[Host introduction, largely inaudible] ... he's released several tools that make my life as a penetration tester much easier. Great work.

[Stage setup] Yeah, you want your slides up? Okay.

So, like he mentioned before, the talk with me is on repurposing adversarial tradecraft, and as you said before, I've been here before, last year actually, not giving a talk, and I'm really happy. I want to thank Mark first for letting me come back and giving me this opportunity to come back and see all the guys and friends, especially in the Augusta community, so it's really nice.

We'll kick it off. I do not have a clicker, so hopefully clicking there will be good. So, a little bit of introduction, an overview of the talk: who am I, where I come from, that's my background; what are we going to talk about, what are these TTP things, and that eventually gets into the adversaries we're actually going to cover and go over. So in this case I will just kick it off with a little introduction of myself. As he said, my name is ridiculously long, Alexander Rymdeko-Harvey; my parents absolutely hated me, so they gave me that name.

Just recently, my last day at ATD was actually Friday; I was a pen tester / red teamer with them on the ATD team, and there's actually some guys here, but I'll be making a huge move over onto the Sony side to help them push for their red team capability on their soon-to-be global threat emulation team, so I'm really excited. As you mentioned before, previous soldier, so for all those that are still serving, really, thank you, and let's get started.

So, some background. The development of this: this is obviously an extremely tool-centric talk, just as the title states; it's based on taking adversarial TTPs and somehow emulating them in our red team tradecraft. So in this case, where I came from, a heavy background in Python, a lot of these tools are actually very low level, so they're going to be written in C++, and that's low enough level for me. I learned C++ about six months ago, so hopefully the tools are solid; they all run, they all work, but there's definitely room for improvement. If someone wants to contribute, push some changes and stuff like that, help me clean up code, it would be highly appreciated. And second, I was obviously with a team at ATD and a couple of buddies of mine, and they're all listed on there, but they went through hell trying to help me get this set up, because there's a lot of complicated stuff in here and a lot of techniques that I had no idea how to start or even get an entry point into building.

So what is RAT? It's kind of a tricky name, or shorthand for repurposing adversarial tradecraft, and it stems from the traditional view of what red teaming is; it all stems back to wargaming eventually. It's basically taking your force, looking at the enemy's, repurposing what they're doing, and eventually advancing your tradecraft or art form, like from a DoD standpoint, you know, elevating your capability as a fighting force. So as red teamers we have to do this consistently. The enemy, or nation state X, or whatever group of malware authors is out there, have a lot more time, dedication and resources than you will have in two weeks to sit on a pen test or red team and achieve the same amount of coverage as they will.

So why is it really important? It pushes the community forward, and most importantly you can educate yourself so that you can educate your client, and also bring the newest attack angle to your tradecraft. So, a little quote: "Red teamers often differentiate themselves from pen testers in that they emulate adversaries, yet how often do we hear them talk about actual adversarial TTPs based off of real threat intel?" That quote was from me, by the way. Is it illegal to quote yourself? I don't know. But anyway, this is actually something that's talked about quite often in the red team spaces: you know, how often do you, as a red teamer or pen tester, have enough time to sit down, dig into a threat intel report, and actually go and build those capabilities that probably won't even potentially help you on your test? And that's something that we'll cover, you know, and you have to make that decision as a tester, decide whether that is worthwhile pursuing. So like I said before, I kind of jumped over it: taking time to analyze reports. Some of us kind of hate on the threat intel side, and some say it's boring or whatnot, but it does play its role in developing these TTPs. So like the Duqu reports, and on that subject especially, the technical reports that get put out are actually extremely detailed for what they are, and you won't be able to replicate some of this without them, to be honest.

So the first step: we're going to cover Duqu. It's probably one of my favorite malware families. They have tons of tricks up their sleeve, and we're going to cover some of the stuff that they kind of focus on. One of the interesting things is, for being such an early threat actor in our space, like they always say that red teaming and pentesting is about five years behind, and it's totally possibly true. Like WMI data collection: these guys were doing remote registry collection with WMI before we were even thinking about using WMI offensively. So these guys were on the cutting edge; they're labeled as an APT for a reason; they have the ability, you know, the resources to devote to this type of collection operation.

Something really interesting about them is their network leveraging. Something I found out very early on as a red teamer was that while you have all these capabilities as a pen tester to sit in a network, plug in and just rock their network with Responder, that's not the same when it comes to trying to do that on a red team engagement. Things like Inveigh and stuff like that made it a lot easier over the years with PowerShell, but trying to do that natively before PowerShell, you would literally have to roll in a complete custom application, so that was complicated. And they do that: they use WPAD. So APT X may have owned a 0-day immediately, but why use that when the path of least resistance is just to use WPAD and not burn their potential 0-day? So it's kind of interesting to see this type of attack being played out, even though we're still using it in the pen testing role. Interestingly enough, tons of driver management: they have the ability to start and stop, and we'll cover that actually, that's one of the things we're covering. And persistence, so I'll show you a quote on the next slide about persistence, but one of the things that make them really unique is that they had, I guess you could say, the confidence that they didn't have to worry about implanting on a machine or server, because they knew exactly where they were going to be inside the network and how to stay there long-term. They could just stay in memory and not worry about the reboots, because, you know, they're not going to be sitting on your average user desktop; they're going to be sitting in a server rack somewhere where redundancies are in play for power and electric, all those types of things. It just kind of shows you some of their TTPs, and that's something that we can definitely replicate easily in our everyday life. Situational awareness, and we'll cover this a little bit later as well: detecting running sniffers, stuff like that. So they had an idea, they knew that they could potentially get caught, and they were going to keep an eye out with some basic situational awareness checks. And of course AD query: they were parsing ADSI and the directory enumeration into a human-readable XML format, and that's kind of what we're doing with PowerView on our team, heavy PowerShell based; the team I was just on, ATD, was very heavy PowerShell based. So it's really kind of cool to see adversaries using those same exact techniques and to think that you're doing the same kind of simulations as them.

So the first thing, as you can see, this is from the Hacking Team dump: the guy who basically said, "hey, I always use Duqu-style persistence." And it's kind of true that about, I don't know, two years ago, staying in memory was the stuff. A lot of exploits, you know, you'd generally drop to disk; you would almost always, if you were going to lay in some type of persistence, do some type of Windows persistence; there's a million ways to persist in a Windows environment, whether it be writing registry keys or whatever. So I wanted to take this type of TTP that they developed, and ask how I can go ahead and port it over onto my side in a way that's feasible. One, they did it in memory. Two, talk about the location: this dictated the survivability of the agent, and basically where they want to implant. And third, if you're in memory it's a lot easier to avoid HIPS and things of that sort, but if you're dropping, let's say, a binary to disk or something of the sort, you have a higher risk of getting caught.

