 Hello, my name is Paolo González and this is my college from Ramírez. We are proud to introduce the 80T Pound adversarial emulation and offensive technical collaborative project. We are proud to be at DEF CON this year. Besides, we like very much the offensive part and that's why we bring a tool called 80T Pound, which helps to perform the emulation of adversaries. Also, we want to tell you about the collaborative side of the project. First of all, let's introduce ourselves. I am Paolo González. I work at Telefonica in Spain, pre-innovation department where we are very lucky to play with cybersecurity and artificial intelligence. We develop several open source tools and a GR and try to contribute with crazy ideas. I am MVP of Microsoft since 2017. I have written some books in Spanish about cybersecurity and I am a teacher at several universities in Spain. My partner, Fran Ramírez, works with me at Telefonica in the same pre-innovation department focusing on cybersecurity and machine learning projects. He has worked several GRs in the USA as an assistant administrator and has written some books about Docker and machine learning. Before we discuss the tool and show the use cases firsthand, let's have a look at Meet the GTNC key. The emulation of adversaries has become extremely important in the red team work. It's an exercise that provides a glimpse into the potential for a real threat, like many others that both business and society have experienced to affect an organization. The goal is to be capable of verifying if the organization controls efficient and effective by detecting the threats or displaying working weakness in response to them. The purpose of a red team exercise started following demonstration of the exposure run risk level, demonstration of the business impact, demonstration of the prevention capabilities, demonstration of the detection capabilities, demonstration of the capabilities of reacting or addressing incidents. Now, we are going to speak about ETNC key. Meet the ETNC key is a database containing the most common techniques, tactics and methods being used by attackers. Tactics are the high-level vectors of attack. The techniques represent implementation of methods of attack. The organizations can perform an adversarial emulation and keep mapping the security controls that are applied with techniques. Organization can also have several security controls related to a given technique. The goal is to verify the performance and efficiency as regards the security control by techniques implemented. The Meet the ETNC key framework that it takes on the security bridge to show the starting point is the original intrusion tactic. Any activity that has been previously carried out will be covered by a framework called Pre-ETNC key. Now, let's find out more about ETNC bounds. ETNC bound is a computer security tool designed to emulate adversaries. The tool aims to bring emulation of a real threat into closer contact with implementation based on the techniques and tactics from the Meet the ETNC key framework. The goal is to simulate how a threat works in an intrusion scenario where the threat has been successfully deployed. It's focused on Microsoft Windows systems through the use of the PowerShell command line. This enables the different techniques based on Meet the ETNC key to be applied. ETNC bound is designed to allow the emulation of adversaries as for a written exercise plan to verify the effectiveness and efficiency of the organization control in the face of a real threat. What is the ETNC core PowerShell? PowerShell is released along with Microsoft Windows Vista. It's not naturally embedded in the operating system, which made it very interesting for both its IT administration administrator and pentester. Its new version includes a large number of new features and modules that will help to integrate interesting with the operating system and its menu tools. The first version was released in 2006. The first stable version. Okay, two versions appeared in 2009 with the release of Windows 7. Version 3 appeared in 2012 with the release of Windows 8. And later the last version, version 7, appeared in the year 2020. The idea under the ETNC bound to link the Meet the ETNC key framework along with the techniques that are implemented via the Microsoft Windows PowerShell command line. The many techniques implemented to using PowerShell support a high percentage of techniques laced in the ETNC key matrix that can be reflected. The project is also plurative. It means that the user can have his initial knowledge base based on ETNC key, but can import new implementations of the techniques used in PowerShell and Reliance using the techniques and tactics identified. We have used JSON format files to support this new code knowledge and import it in other environments where ETNC has been deployed. In this way the cooperative knowledge has become very significant. This facility is multiple users to share knowledge between several environments. The techniques are dynamic elements that are emerging through the evolution of offensive sheet. Now my colleague friend Ramíez is going to give you a little insight into ETT Pound. Okay, thank you Pablo and hello everyone. Now let's see what the architecture of ETT Pound looks like. ETT Pound has three main different components. The first one is the console. That is the PowerShell code that will be running on the Windows machines emulating the treat. After this code is executed on Windows machines, it connects towards a command and control and it waits for the adversary's commands to be emulated. The second one are the functions. These are the technical implementations that are mapped in Mitre, ATT and CK. This is interesting since any user can create their functions written in PowerShell. This makes ETT Pound collaborative and a project where any user can contribute with their knowledge in the form of technical implementations. All the functions will be carried out by the console when it is executed through Windows machines and the last one is the command and control MVC or C2. This is the ETT Pound control panel. From this panel you can set up the treat or adversary to be emulated. You can use already pre-setup treats or you can build your treat or test. The tools knowledge can be imported and exported from this panel since the user can create his content in the form of an implementation of a technique in PowerShell. In other words, a basic architecture scheme has two main elements from the networking point of view. The first is the agent or warrior. It's the adversarial