2017 q1 arcticcon - meet up - adventures in adversarial emulation
TRANSCRIPT
Adventures in Adversarial Emulation: Common Approaches and Trends
Q1 Meet Up
The Speaker Overview
Name: Scott Sutherland
Job: Network & Application Pentester @ NetSPI
Twitter: @_nullbind
Slides: http://slideshare.net/nullbind, http://slideshare.net/netspi
Blogs: https://blog.netspi.com/author/scott-sutherland/
Code: https://github.com/netspi/PowerUpSQL, https://github.com/nullbind
The Presentation Overview
• The Problem
• The Goal
• The Approach
• The Difference
• The Hunt
• The Trends
The Problem
Companies spend millions on detective controls, but don’t know if they can detect common:
• Indicators of active attack
• Indicators of compromise
• Indicators of data exfiltration
The Goal
• Understand the company’s ability to identify and respond to common real-world threats
• Understand how to improve detective and preventative control capabilities
• Verify that third party service providers and products are detecting what they say they can
Service Overview: Approach
The Approach
The Approach: Summary
1. Inventory known controls
2. Emulate attacks
3. Monitor security events and alerts
4. Identify gaps in controls
5. Provide actionable feedback and recommendations
6. Provide Mitre style heat map
The Approach: Inventory Known Controls
Interview key members of the security and incident response teams to inventory existing preventative controls, detective controls and detective control boundaries. Common control placement and boundaries include:
• External network zones
• Internal network zones
• Wireless network zones
• Email gateways, servers, and clients
• Workstations and servers
• Network devices
• Applications
• Databases
The Approach: Emulate Attacks
Emulate attacks using common tools, techniques, and tactics used by real-world attackers, in multiple variations of common attack kill chains, across the identified detection control boundaries.
• Threat agnostic
• Many kill chain variations
• Common tools
• Common techniques
• Common procedures
• Mitre ATT&CK covers post exploitation pretty well
The Approach: Monitor Security Events
Monitor security events and alerts in real-time with security teams:
• External network zones
• Internal network zones
• Wireless network zones
• Email gateways, servers, and clients
• Workstations and servers
• Network devices
• Applications
• Databases
The Approach: Identify Gaps
Identify major gaps in detective and preventative controls by working with security teams in real-time during the test to determine which security events:
• Go completely undetected
• Are logged
• Trigger correlation rules
• Trigger alerts
• Trigger incident response
Service Overview: Identifying Gaps
The Approach: Actionable Feedback
Provide actionable feedback that includes the information below so internal security teams can build better defensive capabilities:
• Log sources
• Generic indicators of attack and compromise
• Generic SIEM correlation rules
• Preventative control options
• Mitigation options
• Existing controls
The Approach: Notes from BruCON
Below are some notes from the Chris Gates + Chris Nickerson presentation at BruCON. Great notes for internal teams!
http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
• Create a charter
• Provide metrics – readiness/resistance to TTPs + pretty charts
• Build an attack simulation lab with all preventative and detective controls
• Work through the Mitre ATT&CK techniques in the lab
• Continuously validate prod controls
• Work closely with the internal team
• Establish rules of engagement, procedures, and workflows with the internal team
• Estimate resources: people, servers, crack box, VMs, access to defensive tools
• Document sharing to store and share info
Service Overview: Deliverables
The Approach: Notes from BruCON
1. Gather threat intelligence about and threat attributes
2. Compare to capabilities map (preventative and detective)
3. Predict likelihood of successful attacks before they happen
Source: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
Service Overview: Providing Guidance
The Differences
The Difference: Service Goals

Network Vulnerability Assessment
• Identify known and common configuration, patch, and code related vulnerabilities at the server and web application layers.
• Meet compliance requirements.

Network Penetration Test
• Help companies determine if identified vulnerabilities can be used to gain unauthorized access to protected networks, systems, application functionality, and sensitive data.
• Identify known and common configuration, patch, and code related vulnerabilities at the network, server, and web application layers.
• Meet compliance requirements.

Network Red Team Testing
• Attempt to gain unauthorized access to an environment using paths of least resistance without detection, and maintain that access for a pre-determined period of time in order to test the Incident Response Team’s ability to identify and respond to threats. This often includes non-standard scoping with very specific system, application, and data targets.

Threat Emulation
• Emulate a specific threat and determine the ability to prevent, detect, and respond to it within a specific environment.

Defense Assessment
• Help companies obtain a more comprehensive understanding of their ability to identify and respond to real world threats and potential breach scenarios, by executing multiple variations of common attack workflows across detective control boundaries while working with internal security teams to identify detective control gaps and misconfigurations.
• Blue team and red team members test a company’s environment together to build an understanding of the company’s ability to prevent, detect, and respond to real world threats at all layers of the organization. This requires much more collaboration and is broader in scope than a red team engagement. It is intended to test for the most common tools, techniques, and procedures used by attackers and malware.
• Test capabilities of 3rd party service providers.
The Differences: Service Objectives
The Value: Service Differences

Service Type | Identify Server Issues | Identify Network Issues | Identify Application Issues | Determine Impact of Vulnerabilities | Determine Ability to Detect Attacks | Identify Missing Detective Controls | Determine Incident Response Ability
Vulnerability Assessment | Yes | No | Partially | No | Partially | No | No
Penetration Test | Yes | Yes | Yes | Yes | Partially | No | No
Red Team Test (Limited to Specific Scenarios) | Partially | Partially | Partially | Partially | Partially | Partially | Partially
Threat Emulation (Limited to Specific Threat) | Partially | Partially | Partially | Partially | Partially | Partially | Partially
Defense Assessments | Yes | Yes | Yes | Yes | Yes | Yes | Yes
BREAK TIME
The Hunt
Deliverables
The Hunt: Threat Hunting Overview
• Search for known common indicators of compromise at scale
• Typically does not include EPP, HIDS, NIDS
• PowerShell comes in handy for automation
• Identify sample systems based on information stored in DNS and Active Directory
• Gather information via WMI, PS Remoting, scheduled tasks, and psexec (no agent)
The Hunt: Don’t forget…
• Get approval
• Some tasks require local and domain administrator privileges
• Just like scanning, be aware of network boundaries and controls that may block access to the sample of systems
The Hunt: Common Targets
• Common hunting activities include targeting:
  - Files with known malware signatures
  - Windows services running unsigned binaries
  - Potentially malicious scheduled tasks
  - Potentially malicious file and folder autoruns
  - Potentially malicious Registry autoruns
  - Potentially malicious SQL Server autoruns
  - Potentially malicious WMI providers and triggers
  - Web shells in internet facing web root folders
  - VPN or internet log in from strange geographic locations or at off hours
  - Suspicious domain level events
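The agentless hunting approach described above (sample hosts from AD, PS Remoting and WMI), as an added example that is not code from the talk: a PowerShell script that asks each sampled host for services whose binary is not Authenticode-signed and for WMI permanent event subscriptions, two of the targets listed. It assumes local administrator rights on the targets and WinRM enabled; the host names and output path are constructed placeholders.

```powershell
# Added example: hunt for services running unsigned binaries and for WMI
# permanent event subscriptions across a sample of hosts via PS Remoting.
# Assumes local admin on the targets and WinRM reachable; hosts are constructed.
param(
    # In practice take the sample from AD/DNS, e.g. (Get-ADComputer -Filter *).DNSHostName
    [string[]]$ComputerName = @('ws01.corp.example', 'srv02.corp.example'),
    [string]$OutFile = '.\hunt-results.csv'
)

$HuntBlock = {
    # --- Services whose binary is missing or not validly signed ---
    Get-CimInstance Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }   # 'return' skips this item inside ForEach-Object
        # Strip quotes and arguments: a quoted path, or the first token ending in .exe
        $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] }
               elseif ($raw -match '^(.+?\.exe)') { $Matches[1] } else { $raw }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) { $status = 'MissingFile' }
        else { $status = (Get-AuthenticodeSignature -LiteralPath $exe).Status }
        if ($status -ne 'Valid') {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Type = 'Service'
                               Name = $_.Name; Detail = $exe; Status = $status }
        }
    }
    # --- WMI permanent event subscriptions (filter -> consumer bindings) ---
    Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
        ForEach-Object {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Type = 'WmiSubscription'
                               Name = $_.Filter; Detail = $_.Consumer; Status = 'Review' }
        }
}

# Fan out to every sampled host; unreachable hosts are skipped rather than aborting the hunt
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $HuntBlock -ErrorAction SilentlyContinue
$results | Select-Object Host, Type, Name, Detail, Status | Export-Csv -NoTypeInformation -Path $OutFile
$results | Group-Object Type | Format-Table Name, Count -AutoSize
```

Scheduled tasks and Registry autoruns can be collected in the same scriptblock; keeping one CSV per hunt makes it easy to diff results over time.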
The Trends
The Trends: General Trends
• Companies don’t know what controls they have and don’t have
• Companies are missing major controls in critical network zones
• Companies don’t configure controls correctly
  o No internal resources capable of configuring the control
  o No vendor was paid to configure the control
• Managed service providers are not catching real attack TTPs
• Controls implemented with vendor defaults that don’t detect most real attacks
• No internal network logging
• Logging, but no correlation
• Alerting, but no response
• No tracking of metrics over time
• Disconnects between systems like AV and their controllers
  o Completely unmanaged or don’t sync fast enough
The Trends: Control Boundaries
• Wireless network zones
• External network zones
• Internal network zones
• Email gateways, servers, and clients
• Windows endpoints
• Linux endpoints
• Web applications
• Databases
The Trends: Wireless Networks
• No wireless attack detection (wireless or LAN)
  o Detection features not enabled
  o Detection features not available
• WEP still used in manufacturing in warehouses and assembly lines
• WPA2 PSK still used about 25% of the time
• WEP and WPA2 PSK cracking
  o No detection
• Evil twin attacks (attacking wireless endpoints)
  o No detection
The Trends: External Networks
• Minimal ability to detect scanning and attacks
• WAFs are missing or misconfigured
• OWASP top 10 vulnerabilities allow remote access
• User and email enumeration via public resources
• Lots of internet facing interfaces that support single factor authentication that can be used for pivoting and dictionary attacks
  o VPN, Citrix, Terminal Services, VDI, web applications
The Trends: Internal Networks
• Port scan detection can be avoided in almost all networks using Nmap –T2 or below
• Port / vulnerability scan detection occurs more via endpoint protection than via network IDS/IPS controls
• Null sessions still yield user and computer lists
The Trends: Internal Networks
• Almost no one detects network attacks:
  o NBNS MITM, LLMNR MITM, ARP MITM, VLAN tag spoofing, switch trunking, rogue DHCP, rogue PXE servers, unauthorized PXE downloads, etc.
• ARP spoofing is never going to die
  o Vendors are still creating devices that don’t support ARP spoof detection
  o Most companies don’t enable the detection or prevention features when they do exist
• PXE downloads have become more common
  o Download to VM + mount HD + backdoor for access
  o Domain deployment account password in sysprep files
  o Domain deployment account password parsed from VM memory file
  o Domain credentials can then be used to start domain escalation
The Trends: Internal Networks
Network Isolation Bypasses
• Direct access to services in the isolated environment, directly or through trusted hosts
  o Identify trusted hosts via logon events
• Use management systems to execute commands
  o Group Policy, patch, and configuration management systems
• Jump hosts are on the user domain and have accessible non-two-factor management ports open
• VLAN hopping
• Switch trunking
The Trends: Email Attacks – General
• Companies seem to have three goals
  - Test click rates / user awareness over time
  - Test technical controls
  - Inject FUD for budget procurement
The Trends: Email Attacks – General
• Service providers – missing some known evil attachments, doing some test execution of links and HTML
• Servers – not blocking evil attachments
• Clients – allowing execution of untrusted ClickOnce and Java apps
• Office – people like to allow macros; those who don’t often let users change the setting in the security center
The Trends: Email Attacks – Payloads
Payloads – Links
• Direct links to executable files
• Links to uncategorized and untrusted sites/IPs
Payloads – Phishing Sites
• Untrusted ClickOnce allowed
• Untrusted Java applets allowed
• Capturing passwords is handy when there are so many single factor interfaces exposed to the internet
• Considering looking into XSRF to execute commands on web apps already open in insecure browsers – anyone done that?
The Trends: Email Attacks – Payloads
Payloads – Images in HTML emails
• Determine physical location of individuals
• Determine firewall egress rules
• Determine allowed file attachments – works about 60% of the time
Payloads – Executable File Attachments
• Only a handful typically get through, but Office macros still work a lot
• Users often have rights to disable Office security features
• Interesting that .application ClickOnce apps seem to make it through
• Shortcut files + UNC path injection – not tested yet
• Working on a basic toolkit for testing links and executable file types…
The Trends: Email Attacks – Payloads
Payloads – Executable Files
Note: This is purple teamy…
1. Send hundreds of executable file types as attachments
2. Parse the inbox on the client to determine which ones make it through the service provider, server, and client
3. Cross reference extensions with application file extension associations on their gold build
4. Create proof of concept payloads to illustrate risk
The Trends: Email Attacks
The Trends: Windows Endpoints
- Missing and broken two-factor
- Missing hard drive encryption
- Missing and disabled endpoint protection on servers
- Missing ability to detect common persistence methods
  o File, Registry, application, and database autoruns
  o Windows services
  o Windows tasks
  o WMI triggers and providers
  o Log in from unexpected country
  o Log in during unexpected time
The Trends: Windows Domains
• 80% of companies can detect a Domain Admin being added
• Most companies are blind to almost everything else
• SPNs are very useful for server and user targeting
• Active session scanning can be useful for user targeting (DC, file, Citrix, and Exchange servers yield the best immediate results)
• Bloodhound can be very useful if you have enough time to map escalation paths
• Kerberoasting and ASREPRoast are widely used for domain escalation
• Password dumping, DCSync, ntds.dit via Invoke-Ninjacopy.ps1, NTDSUTIL, VSSADMIN
• Group Policy modifications
• Net logon script modifications
• Sysvol DACL modifications
• User and computer object DACL modifications
• Delegation of privileges – password reset, replication, etc.
• Group policy passwords are disabled in most environments, but some companies forget to clean up the XML files and the passwords are still valid
• SID history works in most environments to escalate from child to parent domain
• Lots of user and domain admin password sharing
• Lots of domain admins sharing passwords between domains
The Trends: Linux Endpoints
Linux Endpoints
- No centralized detection capabilities
- Sudo configuration issues
- World readable/writable daemons and cron scripts
- Common issues like Heartbleed and Shellshock
- Excessive share privileges
- NFS mountable as root, grab keys, and authenticate
- SMB writable to everyone
- FTP writable by anonymous (web roots are the best)
- Shared NAS between servers for lateral movement via home directories
The Trends: Web Applications
• SQL injection
• XML entity injection
• Upload functionality
• Application publishing platforms like Tomcat, JBoss, etc.
• Database and domain credentials are stored everywhere
  o In code
  o In web.config
  o In application.config
  o Connection string cheat sheet: https://gist.github.com/nullbind/91c573b0e27682733f97d4e6eebe36f8
• Code repository auditing can usually be bypassed once you have SYSTEM on the box and can run as the service account
The Trends: Databases
• Common platforms include SQL Server, Oracle, MySQL and Db2
• Almost no companies audit beyond failed login attempts
• Database teams seem to identify failed login attempts more than AD or response teams on average
• Excessive privileges allow normal domain users rights to login
• Lots of vendor defaults and unsupported versions
• Escalation via weak passwords, UNC path injection, shared service accounts, and database links
The Trends: Data Exfiltration & C2
• Servers and DCs with direct access to the internet!
• Tons of options in most environments without detection:
  o TCP ports 100% – authenticated outbound on 80/443, reflection through trusted sites, and unauthenticated outbound on various ports (21, 22, 23, 25, 53, 110)
  o UDP ports 50%
  o ICMP tunnel 50%
  o DNS tunnel 80%
  o SMTP tunnel 100%
  o Skype tunnel 100%
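As an added example tied to the DNS tunnel finding above (not code from the talk), a PowerShell triage script that flags tunnelling candidates in resolver query logs using label length, character entropy and the number of distinct subdomains per client and domain. The log lines, thresholds and the "client qname" log format are constructed assumptions and would need tuning against real resolver logs.

```powershell
# Added example: flag likely DNS tunnelling in query logs.
# Heuristics: long leftmost labels, high character entropy, many unique labels
# per (client, domain). Log lines below are constructed samples: "client qname".
$SampleLog = @'
10.1.1.20 www.example.com
10.1.1.20 mail.example.com
10.1.1.31 a9f3k2l0x8q1z7v4b6n2m5c8d1e4f7g0h3j6.t1.corp-cdn.example
10.1.1.31 b2h8j4k1m7n3p9q5r2s8t4u0v6w3x9y5z1a7.t1.corp-cdn.example
10.1.1.31 c5d1f7g3h9j5k1m7n3p9q5r1s7t3u9v5w1x7.t1.corp-cdn.example
10.1.1.40 cdn.example.net
'@

function Get-LabelEntropy([string]$Label) {
    # Shannon entropy in bits per character; encoded data scores well above hostnames
    $freq = @{}; foreach ($ch in $Label.ToCharArray()) { $freq[$ch] = 1 + $freq[$ch] }
    $n = $Label.Length; $h = 0.0
    foreach ($c in $freq.Values) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    return $h
}

function Find-SuspiciousDns {
    param([string[]]$Lines, [int]$MinLabelLength = 30, [double]$MinEntropy = 4.0, [int]$MinUnique = 3)
    $records = foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $client, $qname = $line.Trim() -split '\s+'
        $labels = $qname.TrimEnd('.') -split '\.'
        # Treat the last two labels as the registrable domain (sufficient for triage)
        $domain = ($labels | Select-Object -Last 2) -join '.'
        $first  = $labels[0]
        [pscustomobject]@{ Client = $client; Domain = $domain; Label = $first
                           Length = $first.Length; Entropy = Get-LabelEntropy $first }
    }
    $records | Group-Object Client, Domain | ForEach-Object {
        $long   = @($_.Group | Where-Object { $_.Length -ge $MinLabelLength -and $_.Entropy -ge $MinEntropy })
        $unique = @($_.Group.Label | Sort-Object -Unique).Count
        if ($long.Count -ge $MinUnique -and $unique -ge $MinUnique) {
            [pscustomobject]@{ Client = $_.Group[0].Client; Domain = $_.Group[0].Domain
                               Queries = $_.Count; UniqueLabels = $unique
                               AvgEntropy = [Math]::Round(($long.Entropy | Measure-Object -Average).Average, 2) }
        }
    }
}

# Only the 10.1.1.31 / corp-cdn.example group trips all three thresholds in the sample
Find-SuspiciousDns -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```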
The Questions?