So all those things kind of combined into a package that I knew I could possibly go after. The driver for this was that I had a few long-term ops, like 30 days plus, which is really unique on the red teaming side; usually you only have like three weeks, and that's pretty much the longest engagement yet, and that's maybe with some out-brief time too. And I knew that if I were to do this, I would have the capability of maintaining long-term C2 out of a network. And so this was actually built, and I'm going to show you guys, but this one actually came in handy, so it's kind of cool to actually see something you built having been used.

Excuse me. So, some questions you have to ask yourself. I kind of broke it into four different locations, or four different segments, of how I'd like to analyze the situation: one, the target location; two, the system environment; the hardware platform; and the operating system. By target location I'm talking, is it a data center, does it have backups, power supply, those types of things. Is it hardware, is it virtualized, is it a system enclosure, is it in a rack server? All those things we can query with WMI, which turned out to be extremely useful. And then system environment: things that you would want to grab, like the last boot time; I obviously want to persist on the box that has the lowest, or the oldest, boot time. And then operating system: Windows, Windows OS, Enterprise, Server, stuff like that. So I attacked this from a few different angles. I knew it had to be in PowerShell, so that's kind of the layout of it, and I knew I needed to be able to target specific OUs in a network. So in this case I used PowerView's Get-NetComputer and was able to basically use that as my starting point to target specific, like, server OUs, stuff of that sort. Then I could basically check to see if the box is up, obtain all the WMI objects that I needed for properties, and then calculate values, do a standard deviation, a weighted calculation off of that, and then build statistics to see and visually represent a network segment for me to pick my location. So it's kind of like every other standard PowerShell script out there; it has threading built in, so script blocks, all that kind of stuff, which makes it quite usable, because obviously, I don't know, if your network is 20,000 computers I wouldn't suggest running this, but you could, I guess.

And as I talked about before, these are just some tips for finding a custom OU for servers or something of the sort, and that came out to be really helpful. This bottom one with the LDAP query, that was helping me find Windows 2008 servers.

So as I mentioned before, I had a few different sections that I wanted to go after and attack, and I had to build basically a persistence survivability rating, which is pretty cheesy sounding, but I basically knew I had to have a couple of different properties and have them weighted, because just because you have a low boot time doesn't mean that I want to sit there, live there. Things like, ten percent would be the WMI system enclosure; I feel like that's quite important versus, you know, the Windows OS class. So I took those, calculated a weighted value for them, and was able to build basically a statistic off of each individual computer object, and then I could pass that to a VM check and a desktop check, and I could split apart the network that way. So I could say, okay, maybe I want to persist on the desktop side versus the server side, or persist on VMs versus servers. So in certain cases this is completely my version of what I feel is important; there's no rhyme or reason specifically for those numbers, except that I felt those were the values they should be. So as I talked about before, just some basic calculations: calculating the standard deviation, calculating the variance. The reason why I use the standard deviation is that it gives me a good idea; you know, as the standard deviation goes, you basically have an average baseline in your network. So all these computers, let's say 500 of them, that restart every day, that would be a certain rating, and I can basically pipe that in to calculate the variance and then find myself locations in the network which are outside of the standard deviation zones, and those can find me spots where, like, okay, maybe this computer is not part of the GPO policy that restarts every night. And I actually put together a quick demo, just for time's sake here, so we can go ahead and play that fast.

I'll just run through some of the basic commands. I'm sorry, excuse me. So I basically set it up to have a small domain, as you can see; it builds all the objects, passing them through the pipeline, so you could do raw data processing with it off the PowerShell pipeline, which is really nice. And then I basically build those values and then I calculate the survivability mean, so those are like 3.23; there's not much deviation in these boxes, but you could see that they were detected as Windows, you know, those were detected as VMs, and that sort of thing. That was really helpful for me; in large datasets this becomes extremely important, because querying 500 boxes by hand in a server OU would be really complicated, so this makes it really easy to use.

Okay, or not. That's not good. Whoops.

The second thing we talked about: network leveraging. So like I talked about before, they did use network leveraging for their attacks, so why can't we, as pen testers or red teamers? I knew that one thing that made Duqu and a lot of these advanced pieces of malware extremely unique is their modular build. They have the ability to load up modules and then run the specific modules in certain locations. That's why whenever you read somebody's high-level technical reports, they generally ask people, they reach out to the community: if anybody has seen other modules in these IOCs, please hit me up so I can analyze them. And they definitely have modules for different attack platforms, AD query, all that kind of stuff. So it was really unique; a lot of these were modules inside a nucleus platform. And also the sniffer portion: something that I thought was really cool is that they had the ability to do packet capture and network alteration on the target host, which usually requires a kernel driver, things of that sort. This will kind of lead us into this next section of network leverage, but those types of drivers allow you to do some of the raw injection, packet manipulation, stuff that you generally can't do on a Windows operating system without kernel space execution. So there's two options: you have user mode, and in our case we're actually going to go over both. I'm going to cover user-mode capture, so using Winsock 2, and that's completely native to C++, no external libraries, all written so that you don't have to worry about importing packet.dll from WinPcap. And then also kernel mode, which obviously gives you full rights over the entire network stack and gives you the ability to do full packet capture, the injection part, interfacing with NDIS, and some of the network monitoring that you would want to see in a full-featured RAT.

So, just a quick cover of how I went about doing this. Something new on this slide is that, as I said, it's in C++, so we have to have a deployment method. My choice was reflective DLL, just because of the portability of it; it makes for easy integration with other toolsets like Cobalt Strike. Just a question: does anybody actually use Cobalt Strike here? Okay, so we seem to use that; we were using it heavily on our team. It has the ability to do reflective DLL injection, so there's your modularity right there: you have the ability to expand a RAT without recoding the entire thing.

So in this case we're going to go through: starting capture, building an IPC thread, talking to that remote process, and we're talking to that reflective DLL injected into memory, into the process space. So you can't just capture the output of that; you can't just talk to it once. It's like when you create that remote thread, it's gone; it's like shellcode injection, you basically have no way of talking to it after that; you have to have some type of IPC communication with it. And then building the pcap, receiving the actual data, filtering it, and then obviously writing it to disk.

