I'm going to utilize PowerShell here. I'm going to reach out to a C2 server that I'm going to say is 192.168.0.100. Right now I have it running over HTTP; we can do HTTPS, and we're going to do some of it manually as well, but from a simplistic perspective that's what we're doing. The next line converts it into bytes, and in the third line I'm going to switch it to base64 and spit that base64 out to the screen. My C2 server I'm going to call back on quad fours, and my payload was going to be stager.ps1. I could just name it "s" or "a". This is the good thing about this, because ultimately this base64-encoded string is what's going to be on the system. Somebody decodes that, what do I lose? I lose that URL, being an IP address or domain, I lose that port, and I lose whatever that file name is. Now, stager.ps1 would give away to a person that this is a PowerShell script, and give away that it is a stager. So if we name it something like "a", when a defender is looking at it, I don't know what it is, or what is this "a"? I don't know; it's whatever is hosted there at the time. So at nine o'clock in the morning it could be some text that changes your screen blue; at ten o'clock in the morning that same file could change your text. So the good thing about it is it's very agile in the sense of what we can do with it; we're just posting whatever we need at the time and the place.

All right, so the first one we're going to actually use is Active Directory. Active Directory is a great enterprise service; it's going to provide some authentication and authorization across an enterprise. If you're in the Windows environment, especially the domain environment, you're definitely going to have Active Directory. The objects in there are usually arranged in the sense of users, computers, there's some groups, but largely they're separated into organizational units for simplicity. The database itself, what we see, is stored in System32\NTDS, and it's going to be locked by default, but no harm, no foul for us; we're not trying to take it.

When we look at the directory, we see something like so. Now every environment is going to be a little bit different in this perspective. On the left-hand side we have an East Coast OU, followed by a Boston OU, and then we have some OUs under it. Within the Boston OU we see a number of users, some groups, we see some descriptions, all this good stuff. So this is great; this is typically how an admin would actually administer Active Directory, and we utilize this GUI. Some people look to utilize it through the command line, whether it be PowerShell or some other third-party tool. From the PowerShell perspective we can see how we're using Get-ADUser, and we're able to get the same information from Active Directory.

Now this is good, because you probably are in an organization, or have been to an organization, in which there are people who haven't worked there in some time and they're kind of still there, or there's some service account that's trying to log into a computer and failing that authentication on a day-to-day basis. Maybe they have a service account set up to perform some service and the machine no longer exists, or the password changed, or what have you. So this is a goldmine for us. When we look at one individual object, we'll see something like the above here, and from a PowerShell perspective we're seeing some of that same data. The interesting thing about Active Directory is that there's roughly 50 properties for us to actually use. Some of them have size limitations; we're cognizant of that. But the good thing about it is

by default, domain users can read Active Directory. That's good; it seems like I just need to get some code in there, and no matter what machine I'm trying to run the second part of my code on, they'll be able to read that property and then go out and execute. Okay, so now from the perspective of what that really looks like: up front, when I was talking about my stager, my base64 code will always be the encoded text for the context of this brief. So I'm going to utilize one of the three properties that isn't shown by default. If I were to go into the GUI aspect of Active Directory, I wouldn't be able to see Employee ID, Employee Number or Division except with an attribute editor; there's no other place that it's shown by default. Would they have that turned on? Maybe, right, but again this is all about knowing my environment; I'd say nine times out of ten they would.

So I have the ability where I'm going to call upon the user, in this case I'm going to do Big Shake, and then I'm going to set that AD user's Division property with whatever that base64 encoding is. Again, if they wouldn't naturally be in the attribute editor, they wouldn't be able to see it. Now I could get a little more stealthy in this and add an actual value that looks like it makes sense with Division, and push that down, but from a simplistic perspective, there. Now when I call upon it from the command line, we see it as below. Again, I'd need somebody to go into an attribute editor to actually look at that. The fact is I would rather take my chances with this, because I don't believe an admin is going to go in there and do it, nor, if it got to a point in which they did, would it be something that causes concern.

The next one was the registry. Now that's my favorite, actually, because I was up at Microsoft in Charlotte like two weeks ago and I was having this conversation about the registry. There are so many keys, so many values in the registry, that I was willing to make a bet, a 50-cent bet, that there's no admin in the world who can tell you about every key and every value on a Windows machine. There's just so much stuff, and with that plethora of data that's there, that seems like a good place for somebody to stage their code. In my example I'm going to go one layer deep, but largely speaking we want to go several layers deep.

So the registry is really formed like so: we have our registry files on disk, and then as we go through a process, either the Windows system itself booting up or a user logging in, those hives on disk get loaded into memory, and then they become our actual HKLM or HKCU, the things that we're accustomed to seeing in the registry while we're logged on. While the person is logged on, those things are actually locked and they're not editable by a user. The things that get loaded and where they sit on disk are as follows: we have SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT; those all get loaded into HKLM or HKU. Then we have NTUSER.DAT and the actual UsrClass.dat; those two sit in the user's profile and they get loaded into HKCU. If I was logged on and we just did Switch User, rather than my NTUSER getting unloaded, I would then have my user hive moved over to HKU.

From the perspective of the registry, though, again, I'm one layer deep, so under HKLM\SOFTWARE I created a key, I'm sorry, a value, called updater32, because frankly speaking, if we add 32 or 64 onto the majority of anything in Windows, most people look at it and say okay, that looks legit. Then we've added our code here. Again, from a PowerShell perspective I'm just adding a new item, and I see it there. Now, if I get to the point where maybe this is too loud, then again I would put in some padding to push it off the screen, make it so that they would actually have to double-click and open it, and with my padding I would have some other verbiage up front. One layer deep right now; if we went like four or five layers, it would be tough for an admin to be able to see it there. We will talk about some mitigation techniques, though.

All right, we have event logs. Now, event logs are very interesting from a good perspective. We have Event Viewer; these essentially provide some form of notification, detailed notification, of things happening on a system. While the event logs provide a lot of information out of the box, a number of good entries need to be enabled using auditing, and that's not really what we're here to talk about. What we're looking to do is take advantage of the fact that good places for our code will be really anywhere that's cumbersome, with a lot of data that an admin can overlook, and this is a good place. The bad thing about it is typically these things are circular, so as events pile up, the code that we have in there could be overwritten. To combat this, we'll look at making our own. But when we talk about there being a lot of logs in here, we're talking to the tune of 386-ish just off of a Server 2016 machine. So that's a good place for us to be, particularly speaking if we could name it in such a way with 32 or 64 or something on it, which could be passed over by an admin.

So I talked about making our own event logs, and the reason for that is because if we look to put our stuff in Application or the Firewall or one of these other logs, again, our stuff may be overwritten and essentially pushed off the system. When we put our stuff in our own custom log and wrap some other stuff around it to make it look legit, we stand a chance to live in the event logs a lot longer. So what we'll do is create a new event log; I'm going to call it Windows Updater, and I'm going to create a source. The source is nothing more than, you'll see at the top of the event log here where it says updater64, the identifier for that actual log itself. So we'll write our encoded message out to the event log. Now I have my base64 sitting there; I can go back at another time and just make sure it's there, and from there I have the ability to read that log, call upon the message field, and then pipe it into something that's going to execute it.

Again, this contains my stager; that stager was nothing more than a URL wrapped in System.Net.WebClient. No harm, no foul if this gets found: I lose an IP address, maybe a domain, I lose essentially that. In this case they see stager.ps1, but they don't have access to that file; they just see what I would be going out to get. Now they could get a little, you know, curious and go out there and try to navigate to my server. We're not really talking about how we're going to stop that, which we would be able to; we're just more or less identifying where we can store this stuff so we can go

back and get stuff later on we also have group policy from policy is a little iffy but we looked at group policy to self that's going to be the hierarchical infrastructure that's going to be used to implement specific things whether it's probably miss elation settings or just really any other configuration that we could think of from an enterprise perspective we have policy management from a local system perspective we have the actual loop room policy itself does it really matter which one we're going to use we have the ability to store a code there from a management perspective we're going to utilize the description field well there's a number of editable things with a group policy that we can use the

last thing we want to do is put our code in something that has some adverse action on the box so we'll look to put it in the actual comment field able to do that we'll call upon our default domain policy because I thought it's going to be implemented everywhere and then we're going to store our encoded text and description now when we do that I see it just at the bottom there and I could comment normally I wouldn't care as much but this is one of those things that I feel like an admin would be in group policy clicking around and it would stand out so I'm not too keen about leaving out there what I look to

do following this was to add in seven new lines so what powers oh we're just adding in new lines and then I want to put my encoded text so I'll look to see what that does for me and lo and behold that actually pushes that code down okay I'm on to something seven new lines pushed it down so now I look to do that a little bit more and in this case ended up doing 20 when I do that based upon the screen there's no size that the user can make it in which there they be able to see that however I don't look from a PowerShell perspective they call upon it and in this case I have a

variable called retrieve I see that blank space essentially those 20 new lines and then I see my code this is a good chance that I'm willing to take at the moment not knowing who the admin is nor do I know how they actually do their job but I know one thing most admins are not going to be using a command line to to administer policy they're going to be in group policy management or the local group policy window itself and they won't be able to see that to the screen and then us will actually execute that there's nothing more than calling upon it and pass it into some type of execution engine and on actually demo of

doing one of these at the end then we have alternate data streams now what's interesting about that is if you've been in this space for a while you may be saying well alternate data streams isn't new I recognize that but it still works all right so as long as it works we're still going to use it now what maybe do is that we're gonna put some malicious code in here people hiding data in there yeah it's been anything but when we look at alternate data streams definitely something as part of NTFS file system was made as a cross compatibility for Mac OS by default has a stream of dollar sign data also the dentist rooms also used by

Internet Explorer depending on if you have your internet itself set up have you ever downloaded something trying to execute it it tells you hey this came from the internet you shouldn't trust it or what have you it's like well happy you know that well there's an alternate data stream associated with the causes of the identifier and it has a tag Adir telling you that the file came from the Internet we can easily remove it we can easily add some stuff to it that's interesting so in this case we'll look to make our own so we can actually get around it now as we look at this I'm going to get the metadata associated with this item and it's called my file

all I did was make a blank file or empty file and I see the link is 0 I'm gonna write some green eggs and ham type stuff to a alternate data stream that I called my stream when I look at it it's going to be $35.99 bytes but again the size of the original file the host file itself isn't altered so that's cool now I need to figure out the place to put it and wish this thing doesn't get overwritten or messed with what on a local machine then this is a good place right it's hijos definitely not to be there you're not going to touch it feel pretty confident about this know the environment won't dictate where is a

good place but as he host seems good for me so I'm going to take that file that's already there I'm gonna add content to it and the content that I'm going to add is a alternate data stream called secret stream the thing I'm going to fill with it is encoded text so for me to actually see this I'm going to need either power show or some other tool could be able to see that all to the data stream in this case at the bottom I'm going to go and read that and I see my color again this is nothing more than a stager all right then we have the environment variables all right these things are

dynamic in our environment and they're really based upon the system itself so when we had up here a while ago when dirt we that was essentially a environment variable and say you waited we're out when those directory was on that machine there is a number of them there but it makes it to where you don't have to hard code stuff in some people would do the baseline installation when it comes to windows other people install windows on that say their D Drive so Alton I'm sorry if our new variables help us with that there's two types there's going to be user specific and then there's going to be system once system one's a global nature going to

persist past reboots so this seems like an awesome place for us to put things in so we can go back and grab them later on the way we would do that is like so we'll create a new environment variable I'm going to call it program common program W 64y because there's already a common program W there okay so I put 64 next to it most people will say this legit and keep going about their business so we'll store it in our deucer run space first and then the second line is us doing it from a system-wide perspective the reason why we're going to put in our user space first is because what we add the system-wide one

it doesn't kick in or take effect until we reboot the box so I don't want to affect whatever system I'm on but I do want to be able to get after the task I'm using right now so when we do this we had something like so we have it being written to the registry we have to be written to the actual environment drive within PowerShell and what we wouldn't looked at our system variables like right clicking computer properties we see in there now I'm not concerned what people looking at it for PowerShell that's a one-off skill or one-off thing that people would actually use that necessarily looked worried about people looking at it from the registry I don't

see evidence doing that too often if anything and it may look there if anything so we'll look to push that off so and the way we will look to do that is kind of like what we did before with some padding instead of doing new lines we'll just add some padding to up front in this case that it was like seven or eight spaces that we had in there we're doing a little bit more and now we've totally pushed it off the screen again if I was concerned about somebody double-clicking it they would be able to see it but if I'm concerned about that I can add some text in there maybe I could see one of those something right and in

a number of padded characters just to push the rest of it off the screen. Then when we call upon this key we can get rid of the fake text and the padding and then execute it. So from this perspective we have the ability to actually store this on our system. The full code looks like so: that very first line, we have a space, and then we're going to pad it with 116 of them, and then we're going to add in our encoded text, and it would just continue on like we've created it before.

All right, and then we have WMI and CIM: Windows Management Instrumentation, and then Common Information Model. WMI was Microsoft's response to WBEM, all right, so it's gonna be the whole Web-Based Enterprise Management aspect, which was really an initiative to get after how do we share information amongst a system, and a number of systems. So Microsoft's implementation of it is WMI. WMI has been around for a long time, we're talking about roughly the 1990s, and it was made available within PowerShell up until version 2. With version 3 Microsoft has done away with that and they've come out with the Common Information Model, CIM. When we start talking about modern

versions of Windows, modern versions of PowerShell, that's the method in which they're going forth. WMI and CIM utilize a number of classes and namespaces. Largely these things are way too large for anyone to be able to understand, but nonetheless we'll dive a little bit deeper into these. Namespaces are organizations of the classes themselves. So let's say we had Win32_Process, for example, that allows us to get running processes off of a machine; that itself as a class would fall under some type of namespace. Maybe that namespace would have processes, services, the ability to read environment variables, or a number of other things. So namespaces are essentially buckets, and the classes

themselves actually allow us to get the information. The classes have properties and methods. When we look at properties, those are going to be essentially attributes about something, and when we look at methods, those are going to be actions that we can take. So this is all kind of interesting, because we can utilize WMI, and really CIM, to get after our task of finding a place to store our code, and we're going to do that outside of what they already have: we're going to make our own, because if we make our own there's no signature for it. But depending on our machine, the number of these classes kind of swings in a

sense of number. On the machine that I was on, I think this was Windows 10 I did this on, I had roughly 10,000 classes. Roughly 10,000, right? That's huge. These classes are made available based upon what type of software we have installed on the machine. But let's be real, 10,000 like that, that's going to be difficult for an admin to traverse, so they'd want to get after it another way, and the way we're going to do that is what I'll walk through. So I got a machine here.

Okay, cool. So I have a website that is being hosted by PowerShell. It's nothing more than a simple web server, so if you're used to Python, if you've heard of SimpleHTTPServer, it's the same thing in PowerShell, and it's literally roughly 18 lines. So, are you seeing this?

Okay, now you see it, cool. So we're talking roughly eighteen lines makes up this web server. What's interesting about this website is it serves up everything that's on my actual desktop. So we can come in here, and from a command-line perspective,

we'll just see if we can interact with the website, and we can. So the very thing that we call upon, stager.ps1: if you look at the third line under what's being returned, it has a COM object which is going to spit out a text form, if you will, right, a pop-up box. In this case it's just a pop-up box, but you could really host whatever you want, all right; it could be another piece of code that calls upon another site to download something. The good thing about how we're doing this is that that script that we're downloading, stager.ps1, never touches this system. The contents of it

are downloaded and stored in memory, all right, for the context of whichever process we ran it in. So depending on what type of AV we may have, this stands a high chance of not being caught, all right, because I would expect my AV to catch anything malicious that I put on my disk; with anything in memory, maybe not so much. So I'm going to create a new class called Win32_Defend64; it does not exist. The way we do that is we're going to create a new object, and then we're going to actually save it. Cool, so I have a new class that I'm gonna call Win32_Defend64. From there I'm going to

create a new property, and as you will recall, the properties are nothing more than attributes. So I'm going to call this property MyProperty; I'll store there just a string, and it's going to be, you know, just a simple test to see if I can actually write that to it. I'll go back and verify that it's there, and we can see down below, the second line there, it says "Value: this is just a test to see if data could be stored." Okay, awesome, so data can be stored. I'm going to go back through and take my stager string, and now I'm going to start the process of converting it to base64 so I can save it. But as such, I just have

my string. Cool, so then we'll convert it to bytes, we'll convert it to base64, and then we'll verify that it's there, and this is what I've stored on disk. So very minimal. If we see that this amount of characters is what's rendered with just a string, imagine if we were trying to put a binary; imagine if that binary cost us some money, right? Maybe it was through man-hours of development, maybe we purchased it from some other type of organization, but nonetheless let's think about the cost associated with it. So I'm going to create another property, I'll call it Pad, and then I'll store in it my actual base64 code, and then when I go back to actually look at it I see

my base64 code. I also see that string up top that we created earlier. So now it's sitting here; I can restart the box, I can go about my merry business, I can come back to it later and I can utilize this code that's here. So long as this box doesn't get reformatted or go offline, I have it there for as long as I need it. When it's time for me to actually run it I can call upon it like so, verifying that it's there, and then we can actually execute it. In this case it's just a pop-up box again; maybe it's a next-stage downloader where it goes out to my site

and instead of pulling back this little pop-up box, it pulls down a binary. Maybe I tell it to survey the system, telling me, you know, what users are logged on, what's the architecture, what's the health status as far as how often they updated. Maybe I tell it to execute a keylogger for a period of time and bring that information back. Really the opportunities, the things that we could do, are endless, and I don't even have to change the name of this. So right now it's stager.ps1, but on my C2 server I can just open that up, put some other stuff in there, and then the next time it comes to reach back and grab it, it

executes that. So it's very dynamic and modular in that perspective.
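From the defender's side, the two hiding spots walked through above (a padded environment variable and a property default on a custom CIM class) can be hunted with a script like this one. This is an added example, not code from the talk or from the speaker's tools; the 200-character base64 threshold, the 8-space padding cutoff and the `root/cimv2` default namespace are assumptions.

```powershell
# Added hunting example (not code from the talk): flag environment variables
# and WMI/CIM class property defaults that hold a long base64 blob or a run
# of leading whitespace padding, the two hiding spots the talk walks through.
# Assumptions: >= 200 base64 characters and >= 8 leading spaces are suspicious.

$Base64Pattern = '^\s*(?:[A-Za-z0-9+/]{4}){50,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\s*$'

function Test-SuspiciousValue {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $false }
    # Leading whitespace runs are unusual for a legitimate variable or default.
    $padded  = $Value -match '^\s{8,}'
    $encoded = $Value -match $Base64Pattern
    return ($padded -or $encoded)
}

function Get-SuspiciousEnvironmentValues {
    # User (HKCU) and machine (HKLM) variables; both persist across reboots.
    $paths = @(
        'HKCU:\Environment',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    )
    foreach ($path in $paths) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # Read the raw data without expanding %VAR% references.
            $raw = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            if (Test-SuspiciousValue $raw) {
                [pscustomobject]@{ Source = $path; Name = $name; Length = $raw.Length }
            }
        }
    }
}

function Get-SuspiciousCimClassDefaults {
    param([string]$Namespace = 'root/cimv2')
    # A class created the way the talk shows carries the payload as a property
    # default value, so the class definitions themselves are what to inspect.
    foreach ($class in Get-CimClass -Namespace $Namespace) {
        foreach ($prop in $class.CimClassProperties) {
            if ($prop.Value -is [string] -and (Test-SuspiciousValue $prop.Value)) {
                [pscustomobject]@{ Source = $class.CimClassName; Name = $prop.Name; Length = $prop.Value.Length }
            }
        }
    }
}

Get-SuspiciousEnvironmentValues
Get-SuspiciousCimClassDefaults
```

Run it in an elevated session so the HKLM key and every namespace class are readable; each hit reports where the value lives and how long it is, which is enough to pull and decode it for triage.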

Now, I'm not the first person to talk about stagers, all right. So as we look at 1971 with the Creeper malware to where we're at now, there's a lot of people in between, more so in the last 10 years, that really have jumped on this, where we see a number of threat sets that are starting to use multi-stage, or staged, malware. And from my perspective I think it's more common than what we believe, right? But we see people using proxies in order to retrieve additional payloads. Why? Because the malware which they want to lay on that system is too costly for them to go out there and just do it from the beginning. We have them

utilizing that payload, or really that stager, to understand the machine. We see that's what Backspace does. Again, why would I take time to install or lay down something that we've spent a lot of time and money on, just to have it picked up by some type of AV vendors? And then we see stuff like MuddyWater, all right; MuddyWater at the bottom, it utilizes it so they can download enumeration scripts to better understand the machine before it goes on. Now nothing in life comes without, you know, some good and bad. In this case we have some pros: very lightweight; you see that that was essentially a one-liner of sorts. I can wrap that whole thing, from a delivery perspective,

onto a target machine, and really all I'm putting on target is the actual base64 itself. Very low equity: what do I lose if that gets caught? Nothing. It's modular, so I can change that code at any time, and we could host it wherever we want. Now some of the cons in this: depending on the visibility of that effort, it could be very visible that we're going out and downloading stuff. Also it may spike, or really present to somebody, that we're doing something nefarious if they're unfamiliar with the sites which we're downloading from. And then if our stager becomes blocked, or really our C2 server becomes blocked, at any time, then we kind of lose visibility

and the ability to affect anything on there. So some mitigation techniques: well, least privilege; you heard Dave talk about segmentation and isolation, absolutely; application whitelisting, definitely difficult to actually do, time-intensive, but man, I tell you, it probably provides the most bang for the buck as far as reward. And then detection: you can't detect what you don't have, so if you're not logging you're already losing. And then from a proactive perspective, introducing threat hunting and some analysis. "Well, we're not infiltrated, I don't see anything." Well, that's because you're not looking hard enough, or the people who are in your network are very quiet. But at the end of the day there's a couple of ways to get around it. Now as I

start to wrap up here, all right: you see we use PowerShell very heavily. Well, I run two PowerShell training sites. One is called Under the Wire; it's seen a little over 70,000 people since 2015, roughly, players from 78 of the 193 ISO countries. Essentially Under the Wire allows you to SSH into a Windows environment; it will present you with a task, and then whatever the answer is to that task becomes the password to the next user, and you're essentially going about the game in that manner. It's designed to give people access to a PowerShell environment, to interact with the PowerShell environment, and to provide training. It's all free, all right. It is linear in nature, and we're talking about roughly

75 challenges. Now if that's not difficult enough for you, as we talk about the whole purple team, blue team, red team, well then we have Posh Hunter. Posh Hunter is roughly 90 challenges that allow you to, from a situational, scenario-based perspective, go through and utilize PowerShell to answer particular questions. One minute you're some blue team guy in the SOC, the next minute you're some red team guy on some engagement, but nonetheless all you have is PowerShell. You'll get to see how people are using it from a day-to-day perspective, you'll get to gain more familiarity with it and take it back to your environment, which is what I think anybody and everybody would like to have. So with that, that

brings us to the end. I'll pause for any questions. There's some information about me if you want to keep in touch, or any of that type of stuff; this presentation is at that site if you're interested. All right, awesome.