Simulation Hacking, the Good, Bad and the Ugly - Jacques van zijl

hi guys my name is jacques mansell i'm the national cyber defense specialist for microsoft in the canadian region okay today we're going to talk a little bit about and showcase you about simulation acting what is the good bad ugly about it can we utilize it is it something that we can use in the environment should we only use it or conduct it when you know we want to test something that is um not in a production environment or you know is there any any value in in doing it should we only get a real pen testing organization to do certain things okay so let me go and explain a little bit about what is simulation

but before i continue i just need to make sure everybody understand um i'm fully um i have autism so if i do say something i'm to offend you i do apologize in advance sometimes with my the way i communicate um i sometimes have no filter so um so i just want to let you know that i am autistic so um yeah let's let's let's keep going okay let's get back to it so i've been doing it for a number of years and we especially go and github we go and see what type of you know simulation programs are there and is available we play with them and we can sometimes see okay what software is

actually doing what it says it is and what software out there is trying to sell you a service okay and i will explain why that software is there okay so let's get right into it but before we understand what is simulation knocking we first need to go and have a little bit of a look how windows operate how the actual operating system operate um because that will really start to make sense once you get into certain things okay so what i'm going to do is i'm going to go down here and just explain a little bit here windows work in a complete isolation virtualization sandboxing okay so we you can kind of say we fake it okay

so you've got your applications on the one side you've got your windows platform you've got your kernel running and then obviously you've got on the right hand side you've got all the applications running which is it could be adobe it could be one rod windsor whatever it is doesn't we don't care what it's what it is and when you see that running you can sometimes see that um certain you know applications when you when you do the testing or when you want to do the hacking you don't get the results you're looking for okay now that's also because we have different bolts like remember when whenever we had built 1803 1809 and then we went to 1903 in 1909 and

then we went over to to um 2004 h2 build so every time there's a new build there's a new functionality or isolation we basically built in there okay so you have to keep that in mind every time we do have a new bolt you might find something has changed dramatically okay the hack that you tested or did work or let's say for instance build 1909 works or you put a certain functionality into it and then suddenly you update your machines to 2004 and um defender completely stopped a particular hacking from happening and and that's what we as microsoft are doing we keep involving the os okay we we we get about eight trillion signals a

day in all our data centers around the world and when we get that signals we need to really go deep into it to see what it is what is the changing functionality there once we found out what that is we will then rebuild it and repackage it and there will be changes okay obviously there's a big system that goes in the back end where we test it through a number of months before we just send it out to enterprise um but it's clearly state that microsoft has made a commitment to protect you against um you know those mitigations okay so as you understand how the isolation is working this particular format that i show you

has been there for quite some time however we basically fake everything in the back end okay so let's what do you mean by faking it in the back end okay so let's have a look if you look at dynamic general imaging okay and if you run windows just as normal vanilla and um and you've got your host files like your alsace and you know um any dll files and so forth the green means that is our actual file let's say that the style says file okay and the outsides we required in multiple software that you're running um let's say like a sub program or you know dynamics or whatever like that even if it's a third party program

we will actually create the host file and we'll make those file two three and four so that will mean it's linked to a certain file okay it's not the actual file so sometimes when i think they hook into a actual file or to get that particular passwords they're actually hooking into a dummy file okay so that password it's not there okay but it's a little bit of a if as well okay it also depends on the third party organization or the organization that build it what um is actually allowing it to do okay and that's where we can start start talking a little bit about you know your e3 type of licensing where it is using a

different method to protect and to stop but we'll get there okay then you will see in our smart memory you will see we used to have let's say food or dll and we had two physical ones okay so we've got the physically we've got a traditional vm1 and we had the actual host version in 2000 um mall 2004 what we actually did was is we um build it in so now the full dll is actually there but it is both of them in one file so the file and the actual fake and the sandboxing mode is there so when a hacker is trying to write a code now is he getting the right information or

are we actually giving him information which is in the sandbox environment okay that's a little bit of a secret source where we don't gonna go we we're not gonna really wrap dip into it because that's kind of how we differentiate from our competitors one thing that we have that nobody else have in the world is we have windows it's our operating system we understand how it works we understand how our security works in it and we built our um threat protection and our big um security play around the os okay that will be for obviously for your endpoint and that will be for server as well okay so and obviously when you're connecting to azure

