
Taste the Rainbow

BSides NYC · 2018 · 44:06 · Published 2023-04

Transcript [en]

I work for MWR InfoSecurity; we also go by the branding of MWR Labs. I'm actually a UK director, but we do have a New York office out here, and as you can tell I sound very British. I don't want to get too close to it, okay, it's like a stand-up show, okay. So I am a director of the UK Professional Services Consulting division. I have a long history of delivering technical penetration testing, offensive-type security, and I specialize in an area that you guys are probably more familiar with, or would call, red teaming, except we call it something different and it's slightly different, and that's kind of some of what I'm going to cover in this talk.

But basically what I largely do are what we coin as simulated attacks, and that's where we put an organization through a live fire drill: they think a real attack is occurring, and then we benchmark how they react to it and we use it as a learning exercise. You guys probably think of this as a red team, but there are some nuances that we'll kind of cover, and that's what I want to try and do: explain what rainbow teaming is. Now it's not a new term, it's not something that's going to be adopted, it's not something that I'm promoting, but it kind of captures what I'm talking about, and as we go through the talk we'll kind of get that covered off.

I'm going to talk to you about some of our tradecraft, that's MWR's experiences: how we've approached red team type testing, the types of tools we use, the TTPs we employ, how they've matured over time, what's prompted us to evolve in that way, i.e. what defensive challenges we've had to overcome. So hopefully there are going to be some takeaways for anyone in the room. And by a show of hands, how many sort of guys, girls, self-identify as red team in here? Blue? Black? Gold? Purple? So you're a full rainbow team, all right, cool, okay. And also I'll wrap up the talk with some ideas around defensive tactics and techniques that can be used to respond to some of the tradecraft that we're employing.

Rainbow teaming, okay, so what is it? Why is there no pink team? Okay, everyone's seen the movie, nobody wants to be in the pink team, but I'm sure as we evolve even further maybe there'll be a pink team, maybe there'll be a mauve, I don't know, but we seem to be putting them into buckets of color, okay.

So black team: this is brand new, no one's actually using this term properly. It's essentially because you guys have red teaming, and in the UK we see red teaming as being largely physical, so like burglary, scaling fences and stuff, and we don't really do that in the UK. It's not really the forte of many threat actors, for reasons I'll explain a little bit later on, but essentially in the UK the Bank of England have come up with a regulatory scheme for this type of assessment and they've put physical into a bucket called black teaming.

I'm sure you're all familiar with red teaming, which is kind of the digital offense side of things, which is, you know, your phishing attacks and the like: we break in with an implant or a piece of malware and then move to an objective.

Blue often refers to the detection and response team. There may be separate teams, but they're quite often bucketed into the same thing, so those are the guys running your SOC, looking for your alerts, maybe, you know, doing a little bit more proactive activity. It could be your incident responders, the guys that are, you know, boots on the ground when the proverbial hits the fan.

And you've got purple. Now I've heard people, mainly in the States, talk about purple teams as in you have a red team, a blue team and a purple team. Now for me purple team is more conceptual: it's a relationship, it's a collaboration, rather than a physical external entity to a red and blue team. Purple team should be used as descriptive language to articulate red and blue coming together for a common goal.

Gold team. Now this throws most people; people are like, what the hell's a gold team? Okay, whether you're in the red team or blue team and working within a business, most organizations will have a group of people that come together in a sort of crisis. It doesn't have to be a digital breach, it could be anything that that business is going through where it needs those sort of generals of the battlefield, the guys that come together and are the ones that make the tough decisions. They might end up sat in front of the press, they might be having to, you know, deal with the digital breach, or it could be something else, it could be a toxic spill, whatever. So a gold team is that group, and putting them through their paces and testing those.

Now, how does it all come about? Well, I'm a little bit old, maybe not as old as some in the room but definitely older than others, and I've been in the industry within the UK for quite a while, and what I've seen is, from the very beginning, very cowboy-like behavior displayed by various different pen test firms, and organizations that wanted to procure our services were quite relaxed about them as well. In the early days it was kind of, okay, you guys are the hackers, come and break in, put a file on my desktop and then I'll believe that you're any good. Then over time that kind of matured slightly, either because people started to employ pen testers that crashed networks, brought down boxes, and then people panicked and cried and screamed etc., and the reaction was, okay then, we can't allow this free rein to continue, we need to test with very narrow scopes, control the risk, and it became very compliance driven, almost boring in cases, definitely not holistic.

