
BG - SECSMASH: Using Security Products to own the Enterprise - Kevin Dick & Steven Flores

BSides Las Vegas, 44:09, published 2017-08
BG - SECSMASH: Using Security Products to own the Enterprise - Kevin Dick & Steven Flores Breaking Ground BSidesLV 2017 - Tuscany Hotel - July 26, 2017

All right, how's it going, guys? My name is Steven Flores, and we're gonna be presenting on SECSMASH, kind of a framework for owning enterprises with tools already in place. So like I said, my name is Steven Flores, I work for a company called Tavor in Southern California. I work as a penetration tester, red teamer, digital forensics as well, former Marine, so did that. And additionally, on top of that, I like to do research on offensive tactics and tool development, plus I'm also the coffee master. So...

Hey guys, my name is Kevin Dick, really excited to be here. I'm also a red teamer [inaudible], managing the threat practice for us, overseeing our penetration testing practice and one of the main leads as well on those projects. Like Steve, you know, really doing a lot of aspiring to be a really prolific open source tool developer, working on red teaming tactics, not so much the coffee team as him. And yeah, he put "hacker Mia 9000", that was amazing.

So, alright, what we'll be talking about today: we're gonna talk about kind of where this idea came from, what the attack scenario would look like from kind of start to finish from an attacker's perspective, the overview of what our tool actually looks like, we'll give you a live demo of it attacking an actual enterprise security product, and then we'll talk about mitigations and then close it off with kind of closing remarks and questions if anyone has any.

So the genesis of this idea: over time, at our company we work with a lot of security vendors to deploy security products, we work closely with them, so we get to see a lot of these security products out there in the current market. You go to Black Hat or RSA, you see all these tools out there that are being used, so we see them all the time, and on the offensive side, during penetration tests, we see them in these environments all the time. So you know, over time we started wondering, you know, we see this constantly, and the architecture of these things is interesting to say the least. You know, you look at this thing and it could be used for evil potentially, because at the end of the day it's got a pretty deep level of access. So one of our objectives for red teaming is, you know, understand your environment, understand where things are, figure everything out, figure out where everything is, and, you know, accomplish your objective eventually over time. So we would leverage tools like this and attacks like this to accomplish our objective and get to areas and places that we want to be at.

So this kind of gives a little diagram of what, first, you know, infrastructure would look like for your organization. You know, you have your security solution deployed out there connected to all your agents, you know, you could be running either [inaudible] or EDR, you know, Splunk, your SIEM, what have you. So this is kind of basically what it looks like. Now we'll look at what a C2 infrastructure looks like: you got your C2 server talking to all the infected endpoints. Ultimately, it's the same thing. These are pretty much legitimate C2 infrastructures that are already built for you, and so, you know, why not leverage what's already existing to get where we need?

So, targeting our infrastructure: the key tasks for any red team or penetration test, more of a red team, you want to set up a stealthy C2 infrastructure, obviously get your control of your targeted workstations, endpoints, servers, what have you, and, you know, to get to your objective you need to move around. So our idea is, why not take over what is already existing? There's already a C2 infrastructure, let's just use that. And our original proof of concept and research for this started off with Splunk. A lot of times you go on engagements, people got Splunk servers, and you'd be surprised how many times they are left with no credentials or default credentials. Instantly, right there, without ever doing anything, you're in. You're just owning a massive environment in seconds, pretty much. And like I was talking about before, since we work with a lot of these vendors, we see a lot of them have the same kind of capabilities where they can talk to these endpoints as well, so that's kind of where we started off with it.

So normally on these endpoints they run with really high privileges, SYSTEM and root level privileges, so, you know, all your post-exploitation techniques that you'd normally need elevated privileges for, you're there right off the bat as soon as you get access to these security tools. Ultimately, like I said, they act as legit botnets, C2 infrastructures with signed binaries, actions that allow attackers to do things: memory dumping, process dumping, stuff like that, stuff that, you know, as an attacker you can leverage all the time. File uploading, file downloading, there's a lot of things you can do with these tools. We take advantage of the architecture, so we're not really doing anything like exploiting any services, it's just kind of taking advantage of what a blue team has at their disposal, and we're giving it to the red team now. So security products become a high-value target. Like, you know, normally doing red team engagements you want to go for domain admin. Well, with this you really don't need it right away. You can find your security product and get mass code execution in an environment without having to try to do privilege escalation to a domain admin level user, and so ultimately, at the end of the day, we're using these tools for the complete opposite reason that they even exist.

