So my name's Ed Williams, and I'm here to talk about how we look to piss off an APT. Effectively, when I talk about an APT I mean nation-states, organised crime, red teams, or any sort of sophisticated attack that's going to test the breadth and the depth of your organisation.

Here's a little bit about me. If you haven't already guessed, I'm from Wales (the other two, yeah), and no sheep jokes either. From there on, that's how I see a red team and a nation-state. Interesting facts about me: I've got twins, and I have been in a Bollywood film. I almost said Hollywood, but a Bollywood film, and I've got an IMDb page, and as you can see there the film was described as "an insult to cinema". So the obvious thing for me was to crack on with pen testing.

So when we talk about APTs, we're looking at the enemy. Who do we consider the enemy to be, and what are they doing? I've got two quotes here. Sun Tzu, in his latest book on Amazon, described the enemy as somebody who doesn't look at the risk register prior to attack. And this is actually my favourite sort of poster, a subculture poster, that I think explains exactly what the hacker mentality is. When you're looking to get into an environment or system, these are the guys that you need to emulate, and these are the guys that you need to try and stop. Simply performing a pen test on a 2016 box isn't going to get you very far; you need to look at the edge cases, the corners where that entry system is still around, or the Windows 2000 box, or whatever. So bear that in mind.

I'm sure we're all aware of the cyber kill chain. I'm not going to spend a huge amount of time on it: you break the chain and it should make your life easier. It doesn't always work like that in reality, but that's how it should be, and how we look to get things done.

One observation I've made over 12 or 13 years of pen testing and red teaming is that zero-days don't actually cause APTs to succeed. It's normally poor opsec and technical debt, and it's things like this, where you've got, in this instance, a SQL service running as an administrator, so you've got a SQL service running as domain admin. We see that all the time; I've seen it for the last 12 years and I'll probably see it for another 12 years. So don't do that, because it's just really easy for us.

So how do we actually start to piss off an APT? You've already seen this pyramid of pain diagram; I won't go into too much detail, but effectively you've got tactical challenges and what I call strategic, behavioural challenges. So what you really need to do, as an attacker, to model an APT, is to be looking at TTPs and tools, and then when you're defending you need to be looking at stopping those tools and those behaviours. It's the behaviours that you're really looking at: lateral movement, cred dumping and those types of things. I highly recommend you read the article; it's really good. Again, there's been a lot of talk about ATT&CK, so I'm not going to concentrate on that, but this is something that I contribute to and I'm involved in, because it is really, really useful. I recommend that if you haven't had a look at it, hopefully you get involved and contribute where you can.

So where do we begin when we're looking to piss off an APT, or actually get into an environment? You always begin at the beginning: OSINT, I always say, open-source intelligence, looking at stuff on the internet, the dark web, or whatever it might be. How do we do that, and how do we mitigate it? Then we do a lot around reducing exposure and visibility. It seems kind of obvious: don't run things that you don't need to run, run with limited privileges, and just lock everything down as much as you can. Again, easier said than done, and I'll go into a little bit of detail, but those are the high-level premises.

It's really important to look at social media, all the things: getting email addresses, subdomain discovery, and so on. How many times have I compromised an environment via UAT or test, or some sort of VPN that nobody knows is there, and then pivoted in? So what is really important is that you get a good handle on what you've got externally facing. Shodan, again, I'm sure everybody's aware of Shodan. Does anybody know what this port is? Mini-quiz: 4786/TCP, anybody? Cisco Smart Install. That's really bad if you've got that on the internet; don't do that, because there will be nation-states looking to get at you and stop things running on your infrastructure. So make sure you know what's internet-facing.

Again, we see things like this all the time. I checked this number this morning and it's absolutely accurate: there are still over 2 million SMB services listening on the internet, which again isn't good, so don't do that. WannaCry, for example, is a classic example of that. Again, RDP: we saw a CVE just two or three weeks ago that looks really nasty; that's going to turn over a lot of people. So anything RDP-related, get that off the internet. Can anybody spot the four issues with that RDP screen? Anybody? So, username enumeration, obviously; the Windows Update button right there, bottom left; even a default username, admin; and there's some FTP user, which is probably going to be carnage. So that is just something that's going to be easily ownable for somebody who's looking to concentrate on your environment, so make sure you know what you've got out there.

It's also really useful when you're looking to determine cloud services. I love O365; I love smashing through that, I get a lot of joy from it. So if you're looking to work out if they're using O365, DNS MX records and TXT records will tell you if they use G Suite or O365. I'll talk a little bit later on about how we get into O365 and how good it is. The keynote speaker yesterday mentioned that O365 does a lot for you in terms of security, but it also gives you quite a big attack surface that you can leverage. So there are typical anti-spoofing techniques that you probably need to be aware of: SPF, DKIM and DMARC, so you can stop spoofed emails. Also look at the checks for those as well; I definitely recommend you do that.

Still on the OSINT phase: look at whatever docs the organisation has got. This is my organisation, and they've got loads of docs out there, and some of them will give you a clue as to what they're running internally, so you can then look at the kit they're running and drive your phishing through that vector.

So how do we actually get in, and how do you stop people from getting in? Phishing, believe it or not, is still like shooting fish in a barrel. Macros are still very popular and successful. You might not believe me, but there was this report from NCSC, admittedly September 2018, but the numbers are pretty startling and pretty frightening: even mature organisations still struggle with these types of things. So it's not as hard as it might seem. I know there's a lot of blue team here who would argue against me, but the numbers are the numbers at the moment, and the methods that we use are really successful. So HTA files, HTA files via HTML, are a little bit noisier and a little bit more obvious, but if somebody's immature they're going to get knocked over with that. DDE was really popular probably 18 months to two years ago; I still see that being really useful as an attack vector. Another example: smishing, or SMS phishing. Imagine everybody's got a phone of some description, and it's not that difficult to get a phone number, so sending a malicious SMS, we can leverage a lot of attack vectors through that, whether it's credentials or looking to corrupt the underlying phone. Also very popular: social media. Who hasn't got a social media account? No? That's good. So social media phishing, also very popular, same as any other sort of phishing attack, but we still use it and it's still very successful.

Harder to do are watering hole type attacks. You need to own some sort of third party, so there's legal stuff around that, but you need to bear that in mind to stop an APT and to stop the bad guys, because they will do that. Third-party exploits: Flash, classically, and anything ActiveX running like that. Just don't run Flash is my advice. Browsers: there was a really pernicious Firefox CVE that I saw yesterday that looked really bad, so we'd be looking at leveraging those types of things moving forwards. We normally fingerprint a browser through the user agent. I know you can spoof that, but generally we get a lot of success from identifying user agents and leveraging it if they're running some sort of outdated browser. And then again, back to O365: login portal clones. People are very familiar with O365, and we get a lot of success from that. Who is running Office 365? Who isn't? Okay, but that makes sense: if you're not running it, it's G Suite or something similar.

Password spraying: again, another really useful method of how we get in, and this is from US-CERT. As you see there, it's the classic method: username enumeration via any method, and then just spraying them for weak creds. Again, Office 365 is really good for that, and then once you get in, download the GAL, go through the rest of it, and then you kick off again. But the beauty of kicking off again is you're in a trusted mailbox, so if you can get into a trusted mailbox, you can then leverage yourself into the environment, on to another pivot point. And there's the reference for that.

Microsoft and others do offer a lot of sort of anti-hacking things, for want of a better expression. For example, anti-phishing, they've got some machine learning around that, mailbox intelligence and Safe Links, smart lockout, so that uses machine learning algorithms to spot unusual sign-in activity. Say you're signing in from somewhere you don't normally sign in from, that will flag, and then you can work off that flag. MFA, obviously, and, as I say, some of the newer things like impersonation lists are really useful; I'd recommend them. But the reality is those things aren't 100% accurate, and we've been in situations and environments where we were able to compromise even when some of those were turned on. Not everybody turns these features on or is aware of them, and they're not perfect. So this was the Safe Links bypass, I think probably about a year ago, where just by using a base href you could basically amalgamate the two together and it would just fly through. So you just need to be really mindful that one thing isn't going to stop somebody from getting into your environment.

So what really starts to piss them off? Passwords. I would argue making your passwords difficult, whatever that means. NIST in 2017 released a new version of their guidance, and their guidance is an eight-character minimum, up to 64 or greater. It doesn't differentiate between non-admins and admins, so by that guidance alone you would get domain admins with eight-character passwords; don't do that. Some form of dictionary to disallow common passwords: there's a number of tools you can get on both Windows and Unix that will stop you from creating a password like "Password1" or some common words that you shouldn't use, for example your organisation's name. So don't do that. Allow all printing characters, including spaces, so you're basically increasing the key space. Don't have a password of a space, because that's not a very good idea, even though it'd be difficult to see it when you actually crack it; this has happened to me before. Throttling, so not lockout but throttling, so just monitoring what's going on. Probably most interesting from my perspective is no required password expiration. So don't change your password: once you've got a good password, stick to it and don't change it. This was relatively new and I don't see a lot of organisations doing it, and the NCSC have actually done the same thing and recommended that: get a good password, keep it unique, but there's no need to change it, as long as you cycle it and put a zero on the end of it. And then also, recently, I saw something from ADSecurity that Azure cloud stuff is now increasing their maximum password length, so that's really good, really positive.
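The password guidance in the talk (eight-character minimum, 64 or more allowed, a blocklist of common passwords and the organisation's own name, every printing character including spaces allowed, throttling rather than lockout) can be turned into a small policy check. The block below is an added example written for this page, not code from the talk or from any tool it mentions; the blocklist entries, the organisation terms (`examplecorp`, `excorp`) and the throttle limits are constructed placeholders, and a real deployment would load a large breached-password list instead.

```python
import re
import time
from collections import deque
from typing import Deque, Dict, List, Optional

# Length bounds from the NIST SP 800-63B guidance described in the talk:
# eight-character minimum, allow 64 or more.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed blocklist for the demo; a real deployment loads a large
# breached-password list instead of a handful of literals.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}

# Constructed organisation-specific terms that must not appear anywhere in a
# password (organisation name, product names, site names).
ORG_TERMS = {"examplecorp", "excorp"}


def normalise(pw: str) -> str:
    """Lower-case the candidate and strip trailing digits/symbols so that
    'Password2019!' is still matched against the blocklist entry 'password'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def check_password(candidate: str,
                   min_length: int = MIN_LENGTH,
                   max_length: int = MAX_LENGTH) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Every printing character (spaces included) is allowed, so the only
    character-class checks are for non-printable characters and for the
    degenerate all-whitespace password the talk warns about."""
    problems: List[str] = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        problems.append(f"longer than {max_length} characters")
    if any(not ch.isprintable() for ch in candidate):
        problems.append("contains non-printable characters")
    if candidate.strip() == "":
        problems.append("consists only of whitespace")
    if normalise(candidate) in COMMON_PASSWORDS:
        problems.append("matches a common password")
    lowered = candidate.lower()
    for term in sorted(ORG_TERMS):
        if term in lowered:
            problems.append(f"contains organisation term '{term}'")
    return problems


class FailedLoginThrottle:
    """Throttle rather than lock out: after `limit` failures inside `window`
    seconds an account's next attempt is refused, but the failure record ages
    out by itself, so a password-spraying attacker cannot permanently lock
    legitimate users out of their own accounts."""

    def __init__(self, limit: int = 5, window: float = 300.0) -> None:
        self.limit = limit
        self.window = window
        self._failures: Dict[str, Deque[float]] = {}

    def _recent(self, account: str, now: float) -> Deque[float]:
        # Drop failure timestamps that have aged out of the window.
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        self._recent(account, now).append(now)

    def is_throttled(self, account: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        return len(self._recent(account, now)) >= self.limit


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Password2019!", "        ", "ExampleCorp!2019"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

The normalisation step matters more than it looks: most blocklist tools compare the raw string, so `Password2019!` slips past a list that only contains `password`. The throttle takes an explicit `now` so the behaviour can be tested deterministically without sleeping.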
What is frustrating is when you see things like this. Frustrating for two reasons: one, there's an issue with that, and secondly, it's MFA. Can anybody spot why that's not a good idea for MFA? It's using SMS as the second factor, or the multiple factor. SMS is not a good idea for a second factor, so I wouldn't recommend it. There's a number of tricks you can do around swapping phones, and it's not that difficult; we've actually done it on a few sites and a few tests. So SMS as the second factor is dead. Wherever you see that, probably raise an issue. There was something I spotted on Money Box a while ago, when TSB customers were being hit by something very similar.

On to my favourite thing: Office 365. TrustedSec did a really good blog post, probably two or three weeks ago, where they mapped a number of different attack vectors for Office 365. The first and the best one is where a single URL will identify if it is using O365, and then you can kick on again. Where you see here the namespace type: if that's Managed, then it is using Office 365; if it's Federated, then obviously it's federated AD; and Unknown means it doesn't exist, it doesn't exist at this moment. So that's Amazon, no surprise. And then you can start to enumerate usernames in Office 365. This is a really nice combination here: 200, you're in, which makes sense; 401, so you've got a valid username and password, and that means it doesn't require 2FA, so you can just password spray that; 403, valid username, good password, but you do need 2FA, so if the 2FA is SMS you can start to do that, or look at something else; and then 404 is an invalid username. So you can just grab one of the many username lists on the internet and spray that against Office 365, get a list of the usernames, and then go again.

Then Exchange Web Services, or legacy services. So the O365 portal may require 2FA, but Exchange Web Services doesn't always, so from your mail client you can attempt to connect: you've got credentials, username and password, and that will bypass any 2FA requirement. It's quite a simple URL, so you just need to map that and manage it. If you see 2FA on the portal, it doesn't necessarily mean that it's going to be 2FA for these next services. Proper 2FA, again: I saw this fairly recently, Google apparently, their 85,000 employees hadn't been attacked, and that is from them using a hardware key. So obviously even if it's half true, that is obviously a good step forward, and I definitely recommend that you do that for your organisation.

Removing technical debt. Once we get into an organisation, one way of stopping us from doing anything is removing the stuff that's easy to go for. Again, the enemy does not check your risk register prior to attacking, so make sure you are actually getting rid of that Windows 2000 box, or that 2003 box, or even a 2008 box these days, that's domain-joined, because that is the thing that the bad guys are going to look at. I'm not going to bother with the 2016 boxes. Admittedly, this can be really difficult in large, complex environments if you've got legacy kit, mainframes, AS/400s and things like that; again, it can be difficult, but that's going to be somewhere that the bad guys are going to look to attack.

The next thing that's really important, I think, is being mature, and being mature in response is assuming you've been breached. John Lambert at Microsoft has got an excellent sentence around this and how you can look to defend: defenders think in lists and attackers think in graphs. What that actually means is, you've got a domain controller that the bad guy probably wants to go after. Why go after the domain controller, that might be really locked down? We just go after Bob, who admins the DC. His workstation is probably not a locked-down workstation, and I see the end-user device, or the workstation, as the battleground. That is one of my kids pointing, again, at another one. So it's really important that we concentrate on the end-user device, because if somebody's coming from external to internal, they're going to land on a desktop. So make sure that you can lock that desktop down.

Once somebody does get a foothold onto an end-user device, there's probably going to be one or two things that happen. They're going to look to do situational awareness and enumerate: patching, whether there's any anti-exploit mitigations on there, just the general level of hardening; whether LAPS is on there, EMET back in the day, what the firewall rules are, general AV, what logging is on there. That's really good stuff, and that's the type of stuff you would look for when you do situational awareness on a box. Or you're going to enumerate the local host and then spread to the network. So maybe you're going to do some LDAP queries to the DC, maybe run some net commands to see the domain users, or anything like that. So it's trying to reduce that scope. How do you stop that at the end-user device? It's pretty simple, really. What you need to do is use things like LAPS. Is everybody running LAPS here? Yeah? No? Maybe. You need application whitelisting, so make sure they can't run any sort of commands: MSBuild, InstallUtil, we've seen the net commands, those types of things, PowerShell, both versions. So make sure you're really locking those things down. And what's really important, the thing that we don't see often enough: host-based firewalls. There's probably no reason why desktops need to communicate with one another over SMB, so you can probably lock that down, and that'll stop some lateral movement. Then really understand the data flows and lock a lot of that down, so you've got some form of micro-segregation, which does make it really hard for an attacker, because once they're in, if they can't really get out of that little segment, it can be really hard for them to get what they actually want, which would probably be some form of data or some form of credential. And logging as well: we can view a lot of stuff with Sysmon, which is a great tool and I highly recommend using it, but make sure you are logging and pushing those logs off properly.

If you do get onto a box, one of my favourite things to do is Kerberoasting. Effectively, as a domain user you can query the Kerberos service, 88/TCP, and get a load of SPNs, and they're poorly encrypted, so you can decrypt them more easily rather than having to go through the pain of getting onto the DC and dumping NTDS. That's the tool I wrote that does some of that, but there's some detail there.

Living off the land. So that is my house, and I think that's Grant's house; is he over there? Right, yeah. So living off the land, it's not a new technique, a lot of people talk about it, but the bad guys are less likely to upload tools or malware; what they're going to do is use inbuilt tools. So what you need to do is lock that down. They could use PowerShell, WMI, even the net tools, or anything that's going to spread their sort of persistence, including MSBuild, which is something that we use a lot in our organisation, InstallUtil again. Here's another example of living off the land: it's just a very simple way of dumping some creds using inbuilt tools. There are some reg commands that you just run, and that will give you the hives, and you can push them off to your box and then crack them. So that's, again, really simple.

Event IDs, again: the earlier talk spoke about Sysmon and logging and things like that, so it's really recommended that you do use and collect appropriate event IDs. From my experience, people either log nothing or log everything, and neither of them is particularly good. It doesn't help you when you're trying to work with a customer to say, okay, we got privileged, did you see us doing XYZ, and the answer is yes or no or maybe. Cleanup and covering tracks: this is something that I would definitely recommend people monitor for, and you can see it in that, not particularly well, but when you clear all the event logs, that in itself creates an event, 1102, for clearing the event logs. So don't do that if you are getting into an environment, because it's pretty obvious; I think you can see that there. The other thing is that tools like Mimikatz now are getting quite efficient at stopping event logs and then not logging what's going on, so you just need to be mindful of that. But if you do see 1102, there's no reason why anybody should be clearing their event logs. You can see other things that need to be monitored: local group changes, so there are two events for that. Typically, if you do get onto a box and you get some sort of privilege, you might want to create a user for persistence; well, that's easily flagged up, so make sure you do that, and there are some event IDs for that. Lateral movement: make sure you're monitoring for that. There's a couple of different ways to do it, there's LDAP and there's SMB sessions, so make sure you monitor both of those. That makes it really hard: if somebody does get into your environment, they are going to need to move somewhere, and they're unlikely to land on a DC; if they did, that'd be really bad. Make sure you're looking for application crashes; for example, if we're using a Flash exploit, that's going to crash the app, so you need to make sure you're doing that. Service installation: for example, PsExec creates a service when you run it. My tradecraft doesn't involve PsExec, but some people do, so if you do use it, be aware that it is creating an event, and then monitor for that event. That's just an example from US-CERT with some of the TTPs that I mentioned earlier: password spraying, SMB to a domain controller, so that's got quite a few events. But what if we don't use SMB? How do you manage it? You can use LDAP to query the DC to get information on that; again, that's an event you need to monitor. So be mindful of those things. Kerberos logging, so that is quite complicated and it can get really noisy, so you need to be mindful that if somebody is doing some Kerberos-based attacks, you really need to trim that down and keep a really close eye, because it will get noisy, so it needs to be managed somehow. You know, should this person be doing this Kerberos traffic at this point in time? You need a bit of intelligence around that.

So some advice, and some of the things that I think work really well from my perspective as a pen tester that I don't see enough of. People actually understanding the network: you know, it's quite easy now to spin up a box with, I don't know, 2003 on it, just as a test box with SQL on it. So make sure you understand that and understand the data flows around your network. If you don't understand the data flows around your network, you're not going to be able to micro-segment it correctly, or at least put some rails around it that'll make it a lot harder for people inside and external to be able to cross boundaries. Really concentrate on TTPs and behaviours; I think that's really key. The one thing you should take out of here, if you can, is to make sure you're not looking at hashes, you're looking at what people do, whether it's cred dumping or moving laterally or trying to break out into another environment or something like that. Those are the behaviours that link back then to ATT&CK, so have a good look at it. I know a lot of people have spoken about it, but it is really worth looking up.

I definitely see a lot of this: people not raising their domain functional level and not getting the benefits out of it. In a very recent engagement, I saw they were running a couple of 2016 DCs, but the domain functional level was Windows 2003, so they're not getting the enhanced benefits of running the latest versions on their DCs. Some of the things that you do get: Windows 2008, you get fine-grained password policies when you upgrade the domain functional level, and last interactive logon information, which is gold; you really must have that information. Windows 2012 R2, you get Protected Users: you can put somebody in the Protected Users group, and then Mimikatz isn't as effective. And there's a lot of authentication policies that come from lifting the domain functional level.

Excuse me. Something I don't see enough of, and I'm probably not likely to see: privileged access workstations, PAWs, is the Microsoft version of it. It's just really having a locked-down Windows environment where you can only do what you're supposed to do on it. Again, it sounds like common sense, but we just don't see a lot of it. Or stopping domain admin use, and root, on standard workstations; again, we see a lot of that. So if you can minimise the privilege usage and then lock everything down, you're going to be in a really good state. Then the ultimate goal, which again I've never actually seen, and I've only heard of two or three environments in the world, is a Red Forest environment. This is a Windows-specific thing: basically you split your environment into tiers, and you can't cross the boundaries very easily; you need specific machines to be able to get to the next level, and then again to the next level. So your tier 0 can be your domain admins, tier 1 server admins, and then tier 2 being workstation admins. Again, I've not actually seen this in the wild. Has anybody seen it? Some? So that's more than I thought. What is again really important, and I mentioned it earlier, is not looking so much at the tactical but more the strategic and the behaviours of what people actually do, because that's going to stop people like me and the bad guys from getting in and doing really bad things.

In my conclusion: get the basics done, even though they are really hard to do across everything. If you get the basics, then you're going to be in a really good place. You know, we see a lot of organisations spending a lot of money on really expensive boxes but not really getting to the nub of the situation, and that is patching, passwords and policies. You get those sorted, you're going to raise the bar significantly; it's going to be really hard then to do anything meaningful in that environment. And make sure that it doesn't take just one thing to blow everything up: make sure that you've got privilege separation, you've got segregation and all those types of good things, because it just makes it really hard, and if it's really hard you can then get your detection and incident response to kick in and catch the person, whether it's internal or otherwise. And I think something that's slightly overlooked is visibility and reaction: if you can see what's going on, then you can do something about it, and then how quickly you react to that thing is really important. So make sure you get the visibility, whether it's through Sysmon or logging or just some of the event IDs that I mentioned. I think that'd be a really good place to start. And that's it. Does anybody have any questions on that? No? No questions? Oh, that one.

[Audience question] So now that PowerShell has probably been picked up a little bit more by EDR products, what would APTs and red teams be moving to? A little bit of C#, .NET?
[Ed Williams] So MSBuild, InstallUtil, you can do all those things. It's the same, I hate the word indicators, but it's the same indicators you're looking at, but you just need a good locked-down environment. If you can't run MSBuild, InstallUtil, any of those things, it's going to be hard to compile your code and run it. So it's those types of things, but that's going to change, and that'll be something else that'll be really hard. Any other questions? Nope? No? Thank you very much, that's great.
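The event-ID monitoring the talk recommends (alerting on event 1102 when the security log is cleared, on local group changes and user creation used for persistence, and on service installation such as the service PsExec creates) can be expressed as a small rule set run over forwarded logs. The block below is an added example written for this page, not code from the talk or from any product it mentions. Only 1102 comes from the talk; 4720 (user account created), 4732 (member added to a security-enabled local group) and 7045 (service installed, System log) are the standard Windows IDs for the behaviours it lists. The JSON-lines log shape, hostnames and account names are constructed placeholders, not a real forwarder format.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample of Windows events flattened to one JSON object per line.
# Real events carry many more fields; only those used below are included.
SAMPLE_LOG = """
{"Channel": "Security", "EventID": 4624, "Computer": "WS01", "SubjectUserName": "bob"}
{"Channel": "Security", "EventID": 1102, "Computer": "WS01", "SubjectUserName": "bob"}
{"Channel": "Security", "EventID": 4720, "Computer": "WS01", "SubjectUserName": "bob", "TargetUserName": "svc_backup"}
{"Channel": "Security", "EventID": 4732, "Computer": "WS01", "SubjectUserName": "bob", "TargetUserName": "Administrators", "MemberName": "svc_backup"}
{"Channel": "System", "EventID": 7045, "Computer": "WS01", "ServiceName": "PSEXESVC", "ImagePath": "PSEXESVC.exe"}
{"Channel": "Security", "EventID": 4624, "Computer": "WS02", "SubjectUserName": "alice"}
"""

# (channel, event id) -> (severity, description). 1102 is the ID named in the
# talk; the others are the standard IDs for the behaviours it describes.
RULES = {
    ("Security", 1102): ("high", "security audit log cleared"),
    ("Security", 4720): ("medium", "user account created"),
    ("Security", 4732): ("high", "member added to security-enabled local group"),
    ("System", 7045): ("medium", "new service installed (e.g. PsExec's PSEXESVC)"),
}


def parse_jsonl(text: str) -> List[dict]:
    """Parse one JSON object per non-empty line; a malformed line is skipped
    rather than aborting the whole batch."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events: List[dict]) -> List[dict]:
    """Match each event against RULES and return alert records in log order."""
    alerts = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        if key not in RULES:
            continue
        severity, description = RULES[key]
        alerts.append({
            "host": ev.get("Computer"),
            "event_id": ev["EventID"],
            "severity": severity,
            "description": description,
            "actor": ev.get("SubjectUserName"),
            # Whichever object the event is about: group member, target account or service.
            "detail": ev.get("MemberName") or ev.get("TargetUserName") or ev.get("ServiceName"),
        })
    return alerts


def summarise_by_host(alerts: List[dict], escalate_at: int = 3) -> Dict[str, dict]:
    """Group alerts per host. Several alerts on one box (log cleared, new user,
    group change, new service) is the persistence pattern the talk describes,
    so a host is flagged for escalation on volume or on any high-severity hit."""
    per_host: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "event_ids": [], "severities": set(), "escalate": False})
    for a in alerts:
        entry = per_host[a["host"]]
        entry["count"] += 1
        entry["event_ids"].append(a["event_id"])
        entry["severities"].add(a["severity"])
    for entry in per_host.values():
        entry["escalate"] = entry["count"] >= escalate_at or "high" in entry["severities"]
    return dict(per_host)


if __name__ == "__main__":
    found = detect(parse_jsonl(SAMPLE_LOG))
    for a in found:
        print(f"{a['host']} {a['event_id']} [{a['severity']}] {a['description']}: {a['detail']}")
    for host, entry in summarise_by_host(found).items():
        print(host, entry["count"], "alerts, escalate =", entry["escalate"])
```

Logging everything and logging nothing both fail in the way the talk describes; a short, explicit rule table like `RULES` is the middle ground, and grouping by host turns four individually explainable events into the single "someone is persisting on WS01" question an analyst actually wants answered.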