So the Winsock process is a little bit complicated, but it's also pretty simple, in retrospect. Finding the documentation for this stuff is quite complicated, though, so the cool thing is I put together all the, well, there's a lot of bullets here and stuff of that sort; I wouldn't really worry about those too much, they're more or less a reference. If you want to come back and reference some of these actions and why I did things, you can come back and take a look at each step that I went through. So, WSAStartup, which is the Winsock application handle you have to obtain; basically I'm obtaining 2.2, which is supported from Windows 95 all the way up into Windows 10, which makes it cross-platform, which is amazing as a developer when you're developing attack platforms and stuff of that sort. So once you do that, it's kind of like you would see in any other application: you create a socket, you bind to it, and in this case you're only going to grab IP version 4 and above, so you're only going to grab layer 3 of the OSI model and above, so you're not going to be able to get the Ethernet packets, and that's a limitation of a raw socket in Windows. So it's really important to know you're not going to get full pcap and you're going to miss some things, but for the most part you're going to get all your HTTP and ICMP kind of stuff, anything IP protocol. And then the most important part is the WSAIoctl, which is actually a call into the kernel telling the Winsock application to turn into promiscuous mode, and setting that up enables you to actually receive the IP version 4 packets. That's really cool; I didn't know about this before, I didn't think it was possible, but there's some interesting resources out there that are all spread out, you know, text documents from like 1995, and you could kind of find these things. And then eventually recv, just like you would call, which is just a blocking function on obtaining the packet data.

So then we talked about creating the IPC thread. I chose to go with named pipes because I would be using them later on in the development cycle. So in this case I used a language-agnostic way of going about it, so I created a pipe, and I can also communicate with those same named pipes in PowerShell. So however I get to communicate with that thread, I can make it happen. It gives you as an operator life choices: if it's something that's built into your RAT, if it's something that is also compatible with PowerShell; there's tons of ways of going about it, so if you're in a restricted environment it makes for easy work. And then finally, as I said before, a lot of the functions, all the filtering, all that stuff is native in C++ and built by hand with custom structures and stuff of that sort. That way it's completely native; you don't have to include the libraries of the WinPcap development package, so it makes it really easy for you to go and take all this conglomerate of code and tweak it for what your requirements are. So in this case this is just an example of a couple of the structures put together for building the pcap headers and all that kind of stuff.

Oops. So, and finally, how do we deploy this? We talked about this before: reflective DLL injection. This stuff is really, really cool, and Stephen Fewer, I mean, the guy, I don't know, his project, it's amazing; to have that type of, you know, your name on it, to say that you built that type of attack platform, is really cool. So why reflective DLL? Some of you might not know what reflective DLLs are: it's the ability to load a DLL in memory. So traditionally you have to load these things off of disk; you can't just generally load a PE; there's no call in the Windows API to just load a DLL from memory, it just doesn't work that way. So they basically built a reflective loader, and that gives you a really big stealth advantage: it allows you to load the libraries without registering with the PEB, the process environment block, and also allows you to hide from enumeration of the process itself, and it won't show up in the process modules. That kind of gives you in-memory stealth, and it allows you to deploy with ease because you don't have to worry about writing this DLL out to disk, so you're protecting yourself from potentially HIPS and all these other different antivirus solutions. And it also allows for that modular design that we talked about before; DLL patching, all those kinds of things are in tons of projects. Metasploit uses it, and there's tons of projects that use this. But there's kind of the basics of how it works: you basically obtain a byte array, shove it into memory; you make the memory read/write/execute first, obviously; shove in the code for the DLL; obtain the offset for the DLL export; create a remote thread in the process; this probably reminds you, if you've done shellcode injection, of something of that sort. And then from that point on, you basically reflectively load the functions that are needed for the thread itself, so finding kernel32.dll so that it can call those functions, LoadLibrary, and then finally you can execute DllMain.

And here is actually a quick demo of it actually taking place, and I think this time I'm going to just do that so I don't have to deal with that again. So with the reflective DLL package that you build, all that comes with inject.exe, which is awesome, so you can basically inject right into itself; it's for quick testing. In this case I basically just ran the project, started up the pcap, started and built debug.pcap. At the top, PowerShell is actually talking with that reflective DLL and starting the packet capture. At this point I'm basically just capturing some network traffic; you can kind of see it grow, it's like 17 kilobytes. At this point I send a command to reset, so now we're back down to zero. And you basically can do all these types of different, like, post-, I guess, like you don't want to just throw this DLL up and then not be able to stop it; you could just have a box crash itself by running pcap for the entire life of the box being up, so that would be a problem. Like I said, that's why you have to have some type of thing like this. So then, right when you're done, whatever tools you want to use, maybe you write a custom encoder to drop this to some encrypted store, and that store could be later on decrypted, which is what Duqu did with virtual file systems, and boom, you have full pcap just like you would see with Wireshark. The one thing you're missing, if you notice, is the checksums for the Ethernet headers do not match up, and that is the only function that I did not get right, with CRC32; it requires a secondary function, I just haven't gotten to it, but someone to help with that would be amazing. And that is how you do the WinPcap.