So we'll talk about the attack scenario. Normally doing a red team engagement you have your initial compromise, getting your foothold, you kind of do some post-exploitation, find out where you are, where you want to be. So target specific users: go look at Active Directory, look at group names to find a wealth of information. All the information is there, you just have to look for it. You know, a lot of times organizations will go in there and you see, oh, they're part of a group called Splunk, they're part of a group called Tripwire, they're part of a group "whatever admin", something like that. That seems like a person we want to go after, so we'll go after those users. And also understand that a lot of times we'll see these users are using their Active Directory credentials to manage these products, and sometimes even LDAP authentication, which allows us to just move even quicker into getting to some of these environments. So we gain access to our security tool and we deploy our tool, SECSMASH, which can target really any of these security tools that operate with this kind of level of access in an environment. Once you do that, you pretty much just have a massive C2 infrastructure that you can go and do whatever you want with, and you're golden from that point.

So for the first part, like I mentioned, our user hunting. You know, hunting for domain admins, great, yeah, you have a high level of privilege, but it's not always necessary. We can hunt for the people that administrate, or administrators for, these security products, so we'll go after those. And additionally, a lot of times domain admin accounts are secured pretty well, so it's kind of a little more time to take to get to that level of access. LDAP authentication, you know, like I said, sometimes you'll see it in a lot of these security products, and, you know, you dump creds from memory using Mimikatz on a box and now you can just go and log into the security product, and now you can get code execution everywhere. And many of these tools are implemented by contractors who don't always implement the best security as well. You know, you'll go into an environment and they have disabled accounts or old accounts that, you know, haven't had passwords changed in forever, maybe possibly still using LM hashes, things that really you don't want to do, and they just leave the account in there because it's not managed very well, so we'll take advantage of that as well. And like I said, gaining access using weak shared credentials: contractors are kind of notorious for sharing their credentials sometimes. Some of these tools' default passwords, like I said, a lot of times you go into environments, tools like Splunk, no password or default password, instantly you're done right there, you can just go in and do everything. Instantly launch exploits, I mean, you look at a lot of these security tools, most of them have had exploits in them, you know, Splunk has had exploits, Tripwire code execution, other tools. So you know, just because it's a security tool doesn't mean they're immune to, you know, software vulnerabilities, and you can just write a casual zero-day and get access that way as well.

So Steve gave a high-level overview of the tool, kind of the purpose. Right now we're switching our user hunting to not only focus on AD, where there's been a ton of tools for searching for AD users, getting to domain admin, and then of course completing your mission. You usually have to go further than that to bypass network segmentation and get to other locations. This is really saying, you know, we can actually use our hunt for people for these enterprise security tools, or really any enterprise management tool that's spread across the enterprise, and you're able to get a much higher level of access than you would from even a DC in many cases.

So I want to go into more specifics here on a specific product, Tripwire. This is one of the products we've integrated into our tool that we can actually leverage as basically a C2 infrastructure if we have the credentials for it in the environment. So basically we've followed the attack path that Steve has laid out, where we've got the credentials to Tripwire through user hunting or weak passwords, normal red team activities, right, but we're going after those Tripwire users in particular. And what can we do with this tool? This is just an example, but Tripwire is basically a tool for managing and tracking changes on endpoints, and it does it in a variety of different ways. There's real-time agents that will flag on a change, there's, you know, file changes that it will trigger on, but what we're interested in, how we leverage it actually, is something called a command output capture rule. Basically what this does is run netstat on your system at a certain time, run it again, you know, 20 minutes later, see if there's a new listening port, okay, that's an alert. Well, what this is doing basically is running an arbitrary command on that system as the SYSTEM user in most cases. So you can kind of imagine what commands you might want to put in there that you could use to actually start taking advantage of this.

So let's say we're on a red team, we did user hunting, we know Tripwire is using LDAP authentication and we've got credentials to someone who is in a Tripwire group, so pretty good indication we can probably log in to Tripwire with that. We try, we're in, okay, what next? The first thing to do is create an evil rule. So you probably don't want to name it, you know, "SECSMASH rule", just name it something that would make it blend in. This rule is going to be basically this, where it has the command that you're going to run. Now you have to trigger the rule to operate, right, so you're going to go ahead and basically assign that to a node, and you can basically say run this command output capture rule on this node by clicking "check rule", and it's gonna run whatever you had in that command as SYSTEM on that host.

