Hack in Your Sleep

of prelude research and um he reads a research team of cutting ed's anonymous red team platform and prior to doing this work with his red team he built caldera which is a open source adversary emulation framework and while working as a principal cyber security engineer for mitri david has spent 15 years working as a cyber security consultant for the us government and along with full-time roles at major cyber security firms such as fire eye so let's give them a more welcome and good luck when you talk thank you very much all right you can hear me okay right uh yeah perfect and everything looks great so all right today's topic is hacking in your sleep how to do it why you want to

do it and kind of the trends in red teaming and offensive security into autonomy and why that's important so a couple things on the screen here if you do want to get a hold of me uh on pretty much all the places you'll find me at private ducky and then i do a lot of blog posting on this topic autonomous red teaming kind of future looking security stuff at this blog address uh feel free to head over there and find me as well all right the first thing kind of uh doubling down on who am i uh essentially why why listen to me on this topic um i've been in the industry about 15 years

mostly on the offensive security side between uh what's called oco offensive cyber operations for government military as well as red teaming for larger organizations i've also kind of interspersed a few years of engineering on the software side and have kind of hit this sweet spot at this point in my career of building autonomous systems that really work security into the mix uh kind of bounce around a few smaller companies security startups and so forth as well what do i do now i really focus on building autonomous systems that can hack into computers that's that's the focus area uh for my last couple years the biggest thing i've done uh in the last two years is over at mitre i spent a couple years

there building the caldera adversary emulation framework uh it's open source you can go to github and find that um and you'll see my handle on there private ducky uh if you want to get in uh contact with me via there

all right what should you learn today uh so we're gonna go through and learn how to think like a human you might think i already know how to do that it's uh kind of the intrinsic ability of thinking and doing every day making decisions uh we're actually gonna convert that kind of thought process and we're going to draw it out on paper so we can actually visualize the things that we take for granted every day and turn that into programmatic reasoning the reason we want to do that is we want to understand how an adversary actually thinks and we want to understand how this malicious actor thinks because we want to be able to build

programmatic profiles that can replicate adversary behavior in a network if we want to hack into a system automatically or auto magically as some people will refer to it you need to be able to think like the adversary and you need to be able to map that out programmatically in a way that's going to replicate those sort of decisions we're also going to learn how to apply that knowledge outside of just the learning of the decision making process we're gonna learn how to actually apply that in a real command and control center and set it up on automate so it'll run on a schedule basis this is actually phenomenal that we're following the great ransomware talk

which i loved quite a bit um the topics of cyberkill chain building out a ttp process that you can test uh very very relevant to what we're going to talk about today all right so let's start off learning how to make human decisions so i'll give you a second to kind of let this sink in this is going to be our set of potential decisions that we can make we're going to say our starting off point is way off here on the left side at waking up our goal is to drive to work so with the goal of driving to work we can kind of see all the things in between the time i wake up to the time i drive

to work that i could do these are my potential paths to achieve my goal so i may i have the we'll call these abilities as well so everything in between this waking up and driving to work we'll call that an ability so i have the ability to eat breakfast i could walk the dog i could hit snooze put clothes on go for a run get in the car get on a bike these are all things that i can do decisions i could make so when i wake up maybe i decide to hit snooze i want to go back to bed um that's good i made a decision that moves me if you're thinking of this on a

chess board i made one single move now what does that do that leaves me without any pathway to drive to work i'm stuck at i'm stuck in the bed essentially so uh that that's not a valid move for me to make if my goal is to drive to work so let's head back to the beginning and say okay well maybe i want to eat breakfast let's say i can i can make that move and and i can eat breakfast and then i skip ahead to the next stage and i say okay well um i'll put clothes on after i eat breakfast i can do that now i escaped over this red circle this uh walk the dog stuff

