
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success.

Hi, my name is Ken Jenkins. We're going to have a talk today about security control validation using threat-behavior-based emulations. This talk is a bit more focused for blue teamers, but I think the red teamers in the room could take a little bit away from this. What we've kind of done is, instead of full-spectrum red teaming, we break it down into very small chunks, and the focus of today's talk is on traffic, so iterating through different types of C2. As I said, my name's Ken Jenkins. I've been at IronNet for about two and a half years; I lead the red team there. Prior to that I was on a DoD red team, blue team, hunt team, worked in a big SOC, and prior to that was network systems engineering. I retired about two and a half years ago from active duty.

Hi, I'm Stuart McMurray. I'm a little confused about mics and how they work. No, I'm Stu McMurray. I'm a red team operator and developer at IronNet. I focus mostly on Unix operations. Before this I was at a Fortune 500 red team, and before that I was an officer in the Navy.

So, big shout-out to Greg Conti. He's one of our mentors; he's senior strategist at our company. He leads a lot of talks; I think he's been at Black Hat every year for, I don't know, forever. Good guy to follow on Twitter as well.

So, disclaimer. You see a lot of these at the talks; this one right here is no different. The big, big thing is, you know, consult with someone before you start doing any of these activities, and obviously we're not here to preach about our company's policy and disclaimers.

Here's kind of an outline we'll follow. We'll address the problem that we see with a lot of red teams: they jump into a network, they do their thing, they give their out-brief, maybe their hot wash, and then they jump to the report, and that's about it. Every now and then there's some follow-on. We'll talk about how threat emulation helps your environment; you don't have to be a red teamer to do threat emulation in your environment, and we'll talk a little bit more about that. Then, bad days matter. Every time we show up to a customer's, excuse me, a client's environment, something goes wrong, no matter how much you plan for it. We'll discuss a Fortune 100 engagement that we had recently, and Stu will jump into some of the coding, the emulators we have, and tools, and then we'll close it up with some lessons learned.

So what's the problem? You know, our enterprise environments
have gotten so big. The complexity is crazy, defense-in-depth is pretty deep, and then it's distributed: how it's managed between the IT team, the governance, risk and compliance team, the CISO's team, the hunt team that's providing overwatch in the SOC. So there's a lot of ownership there, and there can be misconfigurations along the way. So we definitely want to not make assumptions about whether something's configured correctly, and we want to test the security controls.

So what is emulation? To address that last slide, emulation is more to kind of counter those problems, so you're not waiting until a bad day has occurred and your first breach in your organization has happened. Instead you'd rather exercise that a few times. We see a lot of organizations doing tabletop exercises, where they rehearse what they will do if it happens, but they don't actually rehearse what happens, hands on keyboard, prior to it happening. So it's good to conduct some emulations, and like I said, we're going to break out very specific things we do from some of the red teaming that we do.

So what are the uses of current cyber threat emulation? Mainly it's to test security controls, endpoint to internet, but it's also people, process, technology. And then, as I mentioned a moment ago, you want to exercise that incident response plan, but you don't want to just exercise it on paper or in a sandbox. One that we've been working on a bit is testing sensors and network protocols. A lot of our clients' environments have these huge Gigamon spanning and tapping infrastructures, and a lot of times that's not tuned effectively for the IPSes and IDSes, so we're going to go into that a bit and show you some of the gaps that we've discovered. No matter how many tools you continue to deploy in your environment, you're always going to find that something's not deployed exactly as you thought it was. If you're in the government, maybe you're following STIGs, but someone somewhere responsible didn't configure something correctly, or it was an oversight, or there was a drive-by fielding, whatever it may be. Another thing we also work on is validating your vendors' claims. A fancy vendor comes in with their box, their appliance; their super sexy sales engineer comes in and starts demoing the product, and you're wowed by it, and you move to purchase. Does it really work? What we do here is we kind of show off how our behavior analytics work. Next, it generates artifacts; specifically it
generates pcap and a bunch of log files, and you can give that to your hunt teams to use for those IR exercises, for training and testing.

So how is it currently being done? Generally, you negotiate with, I'd say, the client reaches out to you, and you go through the contract, you come up with your objectives. It's all about the customer's objectives, right, not just what the red team wants to do and what they can get away with. Generally red teams take the path of least resistance: normally phish your way in, or get some kind of assumed-breach access, and then from there on you start conducting ops. Usually C2 is a given. I was at a class a couple weeks ago at DerbyCon, and some of the red teams there say, hey, we have a hard customer, so we just domain front. That's just a given when we go in: we domain front from the start, at the beginning, and we don't really worry about C2. We're really worried about keeping our access and seeing what we can do on endpoints and servers. So, not really iterating through. And what is within the C2? Usually it's beaconing, or some kind of tunneling over DNS, exfil over DNS, but definitely not iterating. What I mean about iterating is: beaconing intervals, the different jitter intervals; are you switching domains every other callback, or are you using different types of DNS tunneling, or your subdomain labels, the queries, are they a certain size, are you changing that up, or are you just sticking with what's publicly available, that's been signaturized? And then, generally, we do it as well: we buy a good-reputation domain, maybe off ExpiredDomains.net, and then we kind of park it; we have a static site up that keeps the reputation building. Before we go to a customer engagement, we may go and check to see what the reputation looks like now. We try to discover what that customer's proxy is before we get there and see if our domains are categorized correctly, but then we live off of those one or two domains that we use while we're in the environment. A lot of red teams have the short- and long-haul comms; they probably have some kind of DNS beacon for long-haul comms, and then for short-haul comms they're probably using some type of beaconing, but they generally don't iterate off of that or use different intervals, except when they go interactive.

So, exercising endpoint only. There's a lot of talks going on about how to privilege escalate, or bypass AppLocker, different EDR solutions. We've got one of the celebrities in the conference room, bohops, sitting in the front row; he's got a really good blog going on, exercising endpoints. But we're not really stressing the network. The network's kind of a given for red teams: if network segmentation isn't quite right and the proxies aren't tuned correctly, generally you just go right in and out of the network. Often the defenders, CISOs, whatever it may be, don't work directly with the red teams. Maybe it's just a pro services engagement: you come in, you hand the objectives over to the red team, you agree upon it, and then you start exercising that. But afterwards, long-term, iterating through training with the SOC or the other defenders really doesn't happen a lot, so I kind of touched on the next bullet, a lack of training afterwards. I don't think you should leave an environment with some tool you used in there or some technique that you're not sharing with them and saying, hey, we might want to go look at this. Maybe you don't turn it over completely. And then I don't think we've talked to a red team lately that does anything with domain generation algorithms, so we like to test this in environments. So DGA, domain generation algorithm: it's an algorithm that creates a whole bunch of queries, and the malware developer at one point in time has registered a domain that he knows that algorithm will query out to; it will create a query out to that domain, and then it has command and control, C2 rendezvous. So we like to iterate through different types of DGA during our engagements.

All right, well, the red teamers in here, you're like, yeah, thanks. Planning: you definitely have got to plan. Some of the things we realize is sometimes we were too real with our CTE, and it doesn't benefit the defenders if they can't catch it; are they just not aware of those techniques? Other times it's perceived as not real enough, so you've got to find a healthy balance there for the SOC team to really feel like they got something out of it. And then, not to be negative here, the SOC may or may not care. It may be an MSSP, it may be a contracted, excuse me, a contracted SOC team that doesn't belong to that organization, or they're just being pummeled with tickets and alert triage, so they just can't participate in any engagement; they're just waiting for the aftermath of the engagement. Another
thing is, sometimes use malware. You want to use malware; it instills confidence in the client that you're working with. So we have defanged malware that we use, so we're building these emulations based off of intel reporting that has occurred. One thing you don't want to do in these engagements is focus on the minutiae: my security controls will detect within this beacon interval, and with this amount of jitter, and this amount of subdomain label queries. And bike-shedding, this is one Stu kind of turned me on to with developers: you're buying a mansion, but you're worried about the color of the bike shed that's being built next to it. That's not really what the goal of this is; you're trying to focus on the little things and see how your security controls work.

So, avoiding the bad days. We've all had them; no matter how well you plan, you're still going to have them. So we definitely run everything prior to an engagement. We have a pretty robust testing infrastructure; we also are contracted with a company called SimSpace, which provides us a really nice training environment. So we detonate everything before we go to a customer's site; we kind of know what security controls, how they'll react, we know what our stuff looks like on the wire before we go, and we try to keep it as simple as possible, but at the end of the day we're still trying to emulate characteristics of advanced threats. Clear written scope of testing: oftentimes you can go in and do something very complex and it's kind of out of bounds, so we separate this from full-spectrum red teaming. And then communicating your infrastructure ahead of time, telling your customers, your clients, what exactly your infrastructure looks like, where their data is going, how it's encrypted at rest and in transit, especially if you're doing any type of exfil. Communicating that ahead of time has really paid dividends for us; it's pretty wide open when you're talking to a particular client on this. And then having everyone know what's going on. We see that some of the responsibilities of securing the enterprise are so distributed for large Fortune 500s, Fortune 100s, so it's good to try to bring everyone in to kind of know what's going on. We ran into one environment where the proxy was not controlled at all by the SOC, or even under the CISO; it was under the IT team, and it took days to manipulate that proxy if you needed to whitelist something, so that was very difficult to deal with. One thing we do, I didn't bring it up in the slide deck, but we track everything: we have source, destination, we have the technique we're testing, we have remarks that we leave behind, and we provide that to the client. It's basically an entire list of IOCs they get, based off the traffic that we've generated in their environment.

So for planning, our goal here isn't to test every single security control; it's to test a very specific technique, or, with the rise of behavioral analytics, to focus on a particular analytic, just to say you have that analytic, beaconing or domain generation algorithm or any kind of C2 over DNS; have you tried it? I know most SOCs don't really have the ability to try all those things; they probably have to rely on a red team, and most red teams are using pre-canned tools. Every now and then some of the really advanced ones develop their own, but a lot of those tools don't get brought to every engagement, like I said, path of least resistance again. We mentioned the appropriate personnel being informed, and then we generally have a menu of items that we know we're going to emulate before we arrive. We know exactly what tool we're going to use; we generally provide the client a list of emulations we'll run at specific times, from in-brief all the way to out-brief and final report, and then we tell them why we're going to use it. If we have a certain emulation, as it's been developed, we generally try to map it back to a known threat, so we're not just coming in here to show off that we can code or that we can create emulations. It's more like, hey, this is realistic: APT such-and-such used this, APT such-and-such used that, and if you can't detect these, you're probably not going to detect other threats. And then, obviously, written permission. This kind of goes without saying, but I've seen, going into engagements, where the right person wasn't involved from start to finish, and then they show up when you show up. That's just something you have to work through when it occurs, but if you kind of understand their org chart before you go, it is very helpful.

So, gotchas. We've always had gotchas. We generally look across different AV and proxy vendors and say, hey, how are our domains categorized, what is the threat, what does the reputation of our domains look like? We query
DomainTools for all our domains, and we constantly try to have them parked, you know, whether they're truly parked or not. And having a plan B that's actually been tested; I'll discuss that here in a moment. The other thing is, don't leave your devs out of reach. Fortunately for me, I have a really good dev, a couple of really good devs, on the team, so they're never really left out. Next is make platform-agnostic tools. We agree upon a lot of things in statements of work with clients, but when you get there you may get handed a different OS; maybe it's Linux, maybe it's a VM you brought with you, maybe it's your own machine, maybe it's a victim they identified for you. So we try to make platform-agnostic tools.

So I was talking about a Fortune 100 earlier. This organization is a large pharmaceutical; they had every security product that you can imagine, several EDR solutions on the endpoint, they had a managed service provider providing overwatch who was pretty sophisticated, they had a fusion cell, they had a SOC, and then they had a security team within their IT team, which is pretty interesting, and they pretty much all participated in the exercise. So we agreed, we deployed them a VM, because they said absolutely not, you're not bringing in your laptops; that bypasses all of our policies and that's a huge violation. But they would take a VM, so we packaged up a VM, had our framework on it, we sent it forward, deployed it in their hypervisor, they gave us SSH access to it, and then the victim they provided us, they gave us RDP access to that victim. So that was pretty interesting, pushing tools over to it. We quickly started to run our tools off the victim they provided us, but we continuously had to change up our infrastructure to match what was going on. This one in particular was interesting: they had a pretty locked-down proxy, but, like, .ml and .ga top-level domains, where we registered them on site that morning just to have spares, those actually worked. Some of the more secure ones, the ones that had the reputation, actually didn't work. So what I'm seeing is, if your domain has got a good reputation, generally it gets out; if your domain's uncategorized, maybe, maybe not. For the red teams, I'm sure it's pretty obvious, but you definitely want to look across that before you show up, with their proxies. One thing we noticed here as well: there was some DNS round-robin in their network, so every time a query from our C2 over DNS would go out, about every fifth query would go to a different DNS server internally, which, for the defenders in the room, think about the complexity of that. We're trying to use a signaturized tool or some kind of behavioral analytics; that means you're likely only seeing every fourth or fifth query, or one in five queries, maybe. So they had to retune their Gigamon infrastructure to test that, but no one in their organization was really looking at that, so you could exfil over DNS all day long and it wasn't a problem, and for the tools they had internally that would catch that, there just weren't enough network artifacts to trigger anything they had in their environment. Also, if your spanning and tapping infrastructure is saturated, or there's filtering going on, if you're not catching, say, a beacon that's going every ten minutes for an hour, that's six beacons inter-arrival in an hour; if you had a bit of sampling or saturation in the environment, you might get three or four or five of those beacons, so not enough to trigger an analytic, maybe not enough to trigger a sensor. They also relied heavily on IDS and IPS signatures, and other than that, traffic-wise, that was it. So it didn't get caught on the endpoint, the proxy didn't catch it, and it went out the front door.

So I'm going to kick it over to Stu for the majority of the rest of the talk to kind of go into how we do these emulations. Stu primarily codes most of our emulations, along with the rest of the team, and he's got some pretty interesting things he'll share with you, so I'll kick it over to him real quick.
Thank you, sir. Hi, I'm Stuart McMurray. I got all the emulations, so I'll talk about what exactly we mean when we say we run an emulation in a client environment, and furthermore how the blue guys can run them without having to involve a red team, pay for a red team. So what do you mean by an emulation? Well, it's a thing that does a thing. Usually it's a program; it could be a script, sometimes just a command. We'll see a couple of those that we've run. The idea is it does something hacker-ish; it makes some, usually network, but no reason we couldn't do endpoint stuff, and we have as well, something that is meant to trigger an alert or test the bounds of a sensor or an EDR solution or whatnot. So, broadly speaking, that's what we call an emulation. They tend to be malware-ish. A lot of what we use could, with minor tweaking, be used to actually have C2 or actually do exfil, but there's no need to introduce risk. We're not trying to prove, yeah, we can get comms all the way in and out; we're trying to say, hey, where does our emulation, excuse me, where does our tool stop, where does EDR stop alerting and start saying, yeah, that's probably all right. And then these are generally much smaller in scope. So when I write these, I write them thinking, okay, I'm going to do one thing, I'll put it on a box, it'll run, and I'll get a result. I'm not thinking, okay, I've got to deploy this everywhere, I need to be able to pass a shell to that guy. So it's very, very small in scope. Also cheaper than red teaming. We found these are actually pretty good from a science point of view, from a hey, let's do some security research, so not only can we use them red or blue side, we can say, hey, I'm testing this neat theory, I want to see, I found a workaround for this thing, so it makes a good one.

First, they have to work. If they don't work, you don't get very far from that. And then they have to work without help from IT. Ken was mentioning the one time we tried to deploy a VM: we did deploy the VM, and then IT was like, yeah, and you actually have to go through this Windows endpoint to get to the VM, and you've got to Citrix yourself to the Windows endpoint to get to the VM, and that really isn't what we need. So, make them work without IT's help. That also means make sure your domains don't need whitelisting; or maybe they do, maybe that's what you're testing, but generally the simpler the better. Also, they don't trip unintended defenses. If you're testing, hey, do we see something that makes really long DNS queries, you write it, you put it on the box, AV flags it, quarantines the box; maybe done that before. You test your goal, you test that something works; you're not testing whether or not the one defensive tool you're trying to work with works. It's kind of alluded to, when we went to that one pharmaceutical company: you don't necessarily know what sort of targets you're going to run these on, what sort of endpoints. We found when we get on site, the people in the planning meetings were not necessarily the people who ought to have been in the planning meetings, and so, like, no, you can't do that, who let you do that, here's this one box you get, it's really old, hope you have something that works. So having things that generally work everywhere, that also means not a lot of dependencies. Ruby's a cool language; Ruby gems are less cool. So if you need this many dependencies, maybe we don't code like that.

So when we started doing these, we were like, okay, well, one, the bad guys will have domains that look really sneaky. We'll have google login dot co dot uk, for example; I'd, please don't go searching for that, that was not one of mine. We'll have things that, you know, nobody's going to see. It really doesn't help, in the sense that we'll get past our tools, or be caught by the tools they were meant to be caught by, but going back through it, it's kind of hard to look. If you're not paying attention, Google with a 1 instead of an l looks enough like Google, you'll miss it, and that's happened. So instead of things like that, register things like ilovekittens dot com: really long, really visible, probably not actually used by somebody malicious. These tend to be cheap. Especially if it's the blue team doing these things, you probably have actual defense to do, and for something you're going to run for five to ten minutes, maybe, to test a thing, you really don't want to spend a week of dev time on it. So simple, cheap, not hugely complex. And then finally, credibility. For these, we'll run these and almost all the time we get back, yeah, but that wasn't real malware; if it were real malware, we would have caught it. And you have to have some way of saying, well, actually, yeah, just let me change this. It could be, we're not going to do that for you, because we don't need to put you at any more risk than you are, but
credibility is actually a pretty important part of this. My secret weapon for all the above is Go, the programming language. It's quite easy to learn, quite easy to use, and it compiles for just about everything you're going to find in an environment; mainframes, if your mainframe is a target. So I encourage anybody who's going to run these to look into it.

So, a few things that I've learned doing these, especially as far as safety, but just coding these in general. It works a lot better if emulations do one thing and do it well. When we started we had this really great, large framework; it had everything you could possibly want built in, and it had every bug you could possibly want also built in. So we learned quickly: okay, we'll just write one tool to do one thing, to test one thing. We'll write one tool to just make HTTP beacons over and over, all right, one tool to emulate Zbot or Zeus, and it actually works pretty well that way. Another thing I've learned is to handle text streams. It's really easy to output JSON; you can read JSON into your SIEM, Splunk loves JSON, until you actually have to grab something out of it, until Splunk isn't doing quite what you need. Things like, let me grab text streams, tend to work, and it's real easy to write something to convert that into whatever format you'd like to use. With safety comes readability and maintainability; they go hand in hand, and this comes usually later, when you say, hand the intern, make this thing do this thing, and the intern is like, I can't really read this, but I think here's where I need to change it, you forgot to mention that that affects that, and that affects that. So readability, maintainability, just good general software engineering principles go a long way to make these safe and just work well. Testing is important; if you don't test, you never know what you're going to come into. And speaking of testing the unexpected things, the last bullet: expect the unexpected. Hey, your malware is still running. I don't know, we killed standard out but it's still running. So testing: typically you have to test these to a point; you're never quite sure because it's not running in the exact target environment, but testing as much as you can is very important.

So I'll go over a couple of the emulations themselves, a couple of specific tools. Both of these are publicly available; both worked pretty well. The first one is DNS botnet. I actually wrote DNS botnet originally for a CCDC, the defense competition; took me a couple nights. I had the problem in the competition that one of the universities had learned that anything with a network socket was bad, and any malware that used a network socket didn't work anymore. So, on the red cell, minor, minor heartaches. It was like, it only leaves a socket open for a couple seconds; sure, it worked, it worked really well. And then a client was like, hey, we'd like you to see what happens, see if you can get out of our network using DNS. Okay, I just happen to have this tool. And it does one thing: comms over DNS. Then over time it's evolved. I changed the query sizes, made the query sizes configurable. We had an incident where one of the clients was like, hey, so you're supposed to do DNS tunneling, did it work? Yeah, it worked really good. Well, we didn't see anything. Show us what you did. We showed him; we were using 16-byte labels, 16-character labels. They're like, well, that's not DNS tunneling; 18-character labels, that's DNS tunneling. One could argue with that; one could also keep a good client. So, just a little configuration option, and hey, we had DNS tunneling. Also, it's really common we'll get manager types who are like, hey, I read about this thing, do this thing. Somebody read about DNS over HTTP, and somebody else read about DNS over, excuse me, domain fronting. So what does that take? Pretty trivial change, actually. It's Go, so it compiles to a single binary. We found that just dropping it on a Windows host, dropping it on a Linux box, whichever it'll be, well, it runs. And it's defanged. It was originally written for C2, so it has C2 built in, but defanged; instead of sending shell commands back and forth and shell output, you just give it a number and it'll send you some bytes back.

Assuming the demo divinities like me, so we have this as a Debian box here. I'll read that; apologies if it's small back there. So we have this. I'm going to run it; I'm just going to beacon to example.com. By the way, there's some networking under the hood, so this is not actually example.com; it goes to a box I have that is it, and it's running. And this should be a Windows box, here we go. Notice the defang; we'll see that in a second. And both of these will be, kind of, thirty seconds at most, longest. There we go. So we see, hey, tcpdump, that was awesome, please, please, right. We're not going to see that, and I/O timeouts, all right, angry demo gods. Cool. So let's see, it should be doing more or less the same thing. So we have, in the upper left here, it's working on the Windows box. It grabs an ID just from a network card. When I originally wrote this I had no good way to say, hey, you just use this IP address, so it's whatever IP address it can find. Worked
worked really good until I had a whole bunch of docker hosts with all the same IP address and tournament oops you can also see sort of the idea yeah so we can see the roughly what the queries look like hey that was in the play button more demo anger demote divinity angry cool and then there we go it's running Windows Linux I'd you can see it beacons bottom left side here we can see the beacons and you can see it guys these numbers it uses just to avoid caching beacon beaconing hey we start the TCP dump and then there you go so will interact with implant the 100 implant that bar there apologies will go
away their good will interact that will task it to run a you name and in a second you'll see on the right side the output comes back it's really long it's really ugly actually gets by a lot of things so it's a nice takeaway for clients so task the Windows implant the fe8 do your implant just to give us a hundred thousand and twenty four bytes back give it a second to pick up the tasking um you can see up here on the upper right you know the implant was like yeah I ran that it's good to have log it's good to have time-stamped logs because I'm very really similar to be like hey what did you do and when do
like let me tell you there we go so there's our kilobyte of tasking coming back do that because it's um you know is no reason that unencrypted DNS comms couldn't be intercepted probably not there's no reason somebody couldn't change the text record to say like blow everything away alright
there we go, those are backup pictures for even angrier demo gods. So we have some takeaways for both the red side and the blue side doing this, instead of hiring a red team; red teams are expensive and often not pleasant to deal with, so I'd like to encourage blue teams: it's easy, maybe, maybe not this tool necessarily, but we'll see a few examples of tools that are just quick, easy wins anyway.

So from the red side, the first thing we learned, especially the first time we did this, is you're like, okay, how do we get execution on a box that is well defended? And the answer is you put a binary on the box and you run it. So yes, Golang binaries work pretty well; it was never before seen by a corporate environment when I ran it, anyways. By the way, this tool has gotten a little bit of news on the Twitters recently, so if you run it and VirusTotal flags it, I apologize. Another thing we learned: make wire comms flexible. Like, the people we were working with were like, no, it's 18 bytes, not 16; a little bit of flexibility is nice. Also a little bit of, hey, yeah, if we just change it up, your sensors don't see it. We had a keybase, it's a keylogger among other things, and we just, like, put an X in the query, it was an HTTP issue, yeah, just put an X and, like, oh, that was an easy change, they didn't catch it. So yeah, make the comms flexible, because at some point the tools will say, okay, that's bad, and then you say, well, wait, what are the other bounds of the tool? Repurposing tools, when appropriate, is good. Generally I'm a fan of knowing exactly what your tools are doing, which usually means writing your own, but sometimes, especially if you throw in a tool you use from something else, it's great. Along with getting code execution, having somewhere to host your tools that will actually get onto targets, unless you're testing, like, hey, is anything going to stop something from downloading: things like OneDrive or Dropbox or EC2 or, excuse me, S3, they work pretty good for actually, like, getting the tools on target without somebody saying, hey, block the binaries. Sorry. So another thing: have your commands ready, copy/paste; just having a bunch of paste tables, and you'll develop these when you're testing, when you're developing and testing the tools, but it saves a lot of typos. It saves a lot of, hey, manager, I'm a blue guy but I have this really cool red thing, and then you typo it and then a box shuts down and you're like, oops, sorry. So, um, yeah, do this in VMs, not where somebody important is watching. And the last thing is to set up your infrastructure ahead of time. We all do that, of course, but set it up, like, weeks ahead of time: A, to let the domains mature, get categorized (I'm not going to say the domain tools are terrible, but), B, because strange things happen. So have them set up a long time before and then every so often go in and check, does this thing work, hey, does this thing work, and make it look appropriately benign. If we're testing whether the defensive tools catch malicious things, you can't make it look totally benign; that doesn't do anybody any good, you're like, well, yeah, so it looks normal to me. But appropriately benign: if you're not testing domain
reputation, have your domains normal-ish. If you're not testing, like, GeoIP stuff: we had a client that blocked any IP addresses from a large number of countries, of which Togo was one, and I was using some Togo IP addresses; that didn't work too good.

Blue, blue had a few more takeaways than those; it was a bit eye-opening when I ran this one. The first thing they learned: stand-alone binaries, they worked pretty good. You drop a standalone binary to disk, to the desktop, it ran; they got a few more SIEM queries out of that one. So another thing blue learned was that wire comms are pretty flexible; you don't really have to follow RFCs. DNS, it's like, this one in particular does not follow, like, 150 RFCs; yeah, we change it up just a little bit, no, they go, you can't do that. Okay, so, suggest, and they got a lot of value out of that. They learned that even if your malware isn't super cool, elite, run by the KGB, it can actually still work. Everybody wants to find an APT, everybody wants to say, oh yeah, we caught APT1, or choose your group; it doesn't necessarily mean that the malware isn't going to work, isn't going to cost you money in the end, but, you know, people generally defend against that. Blue also learned that DNS is kind of hard to see. Ken alluded to some round-robin we found, and they caught most of it. We had a client where NXDOMAINs came back as, I forget, their upstream DNS, but they're like, hey, here's a parking page instead of your NXDOMAIN. Kind of normal, kind of gave us credibility, worked pretty good. It's worth, but yeah, DNS. And then we had another client who was like, ah, here's our solution for DNS: we'll encrypt all the DNS, either DNS over HTTP or DNS over TLS, we'll encrypt all the DNS; and then they're like, hey, we're not seeing your emulations, what's up with that? So maybe that wasn't helpful; it was a good, good lesson, a takeaway for them. The last thing for this tool is domain blacklists are not always effective, domain whitelists are not always effective. So when you whitelist things that are, like, good category, good category, category name, like, hey, look at my medical article on nose hair, it's awesome and I cited Wikipedia, then, hey, works pretty good. And blacklists, hey, these are the bad domains, and we generally try not to register domains on site, but every so often it's like, cooking right of good ones; you know, you need to do more than we expected or it worked.

All right, the next primary, the next emulation is PS beacon. This is on GitHub, by the way; you can spot the link right there, PS beacon, here we go,
it's a GitHub gist, so apologies for the short, short, really long link. The client was like, hey, yes, so, you know, you do all this HTTP stuff, we read about things, it's just like query, answer, query, answer. Linux Lady came up in some kind of conversation, and, hey, how's it look on the wire? So I wrote, and it was Windows endpoints that we were using at that point, so I wrote a little PowerShell script that was more or less the same thing as the little bash, bash what would be a one-liner up there. Notice, critically, the important kicker part is not non play, and that goes back to making things reasonably realistic. I mean, it's going to pipe to stdout, but it could write to bin/sh, it could write to a shell. There's a 60-second beacon, excuse me; it's pretty much exactly what Linux Lady did, except on a Windows endpoint and not cron. So it was cheap to write, definitely hit that wicket, and it was, like, minutes to write, and over time it's evolved, features we've added. We've had a jitter in there, so, you know, something to say, hey, we've just noticed every minute something is happening, that's bad; so if it's between, like, one and three minutes, might be good, might be bad. It's good to test the limits of your tools. And then the user agent is settable; you can configure it to be whatever you'd like. At one point we were running this and they're like, hey, that tool was cool, but nobody uses PowerShell iex, IWR, excuse me, in our environment. So that really wasn't, they weren't doing what they were trying to catch. So yeah, but generally it works pretty good.

A couple little snippets of code: so this is the config, the things you can set, but the defaults, and the defaults are very important when you hand something to somebody and say, hey, please run this, and that somebody's like, what's a command line? and you're like, please double-click this. Having the settable defaults is really quite helpful. Also, if you're using Lync, by the way, a little, little takeaway: Lync likes smileys and PowerShell does not like smileys typed in; like, Lync likes turning things into smileys. This, specifically, is the core of the code. It's actually a really simple tool that we use very frequently, and defenders actually get a lot out of it, a lot of, like, oh wow, that worked, okay, retool our, change the procedures or what have you. I mean, the core really is just somewhere in here, yeah, System.Net.WebClient, DownloadString, pass a URL and pipe it out, and, and then, yeah, but you're not actually running anything. Like, okay, we didn't want to, but, you know, if you really need to you can change a few bytes right there. Demo gods: hey, there's an AI term update, by the way; okay, seen to produce tweets, okay. So they were asking me, hey, is that mic going to work? and I was like, yeah, no problem, thank you, sir. So here's what it looks like on the wire, also command-line parameters, and it looks exactly like you'd expect from curl in a loop or System.Net.WebClient in a loop; somewhere between three-quarters of a second and a second and a quarter it makes a request, and that's pretty much it. Again, please don't go abuse example.com if you can, but it's not, like, and that's that tool,
and we get a lot of mileage out of something that simple.

So red takeaways, things we've learned, and by red I mean blue, blue guys acting red, or the red guys doing this: tools evolve over time. When we started this it was that big; now it's 80-odd characters, or 80-odd lines or so, and we've just had different needs over time, like I was talking about, the user agent. Next thing we've learned running this is to let built-in systems be built-in systems and do what built-in systems do. Our original incarnation of this was written in Go; Go can handle Windows proxies and read WPAD and all that fun stuff, or you can write a line of PowerShell and it works just as well. So we've had the same issue with DNS, like, okay, we need to shoot this at the right DNS server, or just let Windows do the DNS. We talked about the configuration from inside the script; this is not to say, like, go to line this and change this; this is not to say, like, okay, here is sed, sed will change it, or here's a vim find and replace; you know, just something at the top, constants or what have you, is nice, versus configuring via your command-line arguments. Okay, well then, another little takeaway: iex IWR actually works pretty good. So again, we're like, okay, how do we run this? They're like, our execution policy is to prevent that, and the profiles won't let you do anything, and you're like, okay, we'll just pull it down and see if it works. So it actually worked pretty good, and was a nice little finding for them too. Also, while writing this, certain, certain managers who may or may not be in the room like to ask for features, and certain managers usually know what they're talking about; that's the story, because I don't want to be fired. Anyway, so he's like, hey, Stuart, you've got to, you've got to make it set a user agent, that's what's going to get it caught. Oh yeah, you know, I'm doing other things here. You've got to make it set up. Oh yeah. So sometimes feature creep is a good thing; it happened, it happened, but generally, generally say no, and that's less to maintain, less that can go wrong, for sure. Last little red takeaway is there's this blurry line between what is a shell script and what is a shell command. The line between a script and a program, that's pretty obvious: compile it, it's a program. But the difference between a shell script and a command, go back here, is that a script or is that just a command on four lines? And, you know, we've had people who are like, hey, you can, you can do things, but just don't run any scripts; scripts are something we don't want. So staying within the spirit of what was asked, you've got to make sure that you're not going to anger people.

So for blue, with such a simple tool, they're like, oh, it's a simple tool, no problem. So our blue guys have come up with various SIEM queries to find PowerShell run from the desktop, and for the download-execute thing, they're like, yeah, sure, we'll look for that now. It's kind of funny when you're like, you show somebody something and they're like, oh, give me a second, and then ten minutes later they come back and say, hey, I ran this query, was that, was that you a month ago? And you're like, no, looks like me, but that wasn't me; I don't know what happened with that one, they wouldn't
tell me. So blue also learned that PowerShell profiles and execution policy and whatnot, they work in some cases; if you have PowerShell 2 for backwards compatibility and you turn them off, they don't work very well. Blue in this case, we put code on a safe site, and pretty much anything hosting text, where you can put up text and it's trusted by the environment, it'll come right back down. So they had a blue team that had a bit of a mental adjustment about what is safe and what we should allow, and also that HTTP works pretty good. Logging needs to be used and inspected, and if you don't, you end up looking like that, I think. But, you know, they're like, hey, we've got all this PowerShell logging, you can't get anything running, and then they're like, we don't look at the PowerShell logging, so please pretend we did. We've had teams find the beaconing detection intervals, like, hey, yeah, everything, no, we're not going to, we don't even bother if things beacon at minute intervals, because the Maryland DMV, MVA, does that. When we've had teams like, well, I mean, an hour every day, it's not going to really cut it. So it's, especially with these tools, nice to find exactly where those bounds lie. The best thing we found, it was a blue and a red thing, was that PowerShell and iex can use different proxies. So we were having a devil of a time pulling our code down; just typing it into Explorer, it's what the client gave us, and, like, hey, I'll try this iex, IWR thing, surely it's blocked. Whoops.

All right, so actually there's three emulations, apologies. At one time we were, we were having a pretty rough time at a client, and they're like, hey, get some DGA on the wire, you know, find something. And I was like, okay, and I did this, and this is the first one. We'll see that it's just, you know, really simple, 30 seconds, tested appropriately off, off their network, but, you know, it was pretty fast, it worked, and then of course they came back and were like, yeah, but that's not actually malicious. But I said, well, okay, imagine those random bits; and by the way, the bash $RANDOM variable will give you, like, 15-ish bits of random-ish number indefinitely. And yeah, that's not random, like, well, replace dig with curl, replace $RANDOM with the md5 hash of the day and so on, and then, you know, you know what days you're going to be running it, you can hash it, maybe throw an hour in there if you want more domains than anybody cares to block. It was a nice little lesson-learning thing.

I'd like to leave you with some easy wins, some, some little things that you can run: red, blue,
management, IT, whoever can run, just to test things. So port scanning: netcat has a built-in port scanner. Turns out, yes; I mean, it doesn't do anything fancy, but it just makes a SYN, SYN-ACK, ACK, connect sort of deal. Also tee-ing it to portscan.out or whatever log file is great; it's really good to have a, especially a time-stamped, copy of what you've done. Lateral movement's been getting a lot of news lately, because generally it's hard to see inside of a network, it's not as well instrumented; ssh has that built in. We were working with a team that, they were dead terrified of the wiper; that was, that was their shtick. We were going to defend against a wiper; Sounion happened not that long before; we're all, we have to plan for the wiper. What's a wiper? It's a wiper. Brute-forcing creds: test if lockouts happen on your website, test if something's going to alert and say, hey, this dude's logging in about a hundred times, test if the fax machine you just bought will let you in. /usr/share/dict/words is on at least Macs and the BSD boxes and, I think, most Linux distros. Last set of easy wins: exfil. This, this is not an original concept; a friend of mine is like, yeah, you wouldn't believe what security asked me today, and he's like, so we just had this box that had flat high usage, high network usage; I was like, that's weird; he's like, yeah, somebody was scp-ing off their code base for days. It was more or less that. Domain fronting also has been getting a lot of news lately. Domain fronting is actually pretty easy to test; it's just that you have to find a benign domain and a bad domain that are frontable. Please roll your own; don't use anything you're not allowed to. DNS tunneling, same thing, has been getting some, some news lately; that will test what happens if you have a bunch of queries to a parent domain with different subdomains. DNS over HTTP, especially in the last, like, four days, I've been noticing a lot on Twitter especially; Google's kind enough to provide us something. Replace name with something that is not going to get anybody, I mean, don't, don't use something actually malicious, don't be like a threat intel, unless that's what you're testing, unless you're testing if your threat intel stuff works. And then for the managers who like buzzwords, DNS over domain-fronted HTTPS works pretty good too. Thanks.

All right, so I hope you guys got some entertainment out of that; imagine working with them. All right, he likes cats, as you can see. So some of the key takeaways from what we discussed today: defenses are complex; threat emulation, you know, allows the defenders to kind of test this. Red teams, I recommend you
kind of add this to your arsenal, but blue teams, everything we did there is very easy to emulate; a lot of the tools that Stu discussed earlier are being released. Planning: I don't know how many proxies we've run into, how many firewalls we've run into, signature things that the customer, the client, doesn't know are in their environment, that cause us issues when we arrive, and that's with really good rehearsals prior to our engagements. And as you saw, some of these emulations are just PowerShell one-liners; folks in the room could spin these up in seconds and they have just great value without having to go out and buy a, you know, third-party tool or, you know, fancy license to do these things. I would say don't invest in those things until you have proven that these things get caught. And then simple tools: you know, some of these are, you know, a couple-megabyte binaries, that's just because Go is really fat when you compile it, and the rest, and the rest is, you know, again, the one-liners. And then always challenge, challenge the assumptions, because, hey, you know, because a tool says it does something doesn't necessarily mean that. And also sometimes the only adversaries some of these clients are seeing are red teams that are sharing techniques, so they may be getting really good at defending against, you know, the different red teams they're partnered with, but are they ready for that APT that's kind of coming in? So iterating through these minuscule threat emulation scenarios, as you know, can be pretty beneficial. So where do you go for more information? Stu kind of talked about, he loves Tor, he loves Tor; also he loves Go, the Go language, for developing some of our emulations. He's released DNS botnet publicly and PS beacon, we threw a gist out there for it, and then some of our easy wins that you saw on the last two slides he briefed, so you can go and pull all those down.

All right.

Awesome, so we used to work for an Air Force general and we were told we have 50 minutes, so we're sticking to that. Any questions? Any Air Force in the room, time hacks, things like that? No time on target? No? All right, so here's how you get in touch with us. If there's any questions, we have, we have a few minutes; also we can talk outside. [Applause]
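Several of the blue-side takeaways in the talk come down to knowing where a beaconing detector's bounds lie: how much jitter it tolerates, and which interval floor it ignores (the "minute intervals" case). The following is an added example, not code from the talk, from PS beacon, or from the speakers' other tools. It measures request regularity per source/destination pair over constructed proxy log lines. The log layout (`<epoch_seconds> <src> <dst> <user_agent>`), the hostnames, and the thresholds are assumptions made for the example; a real proxy log needs its own parser.

```python
"""Beacon-interval check over constructed proxy log lines.

Added example, not part of the original talk or the speakers' tools. The log
layout "<epoch_seconds> <src> <dst> <user_agent>", the hostnames and the
thresholds are assumptions made for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log. ws01 beacons to a hypothetical domain roughly every
# 60 s with a few seconds of jitter; ws02 browses at irregular times; ws03
# makes too few requests to judge either way.
SAMPLE_LOG = """\
1700000000 ws01 c2.example.test Mozilla/5.0
1700000061 ws01 c2.example.test Mozilla/5.0
1700000118 ws01 c2.example.test Mozilla/5.0
1700000182 ws01 c2.example.test Mozilla/5.0
1700000239 ws01 c2.example.test Mozilla/5.0
1700000301 ws01 c2.example.test Mozilla/5.0
1700000358 ws01 c2.example.test Mozilla/5.0
1700000420 ws01 c2.example.test Mozilla/5.0
1700000003 ws02 news.example.test Mozilla/5.0
1700000010 ws02 news.example.test Mozilla/5.0
1700000012 ws02 news.example.test Mozilla/5.0
1700000095 ws02 news.example.test Mozilla/5.0
1700000400 ws02 news.example.test Mozilla/5.0
1700000412 ws02 news.example.test Mozilla/5.0
1700000050 ws03 cdn.example.test Mozilla/5.0
1700000110 ws03 cdn.example.test Mozilla/5.0
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst); None on malformed input."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = int(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def interval_stats(lines):
    """Return {(src, dst): (request_count, mean_gap_seconds, cv)} for every
    pair with at least two requests. cv is the coefficient of variation of
    the inter-request gaps: near 0 means a very regular (beacon-like) timer,
    larger values mean jitter or human-driven browsing."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            times[(src, dst)].append(ts)
    stats = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if not gaps:
            continue
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        stats[key] = (len(ts), m, cv)
    return stats


def flag_beacons(stats, min_requests=5, max_cv=0.25, min_gap=30, max_gap=3600):
    """Pairs whose timing is regular enough (cv <= max_cv), seen often enough,
    and whose mean interval falls inside the window the detector watches.
    Raising min_gap past 60 reproduces a detector that ignores minute-interval
    beacons; raising max_cv reproduces one that tolerates more jitter."""
    flagged = []
    for key, (n, m, cv) in stats.items():
        if n >= min_requests and cv <= max_cv and min_gap <= m <= max_gap:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    stats = interval_stats(SAMPLE_LOG.splitlines())
    for key, (n, m, cv) in sorted(stats.items()):
        print(f"{key[0]} -> {key[1]}: n={n} mean_gap={m:.1f}s cv={cv:.2f}")
    print("default detector flags:", flag_beacons(stats))
    print("detector ignoring sub-2-minute intervals flags:",
          flag_beacons(stats, min_gap=120))
```

Running the block with the defaults flags only the ws01 pair; re-running `flag_beacons` with `min_gap=120` flags nothing, which is the gap the talk describes when a team decides not to bother with minute-interval beacons. Sweeping `max_cv` against an emulation with a known jitter range gives the same kind of bound for jitter tolerance.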