okay okay so now that we have a little bit of a wrap how it basically look likes and how you know windows operate from here on we can go slightly a little deeper and talk a little bit about what simulation hacking is out there now i'm going to pop up a few websites we can go and have a look into some organizations that i basically use and why i use them and then um i will i will and we'll conduct a few hacks one or two hacks and then let's go and see what happens okay um also something that i want to just mention here um in this particular uh system we also built an operating

system very much like the miter attack framework system so if something happens we can let you know exactly where that hack is happening okay so um if you have an attacker that's busy you know doing the initial access the code execution cadential theft in the back in the operating system is kind of built just to stop you know that mitigations if you run defender of our security platform our edr platform it's going to basically stop stop the attacks okay from happening but it's also going to tell you how it's working okay purely because we have a very big global presence um in in in the cloud cloud form and that's why we can do it

you must understand here the scale we're talking about yeah we have 140 they keep on up getting more but we've got about 140 data centers around the world that is millions and of processing power available so if we found something okay it's a new code it instantly goes into that pool and it gets running in a sandbox mode and we can see what's in that code that it should not be in and actually help you so what will happen it it will create the file um and when we generate that file let's say it's a simulation that can file order file it'll take that file we'll send it up you'll get the information we send it back again and

you get your result okay and that's basically how we do our things and that's why it's so quick and fast okay now where does this play in the simulation world when you play with simulation hacking you have to be very careful what you do and what is the outcome sit down with your team and conduct what you want to do okay and you need to go and sit down and say what do we want to test okay because you can run into so much different avenues when you start playing around where it's not making sense um sometimes if you get your your answer and you might maybe get to the answer you're looking for okay

when you sit down with your team make sure it's very clear you want to do and focus on one thing so let's say for instance that's going to go and focus on credentials can we get credentials from our machines okay can we get it by dumping it can we get it by maybe doing you know extraction of it now when you start to play with like many cats and stuff like that almost any program will catch it even if you start to play around of invoke with mummy cats like invoke means is when you almost use a program that's running in memory and then you use memory caps to pull a certain file out or the you know password file out and

then you can use it to you know to get the actual password to come now this is where your operating system is playing a very big role if you're going to play around with um we're going to play with that with credential [Music] harvesting you need to make sure that you're licensed or let your your under layer is enabled which is credential god you're one credential to be enabled otherwise this is not going to work okay you might check it out and do your simulation acting or get a hacker to do certain things and then uh which you obviously asked to do um then they will get sometimes the password it because the the the trend if

credential guide is not enabled it means your password is not going into the tpm processor okay so let's just have a little bit of a look what i'm talking about so we're not going to have a look into our system and we go over here and we're looking at credential god [Music] i'll just find the spelling there okay so basically credential guide as in windows defender as a tool that um enables virtualization okay so the tool goes in it sits in a in a memory and it sits in a tpm processor and once you type in your passwords it will inject into that password system so if you actually go into your windows system and you type in create manager

you will see there's two different uh credentials there okay let me just make it a bit more clear more clean okay so you'll see this window uh web credentials and it is windows credentials okay your web credentials you will see websites okay so every time you go into a website you type in a password your information is going to be recorded over here if you if you obviously if you run it on edge okay different when you run it on chrome or firefox and so forth they keep it in their own double vault okay windows credentials is separate okay from the web um physically you know an operating system so what you will see here is if i lo if

i log into accounts and stuff like that it will actually go in and um take that code and protect against it okay and that's what you want to look in for you want to lock that grinder credentials into the tpm processor because you don't want them to actually or any hacker to retrieve that information and that's very key here okay this is your e3 license from a microsoft perspective my windows enterprise okay and you want to basically go and check that that functionality is enabled because if you're going to go and play around in the my top framework and you're going to play around by trying to grab the password or in you know extract the password

if it happens then it means it's not enabled if it doesn't happen and the password says sorry you cannot access it you know then you kind of know that you are protected against it another way just to check if you actually have it enabled you can go in and type and run and then type in mx oh sorry ms info ms info 32 which will bring up your your your system system state i'll just bring this across for you so as you see in the system state what you want to look is you've under the ottoman values you're basically going to check from a dma downwards okay what is enabled here because that is going to give you a