i circle that in red because i couldn't go from waking up to walking the dog without putting on clothes that's an essential part of the process at least it is in my neighborhood so i went and i kind of skipped around that and i said okay well i put my clothes on it's a precondition in order for me to walk the dog i need to have clothes on so that's part of my decision making there was a prereq to me being capable of doing so so now i can head back at this point and i can go walk the dog so i'm moving backward so i went forward taking a step back and then i can kind

of shift ahead and say okay let's go for a run well going for a run that's not going to get me to work that's taking me on a completely different direction so that's not a good pathway for me to go so get rid of that and say okay maybe after i walk the dog i can get in the car that moves me ahead one more spot to where it's getting closer to my goal and then boom i drive to work happy i achieved my goal and i went through a number of different states here a number of different phases making moves going forward going backward we'll come back to this in just a moment but before we do that we're going to

break this down in a linear way so how did we go through the process of making these very human decisions as we moved our way down this chain we had to establish a goal first so before we can act we need to understand what our end state is or a desired end state in our last plan we had a goal of getting to work driving to work once we have a goal we need to establish what are my abilities what are the different decisions i could potentially make there's typically a finite number of decisions in any scenario so i need to establish what are they my ability set my decisions may be different from yours

we all may have different human decisions based on our own capabilities now what preconditions exist for each one so if i looked at my my set of abilities what is required because they're not all in a flat space i need to do some things to open up inability in a future decision do i have overlaps in my ability set are there duplicate duplications in what i can do and then finally i need to just establish all of these things in order to get to my last step which is what ability should i actually choose so given all of these things i eliminate the things that i can't do because of prereqs um i kind of understand the duplications

and the pros and cons and weights now which one should i actually choose so my last step is we kind of lay this out more linear we say what is my goal i want to go to work what are my abilities this is the full set of abilities that i have access to what preconditions do i have well in the last step i only had one so in order to walk the dog i had to put clothes on do i have overlaps well getting in the car and getting on a bike they could achieve the same thing i could have taken either of those to get to work at the end of the day so i kind of understand what all of

these uh potential options pros and cons are these are things that we take for granted as we make just daily decisions such as waking up and getting to work but you can lay it out in a very decision tree kind of way this is known as a concept of automated planning which is kind of a niche sector of uh ai but it's very much um probably the best way to describe it is discrete decision trees that could be overlapping that allows you to to really plan out potential decisions at a very large scale so i said the word finite before uh that was a specific term um for describing this pattern of decision making is a finite state machine now this is

a simplistic example obviously this is a very traditional one this is uh the wikipedia's example a finite state machine it's also a popular classroom example so we've all seen these subway turn styles that you walk through you've done this at a park you've done this at a subway um there's two states it's walked or it's unlocked and so we're gonna start over here on the left-hand side lock state you're at the subway you're getting ready to uh to walk through you want to take the train uh the turnstile is locked so i push it kind of following this circle it remains locked that's the current state of the turnstile okay so then i put a coin in

it i'm ready to pay that flips the state to an unlocked position when i push through the turnstile it moves back into a locked if i put a coin into an unlocked turnstile well it's still unlocked it remains in that state and so this is an example of a finite state machine which is to say that there is a known number of states two that i could be in at any given time now i'm going to be in one of these states not both at the same time and there's a process a kind of a circular pattern that will get me from one state to the other and i can move back and forth between them or remain in the same state

depending on what decisions and what actions i make so if we want to overlay this on the prior screen and say we kind of labeled the screen v2 so if i want to kind of compare what i went through from waking up to driving to work on a state machine kind of basis let me look at it like this maybe i have five potential states this is one of several ways you could diagram this out but maybe i have five potential states that i could be in i have my wake up state i've got my kind of initial state of like what do i do when i wake up um my middle state where i only have one

option putting on clothes and so forth and so as i'm kind of moving here you can see when i went through this example before i went from state one to state two when i ate breakfast and then i went to state three to put clothes on but then i hopped back to state two because i had been able to satisfy a precondition for walking the dog and then i went from state two and i was able to hop to state four and then finally at five so this is kind of the decision tree process that i went through in order to um achieve my goal well wait isn't this talk about security um yes so we need to apply this human