But then we've kind of come round full circle now, as more and more organizations have been breached. You've got a lot of threat intelligence firms out there releasing information about adaptive and capable real nation state threats as well as criminal groups that really don't operate like pen testers and obviously operate without any scope. So the industry, or organizations that are looking to defend themselves against these types of attacks, have recognized that a pen test just isn't going to cut it, and now it's back to: right, come at me with all you've got, let me see. Whilst the industry has matured on both sides, organizations recognizing that they need to take cyber security that much more seriously, vendors out there have also matured and use robust methodologies, advanced tradecraft and tooling, etc.

This has been spurred on, at least in the UK where we're really into our regulation, by regulators. So there are various schemes out there, government and commercial, financial and other sectors, that demand a certain level of, or have an expectation that, certain organizations will have gone through an advanced level of cyber security assurance. You can rubbish it or think what you want about certain schemes out there, PCI being a good example, but what they are great for is being a catalyst to get a lot of organizations to mature rapidly and start to at least think about cyber security outside of just a very narrow-scope pen test. The main ones for me that I come across in the UK are the CHECK scheme, CREST, Bank of England CBEST, which is a regulatory framework for testing financial institutions' resilience to capable attacks and breaches, and that's gone over into places like Singapore under the iCAST scheme and Hong Kong... sorry, Hong Kong under iCAST, Singapore's launches soon, Kuala Lumpur, and I know the US are looking at this as well.

So what these schemes have done is try to map out a methodology for delivering this type of test, again what you guys would call red teaming, what I would call targeted attack simulations, but hopefully we'll find a common lexicon some way. But there's been this attempt to classify it, and that's why we've ended up with all the lovely colors. But what we've also had is vendors coming along with their own terminology to confuse it slightly as well. As you can see, we've had full spectrum cyber, targeted attack simulations, I mean that's one of ours, full spectrum attack simulation, cyber cyber site, etc. And if you can imagine that you or an organization looking to procure some level of assurance against this sort of stuff, and you're going out trying to buy this, the language is so confusing. How do you know what you're getting? Is that the same as that? Is that something different? Is that better? Is that worse? So there has to be a common lexicon. Now I do not advocate that it is rainbow teaming, that really is just me taking the piss a little, but we do have to come up with something at some stage, otherwise we'll end up with rainbow teaming or full spectrum cyber. I personally don't care what it is called, just that it's done properly.

And for me, for something like this to be done properly, it means going into a business, speaking to the board about what their real concerns are from a cyber perspective, i.e. what threats do they think they're facing, how resilient do they think they are, what outcomes are they looking to get from such an engagement, and then I work my way backwards and design that program, and it becomes a cyber security program, which doesn't sound as sexy as threat emulation, simulation, full spectrum cyber or rainbow teaming, but it doesn't really matter, it's what resonates with the board. Now the problem is the colors at least do resonate with many boards at the moment, obviously probably not gold and black team out here yet, but eventually we're moving in that direction.

So what do these things mean to me, okay, and how do I go about one of these types of assessments, how would I build it out? Now typically when I get engaged with a client that wants to procure our services, a lot of people want a red team, because red team's super hot and sexy and everyone knows what a red team is, and most board members have read it in some in-flight magazine and they come back to their business going, I want a red team, get me a red team, we need a red team, and then no one challenges them and goes, okay, we'll go get your red team. But unless you've actually got a benchmark of your own defensive capabilities against some kind of measurable standard, how do you know, how are you going to measure the success criteria of a red team? A red team isn't there just to come along and slap you in the face and say, aren't we clever. It's supposed to be about helping an organization build up their defenses, train their people and make them more resilient to attack, or at least assist them with their detection and response capabilities. So if you're going to do that you need to measure, you've got to have some kind of starting point, and if you don't have that starting point, what are you really handing that cash over for?

