Introduction to Red Team Operations
Sunny Neo (@sunn_y_k)
sunny@live.com.sg
#whoami
•Perpetual Information Security Student
•Penetration Tester @ Centurion Information Security
•It was really hard to get here - On and Off Fever Last Night
Disclaimer
•All views are mine and not the company I work for or any organisation that I am affiliated with.
•I take NULL credit for all the materials presented here
•I am here just to share the good work from awesome people and have fun
Shout Out - Raphael Mudge (@armitagehacker)
•Awesome resource on Red Team Operations
•Advanced Threat Tactics (2015)
https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
https://www.youtube.com/watch?v=4w7krkqxRck&list=PL9HO6M_MU2nf8Fa5bVefBW-9bg5Rx94_c
•https://blog.cobaltstrike.com/
Shout Out - Jeff Dimmock (@bluscreenofjeff)
•Awesome materials on Red Team Infrastructure
•https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
•https://speakerdeck.com/bluscreenofjeff/building-a-better-moat-designing-an-effective-covert-red-team-attack-infrastructure
•https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
Shout Out
•Anyone who shared their experience with me or answered my stupid questions over Twitter / Slack (BloodHoundGang) / Beer(s)
Objective
•Share my journey on learning about Red Team Operations
•Bridge the gap between Penetration Testers and Red Teamers
Penetration Testing
•Scope Provided
• Limited to No Reconnaissance Required
•No Stealth required
• Scan everything in Scope
• Run tools out of the box (Did you rebuild the tool?)
•Simple to No Infrastructure setup
Red Team Operation
• Test your security investment in a realistic way – objective based
• Depend on the type of operations
• Full Scope Testing (Physical, Social and Cyber)
• Long-Term Operation
• Threat Emulation (Emulating a real-world actor)
Source:
https://blog.cobaltstrike.com/2015/07/09/models-for-red-team-operations/
https://blog.cobaltstrike.com/2016/02/17/the-threat-emulation-problem/
Red Team Operation
•Generally
• Limited Information Provided
• Require Stealth
• Require Appropriate Infrastructure Setup for the operation
Transitional Challenges (Pen Tester -> Red Teamer)
•Mindset
•Habits
•Scale
Mindset
•Boxed-in by Scope
•Emphasis on coverage of the systems and vulnerabilities in scope
•Does not look for the easiest path to objective
Habits
•Guided by Mindset
•Scan everything in Scope due to emphasis on coverage
•Does not apply an adversary's tradecraft, but whatever gets the job done
Scale
•No clearly defined scope - How to start?
•Excessive Information - How do you manage the information gathered along the way due to the vague scope?
Principles for Red Team Operations (Mine)
•Protect your Infrastructure
•Log Everything!
•Less is More
•Don’t Get Caught
Protect Your Infrastructure
•Why the need for Infrastructure?
•Why the need to protect your infrastructure?
Typical Penetration Test Infrastructure
Source:
https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
Services Required for Red Team Operations
•SMTP Server – Phishing
•Web and Database Servers – Phishing and Storing Stolen Credentials
•Payload/Staging Servers – Storing and Sending Payloads
•Multiple Teamservers – C2
Shell Management
•Never do anything from just one shell and one team server
•Always try to persist and expand more shell accesses
•Red team infrastructure design is critical for covert operations
• Short Haul Servers – Initial Access + Post Exploitation Activities
• Long Haul Servers – Low and Slow Callbacks + Session Passing
•https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/
Redirector and Filtering
Source: https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
Apache Redirector - .htaccess
Source: https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/
.htaccess Blacklisting
•Jason Lang (@curi0usJack)
•.htaccess to redirect
 • known AV companies' IP address ranges
 • TOR exit nodes
•https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10
Automate Your Infrastructure
• Painful to rebuild everything for each engagement
• Automate infrastructure setup with Coalfire's Red Baron (Terraform)
• Examples:
 • https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/
 • https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-2/
 • https://github.com/Coalfire-Research/Red-Baron
Red Baron
Source: https://github.com/Coalfire-Research/Red-Baron/blob/master/examples/complete_c2.tf
C2 Protocol Considerations
Source:
https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/
Command and Control (C2) Security
• Protect your customer's systems and data
• You don't want your agents/beacons to be hijacked or confidential data leaked
• Evaluate the C2 security based on
 • Encryption
 • Authentication
 • Anti-replay protection
• https://medium.com/@malcomvetter/responsible-red-teams-1c6209fd43cc
Staged Beacon Process
1. Staged Payload (TeamServer -> Victim): the stage carries the TeamServer Public Key
2. Initial Callback (Victim -> TeamServer): Meta Data + Session Key, encrypted with the TeamServer Public Key
3. Tasks (TeamServer -> Victim): Task, encrypted with the Session Key
4. Task Output (Victim -> TeamServer): Output, encrypted with the Session Key
Source: Raphael Mudge - Advanced Threat Tactics (2 of 9): Infrastructure
https://www.youtube.com/watch?v=3gBJOJb8Oi0&feature=youtu.be&t=49m55s
Log Everything!
• Important to have timestamped logs for
• Timeline of Events
• Clean up
• Investigation if anything goes down
• Empire and Cobalt Strike are fine…
• cmd.exe?
• PowerShell?
• bash?
• Metasploit?
• RDP?
Log Everything!
Tool: Command Prompt
  prompt $D$S$T$S$P$G
Tool: PowerShell (PowerShell Profile/GPO)
  Start-Transcript -Path C:\pslogging\transcript.txt -NoClobber -IncludeInvocationHeader
  OR Computer Configuration – Administrative Templates – Windows Components – Windows PowerShell – "Turn on PowerShell Transcription"
Tool: Bash (~/.bashrc)
  # Enable a timestamp in the prompt and use screen to log the session
  PS1='\D{%F %T} [\u@\h \W] \$ '
  screen -L -Logfile engagementXX.log bash
  # Expand history limits, enable timestamps and append commands from multiple terminals to the history
  export HISTSIZE=
  export HISTFILESIZE=
  export HISTTIMEFORMAT="%d/%m/%y %T "
  export HISTCONTROL=ignoredups:erasedups
  shopt -s histappend
  export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
Tool: Msfconsole (~/.msf4/msfconsole.rc)
  set ConsoleLogging true
  set LogLevel 5
  set SessionLogging true
  set TimestampOutput true
  set PromptTimeFormat %Y/%m/%d %H:%M:%S
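As an added example (not from the original slides), the logs these settings produce can be merged into the timeline of events the previous slide asks for. It assumes bash history written with HISTTIMEFORMAT set (bash then stores a '#<epoch>' line before each command), a cmd.exe prompt whose $D prints dd/mm/yyyy, and that all sources record UTC; the log text is constructed.

```python
import re
from datetime import datetime, timezone
from typing import List, Tuple

Event = Tuple[datetime, str, str]   # (when, source, command)

# Constructed sample inputs in the formats the slide's settings produce.
# bash writes a '#<epoch>' line before each command once HISTTIMEFORMAT is set.
BASH_HISTORY = """\
#1525948991
nmap -sn 10.0.0.0/24
#1525949100
cat /etc/hosts
"""
# screen -L log: prompt lines carry the PS1 date, output lines do not.
SCREEN_LOG = """\
2018-05-10 10:44:00 [op@kali ~] $ ssh redirector1
Last login: Thu May 10 10:40:12 2018
2018-05-10 10:46:30 [op@kali ~] $ tail -f /var/log/apache2/access.log
"""
# cmd.exe with 'prompt $D$S$T$S$P$G'; $D is assumed to print dd/mm/yyyy.
CMD_LOG = """\
10/05/2018 10:45:30.55 C:\\Users\\op>whoami
corp\\op
10/05/2018 10:47:02.03 C:\\Users\\op>ipconfig /all
"""

SCREEN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[[^\]]+\] \$ (.*)$")
CMD_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2})\.\d{2} [^>]+>(.*)$")


def parse_bash_history(text: str) -> List[Event]:
    """Pair each '#<epoch>' line with the command that follows it (UTC)."""
    events, stamp = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            stamp = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
            stamp = stamp.replace(tzinfo=None)
        elif stamp is not None and line.strip():
            events.append((stamp, "bash_history", line.strip()))
            stamp = None
    return events


def parse_screen_log(text: str) -> List[Event]:
    """Keep only prompt lines; command output carries no PS1 timestamp."""
    events = []
    for line in text.splitlines():
        m = SCREEN_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((when, "screen", m.group(2)))
    return events


def parse_cmd_log(text: str) -> List[Event]:
    """cmd.exe prompt lines; the dd/mm/yyyy order of $D is an assumption."""
    events = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1) + " " + m.group(2),
                                     "%d/%m/%Y %H:%M:%S")
            events.append((when, "cmd", m.group(3).strip()))
    return events


def build_timeline(*sources: List[Event]) -> List[Event]:
    """Merge every source into one chronologically sorted list."""
    return sorted((e for src in sources for e in src), key=lambda e: e[0])


def timeline_for_samples() -> List[Event]:
    """Timeline over the constructed samples above."""
    return build_timeline(parse_bash_history(BASH_HISTORY),
                          parse_screen_log(SCREEN_LOG),
                          parse_cmd_log(CMD_LOG))


if __name__ == "__main__":
    for when, source, cmd in timeline_for_samples():
        print(when.strftime("%Y-%m-%d %H:%M:%S"), source.ljust(12), cmd)
```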
Less Is More: Information Management
•Don’t just collect information mindlessly
•Use as many scripts as possible to perform data mining
•Have some processes/tools to categorise the information/logs collected so that they can be looked up easily
•http://www.harmj0y.net/blog/redteaming/push-it-push-it-real-good/
•https://vincentyiu.co.uk/cobaltsplunk/
Don’t Get Caught?
Three factors: Target, TTPs, Toolset
Target
• Knowing your target
• Knowing what kind of controls they have
• Controls
• Email Filtering Gateway
• Egress Filtering and Authenticated Proxy with Domain Categorization
• IDS/IPS (This Gen, Next Gen, Future Gen)
• Sandbox
• Antivirus (This Gen, Next Gen, Future Gen)
• Endpoint Detection & Response
• Security Operations Center with analysts looking at alerts
Tactics, Techniques and Procedures (TTPs)
•What is the mode of operation?
• Smash and Grab
• Diversion
• Long-Term Operation
Tactics, Techniques and Procedures (TTPs)
•Tradecraft – Bad Guy’s Best Practices
•Learn from the Bad Guys
• Threat Intelligence Reports
• https://github.com/kbandla/APTnotes
• https://github.com/aptnotes/data
• MITRE ATT&CK Framework
• https://attack.mitre.org/wiki/Main_Page
• https://github.com/redcanaryco/atomic-red-team
Toolset
•Are your tools suitable for the operation?
•Are you able to make operational trade-offs based on your knowledge of your tools?
• What is the workflow of the tool?
• What artifacts are created?
Metasploit & Meterpreter
•Web Delivery Module with windows/meterpreter/reverse_tcp
Web Delivery Module Process
1. Run the PowerShell one-liner to download and execute the PowerShell Stager
2. The Stager fetches the (encoded) Stage (DLL) and passes control to the Stage
3. The Stage performs (decoding and) Reflective DLL Injection to run the actual payload
PowerShell Stager on Wire
• Run the PowerShell One-liner to download and execute PowerShell Stager
Stage on Wire
•The Stager fetches the (encoded) Stage (DLL) and passes control to the Stage
EnableStageEncoding Option
•Web Delivery Module with windows/meterpreter/reverse_tcp
•EnableStageEncoding => true
Encoded Stage (DLL)
Memory Artifacts
(Reflective) DLL Injection Overview (Process B injecting into Process A)
Step 1: Attach - Process B attaches to Process A
Step 2: Allocate Memory - Process B allocates a new memory section in Process A
Step 3: Write DLL Path (DLL Injection) or Write DLL Content (Reflective DLL Injection) into the new memory section
Step 4: New Thread - Process B starts a new thread in Process A that executes LoadLibrary (DLL path) or the Reflective Loader (DLL content)
Source: http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
*For DLL Injection, the DLL file has to be written to disk
Staged Meterpreter Memory Artifact
Payload:
windows/meterpreter/reverse_http
Staged Meterpreter Memory Artifact
Decoded Stage
Staged Meterpreter Memory Artifact
Actual Payload (metsrv.dll) Running
Metasploit Paranoid Mode
•(Generally) Metasploit should not be used for Red Teaming because most of its payloads can be hijacked and many signatures have been created for them
•Use Paranoid Mode if needed - Payload UUID whitelisting and SSL certificate pinning to prevent hijacking
•Use “reverse_winhttps” instead of “reverse_https” to enable SSL certificate pinning for the Stager
Cobalt Strike
•Adversary Simulation Tool
•Features
• Team Operation
• Client Side Exploitation
• Asynchronous Post Exploitation
• Covert Communication Flexibility
Cobalt Strike - Default Staged Beacon
Cobalt Strike - Default Stage Memory
Cobalt Strike - Default Beacon Memory
Cobalt Strike - Default String in Stage and
Beacon
Memory Detection Heuristic
• Threads or memory regions that are not mapped to a file on disk
• Static image size
• RWX page memory permission
• Known strings and PE headers
• William Burgess & Matt Watkins - Advanced Attack Detection https://www.youtube.com/watch?v=ihElrBBJQo8
• Raphael Mudge – In-memory Evasion (1 of 4) - Detections https://www.youtube.com/watch?v=lz2ARbZ_5tE
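An added example (not from the original slides or any tool's own code) that applies these four heuristics to a list of memory-region records, of the kind a memory-forensics tool reports per process. The Region records, KNOWN_STRINGS and KNOWN_IMAGE_SIZES are constructed placeholders; no live process is read.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Placeholder indicators: strings expected in an unobfuscated stage or
# implant, and allocation sizes observed for one specific build.
KNOWN_STRINGS = (b"beacon.dll", b"ReflectiveLoader", b"metsrv.dll")
KNOWN_IMAGE_SIZES: FrozenSet[int] = frozenset({0x3A000})


@dataclass
class Region:
    base: int
    size: int
    protect: str        # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: str    # "" for private (non file-backed) memory
    head: bytes         # first bytes of the region
    has_thread: bool = False  # a thread start address lies in the region


@dataclass
class Finding:
    base: int
    reasons: List[str] = field(default_factory=list)


def looks_like_pe(data: bytes) -> bool:
    """True for an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan(regions: List[Region],
         known_sizes: FrozenSet[int] = KNOWN_IMAGE_SIZES) -> List[Finding]:
    """Apply the four heuristics from the slide and report every hit."""
    findings = []
    for r in regions:
        reasons = []
        if r.protect == "PAGE_EXECUTE_READWRITE":
            reasons.append("RWX page permission")
        if not r.mapped_file:
            # Private memory: threads and PE headers have no file to point to.
            if r.has_thread:
                reasons.append("thread start not mapped to a file")
            if looks_like_pe(r.head):
                reasons.append("PE header in private memory")
            if r.size in known_sizes:
                reasons.append("static image size 0x%x" % r.size)
        # Strings are checked everywhere: module stomping copies the implant
        # into a file-backed region, so mapping alone does not clear it.
        hits = [s.decode() for s in KNOWN_STRINGS if s in r.head]
        if hits:
            reasons.append("known strings: " + ", ".join(hits))
        if reasons:
            findings.append(Finding(r.base, reasons))
    return findings


def fake_pe_head(tail: bytes = b"") -> bytes:
    """Constructed DOS/PE header stub: MZ, e_lfanew = 0x40, then PE\\0\\0."""
    head = bytearray(b"MZ" + b"\x00" * 0x3A)       # 0x3C bytes
    head += (0x40).to_bytes(4, "little")            # e_lfanew
    return bytes(head + b"PE\x00\x00" + tail)


# Constructed sample process: a loaded DLL, a heap, a default (unobfuscated)
# injected stage, and an implant hardened so that only the thread remains.
SAMPLE_REGIONS = [
    Region(0x7FF800000000, 0x1F0000, "PAGE_EXECUTE_READ",
           r"C:\Windows\System32\ntdll.dll", fake_pe_head()),
    Region(0x20000, 0x10000, "PAGE_READWRITE", "", bytes(range(64))),
    Region(0x1F0000, 0x3A000, "PAGE_EXECUTE_READWRITE", "",
           fake_pe_head(b"...ReflectiveLoader..."), has_thread=True),
    Region(0x2A0000, 0x41000, "PAGE_EXECUTE_READ", "",
           bytes(range(64, 128)), has_thread=True),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REGIONS):
        print("0x%x: %s" % (f.base, "; ".join(f.reasons)))
```

The hardened region still trips the thread heuristic, which is why the slide's later advice pairs PE obfuscation with avoiding remote process injection.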
Cobalt Strike – Malleable PE
•https://www.cobaltstrike.com/help-malleable-c2#memory
Cobalt Strike – Malleable PE
• obfuscate: “true” (Cobalt Strike 3.11 and later)
 • The Reflective Loader does not initialise any unnecessary PE headers in the memory section allocated for Beacon
 • Masks the DLL import tables
 • Obfuscates known strings in Beacon
• cleanup: “true”
 • Frees the memory of the Stage
• module_x86 / module_x64
 • Module Stomping: LoadLibrary a DLL that is not already loaded and copy the Beacon DLL into its memory space
Cobalt Strike – Malleable PE
Demo
Cobalt Strike – Malleable PE
•Additional Modification Options
 • prepend – prepend strings before the DLL headers
 • strrep – replace a string found in the DLL
•Could be used for Threat Emulation
 • peclone known malware binaries
 • Configure based on known YARA rule strings for malware
Cobalt Strike – Best Practices
•Things you could do to make your beacon harder to detect
• Use Malleable Profile and PE
• Do Session Prepping
• Use “spawnto” to change the default process for Post Exploitation Activities
• Use In-memory .NET Assembly Execution for Post Exploitation activities
• Avoid using Stager
• Avoid using PowerShell
• Avoid Remote Process Injection
Cobalt Strike – Best Practices
•Recommended to Read/Watch
• https://blog.cobaltstrike.com/2018/04/23/fighting-the-toolset
• https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
• https://blog.cobaltstrike.com/2017/10/25/modern-defenses-and-you/
• https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/
Other approaches to Detect Beacon
Source: https://twitter.com/jackcr/status/992390807268352001
Questions?
Other Reference
• https://medium.com/@malcomvetter/safe-red-team-infrastructure-c5d6a0f13fac
• https://www.netscylla.com/whitepapers/Crestcon18_Common_Pitfalls_in_Redteaming.pdf
• https://blog.cobaltstrike.com/2013/06/28/staged-payloads-what-pen-testers-should-know/
• https://www.slideshare.net/44Con/44con-meterpreter-internalsv2
• http://buffered.io/posts/staged-vs-stageless-handlers/
• https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/
• https://www.blackhat.com/docs/us-16/materials/us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digitally-Signed-Executable-wp.pdf
• https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
• https://www.slideshare.net/JoeDesimone4/taking-hunting-to-the-next-level-hunting-in-memory
• https://ketansingh.net/make-executable-harder-to-recover-from-memory/
• https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Int0X80-Anti-Forensics-AF.pdf
• https://www.veil-framework.com/least-privilege-removing-unnecessary-memory-permissions/
• Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters (2014) - The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux and Mac Memory
