
Red Team infrastructure and payload development automation

BSides Oslo · 2023 · 39:56 · 141 views · Published 2025-07
Category: Technical
Team: Red
Style: Talk
About this talk
Red Teams often require a whole set of infrastructure to support them. This is a mix between actual servers to provide specific services such as payload storage, or C2 server, as well as a number of redirectors in front of these main servers to hide them and provide the ability to reach the same backend server through multiple redirectors to provide resiliency against good blue team defenses. In this presentation, I’ll go through details of automating such infrastructure, its security, as well as the automation of payload generation with multiple features, including static analysis bypasses, dynamic analysis bypasses, and integration of all redirectors into the payload itself so if one redirector is not working, the payload will automatically try connecting using the next redirector. All of this, and some other cool features, are a huge work load if done manually, and red teams should avoid that at all costs.

Andre Lima: A Red Teamer since 2011, who has worked in Portugal/Lisbon, Australia/Melbourne, and now settled in Norway/Oslo. He is also a researcher who tries to present some of his work at security conferences, focusing on EDR bypasses, Windows Kernel development for Red Teams (rootkits) and also tries to blog and YouTube sometimes. Andre’s main areas of expertise are pentesting, red teaming, red team infrastructure and payload dev automation, reverse engineering, and malware development with EDR bypass. Andre is a BSides Alumni who uses his spare time on family, video editing and the sport of basketball and tennis.

BSides Oslo is an independent, community-driven inclusive information security conference. A part of the global Security BSides network, the conference creates a space for members of the information security community to come together and share their knowledge and experiences. BSides Oslo is intended for anyone working with, studying with or is interested in security.

Transcript [en]

this is uh red team uh automation uh infrastructure and payload development um my name as I was saying uh is Andre Lima um I work at PWC Norway have been doing this for 12 years uh red team operator researcher uh have worked around the world uh in Portugal Australia and now finally settling down in Norway for sure um and yeah you can reach out to me on LinkedIn uh if you want to check some of my previous presentations that's the link and if you want to you're interested in what I do and want to follow just uh I'm on X as well it's still weird to say that um also I'll be sharing the slides in

the end uh so don't worry about taking pictures and all that stuff uh you'll have those in the end um so yeah today we're going to talk about um because I understand there's a mix in terms of uh in the audience in terms of experience so I'm going to talk do a little intro on red team infrastructure um then I'm going to talk about my implemented solution uh big FYI uh work in progress um but I'm going to talk about the infrastructure payload development and the future development that I want to do on it and some

conclusions so a little intro into red team uh infrastructure um just some uh design considerations that you should have uh and the reason why you will often see this type of architecture uh whenever red team infrastructure is mentioned um the things you are looking for here are resilience and concealment and the whole point is if you have a payload and it's reaching out back to a C2 server uh you want to have the resilience of having more than one redirectors those redirectors do nothing more than uh redirect traffic to the backend server that could be a C2 server that could be a payload server um and what you want is if the blue team is uh

able to detect that type of traffic and it flags it as suspicious and it tries to block it you want to have uh a list of options and this case the list of redirectors so if you block redirector one you just it just automatically moves on communicating on redirector two and then if something happens on redirector three and so on now usually what you want is to have some sort of separation of duty again gives you more resilience but uh you'll often have this logical uh architecture uh regarding for example your payload um and then another one for the C2 server uh and then maybe another one for the phishing infrastructure for example uh

you um you want to have these separated because you don't want you don't want to have the blue team uh just block one IP and all of a sudden it blocks your entire infrastructure in terms of uh uh functionality but there is a problem with this which is as you might imagine if you uh are tasked with setting this whole infrastructure up then this becomes uh a huge load of work and you do not want to do that manually uh I love sysadmins but this is not the job so do prefer to spend my time hacking um so yeah the solution is obviously uh given the problem that too much uh work uh uh

instead of spending too much work in sysadmin you probably want to take some of that time and actually put in to what is more valuable to the client uh and actually do more uh hacking uh in that sense so automation is definitely the way to go um now just a quick note on why this type of projects is interesting um multiple tech options different design options very customizable new tech integration um I one of the things that I've always loved to do even though I'm more connected to the security uh industry is to go randomly to conferences, IT conferences usually um where sometimes developers um infrastructure whatever um and just learn about new technologies and often

wondering how can I integrate that into what I know and how could that help me uh and in that sense it is incredibly interesting to just uh go deep into some of the Technologies because obviously most of us understand for example the concept of devops but have you actually ever gone deep into one solution and tried to actually have it work so this is why this type of project tends to be like super interesting you just learn something new and immediately you might have new ideas um I don't know for example uh Mojo is a new language uh but on the surface if you look at it you might just quickly put it aside as oh

it's just an AI language kind of thing but actually when you dig deep into it uh it doesn't relate to this but it's just an analogy here but um when you dig into it you start realizing that actually it's a full uh purpose language and if you understand uh how much quicker it is and how it does it uh you can quickly have the idea of maybe redesign hashcat uh I don't know hash cheetah or something and down the line maybe that's an interesting project that might come up come up um uh just because you had the idea to go to a conference and hear about Mojo that seeming seemingly unrelated so if you want to read more

into this there's a a lot of technicality uh in terms of what software to use for example in the redirectors there's more considered dumb redirection when you usually go uh OSI layer level uh level three four where you're thinking about IPs or maybe TCP UDP uh that kind of redirecting but then there's also uh the considered smart redirection where um you tend to usually something related to it has the ability to read into the layer seven so HTTP protocol look into the the bodies uh of the request and decide what to do sometimes EDRs and specific tools uh that sandbox some payloads will do requests and will be uh will identify themselves in the agent or in whatever

um HTTP header and you might want that flexibility so in that sense you might want to use something like mod_rewrite um in my case I I'm a minimalist at heart so at this point I'm still using iptables but later down the line as I see the need for it I will definitely uh uh uh improve it so yeah definitely some really good references um now I'm going to talk about the implemented solution uh again big FYI ongoing work um so basically it comes uh it comes down in terms of infrastructure um it comes down to a Python wrapper um that runs Terraform to set up the infrastructure and uh the Terraform in it in itself has Ansible as well to for

provisioning so um if I need to install an Apache server kind of stuff that will be done with Ansible but setting up the whole uh VM and redirectors and all that stuff uh will be done with Terraform the reason why you want to wrap this up in um in Python is that um you will often you will require for example when I do DevOps uh I'm using GitHub Actions and what that means is I will eventually down the line have to trigger workflow and you can do that in the GitHub uh using the GitHub API to do that kind of stuff I need not only information that it is given to me as output from

Terraform namely the public IP addresses from uh VMs but um also uh obviously um the API keys and everything to communicate and set up the the whole DevOps which I'll talk more uh ahead there's also uh I want to integrate um uh Uptime Kuma that's K uh just because it looks interesting so I got into it it doesn't mean necessarily it's the best just FYI but um the whole point is you want to set that up usually with Terraform and Ansible and install it but then uh you need the API the Python to again reach out to it through the API through its API to feed it the servers that you want to monitor and how you want to monitor

them that's a bunch of uh Python requests that you do so these are some of the options um that it does I'm using a Click module on Python it just makes things a lot easier uh and that's an example of the thing running uh it's not that interesting seeing it live uh it takes a lot of time uh a lot of time is in 10 15 minutes maybe depending on the number of redirectors but uh on the Terraform applying part um but yeah and those are some of the tools that I'm using GitHub Actions I'll talk a little bit more ahead about those and yeah just to talk a little bit about the option to go Terraform

infrastructure as code um this is one of the things I really like about Terraform it's just infrastructure as code so when you need to back up your infrastructure theoretically all you have to do is git push your uh the the code itself um there are very good people that use um Jenkins for example which is is completely uh plausible uh and a very good option um but to be honest with you it's mostly a personal preference because first of all I look at Jenkins and it looks like something coming out of the 90s and not a huge fan uh but also on the more practical side I'm a minimalist and I want to decrease the

amount of sysadmin work that I have to do and the worst thing that uh I want to that the the thing I don't want to happened to me is to me for me to come into the office thinking that I'm going to do some really cool cool recon on a client and then all of a sudden there's a new critical CVE on Jenkins and I have to patch it and I patch it and I figure out uh it's broken now I have to fix everything I go figure out where the backup last backup was I'm not doing that um so yeah really huge fan of Terraform um and yep the next one is just the integration

between Terraform and Ansible um just to clarify it's not like I'm an expert in these technologies but the feeling I get is that Terraform tends to be better at deployment into of infrastructure and Ansible tends to be better at provisioning installing software and setting the server up so uh there's a lot of discussion some people think one is best in other and but some other people think the combination of the two is the best and quite honestly I've used it and haven't had an issue yet that I could think oh maybe I should have used more one or the other um and then there's uh some notes on infrastructure security the most important thing when you have such

infrastructure especially deployed automatically is you want it to be secure uh bear in mind these are uh these are software that will be running the C2s and so on that give you access into actual infrastructure so you want to be very careful with that and make sure you know what you're doing um one of the cool things very easy to manage SSH keys uh throughout this whole thing um the version I'm using Azure as uh on the backend um as my cloud provider um and the firewall is the network security uh group NSG and that's just a little part as you can tell by the left uh column the there's a lot of number of lines there uh but um just an

example the first one will limit uh that's for the resource C2 redirector um so so for the redirectors I will only allow SSH and to be honest I think pretty much all the VMs I will only allow SSH from the operator public IP address for example uh and then the redirectors will accept uh both ports 80 and 443 from uh anywhere uh um but there's a little trick that I will explain uh actually now in the misdirection part what does that mean so this is one of the cool things about these types of projects is that you can become very creative and because there's no right way to do things you can just do whatever you want that you

find interesting and one of the interesting stuff that I thought about was uh if you notice uh when I run it uh there's some debug information there you can tell there's a client network range that I supply now the reason I do that is for the the infrastructure to be able to tell the difference between what's coming from the network uh the client network range and what's coming from the rest of the internet now if you're coming from the network uh range uh the client network range what you will see and you try to access one of the IPs in that case the 112 um uh redirector what you will see is the actual backend I

think this case is the payload redirector so it's the payload backend server that's the the Apache that is there installed now if you try to access it I used my phone because I'm on 5G so it's just easier to uh don't have to set up anything or just to move places uh so just from my phone you see a cannoli recipe uh which is good if you want to play around with the blue team and just misguide them a little uh it's always useful so yeah it's one of the interesting stuff that you can pull off um by having these solutions so in terms of DevOps uh building the tools compiling uh the tools that we use very often I'm using

GitHub actions and again it's not like I sat down and I uh played with every single one of them out there and decided the GitHub actions is the best not the case at all but uh I like using uh if I'm using GitHub already for my repos for whatever uh I use it for project management as well it's kind of Handy um in that sense when you pull push stuff it automatically creates uh stuff in there which is super convenient but if I can have all my tools in one spot unless there is an amazing feature on some other option I will tend to have all of them on one spot and just make my life

easier so that's why GitHub Actions was the options the option now that being said I've noticed some difficulties in developing in writing workflows um just some things that don't sit perfectly with me that might have changed since then few months that I checked that but uh for example the latest version I want to say of Visual Studio that you can use to uh build tools in GitHub Actions is I I think it's 2019 whereas if you're using the Azure uh DevOps not sure it's if it's Azure DevOps or it has specific name don't remember but um then it allows you for the more more modern uh 2022 um version and overall it kind of makes

sense that Azure would make a better uh thing uh option for building at least C# tools, .NET stuff uh so it kind of makes sense so it's definitely something that I want to try and uh give it a go but that's later down the line so you can see here uh just an example of a workflow running now if you look at the green sign uh over here and you see here it says manually ran by Andre I was confused when I read that because I never ran that I mean I read I ran it manually I think the first couple of times when I was testing the thing but ever since it's just the the the the

infrastructure the Python wrapper that runs it but I then realized on the GitHub documentation that you can manually trigger a workflow uh run uh using the GitHub API and that's basically what uh I'm doing uh that's a call uh a part of the Python wrapper where I'm just obfuscating the my API key of course but uh overall it's just the more than obvious stuff it's just some Python code that runs triggers the workflow um now after you build the thing uh you the the naming convention is you create what's called the payload in this case it's called artifacts um now um in GitHub Actions and I'm sure others uh do provide input not only input which is

useful here in terms of uh public IP addresses uh but uh also allows you to Define Secrets uh so if you want to put in your um SSH key to then connect to the payload server and upload the artifact that you just built then you do something along those lines um and

yeah now that is all about building your code but when you're building your code but after uh before building your code you want to worry a little bit bit about the code itself and the simplest example you probably want to obfuscate stuff in it um but not to be easily detectable in signature based kind of detections um so the what the the way you try to do usually that is by using some sort of scripting capabilities uh either PowerShell or Python and you'll find a lot of very hacky ways where people will uh uh run scripts to find for example literal strings anything between uh um to um double quotes um and but if if you

think about it that's a very hacky and bad way to do it it can lead you depending on the complexity of the software to a lot of false positives um interpolated strings is another type of strings that you cannot detect just by simply doing that kind of stuff um but also all types of details like if if you're expecting uh a a keyword followed by uh for example if you want to update an in C# you should because uh the um executable is actually IL code, Intermediate Language and it uh uh keeps a lot of the names of the classes methods and all that stuff namespaces um if you are looking like to replace a

class name and you're thinking about oh uh let me look for the name ABC but ABC might be like in the the uh middle of a string so let me put space ABC space but then you can find examples where the program where there's two spaces where there's a line break when there's lots of stuff bottom line is you're using you're trying to do it the hacky way which might work but it's not the best way and that's where Roslyn comes in uh after doing this type of stuff I thought Roslyn was just a compiler uh it turns out that it's actually uh defined as a .NET uh compiler platform and that sounds very fancy but basically what it

means uh it represents present C# it parses the code which if you think about it it's the best tool to parse the code and interpret it and most importantly it parses the C# code and it generates a syntax tree which then you can navigate and you will have all these different types um uh that will define specific uh stuff that you will then easily be able to find class names to find the the instances where they refer to that class name method names whatever you want literal strings interpolated strings um and all that stuff so the syntax tree will contain uh syntax tokens such as keywords um literals and so on uh syntax trivia all the different types there's

different types for different types of comments for example and um and syntax nodes as well um language constructs classes namespaces and all that so that is the power of Roslyn now just a quick warning it sounds like oh I I I about to show you like a few slides on this stuff it sounds very straightforward and oh yeah it's must be like easy to use uh there's um first of all like uh but there's a lot of stuff that I'm not talking about here because this is not a Roslyn tutorial um but I will give you really good references of places where I learned a lot about it um one of the things is um you can write

very simp simple code and look at the syntax visualizer it's it's not hard to get to it from the menu I don't remember right now because I've done it a few months ago and now it's always there so uh but ping me later I'll I'll uh find on my notes or actually look at it but um yeah so you can click on stuff and I think there I was clicking on hello world and it immediately jumps the visualizer jumps into the type that corresponds to that object which is the string literal type um this is just an example for you to start getting like comfortable with the types and understanding how it all nests in

together but in order the com the oversimplification here is that I just showed this and everyone is probably expecting to open Visual Studio and find it uh you actually have to install Visual Studio SDK uh to do that um if that was the only thing that would be cool but so uh the NuGet packages uh to be installed there are uh quite a few uh let say four or five have to check my notes again uh but they basically contain information for types classes uh libraries required to analyze uh parse uh and understand the C# uh code um then um you have multiple objects literal string interpolated string syntax trivia uh all that stuff that you kind of have

to get used to um so it's a good idea to actually take a look at the visualizer um there is also I didn't put it here I forgot but uh there's also a URL a website that does that offline so if you don't have Visual Studio for whatever reason or just want to quickly just we go a check it uh again ping me later uh but um yeah multiple workspace types uh AdhocWorkspace, MSBuildWorkspace, VisualStudioWorkspace depending on what you want to do you'll have to use different ones um and also understand just the the the what a workspace is a solution a project documents how they correlate with each other and then how

all the objects then come into the document object uh then you have nav uh learning how to navigate the syntax um which can be done in three ways uh LINQ is the the simplest way is the simplest way sorry um but not great performance which is relevant if you're writing an analyzer uh which Visual Studio is running every time you press a key uh but then again for our uh purposes it's not really that bad um there um there's also syntax walker and syntax visitor um and LINQ is actually something because I find a syntax walker little bit more elegant but I've been forced to go back to LINQ a few times just because of that last

sentence insufficient stack to continue executing the program safely now if you've ever programmed using any sort of recursion uh you know that uh if it gets too deep uh then you start having trouble with the stack and that's something that sometimes syntax walker will trouble you and you'll have to revert to some sort of solution on LINQ uh another uh issue is um it um all of these all those objects are immutable objects and that's something that you hear and you tend to forget really quick but what that means is every time you actually change the code uh through programming it actually creates a new instance of the uh of the object so if you're keeping the old one which is very

common uh you then struggle with wait a minute I just changed this what happen why is this not uh changing and you just have to figure out that you have to use that new object so just some really really good resources and again uh conferences that I would usually not attend uh developer more like C# I think I want to say programmers developers but uh seemed very focused on C# no know but um NDC Oslo where Mark Rendle and Erik Schierboom uh I hope I'm pronouncing that right uh but they've they talk about very deeply about it and some other implementations uh um that don't relate to security but you understand the whole

point of having these um also xpn has really good blog uh where he actually uses Azure DevOps um so uh which xpn is Adam Chester uh amazing researcher uh so and actually I do have the link for the syntax visualizer um which is that one RoslynQuoter again I'll give you the QR code for the slides in the end so you can uh access all

this so let's just show a demo of Roslyn um in this demo it will just grab a Seatbelt and it will uh convert all literal strings and interpolated strings to uh cap um uppercase letters I'll just share show you the code and everything just one

sec for some reason it's taking ages to start video

just one second B me

let me just try to kill Windows

media okay [Music] so let me just try to okay so I think it's

running same problem with the mouse sorry for that okay

okay so this is um basically the that the main code and as you can see there I'm loading the uh the solution um it's going to just call uh let us just run through

it so it loads a solution that's the Seatbelt that I'm about to update and download then it creates an instance of the uppercase writer which is an implementation of C# syntax rewriter and you have those two visitors interpolated string text and interpolated uh and uh the literal string one and all of those are executed once navigating through the whole syntax tree and calling out the visit um method there so then I just have to update everything build the whole process output the assembly to an executable locally because again this is all in memory and then run it and here you can see that I'm getting a fresh copy of Seatbelt and then I just run it

and you can see everything comes back in a upper

case that is very weird because I'm not moving it okay okay

now there are some complications there um uh things get trickier I mean um the thing is you uh that is a very simple example but it's the example uh I wanted to show it because it's the easiest to visualize uh because of the uppercase of course uh but the when what you actually want to do is to integrate to grab that literal string or literal string or uh uh interpolated string and put it inside a decode method not only encrypt obfuscated somehow or encrypted uh but also uh put it inside a decode method um now what that means is that you have to write the code for the decode method somewhere now depending on

a software that could mean uh the inside a namespace uh inside a class um and just write another method but it has to be code that is reachable uh throughout the anywhere that has um uh a text that has been obfuscated so it makes you think it it's not that straightforward so now just to clarify some goals um what you want to have is fresh infra ready to go fresh payloads ready to go uh simple to deploy easy to manage but and for future development uh uh what I want to do is having the infrastructure timeout for auto cleanup uh because ideally you don't want to stress too much about uh bringing down the infrastructure uh and

just have it uh you know the engagement is ending in two months for example you just set a date and it does it automatically uh of course more C2s um everything that it's being done is being the redirection and everything right now is through IPs um not domain names so that's a part but I've uh I've seen that you can actually buy uh domain names probably generate a few random ones um to test it out but there are tools that will generate if you give it some sort of context in terms of naming of company kind of thing it will generate a few random uh names that are kind of related to it so it's a better of uh disguise

but again you want to automate all of that support to HTTPS uh still not done also uh phishing um infrastructure support I definitely want to add that um how long do I have okay um now a lot of people like uh um solutions like GoPhish uh but personally uh haven't had great experiences uh because my the obvious thing about these kind types of tools is that you lose a little flexibility and control over what is sent um so a lot of spam filters will tend to become really good at detecting the minor things uh about how an email is uh developed um so you want to uh be very careful with that uh and to that extent I'm a uh much a

bigger fan of developing the whole thing myself uh um very quickly Python codes running that connects to um an SMTP server in a I've done it in AWS before uh but pretty sure you can do it anywhere else uh to send an email and then you control the whole body that could be HTML that could be just text but you control everything exactly everything that goes into that and then just create the whole um uh phishing site where you collect the credentials and so on and make it look like uh something uh legit quick conclusion uh good red team infrastructure design principles resilience security uh easy to deploy good payload dev principles obfuscation encryption is usually uh not always but

usually an overkill um from experience bypassing EDRs most of the times what you are actually trying and it really important for you to understand the goal here what you're trying to bypass is autom automated static analysis as in signature based uh kind of detections um you can never uh stop really good manual reverse engineer uh so might take them longer but you that's the point you want them to take a little bit longer but it's just for you to be able to then move laterally and get other uh machines so it's very important to understand what is the purpose here and more often than not XOR by XOR uh with XOR encryption with XOR obfuscation or

encryption technically uh with one byte key is more than enough um code insertion to stop automated dynamic analysis don't have time I would elaborate on that so just ping me after but IOC stripping per compilation per op uh GUID insertion you want to have that because uh you want to have the functionality of if something gets uploaded to VirusTotal you want to be able to under understand exactly which engagement were you on when you developed when you compiled that payload uh um and it's really good feedback as well for the client and for yourself if you're in the middle of an engagement and one of your payloads gets uploaded you know it's from this engagement and

not the previous one or something like that um so you probably need some fresh payloads you only get that kind of feedback if you have these GUID into your payload and then of course the kill switch uh there uh the job is ethical hacking and there is a very important part of on the ethical uh word and that also means respecting the client's time now a lot of the times you assume oh but my infrastructure is gone like what do I care you should care because when a payload is triggered is executed and it starts running you need to have a kill switch otherwise um what that's does is starts a whole bunch of red flags and uh

tickets throughout the whole company and you're just wasting people's time unnecessarily as opposed to it just check if it uh it's the time of the engagement if it is for example if it is running on a computer in the domain that belongs to the client um so you you definitely want to check those things and when you want to check for example for domains you don't want to put in the actual domain of the client in the payload because that's a hint that a client X might have been compromised uh so what you want to do is if you understand password storage is pretty much something like that it's a bit extreme to salt it but what you want to

have is a hash of it so you grab the domain uh where that computer belongs you hash it you compare you with your hash and that's uh only if it matches then you run but if you take anything from this talk uh let it be the following never send a human to do a machine's job Agent Smith uh so I hope you've learned that today uh you can grab the the slides on that QR code uh again I'm reachable if you want to check my previous presentations uh so thank you very much for coming [Applause]
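
Added example, not from the talk or the speaker's tooling: the conclusion above says a one-byte XOR key is aimed only at automated signature matching. Seen from the analyst's side, this sketch XORs each known indicator with all 255 keys, searches a sample for the result, and reuses the recovered key to dump the remaining strings. The indicator strings, the sample blob and all function names are constructed for illustration; byte-wise XOR over UTF-8 or UTF-16LE text is an assumption about how the strings were stored.

```python
import re
from typing import Iterable, List, NamedTuple


class Hit(NamedTuple):
    indicator: str  # plaintext indicator that was found in masked form
    encoding: str   # text encoding the masked bytes were in
    key: int        # single-byte XOR key that revealed it
    offset: int     # byte offset of the masked string inside the blob


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def find_xored_indicators(blob: bytes, indicators: Iterable[str],
                          min_len: int = 6) -> List[Hit]:
    """Search blob for each indicator under every non-zero one-byte key.

    The needle is masked instead of the blob, so the cost is 255 substring
    searches per indicator and encoding, whatever the sample size.
    """
    hits: List[Hit] = []
    for indicator in indicators:
        if len(indicator) < min_len:
            continue  # short needles match random bytes too easily
        # .NET keeps string literals as UTF-16LE; byte arrays are often UTF-8.
        for encoding in ("utf-8", "utf-16-le"):
            needle = indicator.encode(encoding)
            for key in range(1, 256):  # key 0 is plaintext, a normal signature sees it
                masked = xor_bytes(needle, key)
                start = blob.find(masked)
                while start != -1:
                    hits.append(Hit(indicator, encoding, key, start))
                    start = blob.find(masked, start + 1)
    return hits


def recover_strings(blob: bytes, key: int, min_len: int = 6) -> List[str]:
    """Unmask the whole blob with a recovered key and list printable runs."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(xor_bytes(blob, key))]


def _build_sample() -> bytes:
    """Constructed sample: two strings masked with key 0x5A between filler."""
    key = 0x5A
    filler = b"\xf0\xf1\xf2\xf3"  # stays non-printable after unmasking
    hidden = [b"c2.example.invalid", b"/updates/check.php"]
    return filler + filler.join(xor_bytes(s, key) for s in hidden) + filler


SAMPLE = _build_sample()

if __name__ == "__main__":
    # Only one indicator is known in advance; its key exposes the other string.
    for hit in find_xored_indicators(SAMPLE, ["c2.example.invalid"]):
        print(f"{hit.indicator!r} ({hit.encoding}) key=0x{hit.key:02x} at {hit.offset}")
        print("other strings under this key:", recover_strings(SAMPLE, hit.key))
```
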