to you about how to sneak past the blue team of your nightmares. So in this talk, what we're going to do is we are going to assume the perfect blue team. What if we are up against the imaginary blue team that does everything perfectly, but we still want to phish them? How can we do that? Well, before I go into it, I am Otto Banst. And I am the founder of Compound C, which is a startup that is still in the early process. I'm still busy with setting everything up. But before starting on my own, I started as a red team operator at Invisio in Belgium. And I also worked as a penetration tester at EY in the Netherlands.

Well, during this talk, we will go across the whole stage of a red team operator and how they set up a phishing campaign. And during each stage, what we need to take into account, like what the blue team could detect from us. So first of all, we are going to look at how we set up a campaign. So we are going to see, OK, what do we need to take into account when we buy a phishing domain? What do we need to take into account when we set up the servers behind it? What do we need to then take into account once our phishing campaign is set up and we want to launch it? What are the things that we need to be careful of when we actually press the send button? And also, if we get our phish the whole way through the process, we have the phish on the desktop of our target. If they then press execute, what do we need to take into account for that specific phase? So during this talk, we will go through all four of them and then see for each phase which are the OPSEC requirements that we need to take into account.

Now, this talk is important. We'll be using the purple team approach. So there will be two different kinds of slides. There will be the red slides, which is like the red teaming, so the offensive side. And there are the blue slides. And on the blue slides, I will try to analyze how the blue team might detect us.
On the red slides, I will see how we can actually anticipate that. So during this whole talk, you will actually see the whole cat and mouse game. It will become very clear how the cat and mouse game plays out during this talk. During this talk, also, we have set up something like an imaginary company. It's called blueperfect.net. If you go to the link, you can actually see the site. And blueperfect.net is a seller of crystal clear water, but also has the perfect blue team. And we will try to phish them. All right. So during this whole talk, there will be different domains. These domains are all legit. I have set them all up. They can all be correlated because I made some mistakes in there. And this way, you can also follow along at home.

Now, first of all, we have our scenario. We know we want to phish blueperfect.net. But how are we actually going to do that? First, we need our domains, right? Well, as a red teamer, if I need a domain, I want to make it look legit. And there are different ways I can do that, different types of attacks. The first one is typosquatting, in which I will try to use the domain and make some small alterations to it, so that for the naked eye, it's almost impossible for that person to see that it's actually like a spelling mistake. I will give a quick hint. All of the domains listed here, none of them is real. So especially, for example, the blueperfect.net with a double R or the first one are the ones that I would not immediately see if I would actually be inspecting the link. Now, a second type is actually combosquatting. And that is where I will try to make a legit domain by using a random word and then pasting something next to it. For example, water-blueperfect.net or shop-blueperfect.net. I still have full control over that domain. It's my domain, so I can do whatever I want with it. And it looks fairly legit to the original owner. All right, and then there is also a last one, which is doppelganger domains.
If blueperfect, for example, has a Jira site, and in the Jira site they have jira.blueperfect.net, I can actually buy jira-blueperfect without a dot, and then I still have full access to that domain as well. Now, this is like a first step, but this is already a very important one. We need to be careful of this because defenders can actually detect domains being bought that are very related to their original domain. For example, here we have a screenshot of dnstwist, and that is like an open-source tool that will go through all the different alterations of the different domains. So it will see like blueperfect.com, blueperfect.net, it will try to place a dot, it will try to make all the alterations that it can find, and then it will see, are these already registered or not? And if so, it might be a very interesting part. If those are registered, you might want to block them because the chances of someone having blueper.fect.net are quite suspicious, right? So the blueperfect organization would already block us as an attacker on that part. And so this is an open-source tool, but there are still a lot of paid tools that also automate this process for you so that you can just keep hands off.

Well, as an adversary, we actually want to avoid being detected that way. So a technique that I am very fond of is to just take a domain that's completely different from all the other things that might be related to it. So I will just buy a domain which is called registrationportal.org, for example. Nobody will be able to trace that domain to blueperfect. Well, to make it still look legit, what I will try to do is, in the subdomains, I will add blueperfect.registrationportal.com so that if someone that is trained is looking at the URL, they just look at it and see, OK, it doesn't have any spelling mistakes. So probably it looks OK. Well, nope, it's not. But that's what we want, of course.
But here, we also need to be very careful because if you are actually requesting an SSL certificate for your domain, so for example, I have registered blueperfect.fileportal.cloud.com. If I have registered that, I need to be very careful because if I ask for an SSL certificate, all SSL certificates are reflected in the certificate transparency logs. Those are public. Those can be searched by anyone. And there are actually some services like censys.io that you can see here on the slide that index them all. And I can start looking for them. So for example, if I look for blueperfect.wildcard, so just all the domains with blueperfect in the front, I will actually see one domain popping up that's called fileportalcloud.com. Even though it was nothing related, those certificate transparency logs actually got me busted. So this way, if I would have set it up, the blue team would have detected these two domains already, so blueperfect.fileportal.cloud and fileportal.cloud.com as well.

Now, don't worry. There's still a way that we can actually bypass that. And it's like just one thing that's very helpful, and that's wildcard SSL certificates. So instead of making a certificate for each of your subdomains, you can just use a certificate that's star.blueperfect.net. And this way, if I, for example, have the domain salarychecks.com, if somebody tries to look for it, they will only see a star, and they will never see blueperfect reflected in those logs. All right, so that is actually how we can buy our domains and get an SSL certificate for those without being detected.

Now, we have our domains, but we also need to set up the servers behind it. And those can actually require a lot of work. And I'm lazy. I try to be as efficient as possible, but that also comes with its OPSEC mistakes. Because I try to reuse the servers, I try to reuse the IPs, I try to reuse the categorization templates, I try to reuse the domain names if I can, just to save a bit of time.
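As an added example from the defender's side (written for this transcript, not code from the speaker or from Compound C), the two detection points just described can be put together in one small brand monitor: it generates the permutations a dnstwist-style tool would check for a brand, and it scans certificate-transparency subject names for the brand turning up in any DNS label, which is what gave away blueperfect.fileportalcloud.com. Wildcard subjects are reported as blind spots rather than dropped, because the log then only shows "*." and the subdomain behind it is not visible. The keyboard-neighbour map and the CT entries are constructed sample data.

```python
# Added example (editor's, not the speaker's code): a defender-side brand
# monitor for the two detection points the talk describes. It builds the
# permutation list a dnstwist-style tool would check for a brand (typosquats,
# combosquats, doppelganger names) and then scans certificate-transparency
# subject names for the brand appearing in any DNS label, which is what
# exposed blueperfect.fileportalcloud.com. Wildcard subjects are reported as
# blind spots, because the log then only shows "*." and the real subdomain is
# not visible. The neighbour map and the CT entries below are constructed
# sample data, not real registrations.

BRAND = "blueperfect"
TLDS = ("net", "com")
OWN_DOMAINS = ("blueperfect.net",)
# a handful of QWERTY neighbours, enough for the demo (assumed, not complete)
NEIGHBOURS = {"e": "wr", "r": "et", "t": "ry", "u": "yi", "l": "k",
              "p": "o", "b": "vn", "f": "dg", "c": "xv"}


def typosquats(brand=BRAND):
    """Single-edit variants: omission, repetition, transposition, adjacent key."""
    out = set()
    for i, ch in enumerate(brand):
        out.add(brand[:i] + brand[i + 1:])                          # bluperfect
        out.add(brand[:i] + ch + brand[i:])                         # blueperrfect
        if i + 1 < len(brand):
            out.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])  # bluepefrect
        for n in NEIGHBOURS.get(ch, ""):
            out.add(brand[:i] + n + brand[i + 1:])                  # blueperfwct
    out.discard(brand)
    return out


def combosquats(brand=BRAND, words=("water", "shop", "login", "portal")):
    """Brand glued to a plausible word: water-blueperfect, blueperfect-login."""
    return {f"{w}-{brand}" for w in words} | {f"{brand}-{w}" for w in words}


def doppelgangers(brand=BRAND, subs=("jira", "mail", "vpn", "sso")):
    """A real subdomain with the dot dropped: jira.blueperfect -> jira-blueperfect."""
    return {f"{s}-{brand}" for s in subs} | {f"{s}{brand}" for s in subs}


def watchlist(brand=BRAND, tlds=TLDS):
    """Registrable names worth checking for registration or CT activity."""
    names = typosquats(brand) | combosquats(brand) | doppelgangers(brand)
    return {f"{n}.{t}" for n in names for t in tlds}


def scan_ct(ct_subjects, brand=BRAND, own=OWN_DOMAINS, wl=None):
    """Split CT subject names into (brand hits, wildcard blind spots).

    A hit is a name on the watchlist, or any name carrying the brand in one
    of its labels (the blueperfect.<unrelated-domain> case). Names under the
    organisation's own domains are skipped. A subject starting with "*." is
    a wildcard certificate: the subdomain it protects never reaches the log,
    so it is returned separately instead of being silently ignored.
    """
    wl = watchlist(brand) if wl is None else wl
    hits, blind = [], []
    for name in ct_subjects:
        name = name.lower().rstrip(".")
        if any(name == o or name.endswith("." + o) for o in own):
            continue
        if name.startswith("*."):
            blind.append(name)
        elif name in wl or any(brand in label for label in name.split(".")):
            hits.append(name)
    return hits, blind


# Constructed sample CT-log subject names (not real certificates).
SAMPLE_CT = [
    "www.blueperfect.net",              # the organisation's own cert
    "blueperfect.fileportalcloud.com",  # brand used as a subdomain elsewhere
    "fileportalcloud.com",
    "blueperrfect.net",                 # typosquat from the watchlist
    "*.salarychecks.com",               # wildcard: subdomain invisible
    "mail.example.org",
]

if __name__ == "__main__":
    hits, blind = scan_ct(SAMPLE_CT)
    print("brand hits:", hits)
    print("wildcard blind spots:", blind)
```

The wildcard list is the useful part for a blue team: the talk's point is that "*.salarychecks.com" hides the brand, so such entries cannot be matched on the name alone and have to be pivoted on through other data (IP, page content), which the next section of the talk covers.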
Because if I have to do the whole process over from scratch, it's a very tedious process. Well, this is actually something that the defenders can capitalize on. Because if I use the same techniques in the different parts, that means there is a possible correlation between the two. So defenders can start to correlate between, if I have found one domain, maybe there are other domains connected to it. So they can see, OK, has a domain been pointed to the same IP address? If yes, probably suspicious. Does it have the same HTML hash? Yes, probably suspicious. Image hashes as well; there are different kinds of ways to actually start correlating them. And one way that defenders really like to do it is they use a functionality of VirusTotal. So VirusTotal Graph is a functionality in which you can search for one domain. And then from that domain, it will start to graph out. It will start to correlate to other parts. So what you can see here is, here I typed in this example, fileportalcloud.com. And with this example, it will see all the different nodes. We see two IP addresses popping up. So within this functionality, we can just double click on the IP addresses. And it will expand from there again. Now in this graph, if you look carefully, you will also see, instead of only fileportalcloud.com, you will also see one popping up that is wordofficeonline.com, which is here in the bottom. So this way, a blue team, if they found one of our domains, could already start burning our whole other campaign. And that's something that we don't want, because all the precious effort that we put into setting things up just got burned in one go. And so this way, if we would have made all the mistakes that I've just said, the perfect blue team would have caught our fileportalcloud.com and would have found our wordofficeonline.com, which was another one of our domains. So we also want to break that, right? So we want to have the balance between being efficient.
We don't want to set up everything from scratch, but we also want to break the correlation between the two. So we can do that in one way. So we can break IP-DNS correlations. So I will never use the same IP address for a server, or I will never use the same domain name. That's already one way that I can like split those up. Or another approach is I actually just want to point everything at the same thing while everybody else is pointing at the same thing. Let's say I use a CDN like Cloudflare. There are so many domains pointing at the same domain that it's actually like I become the needle in the haystack, right? Like for the blue team to actually find me out between the millions of other systems connecting to it.

But even though we can break the DNS-IP relationship, we also need to be careful. Because if they found one of our domains, they can actually start with hashes and see, OK, where are there other sites using the same hash, for example an image hash, or using the same part of an HTML page. And there are different services. Here is one, for example, urlscan. And they scan the whole internet and index it. So they have a huge collection of all these image hashes. So if you would have one of our images, so this is an image from fileportalcloud.com that I used, if I would make the hash and search for the hash in urlscan.io, you would actually see a lot of different domains popping up. And very interesting here is the fourth one: salarychecks.com. This one had not been previously detected, but the blue team of nightmares could actually start correlating those all together to get to this domain purely on an image hash. So as a red team, we already feel that if the perfect blue team would be doing a lot, we need to take a lot into consideration as well, right? So this way, they actually have salarychecks.com. How can we try to anticipate that again? Yeah, we want to beat the perfect blue team by being the perfect red team.
We want to break those hashes. We don't want a hash to be found in two domains at the same time. One way for an image that we can do it is if we take the original image, like on top, we can do different alterations. I can just change one pixel, and because of that, the whole hash of the image will be different. So if people would be looking for it, it will be different as well. There are different ways that we can also do it like a bit more properly. We can just turn the image around, and because all the pixels have shifted, the image looks completely different. Again, we can add some noise obfuscation, or we can actually start with colors, different colors, and then we break the complete hash. So every time we set up a server, every time we set up like a new landing page, we actually need to make sure that all the hashes are different. And then if we do that, we have an image which is obfuscated. We take our hash, we look for it, you will not find anything anymore, and then we, as a red team, can actually sleep well at night without being worried about our domain being burned overnight.

All right, so we've been through the whole setup, right? So we bought our domain, we have our servers, what's next? We just want to send everything, right? Well, before we actually hit the send button, there are different things that we need to take into account, different ways that we can actually be blocked during the send itself. And one of those ways is reputation-based filtering that they can do. So reputation-based filtering can be done in different ways. So a blue team can have some software in place that actually checks all incoming connections, and they will check, is that IP trusted, or is it linked to a phishing domain? Does it have a domain reputation? Is the age correct? So if I have a domain that is less than 30 days old, that's a super new domain; it doesn't happen often. So oftentimes I'm already blocked from the beginning that way.
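As an added example for the infrastructure-correlation part of the talk (written for this transcript, not code from the speaker or the tools named), here is the defender's pivot in miniature: domains are clustered when they share an IP address or an HTML hash, the way VirusTotal Graph and urlscan.io let an analyst expand from one node, and landing-page images are compared with a perceptual average hash instead of an exact digest, so the one-pixel change described above still lands within a few bits of the original. The domains, IPs (RFC 5737 documentation ranges), hashes and 8x8 "images" are all constructed for the demo.

```python
# Added example (editor's, not the speaker's code): how a defender pivots
# from one known phishing domain to the rest of the infrastructure, as
# VirusTotal Graph and urlscan.io do. Domains are clustered when they share
# an IP address or an HTML hash, and landing-page images are compared with a
# perceptual average hash (aHash) instead of an exact digest, so the
# "change one pixel" trick still lands within a small Hamming distance of
# the original. All domains, IPs (RFC 5737 documentation ranges), hashes and
# 8x8 "images" below are constructed for the demo.
import hashlib


def average_hash(pixels):
    """64-bit aHash of an 8x8 grayscale image (8 rows of 8 ints 0..255)."""
    flat = [v for row in pixels for v in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for v in flat:
        bits = (bits << 1) | (1 if v >= mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def exact_hash(pixels):
    """What a naive image pivot compares: a digest of the raw pixel bytes."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def cluster(records, max_distance=10):
    """Union-find over domains, joined on shared ip, shared html_hash, or
    an image hash within max_distance bits. Returns sorted clusters."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    shared = {}
    for r in records:
        shared.setdefault(("ip", r["ip"]), []).append(r["domain"])
        shared.setdefault(("html", r["html_hash"]), []).append(r["domain"])
    for group in shared.values():
        for d in group[1:]:
            union(group[0], d)
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if hamming(a["ahash"], b["ahash"]) <= max_distance:
                union(a["domain"], b["domain"])
    clusters = {}
    for d in parent:
        clusters.setdefault(find(d), []).append(d)
    return sorted(sorted(c) for c in clusters.values())


# Constructed images: a dark-to-light gradient, the same with one pixel
# altered, the gradient mirrored, and an unrelated flat grey image.
ORIGINAL = [[10, 40, 70, 100, 130, 160, 190, 220] for _ in range(8)]
ONE_PIXEL = [row[:] for row in ORIGINAL]
ONE_PIXEL[3][4] = 100
MIRRORED = [row[::-1] for row in ORIGINAL]
FLAT = [[128] * 8 for _ in range(8)]

# Constructed infrastructure records for the pivot.
RECORDS = [
    {"domain": "fileportalcloud.com", "ip": "203.0.113.10",
     "html_hash": "h1", "ahash": average_hash(ORIGINAL)},
    {"domain": "wordofficeonline.com", "ip": "203.0.113.10",  # same IP
     "html_hash": "h2", "ahash": average_hash(MIRRORED)},
    {"domain": "salarychecks.com", "ip": "198.51.100.5",      # same picture, 1 px changed
     "html_hash": "h3", "ahash": average_hash(ONE_PIXEL)},
    {"domain": "shop.example.org", "ip": "192.0.2.77",
     "html_hash": "h4", "ahash": average_hash(FLAT)},
]

if __name__ == "__main__":
    print("exact digest changed:", exact_hash(ORIGINAL) != exact_hash(ONE_PIXEL))
    print("aHash distance, one pixel:", hamming(average_hash(ORIGINAL), average_hash(ONE_PIXEL)))
    print("aHash distance, mirrored:", hamming(average_hash(ORIGINAL), average_hash(MIRRORED)))
    print("clusters:", cluster(RECORDS))
```

Running it groups fileportalcloud.com, wordofficeonline.com and salarychecks.com into one cluster while shop.example.org stays apart: the shared IP links the first two and the perceptual hash links the third despite the altered pixel, which the SHA-256 digest no longer does. The mirrored image scores 64 differing bits, so a flip does defeat this particular hash; that is why a blue team combines several pivots rather than relying on one.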
I also want to look at my mail server reputation and also the content of my mail itself. And that is actually a lot of things to take into account. Here, I've added two screenshots of common software vendors that I come across, which are like Symantec and Talos Intelligence. And what they do is, for each incoming domain, they will check, is this domain connected to a category? For example, does it look like finance? Is it just a redirector or whatever? And then each company can select, okay, I want to block all categories that are not finance or health or whatever. So again, this is something that can be very tedious to bypass, so we actually need to do a lot for it. And I can try to get reputational IPs based on just trying and getting an IP from a cloud vendor and then see, is there already like a bad reputation connected to it? If there is, I can just request a new IP and then I have a clean IP again. But that's actually one with a bit of a low reputation. What I personally really like to do is use an IP from Cloudflare because again, there are millions of packets coming into Cloudflare from millions of connections. Those IPs have a very high reputation. So by just blending in with the masses again, I can become a needle in the haystack and actually get a high reputation IP on the side. So that is very sweet for us.

Also for mail servers, if I send my mail, I don't want to be blocked because my mail server is actually just non-reputable, because it's not trusted. If I would set up a mail server on my own, I can be sure that it takes a hell of a time to actually be landing not in a spam folder but being accepted. Now, also the content is important. If I have a mail and it's urgent, COVID, whatever, you also see, Prince of Nigeria, I don't know. These typical phishing spams, all these keywords, I need to try and avoid those. And there is one last one, and that is the domain reputation and the age.
That's the trickiest one in my experience. So for that, I use mainly four different strategies. One strategy to have a domain with a high reputation is to actually try and find vulnerable web servers on the internet, compromise those, and this way we can add our backdoors, we can just use that domain, and we have a domain with a high reputation. And the pro for that is it's very hard to correlate for a defender. From the outside, you can't really tell that this domain, which functions perfectly, is actually compromised in the backend. Well, the con, of course, is I can't use it. I've never used it. It's illegal. I'm breaching other people's sites without having their consent, so I stay away from that. And also, it can be like tough to do all the scanning, process all that data, and then go and exploit those. There are some services that actually go and automate the process for you. So for example, on Shodan, if you have a business license, you can just check for all the systems vulnerable to EternalBlue, and then you just need to pick out, but I hope they don't sell these to threat actors and only to the good companies. Oh, okay. So that's strategy one. It's not valuable for me. I hope it's not valuable for you guys as well, because we need to stay within the law, right?

So the next thing that we can do is actually set up the whole thing on our own. So we buy a domain, we make up a server, we make it look like a finance page, for example, a fake bank, and then we try to categorize those. We try to age those. We just set everything up so it looks legit, and then we let them be categorized by one of these servers. For example, here with Bluecoat, we can actually just put in our domain and say, we would like this to be categorized as this template. Could you please do that for us? And then automatically in the backend, they will start to scan the site and see if it could be correlated to the domain that we are requesting.
And it's automatic, so it's fairly easy to get that done. But it just requires a lot of steps to do it, because we also need to still take into account that if we use the same template for finance for three different domains, it can be correlated again. So we need to be very careful of that. Yeah, so the con is actually, it's very time-intensive, and it requires a lot of OPSEC to do, but we can actually get it categorized as a category that we want. Maybe a quick tip, I don't know if you know this, but I would also always try to get it categorized as finance, health, military, or religion, because these four are very important, like there's very sensitive data in there, and companies will actually exclude those from deep packet inspection. And so deep packet inspection is where all the traffic is going through one system. They see what's inside; if it's okay, they send it through, if it's not, they just block it. Well, they check if it's military, health, or whatever, and they will actually just forward it because they say, this is sensitive data, we can't touch this, hands off. Well, that's actually just the red team packet coming through. So that is what I always like to do.

A third one, and it's actually not a very known technique, it's a technique that I actually found by accident almost, and that is to use a suffix domain. All these Bluecoat vendors, what they do is, they go and they check the domain. So for example, domain.com, and for that, they will just give a category. But if I have a suffix domain, then I just buy a domain from someone already vending a subdomain to me. Let's say for example, we have the top domain, which is .com.nl, someone bought .com.nl, and they are selling all the different subdomains for it. For example, I can then buy phishing.com.nl from them. These vendors have not taken this into account, so what they are checking is just .com.nl, which for me is sweet, right? So I can just use their reputation, their age.
Oftentimes it's like I get a reputation of 26 years old, in technology and internet, like you can see here in this slide, and it's a very simple way for me to get a categorized domain. Now the con of that is also, because I am using .com.nl, it looks a bit weird, so people might get suspicious of it, but in my experience, I never found this as like a limiting factor. People just click it, even because it doesn't have a spelling mistake, I guess.

And the fourth strategy is, if you also want to have a bit of a shortcut, you can use one of these vendors, one of these CDNs, and use their domain. So one is, for example, blueperfect.azureedge.net, in which we use the Azure CDN. We can use Fastly, we can use Amazon CloudFront, we can actually start using SharePoint, so set up a whole SharePoint server on our own, make it public, so that other people can connect to it. And the good thing here is also those domains have a very high reputation, but the con is it's often against the terms and conditions of those companies, so you need to be very careful not to get blocked. Don't do this on your main account. We almost got banned because Azure, at a certain point, started to come up very heavily against these types of techniques, and we almost got our whole company wiped on Azure just because we were going against the terms and conditions. So that was for us a time where we said, oh, okay, let's stop. So be very careful when you do that; preferably set up something on your own. These are also very good for domain fronting, for the people who know this technique. I don't have the time to go into it, but if you know it, it's very useful to use these as well.

Here I've come to three different parts of the whole setup that you need to take into account. You don't always need to set up your whole sending domain. You don't always need to set up your whole landing page or actually like the payload server.
Those are things that you can actually try to bypass, just to save up a lot of time, right? So the first one is, if I want to avoid having the sending mail domain, I can actually use these public services, like I can use a Gmail account, I can use an Outlook account and send my mail from there. This way I don't have to set up anything. Everything goes automatically, and the chances of that mail landing in the mailbox of my targets are very high. I can also use social media. I can go on Twitter and just contact someone of my targets immediately, send them a link, and then I'm done. The next thing that I also can do is I can avoid trying to set up a landing domain, and that is just really trying to make my pretext not need one. So they don't need to see a web page in order for them to feel like it's legitimate, so that it doesn't feel like it's a phish. And I can also avoid the payload server, rather than just the mail-sending domain. And because I can avoid the payload server, I can use these public services, like for example an anonymous GitHub gist. I can just put my payload on there, send someone the link, and this way I did not have to set up any of the domains with the whole categorization part of it. I can just bypass those.

Well, this seems a lot simpler, right? But on the other hand, it also limits our possibilities as a red teamer. So it's a very viable approach, especially because these attacks are highly targeted, so the chance of it succeeding is a lot higher. We also have a huge time reduction. Most of the time that we need to set everything up, like two weeks, we can just reduce to setting up a fake LinkedIn profile, for example, and then actually sending our phishes from there. Also, we focus more on the pretext instead of the technical part, so we can make sure those pretexts that we use, the scenario that we use, is like really head on and will make the user click on the link.
And also, this is a lot less opportunity for a blue team to detect us from the beginning. Now, why am I not always taking this approach? Again, because it's highly targeted. Companies don't always like that we are targeting one person as an individual, because they don't want their employees to feel like the focus of a certain test. So they are often very careful with these kinds of tests, so that means we need to take a group of six or seven. It's also not possible if you want to do this with credential phishing; then we again need to set up the whole page for credential phishing. And it's also less flexibility.

So we have gone through the whole process. So we have our domain, we have our server setup, we have passed all reputation-based filtering. And now, our phish, we can assume the user opened it. It is on the workstation of that specific user or target. Are there still things, have we won already? Well, sadly, if we are up against the perfect blue team, we haven't, because they might have a lot of endpoint hardening measures in place. And these are like the five most common endpoint hardening measures that I've seen come across. So the first one is macro execution hardening. This is actually one that I haven't seen a lot. I wish I had seen it more. This would have blocked me so many times, but it's almost never enabled. So the first one is Mark of the Web. Mark of the Web is only recently becoming like the default from Microsoft, so we have to step up our game as a red teamer anyway. But also, maybe good to explain, Mark of the Web, what does it do? If I download a Word document from the internet, I get it on my computer, all macros in those documents will be blocked by default. They will not be able to execute, like whatever the end user is doing, it will not work at all. But I can try to bypass that again. Also, they can try and make only the execution of signed macros available, and that would block us in the whole process.
So if we have the Mark of the Web, we can actually try to bypass that with zip files. So if we put our document in a zip file, the zip file has the Mark of the Web, we send the zip file over, it's downloaded, it has the Mark of the Web, the user expands it, and because the content itself does not have the Mark of the Web, we can actually bypass that already. And also with the signed macros, we can just sign the macro with our own certificate, but the problem with that is, if we sign it with our own certificate, it's expensive to get our own certificate, we need to put it on our company name, so it immediately gets traceable back to us, and also it is quite extensive. If we have burned one of these certificates, we cannot use them again anymore. So that's actually quite a lot of work. So if you are a blue teamer, please try if this works in your company; it will block me almost 100% of the time.

So the next thing that we can look at is AppLocker and Attack Surface Reduction. So these are two ways that they can actually avoid the execution of certain payloads. With AppLocker, like a blue teamer in the configuration puts in some rules, for example, EXEs can only execute from this and this and this location, the same for DLLs, for scripts, for installer files. So with AppLocker, they can do a lot to block us from the beginning. Well, this AppLocker has, for me, never really been like a big issue, because mostly we've just been sending Word documents, and those Word documents get executed by Word, which is actually allowed, and this way we can get our payload on there. And on the other hand, there are a lot of bypasses for AppLocker. Here, I've added a link as well. This link contains so many bypasses that you just need to choose a couple and then try and see if it works on the company. The con to that, of course, is we don't know exactly what rules are in place in that company, so we're not entirely sure if we send a phish that it will be executed or not.
Now, one thing that I am very careful about is Attack Surface Reduction. This is a feature from Microsoft that comes with an E5 license. So if you buy Defender for Endpoint, this comes with it, and it will block a lot of different things from Office applications. So one of the rules that they have is that they will block Office applications from creating child processes. So if I have my Word document and it is trying to spawn a cmd.exe to run a command, it will be blocked automatically by this rule. Now, me as a red teamer, I try to bypass everything. So one of the things that I try to bypass here is just making someone else execute a command. One of the ways is Task Scheduler. I can ask Task Scheduler, can you please do this cmd.exe with this command and execute it for me please? Another way to do it is with COM objects. So with COM objects, I could make another program actually execute the command that I want to do. So that's already rule one bypassed.

If I go on to the second rule, the second rule is Office applications that create executable content. So let's say I've got a DLL, I'm planning to do a DLL hijack with my Word document. I try to get a DLL in a certain place, so it's like executed by another program again. This rule would block me from downloading the URL and writing it to disk. That would be blocked, right? Well, actually, apparently they are just looking at the extension. So if I write to a .txt file and then rename it to .dll, tada, I bypassed it. So a lot of these rules are quite simple to bypass, but you need to take them into account, because if you don't know, they're quite effective. Also one important one is that I can't inject into other processes from Office applications. And this is one that is a bit of a troublesome one, because if I am contained in my Word document, I try to migrate to other processes just to have a more stable beacon.
And this is one that I can actually try to bypass by using a PPID spoof. And a PPID spoof is where I say, OK, Word is not the parent application anymore, it's actually now explorer.exe. So if I would try to inject into another process, it would see, OK, Word is trying to inject, block. If I say Word is doing it, but the parent process is actually explorer.exe, then the attack surface reduction rule will say, OK, let's go ahead. So that's one way to bypass that as well.

A next rule that I need to be careful of is actually that they block the execution of obfuscated scripts. Obfuscated scripts, this rule, even with heavily obfuscated payloads, I never really had a lot of trouble with it. The rule just doesn't trigger correctly all the time. I think that actually, if you have a highly obfuscated payload, you should be more afraid of the antivirus than actually of this rule, because you just pass through it. And another one is that they block you from making Win32 API calls. So that would block you from making the process injections, trying to interact with the system. But this can also be bypassed quite easily, because if I have a Word document and this attack surface reduction sees that that Word document is trying to read from kernel32.dll, they will just block it straight away. I can't even open the document. Well, if I first try to copy kernel32.dll to my own custom location and then use that kernel32.dll, it is bypassed again. So as you see, these rules can be quite effective. They can also be bypassed quite easily if we just know that we need to take them into account. So these are the most important ones. But if you really want to dive deeper into all the attack surface reduction rules, I've added a really helpful link in here. It's like a white paper with a lot of the bypasses, and you can just use it and go through it, and you will learn a lot about it.
Now, another thing that blue teamers can try to block us with is file filtering. If I have a domain and somebody tries to download an EXE, the chances of that being wrong are also quite high, so you want to block that from the beginning. So this way, companies can block the download of exe files, of DLLs, scripts, and it can go on a lot further. But there, again, we try to camouflage it. So we just put it in a zip and send it through. If there is software that actually looks inside of zips, we use an encrypted zip, so they can't look into it, and then we send the password to the user. So those are all valuable strategies to bypass these. This is more of a question of, you need to know what you're up against, and also, you can be very creative to bypass these.

And then a last one that is very important for us to take into account is, if they have a good EDR in place, that might block us already from the beginning. And bypassing EDRs is like a whole day course on its own, but I want to just give you a couple of nice, quick tips on how to bypass one of the common problems that I came across. And one of them is actually, you can avoid a lot of detections if you decouple your execution from the execution of the Word document. So if, for example, a user clicks on a Word document, a DLL is written to disk, and that is then three, four minutes later read by another process, it's very hard for the EDR to correlate this together. If Word would be spawning a cmd.exe, Word is never spawning cmd, so that is a very obvious correlation and that would be blocked. Well, if I can separate those, that will help a lot for me. A next one that I've struggled with quite a lot is that the EDRs are blocking Word because it is doing a suspicious call to the internet. And I can understand that they block it, but I've tried a lot of things to bypass this. But in the end, I found quite a valuable solution, and that is COM objects.
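As an added example for the endpoint section (the ASR rules, the .txt-to-.dll rename, PPID spoofing and the decoupled DLL load), written for this transcript and not code from the speaker or from any EDR vendor, the following detection logic runs the corresponding rules over a constructed stream of process and file telemetry. The event schema is assumed for the demo: a process_create carries both the reported ppid and, where the sensor knows it, the creator_pid that actually called into process creation; a file_write carries the first bytes written so the rule can key on the MZ header instead of the extension; image_load records which process loaded a file. Paths, PIDs and timestamps are made up.

```python
# Added example (editor's, not the speaker's code): endpoint detection logic
# for the patterns the talk lists, run over a constructed stream of
# process/file telemetry. The event schema is assumed for the demo (it does
# not model any particular EDR's format):
#   process_create: pid, ppid, image, optional creator_pid (the process that
#                   really called process creation; differs under PPID spoofing)
#   file_write:     pid, path, head (first bytes written)
#   file_rename:    pid, src, dst
#   image_load:     pid, path
from collections import namedtuple

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe"}
EXEC_EXT = (".dll", ".exe", ".scr", ".cpl")

Alert = namedtuple("Alert", "t rule detail")


def detect(events, link_window=3600):
    """Return alerts, ordered by time, for Office-originated activity.

    office_child_process   Office parent spawns a shell or script host
    ppid_mismatch          reported parent differs from the creating process
    office_wrote_pe        Office writes a file starting with "MZ", any extension
    renamed_to_executable  a file Office wrote is renamed to an executable extension
    delayed_load           a non-Office process loads a file Office wrote within
                           link_window seconds (the decoupled-execution case)
    """
    procs, office_files, alerts = {}, {}, []
    for e in sorted(events, key=lambda x: x["t"]):
        kind = e["type"]
        if kind == "process_create":
            image = e["image"].lower()
            procs[e["pid"]] = image
            parent = procs.get(e["ppid"], "?")
            creator_pid = e.get("creator_pid", e["ppid"])
            if parent in OFFICE and image in LOLBINS:
                alerts.append(Alert(e["t"], "office_child_process", f"{parent} -> {image}"))
            if creator_pid != e["ppid"]:
                creator = procs.get(creator_pid, "?")
                alerts.append(Alert(e["t"], "ppid_mismatch",
                                    f"{image} created by {creator} but parent set to {parent}"))
        elif kind == "file_write":
            if procs.get(e["pid"]) in OFFICE:
                path = e["path"].lower()
                office_files[path] = e["t"]          # remember what Office dropped
                if e["head"][:2] == b"MZ":
                    alerts.append(Alert(e["t"], "office_wrote_pe", path))
        elif kind == "file_rename":
            src, dst = e["src"].lower(), e["dst"].lower()
            if src in office_files:
                office_files[dst] = office_files.pop(src)   # follow the rename
                if dst.endswith(EXEC_EXT):
                    alerts.append(Alert(e["t"], "renamed_to_executable", f"{src} -> {dst}"))
        elif kind == "image_load":
            path = e["path"].lower()
            loader = procs.get(e["pid"])
            if path in office_files and loader not in OFFICE:
                age = e["t"] - office_files[path]
                if age <= link_window:
                    alerts.append(Alert(e["t"], "delayed_load",
                                        f"{loader} loaded {path} {age}s after Office wrote it"))
    return alerts


# Constructed sample telemetry (made-up PIDs, paths and timestamps).
TMP = r"C:\Users\alice\AppData\Local\Temp\update"
SAMPLE_EVENTS = [
    {"t": 0, "type": "process_create", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"t": 1, "type": "process_create", "pid": 50, "ppid": 1, "image": "svchost.exe"},
    {"t": 10, "type": "process_create", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"t": 20, "type": "file_write", "pid": 200, "path": TMP + ".txt", "head": b"MZ\x90\x00\x03"},
    {"t": 21, "type": "file_rename", "pid": 200, "src": TMP + ".txt", "dst": TMP + ".dll"},
    # parent claims explorer.exe, but the sensor saw WINWORD create it
    {"t": 30, "type": "process_create", "pid": 300, "ppid": 100, "creator_pid": 200, "image": "cmd.exe"},
    {"t": 31, "type": "process_create", "pid": 301, "ppid": 200, "image": "powershell.exe"},
    # minutes later an unrelated host process loads the dropped DLL
    {"t": 240, "type": "process_create", "pid": 302, "ppid": 50, "image": "rundll32.exe"},
    {"t": 241, "type": "image_load", "pid": 302, "path": TMP + ".dll"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The point for a blue team is in the last two rules: keying the executable-content rule on file content rather than extension removes the rename trick, and keeping a short-lived map of what Office wrote lets the sensor tie a later load by rundll32.exe back to the document even when minutes have passed. The ppid_mismatch rule depends on the sensor actually recording the creating process alongside the reported parent; where it only records the parent, that field is absent and the rule stays silent.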
With COM objects, I can make a COM object from Internet Explorer, so Internet Explorer is downloading my payloads, and this way it is away from Word. Word is not doing the connections, but a small instance of Internet Explorer is doing it for us. So this is one that you need to take into account. You might come across it, so that's an easier one to bypass then. And also the suspicious sub-processes, that's something that I just said. So take it into account that you need to try and decouple those. Now, this has been a lot of information, a lot of information to take in. Well, actually, as already said, with Compound C I'm starting my own business, and it will actually be teaching people how to phish properly. So with Compound C, I will be sharing a lot of the techniques that I am using to do a proper phish. And if you want to learn it, if you want to go more into detail on it, you can already sign up on the academy.compound.c link, put in your email, and you can keep up to date on when the course is ready, if you would be interested. Now, this was my talk. If you would like to stay connected, feel free to connect with me on here. And then I would like to thank you all.

Thank you for your amazing talk. We have about 10 minutes left for any questions. If anyone has any questions, you can walk up to the mic stand in the middle of the walkway and ask your questions. No one has any questions? I think it was a very clear presentation. Sorry? Oh, yeah. True.

So, I actually have a question. So you were talking here about the perfect blue team. Obviously, you don't always face the perfect blue team, right? Sometimes they're just not as good as you expect them to be. So do you have any tricks or techniques to estimate the capability or maturity of the blue team and then determine how much time you want to spend on all the techniques you showed? Because otherwise, it's just a waste of time.
I think it's mostly just checking how mature a company would look from the outside and how mature you would expect them to be. If you, for example, go up against a bank, you would expect them to be quite mature, so you would implement a lot of these strategies. If you're up against just a random company that is, for example, in biogenetics or something, they don't focus on security. So for them, you can skip a lot of these measures already, but you need to be careful, because it's always a balance, right? But this way we can already make a first estimation, and then also just from experience we know which financial institutions are better than the others. So we can already make our estimation ourselves beforehand.

Yeah. Did you also, for example, monitor your logs or set up some honeypot systems to monitor if the blue team is actually taking actions? Is that, in your opinion, worth spending time on?

Honestly, it's something that I haven't done much, to try and detect what the blue team is doing. But it would definitely be very interesting to know when you should leave one campaign alone and not put more indicators into it.

Cool. Thanks a lot.

Yes? So you just explained to us how you actually were able to bypass some of the technologies that you already encountered. However, how would you deal with that if you are in a blind environment? How would you discover what technology the company that you are trying to attack is actually using?

Do you mean from the external, before we launch the phish, or when we're already busy with the phish?

No, after the phish, you can attack. After the phish? Yeah, so for example, bypassing Office protection, you might for example encounter an issue having your payload executed, but how would you actually know that they are using a specific type of technology so you can bypass it in a specific method?
So one of the things that I like to do if I'm not sure what I'm going to come up against is, with our Word document, we will actually inject into the Word document itself, so we stay in the process, and this way we have a minimum of rules from the attack surface reduction that might be triggered and block us. Because we are then in the Word process itself, we can see and do reconnaissance on the system. We can check, OK, what attack surface reduction rules do they have, if there's AppLocker, and then with those in place, we can try to go further into it.

Thank you. You OK, in the back?

Yeah, hi. Would you say that putting a link in an interactive PDF while trying to phish for credentials is more efficient than having the link in the email itself?

I always put it in the email itself, because it's one step that you can avoid the user having to do. So they can just open the link and the phishing page is there. If you do the PDF, they need to open the PDF, click on the link, so it's an extra step for them. But of course, I understand why you would do it in a PDF, because then you don't have the scanners going through it. I can say, Cloudflare, I love Cloudflare. You can actually use the bot protection from Cloudflare in front of the link, and this way the automatic analysis cannot see what's behind the URL, and this way the user can just click on the link and go, and the bots can't see anything.

We're all familiar with the Google Chrome red page that says a site is suspicious. So do you have some kind of controlled redirection so that in case your landing page goes red, you would change that redirection to another page which is, let's say, green?

Do you mean that if one of my pages is already burned? Well, I think if your domain is already burned, you should stay away from it. Don't try to correlate other domains.

OK, so don't try to correlate other domains to it, because that might just get them burned straight away.
What I try to do is just avoid them being burned from the outside. So I will always use a domain that looks legit. For example, the same finance template that I used, to let it be categorized, and then only, for example, the packets that are necessary for the backend, those are forwarded; the rest always see the front. So Google, they use automatic scanners for the internet, and then based on that they will see if it's suspicious or not, and I will just try to block those scanners from the beginning, so they don't have a chance of marking it as suspicious.

I see, but my question was about after you launched your campaign and you've already sent a lot of emails to the employees and everything. Let's say you finished your sending and then your page burned.

Yeah, well, if it's burned, I don't have any measures for that. If one of the pages is burned, then it's just useless, and then we should stay away from it. Don't try to make it redirect to another page, for example, because then that other page might be burned as well.

OK, thank you. No problem.

So with the company you're setting up to teach people to phish with red teaming techniques, have you also considered your platform being used by actual adversaries?

To include in the phish, like in the course?

Yes, know that they can use your platform to get to know the techniques to send actual phishing emails at a very high level.

It's of course indeed the very ethical question, right? If I'm putting out all of these techniques, who will actually be able to access them? Will I be teaching more of the bad guys than the good guys? And I'm actually convinced that, because we are limited in what we can do, we should be able to have more information on our side. So with my course, I try to teach more good guys than bad guys. So the balance is tipping more towards the good guys.

OK, thank you.
But it's indeed a very good question, one that I've been thinking about a lot, like how I could maybe make a shift in that, but it's very hard, because I would need a background check for everyone then. And there are already a lot of courses for hacking, and those are also free for everyone. So I just hope that with that there are more good guys actually learning it than bad guys.

OK. Right, so I don't think we have any more questions from the audience. Do we have any questions from online? No, so this is it. Give it up again for this amazing talk.