So my advice would be, for any organization, if you don't have that benchmark to start off with, go and get it. And there are various ways to go and get it. You can use your internal teams; you can look at frameworks such as ATT&CK, which is a great matrix, a catalog that contains lots of different TTPs in a matrix format, and they've even extrapolated it down so you can emulate particular threat actors from TI reports that are out there. And all you're really doing is making sure that all that security spend that you've handed over to various vendors for their little blinking boxes is doing what it should do. The best example is AV, okay. Everyone rubbishes AV, but at least it catches a lot of crap, and you don't want that crap on your network, but at the same time you don't want to be caught out by that crap. So if you've got AV you just want to make sure that it's working, it's ticking along, you don't put a lot of effort into it. So run some automated test cases, benchmark that what you've bought is doing what it should do, and then at least, if you use something like ATT&CK, you can get a gap analysis: you know you're picking up these certain things, you're not picking up those certain things, you can go away and tweak those yourself, or then you can start thinking about more advanced things depending on your level of maturity.

Now internally at MWR we have our own tooling, we have something called Attack Sim where we can run automated playbooks and different tradecraft and different sorts of attack paths through it, and we can benchmark that detection and response capability and help tweak it. CALDERA is an automated proof of concept, very much in beta, but it's available from MITRE as well. And then you can roll your own; like I said, that framework is there, those TTPs, every command you need to run, you know, whatever scripting language you like, you can just script that up, run it, even if you have to manually type it in, and just see the right alerts fire, okay.

Then I would move on to what you guys probably call a red team and I would call an attack simulation, which is basically: you want to put the blue team through a live fire exercise with a red team, but we also drop in some of our own blue team guys that will sit with the client's blue team to benchmark their abilities as they go. They can either train them and tutor them along the way by steering them in the right direction, or they can just sit back and observe and get a true measure and produce that gap analysis. And also we embed some red teamers to give that purple team element, either as part of the engagement or at the very least at the end of the engagement: our red team go in, share all our tradecraft, all the tools, the whole attack, that's what we did, why we did it, when we did it, etc., and we're open to full interrogation by the blue team so they can fully understand the attack, and then we might re-run various elements of it as well, because it's a learning exercise. That's where the real fun starts and that's where the real value is. The value doesn't come by steaming in and smashing all the things and getting domain admin; the value comes from showing how we did that, how we operated within that environment, why we did what we did when we did it, how we reacted, how we adapted, etc. The core of this is that red is there to skill up blue, not to prove a point or have an ego.

We also like to include the gold team element. It might be during the engagement, you can get that crisis management team together; if not, once you've finished, blue team have had their chance, interrogated you, gone through it all, all the playbooks are open, then do a tabletop exercise for that crisis management team, re-run through the exercise using that as a playbook and see how people react, how they go through it. There will not be any wrong answers, you just want to see how people react under that pressure, under what would be a real attack, with contextualization against their own environment. So that's kind of rainbow teaming, but don't call it rainbow teaming, we've got to come up with a new name that resonates.

Now, for the rest of this talk I want to walk through some of our tradecraft, how we've evolved it over time, and some defensive tips as well as we go. Now I've personally, over the past three, four, five years, something like that, worked with a team of guys where we've robbed a lot of banks, gone into mines, done crazy things with, you know, crazy computer systems, casinos, all sorts of different places we've been into, and over these years what we've seen, especially with the

clients that we work most often with and go around the circle with, is that they're getting more and more mature all the time. I'm going to talk about what I've come across and what my teams have come across from my perspective; some of this might be shared views, you guys might have had similar experiences. But what I do is, I talk to a lot of others in the industry that I've got relationships with: guys at NCC, guys at Context, you know, other guys I know, I think MDSec, they're a UK firm, you know, you guys are probably familiar with the guys over at SpecterOps, who used to be at Veris Group, and we share tools, we share tradecraft, stories over beers, etc. The feedback I've had is that these are shared experiences, so hopefully you guys might get some resonance from them as well. I'm going to be talking at a high level to get through it all, but if anyone wants to grab me and go into detail afterwards you can buy me a beer, or I'll buy you a beer, it doesn't really matter, I'm quite happy to talk about this stuff.

