
I'm going to ask you to stand in the frame so you don't step out of the third chair to get the picture. I'll try. Hello, guys. Good morning. Just a few faces, well-known, some faces more shameless. There's one hidden back there, look, Pasquinelle, naughty. All right? Well, guys, first of all, thank you for being here to watch the talk. Welcome. I'll call you... Before I call you, right? We are going to talk about "Don't simulate a threat, be a threat", which is a necessity that I've noticed in the market for a while. People confuse things a little when we talk about offensive security. It's a big subject, there are many details, so you have pentests, you have red team operations, you have red teams, you have adversary simulation, you have a lot of names. But at the end of the day I feel that the market mixes a lot of things up and that we end up not running the exercise in the way that would take the best advantage of it, both for the customer and for the development of the operators themselves, the guys who are doing the exercises.

My name is Oliveira, I am the founder of Hakai. Today I'm in charge of the Red Team operations team, besides working on other fronts; we are a startup, so if you need someone to change the water or clean the floor, I clean it too. I was a retired researcher until last year; I went back to research now. So I've reported flaws at Cisco, Trend, P&P Dynamics, The Link, etc. I'm in Trend's Hall of Fame and I have a lot of CVEs there because I'm old. So I've been doing this for a long time. I've also been married four times, which makes me extremely fit to be a red team operator. So, without adapting well to situations, this ends up corroborating everything. We have a little agenda here. I'm not a guy who sticks to the slides, so I prefer to talk. So, whenever you have any questions, raise your hand, we'll take a break and answer. Let's just try to follow the pace, so the guy keeping the time can chat with me, okay? Here I brought a little bit of my team, we are the Red Team operators,
and here I start to talk a little bit about the differences between things. At Hakai today we have 44 collaborators, but only these guys do Red Team operations. Why? We separate what is pentesting from what are Red Team operations. Within a pentest, we are focused on doing the activities, the tests, much more in that context of breadth. So I want to look at the maximum number of things in the test time available, find the maximum of vulnerabilities. When I look at Red Team operations, we are focused on concordance. So my goal is to simulate the closest possible threat. And that's where the title of this talk came from. I was having a conversation on Twitter with Dom, who is the founder of MDSec, a company that I hold as a reference in Europe, and I commented on it. I said: "Man, I see that people are much more concerned about simulating than about being a threat. So I'm worried about how much we are preparing the client for the reality he lives in." So, for example, you take a client that has good maturity, and you say: "No, we're going to do a red team." And then you're doing a red team, and at a certain moment, by whatever method, you land in the network, you run BloodHound. Everyone knows BloodHound? Or most of you? Cool, nothing against BloodHound, I like it. You run BloodHound, and then the SOC catches it, fires an alert, the SOC triggers and such. Then the guy: "Wow, how cool! Our SOC is efficient, the test went well," and whatnot. I'm from Rio, so I curse a lot, so, poetic license. But I ask you, how many APTs have you seen using BloodHound? An APT doesn't use BloodHound. So, they're different activities. They all obviously have their value, their need, their moment, but they're different activities.
I'll talk a little bit about the mentality, why I think that way and why I think it's the best way to deal with Red Team operations. This context of Red Team operations emerged, deep down in history, in a Navy team, the Navy SEALs more specifically. Today there is an elite team called SEAL Team Six. Everyone must have heard about it at some point, in a movie or something. And I really like this military context. And what happened? At the time, there was an admiral who was kidnapped on American soil. And then what happened? The high-level people were like: "Man, are we really prepared to deal with more advanced terrorism, with people who come here and want to troll the barracks?" And then they chose a captain, a chief of one of the first units of SEAL Team Six, to assemble a unit that would put American security on American soil to the test. And this unit was called Red Cell. Look it up on the internet, read the story, there are several versions and everything. And then what happens? These guys coordinated so many operations, both at bases on American soil and at bases on foreign soil, that the guys kidnapped Air Force One, the guys entered military bases and planted supposed bombs, the guys painted. And then it became very clear that you only know if the door is closed if you try to open it. It's no use thinking that you're ready: your SOC is good, I have EDR, I have DLP, I have this, I have that. But how do you put that to the test? How do you really test that and bring discomfort to your team? Because we only grow in discomfort. I know guys who put in DLP and think, "No, there's no way to exfiltrate data." Then the guy exfiltrates it via DNS and DLP doesn't see anything. It's useless. Here we have a quote, I think it was from The Washington Post, talking about this team and why it got lost. And then I get into another difficulty.
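The DNS point above is where a DLP that only watches file transfers and web uploads goes blind, so the check has to run on the resolver logs instead. Added example, not from the talk or from Hakai: a small heuristic detector that flags a registered domain when a host sends many never-repeating, long, high-entropy subdomain labels to it. The log format ("<epoch> <client-ip> <query-name>"), the sample lines and the thresholds are constructed assumptions.

```python
"""Heuristic DNS-exfiltration detector run over DNS query logs.

Added example (not from the talk or from Hakai). The log format
"<epoch> <client-ip> <query-name>" and all thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample: two normal lookups from one workstation and one host
# pushing hex-encoded data out through subdomain labels of evil-tunnel.test.
SAMPLE_LOG = """\
1700000000 10.0.0.15 www.example.com
1700000001 10.0.0.15 login.microsoftonline.com
1700000002 10.0.0.22 4a6f686e2044.6f652c2053534e.evil-tunnel.test
1700000002 10.0.0.22 3a203132332d.34352d36373839.evil-tunnel.test
1700000003 10.0.0.22 2c2042616e6b.2041636374203.evil-tunnel.test
1700000003 10.0.0.22 938373635343.3332312c2050494e.evil-tunnel.test
1700000004 10.0.0.22 3a20343332312e.0d0a4a616e6520.evil-tunnel.test
1700000004 10.0.0.22 526f652c205353.4e3a203938372d.evil-tunnel.test
1700000005 10.0.0.15 cdn.example.com
1700000006 10.0.0.15 mail.example.com
1700000006 10.0.0.15 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit near the alphabet maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain).

    Naive 'last two labels' rule, an assumption that is enough for the
    sample; a production version would use the public suffix list.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the constructed log lines into (epoch, client, qname) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing
        events.append((int(parts[0]), parts[1], parts[2]))
    return events


def score_domains(events):
    """Aggregate, per registered domain, the features a tunnel leaves behind."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "chars": 0,
                               "entropy": 0.0, "clients": set()})
    for _ts, client, qname in events:
        sub, dom = split_name(qname)
        payload = sub.replace(".", "")
        d = acc[dom]
        d["queries"] += 1
        d["subs"].add(sub)
        d["chars"] += len(payload)
        d["entropy"] += shannon_entropy(payload)
        d["clients"].add(client)
    stats = {}
    for dom, d in acc.items():
        q = d["queries"]
        stats[dom] = {
            "queries": q,
            "unique_ratio": len(d["subs"]) / q,  # a tunnel never repeats labels
            "avg_sub_len": d["chars"] / q,       # payload packed into each query
            "avg_entropy": d["entropy"] / q,
            "payload_chars": d["chars"],         # rough volume estimate
            "clients": sorted(d["clients"]),
        }
    return stats


def find_suspicious(events, min_queries=5, min_avg_len=16,
                    min_entropy=2.5, min_unique_ratio=0.9):
    """Flag domains that look like a data channel rather than name lookups."""
    flagged = {}
    for dom, s in score_domains(events).items():
        if (s["queries"] >= min_queries
                and s["avg_sub_len"] >= min_avg_len
                and s["avg_entropy"] >= min_entropy
                and s["unique_ratio"] >= min_unique_ratio):
            flagged[dom] = s
    return flagged


if __name__ == "__main__":
    for dom, s in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"{dom}: {s['queries']} queries, ~{s['payload_chars']} label "
              f"chars from {s['clients']}, entropy {s['avg_entropy']:.2f}")
```

On the sample only evil-tunnel.test is flagged; the thresholds need tuning against a real resolver's baseline, since CDNs and some telemetry also use long random labels.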
This team had some operations where they went beyond the limit. Like kidnapping a guy, torturing a guy to get access where they shouldn't. And I think it went a little too far. And the rest you can imagine, right? American court, all that crap. "You can't even slap a guy, you're a jerk." Anyway. So this also corroborates things for us. Because think like this: if I'm doing a Red Team exercise, it's also difficult for me to handle this with my client. Because for an APT, the APT doesn't care if the CFO will be upset if I get him with spear phishing. He wants him to get hurt. But how do I explain this to my client? How do I put it in his head? "Man, you'll have to mess with this guy, but he has an ego the size of the planet." So there's all this dance to do.

And then we get into what a RedOps project is and how it usually works, how I usually structure it. A RedOps project is very tied to project time. So you can't do a Red Team operation in a week, two weeks. It's a much bigger context. I need to do the target's threat modeling, I need to understand what the critical points are for it, and I also need to understand the essence of the thing. There is no red team if there is no blue team. I know there's a long line of people saying "we're compromised or we're not". Dude, this doesn't work. The only function of RedOps is to improve the processes of monitoring, detecting and responding to threats. Because being compromised or not is a matter of time and focus. You will be. "My company is the shit, I spend a lot of money." You will be, man. If the guy wants, someone will fall for the phishing, someone will slip up, someone will plug in a pendrive, someone will do some shit. So, we need to have this first understanding. And if I need to bring this maturity to the Blue Team, how do I do it in two weeks,
where I have the scenarios the client may be using? One has the CrowdStrike EDR, another the Cylance EDR, another the Sentinel EDR. There is no universal bypass. Each operation has a different context. So I need to prepare for this operation, structure this whole operation process and agree with my client on the objective of this operation. There are clients today who will ask: "I want to test my resilience against an attacker who wants to get access to my internal network." That's a goal. "But I want to test this beyond just getting internal access. I want you to get internal access, I want you to remain accessible, I want you to move laterally, I want to have a general view of how ready my team is to deal with this threat, even to know where I have to improve." And again, the essence of the Red Team exercise is to improve the processes as a whole. And why do I say that? Because sometimes you access an Office 365 account, you can log in, and then you get to the event, and a week later the SOC resets the password and cuts access. Cool. But the operation continues. Which is another premise. When we talk to the client, we say: "If you get a detection, you can ask if it's us, because I won't let you say: "Gamem, Gamem, die, did we get invaded?" You can ask, I'll say yes or no, I won't say the address, I won't give any clue, I'll just say yes. And you follow with the incident response. But in a more friendly response, you don't have to stay up all night, that kind of shit. But why is this important? Let's say that out of 100% of the clients, 5% of them can make an effective response to an incident. What do I mean by that? Going back to the example, the guy logged in, he's on the VPN, and a week later they cut access. But the guy didn't see that we were moving laterally, the guy didn't see that I was keeping access, the guy didn't see what
happened in the bigger picture. And then, when we deliver the report, the presentation, and also talk to the blue team to understand what can be improved, the guy says: "We didn't see it, we stopped back there." And that's the problem. You stopped back there, but I'm in the network, I can do whatever I want. So, it's also part of this exercise to bring maturity. And then, as I say, it's a big exercise, it takes 160, 320 hours, it's a one-month project, or more, sometimes it takes more. And it has the difficulty of the market. I'm not very politically correct, I say what I think. So sometimes it's very difficult to get to the market and say: "I'm going to do a Red Team operation and the estimated time is four weeks." Then the guy looks at you and says: "No, but I have a competitor who does it in a week." It's not a Red Team operation. There's no way to do it. The guy can be the legend, Pasquinelle, the beast, but he won't do it. It's complicated. So, there's a bit of this difference, and you have to make the guy understand that he has to compare pears with pears, bananas with bananas. "What activity do you want? Do you want a pentest? Do you want an adversarial simulation?" And then there are other contexts, like purple team, TPS, that we won't go into today,
but specifically there are other ways to see it. Well, given this introduction, any questions or considerations? You can scream, folks. No? Then, let's go. I'm afraid, like when I ask my wife, "Hey, is everything okay?" She'll say, "Yeah." I know it's not, you know? Then I open it up, as they say. I saw a video on YouTube, the guy says, "Open today's box." What did I do today? I didn't do anything. Then I get lost. But anyway. Open Test Threat. I did a study, and I used some data from the people at Red Canary. How long has it been, brother? I can see you're nervous. And there is some data from Red Canary, which is a very cool institution, I took a look at it later; they did a nice study where they mapped several attacks, responses and everything else to understand the differences between an APT, a threat, and a pentest. And again, folks, don't get me wrong, pentesting is extremely important in the cycle, but in this context we are talking about something else. And then some things were observed by them, I'll talk about their data a little later, but here there's a little bit of what we shouldn't do in a Red Team operation, just to separate being a threat from being a pentest. We'll have a practical example, I'll show you the code and everything, there will be a POC video, you don't have to worry about taking a picture, then I'll share everything on GitHub, you can count on it, and if you have doubts, you can also call me on Insta, I take a while to answer, but I answer.

Ignoring threat modeling. Don't guess, model. This is a phrase from a guy who works with us in DevSec, which is: "You're going to attack a company that produces food products, that has a niche there, a soda, for example. What do you think is important for this company? What is the threat that really matters to it?" Even in a context like this, "Okay, I got into the network." What will everyone look for when
you get into the network? What is the main target? Someone said down there: "AD, I want AD, I want AD." Man, there's a lot more important than AD, man. A lot more important. Obviously, if you own AD, you have access to a lot of things. But in the context of a mature company, if you own AD, how many weapons are pointed at your face? How many chances of detection do you have? So, this is the reasoning, let's get the mentality. And threat modeling is very linked to this. So, for example, if I, in a Red Team operation, deliver to a soda company that I got access to Active Directory, great, and I could look for other things, great too, but what if I deliver to her that I had access to the patent application she will file next month? And if I deliver to her the formula she uses in the soda? And if I deliver to her the process she has to put the right amount of product on the market on time? It's much more important to the executive than to me. If I stop the logistics system, if I stop the PLC, the ladder logic of the system that does it, do you realize that the impact is much greater? It's much more important to him. Again, I'm not saying it's wrong, you don't have to get the AD. Well, I, as the old guard, love to get an AD. But I make smart choices. So, if I'm on the network, if I have a series, I'm evaluating a lot of things. Man, there's a lot of things monitoring AD. It doesn't make sense to pick a fight with it. It's not what I'm going to deliver as an objective. So, knowing what is important for your client is extremely important. Threat modeling brings that, because you will also understand other things in the recon part. So, for example, you will do a recon, but, "where does this guy have an office?" "This guy has a tiny office in Mexico, there are only four guys." Do you really think this office doesn't connect via VPN? Then you will fight with the main office, which has Netskope, Arnold Schwarzenegger, Sylvester Stallone, some fuckers. That's not what an APT does, brother, it's not. Sometimes you will have to leave, there's no way around it, you know? But if you have the opportunity not to leave, don't leave.

Not knowing protection technologies. "Man, this is old stuff, I'm 40, 20 years old, but I'll talk about it." People have a habit of using tools, which makes me want to give up on life. Brother, you have to understand what you're doing. How are you going to keep access to AWS if you don't know what the rules are, how the secrets work? Or in Azure, do you know how Azure's policies work? There was a guy who did something there, I was like, "Man, I got a drop in
policy." I said, "So what now?" "Man, I can't get in." I said, "Why not?" "Man!" I'll tell you a secret for those who don't know. Security policies aimed at Azure, for example, are mostly applied to devices. So the guy applies them to Mac, Windows, Linux. Normally, he doesn't apply them to iPhone, for example. And that's separated within Azure AD. So what do you do? You take your phishing target to the iPhone. "I scanned this QR code here, dear. Right here, my brother." Got it? Done. Bypassed. But how do you know that if you don't know how Azure works? "I'm going to bypass, I'll land there." There's something that pisses me off too. Sometimes the guy goes to LinkedIn and says "I bypassed CrowdStrike." Okay, I'll go there and look, the guy executed a shell, opened it. Man, really, CrowdStrike is shitting on your artifact. CrowdStrike, the jewel of its crown, is working on what comes next. So, I joke that CrowdStrike is malware on steroids, it's bombed. It hooks almost all Windows functions. So, getting your shell is easy. Now, go there, play at the size I want to see. Execute the action to see if it won't catch you. So, that's the big question. For you to be a Red Team operator, you need to know what you're doing. In fact, in my opinion, for everything. But to be a Red Team operator, specifically, which is what we're talking about here, you need to know what's going on. You need to know what's on the other side, how it works.

Being hasty, the famous early. Look, I'm suffering with this shit here. This is the thing. Let's assume, let's assume, the guy went there, fucking, made a phishing, used the famous Evilginx, I don't know, everyone likes it, took the session tokens, bam, okay. What do you do when you get that? Does anyone want to kick off? No, no one wants to kick off. So, come on, you took the session tokens or the password; usually, from what I see, from most people, people log in, right? You will log in, you will mine data, you will do data
mining and such. But you didn't even know where the hell you were compromising. And what's the problem? It's called impossible travel. Microsoft has a control, mainly, that if you go from São Paulo to Minas, it will alert. It will alert, the SOC will reset the credential and you will lose not only the phishing, but the whole structure you set up to do the thing. It's useless. So calm is precision, precision is speed. As Captain Nascimento from Tropa de Elite would say, "The ball can be breaking, the world is ending, the test is hard, the time is short, you will do things calmly." So you got a credential, like this example, you have to do OSINT, you have to know where the guy is from, what he does. Another real example I can cite is this: the guy got a cred, made a giant OP, logged in, then at the end he got another cred and logged in. Logged in, was detected. And then, why was he detected? The credential of the person he caught, she went on vacation one day later. "Damn, Oliveira, but how would he know?" One day later, she was there on Facebook. Beach, sun... The kid wanted to rest, even from her husband, poor thing. He was like: where to look at what's happening? Where is this person working? Is this person on maternity leave? Did the guy break his foot? You have to know the behavior you're doing. It's an operation, not a pentest. Being detected counts.

Being lazy. And then it gets into a difficult context, because when you get a mature client who has a shell to do a Red Team operation, it's not an easy activity to do. Is it beer? Is it water? Oh, no, I don't drink water. No, I'm kidding. Thank you. How is it? Oh, it's already possible. So, I forgot what I was saying. My ADHD took me. Greed? Good, good. And I took the medicine this morning. Greed, I was already in a bit of a hurry. Wait, my wife is calling me, she talked to me. So, what is the trouble of being lazy? A red team operation against a resilient client, as a whole, takes time and you get very frustrated in the process. So, like, you're
going to hit the post several times, several times. There was an operation where we stayed two and a half months at a gringo client, scratching like crazy, and when we thought it was going, my brother, post. So, if you're lazy, you're not resilient, you're not attentive to details, with the operation and the wear, it will compromise what you are doing.

Russian roulette, which is very much linked to the early thing there, because the guy is like this: "Will it catch you?" I don't think it will. Then the damn guy logs in. Damn! Let me see. There are some guys here who give me some trouble. I'm on. Like, in the middle of the holiday, the guy will want to log in during RedOps. I said: "Road? Are you off?" Damn! Are you going to do the holiday behavior? It's not like that.

Jumping steps. And what is jumping steps? I also see that this is very common, both for people who do operations and for people who do pentests. People start the test, then they're looking, suddenly, I think there's a SQL injection here, and that's it, people abandon the recon and go away. Then they'll exploit the SQL injection. The ADHD took over. Then the guy doesn't finish the recon, doesn't finish the threat model, doesn't finish the operation's context view, and then what happens? Time goes by, and he goes on with the operation. And then he spends a long time with the chain, and what happens? It goes wrong. But then he doesn't have enough data, intelligence to reformulate and go back. Fucked. Why? Because he skipped steps. So, respect the steps.

Never give up. And then comes another controversial point that I put there, which is to stop being detected. Look, from the beginning you are talking about all the precautions to not be detected. But we have to understand that we, as I say, have to add value to the client. So, let's go. Today, inside Hakai we have labs with some ideas, we have our own artifacts, our own malware, our own style, our own techniques, it's very necessary. But if I leave
an operation without any moment where I was detected, where did I measure the guy's stock? So I can say how he is. What do I mean by that? Sometimes you come there with a cannon shot to kill a mosquito. Go there with a custom artifact, research on bypass, fuck, I made the head, compromised, I'm leaving. Then comes that young guy from Anonymous, sends an msfvenom payload to the guy and the guy falls. So, there are some moments of the operation that I like, like, "so far we've already achieved the objectives, reached everything, document it, and from now on we start to make a little more noise." What do I mean by a little more noise? We start to do more malicious actions, noisier ones. So, for example, I will never do a DCSync in an operation, okay? No way. Too noisy, completely unnecessary. But if it comes to a moment when the Blue Team didn't wake up, they were sleeping, watching TV, then I do it to see if the guys go, "Got it." Because if I get there and do a DCSync and the guy didn't wake up for life, if I start exfiltrating data, I don't know how much else the guy didn't see, I need to deliver to him: "Man, your situation is tense and dramatic. We need to do something to improve this." So I like this prism to bring
this vision to the client. And the famous "Being like a pentest", where we enter a little bit into the study by the people at Red Canary. Here we have a little comparison that they made, that they observed in the world of APTs, what the APTs usually use versus what the pentest guys usually use. Nobody runs Mimikatz on the target's machine, right? Bring the stuff onto your machine, and on your machine you run Mimikatz, but still use Mimikatz. So you can see that, for example, most of the tools that we see a lot of people drop in the pentest world, they won't run there. And there are other more interesting details, for example, this is a study of the Chinese APT, which according to the US Department of State report, was responsible for the great breach of American infrastructure. And here, I don't know if you can see it, because it's a bit shaky, but you have here the tools they used. You have certutil, you have Meta... I can't even read what's here. Let me see on my computer, which is better. Good. You have certutil, dnscmd, makecab, net user, WMI, xcopy, tasklist, systeminfo, everything they used during this APT. Do you have any pentest tools here? It's all sysadmin stuff, the old people's stuff. Now the old people are happy. Where are the old people? It's all sysadmin tools, man. You won't see the guy sending everything wrong, because the more things you send
to the machine, the more chances of being detected you have. So it doesn't make sense either. So, the reality of the threat diverges a lot from what the market has acquired and practiced. It's not that, the threat is not that. That's why sometimes when the guy takes on an APT, it dances easily. Why? Because it's not used to detecting that kind of thing. Good. Here, too, there's a bit of a timeline. What's the idea here? This is something else. You enter the network, and then, along with that early thing I mentioned, the guy who's inside the network, what happens? Sometimes he already has a script.py made with ChatGPT, that he hits enter on and it runs everything on the network. Then you have a timeline like this. Command execution in this timeline. If you look here, in a one-minute space, it ran everything in a little bit. What's the problem with this? You create a behavior for the entropy of some tool to detect you. Threat hunting will catch you with force. When you bring it to an APT, which again is a shit of the equipment, sorry, you already have a big difference in the time of action of the guys. The guys even worry about that. So, at a certain moment, he's doing persistence, then an hour, half an hour goes by, he does the discovery part, then, in a while, the next day, he does something else, and he's making the life of the guy on the other side harder. And that also counts. Because at the end of the day, I need to prepare the guy to deal with the real scenario. Any doubts so far? How long do I have left? I think I ran too much. 15? Ah, it's time. Great!

Well, we saw the difference between an operation and a pentest, we saw the operational behavior of the people who are running it, I also brought an example of an operation, of a real APT, what it uses and explains, and now I'm going to get into something more practical. I brought you some techniques, I don't want you to stick to the technique itself,
but the mindset, the way you think about each thing, okay? What happens? When we talk about APTs, as we saw, they use a lot of resources that are already available by nature, by the technology's functionalities. Not because I'm going to code the amazing tool to use. There are specific cases, there are many APTs that have their own structures, they need to have them, but if we talk about initial access mainly, you will see the guy run as far as possible from that. Because think like this: if you create a binary and you need to infect someone with it, you'll have a difficulty, you need a signed binary. So you'll have to find a way to sign this binary, there are many ways to do it, but it's already a challenge. And what if I tell you that we can do a phishing campaign, compromise a guy with a binary signed by Microsoft, legitimate from Microsoft, and using all of Microsoft's infrastructure, but no one had picked up on it to this day, not even abroad? It's something we've been using at Hakai for a year and a half, that we bring to our clients and everything, and that in last year's 10th, the people from Unit 42, I think, which is Palo Alto's research group, if I'm not mistaken, discovered a Chinese APT using it, and then ended up explaining the technique, and I started to include it in the lecture so you can see a little of the practice of the thing. And then, the title is very suggestive: Microsoft loves you. Why? Because I'm going to use it all to make the chain as a whole. What happens? There is something called VS Code Tunnel. Does everyone know it? No? There are some who know it, and others who don't. VS Code Tunnel was created, just as they created everything, to be cool, to be cool, to help the developer, to make a tunnel, so the guy could enter a VS Code via a web browser, and there he works remotely. But why use it just for that? So, as you can see there, you run VS Code, which by the way has a code.exe, which is a CLI, very cute, and it goes there to the VS Code infrastructure, going through the Microsoft
tunnels and opens the connection. At the time, this was research done by me and Thiago, who works at a company abroad. And we thought: "We can use this better, huh?" "We can. Let's use it." Here you can see how it works, its main, its help, there are some options and so on. A little bit of what is even better, why it is good. So we can say that it is safe for us by default, because, man, how are you going to block the Microsoft domains? You take that client who uses Azure, man, the guy no longer wants to block what has to be blocked; what will happen is that he doesn't have to block. The URLs are the same, they are suitable, there is support for several ports, you can do it leaving by any port you want. And, damn, the service has global availability, man. You don't have to worry about your C2, everything is hosted by Microsoft. And tunnel inspection, depending on what is being used, gets harder to do. And here we have a rough PowerShell code, that will download the VS Code CLI, unpack code.exe, run the logout to ensure that there is no open session, start the code.exe process with the tunnel arguments and the name of the tunnel, and throw it to a txt. And why? Because when you log in, it will give you a token, a code of 8 digits, if I'm not mistaken. And I need to get this token somehow. So I create a TXT on the guy's machine and then I send this TXT to a remote machine. In this ugly example, there's the IWR post there, and then I get this. For the proof of concept example, I used Interact.sh. Obviously, in an OP we won't use this. Today we use a domain that is already hot, or we use a Microsoft blob, something like that. But this is a very simple example. And then you can ask me, "Oliveira, great, good example, but sending a PowerShell to the guy is a mess." I say, "I agree." Again, for the high-ranking leaders, macros didn't die. Why didn't they die? For those who don't know, you can't
run macros above 2003, I think, '97 or 2003, something like that. So, Microsoft... Who? That's it, Gatinho. So, Microsoft has disturbed our lives a little bit. But if you look at every place that access compromise comes from, we started to see another type of problem. In the past, you had a file server, right? The guy put the files there, everyone separated by permission: Oliveira, who is from IT, accesses IT, Pasquinello, who is from development, accesses development, this, that, okay. But then what happened? The wonder of Azure came. And today, on OneDrive, nobody cares about permissions. The guy goes there, uploads the files, from finance, he doesn't remember that he has to restrict the folder. And then the secretary's uncle, who serves the coffee, who has a login on the network, he can see the drive, search and find. And why am I saying this? Because think of a scenario where you've already compromised an account, you're on OneDrive. If the AD is in Azure AD, synced and everything, it maps the folders and files that are on OneDrive to the guy's desktop. It's normal to see that. And I'm tired of getting templates that already have macros. Normal ones. Macros that the guy uses to do logistics, macros that the guy uses to do everything. The crazy one here looked at the girl here and said: "I think she does this." There was a charge here, bro. There was an intimation, you see? So, like, you... You'll find several templates with macros. And what's cool about it? You don't even have to mess with anyone or put in a macro that draws attention. You just edit this macro and add the malicious movement you want. I'm going to open a video here, of a POC, because I don't like to do live POCs because the negativity is too big. You have a kind of heavy atmosphere, you know? Then things tend to go wrong. So let's go to the video. This video here, if you look at the date, is from 2024, which was right when the technique came out and I talked about it at one of the BSides. And here, what are you going to see? Let's go. You
have the Windows machine, we go to the beautiful Excel, let's create the macro, the default behavior. I will not explain the whole code, because as I said, I will post this here on the blog of Hakai and I will put everything, little by little. But, to not waste time, I'll just say two things. What did I use differently in this macro of the conventional malicious mode? Not much. I used the odb_stream, as I marked there, and I also used the msxml, which is a Windows API call to execute some things. Why did I do that? You'll understand in the next POC video. But, in broad lines, it's to be stealthy. I don't use PowerShell, I
used everything via CMD, so I'm testing in the lab what is caught and what is not caught, and that's another thing, again, you can't play Russian roulette. In the middle of the operation, I'll send an artifact to the guy, I don't know if he gets it or not. Then he got it, fuck it. You can talk, champion. No. I'll show you later. I brought a live one here, bro. I'm crazy to take a process. Hey, Vizor. Are you recording? Oh, shit. Anyway. So, I inserted the macro there, as I told you. I'll save the spreadsheet normally. Close the spreadsheet, open it, you'll see that there's no temp folder there, and then we'll enable the macro. So you think about the normal day of Ms. Soraya, who arrived there,
opened the financial planner, blah blah blah, enabled her macro, it already downloaded, generated the output, in this case, we are authenticating via GitHub, so I don't know if it's been a while since I saw it, there. It generates this GitHub output with the token there in front, and then it sends it to interactsh. Obviously, in an operation I wouldn't use interactsh; a blob from Azure, or S3, whatever, as long as it's stealthy. We take the code, authorize it in VS Code, and you'll have an open tunnel that will establish... There it already maps the GitHub, which I'm already authenticated to, and then it will open the beautiful shell, the naked shell, which I affectionately call "naked shell", inside the machine. Here you have a shell inside the machine,
the guy is infected, from here on, it depends on your imagination. You can work, bring up a proxy there that is not caught, and work via proxy, you can get a C2 agent that you have already worked on better, the idea is here. And obviously, what is the first step after you get a shell? Persistence. My brother, you got a shell, first you have to persist access. This is another important detail. The guy did an op, "I don't have access" and the guy starts, "LSD, Nmap..." How much? 3 minutes? What the fuck? Damn, you see, right? It's his fault, I'll have to stop. Fight with him. And then comes a little bit of the question that Manu asked there. In this case, I used
CrowdStrike. For those who don't know, CrowdStrike is one of the most sold EDRs in Brazil. It's in almost 80% of the places. It's a very good EDR. I think it works very well. It's very annoying to deal with, to do the bypasses and everything. And here we're going to do the same POC. So to save time, I'll show you. CrowdStrike is installed, its sensor. I'll skip the Excel part because the guy is getting nervous. All right. You've seen everything here.
"Oh, fuck. He's mad. He's blind. It's shit. I'm gonna need to give a chop to the next speaker." "What time is it, Mr. Moço?" "Oh, so, we're not having lunch. We're gonna stay here, straight away. Let's hack something." "Man, you think there's another speaker?" "I'm kidding. I know Anquise gets mad. Let me." So, here we've seen a little bit of the following. Let me go back because it got tense here. So, it opened the shell, here is the CrowdStrike panel, you'll see Falcon's address there, and here's where the process comes. I'm showing the name of the PC, which is the same PC that is there with us, installed, and then I'm showing that there's no detection. Nothing,
it won't get anything, it doesn't alert anything, info, nothing, nothing, nothing. Why doesn't it alert anything? Because there's nothing for it to alert on. It's a signed binary from Microsoft, legitimate, doing a legitimate function and working in a 100% legitimate way. So, you can have EDR, HIDS, NIDS, whatever, it won't work. There are ways to protect yourself from this, mainly by doing tuning in detection tools, but it's a very interesting trick with a very low probability of detection. Here is the same trick, but we put it on a physical device. This was done by Duny Boy, he works with us, he's more into this hardware hacking part. So we have both a little pendrive, I forgot the name now, and this, cat, how much he used
this guy there, at the time we used this guy there because my dog ate the Digispark. It was kind of on top of the time, so we used this guy. And the trick for this physical red team was the following: there was a receptionist, and we had already done the recon on the location, and she left several charging cables to help people, right, bro? Like, "Hey, charge it, give it a charge, you know?" Then we said, "Hey, I need to charge it here." We plugged it in, distracted her, had a good chat with her, and when she blinked, it had already executed the same chain, the VS Code, exactly the same thing, activated differently, not by macro,
obviously, and it ran everything and then opened the shell and so on. Another little help here. How many here know about COM objects? It will be difficult for me to give an introduction because of the time. But in a simpler way, Visual Studio has a COM object, which is an interface for development of... for DTE, for the development environment in general, and I can execute commands, it has an execute command method. So with that, I can also do the following: call the execution of some things remotely. I can automate the process, make it a kind of brute force of the CLSID, which is default, depending on the Visual Studio version, and then I can not only query, send files, but I can also run
commands. So here, in this case, I sanitized it because this screenshot was from a live client. So I managed to run commands on a dev machine. Usually the dev machine has a lot of access. So, the restrictions on developers are smaller, because they need to work faster, and because developers are complicated creatures. Here's a little bit of Microsoft documentation, and then I'll go back to that context. All this I'm talking about here, this part of the decon that I'm running a lot, is in Microsoft documentation, it's not a mystery. And then there's another alert for the people. Understanding how things work properly is crucial, once again, for you to evolve in your career. Why? How many of you know SpecterOps? It's a
very good American company, especially when it comes to Active Directory. They were the authors of the ADCS flaw. Do you really think the guy was looking for ADCS, or was he understanding the operation and seeing suspicions that it could subvert something? Because for that I need to understand the operation. I talked to a person who thought that ADCS was the name of the attack. And it's not, man. It's the same thing when I say: "You fell into the network and will do the enumeration of the AD." Because everyone knows that if you are a user with any kind of permission, you can do AD queries, find out who the users are and everything else, right? And all of this is done via
LDAP, normally, right? And if I tell you that there is LDAP monitoring on the network, how are you going to collect this information? You won't, the test is over. That's fucked up, you know? So there's another thing called DWS, which is Web Service, which encapsulates LDAP queries in another protocol, and it only de-encapsulates within the AD. So if there's any network monitoring, it's not caught. So a trick just for you to research later. But all of this, again, is the operation of the thing. It's not a hack, it's the operation, the way you're going to use it, that will denote the hack of the thing. Also a little more syntax, some conditions, to execute the remote code execution on the developer machine, it needs to have some enabled
conditions. Which, by experience, I usually find, because it installs a lot of things, it needs to use a lot of Visual Studio stuff, so it ends up having them, but it's good for you to be aware of that. Here's a screenshot of the Chinese APT that uses this VS Code trick, from the study by the guys at Unit 42. A little bit of how to prepare, right? And then it comes to consolidate everything I'm talking about. Study the basics, know what you're doing, don't stick to the execution of tools, know how things work, know that old question, "The ICMP protocol works on which OSI model layer?" Fuck. You're old, don't tell. Fuck. Nobody knows. Then you say, "Oliveira, why is this important?"
Because if you need to use the ICMP protocol, which you can use to do a lot of things besides ping, in a DLP context, you don't do the minimum. How will you think about it if you don't know the basics? It won't work. I'm a keen reader of threat reports, so I like to see what the guys are doing, how they're doing it, and there are many houses that bring that to you. CrowdStrike, Mandiant, Falcon, there are some people who make some very cool threat reports. So, like, take some time to read them, see what the APTs are doing, how they're doing it. "Oh, man, the report says more or less how they're doing it, but I don't understand." Fuck, man, go inside, go study. If
he did it, you can do it too, man. Got it? Exercise the concatenation of failures, which is the chaining of things, don't stop with that shit like that, there's a joke about the guy from pentest that finds an XSS and puts there, alert(1). I even said that there in the hack, if you get a fucking alert(1), I'll punch someone. You know? You can do a lot of things with XSS, man. Extend your imagination there. And... Is there a junior operator? There is no junior operator. Fuck, Oliveira, how cruel. I can have a guy that I'm preparing for operations, but there's no way for him to be a junior operator. Because I'm going
to put him in an operation where he's going to be with a multi-cloud environment, with EDR, with Windows, with Mac, with I don't know how many programming languages. How am I going to ask a junior to do that? He can learn, no stress, he can be following a senior operator, a real operator, already trained, prepared and such, to learn. But to take a guy who is a junior and say: "No, I'm a junior operator", for me it doesn't add up much. Today, within Hakai, we have a team of pentesters, and there are people who are more prone to this side of operations, we are identifying and migrating these people into the team, little by little. Report.
How much time have I spent? Let's give it 10. 10 is good. The narrative of the facts. Here's another problem. The offensive team has the habit of expressing themselves like this: "Fuck, bro, you have to learn how to write a report, man. You have to learn how to convey what you think." Again, you'll get to the executive and say to him: "Look, I did an unhook of CrowdStrike, bypassed it and dumped LSASS." The executive will look at you and say, "I'll put the LSASS on my hair, on my clothes, how does it work?" He doesn't know what it is. So you need to show him what it represents as a risk to him, to his business, what impact it has. So you need to learn to properly
narrate the facts. Second-plan items: during an operation it's very normal to run into vulnerabilities that didn't take us to the goal. So sometimes I find an XSS, I find an SQLi, that doesn't take me anywhere or to the interest, this has to be in the report too, so usually we describe the whole chain below, we put the second-plan items and the presentation between blue and red, right? Again, it makes no sense to have a red team if there is no blue team, so I need to sit with the guys, understand what happened, even for the guy, "but I had an alert for that, why didn't I get it?" Because there is no log, because the
alert is written like, well, my forehead, what was missing to get it done? And then another important point of the report comes in, we use a timeline in the report, so I tell the story of what I'm doing. So if I logged in at this time, it will be there. If I escalated privileges at this time, it will be there. Why? To be able to do the retrohunt of the thing and be able to see where it missed or where it didn't get it. Executive presentation, which is a little bit of what I said, of the situation of being able to properly narrate the facts to an audience that is not technical, and thank God it's over.
I'm tired. I'm going to help the guy there. You're free for lunch, but if anyone wants to ask a question, they can. I've already helped you, right? Anyone want to ask a question? Come here, guys. Who wants to ask a question? Come here, because then we can have a chat and we can free the guys.