And this is, this is
really cool 354 00:27:19,520 --> 00:27:25,160 this all led to basically driver loading at the end of the day one of the main 355 00:27:25,160 --> 00:27:29,960 things that I wanted to do was being able to deploy winpcap and have that 356 00:27:29,960 --> 00:27:36,380 ability it in a red team environment to deploy a package that can be all 357 00:27:36,380 --> 00:27:43,520 self-contained and actually execute this code so that leading into kind of like 358 00:27:43,520 --> 00:27:50,629 what I want to be going about this well one critical design like we were talking 359 00:27:50,630 --> 00:27:54,290 about before Dooku has a ton of platform like capabilities right so they need 360 00:27:54,290 --> 00:27:58,370 that these helper capabilities of loading drivers like traditional sign 361 00:27:58,370 --> 00:28:03,020 drivers of course you can't get in the kernel mode without having like a sign 362 00:28:03,020 --> 00:28:06,290 driver if you didn't know that so I mean there's still like legitimate 363 00:28:06,290 --> 00:28:09,230 functionality but there's different ways of going about it like we're going to 364 00:28:09,230 --> 00:28:13,040 cover both there's like a service creation working we can use SC to create 365 00:28:13,040 --> 00:28:18,020 a driver or you already engaged NT load driver get in the kernel space so we're 366 00:28:18,020 --> 00:28:21,470 going to cover both those and soft somehow like how this capability can 367 00:28:21,470 --> 00:28:27,230 kinda integrate into your red team testing methodology and and finally one 368 00:28:27,230 --> 00:28:29,900 side drivers this is something like not a lot of people are talking about but 369 00:28:29,900 --> 00:28:34,190 actually just popped up and products are and and and they they actually use a 370 00:28:34,190 --> 00:28:40,550 vulnerable driver to get code execution in kernel space and then was able to 371 00:28:40,550 --> 00:28:46,639 move there on sign npf driver with the modification driver for wimpy cap 
into 372 00:28:46,640 --> 00:28:51,350 into the kernel space and get code execution that way that's really cool it 373 00:28:51,350 --> 00:28:55,760 it shows you that just because you have the latest patches whatever maybe if 374 00:28:55,760 --> 00:28:59,420 they get system and they can drop vulnerable kernel module which getting 375 00:28:59,420 --> 00:29:03,920 system is not hard any privilege escalation will get you there and it 376 00:29:03,920 --> 00:29:08,000 happens quite often you basically getting a kernel mode without without 377 00:29:08,000 --> 00:29:11,930 too much too much of an issue because those those code-signing starts are good 378 00:29:11,930 --> 00:29:12,440 for that 379 00:29:12,440 --> 00:29:15,500 that driver and there's nothing you can do about that . currently with the 380 00:29:15,500 --> 00:29:18,860 remote but like how already could revoke the whole driver but then you would 381 00:29:18,860 --> 00:29:21,290 break tons of like back compatibility 382 00:29:21,290 --> 00:29:29,180 so like I like to start with every other arm capability kind of built like why 383 00:29:29,180 --> 00:29:34,070 would I want to do this and I think one it's really cool to have full pack 384 00:29:34,070 --> 00:29:37,490 capture and the ability to potentially build like a double pad like attack 385 00:29:37,490 --> 00:29:41,930 platform with reflective DLL and two because you know building like direct 386 00:29:41,930 --> 00:29:48,320 replication is pretty cool and so that's kind of why the two methods that we 387 00:29:48,320 --> 00:29:52,159 talked about for a sec driver loading that's using a service control manager 388 00:29:52,160 --> 00:29:59,660 to basically start and stop the kernel driver and basically you go through a 389 00:29:59,660 --> 00:30:02,540 small little set of events that to make this happen 390 00:30:02,540 --> 00:30:05,960 it's not it's not complicated easy to implement its dirty though it leaves 391 00:30:05,960 --> 00:30:07,280 behind 
a lot of artifacts 392 00:30:07,280 --> 00:30:12,740 it's a service creation its registry edits it's everything that happens from 393 00:30:12,740 --> 00:30:17,300 the time of loading and also requires like requires you to basically drop your 394 00:30:17,300 --> 00:30:22,190 your path known to to the service controller so like a summer to look at 395 00:30:22,190 --> 00:30:25,820 and see like you know evil driver assistance or whatever they're going to 396 00:30:25,820 --> 00:30:31,070 know that it's basically loaded and then finally the NT load load driver which is 397 00:30:31,070 --> 00:30:34,669 an undocumented windows functionality which actually is being used by SE 398 00:30:34,670 --> 00:30:40,610 driver loading to in to load that driver from user space into kernel memory and 399 00:30:40,610 --> 00:30:45,919 this allows for the full and deaths like application that we've been talking 400 00:30:45,920 --> 00:30:52,970 about with winpcap so how do we go about building SE driver the building SE 401 00:30:52,970 --> 00:30:54,260 driver version first 402 00:30:54,260 --> 00:30:57,110 the first thing I had to do was obviously I had to come up with a way to 403 00:30:57,110 --> 00:31:00,379 weaponizing it we talked about reflective DLL so I just kept this to 404 00:31:00,380 --> 00:31:06,080 the entire talk weaponize it wrapped into collective dll it basically decodes 405 00:31:06,080 --> 00:31:12,919 a large base64 char array and drops the required files the disc opens SE manager 406 00:31:12,920 --> 00:31:17,690 creates the service deletes the service starts the application is required for 407 00:31:17,690 --> 00:31:21,200 whatever p kapoor user-mode application you're going to run and then cleans up 408 00:31:21,200 --> 00:31:28,100 after itself so just like a little background knowledge on when winpcap 409 00:31:28,100 --> 00:31:32,389 what's actually happening there's quite a bit of layers of abstraction of taking 410 00:31:32,390 --> 00:31:34,880 place to 