pretty clear picture of what your it has developed and enabled so as you can see over here credential god is running on a virtualized base server is running and we're running it in the security is configured for credential guard okay we're not going to go into the rest of all of these functionalities over here because then we're going slightly it's all part of um simulation hacking but we only have so many you know so we only have so many times so i just want to focus on one thing for now so once these are enabled and it's running you can then go in and then trying to conduct a hack and see if it is enabled so what we're going to do

is we're going to go into another machine we're going to go and check if cadential code is running if it's not running we're going to um actually enable it we're going to run it um and get it to work and then we're going to do the credential hack and then you will see what i'm trying to say about it okay so let's move over to more of a demo okay i don't really like doing um presentations it's pretty boring for me but um we all need to do it sometimes right okay i just want to connect to the system

okay there we go okay so let's go and have a look in our system this is a physical machine that's running let's go and have a look um if you type in run it type in info 32 sorry mse 32 what do we actually see okay

okay we do secret danger card is turned on however we don't see credential card is enforced so there's only one running we want to go a little bit more deeper into the credential system okay so if you enable it by running a gpu policy or you know running in tune there's another way to make sure let's definitely do run it and you know something is not working um you want to make sure um you can get it to work you can actually go and do this go here type in um it's called uh [Music] d g that's great and show god dg toolkit i think it was 9.4 it's the latest one i think yeah there we go all right there we go

yeah there we go dg readiness okay so obviously that's going to be in our system so we click over here double click there just extract that extract all of it what i like to do is i like to just take that and copy it to my c drive just makes things a little bit more cleaner and clearer there we go now we want to do is we want to navigate to that system okay so you want to run uh dg and then what you want to do is you can just run it clear like plaintext and you can say run and it's going to basically tell you what is your system capable what is it actually running at

the moment so this will give you a little bit of a of a tool to also see do you want to enable hvci do you want to enable credential guard and so forth okay so once you go in and you say i want to basically go in i want to say if the system is capable of running it so you will press that restart it says capable run it say run and there we go and basically it's going to do it it's going to run and it's going to write stuff into the tpm processor okay other variants that you require for your system to take effect now it's going to say rebooting system now soon if i'm going to reboot the system

obviously we won't be able to you know go further it's going to take about a minute or two so i'm not going to reboot it however what we're going to do is i'm trying to just show you is once you go and do a hack you need to make sure that you prep it correctly okay a simulation each section of your mitre attack framework requires maybe something like this to do okay and that's what you need to go and check out because sometimes what this there's a lot of fake programs out there that just run stuff and they say uh we've just run you know 20 tests on your machine and technically with the software that

you've enabled or the security gear if enabled we bypassed 17 of them and i need you and you caught three of them okay and then when you actually go and look into the system things doesn't make sense right um so that's what we see a lot okay so if you go hands-on into a certain thing you want to make sure that your team and yourself are following the right steps to get to that particular system make sure you read the documentation what what you need what you require to do like for instance this is credentials everything to credentials we need to make sure that we're protecting everything about credentials this is the underlayer of the

operating system okay sometimes if you do actually run if you have a high bolt like a bull 2004 in windows and you run and you don't have this enabled sometimes when you run a certain program or a hack it will actually stop it it also depends how you penetrate that software or how you penetrate that particular system if you're going to run mimikat we're going to catch you but if you maybe run invoke mummy cats in another software back indoor we might not get you okay but then you need to go and check why and this is the why why is it or not in it so you want to enable it in this way

so if everything that's password protected is in your tpm processor that's the kia okay it's almost like having mfa okay okay so now that we've run that which is fantastic let's go and have a little bit of a deeper section now let's go and have a look into what type of software can we use to conduct you know um hacking or simulation hacking okay so a tool i love using um github is a atomic red canary atomic red canary is um so i'm kind of i won't say yeah you get yourself citified on it when you run it so atomic great canary is a company that is but basically run everything in the micro attack framework okay they've got

all the instructions that you require the framework they are running everything is in here so you can just go in install it and make sure there's a few things you need to do for atomic red canary to actually work perfectly okay first you want to do is before you even you know start want to run this is make sure your software will not stop it okay because it's going to install if i'm a a bunch of files that looks like it's going to you know infect your machine so there's this the actual direct the atomic rate uh red team and if you go into it and you go into atomic there's all the files all the

