
Oh, this is on? Cool. Hey, welcome to my, quote-unquote, talk about modern red team tools, tactics and techniques. There is a raffle with a mystery prize; if you click the link you will see, and I hope you all enjoy. I'll give you guys a second to get on to that. Just a bit of a disclaimer: obviously this is my own personal experience and knowledge of these things. I don't represent my company, whatever that may be, or its views or whatever. If I think it works, it works; don't go around saying anything else, and if it doesn't work in yours then you have to try harder. Really sorry, that's life and red teaming.

So without further ado, I think we will start. A bit about me: I have been in pen testing over three-ish years now, and I've been doing red teams for about two of those. I consider myself very newbie still; I'm still very much learning the ropes, in my opinion. I've never really considered myself at any given point an expert, but I think that's kind of a good place to be. This is always changing; there's always new stuff happening in red teaming, there's always new tech coming, new zero days, new attack paths, new technologies, new security detection rules, new all kinds of stuff, and so having that mindset that things are constantly changing beneath you is a good one to have.

So without further ado, let's go and explore. Modern red team: what is a modern red team? Well, one I did recently is what I'm going to describe. To give you the scenario: a fake company called FakeCorp is asking for a red team. They are a relatively large company, and their biggest concern is really not about their environment but about this new SaaS solution they want to roll out. It's only used by maybe a few devs and a few key members who need to use it, but the main point is that it's how they host their really sensitive internal information, and they're really worried about this coming out at any given point. So that's the main objective of this red team: can you get to this app and find data on it? They've had pen tests before, but their SOC is brand new, so this is the first red team, more or less.

So in red teaming there's this trifecta, which I like to consider, which essentially is basic security gaps, general bad practices, and just a bit of luck. And then of course you have the perfect craft, which is nothing that is real, but aiming for it while keeping those three things in mind I find encapsulates well what red team activities are like. You'll see sometimes really easy stuff like domain admin creds in a share, or they have really strict inbound phishing rules but Enable Content is there, so you can just ask them to enable content and then you'll get a payload. But in this case the entire scenario will be without phishing, so it's a malicious employee or post-compromise.

So before we actually start, we use OSINT and stuff to get information about this company. Something I found really useful is Stack Overflow: a lot of times devs and admins will just post information about stuff they're trying to get working, with a full screenshot of their environment: internal domain names, app names, security policies. One time a dev had a full screenshot of his entire desktop on a guitar forum, because he was trying to repair a guitar and he thought it'd be a good place to be taking screenshots of stuff. It was very strange. But once we have OSINT, we kind of understand what we're going for; then we need to build up our environment.

I can't stress this enough: Terraform and Ansible are the best things in modern red teams. I can talk about getting that kind of VM spun up with a couple of buttons, and the configuration of a C2 and a C3 off the bat; it's so much easier than doing it manually and it's so much more reliable and dependable. Being able to do a quick few steps, some configuration, and you can do it every time, so you can burn the domain really quickly if you need to, or you can pivot to a different kind of communication technique, or use something alternative like Slack or Twitter to beacon initially, and all kinds of different things. That kind of confidence that you can get set up lets you focus on the fun stuff of the engagement, so you're no longer wasting a week on domain categorization and that stuff; you're just spending maybe half a day and then you're ready for the test.

So in general what you try to do is build guard rails. I find the more guard rails you build into stuff, and the more niche it is, the better the returns. If you don't know, guard rails essentially mean that before anything will run it will check its local environment, and if it doesn't meet certain requirements it just won't run. Something like the internal domain name, or the machine name if you want to be really careful, that kind of thing. Having those built in means that someone can't just accidentally get your payload and then run it, or if the SOC is investigating and it's guard-railed for the host, when they run it on their own machine it does something different than it is meant to do. That kind of control and that kind of obfuscation I find gives a good reward in terms of long-term stuff. But in reality all this is basic development; it sounds really fancy, but it's basic dev architecture. The best resources I found on this are just like normal CentOS-based ones, or you want to build Terraform for your actual environment, and then weaponizing that is only really the next step.

So once we have the scenario, our payload essentially will hijack Teams, I think, because the client would talk to us over Teams, so we knew they had Teams installed, and this is a reliable kind of thing. This kind of hijacking, we find, is fairly common now: all your common communication things like Teams, Slack, Discord, yada yada, all share the same kind of hijacking vulnerabilities, where they look locally for a DLL to run before they look in the Windows folder. And so if you just place that DLL there, which you have write access to because they want to allow people to install them without admin rights, you can just hijack them and run your code at free will. So you get a reliable beacon there, and when they examine the process it's all going through Teams, this application that's meant to be streaming content and always in meetings and stuff, so it's a bit more OPSEC than running MSBuild or just running, I don't know, the EXE by itself.

So in general I've been using Cobalt Strike a lot; it's really been carrying me in these engagements, though I do experiment with other C2s when I can. A lot of the functionality of Cobalt Strike, of course the out-of-the-box stuff, is really well known, but you can kit it out with BOFs, which are Beacon Object Files and stuff, so it runs in memory, or Aggressor scripts to add extra functionality. I have a few links to some useful ones I use there. But once I have this stuff I'm able to go around and fingerprint where I am, what they do. So I look at the processes running, what AVs, EDRs, GPOs they implement, whether there are any gaps, any kind of exclusion zones that I can look into.

And so I find a few things. They're running something like Cisco AMP, which will hook into every process and scan it as it runs. It's very memory intensive but it will pick up most things. But if you run things with blockdlls, for example, that will just bypass it; it won't be able to hook into that, which I think is a pretty interesting gap. And so using that kind of thing, we will use inline-execute, which is an Aggressor script for Cobalt Strike that allows you to run, instead of a normal execution where it will spawn a process and then inject into that, it will just run the process in its own memory, and that bypasses some AVs and EDRs. So we can do some stuff.

So we get group policies, Active Directory enumeration, domain certificate enumeration using the Certify tool by SpecterOps, which is relatively recent, and then just digging through shares. You'll be surprised what we find lying around, especially in big environments. So we have that; we've done some good old-fashioned recon, but we have nothing interesting. Our user is brand new; they were made for this engagement; they have no cool rights, they have nothing interesting and no access. But by default they have this share lying around, which is just on a SQL server, and it has a backup of the SQL server that runs every few months, apparently. So there are a few of them; one of them is small enough to just exfiltrate and then restore offline using a bit of MSSQL on a VM, and then from that you can pull the sa hash and crack that, and using just the general word list or the name of the instance and stuff you can crack them fairly reliably.

And from that point onwards it's just xp_cmdshell, so using a tool called PowerUpSQL you can run remote SQL queries against it, and since you have the sa account you're able to run OS commands that way. And so using that we're able to laterally move from our initial access machine onto the server, and that's with SYSTEM rights, because the server is misconfigured so that it has more permissions than it needs. So now we're running as SYSTEM, which is great, and using some certificate stuff we find that domain computers can go from just domain computers into domain controllers using certificate templates. You can use that tool to essentially privesc further to domain admin. Awesome, but it's not enough: our main objective wasn't privesc, it was compromising the SaaS solution, so we need to look elsewhere.

So to chase this objective, to summarize what we did: we had the user; using DCSync we got the creds for the developer user Alice, and we hung around to see when any of the devs came online and had a session. So we ran the tool called BloodHound to look for sessions; the user Bob came online, and so using Alice's creds we logged into her email account and sent him an email saying "Hey Bob, I'm having problems accessing this SaaS solution, could you please log on for me and see if you're having the same issues?" Bob, obviously unaware that we have a beacon running on his machine, happily obliges, logs onto the thing and emails Alice saying "Yep, I can log in, no worries, here's a screenshot." And so we dump Google Chrome sessions, those cookies and stuff, from his browser, and use those to essentially hijack his session and access the application, giving us access to all the juicy internal confidential data and achieving our objectives. So easy, and with that we had finished the main flag for the engagement.

So obviously the client is happy; we've proved where they're vulnerable and shown the issues they have. They come back with some detections: the session dumping was a bit loud, they thought. There was a miscommunication; someone in the SOC thought it was a pen test, so he didn't escalate until later, when he realized it wasn't, at which point it was a bit too little too late. And so obviously that kind of thing was not great for me; I thought I could have done it better, could be more OPSEC. I don't know if anyone knows how to dump sessions without doing that, but I'd be interested. The blue team saw some other activity, but I won't go into detail because of time. But we also used things like rundll32, which is a Windows executable, to run payloads, which is not ideal; it's a known way to run bad files. And so these days I'd use things like msiexec or mshta or something more niche, but I'm open to suggestions. And in general I'm aware that if I had no access to that initial share, that first step, this would have been a very different process, so like how would I have done the other things? They're happy with this, but obviously where there's one issue there's always dozens more you don't see, and that's a limitation of red teams, but that is what it is. So, are there any questions? Yes.
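The talk's Teams hijack relies on a per-user app loading DLLs from its own user-writable directory before System32. As an added example (not code from the talk or the speaker), here is detection logic for that pattern over Sysmon Event ID 7 (ImageLoad) records; the event fields are modelled on Sysmon's Image, ImageLoaded and SignatureStatus, and the sample events are constructed.

```python
"""Detection logic for the per-user DLL search-order hijack described above.

Sysmon Event ID 7 (ImageLoad) records which DLL a process loaded, from
where, and whether it carried a valid signature. Apps installed under a
user's profile load DLLs from their own user-writable directory first, so a
hijack appears as a DLL loaded from that directory without a valid signature.
The events below are constructed samples, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ImageLoad:
    image: str             # loading process (Sysmon "Image")
    image_loaded: str      # DLL path (Sysmon "ImageLoaded")
    signature_status: str  # Sysmon "SignatureStatus": Valid, Unavailable, ...


# Directory prefixes a standard user can write to without admin rights.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.match(path) is not None


def find_hijack_candidates(events):
    """Return (process, dll) pairs where a process loaded an unsigned or
    invalidly signed DLL from a user-writable directory."""
    findings = []
    for ev in events:
        if not is_user_writable(ev.image_loaded):
            continue  # loads from Program Files / System32 are not this pattern
        if ev.signature_status.lower() == "valid":
            continue  # the app's own signed DLLs live there legitimately
        findings.append((ev.image, ev.image_loaded))
    return findings


TEAMS = r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe"
SAMPLE_EVENTS = [  # constructed sample records
    ImageLoad(TEAMS, r"C:\Windows\System32\kernel32.dll", "Valid"),
    ImageLoad(TEAMS, r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\ffmpeg.dll", "Valid"),
    ImageLoad(TEAMS, r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\version.dll", "Unavailable"),
    ImageLoad(r"C:\Program Files\Example\app.exe", r"C:\Program Files\Example\helper.dll", "Unavailable"),
]

if __name__ == "__main__":
    for proc, dll in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"ALERT: {proc} loaded unsigned DLL from user-writable path: {dll}")
```

Blocking such loads outright is a job for application control (e.g. a per-user install directory excluded from an allow-list), but this check is enough to surface the case the talk describes.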
What do you mean by deception technology? So I wouldn't really spray credentials as much on an endpoint, especially in a red team initially, because it could be fairly noisy; I would imagine all those login events would raise a flag. In terms of bypassing that, if I had to, I would maybe run like one per day kind of thing: I'd do some creds, I pick a bit and I spray that and stop, and do nothing else for the rest of the day. Just by spacing out your activity you blend in a lot more with normal stuff, I think, and that would be the best way to evade that kind of stuff. I have like a minute left; is there anything else? Oh yes, yeah.

So the question here is, how do I feel about automated red teaming as a manual red teamer. I don't know, it'd be cool to get automated out of a job, but other than that I think an issue with automating it is that it looks for the known. So a lot of things like an AD audit is not a red team. I think a lot of these tools will focus on these low-hanging fruits and not really think about the wider picture, things like maybe not stuffing shares but combining different issues together to chain things; I find it difficult to think so. And then especially obviously with social engineering, internal phishing, I think these kinds of tools will struggle with that internal aspect. Like, we picked Bob in this scenario because Bob and Alice talked a lot and they had a certain way of talking, so by copying that Bob was none the wiser, but an automated tool would struggle with that kind of connection. Anything else? All right, cool, I guess that's me done.
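The first answer above describes spacing a credential spray out to one small burst per day so that per-day thresholds never fire. As an added example (not from the talk or the speaker), this detection scores each source over a multi-day window by the number of distinct accounts that failed, which is what a legitimate user does not accumulate; the log format and lines are constructed samples, not any real SIEM's.

```python
"""Detection for the 'one small spray per day' pattern from the Q&A.
A per-day failed-logon threshold misses a spread-out spray, so each source is
scored over a multi-day window by distinct failed accounts. Sample log lines
are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T09:02:11Z LOGON_FAILED user=alice src=10.20.30.40
2024-05-01T09:02:12Z LOGON_FAILED user=bob src=10.20.30.40
2024-05-01T09:02:13Z LOGON_FAILED user=carol src=10.20.30.40
2024-05-02T09:05:01Z LOGON_FAILED user=dave src=10.20.30.40
2024-05-02T09:05:02Z LOGON_FAILED user=erin src=10.20.30.40
2024-05-02T09:05:03Z LOGON_FAILED user=frank src=10.20.30.40
2024-05-03T09:01:44Z LOGON_FAILED user=grace src=10.20.30.40
2024-05-03T09:01:45Z LOGON_FAILED user=heidi src=10.20.30.40
2024-05-03T09:01:46Z LOGON_FAILED user=ivan src=10.20.30.40
2024-05-01T08:00:00Z LOGON_FAILED user=judy src=10.20.30.41
2024-05-01T08:01:00Z LOGON_OK user=judy src=10.20.30.41
"""

def parse(log_text):
    """Return (timestamp, outcome, user, src) tuples from the sample format."""
    events = []
    for line in log_text.splitlines():
        ts, outcome, user_kv, src_kv = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events

def spray_sources(events, window_days=7, min_distinct_users=5):
    """Return {src: distinct_failed_users} for sources whose failed logons
    span at least min_distinct_users accounts within any window_days span."""
    failures = defaultdict(list)  # src -> [(time, user), ...]
    for ts, outcome, user, src in events:
        if outcome == "LOGON_FAILED":
            failures[src].append((ts, user))
    hits, window = {}, timedelta(days=window_days)
    for src, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide the window start
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_distinct_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits

def max_failures_per_day(events, src):
    """What a naive per-day failed-logon threshold would see for one source."""
    per_day = defaultdict(int)
    for ts, outcome, _, s in events:
        if s == src and outcome == "LOGON_FAILED":
            per_day[ts.date()] += 1
    return max(per_day.values(), default=0)
```

On the sample, the spraying source never exceeds three failures on any single day, yet it is flagged for nine distinct accounts across the window.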