BSidesMCR 2019: Offensive Development: How To DevOps Your Red Team - Dominic Chell

so my name is Dominic Chell work for a company based just south of Manchester called mb/sec day today most of my time spent are doing red team engagements you can find me on Twitter this kind of unimaginative handle of a bombshell and I just a quick disclaimer I'm not a devil expert the talk is mostly on red teaming on red team tradecraft and we're just looking how we can apply some principles stolen from the devops world into red teaming so before I start I'm just going to give a quick story so we're doing a phishing campaign we call a lot of time into crafting the perfect payload we send it to our user we get a shell the next thing we do is a

little bit of situational awareness we do a little bit of probing on the endpoint check that we're in the right environment see what privileges we've got we have often around looking on the file system see what we can find see if there's anything useful to us and suddenly your implant dies you've lost connectivity what's the reason for this so if we look into what the blue team sees they've got quite a sophisticated EDR deployment in this case we're just looking at crouched right they can see everything that we've done they've got a threat hunting team they can see we've empowered shell they can see Weaver and ipconfig they know everything we've done they've kicked us

out of the network so what is the problem well fundamentally defenses are advancing we're getting things like command line logging PowerShell script block logging some boxes EDR edp's application whitelisting Hamsi the blue teams are up in the game and they've got all this fancy tool and that's supporting them now this is a problem for us as a red team because we've got a growing investment just dfi our team can quickly burn an entire campaign that we spent weeks or even months mature putting together and building that trust with the user and we've lost it very quickly because of our port or aircraft so what I'm going to introduce to you today is a concept that I've been

working on within our team for a while we've recently started using it on engagements and it's moving away from the traditional crate trade craft of actually winning any operating system commands what I want to show is that we can actually abstract ourselves from this concept and actually only perform a red team engagement from an IDE we can do everything that we want to encode okay so what challenges might have actually posed to us was a few things that we need to be aware of if we go down this room so AM Z threat hunting they've got memory inspections so we need to be aware of that and how I'll show some concepts that I deployed in

instant to them I'm going to release to actually get around some of these we need to be aware of injection techniques so in this example I'm looking at COBOL strike will the power pick and execute assembly commands and COBOL strike use injection to inject the CLR into any arbitrary process whatever you define any malleable profile then how do we actually go about kind of building or tooling delivering it into an environment and running it and how do we prevent this this tool in getting identified and video if I are actually identifying any of our artifacts Willingham in their own environments so these are some of the things that some of the challenges that we might have

I'll talk a little bit about how we kind of approached it and how I kind of applied or address those challenges in the tool and I developed so what the first thing I did was really had a little bit of experience with some DevOps concepts and one of the if you are a DevOps person and you're probably familiar with the concept of having your own continuous integration continuous development pipeline I every time you're wanting to run at all you're building something fresh it's not you're basically in a position where you can continually distribute code condition continually distribute builds and that's fundamentally what we want to actually do we want to have process and a tooling in place that will

allow us to consume build and deploy our code within an endpoint continuously additionally some nice things that would be good for us would be to have a pipeline that allows us to use all the existing tools that are out there so I'm a lot of the kind of writing tools developed in PowerShell c-sharp so we might want to use those to basically get a foot up we want to be agnostic of NEC to platform because we don't want to kind of limit ourselves and see it's using one as specific implant we want to be able to modify our tools programmatically on the fly apply customizations to existing tools so for example maybe we want to run

something like Power View and we bootstrap Power View inside our own dotnet and we before that we run I could by Pan Am's II bypass before we actually want our own dotnet program so we can do that if we if we've got the ability to modify any tool and any code before it's run we can bootstrap our own code it before to disable protections but effectively what we want to do is is perform this concept of offensive development in real time so what I decided to do is kind of took these things that were nice to have and look at how we could kind of address them so if you're familiar with c-sharp you're probably familiar with the Roslyn

compiler basically allows you to compile source code in inline using the hidden C sharp again you may be familiar with dotnet core it's basically an open source version of the dotnet framework for hidden docker so what I basically did was took Roslyn and took dotnet core and used them to build a CI CD pipeline and used it to integrate into well in this case cohort strike but it is agnostic of any c2 framework so that's all I create it was called read pipe and it consists of three specific components so firstly the loader so the loader is basically every single time you you want to run something on an endpoint and currently it uses the execute assembly commanding

curve ball strike which will basically spawn a compare any arbitrary commandment you can define in a suspended state injection and manage CLR into that and that's basically the load of what a loader will then do is it will talk over a reverse port forward to the CI CD pipeline and it will retrieve whatever projects that you want it to to retrieve so the projects are basically either existing projects such as ghost pack so see about all those kind of tools reversed or it will basically take a command to generate an artifact well then xq is in memory or drop in to disk if you want to drop the artifact to disk and then the third component is the