get you into that point where you're actually 411 00:31:34,880 --> 00:31:39,560 going to be interacting with the colonel as you like i said the packets are 412 00:31:39,560 --> 00:31:43,610 coming in house extracting it through sdio interface between the nic driver 413 00:31:43,610 --> 00:31:49,370 then the nds interface itself which is like the networking portion of this of 414 00:31:49,370 --> 00:31:54,770 the stack basically talks with nds protocol drivers which interfaces with 415 00:31:54,770 --> 00:31:59,930 the upper edge of kernel space which is the NPF driver and then from there you 416 00:31:59,930 --> 00:32:05,000 have to require to have two different DLLs that are in on disk in the system32 417 00:32:05,000 --> 00:32:10,220 path which our packaging LOL and WP cap dll package deal elbows all your driver 418 00:32:10,220 --> 00:32:15,110 communications and then WP cap abstract all those with api calls for easy 419 00:32:15,110 --> 00:32:21,860 application code execution something interesting is it's quite complicated as 420 00:32:21,860 --> 00:32:27,290 in every single less has a different type of dll and different type of driver 421 00:32:27,290 --> 00:32:31,070 depending on architecture so if you actually going to strap the MSI package 422 00:32:31,070 --> 00:32:35,090 that does the installer you could tell us five different deals for packet WP 423 00:32:35,090 --> 00:32:42,350 cap has 23 different drivers so i have only tested on x86 710 and 64 so those 424 00:32:42,350 --> 00:32:45,080 are the required ones just for the matrix of someone to fill in the rest 425 00:32:45,080 --> 00:32:48,020 and go to the testing that be great there's probably a lot of operating 426 00:32:48,020 --> 00:32:54,350 systems that need to be tested and and figuring out which ones are drop as for 427 00:32:54,350 --> 00:32:58,459 the service creation as i said before not all of its relevant particular to 428 00:32:58,460 --> 00:33:01,550 you but if you ever want to go right 
replicate this is the kind of stuff you 429 00:33:01,550 --> 00:33:05,149 need you need to be able to open SE manager at all access giving full 430 00:33:05,150 --> 00:33:09,800 privileges to st manager you need to basically create a service you need to 431 00:33:09,800 --> 00:33:14,659 have set as a service kernel driver and then you basically need to have it on 432 00:33:14,660 --> 00:33:18,080 start demand which is manual start you can basically set it up to start the 433 00:33:18,080 --> 00:33:22,699 service control the service so you're basically setting a stop signal and then 434 00:33:22,700 --> 00:33:28,220 finally deleting the service and this is actually the demo 435 00:33:32,970 --> 00:33:41,760 so first thing i do check friend PFF PFF driver not loaded yet we're gonna 436 00:33:41,760 --> 00:33:46,590 actually go ahead and I built these three applications that basically do i 437 00:33:46,590 --> 00:33:52,980 get interface listing using the winpcap libraries all compiled all set up for 438 00:33:52,980 --> 00:33:56,039 use if you want the visual studio packages or they're all they're easy to 439 00:33:56,039 --> 00:34:01,230 use and easy to deploy so I'm basically gonna set it up as ms Colonel service 440 00:34:01,230 --> 00:34:07,980 i'm going to go ahead and inject that and that deep reflective DLL and and try 441 00:34:07,980 --> 00:34:12,449 to get those those three that driver setup and the to deal with drop the disk 442 00:34:12,449 --> 00:34:17,399 so once I know I'm good for the debug messages which you can just remove if 443 00:34:17,399 --> 00:34:20,489 you wanted to obviously probably leave them in there i'm going to go ahead and 444 00:34:20,489 --> 00:34:24,178 do a driver query to make sure that it's actually been loaded and at the correct 445 00:34:24,179 --> 00:34:29,040 name so even though its network packard filtering driver i basically you can set 446 00:34:29,040 --> 00:34:33,359 the service query as a different name so it sets the 
register Keys as though so 447 00:34:33,359 --> 00:34:37,770 it kind of gives you a little bit of a little bit of ease their setting those 448 00:34:37,770 --> 00:34:40,739 up which is kinda nice you can just name whatever you want to that way if 449 00:34:40,739 --> 00:34:45,388 someone's actually doing driver monitoring they would see that's that at 450 00:34:45,389 --> 00:34:50,099 this point I'm basically going to get the interface once i have the interface 451 00:34:50,099 --> 00:34:55,589 do it for that i'm going to send it to the packet dump which is just actually a 452 00:34:55,589 --> 00:35:00,570 built-in example package you can get with the wimpy cap driver collection and 453 00:35:00,570 --> 00:35:04,980 send it the the device and actually collect right from the box 454 00:35:09,220 --> 00:35:18,098 and that's from going from no driver to obviously fullback capture which is I 455 00:35:18,099 --> 00:35:21,099 think it's pretty cool 456 00:35:25,810 --> 00:35:36,279 and finally the NT driver driver loading with the reflective DLL as well so this 457 00:35:36,280 --> 00:35:37,330 one little bit different 458 00:35:37,330 --> 00:35:41,470 you're actually calling undocumented functionality this one took quite a bit 459 00:35:41,470 --> 00:35:46,540 to get right and there's just not a lot of resources out there obviously is on 460 00:35:46,540 --> 00:35:50,080 documents not supposed to be used this way these are functions that are being 461 00:35:50,080 --> 00:35:54,819 called on the backend that you generally as a like operating with the win32 462 00:35:54,820 --> 00:35:58,270 subsystem would not be able to call so the first thing I had to do was 463 00:35:58,270 --> 00:36:02,050 basically enabled privileges if anybody's ever looked like malware the 464 00:36:02,050 --> 00:36:05,770 first thing it probably does is sets up like every privilege can possibly 465 00:36:05,770 --> 00:36:09,099 imagine just runs those like SED but privilege is probably the first 
one just
466 00:36:09,099 --> 00:36:13,839 so you can do process injection, all that kind of stuff, so I basically need SeLoadDriver-
467 00:36:13,839 --> 00:36:16,839 Privilege, I need to go ahead and write the registry keys that we
468 00:36:16,839 --> 00:36:22,869 talked about, uh, actually find ntdll, get the handle to it, run the command, and
469 00:36:22,869 --> 00:36:28,660 then finally unload the driver with the same exact function, so this is kind
470 00:36:28,660 --> 00:36:36,759 of like a step-by-step, the code is not too complicated, but the first thing
471 00:36:36,760 --> 00:36:39,040 you're gonna do is enable this privilege like I talked about, you,
472 00:36:39,040 --> 00:36:42,099 obviously you're doing it locally to the, the process that you're in, so you
473 00:36:42,099 --> 00:36:47,920 just open a handle to your process, you obtain the process token, you
474 00:36:47,920 --> 00:36:51,700 adjust the token privileges and then you send it the privilege that you want to
475 00:36:51,700 --> 00:36:56,859 load up, so once you obtain that and you're good to go, you have the