emulation and its code is in PowerShell. The second one is the root node or command and control. From this web application it is possible to manage the application of the treat to be simulated by the different deployed warriors. Also, you can manage the results of the emulation and make decisions about the controls. Everything is fully connected with the identifiers of the ETT and CK metrics. Again, from the networking point of view, the deployment of warriors over the network will be accomplished through different options. Remote invocation through the network privilege, invocation of remote machine without privilege, log-in invocation, etc. It is commendable not to include more than 10 or 15 computers in this process, as indicated by the ETT and CK. These exercises are simulating, but you must have a real as possible environment for better results. Okay, and now let's talk about the operational flows. These are the different flows between the console or agent and the ETT bound command and control. The first flow is the connection flow. When a console is running on a Windows machine, it sends a high command. When the console is running, it gathers information from the machine and then pass it on the control panel through this packet. During the warrior generation, the IP address to be connected must be specified. But this is discussed further below. When the warrior needs to register as a compromised computer, it sends a request through the HTTP POST method of the root node. Stating the warrior ID and the collected information from the computer. When this information is received by the root node, the data will be stored into the database and will be made available for the user. That is in order to assign the plan set in a treat and perform its execution. When all this information reads the command and control, it saves the information into a database and sends an OK signal. The second flow refers to the adversarial planning and execution process. The console or agent will ask for information about the treat plan to be performed. If the user has not created a treat plan for that console, the answer will be no treat plan. When there is already a treat plan created for that console, an OK signal will be sent. Later, the console will start asking for the functions that are part of the treat plan. For its function downloaded and executed, the results will be reported to the command and control. In other words, when the warrior connects to HTTP POST, it requests a new treat plan through the getPlan function. If the user has assigned already any plan to the warrior, it answers OK and the treat plan will be delivered. This plan is generated in a JSON format. More details about this file will be provided later. Once the treat plan is available for the warrior, it will perform the request of its function or task to be accomplished. This is made through the getTask function. A getTask function will be run for its technique implementation that the warrior requires to be performed in order to fulfill the treat plan. For its prior run, two values will be returned through the putResult function. The first one, whether or not the ATTCK technique has been executed successfully. In the second case, we get the output from the function that implements the return technique ready for a technical review that can check the results. OK, and now the third flow is the signed out flow. After all the techniques have been performed, the communication close and the treat emulation is finished. So the console will send the buy command. Therefore, the root node will also assume the warrior as dead if it does not report any activity for a long period of time. In the other side, the warrior will show activity if, before a treat plan is associated, the warrior is requesting a plan. Now let's talk about some key elements in the ATT Pound to go a little deeper. The console will be created from the web application specified, the IP address from where the console file will be downloaded. There is a file called console template that houses the instructions that will manage the connection, the treat plan and the connection close would mention it in the previous section. When the instruction provided is being executed on a Windows machine, the power cell code necessary to carry out of the warrior instantiation will be launched. The console has two parts with a large if in the middle. The first part of the basic starting path is the beginning of the thread. As seen in the previous section, a connection requests all VMA. First, a unique ID is generated for this instance of the 2B identified in the root node. Also, the information on the operating system where it's running is gathered. The second part is driven by a case that can happen in many thread emulations. The process where a privilege escalation or lateral movement to another machine produce a new privilege process or one that can be executed in another environment has been called splitting. In this case, the console will be invoked with an ID that it will not have to generate the warrior ID that identifies the warrior to the root nodes. In other words, if there is a plan with the thread task and the second task is a privilege escalation and this one is successful, then the third task will be executed in another process at an operating system level. But from the 80 pound logical point of view, it's the same warrior. That is, it inherits the same warrior ID. How do we find a thread? Simple, through a JSON file. The thread plan is generated in the root node according to the user's needs. The user can use real threads already created to reveal their threads and see the output of their monitoring techniques. The document format delivered with the plan is JSON. Let's talk about how create your 80 pound functions using the skeleton function. Any user can create or add features to implement techniques from the Mitre 80D and CK. Its implemented function is linked to a technique and one or more tactics in the framework. The main components from the skeleton functions are the technique to be launched or defunction and the main program. This main program will be in charge of managing the flow of the technique to be performed and this main program is in charge of another three tasks. The first one is request the necessary data to the root node for the technique to be executed. This is an execution prerequisite. The second one is check if the execution of the technique has been successful or not. The output will be stored in a true files variable and the last one is if there is some data collected such as credentials, dump, AP addresses or user enumeration that can be used by another technique because all this information will be dumped to a data store that has the root node. This scheme can be visualized in any of the functions that can be found in 80D Pound. 