decision making process into the world of cyber security how does this intersect and what are my options so before we dive into how this comparison actually operates um let's talk a little bit about the miter attack framework i'd say by by this point in time everybody here should be at least familiar with what attack is um i'm a former miter guy so i might have a little bit of a better uh or more comprehensive experience working with it so i'll kind of give the the overall view of what's important to know from the perspective of this talk so across the top you have tactics and these are the tactical decisions that you could make as

an attacker so you might do reconnaissance on a computer network that might lead you to initial access which might lead you to persisting on the machine and so forth these are the high level higher level categories of things that i can do on a machine each one of these columns is going to represent a subset of the tactic and so if i decide that i want to do a defensive evasion action on a machine i can then scroll downward and see well do i want to hide artifacts do i want to exploit for defensive evasion purposes do i want to do direct volume access and so forth so i decide one of these techniques now this is a great

classification system so i can communicate what i'm doing or if i'm on the defensive side i can communicate what i'm seeing in adversary actually do what isn't shown on this screen is what is below the techniques so we can see there's 37 techniques in defense evasion we're not showing what is the procedure level and so that is the implementation of the technique and we're going to talk about that in a second here so you've got three categories of things to take away from this screen as far as the miter attack framework you had to call the ttp your tactic your technique and your procedure layer and depending on the context and the specificity that you're talking at

you're going to be talking about either any of those three um terms all right so let's see how this applies to adversarial decision making when it boils down to how a hacker or how an attacker adversary threat actor the synonym that you choose decides to attack a system it's going to be the same as the decision process that we went through as a human just waking up and driving to work so when we look at an example here we can see maybe our initial state is what's called a post-compromise state otherwise referred to as assumed breach the network has been breached the adversary has made it in and our initial state is the dropping of an implant or a rat

now let's say that i have a variety of decisions abilities that exist within my ttp database this is all the things that myself as an attacker understands how to do now my set of abilities in my personal database may be different than the person next to me we all have different capacities for what we work on we all have different specialties so our databases are going to look a little bit different in some cases drastically different now i can classify and discuss and talk about what my decisions are by leveraging the attack matrix classification so in this column here i can see a collection of tactics that i may understand how to act on and

then in the second column here i may have these are the list of techniques that would correspond to various tactics and then finally over here i may have an actual technique implementation so to kind of draw this out from an adversarial perspective after dropping an implant if my goal is to capture audio this is what i want to do i may say okay well i have to do something collection related i want to capture audio so that means i'm trying to to capture the the microphone on a laptop for instance so i need to collect it okay once i collect it i need to figure out on the miter attack framework well what's the most relevant

technique identifier these are often referred to as tids uh so technique t1123 that that one kind of fits and i could go to the attack matrix online and i could validate that that information and then finally okay t1123 there's probably a few thousand potential procedures technique implementations i could do in order to achieve this so maybe i reach into my ttp database my own knowledge store of of attacks and i pull out this and i say okay i am hitting up a mac os laptop so i can capture audio without privileges by installing a brew package which doesn't typically like it when you do root actions so i can install it uh brew install socks under the covers

point that into devno so so the logs aren't rolling um and then let's just go ahead and record for 30 seconds um into this recording wav file all right so that's my own personal knowledge the way the implementation as to how i capture audio may be very different than the person next to me but this is out of my own database and this is my process of making that decision to get to this point all right the cyber kill chain so lockheed martin came out with this a while back before the mitre attack framework became as popular as it is today this was the preferred way by a lot of folks in government and not government

for describing cyber attacks and in a very similar way this is a language a classification system uh a common language for describing how attacks occur so looking at this we can see at the very top kind of looking at this top to bottom we can see tactics coming down defense evasion command and control discovery collection and so forth these are the miter attack tactics uh that i can think on the techniques are going to be these tids again and the procedures are going to be these specific abilities that you see kind of described here now thinking about this in the same lens as our prior slide as we made decisions we could look at each one of these

