Okay, thank you so much. Welcome to the Packet Hacking Village and the speaker workshops. It is now 4:10. We're gonna kick it right off, we're not gonna waste any time, and now it is my pleasure to introduce the next talk: Release the Hound... I mean, oh, sorry, not Release the Hound, Hunting the Hound... no, that's not good. Sorry, sorry: Fooling the Hound, by Tom Sela.

Can you hear me? Okay. Yeah, cool. Okay. Hello, everybody. We're gonna talk about Fooling the Hound: deceiving domain... I mean, domain admin hunters. So in the next 35 minutes or so we're gonna cover lateral movement and deception, and I hope it will be fun.

My name is Tom Sela. I'm the head of security research at Illusive Networks. I want to thank Illusive for giving me the opportunity to stand here in front of you and all of the friendly faces I see in the audience, and also my colleagues.

I wanted to share a story with you. About one year ago I was sitting in the audience exactly as you are sitting today, and I attended a talk that changed the way I see lateral movement. The talk was Six Degrees of Domain Admin, given by Andy, Will and Rohan, who are sitting in the audience today. In that talk they showed a great tool, BloodHound, that shifted the balance between defenders and attackers and gave the attackers a significant amount of power. From that talk I set out on a path to see how, as defenders, we can use the same tool. So the talk... oh, sorry. The talk will cover the journey of the last year, seeing how BloodHound can be used in order to help blue teams. So if you're expecting this hound, I'm sorry to disappoint you. It's not a Game of Thrones talk; it will be on BloodHound.

What are we going to cover? We're gonna have a crash course on deceptions and lateral movement... sorry, lateral movement and graphs. Then we'll move to deceptions, and then we'll fool the hound: we'll combine deceptions and lateral movement, and we will wrap up. Our goal throughout the entire talk will be to detect attackers hunting domain admin credentials in the network.
Our goal is to detect, and the method will be to plant and monitor deceptive users and computers throughout the network. Those two slides will follow us throughout the presentation.

When we look at the kill chain, an attack usually starts when a computer is compromised, for instance by a phishing mail. The attacker gets full control of the computer and starts moving laterally in the network to obtain domain admin credentials, the credentials that give him full power over the network, and only after that continues to achieve his goal. This talk focuses on the first part: from the initial breach to obtaining domain admin credentials.

Let's look at a generic attack scenario. We'll cover how an attacker, in just six stages, goes from an initial breach to full control of the network. Let's say in our network we have a receptionist named Liz, and the attacker sends a phishing mail to Liz. Liz opens the email, clicks on the link and downloads malware onto her computer. From that point the attacker has control of Liz's PC and tries to move laterally in order to get domain admin credentials. In our example he will run Mimikatz or another credential dumping tool, get the credentials of Liz, and then see what else he can do with them. In our case Liz is a member of a domain group, and that group is admin on another PC. So using these credentials he can move laterally: he can use them and connect to Room2PC. There, all over again, he'll dump credentials and see which additional user is connected to that machine. In this case we have Clark, who is connected; he'll dump the credentials and once again see what else he can do with them. Clark is admin on the CFO PC. The attacker uses the credentials he just compromised and moves to the CFO PC, and luckily for him, a day before, the helpdesk connected to that machine in order to help with a problem, didn't log out correctly, and the credentials of the helpdesk stayed on that machine.
Helpdesk is domain admin. So an attacker in six steps was able to move from the reception PC to getting domain admin credentials. It just shows us how significant computers that are seemingly not significant, that are not highly privileged, are in the attack kill chain, and how they can be used in order to get complete control of the network.

If we take the graph that we just covered and try to make it a little bit more formalized, we'll see that we had three node types: we had users, we had computers and we had groups. All of that information can be obtained by any domain user; you don't have to have any special privileges to get the information of the network. So also Liz in our example can get the information of all the users, computers and groups. And we had edges. The attacker had to know, in order to follow the path we just covered, which user is logged in where, which user is admin on each machine, and the group membership. Surprisingly, also those edges, that information, can be obtained by any domain user; no special privileges are needed in order to obtain that information.

So if we formalize that, and we know what edges and what nodes are parts of a lateral movement, why won't we just make a graph? So it's a great idea, and we didn't just think about it: actually the BloodHound guys thought about it before us, and they did exactly that. They created a tool that maps the entire network, gets the information of the nodes and the edges as we just saw, and provides a great UI for red teamers to see what path they need to take in order to get to the domain admins. So this is a picture from BloodHound, and what we see are all possible shortest paths to get to the domain admin group.

So I'll take a little pause with lateral movement and BloodHound and move to another subject. We'll cover deceptions. What is a deception?
Deception is the act of causing someone to accept as truth or valid something that is not true. I'll show two examples from the real world, from real warfare.

The first one you see is trip stairs. In medieval ages, the most terrifying thing for defenders was for an enemy to storm into the castle and take it over. What they did, they created a seemingly insignificant change in their infrastructure, in their staircase, that would be insignificant for defenders but devastating for attackers. They took every tenth stair and made it a little bit higher. Defenders, living in the castle all their life, knew which stairs they needed to skip over, because they lived there all their life. But an attacker running into the castle for the first time, not noticing this insignificant change, will trip on the stair, fall, and it will block the entire attack. So this is one example from the real world.

The second one, what you see, it's a tank being lifted by four people. Strange, right? It's from the Second World War. The Allied forces had an army unit called the Ghost Army. Its entire purpose was to deceive the German forces. What we see in the picture is an inflatable tank; it's not a real tank. What the Allied forces did, they deployed tens of those tanks in a specific field, making the Germans think that they were going to attack there, where in reality it was just a deception. They were able to cause the Germans to shift their defenses to a certain location without using any real force. So those are two examples from the real world.

We covered BloodHound and we covered deceptions. Let's combine the two. What BloodHound showed us is that an attacker can get the precise path it needs to take in order to get domain admin credentials. As defenders we can use the same tool in order to anticipate, to know in advance where the attacker will go. We can know that it will take the most efficient path. But we can do even better. We control the environment; we control the information
they're using in order to create the graph. So as defenders we can control the path they will take. We'll create the right manipulations in our network in order to control where they will go and how they will go, and that's exactly what we're going to cover from this point on.

So this is the network, how it looks before planting deceptions, and this is how it will look after deceptions. What you're looking at is an extension to BloodHound: all the orange nodes are deceptive nodes. This means that the network is exactly the same; it's exactly the same network. The only difference is that we created manipulations that, if an attacker tries to follow them, first it will detect him, and second, he will not be able to reach his target.

There are two places that deceptions can be planted: either on existing endpoints, we call it honeytokens, or by adding an additional server to the network. The honeytoken resembles the stair example we covered, an example of creating an insignificant change for the defender that will be devastating for an attacker. So it resembles honeytokens. And the example with the tanks resembles a honeypot: we'll make an attacker believe that something is true, although it is just a trap.

Let's start by creating deceptive user sessions. We covered that graph in the beginning. What will happen if we do the following: if we add a deceptive user session on Room2PC that points to a domain admin user, an attacker running BloodHound or a similar tool will see that he can take only four steps in order to get a domain admin. Four steps is better than six.
So it's a more efficient way to get domain admin, and that's the way it will look on BloodHound. Let's see how we can make an attacker believe that Superman is logged into Room2PC, although in reality he is not, and the only real user on Room2PC is Clark.

We'll start with honeytokens. We'll cover four examples. For each example I will first describe what the attackers are doing, and afterwards I will describe how the deception is implemented.

The first example will cover a registry key. For an attacker to know which user is logged in to a specific machine, he can do the following. When a user logs into a machine, his profile is automatically loaded into the operating system, and as part of it a specific key is generated in the registry. The key's name matches the user's SID. The SID is a unique number for each user. Surprisingly, by default Windows allows read access for everybody for that specific key. That means any domain user can come to any domain machine and just get the list of SIDs, and that's exactly what attackers are doing. They get the list of SIDs, convert them to usernames, and know remotely which users are connected to that machine. Exactly as I described, an attacker will use an RPC command to ask for all the keys in the specific location, the endpoint will return the keys, again, no special privileges are required, and the attacker will know which users are connected to that machine.

As defenders, what can we do? The answer is quite simple. We can add an additional key at that location. The key will match the user we want the attacker to believe is logged into that machine. Let's see a demo of it. On the right we have the attacker machine. We'll run the command that extracts all the logged-in users via the registry. At the beginning we will see that only Clark is logged into that machine, which is true. What we'll do now, we'll plant the deception on Room2PC.
I remind you that we want to make the attacker think that Superman is logged into that machine. So we'll check the SID of Superman. We can do it by either PowerShell or Sysinternals tools; in this example I'm using a Sysinternals tool. We got the SID of Superman, and now we'll add the specific key to the registry. The key was added; we see that we have an additional key in the registry. And the attacker will run the same command again. Previously he got only Clark in return, but now he believes that also Superman is logged into that machine. Exactly what we want to achieve. Whenever you see the wolf-and-sheep thing, it's an indication that we succeeded. So we covered the first example.

Let's see an additional example. Again, we want the attacker to think that Superman is logged into Room2PC, and not only Clark. That example involves an API to remotely query user sessions. The API does require admin privileges, but the deception is relevant also for other tools such as Mimikatz. So the deception that we're going to cover will influence an attacker that, after he's got control of the endpoint, will try to run Mimikatz to dump the credentials. Using this deception, he will see an additional user, an additional user password.

So we want to add an additional deceptive session. The problem is that each time you want to authenticate or add a session, you have to authenticate the credentials against Active Directory. And we want to plant deceptive credentials: we want to plant deceptive credentials that, if they are used by the attacker, he will not be able to actually move laterally. Luckily for us,
there is a method to do that. That method involves runas /netonly. The runas command creates an additional process; when passing the flag /netonly you can pass any credentials that you want without them actually authenticating against Active Directory, but the credentials are still added to the Windows memory, and we'll do exactly that.

So an attacker remotely queries all the sessions, the computer returns a response, and using the response the attacker will know which users are connected to that machine. Let's see it in action. So again, we're our attacker. First we'll run the command, and we'll see we got only the computer account and Clark connected to that machine, and of course that's the reality: in reality only Clark is connected. Now we'll create the deception, or add the deception. We'll run runas with any random password; it's not the real password of the user. The command executed, and now the attacker once again will run the same command, and this time he also sees Superman, exactly what I wanted to achieve. So this is a second method to create deceptive user sessions.

We're gonna cover the last example of creating user sessions. Again, we want to make an attacker believe that Superman is logged into Room2PC. For this example we will use our trap server, or a honeypot. Any Windows machine is by default also an SMB server. So any endpoint is an SMB server, it's a file server, but so are Active Directory or your organizational file server. Those file servers, for each machine that connects to them, hold the name of the user and the machine that connected to them. What attackers are doing, again, instead of going machine by machine, they connect to and query a file server and ask it for all the machines and users that connected to it.
So in our example Clark connected to a file server. Our attacker will query the file server for all of the users and machines that have active sessions to it. The file server returns a response saying that Clark is connected from computer Room2PC, and our attacker will know that Clark is on Room2PC.

When adding a honeypot to the network, we control all the responses it will generate. We can control whatever it will return to the attacker, and we will do exactly that. We added a trap server, and when our attacker queries it for all the active sessions, we'll just let him know Superman is connected on Room2PC. I'm going to show you an example of that. In the example we have a deceptive file server with our own implementation of an SMB server, and the implementation has a file that holds the response it will return to an attacker. So on the right we have the attacker, and on the left our deceptive honeypot server. What we see in the background is the file that will hold the responses we'll return to the attacker. Right now the file is empty.
So when the attacker queries for all the active sessions, he gets nothing in response. But once we added Superman on Room2PC, the same query now gives the attacker the notion that Superman is connected to that machine. And we can do anything we want: we can add an additional random PC or whatever you want, and an attacker will believe that those users are connected to those machines. So that was the third example of how we can deceive attackers and make them think that a user is connected to a specific machine, although in reality it is not.

I will give one last example, but not for deceptive user sessions; for deceptive local admin privileges. Taking the same graph, if we create the following manipulation, we'll make an attacker believe that the user Liz is admin on our trap server, and there is a domain admin connected to that machine. This will provide an attacker a shorter path to a domain admin; that path is only three steps. Even better than the deception using user sessions. Let's see how we can do that. As with previous examples, remotely querying group membership does not require special privileges. Any user can just come to any machine and ask it for all the local members of the Administrators group. What we do is similar to the previous example. We have our trap server and we control all the responses it generates. So all we need to do is just return a response that Liz is admin on our trap server, and for this example we even use a name that matches the convention of the organization: Room3PC matches the convention of other computers. I will skip the demo for that one.
It's similar to the previous one. So enough technique for now. Let's see how we start fooling.

So I promised you that our goal is to detect attackers hunting domain admin credentials in the network, and we want to do it by placing and monitoring deceptive users and machines. We've got the pieces of the puzzle: we know how we can create or add deceptive users and deceptive machines. To make sure we detect attackers, we have a specific goal. The goal is that any shortest path to a domain admin will contain at least one edge or one node that is deceptive, and those nodes and edges will provide us a detection mechanism: if an attacker uses a deceptive user or connects to our trap, to our honeypot or trap server, we can alert.

We'll do it in three steps. It's a naive implementation; there are even more interesting implementations using graph theory. I deliberately chose to use something naive; it will be easier to explain. So the steps are as follows. First, we want to add a deceptive user session for all the computers that are closest to the domain admin group. Second, we'll add deceptive computers to the top groups in the network. And lastly, we'll take cliques or endpoints that in reality do not have a clear path to domain admin, and we'll make an attacker think that they can lead to domain admin. So for an organization with 10,000 nodes, the BloodHound graph will show approximately maybe 100 nodes, because not all computers can lead to domain admin. But using the third option we can create a graph that for an attacker will show 500 nodes or even more, because we can take computers from the network and create a deceptive connection that will lead to domain admin. So this is again the BloodHound UI, the BloodHound graph, and this is our domain admin group.
Let's see those three steps in action. Step number one: we just added users to all the closest computers. If we just stop right here, we already achieved our goal, because all the paths that lead to the domain admin group already contain at least one deceptive node. But we want to create an even more complex picture for the attacker. So in the second stage we'll add deceptive computers to the top groups. Once again, all of those nodes, the new paths that you're seeing, are not real paths; an attacker that follows them will not be able to get domain admin credentials, it will only trigger an alert. So we added additional machines to the top groups. And lastly, we took additional machines in the network and connected them to the BloodHound graph. So all of those are either deceptive computers or users that are added to the graph, and one result you can see over here: this user is the antivirus admin, the antivirus service user. Before, it would not lead to the domain admin group, but using deceptions we added all of those machines, so that if an attacker compromises them, he will think that he has a valid path that will lead to the domain admin group.

Wrapping up what we covered: we covered lateral movement and graphs; we showed four methods to deceive attackers; we showed how we can control the path an attacker will take; and we showed an algorithm that will make sure that every shortest path will contain at least one deceptive edge or node.

What can we take from that? Deceptions bring doubt and uncertainty to the operations of the attacker. An attacker that tries to move laterally in an organization that employs deception will doubt any piece of information it finds, because it will no longer be able to be sure that this information is true. Our current security strategy is mostly built on walls, and walls are good.
They keep the bad things out. But we also understand that we live in an assume-breach era, that any wall will eventually be bypassed. What I wanted to show you, and if you take only one thing from this talk, is that using deceptions we can make attackers fear what awaits them behind those walls. And one last Game of Thrones. That's it. Thank you very much. If you have any questions...

Okay. Yeah. The question was, will it be also relevant to really sophisticated attackers that will invest a larger amount of time in order to make sure that they're using the right information? Right. Yeah. Okay. What? Yeah. And the way I look at it, I showed only specific examples and a very naive implementation. In order to deceive the advanced attackers you'll have to make very professional deceptions that will not have a pattern, that will not be easily detected, and the implementation I just showed is a very, very naive one. So in reality you can have multiple layers of deceptions. And one thing you also gain is that it will make the cost of the operation much higher, because if before they could use and do whatever they wanted, right now they'll have to stop at any step and make sure that there is no pattern, and this is a win by itself. And the adversary will not know what deception we deployed. So there is also the chance that it will take real information and will not follow it because of the possibility that it's a deception. But if they take the fake ones, we will detect it, and that's our goal. It takes only one bad step of the adversary. Yeah, so it's a great question. But once an attacker performs an operation that does not yield results, you've already detected him, and that's our goal. That's what we're trying to achieve.
It's a detection mechanism and not a prevention: the attacker is still in your organization, but you get a flag that you know you need to take care of, and that's what we're trying to achieve. Anything else?

In short, you're monitoring the information that you placed in the network. So if you place credentials, you will monitor them, and if you place honeypots, you will monitor them.

That's separate; that's an extension that I created which shows the deceptive nodes and edges. Yeah, as I said, I work for a company named Illusive Networks, and we can talk afterwards.

Can you repeat the question? The examples that you used are mostly for workstations, but I'm assuming you can also use deceptive technology for web servers, which are also highly attacked, and capture movement from the web servers going back into the DMZ, right? That's completely true. I deliberately showed only a small amount of the possibilities there are for deception. So we're also relevant for servers and endpoints, and for other services, and not just Active Directory related services. Yeah, I'll be happy to cover that if you want afterwards. There are vast options for creating deceptions, and I'll be happy to cover them. Thank you very much, everybody.
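The registry-key honeytoken from the first demo in the talk, worked through as an added PowerShell example. This is not the speaker's or Illusive Networks' code. It shows the attacker's side (listing the subkey names of HKEY_USERS on a remote machine and resolving the SIDs to account names) and the defender's side (creating an extra HKEY_USERS key named after the SID of a user who never logs on there). The domain name DEMO, the deceptive user Superman and the host Room2PC are assumed names taken from the talk's scenario; the Superman account is assumed to exist in Active Directory so that its SID resolves, and the planting step has to run elevated on Room2PC itself.

```powershell
<#
 Added example, not code from the talk or from Illusive Networks.
 Demonstrates the registry honeytoken described in the talk: every loaded user profile
 creates a key under HKEY_USERS named after the user's SID, and the key names are readable
 remotely, so an attacker enumerates them to learn who is logged on. A defender plants an
 extra key named after a deceptive user's SID so the same enumeration reports that user.
 Assumed (hypothetical) names: domain DEMO, deceptive user Superman, target Room2PC.
 Requires: the Remote Registry service reachable on the target for the read step, and local
 administrator rights on the target for the planting step.
#>
param(
    [string]$Domain    = 'DEMO',
    [string]$HoneyUser = 'Superman',
    [string]$Target    = 'Room2PC'
)

# Attacker view: subkey names of HKEY_USERS on a remote host, keeping only account SIDs
# (S-1-5-21-...) and dropping .DEFAULT, the well-known service SIDs and the *_Classes twins.
function Get-RemoteLoggedOnSids {
    param([Parameter(Mandatory)][string]$Computer)
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $Computer)
    try {
        $hku.GetSubKeyNames() | Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    } finally {
        $hku.Close()
    }
}

# SID -> DOMAIN\user; falls back to the raw SID when the lookup fails.
function Convert-SidToAccount {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

# Defender view: resolve the deceptive user's real SID (the account exists in AD, but nobody
# ever logs on with it) and create an empty HKEY_USERS\<SID> key on this machine.
# No profile is loaded and no session exists; only the key name is there to be read.
function New-RegistrySessionHoneytoken {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$User
    )
    $account = New-Object System.Security.Principal.NTAccount($Domain, $User)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $key = [Microsoft.Win32.Registry]::Users.CreateSubKey($sid)   # no-op if it already exists
    $key.Close()
    return $sid
}

# 1. Before: what an attacker sees on the target (only the real user, Clark, in the talk).
'Before planting:'
Get-RemoteLoggedOnSids -Computer $Target | ForEach-Object { '  ' + (Convert-SidToAccount $_) }

# 2. Plant. This step runs on the target itself, elevated.
if ($env:COMPUTERNAME -ieq $Target) {
    $planted = New-RegistrySessionHoneytoken -Domain $Domain -User $HoneyUser
    "Planted HKEY_USERS\$planted for $Domain\$HoneyUser"
}

# 3. After: the deceptive user now appears next to the real one(s).
'After planting:'
Get-RemoteLoggedOnSids -Computer $Target | ForEach-Object { '  ' + (Convert-SidToAccount $_) }
```

The second honeytoken in the talk needs no script: on Room2PC, `runas /netonly /user:DEMO\Superman cmd.exe` with any made-up password creates the fake session, because /netonly does not validate the credentials against the domain at launch while still placing them in memory where credential dumpers and session enumeration see them. The monitoring half is the simple part of the design: Superman never logs on legitimately, so any authentication attempt with that account, or any use of the planted credentials, is the alert.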