Hello everyone, hello everyone. This is Erdem Er. Gökberk, my friend, is here. Hello everyone. Thanks for joining our session. We are very happy to be here for the Red Team event. The title of our session is Executing Red Team Scenarios with Built-in Scenario Plays. Hello everyone. Gökberk is a Red Team Operator and Penetration Tester. I plan and conduct full scope red team engagements that simulate realistic and targeted attacks. Also, I am responsible for performing host infrastructure penetration testing, web and mobile application testing, social engineering engagements, source code reviews, and wireless penetration tests. In the past, I have given several presentations on malware analysis, red team operations, exploit development, and IoT security. Thank you, Gökberk. And my name is Erdem. I have about 10 years of experience in IT and information security. During this time, I had a chance to work at research institutes, a Fortune 100 company and a bug bounty company. I took roles in development teams, in security operations and application security teams. We are focused on security tool development, penetration testing, and one-route assessments. Currently, I am working as an application security engineer. Today, we are going to talk about our tool called Red Team Built-in Scenario Plays, also called the Mantikore platform. We are going to demonstrate how to execute some adversary emulation scenarios, like a ransomware attack, with this tool. We'll start the discussion with a brief introduction to what the MITRE ATT&CK framework is. Then, we'll discuss the challenges concerning adversary emulation and emulation tools, to show a little bit about why we wanted to build such a tool.
And later, we'll talk about the features of this open source scenario plays tool. Towards the end, we'll demo the tool and show the user interface and some scenario cards on it. And we'll execute some sample scenarios like APT29, LOLBins, and a simplified ransomware scenario using the command line client. Finally, we'll finish with the future work. Alright, let's start. So, as we all know, red team activities are one of the fastest developing solutions against today's cyber attacks. And recently, the number of tools that propose to help red teams is increasing quite rapidly. Following this trend, we have also created an adversary emulation tool for red teams. This is an open source tool and its aim is to aid a red team to execute several types of attack scenarios. It also gives more visibility to the blue teams to see what's being executed on their endpoints or what malicious traffic is going through their network during a red team exercise. So, the initial version of this tool was presented at a previous Red Team Village event back in May. Since then, it has been improved with scenarios and it has been published on GitHub. Basically, we have categories of scenarios as network-based, endpoint-based and APT group-based. There is also a section for blue team techniques, showing some hardening controls related to the executed scenarios. You can find the GitHub repository link on the slides here. All the scenarios inside the repo that we are releasing are mapped to the MITRE ATT&CK framework, and the techniques and the tactics can be found in this framework. I'll talk about the framework in a minute. You'll see the reference numbers, the ATT&CK IDs of the techniques used in the scenarios, inside the configuration files for each scenario if you go to the GitHub repository. But we will go into detail about this later. So, what is the MITRE ATT&CK framework? For those of you who see this for the first time, let me briefly explain it.
When you visit the website attack.mitre.org, you see a matrix of items called the ATT&CK Matrix for Enterprise. The columns of this matrix are tactics, and tactics are mainly the objective of the attack attempt, the goal that an attacker tries to achieve. So, you can see 12 columns here. Each of them represents an attack goal. And under each attack goal, there are techniques. And each of these techniques has an ATT&CK ID with it. So, in total there are 12 tactics listed in MITRE, and these tactics have around 250 different techniques. This framework is a great knowledge base classifying the adversary tactics and techniques that are used to attack targets in real life. Of course, this framework is not only beneficial for red teamers; organizations are also benefiting from it to learn about attack methods. And the framework is open to any person and organization for use at no charge. And just like how the OWASP Top Ten framework is being embedded in most application security tools, a great resource like this one is becoming a fundamental reference for red teams and adversary emulation tools. So, our open source tool is no exception to this. And as I said, there are 12 tactics, almost chronologically starting with initial access and going to the impact goal of an attack. So, in the initial access part, the attacker is trying to penetrate the target. And then comes execution, when the attacker is simply trying to run malicious code. And the list goes on, actually. I'm not going into details a lot. Just to see some examples of techniques, let's take the execution tactic. For the execution tactic, there are 10 techniques listed underneath it. Some of these have some subcategories as well. The techniques listed here are about the methods that an attacker can use to run code, basically, execute code on a local or remote system to reach their main objective. This execution tactic is also often interconnected with other tactics.
For example, as a red teamer, your execution technique of using a command and scripting interpreter could be running a PowerShell script to perform a file download from a remote server that will be used for the discovery goal. So, it would be related to the discovery goal in that sense. You can check out MITRE's website for more details. And we have seen that there are many great talks in the program about this framework, and we suggest that you check them for getting more insights about it. We just tried to mention the technique and tactic idea here, and how we mapped it in our tool. Next, the offensive teams have some common exercises like vulnerability assessments, penetration testing and adversary emulation. Skipping the first two, the last one, adversary emulation, is what we focus on right now. And it's an activity where red teamers, as the name refers, try to emulate or imitate how an adversary performs during a real life attack. The platform we demo here is focused on adversary emulation. As I said, it is performed inside the network of an organization. So, in a way, you can think that the initial access tactic has been achieved and we are moving on to the other tactics. Therefore, we can say that this tool will be most useful for internal red teams or purple teams. Now, the challenges: first of all, emulating adversarial behavior is costly, because these techniques are complex and take time.
Finally, emulation tools are too complex for creating and updating scenarios. They don't have a general structure like a standard model for scenarios. We tried to standardize this with a scenario model in the JSON format that you can see on the slide. So we have the ID specific to the scenario, with the initials of the tactic used there, the tactic name, the description and name of the scenario, and the mapping to the MITRE ATT&CK framework. We also have the type of the scenario, whether it is an endpoint scenario, a network one or an APT one, and also the platform, the operating system that it targets. So overall the Mantikore platform, as we call it, this built-in scenario plays tool, has the following features.
First of all, the tool and the methodology we use in emulating adversarial attacks with this tool are open source, and therefore this is very cost effective compared to commercial tools. We prepared a scenario environment that makes it faster and less complicated for red teamers. They can easily apply the tests from different open sources, like Atomic Red Team or Red Canary. It gives red teamers access to the scenarios according to specific attack types as divided in MITRE categories. And what's more important, the blue teamers will be able to see these attacks within a transparent process. The config files clearly show the sources of threat scenarios and the payloads used within them. Of course, organizations may still prefer to perform a blind red team engagement, depending on their security maturity. But for the blue team, a visible engagement plan can be much more helpful for most organizations. And so, we talked about blue team detection and prevention; as for the distribution of scenarios, we saw that commercial and open source tools are mostly biased towards Windows environments. The number of scenarios is distributed like 60% Windows, 20% macOS and 20% Linux environments. With the community support, it's possible to increase scenarios on the Mac and Linux side as well, and therefore balancing this distribution would be a good product at the end. With this platform, APT scenarios can also be recreated and made visible to both red teams and blue teams. Since everyone can contribute, red teams will have the chance to add advanced attack scenarios to their toolbox and build a community to protect and improve defense against attack and red team scenarios. Now I will stop sharing the screen and Gökberk is going to tell you how we structured this tool, showing the GitHub repository, and then the more exciting part: he will show the demo of the tool, and finally we'll talk about our future work. Hello again.
Now we will continue with the presentation. Now we will look at the public threat repository. For this presentation, we released some complex scenarios on our GitHub account. We are mapping these scenarios to MITRE. So far, we published three complex scenarios named APT29, LOLBins, and ransomware. Next, this public repository includes publicly known scenarios. You can see this on our GitHub repository. Later, we will go deeply into it. In the next slides, we will look at public threat scenarios, the public scenario repository. We released three scenarios on our GitHub account. All scenarios are again prepared with regard to MITRE. From these scenarios, complex scenario groups are generated. For example, if you look at ransomware emulation, it includes two scenarios included in the public scenario repository. It has two JSON files with their IDs. These include attack type, attack payloads, and platform information. I will show you that later. For ransomware emulation, in this section we will look at the ransomware emulation scenarios used for generating public scenarios. We have two different implementations for ransomware emulation. One of them is written in Go. The other one is PowerShell based. This released implementation is not covering all steps of a real ransomware attack. But this is on purpose, because we wanted to release a simplified implementation of this scenario. There is no C&C server communication or encrypting of all files. We are encrypting a file that we create on the fly and decrypting it in this file. Adding the missing points, these implementations can be converted to a full ransomware emulation. Yet, our aim is to test if a defense mechanism could prevent the core function of ransomware, which is encrypting files. In this section, we will speak about the Mantikore Adversary Emulation CLI tool. This tool is working with public threat scenarios, which I showed earlier, in another repository.
As we said before, we have seen that adversary emulation tools do not provide transparency in some of their scenarios. Here we publish a command line based adversary emulation tool that is fully open source, to bring some visibility to how emulation works. All threats and scenarios are public and configurable. Red teamers and blue teamers can easily edit this tool according to their aim. Also, this CLI is developed in the Go language for achieving multi-platform execution. This tool includes a single config file, which is shown here. With public scenarios, payloads and threats, and this config file, the command line based tool emulates an adversary. Now we will look at our demo for this presentation. We have one remote machine and we will run adversary emulation scenarios here. Looking at the scenarios which are used by the CLI tool, here we can see the public threat repository; here we can see three different kinds of scenario collection. There are so many scenarios in our backlog and we are importing all of them gradually, and these scenarios can be easily updated. All of these scenarios are compatible with MITRE. Firstly, we will look at our built-in scenario plays before the demo of the CLI tool. Here we can see what is shown in our public threat repository scenarios. We can see them here too. For example, for PowerShell, one of the example scenarios is to execute PowerShell from the CMD executable to collect and compress files of specific extensions. It is designed for the Windows platforms. There we can see the MITRE tags, the MITRE tag name. Also, we can go into the scenario here. If we go here, we can see the scenario. If we click on it, we can see there is a simple structure of the JSON scenario. Here are the technique, attack ID, name, type, platform, command and interface. You can see here PowerShell is the interface. Also, you can see here the ID.
Also, as we said before, we have many scenarios in our backlog and we will try to import all of these scenarios and publish them for red teamers, blue teamers and purple teamers. For now, we will execute the scenarios with our CLI tool instead of using the interface. Next, we will look at our CLI tool, which is published on a GitHub repository again. Here we can see our adversary emulation client CLI tool. You can easily compile this on your own infrastructure. Also, for ease of use, we publish the release. Here you can go into the release and you can download the config.ini file and the Mantikore CLI executable. You can run this executable with the config.ini file in the same directory. The config.ini file includes three components. One of them is the public threat group URL, which is used for the complex scenario collection. The other one is the public threat scenario URL section. It shows the threat scenario repository. The last one is the payload location, which is used for scenario payloads. As we told before, you simply compile or download the executable and the config.ini file. You set the necessary URLs for parsing the repository on the platform. In the threat group URL, you can give multiple URLs for emulation, as it accepts an array of URLs. Now, we will firstly emulate the LOLBin emulation for downloading a file from a remote server. As we can see here, we give the threat group URL. We are coming to our tools here, our config.ini file and the Mantikore CLI executable. When we run it, emulation is starting. We have some connection problems here. I will connect again. If we can see here, you can see the LOLBin emulation bin list for downloading a malicious executable. One of them is using certutil for downloading a file from a remote server. In the description, we can see this step downloads a file from a remote web server to the host using certutil. Also, we have a different second scenario that uses the bitsadmin executable to download a file from a remote server. And the scenario can be seen here.
Next, we will emulate ransomware, which is published on the Mantikore GitHub repository. If we go there, clearly we can see it includes two phases. For generating these scenarios, we used the ransomware emulation repository. One of them is Go-based ransomware emulation. The second one is PowerShell-based ransomware emulation. If we edit our threat group URL, then we run our CLI again. Firstly, the Go-based multiplatform ransomware emulation is simulated. Secondly, the PowerShell-based ransomware emulation is simulated. For example, if we look at the first scenario, first a key is generated, then the encrypted file is generated via the public key, then it is decrypted via the generated private key. Here, we can see the encrypted file content and the decrypted file content. And we can finally see the scenario result here. If you wonder, for example, about the ransomware emulation executable listed here, it is, as we said before, compiled from this repository. You can easily compile that and run it in your infrastructure. Finally, we will add the APT29 emulation URL in the config file, which does not show all scenarios, but a few of them we will try to emulate. To be clear, if we go into the APT29 JSON file, there we can see different scenario phases. And you can easily go into it in our GitHub repository. For example, in one of the examples, screen capture native API calls were used to collect a screenshot. It imports the getScreenshot.ps1 file, a PowerShell file, then calls the function. And we will emulate this one now. We are closing that. I will check the config file again. Here we can see scenario execution is continuing. Here we completed the APT29 emulation partially. As we told before, it is partial. We have different kinds of scenarios. You can clearly go down into our GitHub repository. We will try to import all available scenarios into our platform. People can easily reach them and generate complex scenarios from them.
Continuing with our slides, for the future work, we are continuing to add all available scenarios to the repository. We are also working on the feature of running scheduled scenarios through the UI. Another plan is to integrate our threat intelligence framework into this scenario tool to contribute to scenario generation and attack prevention. In the public areas, we will add a reporting feature. On the other hand, for achieving purple teaming, we will add security management software integration into our CLI tool and the UI. Red teamers and blue teamers can easily query which scenario is detected or prevented. Next, we are waiting for the community support for this tool. Thanks for listening. If you have any questions, please ask us live on Discord. Also you can reach us from this email address if you want. Also we are waiting for your support on our GitHub platform. Thank you so much again.
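As an added example, not code from the speakers or the Mantikore repository, the Go snippet below parses one scenario JSON of the shape described in the talk (id, tactic, name, ATT&CK mapping, type, platform, interface, command) and rejects documents a blue team could not map back to a technique or a target platform. The JSON key names, the allowed type and platform values, and the sample scenario are assumptions; the sample command is a harmless placeholder.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
)

// Scenario mirrors the fields named in the talk; the JSON key names are assumed.
type Scenario struct {
	ID        string `json:"id"`
	Name      string `json:"name"`
	Tactic    string `json:"tactic"`
	AttackID  string `json:"attack_id"` // MITRE ATT&CK technique id
	Type      string `json:"type"`      // endpoint, network or apt
	Platform  string `json:"platform"`  // windows, linux or macos
	Interface string `json:"interface"` // e.g. powershell, cmd, bash
	Command   string `json:"command"`
}
// Technique ids look like T1059 or, with a sub-technique, T1059.001.
var attackIDRe = regexp.MustCompile(`^T\d{4}(\.\d{3})?$`)
var allowedTypes = map[string]bool{"endpoint": true, "network": true, "apt": true}
var allowedPlatforms = map[string]bool{"windows": true, "linux": true, "macos": true}

// ParseScenario decodes one scenario; unknown keys are rejected so a typo cannot silently drop a field.
func ParseScenario(data []byte) (Scenario, error) {
	var s Scenario
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&s); err != nil {
		return s, fmt.Errorf("decode scenario: %w", err)
	}
	return s, Validate(s)
}

// Validate enforces what a blue team needs to map the scenario back to ATT&CK and a target.
func Validate(s Scenario) error {
	switch {
	case s.ID == "" || s.Name == "" || s.Command == "":
		return fmt.Errorf("scenario %q: id, name and command are required", s.ID)
	case !attackIDRe.MatchString(s.AttackID):
		return fmt.Errorf("scenario %q: attack_id %q is not a technique id like T1059.001", s.ID, s.AttackID)
	case !allowedTypes[s.Type]:
		return fmt.Errorf("scenario %q: type %q must be endpoint, network or apt", s.ID, s.Type)
	case !allowedPlatforms[s.Platform]:
		return fmt.Errorf("scenario %q: platform %q must be windows, linux or macos", s.ID, s.Platform)
	}
	return nil
}

// Constructed sample modelled on the demo's PowerShell-from-cmd scenario; the command is a harmless placeholder.
const sampleScenario = `{"id": "EX-001", "name": "Run PowerShell from cmd.exe",
 "tactic": "execution", "attack_id": "T1059.001", "type": "endpoint",
 "platform": "windows", "interface": "powershell",
 "command": "cmd.exe /c powershell.exe -Command Get-Date"}`
func main() {
	s, err := ParseScenario([]byte(sampleScenario))
	fmt.Println(s.ID, s.AttackID, err) // EX-001 T1059.001 <nil>
}
```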