actual engine which is basically just a dotnet core web api that receives the requests for projects compiles them in memory and it will obviate them and encrypt them deliver them back to the loader and run them in memory on the employed so if we look at this this kind of process we basically have your your user operating on your c2 clam it's got an aggressive script that's buildings COBOL strike and you say I want to run something on this specific endpoint so you might you'll say I want to run the loader and I want it to run like rubus for example that would execute assembly on the loader go through the clouds with vile or whatever you using for your C to

the loader will run in memory again on the endpoint it will then talk over a reverse port forward back through your c2 framework to the read PI API rip PI it will build modify deliver the compiled tool and then encrypted format key to the endpoint and back to the user and then that that gets run and you see you see there was all sinem not sure that that's the kind of workflow at all every tool that you want to run with the loader and has its own profile and these are really easy to graph basically it's just a block of JSON that looks a little bit like this and you just tell it the name of the

tour what you can point it to the source code of whatever tools you want so I just got all the tools up the PowerShell and C sharp tools I'm using on engagement just got them all sitting there in a directory I just write wrote a little profiles quick for each one of them like this and just say this is where the source code is compiled it with this version and they've got that framework and these are the dependencies the reference libraries that are using this tool and then they get stored in a sequel like database and they're accessible from that from the pipeline so let's look a very simple example first of all wow it's been that bigger

okay how far is big enough so see if I see it so what's going on is effects effect just started up the pipeline tool and I'm just reading it in an IDE so this is actually waiting on my laptop the implant is actually on a separate network talking through is all CDN to an Amazon host to over SSH tunnel to our internal network where the team server is and then I'm SSH into the team server doing a port forward to the the CEO CDI pipeline on port 5000 so that is actually all then getting forwarded over an SSH tunnel so that's why it takes a couple of minutes because it's going through as or CDN to Amazon to over SSH

tile into our internal network and then over another SSH trial to my laptop so you can see it's not it's not one that's all I'm just gonna I sell and I'll show you again because I think it runs again the first example we're just wearing the XE the second one is giving some more complex arguments does he like an S for you attack so you can see the get requests basically hit the pipeline to all that's running on my laptop and it's compiling it up and I'll scroll it on this this example again in a second and as I said the pipeline will encrypt and obfuscate the the tool that's word in memory I'm going to scroll up here and

show you and it's encrypted with keys that I derive from the environment so you can only ever be one even though he already memory it forces its own decryption key and ones on the endpoint in memory that's the first screen yeah there we go so so what else does it do I mentioned that we might want to actually evade analysis so whenever a tool is Bill fundamentally what we're going to do is just lob the scope of that tool this the reason for this is it makes it harder for anyone who's doing threat hunting based on memory to actually triage what is getting one on the endpoint because it's different every time so you're not going to have

two tools that are running the same tool running on two different endpoints with the same memory signature because the tools are for skaters so this means if you're doing memory inspection it's going to be harder to Eisley find these tools running and the way I approach this is using a library called confuse wrecks and basically confuse our exes and open-source protector for.net allows you to do things like confront control valve this geisha it'll rename all the resources it will encrypt strings all this kind of cool stuff that our protectors do computer X is is quite simple to configure basically there's a configuration file that sits within the the red pipe source code it looks a

little bit something like this and basically you can just pick the options that you want to apply it's or protection so in this case I'm just saying you know rename rename multiple sources and their puzzle item will basically compile the tools to the intermediate language it will then use confuse erects to obfuscate the intermediate language and create the compiler on that code x let's look at an example of what this might look like so what I'm gonna do is now just encrypt natural artifacts that we're going to drop to disk to answer station the video first one okay so this time what we're gonna do is you can see down here I'm basically just saying upload an

artifact that I'm going to drop onto this remote at this this host you can see it's now retrieve the artifact from the pipeline just dropped it to disk you can see the artifacts actually here and I'm just going to run the artifacts just to show what it does it basically just stages and you and you see too so you can see that new implant wedding and the Mars just popped over here we've got a second one on the desktop so on the desktop workstation and that is basically just a shell code injection into Internet Explorer with people spoofing so you can see the payment processes Explorer if we take the artifact and we drop it into da peak to

have a lot what it's doing second what you'll see is that the actual artifact is completely obligated so if we took a look at the various function names all those also as you can see is it's not trivial to read out or such to go in mind there and actually the shell code that is contained within the artifact is keyed to the host based on the environmental keys that are derived from the endpoint so you can't actually decrypt it without the keys and the keys are group forced every time it's run so we've got you can and you can create dll's and axes with this with this process and dot map and because this does injection you can actually also

just remove the exit e after you've run it because it just stages that need a second staging

okay so I mentioned that we want to actually protect our tools the reason for this is because if we're if we're developing new techniques were writing code on engagements we might have our own hauling that we want to protect the IP of we don't you know we don't want the boy team to kind of find these artifacts find these tools and drop them on to you know virustotal that kind of thing because they come into the public domain they're going to get signature so because we're using this approach of compiling and programmatically building our tools every time we can actually key them so King is basically the concept of taking a payload and then we use either

