Okay. [unintelligible] Welcome again to the Recon Village. Thanks to everyone who managed to come all the way over to Planet Hollywood again. I know we're in kind of the furthest realms of the whole hotel, so I do really appreciate you coming over here. We have got another jam-packed day, so if you were here yesterday, thanks very much for coming back. We have got a comprehensive talk to start the day, so I will get straight over to the boys to hand over. The title is on the screen, Hack the Basics. If you did not catch Anthony and Jake yesterday, [unintelligible]. Thank you very much. I'll get started. This is Hack the Basics: Adapting Exploit Frameworks to Evade Microsoft ATP. Like they said, I'm Anthony, I go by Cx01N. My background is electrical engineering. This is the second DEF CON now that I've spoken at. I'm a lock picking hobbyist. I've done a lot of work in Bluetooth over the years, and especially working at... Uh oh, we're good? Okay. All right. Is that better? Perfect. All right. So, wireless security really is my passion, so I do a lot of work in wireless security and embedded systems. Yeah, and then I'm Jake Krasnov. I go by Hubbl. I started off doing satellite engineering stuff, and then when I was in the military in a previous life, they actually started me in cyber, kind of not by choice, but it ended up being a great thing and I really enjoyed it. After that, I kind of went into a red team role for a little while, and now I do embedded security architecture stuff, and it's been pretty fun so far. So, just a quick overview of what we're going to be going over.
We're going to introduce Empire real quick, just in case some people in the room aren't familiar with it, and go over some of its current shortfalls; demonstrate how to employ some recon against an organization, and not just the organization, but also researching what kind of software they're running, if you're lucky enough to get that kind of information. I'll show how to weaponize Microsoft Azure with some interesting information we found about Outlook 365 and Azure, and how they overlap with each other, and then deploying that attack, a spear phishing attack with Outlook and Microsoft Word. So, why are we here? For this assessment, we purposely chose to use an older framework like Empire, because we think a lot of people in the red team space are kind of obsessed with the newest shiny toy. As soon as you see any hint of something being flagged or caught, they're like, oh, that tool's burned, and move on to the next thing. That's not really true. A lot of these older frameworks still work with very minor adjustments to them, and still bypass even advanced intrusion detection systems and stuff like that. You don't need to use C# or those new hotness things to get past them. We'll just show our experiences from attacking a robust network. For this assessment, it was just the two of us working out of our houses against some fairly large companies, or technology employed by fairly large companies, like Darktrace, Mimecast, Microsoft ATP, and things like that. Then Anthony's going to do the quick overview of Empire. We chose Empire as our post-exploitation framework. I'm sure a lot of people are pretty familiar with it. It's been out for a little while; it came out at BSides back in 2015. If you're not aware, however, it's no longer being maintained as of two weeks ago, so we really did choose an out-of-date framework for our assessment.
It has a lot of things built into it that make it really easy for us, such as the adaptability of the modules, as well as the encrypted C2 channel. Maybe you're wondering why we're still choosing PowerShell. Well, you have full .NET access and direct access to the Win32 API. You can operate completely in memory. It's installed by default on Windows, and most of your network admins are still running it, so our hope for our assessment was that the network admin had PowerShell enabled. Empire typically does multi-stage payloads: originally you have your initial payload that goes out, and then it goes in steps to deploy its full framework, and it operates completely in memory. Some of the big shortfalls for Empire that we found: once again, it's relatively old in terms of hacking, so 2015 is an old framework. Many of the modules and signatures built into it have already been flagged, which is a big issue for us if we don't want to get detected, and then it's no longer being maintained, so we're going to have to make all the changes ourselves if we want to keep moving forward. Our initial plan moving in, you can see there's us. We wanted to use a cloud infrastructure to set up our listener. We wanted to then move into the network, going through their firewall. We knew they were running Darktrace, so we were going to evade that, and we wanted to deliver our payload through Outlook, probably using a macro of some sort embedded in a Word doc. That was our initial plan moving forward into our assessment. As we started with our recon, we knew who it was. You have a couple of choices on how you want to conduct your recon. You could be asked, you can get paid, or you can be upset with them. For us, we weren't getting paid, and we weren't upset, so we were asked to do this assessment. We did some scans on their servers to see what's going on.
They moved pretty much everything into a cloud infrastructure, but we did find a lot of personal information on their website, which we found really useful. For their organization, this is the financial advisor union. I'm not giving away the real information of this company. That was the one thing they asked us not to do, to talk about them specifically. We're going to be targeting one person, specifically Kevin, for now. We're going to go over Kevin, and we'll look at some of the information that we might find really useful. We can derive a lot of information from just his profile. We found that they have phone numbers for these employees on their website. They have email addresses, they have work addresses, as well as social media accounts and professional certifications. Pretty much 90% of all the employees of this place had the same professional certification, and we thought that, hey, maybe we can use this professional certification as a way to convince people to check out some of the stuff that we're going to send to them for our spear phishing attack. We did a little bit more research looking into CFP. They had a whole website dedicated to it. It's a certification specifically for financial professionals, and most of the people in our target organization held the certification. We did some more searching on their website. They have a lot of functionality built into it. Basically, if you're searching for a financial advisor that you want to hire, you can put in their information and it will pop back a bunch of stuff about them. You can see here that I can enter just their name, and it will give me a search result back on these people. Looking up Kevin, I can search Kevin now. I can find his work address, which I already had from before, as well as his company, hopefully it's the right Kevin, disciplinary history, as well as bankruptcy.
Now that I have all this information, as well as some other information we gathered from a social media account, we can start targeting these people specifically. So then we also started researching some of the software we knew they were running on their network. They wanted us to run this largely as a black box test, so they didn't really tell us where their servers were, what the IP addresses were, or anything like that. Really the only thing they told us was that they were running Darktrace, because it was kind of the new toy they had gotten there, and they were kind of proud that they were running it. So we went and did a bunch of research on it because we didn't really know exactly what it was at the time. It turns out it's kind of a next-gen intrusion detection system that's using AI and machine learning to do network baselining, where they're looking for: is the website that someone's going to an unusual one that people don't normally go to? What are the network baselines in terms of when users are normally on the network, like what hours, and how much data are they transferring day to day, and that kind of stuff. It also uses JA3 signatures, which we'll talk about a little more in a second. So doing this, we actually found an article about Darktrace specifically hunting Empire using these JA3 signatures, which are a way of fingerprinting TLS handshakes without needing to be able to decrypt the encrypted traffic. It was really convenient because they were talking about hunting Empire, and at the bottom of their article they actually gave a bunch of caveats about how you can go through and change your JA3 signature so it doesn't match anymore. And so after that we started researching Office 365, because we knew they were running Outlook as well, just based on some of the emails that had gone back and forth between them and us.
And it turns out that if you start looking at the Office 365 endpoints, there's a web API where they give all the IP addresses that have to be whitelisted through your firewall and that kind of stuff so that Office 365 will work. And if you go look up the Azure IP spaces as well, they actually overlap pretty significantly in quite a number of places. Like specifically the 5218-16 subnet: almost half of that entire subnet was contained inside the Azure space as well. And just up there is an example of the Asia Southeast region; all those addresses up there are actually inside of the Office 365 whitelisted space as well. So what we wanted to do was kind of weaponize Azure to try and get inside that common IP space. Unfortunately, we weren't able to do that. We tried for about a week, getting new IP addresses over and over again to try and get inside there. We got really close, and the IP addresses do shift slightly; that's why the API exists, so that as they update them, organizations can update their whitelists as well. And so we were hoping that, being really close, our IP space had been contained in there at one point. So we went ahead and used that, and Azure actually already has a Kali image uploaded there, and you can just stand up a server with Kali on it really easily. Kali's a little weird for some reason: the commands don't run as root by default, and we had a hard time installing PowerShell and stuff on it, so it's a little weird, but it does have all the tools and everything you need to stand it up. One thing we did learn: you can't pay for Microsoft Azure using gift cards. So don't try that. They ban gift cards completely. So our new plan was to use Azure as our cloud space to try and make it not look like an outlier endpoint when we did have callbacks from our targets, and hopefully Darktrace had seen our IP address before and we just wouldn't get flagged at all.
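The overlap the speakers describe between the Office 365 allowlist and Azure address space can be measured rather than eyeballed. The Python below is an added example written for this transcript, not the speakers' tooling: it takes two lists of CIDR prefixes and reports, for each region, which of its prefixes fall inside the allowlist and what fraction of the region's addresses a firewall rule built from that allowlist would admit. The sample ranges are constructed placeholders, not the published lists; the real inputs would come from Microsoft's Office 365 endpoints web service and the Azure IP ranges download, which this script deliberately does not fetch so it runs offline. From the defender's side this fraction is the number that matters: a rule permitting a /13 because some Office 365 service lives in it also permits every tenant's VM in that prefix, which is exactly why the speakers wanted a Kali box there.

```python
import ipaddress
from fractions import Fraction

# Constructed placeholder ranges (NOT the real published Office 365 or Azure lists).
O365_ALLOWLIST = ["52.96.0.0/14", "40.96.0.0/13", "13.107.6.152/31"]
AZURE_REGION_RANGES = {
    "region-a": ["52.98.0.0/16", "13.107.6.152/31"],
    "region-b": ["40.100.0.0/15", "20.0.0.0/16"],
}


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def overlaps(list_a, list_b):
    """Return (net_a, net_b, shared) for every overlapping pair of prefixes.

    Two CIDR blocks overlap only when one contains the other, so the shared
    range is simply the more specific (longer-prefix) block of the pair.
    """
    out = []
    for a in _nets(list_a):
        for b in _nets(list_b):
            if a.overlaps(b):
                shared = a if a.prefixlen >= b.prefixlen else b
                out.append((str(a), str(b), str(shared)))
    return out


def allowlisted_fraction(region_cidrs, allowlist_cidrs):
    """Fraction of a region's addresses that an allowlist of the given CIDRs admits.

    Both sides are collapsed first so nested or duplicated prefixes are not
    counted twice (collapse_addresses merges 10.0.0.0/24 into 10.0.0.0/16, etc.).
    """
    region = list(ipaddress.collapse_addresses(_nets(region_cidrs)))
    shared = [ipaddress.ip_network(s)
              for _, _, s in overlaps([str(r) for r in region], allowlist_cidrs)]
    shared = list(ipaddress.collapse_addresses(shared))
    total = sum(n.num_addresses for n in region)
    inside = sum(n.num_addresses for n in shared)
    return Fraction(inside, total) if total else Fraction(0)


def report(region_ranges, allowlist):
    """Map each region name to the fraction of it the allowlist would admit."""
    return {name: allowlisted_fraction(cidrs, allowlist)
            for name, cidrs in region_ranges.items()}


def is_allowlisted(ip, allowlist_cidrs):
    """True if one address (e.g. the source of an outbound callback) sits in an allowlisted prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in _nets(allowlist_cidrs))


if __name__ == "__main__":
    for region, frac in report(AZURE_REGION_RANGES, O365_ALLOWLIST).items():
        print(f"{region}: {float(frac):.1%} of its addresses fall inside the O365 allowlist")
    for a, b, shared in overlaps(AZURE_REGION_RANGES["region-b"], O365_ALLOWLIST):
        print(f"  {a} overlaps {b} (shared {shared})")
```

With the constructed data, region-a is entirely inside the allowlist and two thirds of region-b is. The practical takeaway for a firewall owner is to prefer the FQDN- or service-tag-based rules that the same endpoints service publishes over raw IP ranges, and to treat "destination is in the Office 365 list" as a weak signal rather than a reason to skip inspection of outbound TLS.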
So we also went through and made a bunch of updates to Empire, like we talked about. The master branch is out of date. The master branch is really old; it hasn't had any updates pushed to it in like two or three years. So Invoke-Obfuscation has issues. PSInject is broken because Microsoft updated the way some of the cmdlets work in PowerShell, so you have to update those. They fixed a lot of that in their dev branch. If you go and download the dev branch specifically, a lot of those things have been corrected, but the master branch still doesn't really work, and you will get caught because it's so well known across multiple IDSs and that kind of stuff. So what we had to fix: like I said, they updated a lot of the stuff like Mimikatz and Invoke-Obfuscation to the latest versions inside of the dev branch, but we also went through and modified our JA3 signatures, fixed the default launch commands inside of there because they were tacking on an extra launcher that was actually breaking it a little bit, and then we updated the AMSI bypasses to have our own little flavor just to change the signature up a little bit, and there was a bug in the HTTP listener that actually caused a signature that AMSI was using to flag our scripts as well. So this just shows what our TLS handshake looked like initially. The JA3 signature is hashing a bunch of fields in your TLS handshake, and the easiest one to change is that cipher suite that I have in that red box. You could go in and make some very complicated changes to your code. But it just takes adding this single line inside of your HTTP server on the Python web server and your JA3 signature changes completely, as well as just a single line inside of our PowerShell agent to change the JA3 signature there. So Invoke-Obfuscation, like I said, is probably the most common issue reported on the Empire project. There are just hundreds of people saying obfuscation is broken. It's not really broken.
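The JA3 method introduced earlier (fingerprinting a TLS ClientHello without decrypting anything) and the observation here that touching a single cipher suite changes the whole signature can be checked against a small reference implementation. The Python below is an added example written for this transcript, not code from the talk, from Empire, or from Darktrace: it builds a constructed ClientHello record, parses out the five fields JA3 hashes (version, cipher suites, extensions, supported groups, EC point formats), drops GREASE values the way JA3 does, and computes the MD5. Every field value is made up, and the parser handles only a single unfragmented record, which is enough to show a defender why one added suite produces a completely different hash, and therefore why JA3 is one weak indicator to be combined with others rather than a block-list on its own.

```python
import hashlib
import struct


def _u16(v):
    return struct.pack("!H", v)


def build_client_hello(version, ciphers, extensions, groups, point_formats):
    """Constructed ClientHello (TLS record + handshake header), for testing only.

    Extension types 10 (supported_groups) and 11 (ec_point_formats) get real
    bodies; every other extension type is emitted with an empty body.
    """
    body = _u16(version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
    body += b"\x01\x00"                                     # one compression method: null
    ext_bytes = b""
    for ext in extensions:
        if ext == 10:
            data = _u16(2 * len(groups)) + b"".join(_u16(g) for g in groups)
        elif ext == 11:
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            data = b""
        ext_bytes += _u16(ext) + _u16(len(data)) + data
    body += _u16(len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, ciphers, extensions, groups, point_formats) from one ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                            # skip client random
    pos += 1 + body[pos]                                    # skip session id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    ciphers = [int.from_bytes(body[pos + i:pos + i + 2], "big") for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                    # skip compression methods
    extensions, groups, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            extensions.append(etype)
            if etype == 10:
                n = int.from_bytes(data[0:2], "big")
                groups = [int.from_bytes(data[2 + i:4 + i], "big") for i in range(0, n, 2)]
            elif etype == 11:
                formats = list(data[1:1 + data[0]])
            pos += 4 + elen
    return version, ciphers, extensions, groups, formats


def _is_grease(v):
    # GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ...; JA3 excludes them.
    return (v & 0x0F0F) == 0x0A0A


def ja3(fields):
    """Return (ja3_string, ja3_md5) for parsed ClientHello fields."""
    version, ciphers, extensions, groups, formats = fields
    parts = [str(version)]
    for lst in (ciphers, extensions, groups):
        parts.append("-".join(str(x) for x in lst if not _is_grease(x)))
    parts.append("-".join(str(f) for f in formats))
    s = ",".join(parts)
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    base = dict(version=771, ciphers=[2570, 4865, 4866, 49195],
                extensions=[2570, 0, 10, 11, 35], groups=[2570, 29, 23], point_formats=[0])
    changed = dict(base, ciphers=[4865, 4866, 49195, 49199])   # one extra cipher suite
    for label, cfg in (("baseline", base), ("one suite added", changed)):
        print(label, *ja3(parse_client_hello(build_client_hello(**cfg))))
```

Running it prints two JA3 strings that differ only in the cipher list yet hash to unrelated MD5 values, which is the mechanism behind both the Darktrace signature and the one-line evasion the speakers mention. On real traffic a defender would get these fields from Zeek's or Suricata's JA3 support rather than this toy parser, and would pair the hash with destination reputation, beaconing intervals and user agent data rather than alerting on it alone.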
The default command is just not set up properly, and the dev branch fixed some of those, but some of them also still have broken commands in them. You can just update that command and have it running using the obfuscate command. But if you just go with the Token\All\1 one, which is the default Invoke-Obfuscation setting, it doesn't use a truly random obfuscation setup. It uses a semi-random one, and it's been run so many times that even if you use Token\All\1 to obfuscate your payload, the signature gets flagged, because all of the variations of that obfuscation have been seen. But if you use a custom order, as you can see, it might be a little hard to read up there, if you use a custom order of commands for Invoke-Obfuscation, your payloads will still get past most AVs when they do file scanning and that kind of stuff. And then the default PowerShell launcher actually had a couple of issues in it as well. The first one was the AMSI bypass they were using. They were using the bypass published by Matt Graeber, and it doesn't have any obfuscation, so by default, it was published in 2016, so it's been seen a lot and gets flagged, but again it takes some very simple changes. All you have to do is concatenate the AmsiUtils string to break it apart so that signature is not there, and the amsiInitFailed bypass will go through. So it takes like 30 seconds to update it. And then there was a bug in the code which was really interesting, because even after we fixed the AMSI bypass from being flagged, we were still getting picked up, and we couldn't find out for a long time why we were getting picked up, and it turned out that there was a bug in the code that was adding this headers.Add User-Agent command twice in there, and AMSI evaluates the script block as a whole in context, and that repeated command was enough to create a signature for AV to start flagging on it.
So you remove that command being repeated twice, and now our payload gets past Defender out of the box without needing to run Invoke-Obfuscation on it. So how do we now convince our users to click on our payload and launch it, so that we get a callback out of their network? We need to build a believable Word doc, because that's what we're going to deploy. We chose a Word doc because it would probably be the easiest for us. We're going to embed our payload with Visual Basic into that Word doc. We've got to send that convincing email to hopefully get past junk mail, and then hope that the user clicks on the email, opens the Word doc, and enables the macro. So we've got a lot of stuff. First we just go to the web page, pretty easy. We're going to grab the header and throw that on our Word doc to try to make it as convincing as possible. Go back to Kevin, we're going to grab all that personal information that we had earlier, and we're going to start adding it into our Word doc, just like this. Now this alone is not going to get them to open, or not just open the Word doc, but enable macros, because the only way to make this work in our Word doc is to enable macros. So we're going to purposely embed bad information in there, so when they look at this they're going to be like, oh look, my information is not quite right, and in the email that we send out we're going to try to get them to open it and be like, hey, our database is being updated and you need to update this form and then send it in. So as they go through and add all that stuff in, they're going to have to go back and make edits to make sure it's correct. They send out a lot of newsletters and surveys all the time. I signed up for their stuff to kind of do some recon on that, and this is some of the stuff that would pop out of there, so they'd ask what other certifications do you have, how long have you been doing your job, and then what kind of education do you have.
So we took that as well and threw it in there just to add a little bit more noise into our Word doc, and then finally, after we put all the information in there, we wanted to give some feedback to the user, so we put a submit button in there. When they click on it, it actually doesn't do anything; all it does is tell them that the form was sent, but at least that way, when they put in all their information and hit a button, they get that good feeling that at least they accomplished something. We're going to take our Empire payload that we made earlier, embed it into our Microsoft macro-enabled document, and send that using the email that we built. This email is pretty much pulled almost exactly from a newsletter that they sent out, so we formatted it exactly like that, telling them, hey, guess what, the system is being updated, and if you want to maintain your membership you've got to go in, update your information, hit submit, and then your account won't be suspended. We try to make it as urgent as possible so that hopefully they'll submit that form. Just a quick interjection: when you're making the Microsoft Word documents, if you try to save with the current format, like the 2013 format, it forces you to save as a macro-enabled document, so it has .docm at the end, but if you save it as a 2007 form it still just says .doc, so you don't show up as having a macro-enabled document if you save it as an older format rather than the new format.
A lot of email services will filter out the .docm one, so it's good to make sure that we're keeping it so that it gets through, to maximize our chances. So now that we have our document and our email, everything is ready to go, so we're going to run a test using an email account that we own to make sure that this all works. We didn't want to just throw it out there in the wild and hope that it works; we wanted to do a trial run. So we launch it, we get a callback, we're really excited, we're really happy, and then we stop and think for a minute and go, wait, we sent the email, however we never opened it. Why am I getting a callback? So that's a bit of a problem. I'm not Sarah, he's not Sarah. Who the hell is this person, and why do they have my malware? What it turns out is that our attack failed, and we're not sure why. So, being crafty as we were, we decided, why don't we just send a bunch of payloads now, get all these callbacks, and hope we can figure out what's going on. And it turns out, with this original plan that we came up with for launching everything into their network, that Microsoft has now built the ATP processes that they have in place into their regular non-ATP accounts, which adds a sandbox. So all these emails that you send out now, Microsoft is taking them, putting them into a sandbox environment, and checking them to see if they execute or have any callbacks out of them. So this is happening; there's no documentation at all on this. Just so you're aware, all your emails are being scanned by Microsoft, big surprise. A sandbox, just real quick, can be anything from where you're isolating an individual process to running an entire virtual machine to analyze the behavior of an attachment or a piece of malware, if you're doing analysis on your own. When they start using these for the emails, it's because it's way easier to do behavioral analysis than to try and create every single signature. Easier is not the right word, but it's a more reliable
way: if you're launching a payload, you still have to have things like your C2 callback, you're launching new processes, and things like that, so the behavioral analysis is a more reliable way than using signatures, so they've started using those. But we couldn't find, like Anthony said, we couldn't find any documentation that Outlook was using sandboxes by default on all accounts, whether or not they were ATP or just plain old, like you signed up and used a free one. So what we did was, we decided that if we're getting all these callbacks, maybe we can use that to figure out what's going on, because we tried using standard sandbox evasion techniques, like launching the payload once the document was closed out, doing some time waiting, not very long, just like a minute or two, and doing user inputs, like it won't launch unless there's some user input, and the sandbox is actually doing user inputs and that kind of stuff. It's a pretty advanced sandbox environment, so it was a little more difficult than we were expecting to evade it. So we wanted to try and enumerate the sandbox environment to see if we could get any information back that was a reliable indicator that we were in that sandbox. Our first attempt was just super lazy: we sent an enumeration thing that made a text file and tried to copy it directly back to our server, and the sandbox did not like it when we tried to copy a file off, so it just killed our connection immediately. We didn't even get a full callback that time. So we ended up changing the second stage of the Empire payload to enumerate the host, looking for things like identification numbers, disk size, RAM, that kind of stuff, to see if the physical configuration of the sandbox was the same every time, and it turned out that it was. Every time you ran it, you got the same serial number back, or identification number, or cores, and the same disk size every time, even though the IP addresses, the domain names, the user
names, all that stuff was changing every time. The physical indicators were exactly the same every time, so we were able to build that check into our payload, and it immediately went through the sandbox without any issues from that point forward, every single time. We actually reported this to Microsoft, saying, hey, it's probably not a good idea that your sandbox allows the C2 server to connect. It ended up being fixed in about July, but as far as we can tell it wasn't intentional, because they hadn't gotten back to us, and the email they did send back to us said, we've verified your issues, but we're not going to do anything about it; we might fix it in the future. And so now we're going to go ahead and try and launch the attack again, now that we've identified that sandbox. So launching the attack, now that we have all the information, at least we think we have all the information, we launch our attack, we made it through the sandbox, congratulations. However, for some reason no one is clicking our totally legit phishing campaign. Can't imagine why. Come to find out that our really great phishing campaign that we came up with doesn't work because, since we're doing a black box test, they're employing Mimecast, so all their emails are being placed into kind of a locker, and the users have to manually pull them out to actually review them. This organization ran a spear phishing kind of assessment earlier in the year to see how their users were doing, and we found out at that point that less than 2% of their users were clicking these kinds of emails anyway, so our chances were pretty slim to start out with. So that was great for them; it was really bad for us, however. So we went in, we talked to the network admin, and he said, sure, you know what, I have a computer laying around, I'll execute this payload on my computer to see if Darktrace is working, because that's really what the whole intent was behind this. So he goes, he clicks on it, it works, we get a call
back, we think everything's great. Come to find out the network taps were misconfigured at this location, so they spent all this money setting up an IDS and they misconfigured the entire thing. So that kind of stuff for them. So we asked nicely again, he went to another location that they knew was actually properly configured, and they launched it from there, and we did get a callback again. So you can see there, we blocked out all their personal information, we got a callback out of there with Darktrace actually properly running, so our entire attack was completely successful. Well, so we were successful in getting our C2 traffic not seen. We weren't really able to move laterally, partly because the scope of our agreement for the assessment was that we couldn't drop anything to disk, which really limited our ability to elevate our permissions and that kind of stuff, because they didn't want us to drop any DLLs. They wanted to be able to hit the power button on the computer and it would go back to where it was, so that limited us. So we started getting noisier and noisier just from the single host that we had, to try and enumerate the network and that kind of stuff, and Darktrace did eventually, when we started doing full network scans, flag on the computer. But Darktrace has a second component that you can buy called Antigena, which is an intrusion prevention system. It's supposed to be an automated system: if it sees bad actors, it isolates that connection, cuts it off, and isolates that computer. But even though we had some alerts triggered, it never isolated us, so we were able to pull a whole bunch of information off of the shared drives, enumerate their network, and we found a Windows 2003 server on their network, that kind of stuff. The attack was successful in terms of getting our C2 traffic past, but we weren't really able to move laterally because of the scope we had. I fixed some of the issues with PSInject getting
flagged and stuff in Empire at that point; we managed to fix those a little later. So the lessons learned: the older frameworks are still viable. We had a next-gen IDS and a lot of stuff that's supposed to be doing all this network baselining and using these weak indicators of compromise that, when put all together, are able to produce strong indicators and really effective analysis of the network, but we were using an outdated framework and we were still able to get past it with relatively minor changes in the code base. And then avoiding Windows Defender and AMSI is not that hard, at least once we understand how they work. You actually see a lot of things online about old techniques for bypassing Defender and AMSI where people are like, oh, these don't work anymore because it was flagged in this new update or something like that. They just don't understand why AMSI is flagging on it, and it takes just a few strings being concatenated to make those techniques still work. And then phishing overall is still the most common way of delivering malware, but the click rates across organizations across the country, if you go look at the Verizon wireless report that came out, the click rates are getting really low, like less than 5% in most companies, which is really great. It's great that we're finally getting to that point, with things like Mimecast helping a lot, and then Microsoft is rolling out more and more mitigations, and that's also really great too. Their response to us, we would have liked to see them say that they were going to address some of the issues with the sandbox, but we understand really why they can't change everything instantaneously, so hopefully they address that in the future, and non-ATP accounts will be getting better too. You guys got any questions for us?
Sure. So what was happening was we would get a connection back for like two to three minutes and then it would cut off, and it was the same time every time, and when we looked up the IP addresses we were getting back, they were all registered to Microsoft. So we were able to look up those IP addresses, and after we got four or five of them back and it kept detonating, they were all kind of in the same IP space and they were all registered to Microsoft, so we were able to do that. Oh, I apologize, I forgot: the question was how were we able to tell that we were in a sandbox without being told, when there was no documentation on it. So, any other questions? Yes sir. So the question was, are there any more providers that are using sandboxes that aren't advertised? We're not aware of any. I haven't been able to determine; Google rolled out sandboxes for G Suite, but I haven't been able to determine if they're being used on just standard Gmail accounts or not. I haven't seen anything that indicates that they are, because while all of our payloads were having the issue with Outlook, our payload was still going through on Gmail, because we tested on that to see if it was some other issue, and it didn't get detonated there, so they were all making it through. So I'm not aware of anyone else putting unadvertised sandboxes in yet. Cool, any other questions? Oh, cool. Thanks, guys.