
BSides Rochester 2018 - Detect Me If You Can

BSidesROC · 2018 · 57:18 · Published 2018-04
Category: Technical · Team: Red · Style: Talk
About this talk
Talk Description: As long as there is a "Patch Tuesday" and software has bugs, there will always be an attack vector that defensive controls cannot defend against. This is because most defensive strategies have focused on stopping attacks at their initial vector. In this talk, I will go over how I attack and bypass most deflection controls and go under the detection radar. I will then highlight the areas where defenders can begin to build a detection defense that identifies attacker behavior regardless of the initial vector. I will run through attacks I have used, which bypass several deflective controls, and show you how you can create detection controls to detect me; that is, if you can.

Bio: Ben Ten is a Senior Security Consultant with TrustedSec doing penetration testing and consulting. He has spent over 15 years doing Application & Web Development; Security Implementation, Consulting, & Training; Federal Regulation and Compliance oversight in relation to Information Technology (HIPAA, HITECH, PCI); and managing a team of developers and IT professionals. He is the creator of the PoshSec Framework and works with the PoshSec development team. He has spoken at several conferences over the past 5 years including ShowMeCon, DerbyCon, BSides Chicago/Raleigh/Dallas Fort Worth, HackCon Norway, and more.
Transcript (en)

How're you guys doing this morning? Good? Got some coffee, some energy drinks? You guys chose to come to my talk over here. I actually went to the wrong building when I first got here, and then they tried to sign me up for classes. They're like, "Welcome, new freshman!" I'm like, "No, I'm almost 40." But apparently Tora-Con is going on here this weekend too, so I walk up and there's this big old Adventure Time guy, this dude, and I'm like, "Is this BSides?" Do I ever, right? And they're like, "No, this is not BSides." I think it's all right. So I just want to say thank you to BSides Rochester for asking me to come out and

speak. It's a little bit colder than Texas. I left yesterday, it was 84, so I woke up this morning and chopped up my bed furniture for firewood and created a little fire in my hotel room, so kind of got my blood warming up again. So how many of you guys have been into recon at all? Anyone there this weekend? A couple people. All right, so I gave this talk, of a kind, last year, but I was talking with the organizers and they asked me to come out here and kind of talk a little bit about how I do evasion and how I'm getting past a lot of defenses, and then go over some of the ways that I actually see defenses

getting better. So just a little bit about me: my name is Ben Ten, at least that's the alias. My real name is Mauch, but no one can pronounce it, so Ten is way easier; it just avoids a lot of confusion. I am a senior security consultant with TrustedSec. Even though I look like I'm a college kid or high school kid, I'm actually, you know, almost 40 years old now, so it's hard to believe. That's one of our co-workers there, and everyone called him my dad. You know, I have to say though, when you're traveling and you're, like, boarding an airplane, as long as I find someone taller than me, which is like 99% of the

people, if I go right by them, especially someone with a business look, and look like I'm their kid going on, they're like, "Yeah, go ahead, little guy," and I get on the plane. It's okay, first class all the time. If you want to follow me on Twitter, it's Ben0xA, hexadecimal, little-endian one. One guy thought it was Ben Aqsa, so I'm not sure where that came from. A little bit of background: I actually have done 13 years in defense. I spent a lot of time in healthcare, dealing with 45 different hospitals. This was along the time when breaches were just becoming a thing, when they were switching from paper to electronic, so I got to endure all of

that. It was super fun; that's when I picked up "Ben." For the last three years now I've been in offense. So I started out with the company in bio Point, which is in Michigan, and then moved over to TrustedSec for the last two and a half years now. I started out as a developer. I started writing, you know, software applications; I probably coded over a couple hundred different applications, a couple million lines of code, so I mean I've definitely done my fair share, so I know what that looks like. Speaker, trainer, kind of going all around the world doing different things, and I'm a runner. It is the only sport where

height is really not a big factor, so I can run, so I run as much as I can. So one of the big things is, you know, perception, right? Most people, when they look at me, they think I'm a kid, they think I'm a college kid, whatever the case may be, and it can be a little difficult when you're trying to convince a CEO of a multi-billion dollar corporation that I actually know what I'm talking about. They're like, "Oh, we got the C team, not the, you know, B team or the A team, we got the C guy, this is the new intern." It's actually helped me out on a couple of engagements: when I break into

places they do think I'm the intern, which is great, I love it. So I broke into a place, was walking around, and whenever I see coffee I stop and get coffee. It is free coffee, right? I'm sorry, it's out, it's for me, I'm stopping, I'm getting coffee, and it's a great time to talk to people. So I sit there talking like, "Hey, how's it going? It's my first day, I just graduated from RIT, and, you know, here I am," and everyone talks; they're like this, especially the ladies that have been there the longest, they're like, "Aw, you're so cute." Like, I know. And then as I'm talking,

this guy comes up, and you can tell he's an executive just by posture and the way he is. You know, he's seven-foot-thousand, and he comes up and he's like, "New guy, huh?" Like, "Yes sir, yes, yes sir, I am." It's always "sir," "ma'am," you know, "yes sir." And he's like, "What do you... where are you at?" I'm like, "I'm trying to get into IT, I'm still trying to learn a lot of that stuff, really don't know much about computers." And he's like, "Stick with me, son, I'll teach you all the ropes, don't worry." Like, "Thank you so much." After I completely just demolished them, got into their data center, stole all of their stuff, we're at a readout

meeting. We're sitting around this big table with all the CEOs, and like everyone's upset because I got everywhere. This guy walks in the room, and because apparently he'd been on all of these calls about somebody completely destroying their company that day, he walks in on the phone, he's like, "That was you?" and I'm like, "Yep," and he's like, "Son of a..." and he sits down, right? So the point that I'm trying to make is that when we're doing any type of physical penetration testing, or when we're trying to break in, whether it requires visual contact or even a technical one, having you guys have a misperception is amazing for us. I love being considered

to be a kid, except when, like, you call the police for a local neighborhood issue and they roll up to your house in the middle of the day, and instead of them saying, "Hey, what's the matter?" they go, "Shouldn't you be in school?" So that makes it a little bit difficult, right? But overall it's fun. I really enjoy people miss... underestimate is the word I was looking for. I love being underestimated, because what it means is that you guys have an expectation of what I can and can't do without even knowing who I am, and I love that. I love getting on an engagement, especially when you get a blue team, they're like, "Yeah, you're not

you're not going to get past us, we've patched everything, we're running Defender, we're running this, we've got this, we've got that." And now, understand, there's a lot of technology out there that over the last year and a half has made huge, huge improvements on the defensive side. Love it, to a certain extent, but we can still get around most of it. And the thing about it is, and what I'm going to show you today, is that more often than not I'm not using exploits. I'm not using exploits; I'm using your system exactly the way that you designed it. So oftentimes when I get in, I haven't exploited anything; you guys let me in. I want to talk to you guys about

this guy by the name of Frank William Abagnale Jr., probably one of the most impressive people I've known of. So there's two ways to get into cybersecurity: either you study really hard, you go through, you work out, you do an internship, maybe, you know, seven years later you might get senior level; or you do some federal crime, do a year or two in prison, and then open your own business, right? So you have two different avenues of choice here, whatever you guys want to choose. But Frank William Abagnale Jr., if you do any type of research on him, you know that he was this confidence trickster, but he was

best known for being this check forger, right? You know, writing different checks, being able to cash those without anything. He was also an impostor; most people know from the movie and everything else like that, but he was an airline pilot. Now, I fly a lot; I really don't want some impostor flying my plane, right? I really don't. A physician, I mean, you know, maybe that'll help you, maybe he'll solve something that the doctors won't; again, I don't want you operating on me. A US Bureau of Prisons agent and a lawyer. The thing about Frank is that not only was he just good at manipulating people and talking with them, he's actually escaped: like, he was in the back

of a police car and escaped. By the way, this is Louisville, Kentucky, and I have no idea what happens in Louisville, Kentucky, but you get this picture. What was more impressive is that he actually escaped from an airplane while it was on the taxiway, from federal agents. So obviously he was caught, cut a deal, worked it out with the, you know, agents, whatever, helped them out, created his own company, now works for the FBI National Academy and does all this stuff, right? So, you know, he's doing much better than what he was, and most people know him from this movie, right, which is really where this talk is designed off

of, and I want to show you the scene. Kind of reminds me a little bit of my high school; I didn't impersonate the teacher, though. Hopefully we've got volume.

[Applause] So I want to point it out: this is where the light clicks. The guy says, "Yeah, he looks like a substitute teacher." Okay, here we go, here we go. [Music]

"Somebody please tell me where you left off in your textbooks. Excuse me, people, if I need to ask again I'm gonna write up the entire class. Take your seats."

"Chapter seven." "Please open your textbooks to chapter eight and we'll get started. Excuse me, what's your name?" "Brad." "Get up here in front of the class here and read conversation number five."

So here we have a perfect situation of somebody having a perception based off of visual cues and underestimating. Now, the fact of the matter is, he was not a teacher, but how do you know? How do you know that I'm not a hacker, right? I don't have a hoodie, I don't wear a mask, I don't look anything like most of your computer-based trainings that you have at your corporations. I look just like anyone else, I look normal, and yet people underestimate it. The same is true with most traffic. So, I get it, we're talking about technology, and where does Frank fit into all of this? Just

hold on, we're getting to it. All right, there's some other people that I want you to know about that maybe you may not have heard about. Anyone know about Keron Thomas? Keron Thomas operated a train for three hours when he was 16 years old. He actually rode the train, and the only reason he got caught was because he went too fast. Private Wakeman: Sarah Rosetta Wakeman was a woman who served in the Union Army during the American Civil War under the male name of Lyons Wakeman. Wakeman served with Company H, which is the 153rd New York Volunteer Infantry, and her letters written during her service remained unread for nearly a century because they were stored in the attic of

her relatives. Solomon Perel, an Israeli author and motivational speaker, was born on the 21st of April in Germany to a German Jewish family. He escaped persecution from the Nazis by masquerading as an ethnic German; his life story is told in Europa Europa, which is loosely based on his autobiography. So why were they successful? Why was Frank Abagnale Jr. successful? Why were all of these people successful in manipulating and tricking people? It's because they blended in. When you think about your technical traffic: when I'm on your network, my goal is to blend in. A lot of times you get pen testers, and they get on your network or whatever, and they're like,

"Yeah, we're just gonna throw everything at you, we're gonna, you know, light it up." Well, that's kind of like blending in like this: time to feed my babies.

[Music]

Right, it doesn't work. They can obviously tell you that you're a fake; they can obviously tell you're a fake. When I do my technical traffic, my goal is to blend in. I want you to think that I'm just a normal user. If I'm doing a physical pen test, I'm gonna make you think I'm the intern. If I'm doing wireless attacks, I'm not gonna sit there and put up, you know, a rogue access point that says "haha pwned"; it says "David's iPhone," right? That's all it says, that's what this is. I'm not gonna try and make it super elite. The problem becomes, when we look at defenses, they're being done incorrectly,

because defenses are being designed around disclosures instead of discovery.

They are. If you think about defense, so you think about MS17-010, you know, the first time it came out everyone was cool, and then March came around and everyone was not so cool, and then all of a sudden, you know, April hit and everyone's like, "Oh my goodness, patch all the things," right? And then you built your defense around that disclosure, all the while I wasn't using MS17-010. In fact, we didn't start using MS17-010 until probably mid to late in the year, because it had a 50% chance of blue-screening your system, which wasn't... I mean, we're pen testers, we're not here to break things.

It was a 50% chance, but we were still getting DA. When you look at defense, a lot of times they'll focus specifically on antivirus, like that's the first go-to, and please understand that none of these things by themselves are bad or wrong, and it's all good to have layered defense, we want this; it's just a focus of priority. Then they go to patch management, maybe they'll have an IPS, they'll put sync clients on every box whatsoever. Had a client once, they had 15 different things running in the background; it was great, but the user couldn't do any work. They're not bad, they're not all bad; it's just that the focus of security is not

being focused correctly; they're being focused on the wrong thing. Like, this was an actual TSA agent stealing Woody's gun because guns aren't allowed on planes. So I want to talk to you a little bit differently about when it comes to how defense should be done, and it should be done in this order: detection, deflection, and deterrence. Now, detection is very plain: it's detecting that behavior. Deflecting means stop the attack, and this is where your antivirus and everything else can come in. And the deterrence is gonna be policies, procedures, patch management, things that you will actually put in place that will deter me. One of the things that we'll talk about in a little bit is paths of

least resistance. So I was on an engagement and I had system administration on five different boxes. I'm going to town, I am just destroying this company, and we like to have open communication while we're doing a pen test, to say, "Hey, this is what we've got." Well, I contact the client and I'm like, "Hey, I have, you know, system-level access, I'm just about letting you know, just about to the point of DA, you know, giving you an update," and they're like, "Oh really?" "Yeah, yeah, I've been on this box for the last, you know, five hours," or whatever the case may be. Okay, while I'm on the phone, the VPS that I

was connected to, it blinks, like it goes black and then comes back, and I'm like, that was weird. So I'm sitting there, and then I go to open up the command prompt again, and all of a sudden: "This program has been blocked by your system administrator." I'm like, no, that's not cool, and we'll get into that in a second. So then I go to PowerShell: "This program has been blocked by your system administrator." I'm like, okay. So then I go to one of my other five boxes, and none of those are blocked. So during the pen test they blocked my access, and they're like, "Yeah, you shouldn't have had access to those anyways." Okay, so that's not the point of the pen

test. So they blocked PowerShell and I couldn't use PowerShell, so I wrote a program called Not PowerShell and dropped the binary on the system and continued to own the systems, right? And so that's actually available on my GitHub page, Not PowerShell, and so you can actually run it; you can run any PowerShell code that you want, and it does not... so powershell.exe is not PowerShell, and if you're doing application blacklisting where you actually block powershell.exe, that's not gonna stop PowerShell, right? It's just not. So that was the reason I wrote Not PowerShell: because when I was doing the pen test they were trying to shut it

down. This is another piece that we found on some of the pen tests: some of the organizations, they are so focused on winning the pen test that they lose the value of the pen test. And I get it, you guys, you know, there's some organizations out there where this is based off their budgets; you want to make sure that you're doing the company good; if I come in and rip everything up, it's gonna make you look bad. But I disagree with that mentality, and if you're in a management or executive position and you punish your team because of a bad pen test, that's wrong. The pen test is meant to be a team

effort, where I help you find vulnerabilities so that you know how best to secure your system. The pen test is not a report card, it's not a test, it's not an exam; it is me pointing out new advances, new techniques, some of which we've not released, that we're able to bypass your controls with. So let me talk to you a little bit about how I get around some of your defenses. So this is an nmap command; seems pretty straightforward. If you don't know all of the switches, like the first time I looked at nmap and I saw all the switches, I'm like, I'm never gonna learn all these things, but after a while you get used to it. Anyone

know what -g 88 does? Like, if you look at all of your nmap tutorials, nowhere does it list a -g in there. Do you know why? So when you send out a port scan, oftentimes it will put the source port as the destination port. Okay, TCP doesn't work that way, right? When you connect to something, it chooses a random port for the source port to connect to the destination port. So for -g 88, I'm actually telling it to set the source port to 88. Does anyone know what TCP 88 is? Kerberos. Now how many of you guys are inspecting all of your Kerberos traffic in Wireshark? Yeah, I don't think so. So this goes under the wire.

-sS, does anyone know what this is? Yeah, so it's what's called a half-open. So what's the three-way handshake? If I say SYN, you would say ACK, and then I would say SYN-ACK: SYN, ACK, SYN-ACK, right? "Hey, how's it going?" "Doing well." "Awesome." Right, three-way handshake. What -sS does is: "Hey, how's it going?" "Awesome," and I close the connection; I don't send the SYN-ACK. It's a half-open, right? So there's not a full connection there; all I'm looking for is, can you hear me? And then I move on, right? -Pn, does anyone know what this is? No ping. I don't care, I don't need an ICMP, right? I actually had somebody tell me to

ping port 80 once. I'm like, that's not the way that it works; you can't ping a port, ICMP is a different protocol. -n, for no DNS resolution; I don't want to hit your DNS servers. This sets the port to 445; SMB is a super awesome port. --open, I only care about the open stuff. Oops. And then we give it the IP range. Now, what most people don't realize is, when you do an nmap scan, if you do the -F scan it'll do the top 100; if you do just normal ports, it'll do the top 1,000, right? So with nmap I only do one port at a

time

because 99% of the time I'm gonna find something on one of the, you know, top 20 ports that we always do: web, SMB, LDAP, DNS, all your database servers, all of those. You know, there's a couple of other ports that we use, but we have like 20 ports that we always hit, and when we find it, generally we don't have to really go beyond that, because you have just enough misconfigured with those 20 ports that I really don't care about the other 65,000. So I do one port at a time, that's it. So I'm not getting on your network and running a thousand ports, so I'm not

tripping any IDS, I'm not tripping anything else; I'm doing one port at a time and I'm blending in. Remember, we're talking about Frank and how he was successful; my goal on your network is to blend in. I don't want to come in as a bull in a china shop. I'm gonna be blending in: don't mind me, I'm just a little guy, I don't know what I'm doing, ignore my traffic. So if we look at this, there's also another way that we can do some of this stuff. Have you guys ever heard of Responder? Anyone who's... okay, do me a favor, just because I want to hear who has not heard of Responder, can you raise your

hand please? I know people don't like to post. Okay, I love this, this is amazing. You're either gonna be like, "That's awesome," or you're gonna cry, one of the two, depends on what you're doing.

Let's make sure my ports are closed. [Music] Oh.

Okay, let's look at my interface. So when you do a DNS query, you need to know the proper order of DNS queries. Now, this is important. So it first goes to your local hosts file; so if I'm looking for, you know, computer name "Ben," it first goes to your local hosts file. If it doesn't find it, where does it go? DNS. If it doesn't find it in DNS, where does it go? Where? I didn't hear you, what was it? So it'll go out and then it'll do what? So if you have NBNS and LLMNR enabled, it'll actually do an NBNS/LLMNR broadcast. Now, NBNS stands for

NetBIOS Name Service; LLMNR stands for Link-Local Multicast Name Resolution. So what it does is say, "Hey, does anybody know who Ben is?" and normally it comes back with, "No, I have no clue." Responder says, "Why yes, yes I do know who Ben is; I'm Ben, come talk to me." So if you're in the lab here right now, my recommendation is that you don't do this right now; a lot of you, some of you, are on company laptops or whatever, so don't run Responder on the network right now, because you might get someone. Just a disclaimer, okay. I'm privately, locally here, so it's not gonna be a

big deal. So if I type net use... can you guys see that okay, or is it a little too small? Let's make it a little bit bigger.

net use \\ben10.rit.lan\share. Does this exist? Yes or no? No.

[Music] What that is: that is a computed hash of the three-way handshake with SMB. We can take that hash and crack it offline. So if you have a misconfigured service on your system that's constantly broadcasting out to the wrong host name, or just in general you accidentally type the wrong thing, we can capture your hash, and oftentimes this is how we get first access to your system with no credentials at all: we just start running Responder and see what comes back. So at this point, have I exploited anything? No. I'm using the system exactly the way it was designed. I haven't exploited anything, I haven't launched, you know, the Low Orbit Ion Cannon, I haven't done anything, I haven't

opened up Metasploit, and already I have a hash that I can crack offline. If I can get a user's credential without exploiting anything, that's golden, right? So I want to show you something else here.

So, a guy by the name of Casey Smith, and I think that if you haven't heard of him you will want to follow him immediately, especially if you're going to be in defense, because he makes defenders cry. He's @subTee. He realized that every computer, I think from XP forward, has this nice little program called msbuild, and msbuild does exactly what it sounds like: it actually builds a C# application that you have on there, which is great. Linux has this natively too, by the way; it's called xbuild. So if you're on a Linux box, xbuild is just the Linux version of msbuild, and xbuild will

actually build a .NET binary for you, which is really, really handy. So Casey actually found out that you can import some of your C# code into the msbuild XML file. So I was like, that's neat. So I decided that I was going to take my Not PowerShell, which is here, and so you can see that I already had the core for this, and then I realized that I could invoke PowerShell directly in memory without actually touching disk, which is also super awesome. So I have this neat little Invoke-Memory NPS, and then I went with my coworker Larry Spohn, @Spoonman1091, and we created this brand new tool called NPS Payload, and every

tool with ASCII art is awesome, right? So that's the only way you can do it. So if you guys want to check that out, it's actually on TrustedSec's GitHub repository. We released this at Black Hat last year; we used it for a year with zero detections, and the moment that we released it, it started getting popped all the time. We do have a workaround for this that is evading every detection, but we're not releasing it yet, sorry. So let me show you this. So let's say I ran Responder, I got your credentials, right, log in to the box whatever way it could be. Just... here's a thing: I'm all for RDPing into a box. If I can RDP, and

you don't have any restrictions on there, I'm RDPing into a box. You'll hear a lot of people say, "Don't RDP into a box, you'll get caught." You're not gonna get caught. Like, I log into RDP all the time; if I can RDP in and there's no other authentication mechanism, no cert signing, I'm logging in to that box, I don't care. I have yet to have someone detect me. The only time that someone detected me was when I was DA on a box and I was logged in, and I could see them log in, and then they tried to deactivate my account, and then they would log off and I would just re-enable it, and so it

was this cat-and-mouse game for a little bit. Like, I was disabling the account, re-enabling the account, the same thing; I thought I was having fun, the guy was probably pissed, but it was going back and forth, and then all of a sudden I just kicked him off the server. You know, I have no problems RDPing into a box. So then what you do is you can use this nice little tool I have here,

NPS Payload, and what this does is it actually generates a payload for you using that msbuild exploit, or technique, I should say. So I'm gonna choose one. Number two is our brand new one; it's a C# one, it does it in memory. I'm not releasing it, and unfortunately I'm not going to demo it here right now, just because we want to keep it somewhat internal. But we do have a direct C# one, so that doesn't touch disk, just to let you know, to make you happy. And then we're going to choose our reverse HTTPS, we'll choose our IP,

and that's it. Now I've got some instructions down here on how you can actually launch this and get the payload over there. I'm gonna show you a couple different ways. So the first is, you'll notice that we have this msbuild XML file, so if we open this up,

you can see it's just an XML file. Yeah, there's my payload and there's my Not PowerShell, and that's pretty much all it is, pretty straightforward stuff. And it just so happens that, because of the way that msbuild builds, anything in this code thing right here, it'll run. So, thank you, msbuild. So I can actually take all of this code if I want, I can paste it in here, I can put it in the temp directory, "not a virus." Really, no kidding. Right now there's no temp directory; I could just put it in C:\PSF\notavirus, but I'll put it in tools here. All right, so what you can do then is msbuild

.exe and then point it to that file. But before I do that I actually have to set up my listener, so I'm gonna come back to my box over here. We also have this RC file, which is nice, because you can do msfconsole -r msbuild.rc, and it's gonna load up Metasploit and then put all of the stuff from that thing in there, and it starts a handler. The other thing I like to do is load sounds; if you've never done load sounds in Metasploit, it's amazing, and you'll see why. So then I can come over here, I can do msbuild, point it to this text file; even though it's an XML, I just named it .txt.

msbuild doesn't care. Exit. That's mutts, by the way. There we go, we got our session. There we go. Have I exploited anything? No. No exploits so far, okay. So the other thing is, it's like, "Well, we prevent writing to the disk, and we're gonna inspect..." You're inspecting text files, are you? Okay, you're inspecting log files? Oh, okay. Well, let's say that you are. Fine, sounds good to me. I'm gonna exit out of here and I'm gonna take my msbuild NPS XML and I'm gonna move it to my Samba share.

So I've moved it over to this "really not a virus" .log file, and I'm gonna start up my Samba service, and the great thing about msbuild...

Oh, I didn't start the... hold on.

there's my session

Let's try this again; make sure my job's still running. So the great thing about this is that we can just use the UNC path. Go to shell, and there you go. By the way, I turned that on for a CCDC one time, which is the Collegiate Cyber Defense Competition, and unfortunately I launched it out to all the teams, and I was like, "Got to show you, it's a shell." Excellent, thanks. Excellent, I salute. Stop, look at that. Did I touch disk? No. Have I exploited anything? No. Do you see the difference here? When you build your defense around disclosures, you're missing this, because I'm blending right in with normal traffic. You now have to begin to think, on the

defensive side, how am I actually going to be looking for stuff like this, right? I just used SMB. I did exactly what everyone's doing every day; I just pulled in a file, and it's a log file. You're not scanning log files. I mean, if you are, agreed, but it's on my box, so you're not scanning it, and I've already got a shell.

So there's my demo. Hey, look, here we go, Adventure Time, see, it just happened. So let's look at the other side: how were they caught? So Keron Thomas, he operated the train a little bit too quickly around one of the curves, so they keep the sensors on that, right, and so they basically are like, "Why was this train going too fast?" So they investigated, found out that he actually just liked trains a lot; the door was open, he went in and started operating the train. Like, what's the big deal, man? People got to work on time, who cares, right? He was only caught because he went too fast. I get caught when I go

too fast on all my networks: if I try and scan too quickly, if I try and pop a box too quickly, if I don't take my time and effort to do that, I'm going to get caught. What about Private Wakeman? Well, actually, she wasn't caught. She's buried as Lyons Wakeman. Her letters and the record of her military experience were discovered more than a century after her death in a relative's attic. She successfully got through all of the detection of the military to figure out whether she was a man or not. Now, I don't understand how that's possible, but she did it. I mean, it's a modern-day Mulan, right? I mean,

it's a modern-day, you know, thing. What about Solomon Perel? He was discovered by his girlfriend's mother, but she didn't turn him in. So he was caught, but he didn't get turned in. Now, how many times, in a situation at your corporation, will a user identify something out of the ordinary but not turn it in? We'll get to that in a second. What about Frank? He was eventually arrested in Montpellier, France, when the Air France attendant he had previously dated recognized him and informed the police. So if you're going to be a pen tester, don't date the people that you're breaking into. Just a little tip, pro tip, right? So how

do you get me with what I've shown you so far? Now, there are ways to do it: you can look at MSBuild, you can look at process inspection, you can use Sysmon and look at that. But what about Responder? How do you detect Responder activity? Anyone? "I'd just pcap the entire thing and read it." I'm sorry? You can, you can disable NBNS and LLMNR, absolutely, but it breaks a ton of stuff. So if you're with a new upstart company, yes, they probably don't have anything legacy. If you're at a company that has any legacy software whatsoever, chances are you're going to break something, right? And it's a very difficult thing. Yeah,

so that's true. So how are you going to catch me at two o'clock in the morning, because I don't sleep, right? How are you going to detect me? And here's the other thing, think about it: what happens if I'm a legitimate employee? You gave me creds; I didn't even have to get that. But let's say I want to get yours. I'm already on the network, I'm already doing this, so how are you going to do this? So it's a good thing you asked, because I wrote a neat little tool called Invoke-HoneyCreds.

You always run everything as administrator, please. It makes my life easier.

So Invoke-HoneyCreds is a neat little tool that I wrote, and it's specifically written in PowerShell. I've got a Python version of it coming out here soon. But similar to a honeypot, what this does is it actually injects a set of fake credentials onto the wire. The only way somebody's going to see these is if they're doing packet capture or Responder. That's it. These credentials do not have to exist in your domain at all. But what you want to do when you set this up is make it look legit. If you set up a user ID that's in, you know, fakedomain\weregonnagetyou, I'm going to know it's a fake account, right?

That's like people setting up honeypots. When I hit a honeypot and it responds on all top 1000 ports, okay, it's a honeypot, yay, you did it, right? Oftentimes people set up the honeypot and walk away. They don't check any logs, they don't do anything about it. If you're going to do it, do it. Make me want to use these credentials. So what you would typically do is, like, you know, RIT North America, right? Even though that domain may not exist, it looks legit, right? RIT North America. I don't know if there's an RIT South America, but, you know, whatever, right? And then what about

this one? Does that look legit? Absolutely, that's ECM updater, sure, why not. And then put in a password, right? Let me make sure Responder is not running.

Okay, oh, I have to try my SMB, hold on.

Okay, so you can see that my Ben0xA box there is trying to come up with its SMB traffic, but don't worry about that. So if I press Enter there, what this is going to do, and I'm actually going to kill Responder, is it's injecting these fake credentials onto the wire right now. That's all it's doing. So the moment that I bring up Responder, look at that, it's looking for RITNA. There's that NBNS query. Oh, what do we see? Oh, and I have a previously captured hash there, so I do two things. One, I actually send the hash. It didn't display on the screen because I already had it; I forgot to clear the database. But I also send

it clear-text creds. If I give it a hash or clear-text creds, which is it going to use first? Clear-text creds. Wait, why am I going to try and crack a hash, or pass the hash, that I may or may not be able to, when I've got your clear-text creds? You know what's cool is that even though I haven't even used these credentials, you have an alert on this side saying that someone's actually running Responder on your domain. This shouldn't... this should always be blinking. And I will say that this has to be done in every broadcast domain, so whatever that subnet is, you have to be in the same

broadcast domain so that you can do NBNS queries, because those are limited to the broadcast domain, right? That's the only caveat to this. So you would have to run HoneyCreds in every broadcast domain that you've got. So the moment that you get a 200 here, you know that someone's running Responder on your network, and you have an early warning indicator. This should never complete. RITNA does not exist. There's no reason for this to ever complete. Ever. Never. There are no false positives with this. So this is what's called creating a path of least resistance. We as attackers, I don't like to have to work hard, unless you tell me that I'm not going to get past

your defenses; then I write new tools just to piss you off, right? That's the idea, right? I don't like to have to do extra effort. So if I see a Tomcat box with default creds, I'm going after your Tomcat box with default creds, because that's going to be an easy win for me. But if you set up a Tomcat box with default creds that's completely isolated, and all of a sudden someone logs into it and drops some malicious WAR file on there, you're going to have an early warning indicator that you've got a malicious actor on your network. The idea is: you can't detect me everywhere. You can't. I don't care. We have dealt with every

corporation on the Fortune whatevers, and I'll tell you, I have seen budgets from super small to "oh my goodness, I can't believe they don't own their own country" budgets. They can't ingest it all, and they don't have the money, time and resources to be able to do it. Well, I don't care what company you're at, you can't do a hundred percent. So the idea is to put your detection around a specific area and make a path for that attacker to go to it. This is one of them. Put this out there, and you're going to get an early warning indicator that someone's on your network trying to do malicious activity. The other thing is that

when you think about detections, you're focusing on the exploit. I want to go back to that. You're focusing on patching and vulnerability management, and that's great, but is anyone ready for May's Patch Tuesday right now? Are you guys prepared for May's Patch Tuesday? Do you have those vulnerabilities already? You know Microsoft already has those vulnerabilities in play, right? They're writing the fixes right now, which means there are vulnerabilities that exist that you don't know about, that you can't patch. So if your defenses are built around the initial vector, you're always going to be playing catch-up. It will always be this whack-a-mole security where you go after it the moment that something comes up, you're like bam, bam, bam, and you get

you get upset because you can't detect it, you can't stop it. I've got something right now that no one has except for my company, right? It's because I was on a gig and someone told me I couldn't do something, so I wrote a new tool. So you can thank that company. So how, what are some other signs, how can you detect me? Whenever I get a box, regardless of how I got in, regardless of the initial vector, I'm going to be doing several things no matter what: looking for who I am, looking at users. That's always going to be a one. If you see a net user command and it's

outside your normal behavior, like, why? No DA is going to be on the domain controller running net user on all 5,000 of your boxes. You're going to be using the MMC; that's part of that. cmd /c, reg, MSBuild is going to be a big one, wscript. And if you haven't, you need to have a basic understanding of PowerShell. Windows Server 2016 Nano Server: do you know the only way that you can administer those is PowerShell? There's no GUI. I want to show you one other thing that you'll want to keep into consideration. I know a lot of people are looking at specific command-line usage. I'm going to show you something I

actually haven't even released yet. How about that? You guys want that? You guys want to see something new that I haven't released yet? You guys want to see it? You want to see it? All right. You might cry. So there was this neat thing that I saw the other day where you can actually do something like this: echo whoami | cmd -. Never seen this? You know what, the dash takes in from standard input. So when I pipe that whoami command, it's actually going to take it in, and there's my whoami. And what's neat is that when you look at the 4688 event ID, which is "new process created", the only

thing you see is this. I'll show you. So we look at our Windows Logs, Security. Oh, I hope I did... did I turn it on on this one? I mean, I might have turned it on on this one. Oh no, I might not have turned it on on this one. Bummer. Okay, well, you have to trust me on that one. So it's 4688. The only thing you see is this: cmd.exe. You can also do cool things like this.

You can also do things like... so this is what I haven't shown everyone. So you will get two event IDs, and you can somewhat see in there. So here's what I do. Has everyone seen this?

Oops.

And then if I go like this...

Goodbye, forensics. You know why? None of those commands show up in the Event Viewer at all. And the other thing is that whatever I type after the con does not go anywhere. type con: it just takes in from the standard console. So I can type all of my commands into that type con, save it to a file of anything legit, run it, delete the file, and you have no insight at all. I've not released that, so there you go. What do you guys think? Pretty cool? People are crying. I don't mean to make it sad. So a couple of things real quick. Asset identification is really important: knowing what assets you have. If you're not ingesting your logs, you need to. If

you don't know what event ID 4688 is, you need to, if you're going to have any chance of knowing what I'm doing. Look at user behavior analytics, UBA. That's going to be normal baseline activity versus not-normal baseline activity. If all of a sudden Ben in accounting starts using carets and pipes to standard input, that's probably not a good thing. I doubt they're doing cybersecurity stuff in their spare time. Creating those paths of least resistance: you can't detect everything, so make me, invite me to go someplace where you have the most detections. Empower your users with education. Education, not training. Training and education are two different things. Training: I don't have any investment in

you whatsoever. If you take what I have to say, if you go to one of my trainings, I will train you. If you don't learn it, it doesn't make a difference to me; I still get paid. Education is different. I care enough to make sure that you fully understand, because your success impacts me. And if you want your users to do that, you need to reevaluate how you're educating them. So I have a lot more here, but we're running out of time. Talking about flat networks, like, I get it. Like, if anyone ever comes to you and they're like, "Hey, you have a flat network," get over it. It's done.

There's nothing you can do. That's like trying to add a basement to your house after it's been built, while people are still living in it, and you can't cause disruption. Just stop, please, just stop. All right, set up your NACs. Do it properly. I actually had a NAC where the only bypass was pressing Escape at the 802.1X prompt. I hit Escape and it let me on. Yeah. You need to test those things. Disable ports that you don't need. Not everything needs a dynamic address, you guys realize this, right? Not everything needs DHCP. There are certain situations where static is actually going to be better, and not having a DHCP

server in a certain subnet is going to be great, because if you don't have a DHCP server and I plug in, you're going to get an alert. It's going to be great. I encourage ELK; it's a great system. If you're not using it, use it. There are actually a lot of people that are using Carbon Black and Splunk, and they're actually dumping everything to ELK. So I actually do trainings on ELK; I actually teach you how to write alerts and stuff like that. So if you're not doing it, make sure you guys are looking into that. And then I think that's about all the time I have here, so thank you guys very much. I appreciate it,

and enjoy the rest of the conference. [Applause] Oh,

thank you very much. Thank you.
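The honey-credential idea in the talk rests on one observation: a name that does not exist anywhere (RITNA in the demo) must never resolve, so any NBNS or LLMNR answer for it can only come from a poisoner such as Responder. The following is an added example in Python, not the speaker's Invoke-HoneyCreds and not code shown in the talk. It builds the two name-query packets by hand, parses any positive answer, and reports the address a poisoner tried to steer the canary to. The canary name, the transaction IDs, and the hand-built reply bytes used in testing are assumptions for illustration; `probe()` does real network I/O and, as the talk notes, has to run from a host in each broadcast domain because neither protocol crosses a router.

```python
"""Poisoning canary: query NBNS and LLMNR for a hostname that does not exist.
Nothing legitimate should ever answer; any positive answer is an alert.
Added example; not the speaker's tool. Canary name is an assumption."""
import secrets
import socket
import struct

CANARY_HOST = "RITNA"          # assumption: must not exist in the environment
NBNS_PORT, LLMNR_PORT = 137, 5355
LLMNR_GROUP = "224.0.0.252"


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name plus suffix
    byte, each nibble mapped onto 'A'..'P', wrapped as one 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + encoded + b"\x00"


def encode_dns_name(name: str) -> bytes:
    """Standard DNS label encoding, used by LLMNR."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_nbns_query(name: str, txid: int) -> bytes:
    # flags 0x0110: broadcast (B) + recursion desired; QDCOUNT=1; type NB, class IN
    return (struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
            + encode_netbios_name(name) + struct.pack(">HH", 0x0020, 0x0001))


def build_llmnr_query(name: str, txid: int) -> bytes:
    # LLMNR is DNS wire format: flags 0, one question, type A, class IN
    return (struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
            + encode_dns_name(name) + struct.pack(">HH", 1, 1))


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a label sequence (or a 2-byte compression pointer)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_answer_ip(data: bytes, txid: int):
    """Return the IPv4 the first answer points the canary at, or None if the
    packet is not a positive answer (QR bit set, ANCOUNT>0) to our transaction."""
    try:
        if len(data) < 12:
            return None
        rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
        if rid != txid or not flags & 0x8000 or an == 0:
            return None
        off = 12
        for _ in range(qd):                      # echoed questions, if any
            off = _skip_name(data, off) + 4
        off = _skip_name(data, off)              # answer owner name
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == 0x0020 and rdlen >= 6:       # NBNS NB record: NB_FLAGS + IPv4
            return socket.inet_ntoa(rdata[2:6])
        if rtype == 1 and rdlen == 4:            # LLMNR A record
            return socket.inet_ntoa(rdata)
    except (IndexError, struct.error):
        pass
    return None


def probe(name: str = CANARY_HOST, timeout: float = 2.0) -> list:
    """Send both queries on this broadcast domain; return (sender, claimed_ip)
    for every positive answer. Any non-empty result is an alert."""
    hits, txid = [], secrets.randbelow(0x10000)
    targets = ((build_nbns_query(name, txid), ("255.255.255.255", NBNS_PORT)),
               (build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT)))
    for pkt, dest in targets:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
            s.settimeout(timeout)
            s.sendto(pkt, dest)
            try:
                while True:
                    data, (src, _port) = s.recvfrom(1024)
                    ip = parse_answer_ip(data, txid)
                    if ip:
                        hits.append((src, ip))
            except socket.timeout:
                pass
    return hits


if __name__ == "__main__":
    for src, ip in probe():
        print(f"ALERT: {src} answered for {CANARY_HOST}, pointing it at {ip}")
```

The transaction ID is random so that unsolicited or stale packets cannot trip the check, and the parser tolerates both response shapes seen in practice (NBNS answers with QDCOUNT=0, LLMNR answers that echo the question and may compress the owner name). Pair it with a scheduled run per VLAN and an alert on any non-empty result; as the talk says, there is no legitimate reason for the canary name to ever resolve.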
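As a second added example (again not the speaker's code and not shown in the talk), here is the detection side of the closing part of the talk: triage of 4688 process-creation events for the recon commands named (whoami, net user, cmd /c, reg, MSBuild, wscript), for a shell driven from standard input (`cmd -`, `type con`), where the command text never reaches the event and the launch shape is the only signal, and for a per-user baseline in the UBA sense. The event records, account names and paths below are constructed, not real telemetry; field names follow the 4688 event (SubjectUserName, NewProcessName, CommandLine, ParentProcessName), and command-line auditing must be enabled for CommandLine to be populated at all.

```python
"""Behaviour-based triage of Windows 4688 (new process created) events.
Added example. Events are CONSTRUCTED dicts carrying the 4688 fields this
logic needs; a real pipeline would fill them from the Security log or Sysmon."""
import re
from collections import defaultdict

# Post-access recon / LOLBin activity an attacker runs whatever the initial vector
RECON = {
    "whoami":   re.compile(r"\bwhoami(\.exe)?\b", re.I),
    "net_user": re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b", re.I),
    "cmd_c":    re.compile(r"\bcmd(\.exe)?[\"']?\s+/c\b", re.I),
    "reg":      re.compile(r"\breg(\.exe)?\s+(query|add|save)\b", re.I),
    "msbuild":  re.compile(r"\bmsbuild(\.exe)?\b", re.I),
    "wscript":  re.compile(r"\b[wc]script(\.exe)?\b", re.I),
}
# A shell fed from stdin ("echo whoami | cmd -", "type con") leaves no command
# text in 4688, so the launch shape itself is what we key on.
STDIN_SHELL = re.compile(
    r"(\bcmd(\.exe)?[\"']?\s+-\s*$)|(\btype\s+con\b)|(\|\s*cmd(\.exe)?\s*$)", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Signature-style reasons for one event (empty list means nothing notable)."""
    cl = ev.get("CommandLine", "")
    reasons = [f"recon:{name}" for name, rx in RECON.items() if rx.search(cl)]
    if STDIN_SHELL.search(cl):
        reasons.append("stdin_driven_shell")
    return reasons


def build_baseline(events) -> dict:
    """Per-user set of process names seen during a known-good window."""
    base = defaultdict(set)
    for ev in events:
        base[ev["SubjectUserName"].lower()].add(_basename(ev["NewProcessName"]))
    return base


def detect(events, baseline: dict) -> list:
    """Alert on recon patterns and on processes never seen before for that user."""
    alerts = []
    for ev in events:
        user = ev["SubjectUserName"].lower()
        proc = _basename(ev["NewProcessName"])
        reasons = score_event(ev)
        if user in baseline and proc not in baseline[user]:
            reasons.append(f"new_for_user:{proc}")
        if reasons:
            alerts.append({"user": ev["SubjectUserName"], "process": proc,
                           "cmd": ev.get("CommandLine", ""), "reasons": reasons})
    return alerts


def _ev(user, proc, cmd, parent):
    return {"SubjectUserName": user, "NewProcessName": proc,
            "CommandLine": cmd, "ParentProcessName": parent}

# Constructed known-good week: what each (hypothetical) account normally launches.
BASELINE_EVENTS = [
    _ev("ben.accounting", r"C:\Program Files\Microsoft Office\EXCEL.EXE", '"EXCEL.EXE"', r"C:\Windows\explorer.exe"),
    _ev("ben.accounting", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", '"OUTLOOK.EXE"', r"C:\Windows\explorer.exe"),
    _ev("it.helpdesk", r"C:\Windows\System32\cmd.exe", '"cmd.exe"', r"C:\Windows\explorer.exe"),
    _ev("it.helpdesk", r"C:\Windows\System32\mmc.exe", "mmc.exe dsa.msc", r"C:\Windows\explorer.exe"),
    _ev("it.helpdesk", r"C:\Windows\System32\net1.exe", "net1 user jdoe /domain", r"C:\Windows\System32\net.exe"),
]

# Constructed events under review.
NEW_EVENTS = [
    _ev("ben.accounting", r"C:\Windows\System32\whoami.exe", "whoami /all", r"C:\Windows\System32\cmd.exe"),
    _ev("ben.accounting", r"C:\Windows\System32\cmd.exe", "cmd -", r"C:\Windows\System32\cmd.exe"),
    _ev("it.helpdesk", r"C:\Windows\System32\mmc.exe", "mmc.exe dsa.msc", r"C:\Windows\explorer.exe"),
    _ev("it.helpdesk", r"C:\Windows\System32\net1.exe", "net1 user /domain", r"C:\Windows\System32\net.exe"),
    _ev("ben.accounting", r"C:\Program Files\Microsoft Office\EXCEL.EXE", '"EXCEL.EXE" budget.xlsx', r"C:\Windows\explorer.exe"),
    _ev("it.helpdesk", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe build.csproj", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for a in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{a['user']:16} {a['process']:12} {', '.join(a['reasons']):45} {a['cmd']}")
```

Two things fall out of running it on the constructed data. The helpdesk account's `mmc.exe` and routine `net1 user` never trip the baseline, while the same `net user` still carries a recon tag so an analyst can decide whether that role should be doing it; and the accounting account's bare `cmd -` is flagged even though the record contains no command at all, which is exactly the case where command-line inspection alone goes blind.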