476 00:36:56,859 --> 00:37:01,359 right, like admin rights on the box, you're in a high context, obviously you create the
477 00:37:01,359 --> 00:37:05,470 registry keys that are required for the services, the service path, service type,
478 00:37:05,470 --> 00:37:10,810 uh, service start and error control, which are just DWORD values, and a bin path
479 00:37:10,810 --> 00:37:14,259 basically that you would pass to a service creation with the service
480 00:37:14,260 --> 00:37:17,859 control manager, and then you actually go down to the next step which is
481 00:37:17,859 --> 00:37:21,890 loading the driver, the first thing you have to do, you can just include
482 00:37:21,890 --> 00:37:27,470 the NGF, well, I think there's like one example out there that does it, like none
483 00:37:27,470 --> 00:37:30,200 of the other examples on the internet right now compile, like you
484 00:37:30,200 --> 00:37:35,029 can't find an example that compiles with actually doing this function, so what I
485 00:37:35,030 --> 00:37:39,050 found out is you have to actually get the module handle for ntdll, then you
486 00:37:39,050 --> 00:37:43,460 have to get the proc address, which are pointers to NtLoadDriver and
487 00:37:43,460 --> 00:37:49,280 NtUnloadDriver, and the Unicode string, then you pass the subkey that you
488 00:37:49,280 --> 00:37:54,020 just created to the Unicode function, which then gives you a pointer to the array
489 00:37:54,020 --> 00:38:00,740 of your actual, like, your string path, and then you can pass that to
490 00:38:00,740 --> 00:38:05,450 NtLoadDriver, which then loads the driver and returns an NTSTATUS of 0 if
491 00:38:05,450 --> 00:38:09,109 complete, and if it doesn't it passes some numbers that I have no idea what
492 00:38:09,110 --> 00:38:12,110 they do
493 00:38:12,620 --> 00:38:21,950 probably will never figure it out, so as talked about before, there's some of the
494 00:38:21,950 --> 00:38:26,990 code, I'm going to be loading it as evil driver, just so you can have an
495 00:38:26,990 --> 00:38:30,799 idea of the registry key I'm creating, I'm gonna go ahead and use the same
496 00:38:30,800 --> 00:38:37,400 exact method that we used before, which is the service creation, sorry,
497 00:38:37,400 --> 00:38:41,060 the inject DLL weaponization
498 00:38:45,650 --> 00:38:54,109 once the driver is loaded, as you can see, basically I'm just gonna do a quick
499 00:38:54,109 --> 00:38:58,819 driverquery to make sure the driver actually made it into kernel
500 00:38:58,819 --> 00:39:03,470 mode, I'm just going to quickly search for just $MONEY just to prove that it
501 00:39:03,470 --> 00:39:04,879 actually worked
502 00:39:04,880 --> 00:39:08,089 nothing too fancy happening here, and then obviously once you have this all
503 00:39:08,089 --> 00:39:13,788 set up you can go about the same exact way as you would be with
504 00:39:13,789 --> 00:39:18,920 anything else, so that you could do on the pcap or whatever you need to do, this
505 00:39:18,920 --> 00:39:22,309 could be an individual module that does just the loading of the driver and
506 00:39:22,309 --> 00:39:26,029 then you can reflectively inject a driver that does all the pcap stuff, so
507 00:39:26,029 --> 00:39:29,119 that's the NT loader method, and that is all going to, all this is going to be open
508 00:39:29,119 --> 00:39:33,529 source if you wanna go check it out, use it for whatever you gotta do, and it's
509 00:39:33,529 --> 00:39:38,029 already pre-built with the reflective DLL project so everything's
510 00:39:38,029 --> 00:39:50,299 almost near weaponization ready, and I think we're getting close, last 10
511 00:39:50,299 --> 00:39:52,369 minutes
512 00:39:52,369 --> 00:39:59,869 and finally APT29, so as the last, the last group we're gonna be looking at,
513 00:39:59,869 --> 00:40:07,069 they have a unique, basically a unique set of skills that's pretty cool
514 00:40:07,609 --> 00:40:12,799 there's been a lot of research on these guys and they have some crazy stuff
515 00:40:12,799 --> 00:40:15,769 out there, if you've ever read, like, HAMMERTOSS and some of the methods that
516 00:40:15,769 --> 00:40:21,439 they use, the juiciness is just crazy, they'll use anything and everything, which
517 00:40:21,440 --> 00:40:27,829 makes them really hard to hunt down, so what makes them kind of special, one, WMI,
518 00:40:27,829 --> 00:40:32,690 if you've ever read anything about them they utilize WMI heavy, and as
519 00:40:32,690 --> 00:40:36,499 somebody that's been getting deeper and deeper into the internals I wanted to like
520 00:40:36,499 --> 00:40:41,209 replicate some of that ability with C++, which like you probably think is
521 00:40:41,210 --> 00:40:45,019 pretty daunting, and it absolutely is, like something in PowerShell it's
522 00:40:45,019 --> 00:40:50,598 extremely easy, you Get-WmiObject and you're rocking and rolling, and with
523 00:40:50,599 --> 00:40:54,049 that in mind they use a lot of PowerShell so it makes sense for them to
524 00:40:54,049 --> 00:40:56,538 use a lot of WMI, it's easy to integrate, you saw the script I showed
525 00:40:56,539 --> 00:40:57,380 before
526 00:40:57,380 --> 00:41:01,220 yes it's big, a lot of PowerShell objects, but it's easy to use, like the return
527 00:41:01,220 --> 00:41:04,249 types are easy to pass, properties, pipeline, that makes like life so easy
528 00:41:04,249 --> 00:41:11,058 and then finally the most, I guess, known thing about them, they've had people
529 00:41:11,059 --> 00:41:15,890 talk about it before, Mandiant's talk on basically hunting these guys
530 00:41:15,890 --> 00:41:19,519 down is insane, if you haven't watched it, it's like from ShmooCon, I got to see it live, it's
531 00:41:19,519 --> 00:41:23,209 really cool, and then obviously Matt Graeber and some of his buddies have
532 00:41:23,210 --> 00:41:28,609 talked on, uh, "WhyMI so Sexy", so those are definitely good talks if you haven't
533 00:41:28,609 --> 00:41:33,589 looked at them, like kind of like deep-sea diving into WMI operations itself, and
534 00:41:33,589 --> 00:41:37,038 then persistence, not agent persistence, not like where I'm going to store it, but
535 00:41:37,039 --> 00:41:42,650 these guys are well equipped and they're producing samples by the day, like if you
536 00:41:42,650 --> 00:41:45,890 really listen to the talk it's inspiring, like these guys are generating 10
537 00:41:45,890 --> 00:41:50,299 samples like a week pretty much, and one of them is completely different than the
538 00:41:50,299 --> 00:41:55,279 rest of them, so as you can imagine the RE efforts to like figure these guys