Okay, so a very quick history lesson we'll go through. So we used to start off, six, seven, eight years ago, where to get into an organization you just had to have a little poke at the perimeter. There was always a weak service, an API, an app or something, it would drop you into a shell, you could reverse proxy, you could use all your pen test tools, it really wasn't hard, and then you were straight into the environment and away you went. No one was really defending, no one was really looking, so in and out, easy days, aren't we clever.

Then things got that little bit harder. Defenders started going, I don't want this to be as easy as it is anymore, started plugging those holes, getting web application firewalls, you know, all the usual stuff. They went to the perimeter and locked it down, so we had to think about, okay, let's go around the perimeter, what can we do then, and this is, you know, the age of phishing. We shifted over to basically emailing the meat suits sat at the end of the computer, who are easy to trick, and we sent them attachments or links to websites that pointed to something as simple as Metasploit autopwn, where it just ran through and goes, what software are you running, there's an exploit, great, away we go. And again you're using your pen test tools, there was nothing big and clever about that, but it worked a lot. Again we felt like super ninja hackers, but really, were we? All it took from the defensive team to respond to this sort of stuff was to start patching the desktops, the browser plugins. Okay, there was a lot of effort made by various browser vendors and plug-in vendors to code a little bit more securely and plug this down, but generally we were using not zero days, we were using patchable vulnerabilities months after patches had been available, so this was like security hygiene they just had to get right. A lot of those holes got closed, the defenses went up, shiny boxes came out that would detect these types of attacks; they're easily signatured. So if you were sending through a malicious PDF then someone somewhere had a signature for it, it was either in AV or it was in a mail gateway scanner. Same thing when you were visiting a site that tried to trigger some sort of browser exploit: they all had similar patterns, people didn't really customize them, they're all coming out of Metasploit, the defenders had access to the same tooling, so it was easy to signature and sell you a box that could detect or block that. So we were defeated; our phishes were getting caught, our exploits weren't working, we went from super ninja hackers to basically feeling quite crap. We didn't have any shells, and it would be quite an embarrassing thing to turn around to your client and say, no, couldn't get in because all your flashy boxes stopped us.

So in order to react we moved to more social engineering focused things. If our exploits were getting caught because they're easily signatured, that shellcode we keep reusing from Metasploit is now famous, etc., then let's just abuse functionality in common applications on the desktop. And I'm sure a lot of you are familiar with using Word macros, Excel DDE, PDF JavaScript, etc. All of them have built-in functionality that allows you to execute commands, or some level of code execution, or built-in scripting languages that can be abused. So all we were doing was abusing that feature and a little bit of trickery, not trying that hard, to get users to click on stuff. That's why it was still usable, but less so. We were looking at different tooling. PowerShell was becoming the thing everyone was, you know, getting super excited about, this powerful scripting language that was available in the Windows world for post exploitation. Small scriptlets could be dropped to disk, you could customize them easily, it was fun times. AV completely missed it because it was legit stuff that was happening, so there was no real hurdle to go past. We felt great again, super league ninja hackers, APT1, Putter Panda, whatever we wanted to call ourselves, it was go-go again, beating up on the blue team.

But there was a real back and forth, it was a war: every time we tooled up and advanced, blue team would get some more tools and capability and detect what we were up to. Around this time as well there were lots of advancements in post-exploitation techniques, again SensePost, Veris Group, SpecterOps, etc. I'm sure most of you are familiar with a lot of these PowerShell frameworks that are available. They've matured a lot, but at the time when they dropped they were seen as like new magic; it just made pen testing and red teaming type engagements that much easier. You could get your shell, you could load this PowerShell, it would do all the things, you would get DA, it would draw you pretty paths on how you route in the environment, etc. But the thing is they leave a lot of their artifacts behind, lots of breadcrumbs, they're easily detected; it's just at that point in time not many defenders were really looking for it or doing much about it.