tactics as its own state so as i'm attacking a system and i'm thinking about how i want to attack it as a manual hacker and we're going to get into automation in just a sec i'm going to think of it in the cyber kill chain order so i prior to to this screen i would have just known about my giant amount my giant database of internal knowledge of attacks now i have an organizational structure a language in order for me to describe my state my finite state machine of decision making and so maybe there's 12 or 13 attack tactics that i understand how to do i can order them in a specific way and say i

always want to do defensive asian actions first then i always want to pivot into command and control discovery collection persistence and so forth now remember that there is this thing called precondition so that means if i'm actually wanting to act on this in the real world i may be able to complete all of my defense evasion procedures successfully but maybe there's a precondition to a command and control procedure so i move on to discovery maybe discovery identifies how to satisfy the precondition for command and control so i circle back to command and control i execute everything i can there and then i immediately pivot back down to collection and so i'm going through this circle

where i'm trying to work my way down the chain as a as a hacker but i can get bumped back up to a different state depending on what my preconditions are and what i'm learning as i go so that's the thought process that you're going through as an attacker all right so let's see how we can hack computers um we're going to say we have a command and control so this is me sitting behind a laptop um i've got my preferred command and control center in front of me and i'm ready to start launching attacks the first thing that i need to have is my set of decisions so ttp database that's attached to my

command and control center that's my own knowledge base the second thing i need is i need to have my assumed breach scenario so i need to have a variety of rats or agents deployed out on target computers that are beaconing into my command and control center asking for instructions once i have these two things knowledge agents i'm actually ready to act so my goal in this scenario is i want to steal important files okay so for me to steal important files there's a handful of things i'm going to have to know and in this case maybe i'm wanting to steal these important files for just typical theft maybe it's surveillance maybe i want to steal and

then ransomware there's all sorts of motives that i may have for wanting to do such a thing the very first thing i need to do is find important files or to steal them i need to locate them on disk so if i have infiltrated five machines they may have various files on them that are deemed important i need to locate them the second thing i need to do is i need to create a staging directory i need a place to move or copy my found important files to maybe a network share maybe a local directory that i can consolidate things to i want to create a directory somewhere that i can store my goods and then i need to actually stage the

files which is the the process of copying from wherever on this they are to my new spot i need to compress my stage directory that's important because in my next step where i'm going to exfiltrate that stage directory if the staging directory is small i'll be much better suited for hiding from the defense of doing evasion than if that staging director is large so i want to compress that and then i want to exfiltrate that over say the network maybe http i want to steal that and then now i have the important files right now if i want to do this there's only five steps so that's easy enough very simple attack i need to do it in this order though um

these are the states that i have to be in if i attempt to compress a stage directory before i have a stage directory well that's not going to be very valuable because it's going to fail i'm going to get a pretty bad status code on that uh the same thing with staging files i can't really stage a file if i haven't found the files to begin with so i need to go through this in the specified states in order uh and i'm going to balance on these finite states there's five states in the scenario i'm going to kind of bounce between them until i'm able to satisfy all of the preconditions to each one now the big challenge here is how do i

take arbitrary text output and use it to create the input for the next decision so let's run through this as a quick scenario here so let's see if we can solve this so building upon the last example so i want to find important files here's an example that i actually personally have used in the field quite a bit because it's runs under the radar it doesn't get caught and it's actually quite successful um here's a bash example um so if i can pop a terminal open i could run this and say hey find me everything that's in the core user directory so downloads desktop documents that are of type file and were modified in the last 24 hours last one day and

that's that's a great technique for identifying important files because now you're starting to identify what a person's actually interacting with and if they're opening it every day maybe that's an important file and so this may lead me to a response like this typical shell response i get a x fill or a dump an export of uh files and i can see here okay a couple of text files a doc file one's called passwords.txt this is great as an individual hacker i'm looking at the results i'm processing it through my human decision making process and say you know what i can copy each one of these files into my new staging directory and so if i have a staging directory