80D Pound is a collaborative project where the goal is to share knowledge through treat plans. For the reason, the tool allows sporting user-generated treats and importing them into other 80D Pound instance. During the treat plan generation or query, the export plan option can be used as shown in the image. Once the file is stored in JSON format, it can be shared with the community. The JSON file contains all the information to recreate the treat plan with all the tasks and implementation of techniques involved, even if these are not available in the new scenario. Now, let's look at some use cases. In 80D Pound you can execute the four or noun threads and the threads or adversaries that we create. With our custom threads we can make our own version of a noun thread with 80D NCC techniques selected by us, create our own version of an attack with 80D NCC techniques and perform an execution of a thread, noun or created by us, that implements our own functions through the skeleton function. In this section we will perform different scenarios and explain them. Okay, in this first demo let's see what our warrior is. To do this, we will create the warrior in this option and copy the code that 80D Pound delivers to us. Then we go to the computer where we will make the adversary or treat test, paste the code, it will be executed in a new PowerShell and finally it connects with 80D Pound downloading a console. If we go to home section we will be able to see the computer where the warrior is running. Here we have the architecture data, the process dash is running the AP address to which it belongs and the warriors identified. In the plan section we have some predeterminate treats as we can see here. Like WannaCry, NotPetya, Flane, Dark Comet or Dooku. Let's select for example WannaCry and here we can see the techniques and the 80D NCC tactic identifier that forms this version of WannaCry. We could use it against a warrior, launch the warrior plan and finally execute it step by step all those techniques that correspond to WannaCry in this case. In this second demo we are going to gather information to verify that there are different techniques within 80D and CK and 80D Pound to be able to collect that information to recreate the malware treat. Next we are going to do a privileged escalation technique that will split the 80D Pound console process in two. One without privilege and the new one with privilege. The first step will be to create the warrior, copy the code, go to the power shell, run the code and finally obtain the warrior executed. Okay now let's go to the plan option, create a new one, select the gathering tactic where we can see here besides the implement techniques. We also have the discovery tactic where we can see some 80D and CK techniques generated. In this case we are simply going to make a selection of the processes that the machine has. We will add this technique then we'll go to the escalation of privilege where we are going to use a bypass of USC technique named 1088. We add it, we put a name to the treat and finally we will create the plan. Once we have the plan created we can select it here. We see the elements of our plan with which Mitre tactics the mapping is performed and we can identify the warrior. Over the warrior we want to launch it and finally we launch the plan. At this moment the 80D Pound console will start working and it will read the plan and here we have the pending task. If we go to the result option we will see how the first technique has already been executed, invoke the process which is just a collection of processes. We can see success if we refresh it or we wait for a little while. We will find that USC bypass has also been successful and we really get a double process. The one of the left is without privilege but the one on the right is a process in which instructions with privilege are being executed but we had no more technique after the privilege elevation of execution. In the 80D Pound technical part we can see the techniques output. We can check the processes that the computer has and here we can also see the UAC bypass result and here the second demo. In this third demo we are going to perform an escalation of privilege but also a credential stamp. To do this let's create a warrior pointing to the 80D Pound IP panel, copy the code and run it on the PowerShell console as we see before. Here we can see the information about the new warrior connected to the panel and now we are going to create a plan. The new plan will have a privilege escalation. We will use again 1088 that is the USC bypass and we will execute a credential artist tactic using a power dump but we could also use nimicats to perform the credential dump. The interesting part is that once we get the privilege escalation working we will get a new process with privilege and this process will be able to perform the credential dump. Okay so let's create the plan, deploy the treats, select the treat, select the warrior and finally launch the plan. Okay and now let's go to the 80D Pound output section and here we'll be able to see the techniques or tasks pending execution like the 1088. If we give it a little time we will see that it has been successful. This new process with privilege has not been created yet, we will see in the next address. Here we can see the console without privilege and this second panel where we find the credential dump is still running. We can see that the power dump technique is finished but where can we see the results? Like in the previous demo here we can see the output that this technique has in this case the USC bypass while the second technique executed in this process the credential dumping has returned us all this information. This information is very important. As we see here we have users user ID has LM has NTLM as I said this information is very important because we will be able to use it through a data store. The data store can be used by techniques that are performed afterward for example a lateral movement technique can be used this hashes and these users because of this data store. This is a very very important element within ADD Pound. In this fourth demo we will perform the following scenario. First an escalation of privilege, second gradient dump or gradient dumping and finally we will make a lateral