a local or remote resource to basically in this case AES encrypts the tool based on our whatever decryption key now the decryption key may be known it can be it could be embedded if you wanted to embed it in my case I just brute force it based on environmental factors that I read from the environment or you could kind of take this further you could have it so that the key is read from like an SPF record or a DNS text record you could have and then once you've done your your stage of kind of running your tool your artifact you just remove the key and then it's never actually been in the environment and nobody can actually

decrypt what's going on that's fundamentally what King does so what happens is when the loader runs on the end point it does extract some extracts multiple environmental keys if we're using cobalt strike and then the loader gets one with execute assembly and then the keys are submitted to the red pipe API I've also kind of modified this in that that you can have it such that the keys are read from the comb on strike dates model so they're not actually ingested on through the loader as well so they're never actually in memory either and then basically the the API responds with the encrypted artifacts or tool mas encrypted based on whether those keys are and then the

loader brute forces then finds the entry point and then uses like assembly download to it soon we're now the kind of benefit of this approach this kind of offensive development approach is really that we don't actually have to heavily interact with the operating system at all we can kind of we can do everything that we want to do in code so if we look at an example let's say we're on an employment wanting to do some discovery you know traditionally maybe you use something like fine stirrer or PowerShell to search for files that might be on that end point now that would look very pretty in the kind of telemetry within EDR so how do we kind

of solve that well as I mentioned like offensive Feltman cache you solve that for is because you can do a whole word team engagement almost just by sitting in your IDE writing things as you go along so if we look at an example here what I'll show you is demo will show you how kind of powerful this is so I've got man vs code open and I basically got some c-sharp code that just searches any users folder for text files and so I'm just going to tell the loader to run to run that code now with the offensive development project and it will you'll see it'll just give you a list of text files that exist in the IT admins folder

it takes a minute or so so I guess brute-force the decryption key comes back and we've got a list of text files so what we can do now is just on the fly we can just say okay search these text files and look for the string paths were and let's just add you know an extra line and saying you know we'll just add some things our a print statement saying you know hello b-sides and all we need to do is just save this and then run the same coin again on the point that we will all but rarely run this because it's being retrieved from all that top every time so we can actually do everything that we

want to do from the IDE we don't actually have to run any commands on the operating system anymore so again you can see here and it should hopefully what it's a video so does it give you a different result this time yeah so you come back and you can see now with it the codes on something different than we've researched with a fire we find passwords and we've got our kind of statement so what's next well this is still something out working on it hasn't been widely tested outside proof of concept I am looking at like how we can avoid injection so my kind of idea at the moment I've been playing around with a tool called door knob which will

convert dotnet axes into position independent shellcode so my kind of idea is we don't actually have to inject into a new process and inject asilah why can't we just run shellcode in RM process and what it avoids process creation completely so something I'm working on at the moment then I'm also also just need to add more tools more configs get it working properly in docker and then just release it was blog posts and things the stuff us on the horizon try work I think it's only fair to mention Adam who's sitting up at the back who did some work on creating DevOps tool chains for red teaming using Azure DevOps and then also David Owen if

he's here sort of this morning but they've did a really good project called shot compiled which is kind of similar in that allows you to run arbitrary c-sharp on the command line through through couples right and then finally we are hiring so if anybody is interested you know in search of us I would play it's supposed to be a gif is awesome great film was well the way and I think I was got any questions I've got literally two minutes left of moose yeah it does that's how it would use the loader so the aggressor scripts basically which means the loader to locally so to the to your construct clan and then that's how because execute assembly works that the

farm needs to be on your machine so that's how they execute something runs the loader you can say what my another idea that I was working on was um basically we can create the loader with the tool embedded inside and the arguments embedded inside and then you run it through execute assembly you don't need to reverse ball forward that's another option I was looking at but in that scenario you can't get them but the only keys that you'll ever be able to have are from the curveball strike dates model you're not going to be able to get additional keys outside of the environment unless you extracts them in another way so you would have to

have like an initial process like a c-sharp process that runs first gathers lots of different keys from the environment feeds them back to the server so internet is continent keys and then you could do it that way the reason I do this this way of the reversible thought was just give more flexibility for getting different keys and the other questions basically because it's noisy as hell threateners know about all the different commands that people run it's very easy to build a storyline in DDR based on telemetry people were the commands on operating systems so

yeah so I mean like I got my egg whites to say I wanted to an IP config I've just got a version of I've become for that one and don't that if I wanted to learn you know search on the file system you can just build on that code over for common things that you might want to do and then you've got all the existing tooling things like you know the ghost pad tools and that you can run on the partial scripts that you can run and bootstrap them through this this technique is anymore what's right I mean you are going to deliver a Adamo XE to the end point every time but they're pretty small to be honest see how you

mean sorry you mean in terms of spice of truffle the detection that will though that the is all happening over your normal CT frame where this all encrypted up anyhow on rats through SSL so it's still going to be it's just like winning execute assembly on on AB office anyway yeah yeah then we're going to wrap up and thank you very much [Applause]