Now again, the real advantage of this, right: let's say even we have domain admin credentials and those domain admin credentials are good for Tripwire. Well, maybe we can't get into the PCI zone from where we are now. What would you do traditionally in a red team, right? You're gonna be pivoting, you're gonna be opening tunnels, you're gonna be trying to find the right host that has access to get to that zone. Well, the good thing for you is these tools, in order for them to work, have to have access to those zones. The other good thing is these tools are deployed to protect the most sensitive systems, so they probably have access to the most sensitive systems. So you get on them, you push the code to your node and you get command execution on there. You could also, obviously, if you wanted to see a bunch of shells, right, just put it on the root node and watch everything get owned running your rule, but you probably don't want to do that unless it's in a lab environment. And again, ideally the command output capture will run and you'll get your agent. Lastly, for Tripwire, you probably want to delete your evil rule, you don't want to create a bunch of cruft in your clients' environments.

Now that's just one example, right. Now the problem is there's a lot of these tools out there that have similar capability, but unless you've worked with them, how are you going to know how to go through this? Our goal is kind of, we want to make that easier for everyone, as accessible as it is for, for example, taking advantage of getting domain admin. Active Directory is basically the same thing, right, where you basically now have command and centralized control over many systems in an organization. Well, a lot of these tools are very similar, but they don't have the same amount of tools and support available for everyone to use unless they have a lot of experience with them. So our goal here is to kind of unify all those options in a modular framework that we can basically use to handle more tools, and that's what we're releasing as SECSMASH. So really, again, this tool was intended to provide pentesters the ability to quickly discover and assess these systems and leverage them during their testing without having to be an expert Tripwire integrator or expert, you know, Carbon Black or Splunk integrator. The tool will basically let you kind of not have to worry about the details, and it's basically a modular framework so that the experts, the people that have experience with those tools, can contribute their expertise into the framework so you can basically use that expertise on your pentests as well. We obviously have some expertise in Tripwire and some other products that we're releasing with the tool from the get-go, but there's a lot of products that we, you know, haven't had our hands on, and we'll kind of go into that later on, what we're kind of wanting to get out of community involvement here. So that's an idea of, you know, a specific example, high level, how the tool works. Steve's gonna go a little bit more into the details on the use of the tool.

So you get on your environment, first thing you obviously need to do is kind of do some situational awareness, find out where you are. You know, you need to do your discovery, find out if there are, first of all, particular subnets that you can talk to, or any of these tools there, can you, you know, find a method of identifying them. So we have actually that built into it, where you can give it a subnet, single IP, what have you, and it will tell you if there's whatever security product there's a module for existing in this network. So the module is pretty much set up as: you have a regex for how you want to find the security product, the port you want to target, and just kind of basic information for discovery as well. So the discovery engine, what it does, loads these modules, pick your module, kind of, you'll see in the demo later on what this kind of looks like. So you pick your module, give it the information that you need to give it, and let it go, and if anything comes back then you know that you have potentially found a tool that you can exploit, or take advantage of rather. The regex, like I said, matches specific results depending on the module. And additionally, you don't have to use our discovery methods, you can use tools like nmap, EyeWitness. If anyone was in here earlier, saw Chris Truncer's talk, he's the developer of EyeWitness, which is a tool that pretty much takes screenshots for you based on IP address or what's running on specific protocols. So if you want to, say, look at everything running a web server in an environment, you run EyeWitness, it'll give you the output back, you can look at it and see a nice screenshot. You know, a lot of times for maybe an internal penetration test you'll have the ability to just kind of go to those manually and see what's running. During a red team, when you're not on the internal environment physically, then you know you'll have to do your SOCKS proxy to kind of view these, and this just makes it a lot easier by going through, taking screenshots, sending it back to you so that you can see what's there.

