
Bridging the Gap: Lessons in Adversarial Tradecraft

BSides DC · 2015 · 50:25 · 3.5K views · Published 2015-11
Tags: Category: Technical · Team: Red · Style: Talk

About this talk
As companies scramble for a way to keep from being the next Sony, they've started to search for ways to simulate the sophisticated attackers they now face. Organizations that have started to adopt an "assume breach" mentality understand that it's not a matter of if they're compromised by these advanced adversaries, but when. Red team engagements allow an organization to better exercise their technical, process, and personnel defenses, but much of this advanced tradecraft has historically been restricted to teams with large budgets and long timeframes. Our approach is to help push down some of this advanced tradecraft, so testers can utilize these powerful tactics in assessments of all types. This presentation will cover our view of the "assume breach" mentality and the approach for our red team operations. We will then trace through several areas where we've made efforts in bringing advanced tradecraft to even constrained engagements. We'll cover privilege escalation, user hunting, domain trust abuse, persistence, and data mining, along with the tools and techniques we've developed to help with these tasks. Adversarial tradecraft isn't just for red teams any more.

Will Schroeder (Researcher at Veris Group's Adaptive Threat Division) (@harmj0y) is a red teamer and research lead for Veris Group's Adaptive Threat Division, and is one of the co-founders and active developers of the Veil-Framework. He's also the founder and one of the main developers of Veil's PowerTools, a set of offensive PowerShell tools. Will has presented at a number of conferences on topics spanning AV evasion, post-exploitation, offensive PowerShell, and red team tradecraft. A former national lab security researcher, he is happy to finally be in the private sector.

Matt Nelson
Transcript [en]

So I'm going to get started. This is Bridging the Gap: Lessons in Adversarial Tradecraft. My name is Will Schroeder; my handle on Twitter and GitHub is harmj0y. I am a security researcher and red teamer for the Adaptive Threat Division of Veris Group. We're actually a sponsor; we love this conference. I'm a co-founder and one of the active developers of the Empire PowerShell project, which we will talk about a bit during this presentation. I'm also the founder, one of the co-founders, of PowerTools; I wrote PowerUp, PowerView, a lot of the offensive PowerShell tech, and I'm one of the co-founders and authors of the Veil-Framework. I actually spoke here last year, I think in the same room, on some kind of AV evasion stuff underneath the hood for Veil-Evasion, in case anyone was here at that talk. I talk at a few cons; I love these sized conferences, I love interacting with people, and we're going to do a Q&A out in the hallway if anyone wants to talk about this stuff, if we run out of time.

All right, I'm Matt Nelson, and it's my first time speaking at a con, so be nice. On Twitter I'm enigma0x3. I'm a penetration tester and red teamer for Veris Group's Adaptive Threat Division. I'm also a developer on the PowerShell Empire project, and I love offensive PowerShell. So if you don't use PowerShell, get with it.

So if you guys happen to have a drink and are playing a drinking game, you drink every time we say PowerShell, and I promise you'll stand up before you leave this presentation. Kind of setting the stage, this is what we'll be going over today. I'm going to do our definition of a red team philosophy versus a pentest philosophy, and one of the things that our group tries to embody is bridging this gap between red team tradecraft and shorter time frame pentest engagements. We'll go over three specific subject areas. "Push it real good", Salt-N-Pepa. We'll go over weak standard images and how we approach those, some of the things we see. We'll go over network and user hygiene; what we mean by this are things specifically like hunting for specific users on a network, something we do in every single engagement, and most people do on a lot of engagements now, but there weren't a lot of hugely specific tools out there that really approached that problem, so we started to write our own. We'll also go over domain trusts. I've given a few talks on domain trusts with one of our co-workers who's not here today, Justin Warner; we really, really like Active Directory domain trusts, so I will talk all day about this whether or not we're at a bar or whatever else, so if you guys are interested in that please talk to me after. And then the second half of the presentation is going to be on the PowerShell Empire project, which is a PowerShell post-exploitation agent that links all this stuff together to help us bridge that gap. So we'll go over the basics 101, all those components, and go over some modules.

So Matt's going to hate me for this. I totally didn't switch out the slide decks, because I told him I was going to troll him during this presentation, during his first time on stage. So Invoke-Trollsploit: "It looks like you're trying to learn some hacker cultural references, Matt. Would you like some help with that? Is it yes, no, or I hate you, Will?" Okay, so Matt's a really sharp guy; he's also young, so we've been trying to educate him on a lot of these hacker cultural references. So Matt, do you know what this is? No. Audience, anybody? Somebody, come on. Yeah, it's WOPR, man, come on. You have no idea, do you? Okay, so I promise there won't be any more of those during the presentation.

Yeah, so kind of setting the stage: pentesting, red teaming, and what we mean by the assume breach mentality. So pentesting. I know probably a lot of people in this room are pentesters. The definition varies; how people define a pentest could be a glorified vuln scan, vulnerability validation, or it could be a multi-person assault for several weeks. So the definition between this and red teaming has started to blur over the last few years. Some people use penetration testing almost as a dirty word now, meaning you just rebranded a Nessus report; we don't like to do that. So I view it as a reasonable balance, breadth versus depth, but the key for penetration testing is seeing how many problems you can find in a network, and then potentially, depending on time frame, seeing how far you can get with those particular issues. But the key is what you can actually find; it's usually focused on finding these issues and not about training incident responders or something like that, which is how we tend to define red teaming.

So this means different things to different people as well. Some people focus heavily on physical ops, some people do super in-depth social engineering, a lot of people will do custom exploit development, pure network operations, this kind of stuff. We focus on an adversary simulation, pure network operations type approach. I'll go over the assume breach mentality here in a second, but one of the common themes with red teaming is there tends to be an increased time frame and a more permissive scope. It also traditionally tends to have a lot more people and a lot more money, depending on the teams that are involved.

So, assume breach. We really like this phrase, assume breach. I don't know if it was coined there, but it was used by Microsoft in an Office 365 red teaming white paper, which is an excellent white paper if you guys haven't read it. So with all these recent major incidents, a lot of companies have started to realize that you're not going to stop bad guys from getting in the front door, right? So move beyond initial exploitation. Try to harden your perimeter and everything like that, but if your threat model involves a nation-state, you're not going to stop them from getting in the front door. So companies need to start implementing an assume breach way of thinking. I guess this plays into defense in depth, but how do you stop lateral spread, how do you at least detect it, how do you shut everything down, how do you detect C2? A lot of these components people haven't traditionally thought about, because they didn't realize that their threat models actually involve nation-states. We also like doing things like post-breach activities, or exercising incident responders along the way.

All right, that brings us to bridging the gap. So as Will mentioned, pentesting and red teaming have a different methodology. Red teaming has historically been for teams with a lot of people, a lot of money, and a lot of time, and time is the biggest factor. Pentests normally are a week or two; you can't really get advanced adversarial tradecraft in in a week or two. So our approach has been to take the advanced tradecraft that has been for the more advanced teams and push that tradecraft down to people that are in crunch time frames, who have a lack of staff, and who don't have a whole lot of money. And we're PowerShell fanboys; PowerShell plays a really big role in this. We also try to build and distribute a knowledge base of these tactics, so we give training, we do lots of blog posts, and we're actually pretty open book in our group. We pretty much give away everything; anything we figure out, we're able to publish. All the tools we do, everything is open source, it's all BSD licensed, and it's all on GitHub. So we want to try to give back to the community as much as we can.

So why do we use PowerShell? PowerShell has been coined as Microsoft's post-exploitation language, which has been mentioned a few times; it's a really great quote by Chris Campbell, and if you haven't checked his stuff out, definitely go check it out. By default PowerShell is installed on Windows 7 and up. How many of you have interacted with PowerShell? It has full access to the .NET framework. It's a Microsoft signed and trusted binary, so it gets by a lot of application whitelisting solutions, and it has direct access to the Win32 API, so a lot of the stuff in the tools that we work with interacts with the Win32 API pretty frequently. And it will assemble malicious binaries completely in memory, so a lot of the ops that we do operate completely in memory and nothing ever touches disk. So it emulates the advanced tradecraft that a lot of the more advanced teams were able to replicate over an extended time frame.

And so it's been referred to as a toy language over the years. A lot of people have written it off because it is a scripting language; a lot of people don't see a scripting language as something that you can write a full malware agent in. And as you can see on the slide there, it's a recent defensive talk where they listed out all of the public PowerShell offensive frameworks, and you can see [unclear], the Veil-Framework, PowerUp, PowerView, Empire, pretty recent, Nishang, [unclear], and then Powercat. This was actually from a defensive conference, Virus Bulletin 2015, so I think the point is, while it's been written off for a while, defenders are finally starting to wake up, like oh yeah, this is bad, and guess what, bad guys have been using it for a long time.

And so all of this has created a weaponization problem. So there's a lot of offensive capability written in PowerShell that's out there, and PowerShell's really sexy and it lets us do a whole lot of different things. A lot of people recently have been developing offensive tools in PowerShell, and they've just been scattered all over the place, and people have picked up the scripts and they don't really fully understand what's going on under the hood. So it's been really hard for some of the penetration testing methodology to adapt to how to use PowerShell securely, and we've heard a lot of people love running PowerShell scripts directly from GitHub accounts that they don't control, so people can just change the code and they're running it willy-nilly. So a lot of the existing tech hasn't always been completely straightforward. PowerShell has a learning curve, and in a sense it's a little different than a lot of the other scripting languages, but it's also really, really powerful. So for the people that haven't quite adopted PowerShell yet, we're hoping to solve the weaponization problem, to make it easy and understandable for them to operate efficiently with the scripting language. Again, that's the point that Empire was focused on solving, which we'll go over in a bit.

So, weak standard images. This is the first of the three sections we'll go through. A standard image tends to have a lot of issues associated with it, which a lot of companies don't tend to realize.

So, but first, Matt, there's Clippy again, sorry. Did you know that was Clippy? I don't know, do you know? It's like, okay. Do you happen to know who this is, or who distributed the bumper stickers? Okay, okay, all right, good job man, good job.

So standard images. Organizations typically utilize some kind of standard base image for workstations. Sometimes this varies per business unit, sometimes it's distributed across the entire organization. Very frequently we've seen in large, Fortune 200, Fortune 500 companies that this can sometimes be contracted out to third parties, because the organizations don't actually want to manage it. Well, people don't seem to realize that the security of this image matters a whole lot. Exploitation of this, if you find some kind of flaw or issue with the initial base image, you might have a way to easily spread to every single workstation in the entire organization. You guys might think, okay, really, would any company actually have an issue in the image on every single workstation in the entire enterprise? I can assure you it happens very frequently.

One of the things, a classic privesc method, right. So we say no, we don't really like to focus on kernel exploits, and generally we don't really throw exploits almost ever, or at least recently; in very rare cases you might throw one. We really like to use misconfigurations. So services are great for misconfigurations. The old pentest 101 ten years ago was your sc config binPath kind of thing, where the ACLs associated with the service itself are vulnerable and you might be able to reconfigure it. You really don't see that anymore, but very frequently we see the binaries associated with services not being locked down. So if a company deploys something custom, or even things like, I don't know, a Cisco VPN in certain versions, they tend to not lock down the permissions for the binary. So if any user can overwrite the binary for a service, you can custom compile whatever you want; it can add a local user, it can do an agent or whatever else. You overwrite the binary and you reboot the machine, and then you get code execution, you can add local users and do whatever else. We still see this a lot more than we should; it's one of our go-tos.

Another method which is pretty cool is service DLL path hijacking. So there's a search order for DLLs. Whenever a service or a program starts up, it's going to look in its current directory, it's going to look in Windows\System32 and everything else, and there's a path of like six places that it will look whenever it loads up DLLs that it needs for extra functionality. The last place it's going to look is every folder in the, sorry, the system startup path directory. So if you have write access to any folder in the path and you custom compile a DLL, I think it's wlbsctrl.dll, I always forget it, I have to look up the exact name, and you drop that DLL into a particular writable folder, then when that service starts up it's actually going to load up your malicious logic. So this just works on Windows 7 at the moment; I haven't seen one actually disclosed for Windows 8 or 10, but it's very, very frequent for Windows 7. So if someone installs Python or Perl or a lot of these things that create an extra folder that gets added to the path, and that folder is not in Program Files or Windows, nine times out of ten we've seen you're able to actually drop the malicious DLL and privesc. Again, you also have to reboot the box, which sucks, but whatever.

So we started going through a lot of these common privesc vectors from misconfigurations, and on the first red team I was on several years ago, my boss made me examine every single service executable permission by hand. It was super annoying. It's like, well, I guess there's this thing called PowerShell, I should probably automate it, right? That's what it's used for, system automation. So PowerUp is a tool that I ended up writing, one of the first tools that came out for the PowerTools toolkit. It automates all the common Windows misconfiguration privilege escalation vectors. It's all separated by function, but if you use Invoke-AllChecks, which is pretty much what we do most of the time, that'll run through every single check on a system and say okay, there's a misconfigured service, or there's a leftover sysprep, or, you know, the encyclopedia of privesc misconfigurations. So we always run this, and usually, very frequently, we'll tend to find things, unless we've assessed customers multiple times.

We also do some manual inspection of the standard image. So any custom software, any custom image, custom services or anything like that, we'll actually do something pretty similar to dynamic malware analysis, where you check is it dropping any files, is it a local password changer binary, something like that. And I think we're four for four for going after local password changer binaries that are custom rolled, because no one ever does them right, even if they think they do them right or run them through an obfuscator. So if you have a reverser on your team it's super, super awesome. So custom internal development is one of the most common root causes of escalation vectors we tend to see in the

field. If people dev this custom stuff and roll it out to every single image, they don't actually do a secure review of it if it's not a COTS product, and even if it is a COTS product there's still sometimes stuff that pops up.

All right, so network and user hygiene. It's very easy to find targets within a network. Almost every network we enter we would consider a dirty network, and that breaks into two little classes. You've got network hygiene, where a sysadmin will throw up a Tomcat or Apache box and not lock it down; you have default creds, whatever you may have, and that provides a really easy point of pivoting if you need to. Then there's user hygiene, which we see more frequently than network hygiene: a lot of old users, people will come and go within the environment and they leave user accounts; unnecessary admin users, so admins that have access to things that they probably shouldn't have access to overall; delegated groups, and this is a really big one; and nested groups. Within PowerView you can break them out and see, and this has opened up a hole in most of the engagements I have been on recently, where people have administrative or elevated access to parts of the network they shouldn't have, because people don't understand that the groups that they're in are also in groups that are nested within each other. So inadvertently they have administrative access to different parts of the network. And then long-running interactive logons, so they'll leave tokens just laying around. So if you're not able to dump passwords or whatever, tokens are a really easy way to just grab and run if you pop a box that's not rebooted often, and these interactive logon tokens are just laying around; it's really easy to hop on there, get what you need, and run around.

One of the first things that we do when we pop onto a network, especially if it's dirty, is to hunt. So we don't just spray and pray; it's very surgical in the way that we find what interesting users might have access to what we need to get to. We pop the box, Mimikatz, and then do we want their credentials or tokens, and then just run around with that.

So PowerView in 20 seconds. PowerView is one of the second tools that was written; it's a network and domain situational awareness tool, which a lot of the next sections will cover. So Invoke-UserHunter is a function within PowerView that we use very, very frequently, and what it does is it allows you to strategically hunt for users that you're interested in on a network and where they might have sessions from. So if you've got administrative access to a majority of the workstations and you're interested in a certain user, you can find where that user is logged in and you can go and specifically target them. What Invoke-UserHunter does is it will query Active Directory for all the hosts and make that a target list, and it'll do the same for the users of a target group, for example Domain Admins. So if you're looking for domain admins, you can match it up against the list of computers, and what it'll do is it uses Win32 API calls and it will enumerate the sessions of the logged-on users and then match them up against your target list. What's really nice about this is you don't need administrator rights to do this. As you can see here on the graph, this is how it looks on a network: you've got the attacker box, it'll get all the computers from the domain controller, and then it'll take that target list that you've given, which could be domain admins, and it will go out and check the sessions for every computer that it received.

One really important thing is if stealth is a priority: this function does reach out and touch every single computer, which can be very, very noisy and will probably get you caught, given that the defender knows what they're doing. Well, it depends; how many people know of networks that actually monitor SMB communication in that kind of way? There are some, but yeah. So there also is a stealth option. This used to be called Invoke-StealthUserHunter, and given the recent 2.0 rewrite of PowerView it is now just an option within Invoke-UserHunter. What this takes advantage of is an old red teaming trick. What this will do is query Active Directory for all users, and it'll reach out and extract the home directory, the script path, and the profile path out of the fields for that user, and it'll attempt to identify the likely file servers that exist in the domain, and it'll take that and run through and check the sessions that are associated with that file server. So what you're able to do is pinpoint where people are logging in from based on the fact that they've got a drive mapped back to a file share, and it gets you reasonable coverage with a lot less traffic, because instead of touching every single computer, you're touching just the domain controller and you're touching just the file server. This is what it looks like on a network: the attacker box gets users' home directories from the domain controller, and then it will query for the sessions for the user group that you're interested in on the file server, and inadvertently each workstation has a session mapped back to the file server. So by just touching that file server you're able to determine what user is on what workstation. One note too is that this is also much faster, so this tends to be our go-to, and if we can't find the results we need we might run through the noisier, better coverage option. And most, if not

the very high majority of organizations have terrible, terrible privileged account hygiene, and this makes our job really, really easy, because there's often a way to get elevated access that the org doesn't know about, due to something like nested groups or group delegation.

So domain trusts, or why you shouldn't trust Active Directory. This is my favorite topic ever. But first, hey Matt, there's Clippy again. Do you know who this is? I know, yeah, I swapped them out. Do you know what movie this is from, or who these are? Yeah, it's "hack the planet", bro, come on.

So Active Directory domain trusts 101. Domain trusts allow separate Active Directory domains to form interconnected authentication relationships. It essentially just links up the authentication components for two domain controllers, or a couple of domain controllers in different domains; it allows this authentication traffic to flow between them, so you can do things like put users in one domain into groups in another, or give certain groups access to different resources. A trust allows for the possibility of privileged access between domains, but it doesn't guarantee it. I have to put a little star here because I'm going to go over some of the SID history stuff for intra-forest trusts in a few slides, so there's one caveat if you're within a forest boundary.

So Active Directory domain trusts, why does this matter? I remember hearing about trusts a few years ago; there really wasn't much information out there. I'm like, okay, there's a trust, what can I actually do with it? So red teams often will compromise accounts or machines in a domain that's trusted by their actual target. This might be a subsidiary, this might be a dev domain, this might be something else. So this can allow operators to exploit these existing trust relationships and hop through the trust mesh, and we'll show some options you can actually use for that. So you can either use this for persistence or for escalation, to actually compromise the entire forest. I've written a whole bunch of stuff, so you can't really see it there, but these slides will actually be online after the talk, and we'll tweet out "BSides DC". I've got several different posts that walk through Active Directory domain trusts in depth.

So PowerView has a ton of functionality within it to enumerate and abuse domain and forest trust relationships. So there's these local cmdlets like Get-NetForestTrust, Get-NetForestDomain, all that kind of stuff, the weird awesome PowerShell naming convention of verb-noun. These can do things like saying, okay, my current domain, what domains actually have a trust with it? But what I think is cool is that if a trust exists, almost all the functions in PowerView, at least the ones that use the LDAP querying functionality, can utilize a -Domain flag. So if there is a trust, you can say okay, give me all the users, or all the groups, or all the domain controllers in this foreign trusted domain, and it's super easy, just -Domain whatever the domain is. You don't have to remember all the nested LDAP syntax, or adfind, or whatever else people have been doing historically. So no more nltest; well, nltest is awesome, but also it's a pain.

So mapping the mesh. One of the other things we'll start to do is, if an organization has a large number of interconnected Active Directory domains, it forms this mesh component, which I'll show a visualization of here in a second. There's a function in PowerView called Invoke-MapDomainTrust. What this will do is it will get all the domains that your current domain trusts, and it'll go to each one of those and say give me all of those trusts, and it recursively goes throughout the entire mesh, getting every single relationship that it can enumerate. There's also a -LDAP flag; by default it will actually try to reach out to the domains, and the -LDAP functionality will actually go out and reflect it through your current domain controller. So even if your network is segmented off, if there is a trust you'll be able to get the information. And also Sixdub, one of the other authors on the PowerTools project, has a tool called DomainTrustExplorer which can perform nodal analysis of this outputted data, meaning centrality, shortest paths, that kind of stuff. I think the coolest thing is it can generate GraphML output of the raw data from Invoke-MapDomainTrust. You can then use open source graphing tools; we use yEd because it's free. There's a walkthrough of this whole thing on some of the blog posts we have, and you can turn what a domain setup looks like into a nice pretty graph that's awesome for out-briefs, where a lot of these organizations actually don't know how the mesh actually works in their organization. So you see the directional arrows: if there's a one-way trust it'll just be one arrow, if it's bi-directional there's two, and the colors actually mean something, I usually forget it, but I think red is parent/child, green is external, and blue is cross-link. So we run this on pretty much every engagement in large enterprises, and we can figure out, oh, if we popped out here and we want to get to the crown jewels, how do we hop through this domain authentication component. Again, we often understand an organization's domain trust mesh better than they do by the end of an engagement. We've had clients actually ask us for the raw data and the GraphML and everything, like "we actually need this for [unclear] because we never had this before." Most places, you inherit networks, and then you add in subsidiaries, and you do whatever, and all of a sudden it's this giant thing. It's a legitimately hard problem to visualize and manage.

So the Mimikatz trustpocalypse. This is thanks to Sean Metcalf, who's actually up here, PyroTek3, in the front of the audience, and also Benjamin Delpy, gentilkiwi, the author of Mimikatz. Sean worked out that Mimikatz golden tickets, which I hope most people are familiar with, can accept SID histories. What this means is, it's a migration component for Active Directory, where there's a SID history attribute in these user fields that basically says oh, you used to be in this group, here's the SID of the old group. What this means is, if you compromise a domain controller in a child domain, somewhere in here, right, so not the forest root but somewhere in the child domain, you can create a golden ticket that has Enterprise Admins for the forest root in its SID history, and this can let you compromise the parent domain. So most people don't realize that the domain is not the trust boundary; the forest is the trust boundary. But most places that we've actually assessed, even the admins that have set stuff up, really don't realize that the forest is the trust boundary. So they'll do a segmented dev domain or something like that: well, that's where all the... we won't worry about securing that, we'll have something secure between it. But that doesn't matter anymore, because if you compromise any domain admin credentials in the entire forest, you can compromise the entire forest. This really terrified me and blew my mind when I first realized it. It's already changed the way we've operated on the last few engagements. This is only a few months old, but again, domains are not the trust boundary, forests are. So if any domain controller in your entire enterprise is compromised, ever, you just have to keep calm and rebuild the entire forest, according to Benjamin Delpy; this is stolen directly from one of his tweets. And again, it's really super easy, I've done this in the field, it works, and using Invoke-Mimikatz from Joe Bialek, that encompasses some of the Mimikatz binaries, you can do all this while staying off of disk. And if anyone thinks that attackers or adversaries

have not already been doing this then you know I know what to do so those are kind of the really pretty quick kind of three of the cool areas that our group has made specific progress n ru parts of progress over the last couple years and now we wanted to bring it all together and talk about empire first things first the still not be possible if it was it was built on the shoulders of giants that you utilizes a lot of work from a lot of other people were no way claiming that we invented all this we did not invent Mimi cats or vocally any cats or you know anything else it's um the power

sploit project from Mike Mac Raber Chris Campbell and Joe Bialik lead Christian TIFF Ken the Carlos Perez has been 10 Shawn Metcalf subti everybody in the offensive power ship community has been awesome they've an enormous help and you know a lot of the functionality you'll see is built on the work of all these awesome guys I don't know how many of you are familiar with empire but so what does empire empire is a fully functional post exploitation agent written completely in PowerShell so operates completely in memory and it's kind of a goal was to provide a modular framework to be able to integrate some of the offensive tool sets and projects that have kind of come

out in the PowerShell community recently. And kind of in conjunction with that, it's to help defenders prepare for PowerShell attacks. So a lot of defenders aren't prepared for PowerShell attacks, and a lot of people don't know what it looks like on their network, and a lot of them don't do command-line auditing, so it's really easy to run and operate completely in PowerShell without getting caught. Kind of the goal of the project was to change that: to show them how easy it is for somebody to get into a network and operate completely in PowerShell, while giving them an idea of what a PowerShell attack might look like.

So Empire has a few methods of execution. It's post-exploitation, so it doesn't throw exploits, and if you can run a command on a target you can launch an Empire agent. So it starts out as a small stager, which is implemented either as just a manual command you can manually execute, a one-liner, um, encoded command, or you can export it out as a .bat or a macro or VBS to deliver in a client-side attack. And the listeners sit server-side. The server is written in Python, and it stores all the configurations in a back-end SQLite database, and so it's really easy to track: as things come in and as the listeners catch your agents, it's really easy to kind of track the information that's received from those agents. Cool.

And we'll go over the modular components here in a second, but the stagers are actually modularized, so somebody submitted a new one to us, and it's very easy to just kind of drag-and-drop and customize stuff if you guys have internal ones you want to use. Real quick on the Empire staging process: we thought a lot about this. You know, we messed up certain components; there might have been an RCE disclosed to us that we tried to fix, which we did fix. But Empire staging, that little one-liner that Matt described, is gonna reach out to the control server. It's gonna get a little blob of obfuscated text. That text is, sorry, that text is going to be a key negotiation stager that has an AES key embedded within it. That AES key is static per server; it's assumed to be recoverable and burned by defenders, and that's not what the security rests on. The client is then going to generate private/public keys and then wrap up, kind of, staging configuration information with that public key and send it back to the server. The server is going to use that public key and encrypt a randomized AES session key and some, like, epoch and kind of synchronization components and send it back to the client. The client is going to decrypt it, post some more sysinfo back to the server, and then it's going to finally get the agent. This scheme is called encrypted key exchange: it uses, you know, symmetric encryption to exchange asymmetric encryption, which is then used to exchange symmetric encryption. The point with this that I think is cool is it offers perfect forward secrecy, so even if defenders packet capture this entire process they can't recover the randomized AES key, and every agent has a completely different AES key per box. So even if people memory image a compromised system, they'll get, you know, the key for a particular agent, but they won't be able to decrypt the entire mesh.

Matt, do you know what this is? It's Clippy. Again, you have no idea what that is? That's a Captain Crunch whistle. Do you happen to know what tone it... uh, no? 2600, man. Was that in a cereal box? Yes, it was in the cereal box, man. It was used for the control of phone systems, the original phone phreaking stuff. Okay.

So the module categories for Empire. Everything, again, as I mentioned, is super modular, drag-and-drop. You don't have to know how to use PowerShell to actually use Empire, which I think is kind of a cool thing. So we've separated it out: we have code execution, you know, shellcode injection; we actually have a way to easily pass sessions to Cobalt Strike or Metasploit or another control server; you have keyloggers, screenshots, you know, host management. There's over a hundred different modules. One of my favorites is trollsploit at the bottom. That's an actual set of modules; it does things like change people's backgrounds, and it can play Thunderstruck by opening up a hidden IE window, opening up a video, and then it'll emulate the key press to turn your volume all the way up so they can't actually turn it down, and it'll play Thunderstruck in the background. And fun fact, you may be able to task any module to all of your agents at one time, so if you wanted to Thunderstruck the entire incident response department, you totally could do that with Empire. And there's a ton of, like, persistence stuff; you know, again, a lot of this draws off of the PowerSploit project: WMI persistence, you know, run key stuff, we have alternate data streams, we have a lot of cool stuff. Then all the PowerView and PowerUp functionality is actually encapsulated within it.

I think this is the coolest thing with Empire, and again, we're not claiming that we're writing some super awesome advanced undetectable malware. That's not the point, and we didn't do that, even if we wanted to claim it was. The point with Empire is you can develop stuff and adapt extremely quickly. So there's a huge amount of PowerShell stuff already out there, like we mentioned, so if you can write functionality in PowerShell, you can drop it in a custom module and have that already loaded up for your agents. So there's kind of a metadata container, kind of in the MSF style, so you have your script embedded in it, you have, you know, authorship and description, all those types of things, but we also have options for: does this module need administrator privileges? Is it OPSEC safe, so does it drop a file to disk or does it display something to users? And it'll prompt you, you know, an additional kind of safety check. So we really built this tool to kind of play into the tradecraft that we tend to do for engagements. So we'll go over the modules really quickly. If you guys are more interested in Empire, our BSides Las Vegas presentation goes into this stuff in a lot more depth, or again, just talk to me outside and I won't stop talking about it.

So the coolest module, outside of Mimikatz of course, is psinject. So one of the things we were realizing building this agent was, it was like, "well, okay, I'm gonna lock down powershell.exe, I'm gonna throw it into AppLocker, so there, I don't have to worry about

PowerShell malware anymore, right?" There's a lot of admins that tend to think like that. So we realized it'd be really nice to have our PowerShell agent running in processes that are not powershell.exe. So how does this work? A few months ago, in the spring, Justin and I gave a talk at CarolinaCon called "Drilling Deeper with Veil's PowerTools," and in it Justin released a tool called Invoke-PSInject. It wraps up Lee Christensen's project called Unmanaged PowerShell. What this does: it was a C program that will load up the managed .NET runspace in a C program, start a PowerShell object, and then invoke whatever code you want. So Justin transformed this into a reflective DLL and then embedded it all in a PowerShell script. So what this functionality does behind the scenes is it'll use a PowerShell script to inject a DLL into another process, which will load up the .NET runspace, and it'll patch in, like, our little key negotiation stager component, and then load up our agent running in something that's not PowerShell, which I think is pretty cool. So we don't have process migration, but we at least have process injection for the entire agent. This is kind of what it'll look like: we've got a nice little "welcome to the internet" unicorn, but psinject, you know, injecting this DLL, which he actually termed ReflectivePick, into another process; it loads up the .NET assembly, kicks off the download cradle, and then we have our agent running in something like lsass, which actually works, which really surprised me. I was expecting everything to crash. But if you have the entire .NET assembly loaded up into lsass, it's probably a pretty big indicator of compromise, because why would you ever possibly do that?

We actually go over some defensive stuff in the BSides LV talk. There are a lot of host indicators that Empire will drop. So again, we're not trying to fool or get by manual defenders. Our big goal would be: let's get by as many kind of automated solutions as we can, to push clients to doing, you know, the host memory analysis and actually doing that triage and getting to that point. If you do get to that point, it's a scripting language, so guess what, the script is entirely in memory. If you just do a memory dump of it, you can get the entire agent. It's not trying to hide; there's no obfuscation. If you do command-line and script block logging, and you're on PowerShell v5 and you turn it all the way up, you're gonna get the entire agent, you know, spit out to the event log. To us, we don't view that as a huge, huge problem, because if a client actually correlates all those logs, like we're

trying to train them to get to that point, so at least, you know, we think that's a good thing, personally.

So as was mentioned before, Empire contains a partial version of Mimikatz; it basically loads in a base64-encoded DLL of Mimikatz. Obviously thanks to Benjamin Delpy and Joseph Bialek for the implementation. A lot of people use Mimikatz specifically for dumping creds from memory, and there's so much more goodness than what a lot of people realize: you can do things like golden tickets, silver tickets, a lot of the pass-the-hash functionality, skeleton keys, and one of the most recent ones, DCSync, which is nauseatingly amazing. And so when you use Mimikatz within Empire, Empire has an internal credential store, so it'll store hashes and plaintext passwords of all the credentials that you dumped. So it'll take the output, and it'll parse it and throw it in this database, and it will assign a cred ID to each credential, and then within the modules you can specify a cred ID and just automatically run that module using that set of credentials. So it makes it really easy to kind of cross-correlate the credentials you have and the modules that you want to use to operate, whether that be lateral spread or whatever you may have. So for example, you could use this as, like, a golden ticket catalog: after you've dumped a bunch of DCs you can just go through, and it'll pull the SID, it'll pull the domain SID and all the kind of configuration information, and you can just say "cred ID, golden ticket, this domain" and then have all your access.

So now we're gonna do, those are pictures, we're gonna do our demo. Standard gods versus humans; I promise I didn't change the video, Matt. Okay, so this is about a ten-minute video, and after that we're pretty much done. So kind of setting the stage with this: you know, we phished a user, they were local admin, and we actually ran bypass UAC, so we had to

implement our own bypass UAC purely in PowerShell. Luckily most of the, kind of, you know, the DLL hijack functionality and everything was utilized in Metasploit and everything like that, so we could kind of adapt, you know, the hijack locations for it. So Matt's gonna narrate through the rest of the video. That's gonna show doing a multi-part domain compromise using Empire entirely. Hopefully you guys can kind of see that, I know the... yeah, you can probably explain it.

Okay, so yeah, the way this starts out is Yoanna is a normal user. Elevate, dump their creds; as you can see, this is running Mimikatz, and everything's run as, the big jobs are run as jobs, so they're backgrounded. And as you can see here, all the credentials are stored in the credential store, and they're each assigned a cred ID, and you can use that here. So in this situation, you know, we hit a box with DFM logged in, but we see that there are credentials in memory for a user named Cory. And so you can use a module, Get-NetUser, which is in PowerView, to get the information on what groups this Cory user, who we don't know who he is, might be a part of. As you can see here, Cory is a workstation admin, so he likely logged in or off that box to do some sort of maintenance on some random PC as some elevated user. And so now we've got what we might consider an elevated user within the network, who might have administrative access to all of the workstations, and we can kick off a user hunter for that specific user. And it takes a few seconds, sir, so by default it's, Empire's fully asynchronous, so, you know, right now it's like a 5, so I can call that to get the task. And so you'll see it's got a session from this specific IP, and that's the user. So when user hunter kicked off, we saw what we were looking for, users in the Domain Admins group, and we saw that Will is a domain admin and he had the session from this IP. And so we're able to verify that this Cory user, who we now have creds for, could potentially be a local admin. It's always good to verify before you go and try and pop the box. It's just good tradecraft to make sure that what you're getting ready to hit, you're actually going to be able to hit, instead of just going after the local administrators of a machine without needing privileged access for it. So I think it's one of the cooler functions in PowerView, and it's got this recurse flag, which means any results that come back, any results that are groups, it's gonna go to Active Directory and get all the members of those groups and recurse all the way down to get you the set of effective users who could administer that machine. Yep. So we can see Workstation Admins is in the local Administrators group on that workstation, and it'll list the users in the Workstation Admins group, and Cory happens to be that potential user that we've got. So we are now able to laterally move over to that box using WMI, which is amazing. It's our default for lateral movement; it's really clean and enjoyable, and it's just a really good way. So as you can see here, you can set the listener, and then you set the computer name to either the hostname or the IP, and then you can see we set the cred ID to 4, which is the credential store entry for the plaintext password of Cory. You run this, you'll get an agent back from that box that we just determined that we wanted to go and target, and we are running as an elevated user on that box that has a domain admin logged in. And so now what's really nice is you can run "ps", which will list all the processes running, and you can filter to what you want to inject into. So we've got kind of a list of safe processes to inject into, dwm being one of them, so you can filter for what processes are running with the name dwm by typing "ps dwm". And so it's really a quick and easy way to pick what process you want to inject into, and you can set "usemodule psinject", which is an alias for the psinject module, set your listener, which is "test", and then the process ID, and then if you go ahead and run it, what it'll do is, it'll do what Will was talking about previously, the Invoke-PSInject. It will inject an Empire agent into dwm. You can see that we've got a process running as Will, who is a domain admin on that box, within dwm. And now what you'll be able to do is, yep, so you'll get the domain controllers. It's a good way to verify that you're actually running as domain admin, given

whatever they happen to be on the network. So what domain controllers, by default, exist on the network? And then, I don't remember, so this will give the output of the name. The way this is set up is, where we landed is in a child domain, which is dev.lab.local, and then the root domain is just lab.local. And so the whole idea is to hop the trust up from an elevated user. And then you can see, and just to verify before you do anything, it's always just good tradecraft to verify that you're actually running as a domain admin; you can see it on the domain controller. And then this is another module. So all of the, or most of the most frequently used functions in PowerView are in the network situational awareness path within Empire, and then this will get the domain trusts that exist. And as you can see, dev.lab.local and lab.local, it's a parent-child, and the trust is bidirectional. And this is where things get really scary. So do a user-to-SID for the actual lab, or the root domain, all the information; yep, so you'll get the krbtgt SID, so you'll resolve that account to its SID, which we'll use in DCSync to do evil stuff. And at any point, if you've got a long-running job, you can type "jobs" and it'll list what jobs are running, and then you can kill those jobs if they're taking too long or if you don't need them anymore, or for whatever reason. It's important to note you want to cut the -502 off of the SID, because what you'll end up doing is, really, you want the actual domain SID. So yeah, and this is DCSync. So we're going to DCSync the child domain controller first. It's the Active Directory domain controller replication protocol: it pretends the local workstation is a DC and goes to another DC and says, "hey, please replicate all this information to me," meaning the hash of this user, so you can get hashes from remote DCs without installing an agent or doing code execution on those boxes. So we'll be able to pull the krbtgt of that account using DCSync. So as you'll see, and what's nice is, when you do this, since it's a function in Mimikatz, it will actually populate the cred store with the credentials, and you'll see that here in a second, and that makes it really easy to use those credentials to throw into the golden ticket module, which we'll be able to see. So as you can see here, cred ID 6 is our krbtgt hash for the domain controller for the child domain, and you can set the cred ID to that particular cred, probably 25 different steps, yeah, and you can just do whatever user you want and set the SID, and then at the end you'll add -519, which is, I believe, the ending portion of Enterprise Admins. That's important, because I did this video like four times and didn't throw that in, and it never worked. I was getting really, really, really sad. It's to be an enterprise admin for the entire forest: you'll be able to access everything. So, you know, if you're a defensive guy, getting all the logs and everything for this, like, how do you think that would actually look when you're doing some kind of collection? That's gone. Oh, and then, like, yeah, and then run it.

I'll let that run. This will actually, with Mimikatz, inject the ticket completely into memory. It's not saving the ticket off, so nothing is touching disk. So you can see that, totally, an administrator was created for the current session in the dev domain, the child domain, and we can go back to DCSync and then just set the domain to the root and then set the user to the krbtgt of the root domain and then execute it. And what this will do is it will pull out the hash, the krbtgt of the parent domain, the root domain. And I forgot to highlight it, so I figured I would... it's amazing. Did you... it really blew my mind the first time I heard it. No, yeah, yeah. Well, after, you'll hear it in a second. Yeah, look, something has the entire forest. Yep, from a starting point: lateral spread, escalate, all those kind of components, DCSync, hop up the trust, entirely using PowerShell, staying off of disk, entirely in memory. So cool.

Let's see, yeah, all right, we have a few minutes left, and that's pretty much it for now. Again, these slides will be online after; we'll tweet them. Again, everything here is open source: the PowerShellEmpire GitHub organization has the Empire project and the PowerTools project. We actually have complete documentation for the Empire project on PowerShellEmpire.com. We spent a lot of time actually spec'ing out how to use it, how to set everything up, and making a slick interface for it. If you're interested in it, or, you know, hit myself up or Matt up. Or, I don't know if anybody has any questions, either now, or you can hit us in the hallway if you'd rather talk after. So that's pretty much it, so thank you guys so much, really appreciate it. And thank you, thank you Matt for being a very good sport for me substituting the presentation energy. Oh, and we have Empire stickers if anyone wants one after.
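The staging handshake Will describes in the talk (a static per-server staging key the defender is assumed to recover, an ephemeral client keypair wrapped under it, and a randomized per-agent session key returned under that public key), modelled end to end as an added Python example. This is not Empire's code: a SHA-256 counter-mode keystream stands in for AES, a small textbook RSA keypair stands in for the client's key, and the JSON message layout, the field names and the `STAGING_KEY` value are assumptions made for illustration. It shows both sides of the exchange, that a passive observer holding the burned staging key recovers the client's public key but not the session key, and that every run yields a different key.

```python
import hashlib
import json
import math
import secrets

# Constructed per-server staging key: static, and assumed recoverable by defenders.
STAGING_KEY = hashlib.sha256(b"constructed-per-server-staging-key").digest()


def keystream_xor(key, data):
    """Toy stand-in for AES: SHA-256 counter-mode keystream XORed over data.
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (used only to build the toy RSA key)."""
    small = (2, 3, 5, 7, 11, 13)
    if n < 2:
        return False
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits=512):
    """Toy unpadded RSA, illustration only. Returns (n, e, d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


class Client:
    """Key negotiation stager: ephemeral keypair, public key wrapped under the
    staging key, session key unwrapped with the private key."""
    def __init__(self):
        self.n, self.e, self.d = rsa_keypair()
        self.session_id = secrets.token_hex(8)
        self.session_key = None

    def stage1(self):
        info = {"n": self.n, "e": self.e, "session_id": self.session_id}  # assumed layout
        return keystream_xor(STAGING_KEY, json.dumps(info).encode())

    def stage2(self, reply):
        m = pow(int.from_bytes(reply, "big"), self.d, self.n)
        self.session_key = m.to_bytes(32, "big")
        return self.session_key


class Server:
    """Listener: unwraps the public key, issues a fresh 256-bit key per agent,
    and returns it encrypted under that public key."""
    def __init__(self):
        self.session_keys = {}

    def handle_stage1(self, blob):
        info = json.loads(keystream_xor(STAGING_KEY, blob))
        key = secrets.token_bytes(32)
        self.session_keys[info["session_id"]] = key
        c = pow(int.from_bytes(key, "big"), info["e"], info["n"])
        return c.to_bytes((info["n"].bit_length() + 7) // 8, "big")


def run_staging(server):
    """One full handshake; returns the client and the messages seen on the wire."""
    client = Client()
    msg1 = client.stage1()
    msg2 = server.handle_stage1(msg1)
    client.stage2(msg2)
    return client, {"stage1": msg1, "stage2": msg2}


def passive_observer(capture):
    """A defender with the capture and the burned staging key recovers the
    client's public key, but has no private key and so no session key."""
    info = json.loads(keystream_xor(STAGING_KEY, capture["stage1"]))
    return {"n": info["n"], "e": info["e"],
            "stage2_under_staging_key": keystream_xor(STAGING_KEY, capture["stage2"])}


if __name__ == "__main__":
    srv = Server()
    a, cap = run_staging(srv)
    b, _ = run_staging(srv)
    print("agreed:", srv.session_keys[a.session_id] == a.session_key,
          "distinct per agent:", a.session_key != b.session_key)
```

The property worth noticing is the one Will calls out: the staging key only hides the public key from casual inspection, and even with it in hand a capture of both messages gives the observer nothing that decrypts `stage2`, while a memory image of one box yields that agent's key alone. The toy primitives here are exactly that; a real implementation needs a padded public-key scheme and an authenticated symmetric cipher.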