So then we had detection tech that was evolving: all these EDRs, next-gen AVs, ETDRs, lots of acronyms that, you know, I've lost what they mean now, but basically there were products that were specifically designed to detect these types of post exploitation and exploitation techniques using the artifacts that were readily left behind, APT stoppers and the like. They were built, and the reality is it did make the job that much harder. Getting past a lot of this tech isn't easy. It can be done, and in some cases it's harder, sometimes it's easier, depends how much effort you put in, but it's a hurdle, it's another thing that we have to try and get past. And there's nothing worse than gearing up for an attack, launching your attack, and a flashy box is what stops you. It's also embarrassing and you go through major waves of self-doubt. I don't know how many of you who do red teaming are always 110% confident that in every engagement you're going to get in and not have to try hard, so you have to stand there and think really hard about your plan, how you're going to get in, and if something like this defeats you and you've got nothing else in your bag... But it is still human being versus machine; we're still going up against pieces of tin, computer programs that are predictable, that we know we can beat.

It's just the amount of effort that goes in. But sure, things are getting harder and we're really having to earn our money now, and defenders keep up in that game all the time. I've heard a lot of red teamers slag off blue all the time, like, those lazy guys, they're never going to catch me, I'm awesome, but really they've been putting in a hell of a lot of effort. In the more conferences I go to where there are offensive talks, there are a lot more blue team guys in those talks; they come along to get, you know, that little bit of advanced knowledge: what's coming at me next, what can I do to prep for it.

Also Microsoft themselves have made some great efforts to basically steal away PowerShell from offensive red teamers and also threat actors. It's kind of, no, they want it back, it wasn't designed for that, you're not having it, we're going to build in all the security features and we're going to take your toys away, and they've done it quite effectively. Okay, you know, lots of restrictions; again you can bypass some of them, but you have to work hard for them, everything's logged, your artifacts are left right and center. To me PowerShell is dead. If you're using PowerShell in your offensive operations then you're going to get burned, for most organizations, and rightly so. It's time to let it go and move on.

Defenders are using things like AppLocker, software restriction policies, whitelisting, and again the usual counter argument when you recommended this stuff was, that's too hard, people will moan and complain, but as soon as they see how effective it is then they're all on board, and they've been mature about how they roll it out: they'll pick a small group of users to try it on, expand that group, see how effective it is, and roll it out. And we've been banging on about it to organizations for years now; they've listened to that advice, they're rolling it out, and there are the benefits of that, and there are lots of organizations that we go up against that have this everywhere, and it's effective, very effective. So defenders now have quite an arsenal in front of them: they've got all of these built-in Microsoft tools for free, they're not having to pay third parties for them, the products are effective. Now you'll find umpteen different talks at various different conferences calling one of these technologies out as crap and showing how great they are because they got past it, and I know it's tired when you talk about layered defenses, but a lot of these products, when they're all turned on, all working in unison, are very effective. Even if you've got one bypass, one bypass in most modern organizations is not going to get you past the next piece of kit, or the next piece of kit, or that piece of software.

But defenders, again as I've gone through the years, at this point there was still a large over-reliance on technology, so it was still humans versus machines, and humans are always going to come out on top, until these guys and this took hold: threat hunters, whatever you want to call them. This stuff's a game changer. This is blue teams taking this very, very seriously. This is blue teams going, I've got all my boxes, I've turned on all my preventative controls, I've got all my detective controls, I've got a highly tuned response team, nothing's firing, everything's calm, it's cool, and instead of sitting back and going there's nothing to do here, thinking, I reckon someone's popped us somewhere, let's go and look, let's go find them. So as you're gearing up to attack one of these organizations, you haven't even launched your attack yet, but they think you're in and they're already looking for you, which is a big game changer. You have to be much, much more on your toes.

There was a talk this morning by, um, I can't pronounce his name, I'm going to get it wrong, Mauricio, there you are. Your talk this morning again was kind of on this concept. What I saw from your talk was the same attitude and philosophy that I've seen in a lot of blue teams now, which is that we've got all this tin, we're using it, but it's not my tools, it's not my kit. And the same for red teamers: if you guys are relying on the tools that are given to you, that you download, that are open source, and you're not crafting your own, then you're going to get burned, same as blue teamers relying on this stuff. I've seen a lot of blue teamers picking up their own tools, crafting their own tools, doing their own investigations and actively going out there and hunting in their own environments, and those guys are winning hard.