So once we have our discovery done, we know that there's a tool there, we have our creds, say we exploited a user that has access to Tripwire, or a user that has access to Splunk, something like that. We'll do our enumeration. So what we're doing is we're gonna be enumerating the actual service to see what nodes are connected, possibly get more information about the environment, what is where. So we'll call them, in this, we call them controllers. Couldn't come up with a really great name to call a security product, it sounds kind of weird, so going forward you'll only get the term controller and that's really what we're talking about. So right now our output comes back with the ID, host name, the ID referring to the ID in the security product, the host name of that particular host, and then the OS of what it is. And so you can also run some arbitrary things with that as well, that we'll talk about later. So once you have your enumeration done you can either target everything connected to that particular security product, or controller rather, and start just getting a massive amount of shells, or you can just target specific ones individually. You know, I don't need to own everything to, you know, make my point. I want to get into a sensitive network, PCI zone, what have you, I can target that, stick with that particular IP address or the particular host, get a shell on there or do whatever I need. Ultimately, also, you don't need to use another, say, popular RAT, like, you know, something like Meterpreter, Empire, Cobalt Strike, things like that. You can just have command execution, command output straight through this as well, so you have the ability to kind of do whatever suits your needs for your particular engagement. And like I said, you can read your command output, so you don't really need to use something like Empire or anything like that.

So I'll go and pass it back over to Kevin to kind of show you what this looks like in practice. We're going to show you basically how to use the tool. So one of the things you'll also notice as Kevin's going through this is that the look and feel of this is very similar to Empire. We love using Empire all the time, so I like the way it looks, and so I kind of just designed it to look like that. We have our little network here, you can imagine that we are an attacker that's gotten into an environment and we have a shell on an internal system, or we're doing an internal pentest and we're here with a laptop on kind of a regular network. Now that network has access to the Tripwire instance, let's say this Tripwire instance is just on the regular network. Well, you really can't see that, ah, if I can zoom in a little bit.

But the Tripwire instance, you know, you're trying to get into the PCI zone, let's say to exfiltrate credit cards, you can't reach it directly. Now in this network, kind of a contrived example, but we have that Tripwire system that's a secure PCI zone system, and we're going to basically use that, so you use the Tripwire system to get a shell on that PCI system. So we'll go ahead and start up SECSMASH, and like Steven mentioned, we have a discovery function built in. Now I'd probably recommend, like he said, probably something like nmap and EyeWitness if you're gonna be more advanced, those are obviously a lot more customizable and purpose-built. Well, we do have a basic one in here that you can choose, in this case subnet, you can have it scan the subnet, but we actually know which server it's on, so we're just gonna hit it at an IP. Run that, it can sometimes take a while, so just to save time we'll go ahead and just say we found one at this IP. Yes, so there we go. Like Steve was saying, we do the subnet enumeration, it's not super fast, that's why it's probably better to use nmap and EyeWitness, but this is good for confirming as well. So I got my target, so I'm gonna go ahead and start enumerating, and again the enumeration phase is basically to figure out, okay, I know this is a security product that I have access to, what hosts are on that that I can actually get shells on? Let's go ahead and see what our options are. Well, first we'll set our username, which is the administrator, and set our password, which is "for secure", and we're gonna set our target, which is gonna be that server we just discovered, again this could be host name or IP, and lastly we need to set our module. So now we're all set, we can go ahead and run our enumerate, which queries this and figures out what endpoints we have accessible to us.

So we can see we have a bunch on here. Now I know the one I'm targeting, what I really care about, is this IP. Now again, this is as simple as possible so the demo wouldn't break. In a real-world environment you'd really be wanting to do it against an IP that's in a different, separate subnet, right, imagine that's the case. For now, in this case they're on the same local subnet, so this probably wouldn't be necessary. So I'm gonna grab this IP and I'm basically gonna want to exploit it, so I can go ahead and go into the smash phase now, and I can see my options have carried over. I'm gonna go ahead and set the endpoint and then I'm gonna get my payload ready. So set the endpoint here. Now one thing to note, if you don't set the endpoint, it actually by default just hits every endpoint on there. We might want to change that, but it's kind of fun to do if you want like a load of shells coming through. So I'm gonna start up Empire. Yeah, once you do that you really can't stop it, so you're just gonna have a mass amount of shells coming in, which is always fun. The client might not, I always think so. [Music]

Shall I look... what did I show again? So one thing that we did is that we don't want to make it look all ugly with just a long payload, so we just kind of made this string short, but the full payload is there, it's just you can't see it. Cool, so I'm gonna go ahead and run this now and it should basically reach out and hit that endpoint through our credentials and Tripwire. So, demo gods be with us, we should see the agent coming through.