539 00:41:55,279 --> 00:41:58,369 out, figure out where they are and like get rid of these guys on your network is
540 00:41:58,369 --> 00:42:03,289 insane, and then finally agent development, which is something I'm going
541 00:42:03,289 --> 00:42:07,609 to move into next, is something that they do well, multiple OCs make it
542 00:42:07,609 --> 00:42:11,690 really hard to hunt them down and it makes them be able to persist in a
543 00:42:11,690 --> 00:42:15,289 long-term, if you're only running a Cobalt Strike and that's all you have
544 00:42:15,289 --> 00:42:20,420 developed, once burned, burn, it's done, but if you're using like backup agents, just
545 00:42:20,420 --> 00:42:23,630 like you would think C2 structure, if you're going to build C2 structure for
546 00:42:23,630 --> 00:42:27,950 your command and control, you're gonna have an initial phishing access server, an
547 00:42:27,950 --> 00:42:31,910 operational server, and then a long-term or a long-haul server for your backup,
548 00:42:31,910 --> 00:42:37,730 they do the same thing with their malware, so I wanted to build like a
549 00:42:37,730 --> 00:42:41,809 long-term agent, it's really POC at the moment but it has a lot of
550 00:42:41,809 --> 00:42:45,049 really cool stuff in it that I think that people would love to see and have
551 00:42:45,049 --> 00:42:48,440 examples on, some stuff out there, like there's some code out there but I have
552 00:42:48,440 --> 00:42:51,140 it all in one good place for anybody who wants to take a look at it
553 00:42:51,140 --> 00:42:56,328 basically the entire agent itself is built, the shell's built, it's in pure
554 00:42:56,329 --> 00:43:02,960 C++, in-memory logging, obfuscation of all the strings, standard calls for anything
555 00:43:02,960 --> 00:43:07,069 you'd like, want to see in an agent, like sleep and jitter, all those basic stuff, VM
556 00:43:07,069 --> 00:43:12,049 detection, AV detection, some using WMI, some using the standard API calls, and
557 00:43:12,049 --> 00:43:15,650 process listings, shell commands, the whole shebang, everything you'd want in
558 00:43:15,650 --> 00:43:18,650 the standard agent, and then since it's a long-term agent the only thing I
really
559 00:43:18,650 --> 00:43:22,489 needed was some method of getting secondary code access or code execution,
560 00:43:22,489 --> 00:43:26,930 so I built in $YEAR full shellcode injection and process injection with the
561 00:43:26,930 --> 00:43:29,839 token manipulation stuff, so if you actually want to go look at this code
562 00:43:29,839 --> 00:43:35,058 and have like, you know, like see actual running code, it's all there, there's a lot of
563 00:43:35,059 --> 00:43:38,269 stuff like you can get a peek into it, like the Hacking Team dump and stuff, they
564 00:43:38,269 --> 00:43:41,149 have some dumps out there, some would be complicated,
565 00:43:41,150 --> 00:43:44,720 a lot of the comments are all in like, you know, French or wherever, like you
566 00:43:44,720 --> 00:43:47,899 know there's tons of different languages that are operating on that code
567 00:43:47,900 --> 00:43:51,739 base, and eventually the coolest part will be monitoring, which is something
568 00:43:51,739 --> 00:43:55,099 that the defensive side is using heavy, service creation, process
569 00:43:55,099 --> 00:43:58,849 creation and driver loading, so why should I care about those type of things,
570 00:43:58,849 --> 00:44:02,839 if you're a hunt and IR guy, like that's like bread and butter right now, the
571 00:44:02,839 --> 00:44:07,190 ability to go and detect these kind of things are priceless
572 00:44:07,190 --> 00:44:10,400 you know, things like Uproot, which is built by Jared Atkinson,
573 00:44:10,400 --> 00:44:13,500 I got caught on an op, like a training op, with that and
574 00:44:13,500 --> 00:44:17,280 with my pants down, so it sucks when you get caught by these type of things, but
575 00:44:17,280 --> 00:44:20,550 it makes you like think as like an attacker, what can I do, like to
576 00:44:20,550 --> 00:44:23,130 detect them doing this back to me
577 00:44:23,130 --> 00:44:27,900 um, so think about how you can capture memory from a compromised
578 00:44:27,900 --> 00:44:31,260 machine, that you, as like an IR guy, we're gonna bring over a USB stick with
579 00:44:31,260 --> 00:44:34,800 Memoryze on it, the Mandiant one, you plug this thing in, you're gonna get a kernel-mode
580 00:44:34,800 --> 00:44:38,310 dump onto the USB stick and you're gonna take it back, but when you plug
581 00:44:38,310 --> 00:44:42,480 that in you have some risk that you're obtaining, like you plug in a USB
582 00:44:42,480 --> 00:44:47,820 drive and you potentially have to load a kernel module or kernel driver
583 00:44:47,820 --> 00:44:52,800 into kernel space to get that kernel memory dump, so I as an operator of these
584 00:44:52,800 --> 00:44:55,650 things, you need to think of, and all those kind of things lead into like
585 00:44:55,650 --> 00:44:59,550 service creation, like Cylance, if you read the OPM reports, if they
586 00:44:59,550 --> 00:45:02,730 were to detect the service creation of Cylance being created or installed on
587 00:45:02,730 --> 00:45:06,030 the systems, maybe the hackers in OPM would not have gotten
588 00:45:06,030 --> 00:45:09,570 caught, just a thought, like, you know, because they got caught
589 00:45:09,570 --> 00:45:13,860 according to the report, by Cylance logging, and eventually like driver creation,
590 00:45:13,860 --> 00:45:17,490 those are things that you want to see, so I don't have much time so I'm going to
591 00:45:17,490 --> 00:45:21,419 pound through this, basically the core agent has three different threads that
592 00:45:21,420 --> 00:45:26,310 do all the collection, push them into a monitoring thread which has a JSON
593 00:45:26,310 --> 00:45:31,710 array, a vector of JSON array rules, that then basically have like
594 00:45:31,710 --> 00:45:37,860 agent panic modes that are set, so here is actually a rule creation taking place,
595 00:45:37,860 --> 00:45:42,930 on the left side you have an actual JSON rule, like detecting, let's say,
596 00:45:42,930 --> 00:45:47,580 wireshark, the exe or the executable path has wireshark in it, and then it has
597 00:45:47,580 --> 00:45:49,170 panic settings for sleep,
598 00:45:49,170 --> 00:45:52,710 exit the agent true, and report the trigger, obviously if it fires on
599 00:45:52,710 --> 00:45:57,060 Wireshark you'd probably want to stop all communications, so I had false,