So it's about this stage where I have lots of self-doubt, I'm feeling quite defeated, I might just go back to pen testing because it's a bit easier. I'm having to work so hard with every element of my attack: my phishing attacks, how do I get in, what am I going to use, how am I going to go about it, I'm going to get beaten by this, I'm going to get beaten by that, and blue team's kind of, you know, the one with the ego now, prancing around waving at me and going, ha, you suck, and it's kind of embarrassing and defeatist and you think, well yeah, maybe I do a bit. Am I going to come up against this? What am I going to do now? What am I going to do next? Okay, so do I give in? No, but I have to sort of retool and rethink how I go about it and try and put some of that negativity to one side.

So we put on our big girl pants, we go back to the plan. Always have a plan. It should be an iterative plan, one that takes into consideration the defenses we might come across, and one that's adaptive, and obviously one that's never linear, but also it breaks down into very simple steps. We need to get a foothold and persist somehow. We need to do some intel, some recon, some OSINT, learn about the environment we're in, and then we have to move sharp, because we've kind of got to figure that even if we have got in, someone's going to come and find us, and when they find us you don't want to get booted and start all over again. Once we've done that, we've found a little dark corner to hide in, we maybe do some more intel, some more recon, gather some more information, make some more plans, and then we execute our attack, and then we get out alive, quick, sharpish, before we're caught.

So we need to do our homework. Now, you'll notice John Lambert up there. One of the things that we have to consider as well is not just the blue team that we're going up against. John Lambert and some friends of his advertise a lot on their Twitter feed stuff that they find in VirusTotal and other places that they come across, and they make a big deal about these campaigns. Now he's come across quite a few of our campaigns and advertised them, and luckily they haven't come back on us, but it's not just the organization's blue team you're going up against, there are other organizations out there watching their back. We've had our clients receive certain notifications that they're actively under attack, and they haven't seen a damn thing, because of the likes of John Lambert out there. So he needs to be in your OPSEC considerations.

We've got a number of different lures that we go to. Phishing is generally the go-to strategy still; there are more, I'll cover some in a second, but you have to consider, once you start your phish, you launch that attack, you've got no idea where it's going to end up, and you've got to consider that it could be John Lambert, it could be someone else, you could get burned before you even get going.

Payloads. What are we going to do with our malware, how are we going to get past all these shiny boxes, how are we going to get that implant on a box? Well, we're going to have to obfuscate it, we're going to have to encrypt it, we're going to have to customize it for the target that we're going after. Now again some of this was touched on in some talks earlier about how to smuggle your malware into an environment, but this has to be the de facto standard now. You have to be doing everything you can to hide your payloads from those boxes, smuggling past the various different sandbox technologies that are in play, the various different detectors, and the most effective way to do that is to encrypt them, use sandbox evasion techniques and various different bypasses. There's a lot of prep that goes into putting one of these payloads together, and there's some tooling that can help with that: CACTUSTORCH from MDSec, and SharpShooter, that's coming out in a week or two. These are really good tools for generating loaders, or, you know, stages, etc., whatever terminology you're more familiar with, using more esoteric techniques that a lot of different detection capabilities and tooling are unable to spot: various different pieces of client-side script and then different kinds of process code-loading approaches. And you can use stageless custom executables. Staging has been so signatured, like Metasploit; Cobalt Strike only recently changed and allowed that to be malleable, so you're going to get fingered straight away by blue if you're staging your malware, so go stageless, use COM DLL hijacking techniques, etc. That stuff largely flies under the radar. We have our own implant that's still in development, we may or may not release it, called Inappropriate Touch, and this uses, well, we try and employ the latest techniques, memory evasion techniques and things like that. It's still in dev, but we rely on Cobalt Strike under the hood; everything we develop is developed to work with that as well, and I'll mention something like that in a little while.

