Adventures in Adversarial Emulation: Common Approaches and Trends (Q1 Meet Up)

2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation


Page 2: The Speaker

Name: Scott Sutherland
Job: Network & Application Pentester @ NetSPI
Twitter: @_nullbind
Slides: http://slideshare.net/nullbind and http://slideshare.net/netspi
Blogs: https://blog.netspi.com/author/scott-sutherland/
Code: https://github.com/netspi/PowerUpSQL and https://github.com/nullbind

Page 3: The Presentation Overview

• The Problem
• The Goal
• The Approach
• The Difference
• The Hunt
• The Trends

Page 4: The Problem

Page 5: The Problem

Companies spend millions on detective controls, but don't know if they can detect common:

• Indicators of active attack
• Indicators of compromise
• Indicators of data exfiltration

Page 6: The Goal

Page 7: The Goal

• Understand the company's ability to identify and respond to common real-world threats
• Understand how to improve detective and preventative control capabilities
• Verify that third-party service providers and products are detecting what they say they can

Page 8: The Approach

Page 9: The Approach: Summary

1. Inventory known controls
2. Emulate attacks
3. Monitor security events and alerts
4. Identify gaps in controls
5. Provide actionable feedback and recommendations
6. Provide a MITRE-style heat map

Page 10: The Approach: Inventory Known Controls

Interview key members of the security and incident response teams to inventory existing preventative controls, detective controls, and detective control boundaries. Common control placements and boundaries include:

• External network zones
• Internal network zones
• Wireless network zones
• Email gateways, servers, and clients
• Workstations and servers
• Network devices
• Applications
• Databases

Page 11: The Approach: Emulate Attacks

Emulate attacks using the common tools, techniques, and tactics of real-world attackers, in multiple variations of common attack kill chains, across the identified detective control boundaries.

• Threat agnostic
• Many kill chain variations
• Common tools
• Common techniques
• Common procedures
• MITRE ATT&CK covers post-exploitation pretty well

Page 12: The Approach: Monitor Security Events

Monitor security events and alerts in real time with the security teams across:

• External network zones
• Internal network zones
• Wireless network zones
• Email gateways, servers, and clients
• Workstations and servers
• Network devices
• Applications
• Databases

Page 13: The Approach: Identify Gaps

Identify major gaps in detective and preventative controls by working with security teams in real time during the test to determine which security events:

• Go completely undetected
• Are logged
• Trigger correlation rules
• Trigger alerts
• Trigger incident response

Page 14: The Approach: Actionable Feedback

Provide actionable feedback that includes the information below so internal security teams can build better defensive capabilities:

• Log sources
• Generic indicators of attack and compromise
• Generic SIEM correlation rules
• Preventative control options
• Mitigation options
• Existing controls

Page 15: The Approach: Notes from BruCON

Below are some notes from the Chris Gates and Chris Nickerson presentation at BruCON. Great notes for internal teams!

http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson

• Create a charter
• Provide metrics (readiness/resistance to TTPs) and pretty charts
• Build an attack simulation lab with all preventative and detective controls
• Work through the MITRE ATT&CK techniques in the lab
• Continuously validate production controls
• Work closely with the internal team
• Establish rules of engagement, procedures, and workflows with the internal team
• Estimate resources: people, servers, crack box, VMs, access to defensive tools
• Document sharing to store and share info

Pages 16-19: The Approach: Notes from BruCON

1. Gather threat intelligence about and threat attributes
2. Compare to capabilities map (preventative and detective)
3. Predict likelihood of successful attacks before they happen

Source: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson

Page 21: The Differences

Page 22: The Differences: Service Goals

Network Vulnerability Assessment
• Identify known and common configuration, patch, and code related vulnerabilities at the server and web application layers.
• Meet compliance requirements.

Network Penetration Test
• Help companies determine if identified vulnerabilities can be used to gain unauthorized access to protected networks, systems, application functionality, and sensitive data.
• Identify known and common configuration, patch, and code related vulnerabilities at the network, server, and web application layers.
• Meet compliance requirements.

Network Red Team Testing
• Attempt to gain unauthorized access to an environment using paths of least resistance without detection, and maintain that access for a pre-determined period of time in order to test the Incident Response Team's ability to identify and respond to threats. This often includes non-standard scoping with very specific system, application, and data targets.

Threat Emulation
• Emulate a specific threat and determine the ability to prevent, detect, and respond to it within a specific environment.

Defense Assessment
• Help companies obtain a more comprehensive understanding of their ability to identify and respond to real-world threats and potential breach scenarios, by executing multiple variations of common attack workflows across detective control boundaries while working with internal security teams to identify detective control gaps and misconfigurations.
• Blue team and red team members test a company's environment together to build an understanding of the company's ability to prevent, detect, and respond to real-world threats at all layers of the organization. This requires much more collaboration and is broader in scope than a red team engagement. It is intended to test for the most common tools, techniques, and procedures used by attackers and malware.
• Test the capabilities of third-party service providers.

Page 23: The Differences: Service Objectives

Columns, left to right: Identify Server Issues | Identify Network Issues | Identify Application Issues | Determine Impact of Vulnerabilities | Determine Ability to Detect Attacks | Identify Missing Detective Controls | Determine Incident Response Ability (Y = Yes, N = No, P = Partially)

Vulnerability Assessment                         Y  N  P  N  P  N  N
Penetration Test                                 Y  Y  Y  Y  P  N  N
Red Team Test (limited to specific scenarios)    P  P  P  P  P  P  P
Threat Emulation (limited to specific threat)    P  P  P  P  P  P  P
Defense Assessments                              Y  Y  Y  Y  Y  Y  Y

Page 24: Break time

Page 25: The Hunt

Page 26: The Hunt: Threat Hunting Overview

• Search for known common indicators of compromise at scale
• Typically does not include EPP, HIDS, or NIDS
• PowerShell comes in handy for automation
• Identify sample systems based on information stored in DNS and Active Directory
• Gather information via WMI, PS Remoting, scheduled tasks, and psexec (no agent)

Page 27: The Hunt: Don't forget…

• Get approval
• Some tasks require local and domain administrator privileges
• Just like scanning, be aware of network boundaries and controls that may block access to the sample of systems

Page 28: The Hunt: Common Targets

• Common hunting activities include targeting:
  - Files with known malware signatures
  - Windows services running unsigned binaries
  - Potentially malicious scheduled tasks
  - Potentially malicious file and folder autoruns
  - Potentially malicious registry autoruns
  - Potentially malicious SQL Server autoruns
  - Potentially malicious WMI providers and triggers
  - Web shells in internet-facing web root folders
  - VPN or internet logins from strange geographic locations or at off hours
  - Suspicious domain-level events
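The hunting targets above are easy to script. The following PowerShell is an added example, not code from the deck or from NetSPI's tooling, that pulls three of them from one host: services running unsigned binaries, Run/RunOnce registry autoruns, and permanent WMI event subscriptions (the "WMI providers and triggers" item). It assumes a Windows host with the CIM cmdlets available and local administrator rights, which the deck notes some hunting tasks require.

```powershell
# Added hunting example, not from the deck: collect three of the persistence
# targets listed above from one host. Assumes local administrator rights.
function Get-PersistenceFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($cat, $name, $detail) {
        $findings.Add([pscustomobject]@{ Category = $cat; Name = $name; Detail = $detail })
    }

    # 1. Services whose binary is not Authenticode-signed. PathName may be
    #    quoted and carry arguments, so isolate the executable path first.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName -split '\s+[-/]')[0].Trim() }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            Add-Finding 'UnsignedServiceBinary' $svc.Name "$exe ($($sig.Status))"
        }
    }

    # 2. Registry autoruns under the common Run/RunOnce keys (machine and user).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            Add-Finding 'RegistryAutorun' "$key\$($p.Name)" $p.Value
        }
    }

    # 3. Permanent WMI event subscriptions: a filter bound to a consumer survives
    #    reboots; this is the "WMI providers and triggers" target listed above.
    $ns = 'root/subscription'
    $filters = @{}
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter) {
        $filters[$f.Name] = $f.Query
    }
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Filter/Consumer are object references; pull the filter name out of the path
        $fname = if ("$($b.Filter)" -match 'Name\s*=\s*"([^"]+)"') { $Matches[1] } else { "$($b.Filter)" }
        Add-Finding 'WmiSubscription' $fname "query [$($filters[$fname])] -> consumer $($b.Consumer)"
    }
    return $findings
}

# Run locally; wrap the call in Invoke-Command over PS Remoting to fan out to sampled hosts.
Get-PersistenceFindings | Sort-Object Category, Name | Format-Table -AutoSize
```

Every Run-key value and WMI binding is reported, not just suspicious ones, so the output is meant to be diffed against a known-good gold build rather than read as alerts.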

Page 29: The Trends

Page 30: The Trends: General Trends

• Companies don't know what controls they have and don't have
• Companies are missing major controls in critical network zones
• Companies don't configure controls correctly
  o No internal resources capable of configuring the control
  o No vendor was paid to configure the control
• Managed service providers are not catching real attack TTPs
• Controls implemented with vendor defaults that don't detect most real attacks
• No internal network logging
• Logging, but no correlation
• Alerting, but no response
• No tracking of metrics over time
• Disconnects between systems, e.g. AV agents and their controllers
  o Completely unmanaged or don't sync fast enough

Page 31: The Trends: Control Boundaries

• Wireless network zones
• External network zones
• Internal network zones
• Email gateways, servers, and clients
• Windows endpoints
• Linux endpoints
• Web applications
• Databases

Page 32: The Trends: Wireless Networks

• No wireless attack detection (wireless or LAN)
  o Detection features not enabled
  o Detection features not available
• WEP still used in manufacturing, in warehouses and assembly lines
• WPA2 PSK still used about 25% of the time
• WEP and WPA2 PSK cracking
  o No detection
• Evil twin attacks (attacking wireless endpoints)
  o No detection

Page 33: The Trends: External Networks

• Minimal ability to detect scanning and attacks
• WAFs are missing or misconfigured
• OWASP Top 10 vulnerabilities allow remote access
• User and email enumeration via public resources
• Lots of internet-facing interfaces that support single-factor authentication and can be used for pivoting and dictionary attacks
  o VPN, Citrix, Terminal Services, VDI, web applications

Page 34: The Trends: Internal Networks

• Port scan detection can be avoided in almost all networks using Nmap -T2 or below
• Port / vulnerability scan detection occurs more via endpoint protection than via network IDS/IPS controls
• Null sessions still yield user and computer lists

Page 35: The Trends: Internal Networks

• Almost no one detects network attacks:
  o NBNS MITM, LLMNR MITM, ARP MITM, VLAN tag spoofing, switch trunking, rogue DHCP, rogue PXE servers, unauthorized PXE downloads, etc.
• ARP spoofing is never going to die
  o Vendors are still creating devices that don't support ARP spoof detection
  o Most companies don't enable the detection or prevention features when they do exist
• PXE downloads have been more common
  o Download to VM + mount HD + backdoor for access
  o Domain deployment account password in sysprep files
  o Domain deployment account password parsed from VM memory file
  o Domain credentials can then be used to start domain escalation

Page 36: The Trends: Internal Networks

Network Isolation Bypasses
• Direct access to services in the isolated environment, directly or through trusted hosts
  o Identify trusted hosts via logon events
• Use management systems to execute commands
  o Group Policy, patch, and configuration management systems
• Jump hosts are on the user domain and have accessible non-two-factor management ports open
• VLAN hopping
• Switch trunking

Page 37: The Trends: Email Attacks – General

• Companies seem to have three goals:
  - Test click rates / user awareness over time
  - Test technical controls
  - Inject FUD for budget procurement

Page 38: The Trends: Email Attacks – General

• Service providers – missing some known evil attachments, doing some test execution of links and HTML
• Servers – not blocking evil attachments
• Client – allowing execution of untrusted ClickOnce and Java apps
• Office – people like to allow macros; those who don't often let users change the setting in the security center

Page 39: The Trends: Email Attacks – Payloads

Payloads – Links
• Direct links to executable files
• Links to uncategorized and untrusted sites/IPs

Payloads – Phishing Sites
• Untrusted ClickOnce allowed
• Untrusted Java applets allowed
• Capturing passwords is handy when there are so many single-factor interfaces exposed to the internet
• Considering looking into XSRF to execute commands on web apps already open in insecure browsers – anyone done that?

Page 40: The Trends: Email Attacks – Payloads

Payloads – Images in HTML emails
• Determine physical location of individuals
• Determine firewall egress rules
• Determine allowed file attachments – works about 60% of the time

Payloads – Executable File Attachments
• Only a handful typically get through, but Office macros still work a lot
• Users often have rights to disable Office security features
• Interesting that .application ClickOnce apps seem to make it through
• Shortcut files + UNC path injection – not tested yet
• Working on a basic toolkit for testing links and executable file types…

Page 41: The Trends: Email Attacks – Payloads

Payloads – Executable Files

Note: This is purple teamy…

1. Send hundreds of executable file types as attachments
2. Parse the inbox on the client to determine which ones make it through the service provider, server, and client
3. Cross-reference the extensions with the application file extension associations on their gold build
4. Create proof-of-concept payloads to illustrate the risk

Page 42: The Trends: Email Attacks

Page 43: The Trends: Windows Endpoints

- Missing and broken two-factor
- Missing hard drive encryption
- Missing and disabled endpoint protection on servers
- Missing ability to detect common persistence methods
  o File, registry, application, and database autoruns
  o Windows services
  o Windows tasks
  o WMI triggers and providers
  o Log in from unexpected country
  o Log in during unexpected time

Page 44: The Trends: Windows Domains

• 80% of companies can detect a Domain Admin being added
• Most companies are blind to almost everything else
• SPNs are very useful for server and user targeting
• Active session scanning can be useful for user targeting (DC, file, Citrix, and Exchange servers yield the best immediate results)
• BloodHound can be very useful if you have enough time to map escalation paths
• Kerberoasting and ASREPRoast are heavily used for domain escalation
• Password dumping, DCSync, ntds.dit via Invoke-NinjaCopy.ps1, NTDSUTIL, VSSADMIN
• Group Policy modifications
• Net logon script modifications
• SYSVOL DACL modifications
• User and computer object DACL modifications
• Delegation of privileges – password reset, replication, etc.
• Group Policy passwords are disabled in most environments, but some companies forget to clean up the XML files and the passwords are still valid
• SID history works in most environments to escalate from child to parent domain
• Lots of user and domain admin password sharing
• Lots of domain admins sharing passwords between domains

Page 45: The Trends: Linux Endpoints

- No centralized detection capabilities
- sudo configuration issues
- World readable/writable daemons and cron scripts
- Common issues like Heartbleed and Shellshock
- Excessive share privileges
  - NFS mountable as root: grab keys and authenticate
  - SMB writable to everyone
  - FTP writable by anonymous (web roots are the best)
  - Shared NAS between servers for lateral movement via home directories

Page 46: The Trends: Web Applications

• SQL injection
• XML entity injection
• Upload functionality
• Application publishing platforms like Tomcat, JBoss, etc.
• Database and domain credentials are stored everywhere
  o In code
  o In web.config
  o In application.config
  o Connection string cheat sheet: https://gist.github.com/nullbind/91c573b0e27682733f97d4e6eebe36f8
• Code repository auditing can usually be bypassed once you have SYSTEM on the box and can run as the service account

Page 47: The Trends: Databases

• Common platforms include SQL Server, Oracle, MySQL, and DB2
• Almost no companies audit beyond failed login attempts
• Database teams seem to identify failed login attempts more than AD or response teams on average
• Excessive privileges give normal domain users rights to log in
• Lots of vendor defaults and unsupported versions
• Escalation via weak passwords, UNC path injection, shared service accounts, and database links

Page 48: The Trends: Data Exfiltration & C2

• Servers and DCs with direct access to the internet!
• Tons of options in most environments without detection:
  o TCP ports: 100% (authenticated outbound on 80/443, reflection through trusted sites, and unauthenticated outbound on various ports: 21, 22, 23, 25, 53, 110)
  o UDP ports: 50%
  o ICMP tunnel: 50%
  o DNS tunnel: 80%
  o SMTP tunnel: 100%
  o Skype tunnel: 100%

Page 49: Questions?