600 00:45:57,060 --> 00:46:01,230 so all those, like, granular things you can set up, and then you
601 00:46:01,230 --> 00:46:04,470 eventually have a rule trigger handler which handles like zeroing out the
602 00:46:04,470 --> 00:46:08,730 agent, cleaning your heap and doing things like that, so that if you get
603 00:46:08,730 --> 00:46:13,320 caught, they don't know how, like one thing that, as a memory
604 00:46:13,320 --> 00:46:17,010 analyst, you want to know is how far they got, right, so if they have my memory
605 00:46:17,010 --> 00:46:18,690 logging output and they can detect it,
606 00:46:18,690 --> 00:46:21,840 well they might just know everything I did, but if I can get rid of that
607 00:46:21,840 --> 00:46:24,840 first and they got my agent, not too big of a deal
608 00:46:25,819 --> 00:46:28,969 and then finally, here's actually a process creation event taking
609 00:46:28,969 --> 00:46:33,079 place on the command line, a service creation event, as you can see like this
610 00:46:33,079 --> 00:46:36,979 is the pathname of creating a windows\system32\cmd.exe service that would
611 00:46:36,979 --> 00:46:42,589 spawn a response service at a given time, and then finally a rule triggered
612 00:46:42,589 --> 00:46:46,009 which actually is inside the agent, so I'm just gonna do a quick demo on this, I
613 00:46:46,009 --> 00:46:48,049 think I have enough time
614 00:46:48,049 --> 00:46:58,880 I'm really close but I think it's about a minute or two, so I have a POC handler,
615 00:46:58,880 --> 00:47:02,239 anybody knows anything about the Empire side, I'll actually be trying to
616 00:47:02,239 --> 00:47:05,779 integrate this with Empire eventually, or their universal controller is coming
617 00:47:05,779 --> 00:47:10,549 out soon and this will give me the ability to actually like use this on a
618 00:47:10,549 --> 00:47:14,119 usability scale, like, right now it has all the core agent built,
619 00:47:14,119 --> 00:47:17,209 everything's there, as you can see it actually just received a command to
620 00:47:17,209 --> 00:47:21,739 run a shell command which was a dir, and on the other side it's just receiving
621 00:47:21,739 --> 00:47:24,890 output, so anything like you would see on a normal like agent handler, you have
622 00:47:24,890 --> 00:47:28,249 that ability, it's all there for you, using the cryptographic APIs that are
623 00:47:28,249 --> 00:47:31,578 built into Windows, all the encryption, base64, it's all built there, it just
624 00:47:31,579 --> 00:47:35,449 needs the core orchestrator handler, now, right there, you just kind of
625 00:47:35,449 --> 00:47:39,739 see an example of process monitoring taking place inside the agent
626 00:47:39,739 --> 00:47:45,289 itself, and it's just kind of set up to print to the screen right now just for, you
627 00:47:45,289 --> 00:47:51,109 know, aesthetics, so you can see the task that you see, proc execute, and then also
628 00:47:51,109 --> 00:47:55,729 with the command line arguments, the process name, the event type, where it
629 00:47:55,729 --> 00:47:58,669 came from, the path, all that kind of stuff, so you got really granular
630 00:47:58,670 --> 00:48:00,079 activity
631 00:48:00,079 --> 00:48:04,099 here's a service creation we talked about before, it's an event
632 00:48:04,099 --> 00:48:08,119 filter set for like every second, so basically I can receive all that stuff
633 00:48:08,119 --> 00:48:13,219 for service creation, all the fancy stuff, and this allows me to do
634 00:48:13,219 --> 00:48:18,380 that type of post-processing of the actual IR functions taking place on
635 00:48:18,380 --> 00:48:23,809 the box and respond accordingly, it gives the agent itself, it gives it leverage
636 00:48:23,809 --> 00:48:27,709 to the operator that they could not do, situational awareness, and give it
637 00:48:27,709 --> 00:48:31,399 like at twelve o'clock at night, so things that like you would generally do,
638 00:48:31,400 --> 00:48:33,920 your safety checks when you get on a box, you might not be able to do at twelve
639 00:48:33,920 --> 00:48:37,759 o'clock at night, or if you, that might be sleeping for a day at a time, that agent,
640 00:48:37,759 --> 00:48:39,109 that agent has to have
641 00:48:39,109 --> 00:48:43,788 one type of capability in the back end to survive, and this is kind of what I
642 00:48:43,789 --> 00:48:48,019 built, so in that case it monitored a Wireshark being, and triggered an
643 00:48:48,019 --> 00:48:54,288 execution, and basically exited the agent, and that is the WMI monitoring agent
644 00:48:54,289 --> 00:49:06,049 and finally the last slides, key takeaways, all the techniques talked about
645 00:49:06,049 --> 00:49:09,410 are kind of like, they're used in, you know, they've been talked about, they're
646 00:49:09,410 --> 00:49:13,910 documented somewhere, well documented, some of them are not, hopefully the mass
647 00:49:13,910 --> 00:49:17,660 amount of C++ and PowerShell I could have put together helps somebody, all
648 00:49:17,660 --> 00:49:23,569 written in Visual Studio 2015 on a Windows 10 updated image, and all compile perfectly,
649 00:49:23,569 --> 00:49:26,660 that's like, I don't think, like if you were to go looking for some of this
650 00:49:26,660 --> 00:49:30,109 stuff, getting something that will compile is literally the hardest thing you can
651 00:49:30,109 --> 00:49:33,529 imagine, like it's insane, like unless you're looking at some forums from like
652 00:49:33,529 --> 00:49:36,079 the nineties, that's about it
653 00:49:36,079 --> 00:49:40,220 some key takeaways, obviously the techniques and the TTPs are awesome
654 00:49:40,220 --> 00:49:44,029 really awesome to kind of integrate kind of show off you know something like the 655 00:49:44,029 --> 00:49:49,069 team's palace and all that kind of stuff so i think i think overall it was a 656 00:49:49,069 --> 00:49:52,819 great experience I got to learn a lot about coding got to learn a lot on a 657 00:49:52,819 --> 00:49:57,710 low-level operational level that stuff that as an operator you can debug issues 658 00:49:57,710 --> 00:50:02,269 even if you have like a paid tool set and finally all the codes are going to 659 00:50:02,269 --> 00:50:07,038 be open source and they can be found on my github a q-switched a QE what this 660 00:50:07,039 --> 00:50:10,099 basically just a list of someone wants to take a look at them later 661 00:50:10,099 --> 00:50:19,609 any questions no questions 662 00:50:20,809 --> 00:50:23,680 okay thank you 663 00:50:23,680 --> 00:50:25,029 yeah