But phishing isn't your only way. If everyone's looking at emails coming in or websites, well, everyone's on the cloud now, everyone's using various different communication tools, whether it's some kind of mail client or chat client or collaboration server, and a lot of these are single-factor authentication. Is anyone familiar with the Have I Been Pwned efforts, which is basically an online catalog of various breaches and dumps? It's the same sort of thing: if you can go and grab those, people are lazy, they reuse passwords, that might get you in, or you do a bit of intelligence, use your brain, figure them out, you can normally find an account. Once you've got a Skype chat going, a Yammer chat, an email, whatever, it's easy to get them to run your payloads and no one's watching for it. Also there are various functionalities within them that can be abused, and you can get into SharePoint, upload a macro-enabled document to something that someone's going to open; again, it's just employing those techniques. Two-factor authentication: sort that out, but most people are still on 1FA. And some good tooling again from MDSec, like LyncSniper, that'll help you automatically identify the endpoints and brute force them. SensePost released a tool called Ruler that will allow you to abuse functionality within Outlook to execute code based on various trigger conditions. We also put out some tooling called PEAS which allows you to abuse the Exchange ActiveSync protocol to read file systems and things like that; that's quite useful. And you can see where this is going: people are releasing more and more tooling that's available to look at more esoteric insertion vectors.

So what about phoning home? Again there was another talk a little earlier by, I'm not going to do Brandon's surname because I don't want to upset him, but Brandon and Andrew Johnston a little bit earlier did a talk where they mentioned symmetric and asymmetric C2 channels. Now what we've developed, and we'll be releasing this in a couple of weeks, sorry it's not out now, but if you follow the feed we'll push it out, and we'll be releasing the framework, potentially not all the modules that go along with it

but essentially this allows you to use the external API functionality of cobalt strike to implement your own custom C2 channels where you have full control over them the malleable you can we've got modules for Dropbox Google Drive OneDrive Etc and we can blend in within the environment using existing business tools so that any threat hunters or you know flashy boxes that are looking for this stuff we can fly and blend in you know living off the land Etc also you don't want to get burned once you are in with your implant we've gone to all this trouble to get our insertion Vector either by phishing bypass those defenses either come in through Skype or whatever it may be once you're in

do not use Powershell it will get you burned immediately by most mature organizations okay and I know this some Frameworks out there some tooling that's about I'm not Powershell I'm just a rapper around system.net automation but smart people are looking at as well so that's going to get you burned or if you're retool doing it that way again it's not going to last long usually in this case we've got an implant it's going to be a matter of time before we get caught and get booted out so you want to do the least amount of things to get you burnt so use things that don't often get detected like wmi talk using bespoke and legit protocols

such as ldap if you want to move laterally use the tools available to you I love SCCM I can use it to hunt users I can use it to pop a shell on another system somewhere else in the environment and I don't leave that Telltale network connection this says I did pass the hash over there if I'm going to do something like pass the hash or pass the ticket do it custom most tools available don't do it in an RFC compliant or protocol specific way if you're going to use these protocols make sure those protocols look like the protocols that are being used in the environment you're in best example is most tools do not put in the AES key

when you do a pass the ticket attack and most tools will trigger on the fact that that's missing if you put it in it flies under the radar because it should be there so don't be lazy with your tools understand how they work understand how the protocol works and if you're going to abuse it abuse it as it was designed to be abused so that's techniques tool tradecraft Etc that you can employ that are technical that's about your tools and you know the latest shiny shiny that comes out but we're doing people versus people here now I'm not a Psychology major or anything like that but if you can figure out how someone thinks how they'll react if you can

predict that you can abuse that and that's kind of where I get a lot of fun so turn an organization's defenses against themselves there's a big push at the moment for orchestration how do you do things at scale how do we connect all the systems pull back all the information etc etc again it's that over-reliance on technology if they're going to over rely on technology and make automated decisions on that technology then abuse that technology so I might send in a piece of malware that's got fake indicators a compromise and my real indicators of compromise will only be triggered when the real Target uses them again via encryption because my Target's got it or whatever it may be that's

running a Sandbox and a blue team takes away the ilcs and then blocks those C2 domains and Pats themselves on the back and thinks we're done here and doesn't send a threat Hunter out then we've got a longer time to carry on with it or if I keep getting burned within four hours I make a plan for what I need to do in that four hours most Defenders will think that I'm going to go through a linear methodology I'm going to follow one attack path I'm going to come in as soon as I breach I do XYZ but the second time I breach I don't need to do XYZ I need to do ABC because I've got