There we are, initial agent. So I can interact now. One thing to note, Tripwire is kind of interesting because the HTTP request basically doesn't end until the agent exits. We need to do some tweaking to handle that a little better, but [inaudible] so you understand how that's working. So we can see the info for the agent, we've got it. I'm going to go ahead and exit from that now, that's killing it, and then we should see basically, once that agent is killed, the SECSMASH thing should exit out of that loop and it's gonna do another request to basically delete that rule automatically so it's not in their system anymore. Yeah, that'll happen eventually [inaudible].

Cool, so I'm going to go back to the slide deck.

so again tripwire is just one example this thing would it be that useful if it's a purpose-built tool for targeting tripwire I just use the GUI the idea this is not that you purpose target one thing is that multiple things in here that we can leverage as a rat okay you know this example we basically opened the Empire stager for the sake of demonstration but you can imagine you can actually just run single commands on here and use this as your rat you know one of the biggest challenges now people are talking about application whitelisting you're trying to get your payloads whitelisted you're worried about your traffic if you're using an existing product for your command and

control communication you don't have to worry about that not only are those signed binaries that are wireless by the domain the travellers going to look normal because it's already there and part of their at the regular systems and lastly there's kind of network whitelisting to these devices to make them work so you don't have to worry about you know conniving your way around the network in order to get what you want you just go directly to it so again the usefulness of this is really the integration framework that we build and as you saw in the the tool just basically free flow so there's authentication enumeration and smashing this is basically the execution we also

have the discovery dictionary but that's not a core part that's more in the menu and basically there's the class here where you could implement each one of these functions now most of the tools we encounter and you know most things that are out there run on HTTP so we felt basically a sub place of some class integrator called HTTP integrator and what this allows you to do is basically capture request flow your favorite proxy like burp or something and really just extract variables from responses and replace them in your future requests so you can have an array of requests chains for each step and each step of the way let's say authentication if it's multi-step that will get one variable

from its first request use that in the next one until eventually get the auth token barrier there's a couple key variables that they see the product for Framework news to use like the next auth token and host and command result so as long as you make sure that you're extracting them you're going to be able to get that feed in the product and it's probably too small for you guys to see here but basically the way it works is you can see we're basically putting the request in as a string and then we're going ahead and we have different extracts of messages when the cookie extraction where bases the deep sessionid we also arbitrary extractions using regular expression

matching groups so you basically can set up sorry about that guys I guess my mic turned off so the is that better great so the the regular expressions are good for basically you can do arbitrary extractions from webpages places things that use APR you'll use your could use JSON but if you're hitting you can actually scrape pretty easily using these regular expressions additionally you can also pass custom functions to these extractions so let's say you know it's too complicated for me to use a regular expression and the built-in extractions using like cookies or headers they're not in there you can just create a enumeration extraction that's gonna take these three variables the response the host and the existing

variables and do whatever you want with it this is an example actually for another product where we're basically just pulling them out of JSON really easily that might be something we built in the future where it's just a list things in JSON we're gonna pull out but you can imagine you can use this to handle nested objects or xml pretty any much any arbitrary data Reddick's is would work for those potentially but it's gonna be bigger pain you can just create your own function and as long as that extraction is then in the config it's gonna know to run that and the framework will feed it the response host in other variables so this setup for the HP integrator

really allows most functionalities so we don't have any logic for branching but in most cases you're just doing a single path that tripwire config that we just ran through in that demo is probably around 15 to 16 request templates and again they're just running through extracting variables from the response creating a new request and replacing those variables in that request in order to get you know cross-site request forgery tokens in there or IDs that it needs to scrape from the site to hit the next step and eventually just returning an array of variable so if the framework uses to do its activity so modules are a class of the integrate integrator class and you can do whatever you want in

these modules in addition to sub classing for instance the HTTP integrator which itself is a subclass of the integrator class by default basically you just have some info in there when you knit it in the discovery cough this is really basic it's just looking for this but you can imagine you could have a more advanced regular expression for different version for different things and the discovery engines gonna look at the discovery coffin being new up horse to look for this product on and know what things to find in the page in order to identify it has that product great so we're gonna go now I mean obviously we just talked about kind of how to use these things to