all that might attack at uh t one zero three seven you know we're gonna run t uh t one zero zero three we just for credentials but you see they've got every little thing you require to test your system okay and then and each one of them requires something so that's what i'm gonna show you guys as well okay so once you install it and you run it one thing you want to make sure is you want to set your um your system so it actually can get it so you want to go set execution policy to unrestrict it uh don't run force because then it's obviously gonna um if you're gonna run force look at my spelling there

force then everything you can run in this machine later stadium unless this is a like a dim environment you're going to throw it away you can do it you want to set your execution policy then second you want to do is you want to then go in install the software and make sure it's working perfectly you'll see it will run the scrubs everything is working then you can start to learn their language of how they use the program okay so once that is all set and sorted you probably can run a little bit into problems with the fender if you run it or if you run your own program so if we run the fender

just make sure you go into security you go into your section over here you go down to um managed files and you go into add exclusions and you would like to add the actual atomic red team folder in there the exclusion it means it's not if the hacker is actually on you know running on on the system but remember your security or edr system whatever you're running to protect you is also running on the system so in my case i'm running um our mde um through protection so in our case what i had to do was uh to go in actually go in my system go down to uh where was this now autumn folder

exclusions and actually put it in as well that's atomic great canary so it will say everything that's running and seeing or atomic reconnect just allow it to run and the other program i'm actually using is purple sharp and i will get to that a little bit later because they're two different systems they're two different ways of simulation arching atomic grid canary you run from the system using certain xml files purple sharp use basically the net framework which is a different way sometimes you can get the same result but you want to do it in different ways right using a software or using xml file it depends what you want to do okay so once you've got that set um

let's um let's see how actually atomic red canary works or how this hack will basically conduct okay so first of all you want to speak to your team to say listen we're going to run this on the machine so record the name of the machine maybe they'd say it's a security process one or you know um security test one machine image or whatever you're running and as they if they get alerts coming in they you know want to know that you are doing that alert so send the email out make sure everything is done you don't want anything to be weaponized keep on well keep keep in mind sorry sometimes when you run software on your system there is ways that

hackers can get into that software and actually weaponize it okay i'm not saying it happens all the time or what happens with this software we have seen it so just be careful when you run it and you conduct a security that when you're done you turn off that particular machine that's got that software running and when your machine is back again and you do your your work and you've got your team and everybody's on that's on go mode then um that is all done and set okay so just keep that in mind okay so uh let's run it so if you install um atomic red canary you're going to run invoke and you're going to run invoke

atomic test okay then we're going to say t1003 uh listed and we want to actually see [Music] if there's more details okay so let's go into that and let's say show me a brief go so in this particular one there's two ways we can do this we can use gsc dump to gain information or we can do credential nothing with npp spy okay i want to check if actually 005 if we're not mistaken zero five is it in different version i could be wrong here that's it show yeah yeah yeah it's three okay sorry okay there we go let me say three details okay so now we want to go and test the system but before we even get there

okay this is that little disclaimer i said make sure your system actually have the software to test it so what you want to do is you want to basically go there and then you want to say show show brief show briefcase one and two okay now what you do is you go to the back over here [Music] and you want to say then you say um test number two space enter okay and then if you want to know what that what you're actually going to test this you can just say show details it's going to save from the top there okay so beginning test right in the top so it's credentialed is the conditional dumping and it says number two

and that's going to say the test gu id and this is what it's gonna say description change provider auto registry key parameters and creates key for the nsp after using login clear text password saved in c npp spy.txt clean update it deletes the files and university changes and it's going to pull information in from the web okay then it's going to use the powershell so this is a powershell x that's going to execute it and then it's going to run it in the destination folders and you can actually see the changing paths there so it gives you a little bit of a clear way of what they're going to do and then they're going to run a cleanup command

afterwards and then [Music] if that arc happens you will get you'll probably see it in this the sealant in bpy spy.txt okay right so let's see the output file is going to be in temp but the allow okay cool now also what you want to do is you want to see if you've got actually the dependencies so you want to then go into the back and then you want to basically say this and you want to say check requisites and it's going to go and check and it's going to say okay must be available to your local team directory try installing it by get so so we don't have it so it tells us they get to try to get it but dash

get freak it's gonna go and it's gonna actually there we go it goes and it downloads it and let's see let's run it again there we go so technically speaking now this is all set up and ready for us to do the hacking okay so now what we want to do is we say we're going to run number two and we say go for it there it goes and it's please log out log back in contacts password from this account is going to be located and in expire okay so let's log out and let's for this machine lock out [Music] and then we lock back in again

