
Bridging the Gap: Lessons in Adversarial Tradecraft

BSides DC · 2015 · 50:25 · Published 2015-11
Speakers: Will Schroeder (@harmj0y), Matt Nelson
Tags
Category: Technical
Team: Red
Style: Talk
About this talk
As companies scramble for a way to keep from being the next Sony, they've started to search for ways to simulate the sophisticated attackers they now face. Organizations that have adopted an "assume breach" mentality understand that it's not a matter of if they're compromised by these advanced adversaries, but when. Red team engagements allow an organization to better exercise their technical, process, and personnel defenses, but much of this advanced tradecraft has historically been restricted to teams with large budgets and long timeframes. Our approach is to push some of this advanced tradecraft down, so testers can use these powerful tactics in assessments of all types. This presentation will cover our view of the "assume breach" mentality and the approach for our red team operations. We will then trace through several areas where we've made efforts to bring advanced tradecraft to even constrained engagements. We'll cover privilege escalation, user hunting, domain trust abuse, persistence, and data mining, along with the tools and techniques we've developed to help with these tasks. Adversarial tradecraft isn't just for red teams any more.

Will Schroeder (Researcher at Veris Group's Adaptive Threat Division) (@harmj0y) is a red teamer and research lead for Veris Group's Adaptive Threat Division, and is one of the co-founders and active developers of the Veil-Framework. He's also the founder and one of the main developers of Veil's PowerTools, a set of offensive PowerShell tools. Will has presented at a number of conferences on topics spanning AV evasion, post-exploitation, offensive PowerShell, and red team tradecraft. A former national lab security researcher, he is happy to finally be in the private sector.

Matt Nelson
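Of the areas the abstract lists, domain trust abuse is the one that starts with a mapping step every tester repeats, so here is an added example of that step. It is not code from the talk or from Veil's PowerTools; it uses only the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows, and the function name Get-TrustMap is this example's own. It assumes it is run from a domain-joined host as a domain user, and it breadth-first walks outbound and bidirectional trusts from the current domain, which are the ones a principal in the current domain can actually authenticate across.

```powershell
# Added example, not from the talk or from Veil's PowerTools.
# Walks the trusts reachable from the current domain and emits one
# record per trust edge. Assumes a domain-joined context; pass
# -StartDomain to begin the walk elsewhere.
function Get-TrustMap {
    param(
        [string]$StartDomain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
    )

    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($StartDomain.ToLower())

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        # HashSet.Add returns $false if we have already visited this domain,
        # which also protects the walk from trust cycles.
        if (-not $seen.Add($name)) { continue }

        try {
            $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $name)
            $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

            foreach ($t in $dom.GetAllTrustRelationships()) {
                [pscustomobject]@{
                    Source    = $t.SourceName
                    Target    = $t.TargetName
                    Type      = $t.TrustType        # ParentChild, External, Forest, ...
                    Direction = $t.TrustDirection   # Inbound, Outbound, Bidirectional
                }

                # In the .NET enum, Outbound means this domain (the source) can
                # reach resources in the target; Inbound means only the reverse.
                # Follow only the edges a principal from here could traverse.
                if ($t.TrustDirection -ne 'Inbound') {
                    $queue.Enqueue($t.TargetName.ToLower())
                }
            }
        }
        catch {
            # A trusted domain may be unreachable from this network position;
            # record it and keep walking rather than aborting the map.
            Write-Warning "Could not enumerate trusts for $name : $($_.Exception.Message)"
        }
    }
}

Get-TrustMap | Format-Table -AutoSize
```

The direction filter is the security-relevant part: an inbound-only trust shows up in the output as an edge, but it is not a path for your current principal, so the walk does not recurse into it. Each hop issues LDAP and RPC calls to that domain's controllers, so expect the enumeration to be visible in domain controller logs; to start from a domain you are not joined to, use the DirectoryContext constructor overload that takes a username and password.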