somewhere on the computer i can say let's copy the file into it and now i found three files in this previous command and so you can see here this is a variable just for me to describe to myself that hey i want to fill this variable in with the actual file path of what i was capable of finding now this is uh not deterministic so i don't know what this value is at this point but now that i have some information arbitrary text i could take this parse it out mentally and do the replacement of this variable with one of these so in fact there's one single command or single procedure is equivalent to these three commands

so copy test.txt into directory password something so forth um that's an equivalent scenario so this is how i can roll through and say here is my command here's my arbitrary response that i get from it and then here's how i can take that arbitrary output and feed it as input into another procedure in this case this is a staging procedure and that process is taking me through these various states of decision making and it's what i typically do in a very manual way and now the question is hey can we automate this and do this in a much more uh autonomous way so what we're going to do next is we're actually going to jump

into a practical world of hey how do we actually accomplish this let me switch gears here because i love live demoing is so much better than recorded in a lot of fun ways so let me go ahead and just spin up a planet control center all right so i'll talk to this a little bit i'm going to be combining a variety of open source and free toolings from around the internet so everything here you can repeat easily by combining the same tools but we're going to roll through the process of how do we take what we learned as far as human and adversarial decision making how do we take that information and how do we convert that into

something that we can actually use at our own as an individual at our business in order to attack ourselves to become more secure it seems like a crazy idea but it'll make a little bit more sense as we go okay so the very first thing that i'm looking at is the operator command and control center this is um kind of think of this this is the the big brother to the the mitre calvera framework this is um what i can use to connect agents from the internet connect to my command and control as we showed in the slides this is also where i can launch attacks and i can store my open source ttps and my ability

sets essentially we're going to be leveraging uh atomic red team open source uh procedures so if you've seen that github and you're engaged phenomenal set of abilities uh maybe around 600 or so just in the open source dump on github so we're going to utilize a handful of those we're also going to be leveraging the miter attack framework as our classification system to talk to that and a couple other odds and ends uh as far as agents and so forth that you'll find in open source so looking at this screen right away so this is a desktop application so i'm running this obviously you can tell on a macbook and so i pop this open on screen and

i'll just cover these three things right down here just you can kind of get a feel for what these are we've got adversaries so i have one adversary built i have one agent currently deployed and i've got 76 ttps available to execute right away and so that's kind of my set of knowledge my abilities and so what i can do from here is i can actually hop over to the emulation and from here i can see that i have a single agent connected to my command and control center so we're going to keep it nice and simple and roll through how do you run an autonomous um decision making hack against a single agent and so okay so we've got uh the ability

to deploy adversaries i got my single agent i'll go look at it this agent uh has nothing on his dashboard so it's it's hasn't done anything yet for me uh hasn't executed any procedures it's not currently doing anything um got a couple options up there but we'll just jump into designing my autonomous adversary and so when i look at it i can say i already have one built that i've been kind of tinkering on and i named this one i steal things so what i can do from here is i can pop in and say okay let's go ahead and edit the the ttps that exist on this adversary all right so when i look at the

potential set of abilities and again you can think of this as the ttp database that i showed on a slide deck these are the things i this adversary understands how to do intrinsically so let me move this for just a sec all right all right so we can see we have the ability to compress stage directories thing number one so this is an exfiltration tactic on the miter attack framework we have a technique id if we're interested in that information and we can see three different implementations of this procedure so we've got three operating systems the mac os and darwin these are pretty much synonyms uh programmatically you'll see darwin quite a bit we have linux and we have windows for

each one of these operating systems we can see a single executor this is the type of program or the executable the binary that will execute the command itself the ability and so i can see for darwin i've got bash for linux i have bash and for windows i have powershell okay so these are my three different commands so i can see when i'm scanning through them we'll look at mac since i'm going to run this against a mac i can see that in order to compress the stage directory if we're familiar with bash this will make sense if not um don't worry so much about the actual syntax we can see here that this is going to