and if that okay so there you go in the air you're going to c drive and there you go didn't work so the file isn't there actually what is that rpc settings maybe it's that far let's have a look no okay so the hack didn't work okay because there is no foul so that's kind of how we can actually see because it says here please log in log out back in again and then it says on the bottom here it's going to be an impressive txt so that doesn't work but why didn't it work so let's go and actually have a look it's it's it's all while we because but we have to go and have a look

why didn't this work

ah there we go

okay so our edr system has actually detected it and it's basically killing it okay so that's why it didn't work so if we're going to go into automatic investigation um we will see it's actually running at the moment so it's actually doing the investigation at the moment okay the clear log files okay so hence it wasn't working okay so it's running um investigation on this particular file on the particular hack that we've done so that means we actually detected it and we stopped it okay so that is something that we want to see in our environment right you know incidents and stuff like that so it could actually see there's some um yeah there'd be a suspicious file

incident on the endpoint okay so the good thing is we've stopped it we stopped the hack from happening so let's do a recap we we checked our windows were working we didn't say is simulation uh we want to do a simulation arcing can it work in our environment did we do the due diligence to actually go and check that we um install and run for instance credential guard making sure that our system is prep to stop it and like the blue team and then number three um number four sorry let's run the actual hack and see if we can stop it okay if we saw an npp spy.txt file obviously what we've run but didn't detect it okay and that's

when it's actually there don't think it is sometimes um a bad thing if if it's actually mpp spider txt what you need you can find out is why you can't detect it okay now we detected it and we stopped it if that file was still there we have to go back again and check our security did we check the underlayer that we check if the credential got was enabled correctly or is the program or security program that we're currently running a third-party program we're running can it actually do that can it actually detect stuff like this okay there's a lot of different versions of this actually that you can run i just run this particular one but this

i mean you can run i don't i i deliberately didn't want to run something like mummy cats because almost everybody can detect mummy cats i wanted to run something a little bit differently okay so guys this is just one of the might attack framework okay there is literally hundreds and hundreds that you can go and test in a micro attack framework okay and you can you can see exactly how a hacker's been conducting so if you want to follow a specific hack for instance doing a spear phishing email link going through all them trying you know do a blue blue team red team exercise i i think there's a huge potential for simulation hacking and companies in the red team that can

grade a red team in a company that can actually do this okay we don't always need to get you know a hacking company in to do it you can actually do it internally if you do it correctly and you understand it correctly and you follow you know to follow the guidelines and stuff like that um you can you can really do this you know correctly be careful using kali linux okay and i'm gonna tell you why in a nutshell anything that you run with kali linux is open source okay one two if it doesn't work in a production system and you actually test against that system the chances of it breaking it or break that server or

whatever you're testing is pretty big remember it's trying to hack it's trying to grab information or creating a full process or something like that to gain access or doing something okay it doesn't care if it's actually breaking a system or not when you run something like mummy cats for instance um a lot of software will actually grab it but it's kind of a straightforward way of well i say straightforward way but you understand what i'm meaning a straightforward way of doing it um if you run the atomic rate canary for instance there is ways that you can run in this and there's obviously you're gonna get help right you can reach out to a team

and say hey guys this is a big community i've done x y and z and what can i do to help when you run kali linux you you completely basically on your own and people are kind of asking me always should i go and do my hacking you know ch and all that kind of things like that to kind of run it ch is not going to learn you how to hack it just tells you what is hacking you want to go a little bit deep like two to three levels deeper in it in the end of the day it comes down to experience you can have all the certifications out in the world but it comes down to

experience and hours and hours and hours of testing and playing and see where it comes in it's one thing to hacked another thing to protect okay so this is what i think is what what you can use this is definitely looking into simulation software be careful what software you're using out there there's a whole lot of software that is just um [Music] like selling trying to sell you a service um be careful for those reach out talk to people reach out to the community reach out to myself if you want to on linkedin javantel on linkedin um and i will um guide you and see what i can help obviously if my time permits guys my name is jacques vintel i'm the

national cyber defense specialist for microsoft in the canadian sup it was an honor to do this event with you guys i hope it was informative you learn something and you know always try to detect protect and respond keep safe out there and have a good day cheers