movement from computer with windows 7 to the computer with windows 10. First we are going to play a warrior on the windows 7 machine. Okay as we have done in previous demos we type in the ADD Pound IP address and finally create the code. We copy the code from Power Cell and run it on windows 7. We copy the code from ADD Pound and run it on windows 7 on Power Cell. Okay once executed we go to home and obtain us before the new warrior running windows 7. Okay well now let's generate a plan where the first step is to execute this technique for example by the counts D1078. Okay the second technique is an escalation of privilege and third technique is a gradient dumping and the fourth step or fourth technique will be a lateral movement. Okay now insert plan and select a plan new plan or new thread and we assign a warrior ID to new plan. Okay and look at Resules view and we have that data store. Okay these are techniques about the new plan and data store we add an IP address to the data store. Okay well reference the web page several times until the lateral movement is complete and the technique of lateral movement is complete. Now ADD Pound is still executing all processes now refresh the web page several times until the lateral movement is complete. Okay observe that we have an ADD Pound console running on windows 10. Yeah then now we can conclude this demo form. Okay now we are going to a speech about demo five. Well in this five fifth demo we will work on an all-in-one thread concept where we will automate the service discovery and the discovery of machines with them within a network as a threat or an adversary could do. The data discovery will be stored on the data store by a technique being used then we will perform a privilege escalation obtain a new privilege process on the windows 7 machine then we will make a credential dump thanks thanks to that privilege escalation where we will acquire houses and users then we will make a lateral move where we will use the houses users and the IP addresses from the computers within the network to try to make to make that lateral move through the mid-hdc key technique. In this way the whole process is fully automatic so we can test the effectiveness or efficiency of security controls within the organization. We will start as always by generating a warrior in this case we check the IP address again copy the code and go to PowerShell to paste the code okay okay in the home section we will see the console connected soon here we see the data now we go to the plan section okay waiting for the warrior and we go to the plan section we create create a new plan begin with discovery tactic using the T1046 technique where this port scanning will allow us to discover computers okay we add the technique to the plan indicating an escalation of privilege and then credential dump with power dump or mimicants and finally the last technique again a lateral movement okay and threat name deathcon demove 5 and and all in one and threat description blah blah okay we put the name only one create a plan and link it with the warrior we go now to the results okay well first allocate plan and now we go now to the results we see the console begins to work um now we can see here the task to be done and the scan begins one moment here yeah the scan is a technique that into Ali can take create a long time can be seconds or meals uh so we will speed up the demo a little bit so that this part goes as fast as possible okay once the scan has finished we will be able to check that it has been successful and if we go to the data store okay now we go to the data store we will be able to see the computer ap addresses that are currently alive on the network um right now the second technique that is the escalation of privilege has also also been successful so the process has been unfolded and right now the process dump credentials okay if we refresh the page we will see the credential dumping has been successful too and if we go to the threat data store we see that we have IP addresses users and has this the this has to scan be a diet from here directly like any data from the data store and the changes will be saved by clicking on the update code okay for the threat to finish we will have to check if the result is correct or not in the lateral movement we must consider that these techniques are used to test the efficiency and effectiveness of the security controls within the organization therefore certain implementations may be dated and avoid the solution of some codes okay now a new process on windows 10 has been implemented there are no tasks and we have performed the lateral movement in other words the threat has moved from windows 7 to windows 10 from one machine machine to another over the network and we have also done the whole process of a threat that is real for us detecting computers in the network trying to escalate privilege dumping and accessing information such as assets and finally a lateral move with one of the techniques that can be implemented within the lateral movement most tactics in this sixth and final demo we are going to export the threat plan and then import it into 80 pound to make a simple example we can choose not pedia select the threat get the techniques to use and proceed with the plain sport in this button we export this knowledge we if we want to share knowledge with other users our threat knowledge that we already have created or even even techniques that we have implemented in power cell and add it to 80 pound we could create any plan set an aim create the plan choose it and proceed to export it okay if we want to share this plan with another user we will send him the json file which we are going to open to see the content okay json opening json file in firefox okay okay as you can see even the function definition right in power cell exactly as we have created it is transferred so if we want to share this information with another user we can export those plans containing the functions there that we have created in power cell and edit to 80 pound and send this json okay it's very simple and collaborative way to provide the knowledge to other users with offensive techniques within the 80 cq mapping well this is the last demo and i will pass the word on to my partner friend okay so that's all feel free to visit the 80 pound github and download the software this is a new tool we are currently working on and we are adding new techniques also the project is collaborative and everyone can help the project grow and now we are ready to answer any questions you may have about