
BSidesMCR 2019: Getting Splunky With Lateral Movement Attack, Detect & Evade - Ross Bingham & Tom MacDonald

BSides Manchester, 59:35, published 2019-09. Transcript [en]:

Right, happy days. Thanks very much for coming to our talk. Not really used to these microphones, so at some point I'll inevitably move it away from my face and carry on talking; if you could just give us a little wave from the front when I've done that, that'd be good. The things we're gonna be talking about, following on from our SteelCon talk, forever game on: Kerberos, attacking, detecting and evading. We'll talk about the various parts of how that works within a red team life cycle, and a segue from the red team unit. Okay, so this is me: red team principal over at Nettitude. I tend to do red teaming in large, complicated infrastructures. Used to be a

sysadmin until I saw the light in cyber security. Did some stuff in the army vaguely related to this, and then I've spoken at a couple of other places, received and then delivered our red team training, and I've got some generic certs there. Okay, red teamer at Nettitude as well, also in the world's smallest team of users. My team spend a variety of engagements, paid media, our products, technical teams, ultimately reporting as all an engagement. Since then I've been getting a lot more involved in the detection side, which they all didn't say, two things as well: where we are, the CTI team, look at here, we could always build out of it as well, and it's been a big deal in the world of

detection in various ways: this process won't come back and things like that, video service less deeds, and practically red team for five years also. So let's talk about what we're going to be covering in the talk and, more importantly, why we're going to be covering it. The catalyst for this talk is: we have a quick TLDR on lateral movement, because there's lots of different types, and the three that we're going to focus on. Again, we're using Splunk in this talk, and the only reason we're doing that is you can email Splunk saying "hey, can I have a dev licence?" and they go "yes", and it really is that simple.

It's not a Splunk plug; we don't use Splunk internally. You know, we're platform agnostic, just like we're C2 agnostic, so it's not Splunk-specific, but I'll give you a TLDR on how we've set it up and why we've set it up certain ways. Then we're moving to the good stuff, the attack, detect and evade, focused on PsExec, that hopefully the majority of people are familiar with; WMI, or "whimmy" from this point on; and then DCOM. We'll give you a big sort of TLDR before we go into each one. And more importantly, and this is where I'm quite, quite passionate: what are the key takeaways for your organisations, whether you're on

the blue side, the red side, the policy side or wherever you sit in our industry, there's some key takeaways that should hopefully be relevant. Because if you're struggling for resources, manpower, time, whatever it happens to be, and you can't prioritise anything just because you've got so much to do, prioritise these first, because at least this will get you off the start line. I'll just expand on the kind of "why" behind the talk. As a red team unit delivering these engagements, there's kind of three really critical points where the blue team can start to detect and action, or signature, what you're doing. So initial execution being the first one:

if you're, you know, maybe simulating an external attack, you're gonna want to phish a user and, you know, have them download a file and run a macro, and that's when you perform significant actions on a host that the team can, you know, have IOCs for and detect on. Similarly with persistence: you're generally going to be dropping something somewhere to disk, and that is then gonna leave an IOC on the host that you can detect. Then looking at lateral movement, again several problems here: you're going to have to make defined actions within the environment that the blue team can alert on, such as making your network connections in some places, and

that just follows on from our looking at it, as my last thought, and now you see it that way. So here's a quick rundown of Splunk, in one very basic slide. This is pretty much what you would expect if you've ever set up a new environment to consume logs. The forwarder is what runs on your workstation or server; it also does remote collection from the host and forwards events into the server for ingestion. The index basically organises the events coming in, so you may have a Windows index, a Linux index, an ESXi index, and it basically files events accordingly. Source types are just something we're going to use if you want to be a

bit more granular in your search, so you maybe only want to look at Sysmon events, maybe Windows events, etc.; you can do that with that. And searches, again, are pretty much what it says: it's what we're gonna use to drill down and find things. So just a quick overview of how we've set it up: we've got an on-prem Splunk server, just installed on Ubuntu on ESXi. The universal forwarder is pushed out to our workstations and servers, and we've got Sysmon deployed onto those workstations and servers as well for additional visibility. Sysmon, with a good config, can generally rival most EDRs for visibility

on endpoints, and it's definitely something more: it's free from Microsoft, so if you can deploy it in your environment it's something to consider. We're using SwiftOnSecurity's Sysmon config as current practice, because it gives you a good baseline you can work from, and we've also pushed an advanced audit policy onto our hosts. Windows out of the box just has a reasonably vanilla auditing policy; it doesn't really collect event logs, from a resource consumption perspective. The problem with that is some of the key events that we're gonna be looking at today, for detecting these things, aren't collected by default

out of the box, so if you're not pushing out a custom config that's gonna pick up these, you're gonna miss them. One thing to be aware of: don't blindly just push out a custom config and hope for the best, which is what I did, and it choked the Splunk server with about 50 million events in a couple of hours, because there's 5156 events in the Windows event logs that log basically anything, literally, that happens on a host. They generate loads, and you'll use your licence fairly quickly, so don't do that. Just a quick overview of the network diagram as well: you can see we've got a proxy server; the Splunk server, again, sits in the environment and all the forwarders go through that;

otherwise the Sysmon server exists, and a Windows Server 2016 DC, fully patched Windows 10 workstations configured with Sysmon and the universal forwarder on the endpoints, and we've also got a forest trust to tedamy coal or bank. The reason we've done that is to show the challenges you get in bigger environments, where you get really good visibility in one location but not another location. So it just looks at the challenges, so we can potentially see different things based on poor visibility across the whole estate, not just one domain. Okay, good stuff. So that's a bit of background so you understand where we are and the setup, so let's move on.

Three varieties, two types of coverage: SMB and the exec from PsExec, hopefully, and then we will move into WMI, Windows Management Instrumentation, and Distributed Component Object Model, or DCOM. Okay, we're gonna break each one of those down into attack, detect and evade. The idea of the attack is a low-skill attacker, and you know, sort of maybe an internal pen test where stealth isn't our primary concern, or if you've been asked by the threat intelligence that the regulator's given to you to emulate a particular attacker. If you're doing red teaming without having threat intelligence in front of it, newsflash: you're not actually doing red

teaming. So we're going to break it down into a higher-skilled attacker as well, who's gonna give us a bit more of a defence. Okay, so the current access in all the videos: we've pretty much got a low-priv shell as a user, you know, whichever Joe Bloggs, and we've got elevated creds to move somewhere else. It doesn't make any difference in this talk whether it's workstation to workstation, workstation to server or server to server; makes no difference, because we're not worried about the targets and the originating source, we're worried about the underlying mechanism, not what you're using. So don't get too focused on whether it's a server or whether it's a workstation; it doesn't really make much

odds. With DCOM, you do need a valid primary user token, so it's very difficult to pass credentials to DCOM; it doesn't work. So you may need to look at using RunAs or UACMe for bypasses, or a low UAC, but again UAC bypasses, there's plenty of them around and plenty of those that still work. We'll touch on why we need the primary user token when we get to that section. So just one key differentiation I want to make before we get into it: there's PsExec original, or classic PsExec, and what it's moved into, which is more like PsExec from C2, so

classic PsExec is the Sysinternals binary that's basically, you know, maybe internal pen testers back in the day, you're gonna drop that onto disk or drop it on a share and fire it around the network. Not very sophisticated, not very advanced, but something that's probably gonna occur. Now if you start to look at detections for PsExec, for example, all of the recommendations hang on PSEXESVC.exe getting dropped onto disk and things like that, and the biggest problem with that is if your PsExec detection relies on that, you're not going to catch PsExec from C2, because the IOCs are different. So it's just something to be aware of, and going into this we're going to be focusing on

PsExec from C2, not the classic Sysinternals binary. Another one as well is like Saint Mary's, just go on, I'm going to be a webbed up back, is there equal to the broad saber, probably not anymore. Okay, cool, so the first video, on SMB here, so you can see what's happening. So we've got a low-priv shell here as Jason Perry, just a generic nobody, but we have found DS helpdesk, so Digital Solutions helpdesk, with a password, and the mechanism by which we found that doesn't matter; we're just using those creds to go somewhere else. So this is a low-skill attacker, basically using PsExec to bootstrap a PS one-liner.

Don't worry about the PS one-liner aspect; we're just using a PS one-liner throughout for (a) speed and (b) it's easier to hunt for them in Splunk, rather than using custom DLLs with various entry points and things. So we're just focusing on the method that we're using to instantiate PowerShell. Okay, so this is using SMBexec, and you'll see immediately (we could have run calc, anything we needed to there), but because we ran the PS one-liner we receive a shell, relatively standard. But you'll notice there, because of the way it works, we receive an instant SYSTEM shell rather than going into a user process with a delegation token; it gives us a

SYSTEM token. Note as well, down here we've got the hashes that were being used, and then it gives you the service that was created; then the service runs, and then the service is deleted. Ross will cover a little bit more about that, but this is fixed in PoshC2 at twenty characters, assuming you don't customise it, because if you're not customising your C2 before you roll it, best of luck. Now just a bit on mitigations for PsExec. Generally, host firewalls are gonna be a good place to start: are workstation-to-workstation comms really required in your environment? And again, a big focus for a lot of detection for PsExec is going to be understanding

your environment. So to build detections, you know, you're going to need to know what's normal in your environment before you just go through it in detection. So why don't you tell all the ... so workstation-to-workstation comms: are they really legitimate? Firewalls can protect that as well. Then layer on it: ensure you're talking AppLocker policies, configured in conjunction with ... apps as well; just ensure that's all tied down. Workstation to server comms is another one you can look at, and generally they're only one way, so if you've got hosts continually talking back to a server you can look for that. Another thing

that's off the back of the Kerberos talk, where I think we touched on honey tokens, something you can quickly deploy into your environment for a quick win for the blue team is honey shares. What you can do is create something intriguing to an attacker on your FS01 or whatever share, say \\fs01\backup, that should never be accessed. You can then create an alert on that in Splunk and look for 5140 events. Again, 5140s won't get picked up by default, so you need your advanced audit policy. What you can do once you've got that visibility is create an alert in Splunk that says if this, you know, backup

is accessed, alert, and then you know that someone's gone to the honey share. So detection: what can we do? First of all we can look at it. There's a couple of different things you can look at in your environment: 7045, the service installed event, and also 4697 events, which is basically the same event; they change depending on the log, but it's fundamentally the same thing. So what we've got here is the hosts that it's running on and the service names, which, as covered, for PoshC2 is by default a twenty-character random string; as for C2 IOCs, MSF is like a fourteen-character

one, and those other C2s will have similar IOCs. As we can see, services are being installed, and a nice small list up here, only fourteen coming back, so that's a clear indication that PsExec is live in your environment. With classic PsExec, as you know, it drops PSEXESVC and runs it; this is installing a service and running it, so it's just slightly different actions there, but you can see quite a nice set of IOCs. You can also look at 7000 events. The way PsExec from C2 works is: go to the machine, install the service, run the service, delete the service, before the target machine really even

knows what's going on. What that's going to do is cause an event to log in the Service Control Manager, which is the 7000 event, and basically results in a timeout. As you can see here, we've got a nice clear, small list again: both the host that you're looking at, and you can get the service names in there as well. And again you can see the C2 IOCs, which you can rename; that will come in the evasion section, Matt covers that. But again, just another quick win you can do, and you can then build on these detections based on what's happening in your environment. So that's the Windows events; say two things:

one way to detect this: look at Sysmon as well. Obviously we've got that in our environment, so we can look at Sysmon event 13, and that's a registry value being modified. So again, when the service is installed, the system registry gets a new entry under Services, so that's kind of what we're looking at here: we're looking for ImagePath values in the Services registry section, and we're filtering on COMSPEC, which again is another good IOC for a lot of PsExec modules. What it basically does is run cmd.exe and then pass arguments; as you can see, the PowerShell again gets passed directly after running that, pretty

bad guy, you see; they're pretty straightforward to detect. Obviously can't change that again, but it's just something you can get a quick win on, and get good visibility into what's going on and detect on it. So one last thing: if you start seeing these events flying around your network, what are you gonna do? We're not really going to cover threat hunting in this talk; we covered that in the Kerberos talk, but we're just gonna quickly look at trying to understand what's going on if you do see this on your network, so you can look for SMB network connections across ... and it's a good point to
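One way to turn the service-install IOCs above into detection logic: random-looking service names of the two default lengths the talk names (20 and 14) in 7045/4697 events, and a Sysmon event 13 ImagePath under the Services key that runs %COMSPEC%/cmd.exe with an encoded PowerShell one-liner. This is an added example, not code from the talk or from PoshC2; the event records are constructed, and the field names, the entropy threshold and the allowlist of known service names are assumptions.

```python
import re
import math
from collections import Counter

# Constructed sample events in the shape a Splunk-style search might return.
# Field names are an assumption, not Splunk's or Sysmon's exact schema.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "aB3kLm9QxZ1pT7wE5yUr",
     "ImagePath": r"%COMSPEC% /Q /c powershell -enc SQBFAFgA"},
    {"EventID": 4697, "Computer": "SRV02", "ServiceName": "Kx9LpQ2mTz4Wb8",
     "ImagePath": r"%COMSPEC% /c cmd.exe"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 13, "Computer": "WS04",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\PSEXESVC\ImagePath",
     "Details": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 13, "Computer": "WS05",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\GlobalProtectUpdate\ImagePath",
     "Details": r"%COMSPEC% /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 13, "Computer": "WS06",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]

KNOWN_SERVICES = {"spooler", "wuauserv", "bits", "dnscache"}  # assumed baseline allowlist
C2_DEFAULT_NAME_LENGTHS = {20, 14}  # the two default lengths named in the talk
SERVICES_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
COMSPEC_OR_CMD = re.compile(r"(%COMSPEC%|cmd\.exe)", re.IGNORECASE)
ENCODED_PS = re.compile(r"powershell.*?\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(name: str) -> bool:
    """Random C2 service names: default length, alphanumeric, mixed case plus digits, high entropy."""
    if len(name) not in C2_DEFAULT_NAME_LENGTHS or not name.isalnum():
        return False
    mixed = (any(c.islower() for c in name) and any(c.isupper() for c in name)
             and any(c.isdigit() for c in name))
    return mixed and shannon_entropy(name) > 3.0  # threshold is an assumption


def classify(event: dict) -> list:
    """Return the IOC labels that fire for one event (empty list = nothing suspicious)."""
    hits = []
    eid = event.get("EventID")
    if eid in (7045, 4697):
        name = event.get("ServiceName", "")
        image = event.get("ImagePath", "")
        if name.lower() not in KNOWN_SERVICES and looks_random(name):
            hits.append("random_service_name")
        if COMSPEC_OR_CMD.search(image):
            hits.append("comspec_service")
        if ENCODED_PS.search(image):
            hits.append("encoded_powershell")
    elif eid == 13:
        # Only ImagePath writes under the Services key matter here
        if SERVICES_KEY.search(event.get("TargetObject", "")):
            details = event.get("Details", "")
            if COMSPEC_OR_CMD.search(details):
                hits.append("comspec_imagepath")
            if ENCODED_PS.search(details):
                hits.append("encoded_powershell")
            if "psexesvc" in details.lower():
                hits.append("classic_psexec")
    return hits


def triage(events):
    """Map Computer -> list of IOC labels, skipping hosts with no hits."""
    out = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out.setdefault(ev["Computer"], []).extend(hits)
    return out


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```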

note, emphasising the importance of having your workstation subnet separate from your server subnet, so that you can see the difference. We can use lookup tables in Splunk: is there anything happening between any host in this lookup table, i.e. the workstation subnet, and we're filtering. So then you can suddenly see PowerShell.exe talking across to other workstations, or even to the server, on the box there, over 445. Again, just more IOCs that you can look at, the detail, and try to build detection as well. Okay, cool, so how do we start evading that? You know, if the threat intelligence says you

can't use more advanced techniques, we need you to emulate sort of an activist or something similar, how can we carry on using PsExec to give ourselves a bit more time until the analysts catch up with us? Also, if you're not familiar with the term, IOC is indicator of compromise; think of it as a tell that your SOC can pick up on. Okay, so in PoshC2 you don't need to use PsExec; you can use SMBexec to call a DLL, an exe, whatever you happen to need. You know, you could call HTAs or VBS or whatever you need; basically whatever your execution method is, you can do that down

mapped drives, and we'll show you how to do mapped drives in a second without exposing them to the user, which is handy; obviously even the dimmest user will wonder why he's got additional mapped drives arriving in his Windows Explorer halfway through his day. You can customise service name lengths and things like that, and it's doable with the Resource Kit, Artifact Kit and all that good stuff in Cobalt Strike; not sure about in Innuendo, community, whatever. Then the most important thing is naming the service as something legit to the target. This is something that, certainly at Nettitude RT, we're really quite aggressive on: as soon as we gain new accesses, whether

that's a new machine, new host, new server, new user, user credentials, we begin enumeration and situational awareness gathering again and then feed that back into the cyber kill chain. Although we all hate that term, actually it does work, and there's a reason we're still using it in 2019. So we should know before we move from workstation one to workstation two whether SMB comms are in use already in that environment, because we'll have looked at the event logs, we'll have run Seatbelt and all the active situational awareness stuff and got the Sysmon config, so we should know whether what we're about to do will blend in or whether it won't blend

in before we run it. You know, the idea of yoloing different lateral movement techniques around is bonkers in my opinion. And indeed we'll try not to use the comms back variable; there's only a finite number of those, so you could actually quite easily alert on the comms back ones. You can change that in Posh with -commsback, and indeed if you want to roll something different, just edit the ps1 file before you upload it into the implant. Let's say, as we touched on there, a service is created, executed and then deleted, again quite, quite noisy; maybe it might actually just be easier to use sc.exe to actually create a legit service that

triggers at a particular time or whatever, and then don't delete it. You know, use sc to actually create a legitimate service in a legitimate fashion rather than using PsExec to create, run and delete; that might actually stay lower, even though we're then leaving another artifact of a service on the target host. Okay, so how do we actually do that then? In this example we will use SMBexec to call the DLL we've uploaded here. These are just the default options we're showing; worth noting here that allegedly a super-competent EDR is running on these machines, and so here we are just literally uploading a proxy payload with

proxy creds embedded in it. This is where the mapped drive is done up here; you can see we've left in T: here so you can see where that drive letter would go, and if you don't put T: in there the drive is still mapped but it doesn't show up in Windows Explorer. Okay, so that's pretty awesome, and that allows you to write there in that user context pretty simply. We then just simply have it upload the exe; we then call the DLL, call it s2.dll, with the entry point VoidFunc, which is the Posh default entry point, and then indeed you just call the service where we've shown it how to find it.

In a live one here, we would clearly name that like Citrix updater, Palo Alto GlobalProtect update or whatever you want to call it, or Pulse VPN updater, because there's all sorts of RCEs rocking and rolling for them, yeah, who knew. Okay, we're happy with PsExec. Sort of, that's where the TI pitches it, err, sort of like low to mid tier; that's fine, you know many sysadmins, particularly in medium-sized organisations, are still using PsExec because they haven't really embraced PS remoting or anything like that. So let's look at WMI, and again before we get into it, a TLDR on what we mean is

this is again the current access: a low-priv user on a workstation, but again we've got the helpdesk account through whatever mechanism, doesn't matter, and he's effectively domain admin, we just don't know that yet, through overly permissive nested groups, because we've never seen that before either. Okay, so what we're going to do is move to another box via WMI. Let's just do a quick TLDR over here on what WMI is. So without getting massively wrapped up in the theory of this, WMI has filters, which are, you know, "run this when a condition": the time equals blah, the CPU equals blah, the amount of free

memory equals blah, whatever you want; that is a query, you know, and it returns true, and your query is run when the things you're checking for happen. We've got consumers, which is a thing that runs when your filter returns true, and we've got a binding that brings them together. There are things like subscriptions and a lot of other good stuff too. If you want to learn a little bit more about the theory underlying WMI, just bang out some MCSE certs, or if you don't want to spend, you know, sort of two years of your life doing pointless certifications, you could read Mr Graeber's astonishing 2015 white paper that pretty much sort of kicked

off the whole more common usage of WMI. That's the initial white paper where it all came from, and everything since then has sort of followed on from that, and I'll come onto it in the evasion section. There's also some really solid stuff from Ruben (FuzzySec) with MOF files; that's really solid stuff as well. Next. Excellent, so we've got a shell over here as Jason Perry again; you might recognise him from SteelCon, he's pretty hopeless, he's getting phished all the time. We're going to use WMI to again execute a particular DLL, okay, so relatively standard stuff, and we can see down here, yeah, it's loaded, we now get a new

proxy implant. Most of these in this demo are all proxy implants because our test bed has a Squid proxy in it; workstations and stuff can't talk straight to the internet, because that shouldn't be a thing, and they should go through a proxy. You can see we get a full primary token as that DS helpdesk user; that happens to be on the DC, doesn't matter, we're just looking at what WMI looks like. It doesn't make any odds whether, again, workstation to workstation, server to server, etc. Any questions on that? Cool. So hopefully Sysmon has a bunch of events that are specifically related to WMI, and so we've got one here

which is for event consumer detection, and so we can pretty much leverage this and see the WMI event consumers happening on our endpoints. As you can see here, there'll be a couple of suspicious-looking PoshC2 consumers; obviously again an evasion thing is that you can name these whatever you want. Another thing they're doing as well is getting created, then deleted as well, so these are clear, easy things pretty much you can look at straight off the bat to see what's going on. Again, as I mentioned, understanding your environment is gonna be critical to getting reliable detection, and if you've got hosts in the environment that use WMI, and it's rife in your

environment, it gets used all the time, then these might not work; they also may work. We've been doing a little bit of related incident response, from the end of an engagement, working with the client, and actually currently they had a whole bunch of WMI events and it was their IT staff using WMI to troll each other by using a WebEx account. We've seen stuff like that pop out, and also turn on Sysmon, comes an interest in be briefly Sibley's, but you know, if stuff like that's going on in your environment you're going to have a bigger problem trying to build reliable detections when you have a bunch of additional nonsense going on. So again,

as I mentioned, Sysmon has got event-specific stuff for WMI things. We'll get a look at another one here, which is for filter event detection; again, broadly similar to what you're gonna get from the other one, but it gives you extra information here, such as the query, which is a Win32_ProcessStartTrace, so you can alert on that as well. And again it comes back to knowing your environment, what's gonna basically give you reliable IOCs without alert fatigue. So yes, again you can see the host, the user, when it was created, and the consumer that's being run as well. You may be wondering what CIM is; that is basically WMI's replacement as

of, well, Blake 233 I think it was, but it's not really clear, no version, so just something to be mindful of, because it does have different things you can call, with seven berries where everyone lives, anything. So what happens if your Sysmon events are not going to be any good then? Well, you can look at WmiPrvSE, which is one of the core binaries that WMI uses to perform actions on a host. What it's going to do is run and do things, which is what we're getting in Sysmon here: we can see that WmiPrvSE is spawning some PowerShell badness, and we can

also see the command line arguments going along with that. So if you see WmiPrvSE spawning PowerShell with one-liners, or even other maybe less obvious things, whatever, you can start to alert on this. And again it comes back to knowing your environment: if you use WMI a lot for administration then maybe this is harder; if you don't use WMI at all, then this would be good to go. And I think you can look as well at time-based detection: so if you do use WMI, maybe you only use it to go and run a batch of scripts at, say, between midnight and 1:00, you can have a spike of events then, but

maybe between 9:00 and 5:00 normally nothing's going on, so you can use time-based detection: if you start seeing WMI events firing off between 9 and 5, you can start to look at what's going on that shouldn't be happening, so you can alert on that. One last thing you can do is 4688, which is process creation as well. So again looking at WmiPrvSE creating processes, so if the other ones don't work for you, or maybe that's too hard for you, we're looking at, you know, we're just gonna add a bit more of a generic query here, and we're back: we can see PowerShell.exe getting spawned. Also you can again use a list of

known bad files, like PowerShell.exe, cmd.exe, whatever, and you can just have that alert on those files; and if it's doing other things that you know, in your environment, ignore those. One thing to note, and again Matt will talk about this later on in the evasion: is decibels dead yet? So, you know, maybe situational awareness. Okay, excellent. So you've seen on the left-hand side in a previous screenshot there's lots of mentions of a service that's in a wbem folder. WBEM is Web-Based Enterprise Management; it came from way back in Microsoft land, and DISM, most of us said, is to do with images, so for any Microsoft admins here you're probably

familiar with them, like sysprep in the old days; now you use DISM to manage the images that you use in Windows Deployment Services and such. So how do we start evading? Okay, if the TI says we want to ramp it up a little bit, how do we do that? So we can actually do fileless WMI, which is pretty good. Previously we've had to drop stuff onto the target and then execute, okay, so we are leaving artifacts, allowing the SOC to maybe tie hosts together, and they can see where we've been or where we're planning on going based off hashes, but also we then have to clean that up at the end of the engagement,

which is difficult if (a) we don't have access to that host anymore, or (b) we have to list a load of hashes in the report and people know what's that. So the exceptionally talented James Forshaw discovered DotNetToJScript and then published a tool for that; that's his Twitter up there, supremely clever bloke. And then we also have you Jer shelf and Chris Ross, xorrior on Twitter, again very clever guy. We can tie those two things together and we can now use fileless WMI. Again worth noting that because we're going to know what's blending in, because we've done our situational awareness, because we are a professional red team organisation rather than just firing things around

randomly, we know what's going to blend in, so we know what the WMI subscriptions that already exist are. So we control the naming of these, whether they're subscriptions, filters or triggers, and we can try and customise the ones that we put onto the target to blend in. And as you're hopefully seeing, all lateral movement is detectable; it just depends on how much storage you've got, how good your level one analysts are, and can you find the needle in the field full of haystacks, until you even know what haystack to look at. It's very easy to find when you know where you're meant to be looking; you come back to me

and you've got like 30,000 endpoints in a hundred countries, and then it starts to ramp up the complexity to non-trivial. So we've also got WMImplant from Chris Truncer, which I think uses the OS debug registry key, Mussoorie. It's actually almost like a full implant: you can upload and download files, execute commands and stuff using WMImplant. It's not C2 compatible at the minute, to my knowledge; we did have a cursory go at getting it in. If you haven't seen his intrusion operations course, he also gave a workshop on offensive WMI at SteelCon, and the slides are up on fortynorthsecurity.com.

He's a good guy; knows pretty much everything about WMI. And as we said earlier on, we've also got CIM methods, and I think generally, if anyone's looking for a master's thesis, there's probably some really good stuff to be had when you look into CIM methods, because it is quite a distinct architectural change from WMI; it's more than just WMI 2.0. There's very likely to be some other good lateral movement techniques in there, if anyone's got fifty-fifty research time, which would be pretty awesome. We can also use WMI to spawn something else. Okay, so we're going to talk about diversification very briefly; we talked on diversification quite extensively at

SteelCon. If we're going to use a technique that may get us caught, why don't we try and diversify as much as possible: vary your URLs, execution methods, entry points, user accounts, proxy codes; we could maybe use PBind, and we'll come on to PBind in a second. So what we can do here is use fileless WMI, and so we're going to use, again, this is built into PoshC2 by default, again eminently achievable with Cobalt Strike or whatever particular frameworks you're familiar with, and if you've still got Empire, although Empire's allegedly dead, you know, you can use it there. So here we're going to use the WMI proxy payload

plus the credentials, and here we can see the consumer name; we've made it nice and simple to hunt for: PoshC2 consumer, PoshC2 filter, and the process name upon which to trigger is svchost. OK, so without getting too much into Windows internals, svchost is always there. So we can see here that we use [unclear] JS to execute, and we use this particular DotNetToJScript base64 string here. We have got a plan to allow an additional option over here to pass different types of payloads in, but at the minute, if you want to pass things that aren't the PoshC2 implant, just base64 whatever you want to execute, DLL, whatever it is, and basically

base64 it and call it this, and then this mechanism here will run whatever the command, or other implant, or other shell, or other C2 framework you want; it doesn't have to be PoshC2 if you want. More importantly, here we can see that this is the query that will call the consumer that we've written. OK, so select * from Win32_ProcessStartTrace where ProcessName = 'svchost.exe': svchost is running, run the thing I want; svchost is always running, so game on. And we can see in this case our DotNetToJScript base64 payload now runs. That's why all this is awesome.

So let's have a little quick TL;DR on PBind; don't want to

get too much into it 'cause it's kind of like an hour talk by itself. It's made by a super clever guy who works for us called Doug McLeod. It's aimed at where server land is extremely well segmented and you can't get reliable two-way comms in; you can only get push comms on 445, which is kind of how it should be everywhere, and in server land anyway. And so it's designed for that, and it's, erm, it's like a sub-implant that you can put into your C2 framework, and it's C2-agnostic, so you can put it into CS, [unclear], wherever you need. Yes, OK, so at this point we've already backdoored a user's roaming profile, which is

possibly quite achievable because they'll be stored on a file share somewhere, but then we wouldn't be able to reach into the server where the Citrix box or the VDI session or the Terminal Services session is, because that's appropriately segregated. When we compile PBind on our Windows attacking machine this key is automatically generated, and then we can upload that into the user's profile, then go home for the day, and Joe Bloggs comes in the next day and his roaming profile logs on again. Because we know what these variables are, we can then just pass them to a connect and it will automatically connect, as we can see there. We can now run commands in

the context of the user which we just connected to, which is quite a big power-up really, because before we had no way of executing commands on that server whatsoever; now we can execute commands on that server as a valid user. And we can see here we just get the pretty basic PBind commands, the hostname, and we can PBind-command whoami, which is quite good. Also, what's pretty awesome is we can then use PBind in the context of the remote user to run other DLLs that we can upload through PBind; the next slide [unclear] there, and you can upload that DLL onto the target file system and

then run it. OK, in this case here we've hard-coded the proxy creds in, so this server is able to get to the internet, but if they've got appropriate layer 3 controls, because layer 7 controls are not enough, if you've got layer 3 controls to prevent servers talking to the internet, you can use implant 41 here as a daisy. So implant 43 will talk back to implant 41, and then implant 41 talks out to the C2 proxy and then back out to the C2 server via whatever domain fronts and stuff are going on. OK, as a top tip, if you have your servers talking to the internet it's not a good thing, so that's

why, certainly on the operator side of life, we'll use a workstation as a known-good workstation to handle all the daisy comms. If you're not familiar with how to do daisy chaining in Posh, Rob here is in the middle of rewriting the documentation, so he'll definitely know that, and also generally it's pretty simple if you've got the latest PoshC2 public, and the syntax is a thousand percent better. OK, so let's have a look at WMI again, so to call PBind again just here, because we could get command execution in the context of [unclear] in the previous video, or how do we start and enumerate that server and things like that. So here is a proof of concept; we'll

just use PowerUp. This is bundled into PBind already, but if you want to squirt other System.Management.Automation DLLs into your PBind, just open them up in [unclear] if you feel involved, and then you can base64 whatever payload you'd like into PBind, then pipe it into the implant. You can then just call it with PBind squirt, the module name, and then all of the functions that would be available within that PowerShell implant are available from the PBind command. We can see there, just as a proof of concept, Invoke-AllChecks, and you can see PowerUp runs down the PBind over 445 using push comms only; from a layer 3

point of view, named pipe forwards and backwards as a byte stream, from a layer 3 point of view. Why that's also pretty awesome is you could also quite easily base64 stuff like Mimikatz and all that good stuff and then use PBind to call Mimikatz and pull hashes out of memory. You might think, 'Oh, PowerShell-based Mimikatz is dead'; it's like, well, no. But then also, by the time we're using PBind it's probably against some really super important production servers; most large organisations, by the time they're involved in CBEST, [unclear] and TBEST red team frameworks, they'll have probably pretty monstrous technical debt that they're afraid of changing

things, and their systems will say 'must be run on physical tin', 'must run on VMs', 'must not have EDR or antivirus running on it' as well; you know, like, for example, [unclear] EDR, well, best of luck. And, you know, so we can actually abuse that quite heavily by making use of highly, highly secure at layer 3 but actually quite poorly secured at the operating system layer, because there's no AV or the AV is trivial, maybe they're on McAfee, like, old-school, and things like that, which won't provide any detection whatsoever against Mimikatz in memory using System.Management.Automation.dll, which is what Posh is running. OK, so let's have a TL;DR

on DCOM. So that's Distributed Component, sorry, I continually call it 'the COM' and it's absolutely not called that, it's Component Object Model. I could give you a TL;DR on that, but I'd quite harshly recommend you get yourself a 60-minute TL;DR from James Forshaw; again, he did a talk called 'COM in 60 Seconds', which is like the authoritative how-COM-works 101, it's genuinely stunning. You can see my [unclear], but it is a set of methods that Microsoft products have that can expose remote methods that can be called through RPC, [unclear], provided you've got valid credentials. Once those methods are [unclear] you can create a connection to

their valid CLSID; we'll go through that in a second. Lots of different methods are exposed, some of which are, like, open new tab, close tab, all sorts of various ones, but some of them are like ShellExecute and stuff like that, which will give you command execution in the context of the currently logged-on user. OK, here we can see up here we've got a shell as low-priv [unclear] and the shell as high-priv Ben; you know it's high-priv because Ben has a star. And this is built into Posh; again, this is just an indication of how a lower-skilled attacker would do it, [unclear], you guys can obviously

customise it. Invoke-DCOM proxy payload, and it's important to know that you need to have a valid primary user token to make use of this, hence why we need to have a shell as Ben, and you can't pass credentials to the DCOM and expect it to work. And if you scroll up here we've seen, as a default, the DCOM method here is MMC20, which is Microsoft Management Console, the thing, you know, in Active Directory you manage Active Directory with, like Active Directory Users and Computers, that's running inside MMC, and that has COM methods that are able to be instantiated remotely, as we can see here, MMC20.Application, and then we can see

there, there's a ShellExecute command and that's the command that we run. So actually we just bootstrap a [unclear] one-liner, but again that could have been anything we needed; it could be anything you want it to be, so that's the power of that really. From a detection point of view, quite loud though; most mature organisations hopefully by now are catching that from a process tree, a process-parent point of view, because what that looks like on the defender side is svchost spawning mmc.exe, pretty super weird, should never happen in normal daily operations. What you tend to see is explorer.exe spawning a child process of mmc.exe. As you can see, nothing

comes back, as the user that's currently logged on. OK, so let's do that manually, really, so we're not calling a PowerShell one-liner; this is how we do it manually. All this is available on the internet, and on our GitHub once I get reliable internet in this building. So you declare this as a one-liner or in four separate lines, [unclear] through here; this is how you connect to the MMC CLSID, think of it as like a GUID, and then that's the command you want to run, and then that will then run. Over here we'll get a new shell in a second, and you'll note an important difference between the shell we had in the

previous video and the shell that comes in next. So we've got a new shell here, but actually you'll note that Ben has a hash sign; nothing to do with PoshC2, that's his SAM account name in the directory. That's because Ben is actually 'ben#', an Enterprise Administrator, and he is currently logged on to the Exchange box. OK, so that's pretty awesome from our side, because we used COM with highly privileged creds, but actually the command is executed in the context of the currently logged-on user, which is pretty rocking, and you gain a primary token as him, and also you then go out through the proxy as him to C2; again, pretty good. It's a separate

discussion of whether an Enterprise Admin should be allowed through the proxy, of course. But in this case Ross spoke about mmc being spawned by svchost, so that's exactly what we're gonna look for here, and we're gonna look for that happening: a small amount of events going on here with a parent image of svchost and it's spawned mmc.exe. Another thing to note here is the DCOM [unclear] svchost, mmc, DCOM; again, actually understand your environment, is DCOM common in your environment, is it normal for the environment? [unclear] will consider [unclear] a way to move around; however, we have [unclear] by using DCOM in the environment, in case

[unclear]. So again, situational awareness, like, blend in with your environment; don't judge things, [unclear] be smart and actually [unclear] yourself. And so first action and second reaction is looking for the DCOM launch, as I mentioned. So as you can see here, [unclear], so it's executing commands and you can see the CLSIDs in there as well, so you can filter on the CLSIDs, but [unclear], so again, it could be noisy; again, it depends on your environment, what's going to be normal for you. And so we can use, for Sysmon, in that event, whether [unclear] a broad approach or detection and

go to the ShellExecute stuff, and [unclear] ShellExecute, and as you see here, you know, seven events coming up here, [unclear]. [Music] [unclear]; a lot of these detections are gonna be broadly similar for DCOM, because there are only so many ways you can saturate things and do things; again, it just depends on what's going to work for your environment. And so again you can see DCOM [unclear] here as well and all the good stuff that's been pointed at as a potential IOC. OK, awesome. So if you want a bit more theory and grounding on what, like, DCOM is, Nelson, enigma0x3, [unclear] that

on there; he came up with the idea really, to my knowledge; he's got some pretty solid walkthroughs on there. There's probably a really good research-time usage in finding more of these methods that we can instantiate, because lots of people are starting to get detections for those CLSIDs that can be instantiated, and there's only a finite list; it's like there's only a finite list of LOLBins, if you still party like it's 2017 here, so there's only a finite list of LOLBins that are effective. So how do we evade it? Well, then we don't use MMC20, because, again, svchost spawning mmc.exe is abnormal, and so much of the detection

here is around presence of the abnormal, absence of the normal. If you don't know what your network should look like, then how are you gonna find it when it doesn't look right? So we can use different methods, and Outlook has got some really good ones, Visio, Excel and Word; a gentleman from Outflank has noticed that you can use XLM, which, I think of it as super old-school VBA, that's not technically correct but it's conceptually correct, and that will allow you to run scripts over DCOM. He's got a proof of concept called Excel4-DCOM, which has got a Cobalt Strike script, and I was interested; it's super slow, but then that's easily tweakable if you look

at the source, and he even tells you how to do it on GitHub, that's really good, but it does require a 32-bit PowerShell process that you're sending it from, and also it needs to be 32-bit Outlook on the target, 32-bit, sorry, Office on the target, which is still the majority, because 64-bit Office, or 365, has only been the default for, like, three or four months now, so like 90% of the planet is still running 32-bit Office despite having x64 computers for about ten years. Where is it? It's in the pipeline to get this integrated into PoshC2; it's just issues with size of shellcode. So the staged

payload from Cobalt Strike is about 800 bytes or so; when I tried to get this going for Posh it's 103 kilobytes, so quite a size difference. It took like three or four hours staging a byte at a time over DCOM, but no dice; I called it quits at three hours, kind of thought my shell wasn't coming in by that point. So what we can do though, let's say we are using [unclear], ShellWindows, or Excel4-DCOM, or more Outlook-y things, let's say we are using that, how do we ramp the complexity up again? More importantly, remember we're going to call something and it isn't going to be PowerShell. So if

we're going custom, because we should be, you know, we're customising our payloads and things like that before we put them on the target, and whether it's an EXE, a DLL or whatever shellcode mechanism, why don't we configure it to auto-migrate into a known-good process using correct migration processes; you know, don't be using the signatured ones from [unclear], you know, like WriteProcessMemory, CreateRemoteThread and things like that, you're playing with fire; maybe do some suspended RtlCreateUserThread stuff. And we can also spoof the parent process to try and defeat a level-one analyst who notices that random processes have child processes that don't look legit, and indeed we can use either features

[unclear] or the ones that are built into Cobalt Strike, the argue syntax, which allows you to spoof command-line arguments. And there's a really good talk from a guy called Will Burgess at MWR; I think he gave it at Wild West Hackin' Fest last year, about how red teaming needs to mature and get better at in-memory evasion and staying, you know, dropping beneath the radar when EDR comes knocking. They've got a proof of concept called Gargoyle or something similar, and that's quite clever stuff. And indeed, if we know what the Sysmon config is, because we're going to do situational awareness when we land on that endpoint, we'll also know exactly what processes Sysmon's going

to alert on, exactly how it's going to alert on those, and then we can spend the time guaranteeing that we're going to fit in, or we could use a Sysmon-whitelisted binary, for example one that doesn't attract as much attention from Sysmon, you know, and whether that's [unclear] host or, you know, something related to Windows updating and things, try and blend in, in particular if it's a well-known one that the level-one analyst thinks is going to be legit. So let's do a quick demo of that then. On the left we've just got the output of whoami /all; we're gonna remotely instantiate using ShellExecute; we're gonna use a GlobalProtect plugin

.exe, which is like a [unclear] we compiled back in the office. So what does that look like from the user side? Nothing, is the answer, totally transparent. You'll notice we've got no shell; the reason we've got no shell currently is because we've left some message boxes in the EXE so we could explain to you what's going on. So we can see here a PID of 4334, and we're in the current user context of Corin, just the user we're trying to laterally move to; we're also in a 32-bit arch. So now you'll note the shell has come in, so, you know, it's been through the execution process. You can

see now we do actually have a 32-bit shell as Corin, and it's C# rather than Windows PowerShell; we've talked about how PowerShell is dead, allegedly, and we talked about that at SteelCon, and Ben Turner and Doug and Rob [unclear] talk about it at BSides London. But more importantly, we can see our current PID is 4334, and our current PID here is 4334, which has got a parent process of 5820, which is Chrome itself. So we've spoofed our parent process and we're now, like, in a process that looks legitimate to be making network connections from a Sysmon side of life; you know, Google Chrome

making network connections, it's kind of expected functionality, easy to blend in. And again, if we needed to, we can build in some additional stuff, whether we want to use Outlook to spoof into, so you need to make sure you get your architecture correct, or whether you want to use any other process; you know, Word making network connections, probably not a good choice, but, you know, stuff like Chrome, Outlook, maybe not Word and things like that; you can spoof your parent process to try and break the process-tree tracking from the level-one analyst. So that's what that looks like, and then that gains you a C# shell, and we're trying to

ramp up the complexity, so we're not touching System.Management.Automation.dll, and then that's it, we're game on from there, we've successfully laterally moved.

OK, so coming towards the end now, key takeaways. If you're struggling to prioritise: if you are not rolling, like, a defence-in-depth strategy, it's a matter of when, not if, the inevitable happens. You know, Active Directory is kind of the attack surface and the workstations are the way in now, and we see workstation-to-workstation communications, like, we do it quite frequently. From the blue side, you should have, obviously, like, a CSV of your workstation subnets and a CSV of your server subnets; pop them into Splunk as lookups and say if you ever

see workstation subnet talking to workstation subnet, that's obviously not a good sign; very rare that that should happen, particularly, like, a workstation subnet in London talking to a workstation subnet in Singapore, you know, it's very rare that that's a thing, hopefully, you know. So private VLANs, I totally get that that's quite administratively difficult; I used to be a sysadmin, and implementing private VLANs at scale in a proper grown-up organisation of, like, 300,000 employees is not a small task, you know, everyone's getting loads of overtime. Now, however, host firewalling is less hard, so loads of people we reach in debrief and say 'hey, let's do host firewalling', they say it's impossible,

it doesn't fit the business, it's a massive overhead, and then they forget that 85 to 90 percent of their employees aren't actually anything special whatsoever, and they live in Microsoft Word, Microsoft Excel, Microsoft PowerPoint and Microsoft Outlook doing nothing special; [unclear] is just like any other employee. So run me through the thinking where host firewalling doesn't work for them: it absolutely does work, you're just not willing to put the time in; at least be man enough to admit it. Whereas the other 20% of your employees, maybe they'd be exempt from the host firewalling policy, or you have a more granular one. So I think a personal thing is, like, service minimisation and host firewalling, massive, massive wins,
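The workstation-to-workstation subnet check described above, as an added example that is not code from the talk, from PoshC2 or from Splunk: the subnet CSV and the flow records are constructed, and a cross-site pair (London to Singapore) is rated higher than a same-site one, following the talk's point that cross-site workstation traffic is rarer still. A Splunk CIDR lookup over the same CSV would give the equivalent result.

```python
import csv
import io
import ipaddress

# Constructed lookup table standing in for the workstation-subnet CSV the talk
# suggests loading into Splunk as a lookup (the server-subnet CSV is omitted).
WORKSTATION_SUBNETS_CSV = """\
cidr,site
10.10.0.0/16,London
10.20.0.0/16,Singapore
"""

# Constructed flow records (firewall or NetFlow style), one per line.
FLOWS_CSV = """\
src_ip,dest_ip,dest_port
10.10.4.21,10.100.2.5,445
10.10.4.21,10.10.7.9,445
10.10.4.21,10.20.3.3,3389
10.100.2.5,10.100.2.6,135
10.10.4.22,10.10.4.21,5985
"""


def load_subnets(csv_text):
    """Return [(ip_network, site), ...] from a cidr,site CSV."""
    return [(ipaddress.ip_network(row["cidr"]), row["site"])
            for row in csv.DictReader(io.StringIO(csv_text))]


def site_of(ip, subnets):
    """Site label for ip if it falls inside one of subnets, else None."""
    addr = ipaddress.ip_address(ip)
    for net, site in subnets:
        if addr in net:
            return site
    return None


def workstation_to_workstation(flows_csv, workstation_subnets):
    """Flag flows whose source and destination are both workstation subnets.
    Cross-site pairs (London -> Singapore) are rated higher than same-site,
    since a workstation in one office has even less reason to talk to one
    in another office."""
    findings = []
    for row in csv.DictReader(io.StringIO(flows_csv)):
        src_site = site_of(row["src_ip"], workstation_subnets)
        dst_site = site_of(row["dest_ip"], workstation_subnets)
        if src_site is None or dst_site is None:
            continue  # workstation -> server (or unknown) is the expected case
        findings.append({
            "src": row["src_ip"],
            "dst": row["dest_ip"],
            "port": int(row["dest_port"]),
            "path": f"{src_site} -> {dst_site}",
            "severity": "high" if src_site != dst_site else "medium",
        })
    return findings


def summarise(findings):
    """Count findings per severity, the shape a Splunk stats view would show."""
    counts = {"high": 0, "medium": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


if __name__ == "__main__":
    subnets = load_subnets(WORKSTATION_SUBNETS_CSV)
    hits = workstation_to_workstation(FLOWS_CSV, subnets)
    for hit in hits:
        print(hit["severity"], hit["src"], "->", hit["dst"], hit["port"], hit["path"])
    print(summarise(hits))
```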

and again layer 3 segregation really helps. I get that by the time you're mature enough to be doing red teaming properly you might have rather large technical debt, totally get that, but when you're opening new offices and building new infrastructure, you know, you can set segregation up there correctly, so going forward you're in a better place, and then have a rolling programme to fix the lack of segregation that you've got on your old stuff. And as I say, we say this quite frequently: red teaming comes quite late in the pyramid of assurance services, you know, several rounds of pentest to remove low-hanging fruit, and several

rounds of AD audits, like comprehensive AD audits that cover the entire forest, not just a tiny little subdomain. We don't need to get into the [unclear] now, but testing things in isolation whilst they're part of, like, a wider infrastructure, there's nothing good at the end of that road. And again, know what normal looks like in your environment, whether it's WMI, PsExec or DCOM, and obviously there's other ways as well; you need to know what normal is. If you don't know what normal is, then how can you monitor for presence of the abnormal? Because you're literally [unclear] in a dark room with your hands out in front of you; you've got nothing to

base information on, and no information to base decisions on. EDR, again, it belongs on everything really, and the cost, I appreciate the cost, it's still cheaper than getting owned. And a big one for me as well, it's not on the slides, is for quite a few years now red teams have kind of, like, run riot and then the blue team has just been on the receiving end of it; well, actually, now the pendulum is starting to swing ever so slightly back towards the blue side, yeah, script block logging and all that good stuff. OK, so we move to C#, but then AMSI is coming for .NET, and no, it's here already, or certainly in beta

or public preview; granted, it'll be a bit of a while before most people deploy it, but, you know, inevitably that will come, and again a red team will need to adapt. But you've got deception technologies now; if you're not making use of deception on the blue team you're doing yourselves a disservice, whether it's Illusive or honey tokens, honey SPNs; you can check GitHub for how to do it, you know. You're losing a chance to catch the lower-tier attacker. You need to make use of the fact that you know your networks, you know the battle rhythm of your network, what happens week in, week out, better than anybody; when we arrive we know nothing

about your environment, [unclear], you know, and then the situational awareness begins. You know where your critical assets are, you know where the attackers will need to go from a layer 3 point of view to get there, so plant some minefields for us on the way, make us work harder, so we can test you better on the blue side, because, you know, the whole point of red teaming is to validate and improve the detection and response capability of the blue team; our entire red team industry exists to make the blue team better, that's the whole point. And a big personal thing: don't be the armadillo, which is really, really rock hard on the outside but once you get in is all super squishy and

super soft and super vulnerable. Yeah, just another thing on the EDR, say two things: like, visibility is just a first step in protecting your environment, because if all you've got is visibility, all you're gonna do is watch us run riot through your network; you actually need to be able to detect, contain, eradicate immediately. If you can't do that then you are literally just gonna watch us go wild. And so it's just, like, plugging in an EDR isn't gonna save you; you're gonna need to then build on top of that EDR, so the [unclear] are alright, but, you know, you can RTFM on them, find there's a blind spot, so you're gonna want people that

are confident in the technologies you're deploying, so you can build a custom [unclear], custom watchlists for Carbon Black, for example, and then you're gonna need your [unclear], good forensics capabilities, and, you know, basically a plan for when stuff goes wrong, because if you don't do that, [unclear]. Again, just on having the plan: obviously by the time you're doing red teaming you've hopefully got, like, blue team playbooks, you know, when we see malicious activity who are we going to ring, you know, we've got call-off contracts with third-party IR teams and stuff like that. It's super awesome when you keep the playbooks for that on the file share, like, absolutely

thanks very much; there's a reason we invented, like, secure password vaults; we can store documents in them too, maybe, like, our mission-critical ones. But we've seen playbooks, it makes for some, like, [unclear], so impactful debriefs, so, like, 'oh, and then you rang so-and-so', 'how do you know that?', it's like, well, we were reading your email at the same time, and we've also used a softphone to do it, and we saw you on your screen dialling your IR provider, because we knew you were going to do that, because we were also on your box looking at the incident response plan. So it makes for some, like, pretty impactful

debriefs. With regards to doing the basics and doing them well, [unclear]. OK, so just to wrap up: great thanks to everyone on this list, for either, you know, research that we can all use, or for helping with the talk, [unclear] the lab and stuff, [unclear] tools [unclear]. And I'll say thanks to you for coming, listening to us ramble on for an hour, and [unclear] Doug for that too as well, for getting the migration stuff to work. Thank you, that's us, thanks.
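Before the Q&A, an added example that is not code from the talk, from PoshC2 or from Splunk: the two defender-side signals the talk walks through, svchost.exe spawning mmc.exe for the DCOM MMC20.Application route, and a WMI event filter keyed on Win32_ProcessStartTrace whose filter and consumer names are chosen to blend in, written as rules over a constructed baseline of what normal looks like. The key=value layout is a simplification of Sysmon event IDs 1, 19 and 21 built for this example, and the user and object names are made up.

```python
import re

# Constructed records in a simplified key=value layout (not Sysmon's XML).
# EventID 1 = process creation (Image, ParentImage, User); EventID 19 = WMI
# event filter registered (Name, Query); EventID 21 = WMI filter-to-consumer
# binding (Consumer, Filter). Query is kept last on its line because it
# contains spaces. All user and object names are made up for the example.
BASELINE_LOG = """\
EventID=1 Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe User=CORP\\admin1
EventID=1 Image=C:\\Windows\\System32\\mmc.exe ParentImage=C:\\Windows\\explorer.exe User=CORP\\admin1
EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe User=NT AUTHORITY\\SYSTEM
EventID=1 Image=C:\\Windows\\System32\\WerFault.exe ParentImage=C:\\Windows\\System32\\svchost.exe User=CORP\\user7
EventID=19 User=NT AUTHORITY\\SYSTEM Name=SCM Event Log Filter Query=select * from MSFT_SCMEventLogEvent
EventID=21 User=NT AUTHORITY\\SYSTEM Consumer=SCM Event Log Consumer Filter=SCM Event Log Filter
"""

# Constructed records from a later period: the DCOM MMC20 route (svchost.exe
# spawning mmc.exe) and a new WMI subscription named to blend in with the
# real SCM Event Log Filter, triggering on svchost.exe process starts.
SUSPECT_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\mmc.exe ParentImage=C:\\Windows\\System32\\svchost.exe User=CORP\\exadmin
EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\mmc.exe User=CORP\\exadmin
EventID=1 Image=C:\\Windows\\System32\\WerFault.exe ParentImage=C:\\Windows\\System32\\svchost.exe User=CORP\\user3
EventID=19 User=CORP\\exadmin Name=SCM Event Log Filter2 Query=select * from Win32_ProcessStartTrace where ProcessName = 'svchost.exe'
EventID=21 User=CORP\\exadmin Consumer=SCM Event Log Consumer2 Filter=SCM Event Log Filter2
"""

# Pairs the talk calls "should never happen": the DCOM server host svchost.exe
# spawning mmc.exe is what MMC20.Application ShellExecute looks like.
KNOWN_BAD_PAIRS = {("svchost.exe", "mmc.exe")}

# WQL that fires on process starts, the trigger the talk's WMI payload uses.
PROCESS_TRIGGER_RE = re.compile(r"Win32_ProcessStartTrace|__InstanceCreationEvent", re.I)

# key=value pairs; a value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_events(text):
    """Parse one record per non-empty line into a dict of fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parent_child(event):
    return (basename(event["ParentImage"]), basename(event["Image"]))


def build_baseline(events):
    """What normal looks like: parent->child pairs and WMI filter/consumer
    names seen during a known-good period."""
    pairs, wmi_names = set(), set()
    for e in events:
        if e["EventID"] == "1":
            pairs.add(parent_child(e))
        elif e["EventID"] == "19":
            wmi_names.add(e["Name"])
        elif e["EventID"] == "21":
            wmi_names.update((e["Consumer"], e["Filter"]))
    return {"pairs": pairs, "wmi_names": wmi_names}


def find_suspicious(events, baseline):
    """Return (rule, detail, user) tuples: known-bad pairs, process-start
    WMI filters, and anything absent from the baseline (presence of the
    abnormal, absence of the normal)."""
    findings = []
    for e in events:
        eid, user = e.get("EventID"), e.get("User", "?")
        if eid == "1":
            parent, child = parent_child(e)
            if (parent, child) in KNOWN_BAD_PAIRS:
                findings.append(("dcom_mmc20_parent", f"{parent} -> {child}", user))
            elif (parent, child) not in baseline["pairs"]:
                findings.append(("unseen_parent_child", f"{parent} -> {child}", user))
        elif eid == "19":
            if PROCESS_TRIGGER_RE.search(e["Query"]):
                findings.append(("wmi_process_trigger_filter", e["Name"], user))
            elif e["Name"] not in baseline["wmi_names"]:
                findings.append(("unseen_wmi_filter", e["Name"], user))
        elif eid == "21":
            unknown = [n for n in (e["Consumer"], e["Filter"]) if n not in baseline["wmi_names"]]
            if unknown:
                findings.append(("unseen_wmi_binding", ", ".join(unknown), user))
    return findings


if __name__ == "__main__":
    normal = build_baseline(parse_events(BASELINE_LOG))
    for finding in find_suspicious(parse_events(SUSPECT_LOG), normal):
        print(" | ".join(finding))
```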

We've got a few minutes for questions if anyone's got one; stick your hand up. No? OK, oh, here we go. [Audience question, partly inaudible: have you ever seen anybody actually deploying lockdown whitelisting, and what was the number one blocker?] Well, it's massive again, [unclear]; the most impactful, [unclear] risk users, they'd probably just go along, so you could whitelist them, and then we ignore the super special users, whether they're developers and that, like, maybe they have a slightly more weapons-free policy. So [unclear] the answer is, if it doesn't fit the business, you're just implicitly saying 'I am not willing to invest in'

[unclear], and that is [unclear], at least [unclear]. [unclear] whether it's [unclear]; it's not super special, it's very repeatable. And also, agility is pretty key as well; like, a lot of businesses will focus on, like, 'prevent intrusion'; well, you're not going to prevent intrusion, there's always gonna be [unclear] coming at you, techniques the attackers can use; it's about reliable things, you know, hang your hat on, but if you can, you know, detect, contain, eradicate, and say, you know, within five minutes of a breach happening,

you're in a pretty good place, as all the attacker is gonna do is, like, see we've compromised, maybe perform a couple of actions, and then back out again, and then, you know, you've got [unclear], you've cloned [unclear] the C2 URL, [unclear], and then, you know, we can [unclear] and go again. So the analyst who is empowered to make well-thought-out, playbook-driven quick decisions that will cause outages is actually really good, like I covered earlier. So we have a very, very quick OODA loop: our ability to observe the situation, orientate ourselves, decide what we're going to do

and then act. [unclear] is because our mobile phone bills are 16 hours a day, 30 days a week, you know, so we're on the phone all the time, all day, every day; we don't need to worry about your change management. Change management has had its place, absolutely, [unclear], but having a three-day change window to reset, you know, a service account password, like, three days later, you know, three days is over, you know, we are well on the way to writing half the report by that point. [unclear] people who are empowered to change creds, change firewall rules, and know that it will make an outage, you know,

it will knock your entire [unclear] offline, [unclear] will knock them all offline, but it's still better than the alternative. So go be empowering your people; it's technology, people and process, and of those, people is hard; to stand up your own capabilities [unclear]. Processes, again, lots of people get wrapped around the axle about, like, 'oh, we need a process for this, a process for that', and by the time we've had a meeting with everyone in this [unclear], you know, we aren't empowering the lower ranks, as in the analysts, or the risk owners, whether it's a CRO, technical risk owners and [unclear]; great, totally go out

[unclear]; it's still not as severe as the impact of having a potential compromise. Much better to be on BBC News for 'one of your offices went offline, which affected some people booking airline tickets or something' rather than the alternative, which is 'all of my customer data was in an S3 bucket' [unclear], just like Capital One. So, you know, [unclear]. Give it up for Ross and Tom.