attempt to tar a directory and we can see this is a variable based on what we saw on the sides so this is a pound and a couple of curly braces this is meant to be replaced at runtime based on the finite state machine that the adversary is currently in when it's executing so i can see okay well it's expecting to create a new stage or sorry attempting to compress an existing directory and call it whatever the name of the directory is plus just tar.gz to show that and then it will echo that to screen as a debug log okay so you can see that windows of the command looks a little bit different obviously it's powershell so you're

going to see different syntax the goal is that the result of that will be identical though okay so now i can scroll down and say okay well stage collected files let's say my second ability is i want to be able to copy files to a different directory so well this is a common technique to stage files instead of stealing the original copies so you don't want to steal the original maybe that'll become really noticed because you're picking things up and exfiltrating and removing kind of like ransomware will get picked up as a noticeable thing to the defense so what i want to do is i want to copy them somewhere else and then steal the

copies now this command takes two preconditions it requires a file to copy and then it requires a directory to copy into okay so this one wouldn't be able to run first if i'm in my finite state machine process if you can visualize that this one would have to wait until a later state unlocks the ability for me to achieve these two preconditions scrolling down i can see that i also have the ability to create a new directory so two two different types of commands again this will create a directory in the temp stage directory on a mac uh and then it will go to screen as a debug log so you can see kind of what it

did and where it put that stage directory finding of recent files you can see three different implementations one for linux one for darwin and one for windows um again they're all going to do the same thing which is hey how can i find files that were modified the last day they're all looking at criteria slightly differently though and then my last ability in this adversary profile is collecting artifacts over http so this is going to attempt to lift a file from a target system so some remote system that's running the agent and it will attempt to post those over http or sorry put them over a put request um in order to exfiltrate and steal

whatever that is now if i look here i can say okay well there's a handful of preconditions here it's requiring you know files to steal it's requiring the name of the agent that is doing the stealing it's requiring some internal um session and http location information where where does it send the information all right so it's got to send that to an http um endpoint for instance all right so i've got five things not a very big profile but it's five things if i was interested in finding more to add to this i could search through and you'll find all sorts of um ttps that are going to come from places like mitre you're going to

find them from atomic red team you can import other open source ttps in here as well from other sources if you are interested in that sort of thing all right so now i've got my adversary i can create another one if i'm interested and that will pop down here and i can start from scratch but i'm going to focus in on this this i steal things adversary from here i can do one main thing that may be really um appealing to me from a adversarial perspective especially if i'm a red teamer and i want to run this test on repeat i might take advantage of this scheduling option and decide to run my adversary every day at 12 34 pm that's current

time right so i could i could say yeah let's run this every day drop this on a computer somewhere and just let it execute the goal there obviously is to have continuous autonomous uh red teaming where you can build out a profile however you want that isn't going to just sequentially do steps one to ten it's going to apply finite state machine logic and the results could be different from day to day based on the information it's learning and adapting to uh within the the environment you're running so i'm not going to schedule it because i actually want to run it now another thing i could do is i could apply goals and i could say you know

what i want to add a goal onto my adversary uh that is very explicit and i want to say hey run my adversary until it's capable of collecting something maybe i wanted it to run until it collects a specific password or a password at all maybe i want it to run until it's capable of finding out which uh which domain host is running the email server um so there's all sorts of goals that i may be interested in but we'll skip over that and say okay well let's go ahead and deploy it when i deploy the adversary you can see this turned orange real quick if you're capable of seeing that it runs really fast by default in here

you can slow it down if you want to do something um that is a little bit easier to grok yourself when i head over to the agent now i can see in less than a second it was able to run 11 procedures so just ran 11 things let's scroll to the bottom to see kind of where it started off so when i go to the bottom i can say okay 12 36 0 3 here on the time now the first thing i did was find recent files and i can see the attack classification information t-1005 perfect i can see the pin that executed in case i want to match this up in a defensive environment