you know PO in an enterprise but I think an important distinction for everyone to keep in mind when they walk away from this we're not saying like tripwire is vulnerable we're not saying these tools are vulnerable it's just you have to be careful in how you deploy them you have to be careful what your assumptions are when you're deploying your your security model right a lot of people now are realizing you Active Directory okay I need to keep that more isolated have separate domains for critical zones but you gotta under you have to understand that the security products that are managing your most critical host need to be treated basically the same way as those the most critical host because

once you get into those security products you get access to those critical systems as well so I'm gonna pass it off to Steve is gonna go through some of the pile of all hardening steps you can do so you know I Kevin was saying that you know you can take advantage of these tools but if they're harden properly it's gonna be a little more difficult and right now one of the things that our tool isn't have the ability to handle it is two-factor authentication but you know manually you can it's always gonna be a bypass for this time that kind of thing but hardening techniques would dictate that you should use multi factor authentication on in these tools that

can use it a lot of these now EDRs and next-gen AVS and stuff like that have the ability to implement multi-factor authentication inside them so we won't you know always say it's pretty good to use that it's you know will stop a lot you know a lot of people that don't know how to bypass probably stop them in their tracks and you know you could also trigger users that if you're on a red team that you know there's someone in your network trying to access say when you hear sensitive tools another thing also segmentation I mean these manage these management interfaces should be in a segmented zone that is difficult to get to not just you

know out there and the user net where everyone can just immediately access so you know you don't want to know what you people think of segmentation is like okay where's my sensitive data for my PCI zone where's so and so you know all the places where they slept is managed should also be thought of in that same way you know networks and domain levels as well don't share your 80 regular ad users with the manage the password to manage these tools like a previously just said have isolated network for these things hardened the environment should be as hard and as the servers are we recommend have jump boxes VPN you're pretty much your normal segmentation

techniques that you would implement in any enterprise should also be applied to these. And like I said as well, account segmentation: you know, you don't want to use the same creds for the management interfaces that you would for your Active Directory, given how easy it is to compromise Active Directory credentials. At the same time, you know, a lot of these environments will have LDAP configured with that. It's kind of, you know, I would say don't use that, but some people would probably say you should use that, so that's just my personal take. And then also harden your products as well: you know, deploy trusted SSL certs. You

know, if you get into the habit of just trusting an untrusted, self-signed SSL cert with a particular product, then, you know, an admin can just go to it, see that it's untrusted, yeah, whatever, and you could be man-in-the-middling the admin at that time, get his creds, and then just do this whole attack. So, you know, SSL certs, although some people sometimes think they're a little benign or not important, can be important in this situation. Use strong passwords; make sure it's up to date on patches, you know, in case someone finds a CVE in your tool; do all these things. Yep, so those are some high-level hardening recommendations, and really the ethos there is to make sure you're protecting

these systems as well as you are your endpoints. Now obviously a lot of you guys might be already doing that, but part of the reason we made this tool and are really talking about this is we've had a lot of success here, where these don't get as much focus as they need to, and there are situations where we can really leverage them to get into a lot of places and use them, somewhat ironically. There's also specific hardening for these tools themselves that we can go through now. Obviously we can't go through every tool in the world, but, you know, the three ones we're releasing as modules I wanted to touch upon and show how you guys could

harden these and what things you need to worry about with them. So with Tripwire we obviously showed that rule creation is gonna be really huge; you want to make sure you're monitoring that. If someone's changing the policies in Tripwire on, you know, what commands are being run, both rules and actions, which also can run execution, you need to be aware of that. So these changes really should only be happening during a change window, and if it's happening outside of that, you know, something might be going on and you can be alerted on that. Additionally, we talked about account segmentation and making sure that, you know, someone who has, let's say

you have two domain forests, someone who has domain admin on one low-trust forest can't log into a Tripwire instance that manages systems in a high-trust forest, right? Same idea in the tool: make sure you limit rule and action permissions. You don't need your internal audit team to be able to change rules or run commands on arbitrary hosts, right? So be careful when you give people access to these systems to not give them the keys to the kingdom. Splunk is the one of the first ones that we actually leveraged. The good thing about it, since it's a monitoring tool, is it's really good at monitoring; it keeps great audit logs. You really want to be looking at the

deployment server. In this case Splunk has a deployment server that can basically be used to send configurations down to other Splunk systems, which can include the forwarders that you're installing on your endpoints. Now those configurations can basically be like, hey, run this script every five minutes, so this is another tool that you can use in order to own endpoints. So you want to watch for that deployment server modification; you want to watch for new app installation, because if an app gets installed on your Splunk server, that basically can be running whatever code's in the app under the privileges of the Splunk server, and obviously it has permissions then to change the deployment server configuration to then