information I've got Intel I've adapted my plan and I do something different if the blue team doesn't adapt my attack and I can predict what their behaviors are I'll get by them I might use persistence mechanisms that arisoteric can't be detected I might breach and then leave that alone and walk away and a Defender that looks at the environment and can't see how I persisted then nukes the machine thinks it's clean but I've backdoored a template file and a file system or I've put in an Outlook rule into exchange there's nothing on the box I wait six months I wait 12 months I sit in my trigger and I'm back and it's happy days if they didn't account for that in their

playbook then I win smoke screens this is fun if you feel yourself being chased that you've seen C2 jiggle down people are probing your infrastructure and then use diversionary tactics launch this Adidas attack spam the entire entire like internal domain with malware that's going to fire alerts on all the boxes because it's stupid malware everyone eyeballs shift and then you get on with what you need to do these also aren't just my tactics these are all been played by various different threat actors in the real as well okay so how do you respond to these ttps what can you be doing as a Defender and sadly it's still quite boring I'm not gonna say like the email Gateway

Solutions it's all 101 scan incoming mail run it in a sandbox do it for every web download put two factual authentication everywhere make it harder make it really hard for an attacker all these defensive Technologies get beaten on all the time and people slag them off and say I can get around it I can do this on a tricky aren't I clever in the real world if you keep coming across another layer another layer another layer there's increased opportunity for you getting burned for the defensive team to learn new tactics and to keep shutting you down there's some really great models from Microsoft now the red Forest I mean you want to make that attack path as

complicated and twisty and turny as you possibly can the red Forest is a difficult concept to get your head around it's also a lot of hard work but if you can get there there's a load of security built into Microsoft Enterprise environments now in the latest versions server software that you'd spend a lot of money on buying from third parties which you no longer need to spend but the endpoints run everything patch everything make sure everything's up to date all the Microsoft stuff whitelist all the things SRP I know it's hard but it's doable and when it's done well it makes my job so hard to get that for all to get my post exploitation tools on there to push

along and again it's about you know deploy antivirus people hate antivirus but it's effective at catching really low level crap get the low level crap out the way focus on the better stuff but the key point for any defensive strategy is people you need to invest in your people if you're an organization you've got a blue team or you're Outsourcing It Whatever model you have you need to be giving them training education putting in through these type of live fire exercises making sure that they're honed they're trained they're fight ready they're familiar with these tactics and techniques and they've got the tools to react to them yes use technology but humans should be using technology as tools not the other

way around I just want to put up a slide that thanks these people for their papers their tools things they've shared with me either directly or indirectly I've leveraged a lot of it over the years and I know there was a talk slightly earlier about dot net malware and the increase of it should really read the paper from malware unicorn about some advancements that are going on there on how to detect.net malware through various different instrumentations right now when I say Powershell is dead everyone's looking around how do we retool what do we deploy now what do we shift to and a lot of people are looking at net as a viable vector and kind of on pause with

that at the moment because of that research and it's something you should read upon and have a look if you're going to take this seriously okay so that is the end uh please have a look at the Twitter feeds some of that tooling will be announced in the next few weeks and go grab it play with it and have a look at it

[Applause]

please shout them out, I will happily answer any. That's it. "PowerShell is dead?" Okay, so this is my experience, the clients I work with, the kind of operations that I run and my team runs. If we use PowerShell we're going to get booted out and done, and the client's going to go, "I'm not really going to pay you." I'm not saying it's for every organization out there, but most of the organizations I'm working with, most of the defensive capabilities that I see in teams, are beyond PowerShell flying under the radar for them. There are organizations where I'm sure you can run them up still with PowerShell, but I'd say if you want to be serious about your offensive capability you need to be retooling and thinking about an alternative.

It's dead to me. The paper from Malware Unicorn will also show you where defenders are going now with it. It's not just the features that are available in PowerShell to detect it now and all the technology that's come along with it; people are looking at how all these evasion techniques are being employed and jumping ahead of the game and going, "I wonder where attackers will go," and we'll still go and we'll start defending from there. Right, so that's it, thank you.

Thank you.