maybe i want to see if splunk was capable of seeing it if i'm writing that as a sim or elastic search um so i do track that as a as an option now when i click on this let's see what it was capable of finding all right so i can see the command that ran that's not a surprise we showed that one a couple of times now the output is interesting because i didn't know this output before this is everything that would have been modified in 24 hours on this machine that it is running on so let's see it was capable of finding two not super important ds store uh files from finder and then it was

able to find an executable file well that may be interesting um i can see down in the parsed results section i can see that it was capable of locating or sorry i was i can see it's capable of extracting the three individual indicators of compromise that it found and store them as variables it stores them as file.t105. well why file.t105 because these files were found by running a t-1005 technique on the attack matrix and their file paths that is the variable that is automatically created for me now as i scroll down i can see the abilities that i currently have in my own database that i could apply learned knowledge about file and unlock so these are the different

abilities i have now opened up the the states on the finite state machine that i have opened myself up to if i so desire so with my newfound knowledge of three file t1005 variables i can stage collected files i can encrypt them or i can collect them over http so i've got three things so the more procedures and abilities i have access to in my own database the more things i'm going to unlock and the more powerful my adversary will be if we close that one down let's look at the next one up all right we are staging collected files so we can see here that we were able to take and fill in two variables so

we were able to fill in the stage directory that we executed where to put this and then we're also able to fill in the actual file layer we're going to go through a couple of these stage directories and see um sorry a couple of these files and we can see that we're capable of collecting all three files and moving them or copying them sorry into the temp stage directory so scroll up a little bit and to the next cut area so we stage all these files um you can see the pids increasing once we stage the files you can see we created the stage directory down here as well we'll move up to compressing however

and okay here we go so now we compress the stage directory so again this um we have the command here that filled in the variables the precondition knowledge that we learned from prior step and we say okay well now let's go ahead and tar up this new directory temp stage call it temp stage.target.gz um and let's see if we can parse out that knowledge and because we echoed it to the screen we're able to parse it and say okay well yeah we just learned that we have a file dot uh t1560.001 whenever you see the dot whatever that is a miter attack technique sub technique um so that's just a further implementation of the technique itself

not much of a difference in terms of functionality however and so we can say okay well we parsed out this new variable so we could use that if we so desired to exfiltrate the stage directory over file.io well that's a cool one file.io is a common internet file share that is a one-time file upload so you can i use this a lot among many others uh in actual red team assessments and in other places for exfiltrating data to a website that is generally white listed and allowed through you can usually get things out through a lot of these file share services and so okay so my ability so it looks like i have an ability in my database

that allows me to exfiltrate over file.io and i could potentially tie this new staged compressed directory to file that out and steal that information so that's good to know as i scroll up i can see myself collecting all the files and so i collected a bunch of files prior and right now my adversary decided to steal the files one by one versus stealing the compressed file so it could have included file.io and taken the compressed director that i created before but because i didn't give my adversary my adversary that ability i gave it only the ability to collect single files at a time it's going through the collection of of important files it located and stealing

them off the computer the way it's doing it is through http and it's curling the file over the http port of my command and control center which is running on localhost for the simplicity of not running remote agents and you can see here kind of what it did gives it 10 seconds to try to ship the file over the defense and it's going to roll through for each one of my files that i was capable of collecting now that all right as you can see here start to finish uh 12 minutes or sorry in less than a second started off at 03 and ended at 03. so like i said before you can slow this

down there's a variety of options for doing that sort of thing if i want to apply a sleep otherwise known as a jitter to your agent that will start applying longer um periods of time between making decisions which may be helpful if you're doing this type of test uh in a non-offensive manner if you're doing this type of test uh as you should in a defensive way uh you're gonna be able to slow it down and work with the defense and say okay let's run this every day let's do this in a nice realistic type of fashion okay so let's take a quick jump over into the actual attacks themselves so we can get eyes on