pwn your endpoints. So you want to make sure you're watching those, and again Splunk is great with this because it has great audit logs. One thing: don't make every user admin. Again, I know as a contractor I probably had admin to tons of Splunk instances, and, you know, using something like SECSMASH I could've basically had access to the most critical endpoints in all those environments. You probably wanna limit who you're giving admin to and closely monitor it, and when you can, just onboard users as regular users; you want them running searches, not editing deployment server configurations. You also want to make sure you run the forwarder as a low-level account. A lot of times you just

run the installation and it will install it under the SYSTEM user, which obviously is not good if an attacker is leveraging the deployment server to run exploits against those endpoints. If it's a low-level user that only has access to, say, the log files it needs and not the whole system, it's still not good, someone's getting code execution under a certain user context, but it's a lot better than getting code execution as SYSTEM. One more thing for Splunk: you also don't have to use the deployment server; that's not a core component of the Splunk platform. If you don't use that, there's really no way to leverage that in this case. There's a lot of existing processes and tools, right,

Ansible, Puppet, things like that, to manage deployments and manage configurations. You're probably better off using an existing hardened process, and again make sure that process is hardened as well and can't be leveraged. Carbon Black is another one of the tools we're gonna be integrating in this, and basically the way it works with Carbon Black is you can start a session with any endpoint in Carbon Black and basically run, again, arbitrary commands on a system, and those themselves don't really get logged in the standard Carbon Black areas. So if I'm running powershell.exe and spawning a shell, if I just did that in the command prompt on the system, Carbon Black will freak out; if I'm doing

it through Carbon Black there's a lot less alerts. Now you can still see that through monitoring, so you want to make sure you test that: run those commands and make sure you get some insight into how those are happening, and you have some eyes on that to see if attackers are in there. Also, the way this tool works is it opens sessions to those endpoints, and so if you're seeing a ton of closed sessions to the endpoints, that's probably not normal activity. Look at the commands that are being run on those sessions, it's being kept as a log, and see what was happening; you want to keep an eye on that. You also can disable the Go

Live server if not needed to avoid that functionality. So that was, you know, kind of a high level of the tool: again, just to leverage basically existing, really C2, infrastructure in environments during your red teams, and also to give back to the community and use your expertise in these tools to basically contribute to this modular framework. So the next step is we're gonna release this next week after summer camp is over, the alpha release. The module API may be somewhat subject to revision, so we might switch things around with requests and stuff like that if we find some things where it's really not working well, so just keep in mind if you are going to work on a module here, you

we may have to change some things, but we should have that, you know, hardened up pretty quickly here. We're launching with multiple modules to start with, so Tripwire, Splunk, Carbon Black Response and Google Rapid Response; those are going to be the four we start with. We're familiar with them so we can put them in there, but it should be relatively straightforward to add more modules, and again we're really looking for hopefully community involvement here. So with implementing modules, the amount of time it takes to implement them greatly varies; it can take hours to days. Carbon Black I think took us like two or three hours; Tripwire took like a week, it was just so crazy, like, how, you know, the

requests go back and forth. The real effort is getting access to these solutions for analysis, right? So a lot of times the first time we encounter some of these things is on pen tests, and of course we can manually leverage them and use them, but it's hard to build a repeatable module around it without access to that tool. So if you have that tool in your environment, or you have that tool in a lab, it'd be great to, you know, get your expertise on there and help out the community. Now, yeah, the one thing is, like, we were trying to contain that one because that one's just crazy in all the things that it can execute on

endpoints, but they're really doing it from afar. So yeah, also, as Kevin alluded to, we have kind of four main ones we're launching initially, but there's other ones that we're kind of eyeing as well that we're in the works of building out, so those should probably be coming shortly after we have our initial release. Yeah, you'll see those when they come out. Any questions? Yeah, I'm just curious if you guys have the capability, perhaps like through a layer 2 attack I get a cookie for an administrative workstation; do you have the capability to replay a cookie to authenticate to that and keep that session alive, and still keep kind of similar kind of things? My second