the database of options now what we can see here is all the attack tactics that i have capability to or access to and all the miter attack techniques that are underneath those tactics so if i'm interested in adding in new abilities into my data sets and i need a bigger amount of abilities or procedures to execute um i can import them from like i said before atomic red team i can import them directly from here um or i could pop over and say let's just create my own if i'm offensive minded i'm good with whatever computer language that i want to write my own attacks i can pop into this editor screen and start building and this is powerful

from a test and repeatability standpoint so as we're talking about um the capacity and capability of hacking in your sleep uh you don't want to use a static set of tests to run your red team operations or if you're doing this for blue team they're going to get used to that repetition pretty quickly so you want to be capable of not just pulling things off of the shelf from say atomic red team a miter caldera or even you know the operator system here you want to be capable of building your own procedures and adding in the customizations that you expect your organization to test against and so i may say you know what let's go ahead and

create a new discovery tactic we will make that um maybe domain groups we'll say find groups on the laptop perfect uh look for the current users group and we'll say this can run on a mac os a darwin this runs under bash and we'll just do something nice and nice and smooth and simple say groups right and so i can create this and that's that's good i'll save the ttp to my database and this does a couple of things so it adds a new procedure into my own internal database uh so i'm capable just that quickly of creating this is kind of like an attack ide if you're a programmer an integrated development environment very similar to that so now i'm

capable of adding in that knowledge base for something that will run on a darwin sh and then i can pick any agent if i want to go ahead and test this against and say okay well let's see if i can point this at an agent see if it actually works good um maybe i want to start putting in preconditions i can do that as well um so the idea here is to make a rapid pace ability to structure your attacks to build comprehensive adversary profiles down here in the right hand area we talked about this one previously on the slide deck which is check if you have any overlaps in your abilities as you make

decisions you may end up with five equivalent things that you could do that all have the same effect so down here i can see similar ttps permission groups discovery so similar ones as to this one let's click on it okay so this is a pretty similar tdp this is a windows powershell version of it and i can see the darwin variation is exactly the same and when it's is the same i could combine these or i could leave them as two kind of very similar procedures uh and then when i execute my uh procedure or sorry my adversary it will pick one of these to execute now popping back into um the order of events because i want to

close this out looking at the finite state machine which is kind of the important thing that ties all of this together is the idea of using tactics as your finite states themselves and so as i launch an adversary through here what's going to occur is that adversary is going to run its set of abilities through the finite state machine as defined here however i have it set so it's going to attempt to do defense evasion procedures first and then within this state machine there's an internal state machine that's going to attempt to do the techniques in this same circular process as it attempts to execute anything that it has already satisfied all preconditions for so it'll attempt defensive asian first

it'll move down to command and control it'll move down to discovery if discovery finds something that it unlocks in defense of asian we will move back to that stage switching states effectively in order to achieve that so the idea is to really replicate how an adversary would approach a problem set by combining miter attacks classification system with the lockheed martin cyberkill chain and saying let's automate this process let's learn from the output the arbitrary output of running commands and use that as input to future ones and so again what i would hop over to pop over to the emulate section and do is i would hop over here and say let's build out as many adversaries

as i would like so maybe i would like to do one in ransomware as we saw in the last presentation and now i can add ttps that conduct ransomware attacks you'll find a bunch in atomic red team as well as just the operator system um i can go ahead and build out a pretty comprehensive ransomware test install antivirus on my network install edrs launch my ransomware test and see is it capable of catching without my adversary in in the wild essentially and this is the process you want to set this up you want to do some variation of this where you're scheduling out your adversaries and allowing your your defensive teams to to test if you're on the defensive

side for you to test uh completely hands off and this process will enable you as a defensive person or a red teamer to start to get value from the security side the more advanced security side between actual red team assessments and so the whole idea is this should be continuous and it's essentially the process of hacking in your sleep that's all i had anybody have any questions

well i thought it was a great presentation so thank you for sharing it thank you

um i think uh the next room uh the next slot for track one is actually empty on the schedule yeah it's just um break slash chat such meetups so if you want to continue discussion or questions in the discord with uh david hunt i'm sure he'd be more than happy to do that absolutely