question, and I'm sorry to be a hog: have you guys considered or are interested in the use of abusing business continuity and backup disaster recovery products in such a way where you can run a command and run a backup but still kind of get the same kind of thing? I've used those as well, so I'm just curious if you guys are interested in that. So those are great questions and good comments as well. So for the first point, the modules are pretty arbitrary; if you want, you can basically set a variable to be the cookie variable and you could build a module around, you know, this cookie interception, and for the password you just set that cookie. Now we don't have

anything in the tool itself that makes it easy right now to basically have the tool mine that cookie itself, but if you're able to get that cookie and you had a module designed around using the cookie instead of the password, it should be pretty straightforward. Now I think, like you mentioned, it might be easy to just have the same module with an option for both; I think that'd be really cool to make it more flexible. At this point it doesn't, but that's part of the reason why the module API is still, we're saying, it might change, because there's a lot of things that we're still looking into and finding as we go along. And for the

second part, that's absolutely right. I mean, we started with security products because we're in the security industry, we've installed these products, we're familiar with them, but there's a lot of things out there that you could leverage for similar ends. Backup and recovery sounds like a great one; I don't have personal experience with that, but I could imagine, it sounds like you used that on engagements, and that could be a good one to even put in here. Other tools like Jenkins or DevOps tools are also, you know, prime; I know people probably leverage Jenkins a lot on pen testing because it hooks into so many things. Anywhere there's an opportunity to basically do that command and control

traffic, it doesn't have to be a specific security product, it's something that could be a good potential for this, or for just a strategy in general on your pen tests. Also, kind of going back to Kevin's first point, a lot of times during engagements, if they don't have their domain creds being used for these tools, what we like to do is just get their browser profile, download that, and take the information out of that. You usually will bypass 2FA with that, get the cookies out of that, and can use them. Our tool right now can use APIs and, I believe, session cookies, if I remember correctly, so if you, you know,

you didn't really see it, actually, probably didn't really see it on the demo, but you could; if you don't set a username it's going to default to thinking that's either an API key or a session cookie, so you can use that. Like I said, if you, you know, say on network analysis or detecting someone's browser profile, then you could get that information. But again, that would work out of the box, because the module is designed so that it places that password field in a specific area. So yeah, if you had a module that basically put that password in a cookie field instead, you'd put the cookie in there, but I think, you know, it'd be easy that basically an author

can fill that in, and then it goes to that if it sees that. So, yep, thanks. So both Splunk and Tripwire have some dangerous configuration settings, I think, that are normally on by default, often to make it easy to install new nodes and whatnot, or to manage and do remediation instead of just monitoring. So if you're willing to give up some of that capability you can tighten it down. Any thoughts about that, or about having your tool maybe suggest more secure configuration settings? Yeah, I mean, I think security by default is really important. I mean, we've seen this from, you know, Microsoft products, with people exploiting that forever, but it's not only Microsoft and Windows; these tools, like you said,

have similar, can have similar, insecure-by-default configurations. Now part of what we think is we obviously don't want to reduce the functionality, because part of what makes these tools so good and so useful for us is that power, right? I think what's important here, and what I hope you guys come away with, is it's not that the tools are bad or that there's problems with them, but that you need to make sure they're really protected, because they are basically one of your highest crown jewels. So I would say actually, no, keep that functionality on there; obviously if you don't need it, turn it off, but protect the tool itself and monitor it so you know if

it's compromised, and make it very difficult to compromise, and that way you can still leverage it to its fullest while avoiding, mitigating, you know, the chance or risk of something happening as much as you can. Safety profile; they might not hear me. I guess I'd like to have a maximum safety profile and a maximum capability profile, and maybe something reasonable in the middle, so, you know, two or three profiles of configuration settings that you could switch between. That would make things a lot easier than the current, you know, 500 options you have to figure out yourself.

So I think I have some experience with this as well, and I think the big thing is that vendors aren't putting out those minimums as far as permissions. No, we're not following that; if we followed that, that's gonna limit the impact of these things massively. And you go on the vendor sites and you can't find that; their recommendation is root, great, yeah, everything works. I hope this helps build pressure on the vendors to do that, to release those kinds of guides. Yeah, absolutely; you know, like Kevin was alluding to, we built this to kind of get the word out there, you know, make sure the vendors are not just kind of doing things

mildly; they're, you know, securing things well, you know, giving best practice guides for the people that they're selling these tools to. So yeah, definitely. Any other questions? Great, perfect, thank you guys. [Applause]