Hello everyone, welcome, and thanks for stopping by my session, PurpleSharp: Automated Adversary Simulation. I'm really happy to be in this first Adversary Village at DEF CON. During the next 30 minutes, what I'd like to do is present to you the adversary simulation tool I've been working on for the past couple of years now, on and off, called PurpleSharp. My goal with this session, and with the tool itself, is to encourage detection teams to integrate adversary simulation exercises and practices into their detection program, to enhance their detection programs. So hopefully this is helpful for some of you, and let's go ahead and start.

We'll start with a quick introduction. First of all, let me introduce myself. My name is Mauricio Velasco. I'm currently part of the Splunk Threat Research Team. Before that, I used to be part of a blue team: I used to run the threat management team, or the detection team, for a Fortune 500 organization. I did that for a few years, and before that I was a pentester. I love meeting new people and chatting about infosec and interesting topics, so I'll leave you my Twitter account here, where I share my work and other people's work. Do follow me on Twitter if you are interested in adversary simulation, threat hunting, and detection engineering. I also invite you to visit my GitHub page, where you'll find resources for the work I've done in the past years, some of the talks I've given, the tools I've released, etc.

But okay, let's move on. Today I want to start by talking about why I wrote PurpleSharp. As I mentioned, before being a threat researcher I used to run a blue team, and specifically I built and deployed a detection program. When I was building that detection program I learned a lot of things from being on a blue team, but there is one lesson I learned that I think was the most important lesson about leading a detection program, and I want to share that with you.

I firmly believe that detection engineers need the capability to generate attack telemetry in order to be successful at their jobs. Imagine a scenario where we have instrumented an environment, where we are getting telemetry from networks, endpoints, and applications, and we're centralizing that into an event pipeline and an analytics engine like a SIEM, right? And detection engineers are creating detections, supporting detections, and maintaining this complex architecture. When I was doing this, I realized that we can have all the data, all the telemetry, but if we don't have the telemetry generated by attack techniques, by executing the technique, detection engineers are always going to be limited, because you cannot write a detection if you don't know how an attack looks like, right? So I firmly believe that a detection team needs the capability to generate attack telemetry; in other words, I think detection teams need the capability to simulate attack techniques. And this is why I wrote PurpleSharp.

PurpleSharp is an adversary simulation tool that executes adversary techniques within Windows Active Directory environments. It follows the MITRE ATT&CK framework for the organization of the techniques. It's written in C#, so for the attack simulations what I use is .NET libraries wherever possible, and Win32 API calls where I can. Its main goal is to generate the attack telemetry that enables detection teams to build, test, and enhance detection controls. That's the main goal of the tool. One interesting thing is that PurpleSharp is not weaponized, even though it executes techniques.
It doesn't provide the output to the operator, so it's not weaponized. For example, when I'm doing a Kerberoasting attack, even though I'm getting a service ticket for that SPN, I don't get the hash back; I don't present the hash back. So it executes techniques, but it doesn't provide the output, and it doesn't help you in a red team. That's why it's what I call adversary simulation: the goal is to execute the technique to generate the telemetry, and not necessarily to execute the technique to move on to a different goal, like a red team or a pentest would do.

So now let's dive deep into PurpleSharp and how it works, and then after that we're going to go to some demos. There are five points I want to go over real quick in the next eight to ten minutes around PurpleSharp, why I think it's different, and why I think it's helpful.

First, flexibility. PurpleSharp is flexible; it's a simple C# assembly. When we used to do adversary simulation exercises in my previous job, at the beginning what we would do is work with command and control frameworks, both open source and commercial. But we would always lose time on setting up the infrastructure, getting a shell back, infecting a host, getting a payload. Don't get me wrong, they definitely work well, but we needed to be a little bit more flexible, a little bit faster. So now with PurpleSharp all I have to do is drop that C# binary and run it: no command and control, no payloads, no reverse shells or anything like that.

Another thing is that PurpleSharp supports JSON simulation playbooks. A lot of other tools do this, and I like to call this simulation as code, where you can define a simulation playbook with JSON files, right?
And each technique has different parameters supported, so let me look at an example here on the right. This is a playbook for a password spraying attack. As you can see, I define the technique, the password, even the protocol; you can define which protocol to use. I added here a sleep time, so we're going to wait 30 seconds between each authentication event. We define the users that we're going to spray, and we define the target. So all the simulations supported by PurpleSharp come in a similar way: flexible, easy to customize, with a lot of different parameters to customize the specific execution of the technique. Here are two other examples. On the first one, this is how we execute the persistence technique to create a service, and on the right side, to create a scheduled task. As you can see, we can define the name of the service and the command that is going to be executed, and the same for the scheduled task.

Next point. One of the goals that I had when writing a simulation tool is that I wanted to be able to support remote simulation deployment; I wanted to be able to execute techniques on remote hosts. Why is that? Because when you're executing techniques on your local network, you're only testing the local network's detection controls. I wanted to be able to drop that simulation far away on the network, maybe in a different country, maybe in a different continent, without actually having to have someone there. So that was my goal. What I ended up doing is just leveraging native Windows services: SMB to copy the file, WMI to execute the file, and named pipes for communication. Of course, this has a couple of requirements: it means that when we want to deploy a simulation on a remote host, we're going to need network connectivity to these services, as well as administrative credentials on these remote hosts. Now, let's dive even a little deeper into how this works.
There are three modules that work together: the Orchestrator, which runs on the operator's computer; the Scout, which runs on the simulation target; and the Simulator, which also runs on the simulation target. So these are three different modules that synchronize with each other to execute the simulation. Now, one important thing is that these modules need to share information about the simulation, right? So what I'm using is named pipes and serialized objects, so that they communicate over the network using named pipes. I did this because in a previous version I was just using command line parameters, so I would have to copy those command line parameters and use them on the remote host. But that wasn't good opsec, right? Because you could see the parameters there, and it was easy to detect that this was a simulation. But now there are no more parameters, because all the communication, all the details about the simulation, is flowing through named pipes, from the Orchestrator to the Scout and from the Scout to the Simulator.

At a high level, the way it works is that the Orchestrator first copies itself using SMB to the target, similar to PsExec, right? It copies itself, then it uses WMI to execute the Scout. The Scout runs, and it is essentially a service, a named pipe service. The Scout runs some recon tasks to get a little bit more information about the target host, and then the Orchestrator starts talking to the Scout over named pipes. They share information, and once everything is ready, the Scout then executes the Simulator, which is in charge of the actual simulation itself. I wanted to separate simulation deployment from the simulation itself, which is why I separated these two.

This is just an example from the source code of the Scout. This is the Scout service; as you can see, it starts a named pipe service and it waits for the Orchestrator to connect to it. Once it connects, it receives an object.
Now, the object is the simulation request, which is essentially a small kind of protocol that I came up with on how to exchange these simulation details. So this is the simulation request: it has a header, a type, and it has a simulation playbook, which has all the details about all the simulations that need to be executed. You can look at the source code to see how that works, but it's pretty interesting, and I'm pretty happy with the results.

Another requirement that I had when writing PurpleSharp is that, when I was executing remote simulations, the challenge was that because I'm using WMI to execute the Scout, the Scout runs under the context of the service account that you used to deploy the simulation, right? But I wanted to get user impersonation, because when I'm executing a remote technique, I know that there's a user logged on there. So I wanted my simulation to run under the context of the user that's logged in on that host at that time. So how do I achieve that? Well, I had a few approaches. My first approach was to play with tokens, and I used these API calls to duplicate tokens and to start a process with a token that I stole, because the Scout runs in a high privilege mode, so it has access; you can get a handle to other processes. My second approach was to inject shellcode, so inject PurpleSharp as shellcode into a remote process, because once I inject that, then I'm going to run under the context of that process and whoever owns that process. So I tested these two first approaches. They worked, but still they weren't what I needed. I ended up going a different route.
What I did was use the parent process ID spoofing technique, which allows me to do two things. One, the parent process of my Simulator is now going to run under the context of the user who's logged in, so I am breaking that parent-child process relationship between the Scout and the Simulator. And second, because I'm using explorer.exe as the parent process, the child process, the Simulator, is also going to run under the context of that user. So I am "stealing" that token, leveraging the token of the user that's logged in on that host, without having to actually steal a token; I'm just using parent process ID spoofing. So now my Simulator, thanks to this, runs under the context of that user, and that's pretty interesting, because it allows me to execute my simulation as a real user. We no longer have that service account simulating techniques; now we have that real user, who is able to authenticate to other hosts and is able to get Kerberos tickets. So now it looks like this is an actual user that has been compromised and is attacking the network. It's pretty cool.

This is again just some code on how I do this. This is the Scout; the function that runs the Scout service lies here, and as soon as the Scout runs, it receives that protocol message from the Orchestrator, like a send packet, and then automatically starts doing the recon. So it sends that back to the Orchestrator, the Orchestrator stages the attack, the simulation, and once the simulation is ready, the Orchestrator sends an "act" command. When that act command is received, if the technique object is PPID, what the Scout runs is the Simulator, using the parent process ID spoofing technique, right?
Again, you can look at the source code yourself and check out how this works. So what we end up getting is something like this, where, as you can see here, we have the Scout running under the context of this psharp account, which is a service account that you're going to use to remotely authenticate to hosts, but the Simulator actually runs under the context of a real user that's logged in on this host, and the parent process is going to be explorer.exe. So now, when this comes to an analyst, they're going to think that this is a real attack, and they're going to investigate it the right way, which is another reason that I built PurpleSharp: I wanted to test my team, my SOC team, and this is one way of doing this, because now this real user has real hosts, real data, real proxy logs, so they can hunt through this data and look for suspicious behavior.

Another important thing for me was to execute the same technique in different variations. Why is that? Because I want to be able to bypass, or at least attempt to bypass, existing detections. It helps me validate detection resilience. Here's an example: the PowerShell technique. The way PurpleSharp can execute it is two ways. One is just calling powershell.exe and putting the command there as an encoded command, but another way is using .NET and executing PowerShell by leveraging the .NET libraries, without having to call powershell.exe. So there are two ways of executing this technique, and defenders should know how to detect these two ways.

Here's a cooler example. You probably know about this technique, remote services. It's a lateral movement technique that allows you to execute code remotely by starting a remote service or by messing with a remote service, right? So there are three ways that I support this. One, just using a native binary, sc.exe, which, if you have the right permissions on a remote host, allows you to create a remote service and start a remote service.
This is how I do it in PurpleSharp. The second way is no longer using the command line, but using Windows API calls: the API call CreateService, which allows me to create a service remotely, and then I can also start that service remotely to execute the technique. But finally, here's a way to bypass detections. With the first two ways, what happens is that they both generate a service creation event, which is a really cool way of detecting this technique. But with this third variation we are no longer creating a new service, because what PurpleSharp does is find an existing service, modify it so that its binary path gets changed, gets updated to a malicious command, and then revert it back. So now we bypass that: we're still leveraging the Service Control Manager on that remote host to execute code, but we're no longer creating a new service; what we're doing now is modifying an existing service. And by the way, credit to the author: this is a technique that I first saw in the tool called SCShell, and I just replicated it. So, three ways of executing this technique.

Another example of this is password spraying. I know that within Active Directory you can do password spraying with Kerberos and with NTLM, and that looks different in the logs, so it could be a way to bypass a detection. PurpleSharp supports both Kerberos and NTLM just by leveraging the API call LogonUser, and I only have to change a variable here; that's all you have to change to force the authentication to happen over Kerberos instead of NTLM, or the opposite. So, technique variations: a pretty interesting feature of PurpleSharp.

Finally, another important thing for PurpleSharp is that I wanted to have Active Directory support, meaning being able to execute techniques in Active Directory environments. Of course PurpleSharp is a C# binary focused on Windows, but I also wanted to do more, so for example PurpleSharp is able to interact with Active Directory and the domain members in the context of that logged-on user. It also supports LDAP queries for random target selection. There are some techniques that require targets; for example, password spraying requires user targets, but a lateral movement technique requires host targets. So what I do with PurpleSharp is that you can define two variables, host target type or user target type, and what these variables define is which targets you want to attack. If you set these variables to 2, what happens is that PurpleSharp is going to automatically do random LDAP queries against Active Directory and obtain random users, obtain random hosts, so you can target them in your simulation exercises. And when you're picking hosts, it actually does an extra check: it goes against LDAP and gets a list of hosts, but it also checks if those hosts are alive with a ping, and it also checks with a quick port scan on specific ports to see if those hosts are responding or not. So it does some checks before returning just an LDAP result. This is pretty interesting, because now I can pick random targets without having to define passwords, because remember, I'm leveraging that logged-on user's token, and that user is already authenticated to the domain, so I'm just leveraging that to do all these queries without having to define passwords.

So now that we've looked at a few ways of how PurpleSharp works, a few features of PurpleSharp, let me jump to the demos. What I'm going to do now is stop the video, because I need to set up my environment. But at a high level, this is what we're going to be looking at: I have a lab environment with a few, I think ten, Windows hosts. I'm using Windows Event Forwarding, and then I'm using a Splunk community version to get all those logs, and we're going to be executing techniques and looking at some dashboards. So give me a minute, I'm going to set up my lab environment and I'll be right back.

Okay, I'm back, sorry. Okay guys.
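The three remote-service variations described above leave different traces: the first two produce a service creation event on the target, while the third only shows the Service Control Manager (services.exe) spawning the payload. The detection logic below is an added example written for this page, not PurpleSharp's code or the speaker's Splunk searches. It runs over a constructed set of normalized Windows events (Sysmon process creation and Security 4697 service install records; the field names and the host and user names are this example's own assumptions) and labels each suspicious child of services.exe as "created" or "modified" depending on whether a service install event exists on the same host within a short window. It also goes beyond the service technique by applying the same parent-process logic to the WMI (WmiPrvSE.exe) and WinRM (wsmprovhost.exe) channels that appear later in the lateral movement demo.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample events (not real logs). Field names are an assumption of this
# example: a normalized mix of Sysmon EID 1 (process creation) and Security EID 4697
# (service installed) records from a few hosts.
SAMPLE_EVENTS: List[Dict] = [
    # Variation 1 as seen on the source host: sc.exe aimed at a remote machine.
    {"kind": "process", "host": "WIN10-2", "time": "2021-08-06T10:00:00", "user": "CORP\\mburns",
     "image": "C:\\Windows\\System32\\sc.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "sc.exe \\\\WIN10-4 create svc4821 binPath= \"cmd.exe /c whoami\""},
    # Variations 1 and 2 on the target: a 4697 install followed by services.exe running the payload.
    {"kind": "service_install", "host": "WIN10-4", "time": "2021-08-06T10:00:02",
     "service_name": "svc4821", "service_file_name": "cmd.exe /c whoami"},
    {"kind": "process", "host": "WIN10-4", "time": "2021-08-06T10:00:03", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\services.exe",
     "command_line": "cmd.exe /c whoami"},
    # Variation 3 on the target: an existing service's binary path swapped, started and reverted.
    # There is no 4697 at all, only the services.exe -> powershell.exe relationship.
    {"kind": "process", "host": "WIN2019-1", "time": "2021-08-06T10:05:00", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    # Benign: services.exe starting svchost.exe is normal and must not alert.
    {"kind": "process", "host": "WIN2019-1", "time": "2021-08-06T10:05:01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
    # WMI and WinRM remote execution: the payload is spawned by the provider host processes.
    {"kind": "process", "host": "WIN10-5", "time": "2021-08-06T10:10:00", "user": "CORP\\wsmithers",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "command_line": "msiexec.exe /i test.msi"},
    {"kind": "process", "host": "WIN10-6", "time": "2021-08-06T10:10:05", "user": "CORP\\wsmithers",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe", "command_line": "regsvr32.exe /s test.dll"},
]

# Interpreter and utility binaries that are unusual as direct children of these parents.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "msiexec.exe", "wscript.exe", "cscript.exe"}
# Parent process -> remote execution channel it implies.
REMOTE_EXEC_PARENTS = {"services.exe": "service", "wmiprvse.exe": "wmi", "wsmprovhost.exe": "winrm"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def service_installed_nearby(event: Dict, installs: List[Dict], window_seconds: int) -> bool:
    """True if a 4697 exists on the same host within +/- window_seconds of the process start."""
    started = parse_time(event["time"])
    return any(inst["host"] == event["host"]
               and abs((parse_time(inst["time"]) - started).total_seconds()) <= window_seconds
               for inst in installs)


def detect_remote_execution(events: List[Dict], window_seconds: int = 60) -> List[Dict]:
    """Return one alert per process creation that looks like remote code execution."""
    installs = [e for e in events if e["kind"] == "service_install"]
    alerts = []
    for e in events:
        if e["kind"] != "process":
            continue
        child, parent = basename(e["image"]), basename(e["parent_image"])
        # Source side of variation 1: sc.exe given a UNC host name, i.e. a remote SCM call.
        if child == "sc.exe" and "\\\\" in e["command_line"]:
            alerts.append({"host": e["host"], "channel": "service", "variation": "sc.exe_remote",
                           "image": child, "user": e["user"]})
            continue
        channel = REMOTE_EXEC_PARENTS.get(parent)
        if channel is None or child not in SUSPICIOUS_CHILDREN:
            continue
        if channel == "service":
            # Creation (sc.exe or CreateService) leaves a 4697; a modified existing service does not.
            if service_installed_nearby(e, installs, window_seconds):
                variation = "service_created"
            else:
                variation = "service_modified_no_4697"
        else:
            variation = channel
        alerts.append({"host": e["host"], "channel": channel, "variation": variation,
                       "image": child, "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_execution(SAMPLE_EVENTS):
        print(alert)
```

The point of the "service_modified_no_4697" label is the one the talk makes: a rule keyed only on service creation events misses the third variation, whereas a parent-child rule on services.exe catches all three and the 4697 correlation merely tells you which one you are looking at.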
So I'm back now, and let's look at the first demo. In this first demo we're going to execute two playbooks. In the first playbook, we're going to execute some reconnaissance or discovery techniques using the command line, so using native Windows binaries, and then we're going to use the Kerberoasting attack. In the second playbook, we're going to execute these techniques on a different host. We're going to execute some similar reconnaissance techniques, but this time we're no longer going to use the command line to execute them; we're going to use PowerShell commands, so that's going to look different in the logs. And finally, we're going to start executing some password spraying techniques from that host.

All right, so let's jump to this demo real quick, guys. So I have my lab environment, as I was mentioning here. We have a bunch of hosts; I think it's ten hosts. Oh, I don't know what I did here, hold on, let me come back to this. Okay, so as I was saying, I have ten VMs here, a domain environment, right? And I have this computer here, and as you can see, this computer is not part of the domain; it's within a workgroup, and I have PurpleSharp on it. So what I'm going to do is, from here, I'm going to deploy remote simulations to some of these hosts.

So let's start looking at the playbook. For the first playbook, we have this playbook; let's quickly go over it. This is a remote playbook, because, as I said, I'm going to deploy the simulation against remote hosts on this network. This is going to be the service account that's going to be used to authenticate to those remote hosts. So for this first simulation, I'm going to deploy to this Windows 10-1, which is this guy, and as you can see here, it has the Marge Simpson user logged in. So we're going to execute the simulation under the context of this user.
That's thanks to PurpleSharp's user impersonation. We define the scout path and the simulator path, because they are also configurable, and this is where the simulation is going to come from. And then we start defining some techniques: system discovery using the command line, account discovery using the command line. I'm not going to go over each one of these techniques; you can look at MITRE ATT&CK to see what they are. Finally, we're going to use the Kerberoasting technique; we're going to use variation number one, which means get a service ticket for all the service principal names that PurpleSharp can find, which is a noisy way of executing it, but PurpleSharp supports other ways as well. And I'm going to put a sleep time, because why not? I can put a sleep time.

In my second simulation, I'm going to run it against another host, Windows 10-2. Similar techniques, but this time I'm going to use PowerShell; this is why I set variation number two here. With this variation two, I'm going to use PowerShell, and I'm going to use two password spraying techniques: one using Kerberos against 20 randomly picked users, as I mentioned on the slides, and another password spraying attack, but this time we're going to authenticate to a remote host, so we're going to do a remote password spraying attack by finding a random host and spraying it. So I'm going to execute this and then just pause the video, so we don't have to wait for this to finish. So I define the password, and here we go. I'm going to stop the video and come back to this; I'll be right back.

Once PurpleSharp is finished, we can go in and look at the results. Don't forget that PurpleSharp writes results to a JSON file, in case you want to do that, but for purposes of time we'll just do this manually.
So two playbooks have executed. Let's look at the results. On the first one, we see that PurpleSharp authenticated to Windows 10-1 and started executing commands under this Simulator, of course under the context of a real user, with this PID, and it starts executing some enumeration commands using the command line. Nothing fancy here; it gets some results back, and we're going to see that in Splunk in a minute. After that it starts the Kerberoasting technique: it queries LDAP for SPNs, it finds them, and it starts getting a service ticket for each one of them, executing Kerberoast, and as you can see it waits one second for each authentication event, because we defined that sleep time.

Actually, let's come back to the logs to see how this looks. If I refresh this dashboard that I have here, we can see that in fact this host, Windows 10-1, and this user, Marge Simpson, executed a bunch of weird enumeration commands, right? But here's the interesting thing: if we look at this Kerberoasting dashboard, we see that in fact Windows 10-1 and Marge Simpson started getting service tickets for all these service accounts, waiting one second between each authentication event, as you can see here. So that looks pretty interesting, right?

So now let's look at the results of the second playbook. In the second playbook, we're again doing some enumeration, but this time we use PowerShell instead of the command line, so we're going to look at that. And finally, PurpleSharp can execute a password spraying attack against random users using Kerberos, and then another password spraying attack against another host using NTLM, right? So if we look at our enumeration dashboard now, we see that this host, Windows 10-1, started executing a bunch of PowerShell commands that are used for enumeration, right?
And if we look at how it looks on the command line, we just see a bunch of PowerShell being executed, which is not helpful. But if you have PowerShell logs, we can see this, right? And finally, if you look at the password spraying dashboard that we have here, we can see, hopefully, that this guy password sprayed against 19 users, random users picked by PurpleSharp. This is with Kerberos; this is with NTLM, because PurpleSharp also supports NTLM. Here we can see another way of catching this technique, from the Simulator, how the Simulator attempted to authenticate with these 10 users. So yeah, you get the idea, right? Different attacks, different ways of detecting them.

Cool. All right, so now, real quick, we're going to move to the next demo in the next four minutes that we have here. In this one, guys, we're going to use lateral movement. Now, a cool thing is that we're going to execute these techniques on a remote host, and if the user that's logged in on this remote host has the privileges, we're going to be able to execute code remotely. So let's continue to this demo.

Okay, so now we have a different playbook, and now we're going to execute the service creation. Oh, before I jump there, let's look at the details. So now we're going to be using the four most common lateral movement techniques in Windows environments. We're going to use remote services to create a remote service, scheduled tasks to create a remote scheduled task, and we're going to use WMI and WinRM. PurpleSharp supports all four of them. Also, we're going to use some network service scanning, so scan some ports on some random hosts, and we're also going to do some network share enumeration. Why not? Okay, so let's jump to our operator computer.
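The Kerberoasting and password spraying dashboards in this first demo come down to a few Security log fields, and the same logic can be written as standalone detection code. The block below is an added example for this page, not PurpleSharp's code or the speaker's Splunk searches. It runs over constructed 4769, 4771 and 4625 records (the field names are this example's own flattening of the event data, and the account and host names are made up) and flags one account requesting RC4 service tickets for many distinct SPNs within a window, one client address failing Kerberos pre-authentication for many distinct users, and one workstation failing NTLM logons for many distinct users on a target host. Because the rules count distinct targets per window rather than request rate, the one-second sleep configured in the playbook does not change the result.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample events (not real logs); field names are this example's own
# flattening of Security EID 4769 (TGS request), 4771 (Kerberos pre-auth failure)
# and 4625 (logon failure) data. Times are ISO 8601.
SAMPLE_EVENTS: List[Dict] = [
    # Kerberoasting: one user pulls RC4 (0x17) service tickets for several service accounts,
    # one second apart, mirroring the 1-second sleep used in the first demo.
    {"eid": 4769, "time": "2021-08-06T11:00:00", "account": "msimpson", "service": "svc_sql", "etype": "0x17", "src": "10.0.0.21"},
    {"eid": 4769, "time": "2021-08-06T11:00:01", "account": "msimpson", "service": "svc_http", "etype": "0x17", "src": "10.0.0.21"},
    {"eid": 4769, "time": "2021-08-06T11:00:02", "account": "msimpson", "service": "svc_backup", "etype": "0x17", "src": "10.0.0.21"},
    {"eid": 4769, "time": "2021-08-06T11:00:03", "account": "msimpson", "service": "svc_ftp", "etype": "0x17", "src": "10.0.0.21"},
    # Benign: an AES (0x12) ticket for a file server's machine account, and one user with a single ticket.
    {"eid": 4769, "time": "2021-08-06T11:00:04", "account": "msimpson", "service": "FS01$", "etype": "0x12", "src": "10.0.0.21"},
    {"eid": 4769, "time": "2021-08-06T11:00:05", "account": "hsimpson", "service": "svc_sql", "etype": "0x17", "src": "10.0.0.22"},
    # Kerberos password spray: one client address, many users, pre-auth failed with a bad password (0x18).
    {"eid": 4771, "time": "2021-08-06T11:10:00", "account": "lsimpson", "status": "0x18", "src": "10.0.0.22"},
    {"eid": 4771, "time": "2021-08-06T11:10:02", "account": "bsimpson", "status": "0x18", "src": "10.0.0.22"},
    {"eid": 4771, "time": "2021-08-06T11:10:04", "account": "nflanders", "status": "0x18", "src": "10.0.0.22"},
    {"eid": 4771, "time": "2021-08-06T11:10:06", "account": "mburns", "status": "0x18", "src": "10.0.0.22"},
    {"eid": 4771, "time": "2021-08-06T11:10:08", "account": "wsmithers", "status": "0x18", "src": "10.0.0.22"},
    # NTLM spray against a single remote host: logged on the target as 4625 with bad credentials.
    {"eid": 4625, "time": "2021-08-06T11:20:00", "account": "lsimpson", "status": "0xC000006D", "auth": "NTLM", "src": "WIN10-2", "host": "WIN10-3"},
    {"eid": 4625, "time": "2021-08-06T11:20:01", "account": "bsimpson", "status": "0xC000006D", "auth": "NTLM", "src": "WIN10-2", "host": "WIN10-3"},
    {"eid": 4625, "time": "2021-08-06T11:20:02", "account": "nflanders", "status": "0xC000006D", "auth": "NTLM", "src": "WIN10-2", "host": "WIN10-3"},
    {"eid": 4625, "time": "2021-08-06T11:20:03", "account": "mburns", "status": "0xC000006D", "auth": "NTLM", "src": "WIN10-2", "host": "WIN10-3"},
    # Benign: a single mistyped password from another workstation.
    {"eid": 4625, "time": "2021-08-06T11:21:00", "account": "hsimpson", "status": "0xC000006D", "auth": "NTLM", "src": "WIN10-1", "host": "WIN10-3"},
]


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def distinct_in_window(items: Iterable[Tuple[datetime, str]], window_seconds: int) -> Set[str]:
    """Largest set of distinct values observed within any span of window_seconds."""
    ordered = sorted(items)
    best: Set[str] = set()
    for i, (start, _) in enumerate(ordered):
        current = {v for t, v in ordered[i:] if (t - start).total_seconds() <= window_seconds}
        if len(current) > len(best):
            best = current
    return best


def detect_kerberoasting(events: List[Dict], min_services: int = 3, window_seconds: int = 300) -> List[Dict]:
    """One account requesting RC4 service tickets for many distinct user-account SPNs."""
    per_account = defaultdict(list)
    for e in events:
        if e["eid"] != 4769 or e["etype"] != "0x17":
            continue
        if e["service"].endswith("$") or e["service"].lower() == "krbtgt":
            continue  # machine accounts and the TGT itself are not roastable targets
        per_account[e["account"]].append((ts(e["time"]), e["service"]))
    alerts = []
    for account, requests in per_account.items():
        services = distinct_in_window(requests, window_seconds)
        if len(services) >= min_services:
            alerts.append({"technique": "kerberoasting", "account": account, "services": sorted(services)})
    return alerts


def detect_password_spraying(events: List[Dict], min_accounts: int = 4, window_seconds: int = 300) -> List[Dict]:
    """One source failing authentication for many distinct accounts, over Kerberos or NTLM."""
    per_source = defaultdict(list)
    for e in events:
        if e["eid"] == 4771 and e["status"] == "0x18":
            per_source[("kerberos", e["src"])].append((ts(e["time"]), e["account"]))
        elif e["eid"] == 4625 and e["status"] == "0xC000006D" and e.get("auth") == "NTLM":
            per_source[("ntlm", e["src"])].append((ts(e["time"]), e["account"]))
    alerts = []
    for (protocol, source), attempts in per_source.items():
        accounts = distinct_in_window(attempts, window_seconds)
        if len(accounts) >= min_accounts:
            alerts.append({"technique": "password_spraying", "protocol": protocol,
                           "source": source, "accounts": sorted(accounts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS) + detect_password_spraying(SAMPLE_EVENTS):
        print(alert)
```

The two spray branches are what the talk's "Kerberos versus NTLM" variation is about: the Kerberos attempt is recorded on the domain controller as 4771 keyed by client address, while the NTLM attempt is recorded on the target host as 4625 keyed by the source workstation, so a detection that only reads one of the two misses the other variation.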
We have the playbook here. This playbook is going to execute on Windows 10-2; actually, both tasks on the first playbook are going to execute against Windows 10-2. The reason behind that is that on Windows 10-2 we have a user, Mr. Burns, and Mr. Burns is a local admin on all Windows 10 endpoints, which is what we need to be able to successfully move laterally, okay? So in this first technique we define, like I said, the Scout and the Simulator. First we're going to randomly scan hosts, so pick random hosts and scan them, why not, and then we're going to first create and start a remote scheduled task on Windows 10-3 (I think this is wrong here; Windows 10-3, as you can see here) using the command line, so using schtasks. And then we're going to create and start a remote service, also on Windows 10-3, this time using the API call CreateService, and this is the command that we're going to execute as part of the service. Actually, against Windows 10-4, sorry about that; the target is Windows 10-4, okay?

In the second playbook, we're going to execute commands remotely using WMI and WinRM, as you can see here. First, actually, we're going to use some network share enumeration, why not, against five random hosts. Then we're going to execute code remotely using WMI against five random hosts; here, as you can see, we define host target type 2, which picks random targets, and 5 for the total, so 5 random targets, and we're going to execute this command, why not. Then, using WinRM, we execute against five other random hosts. And finally, we're going to execute a variation of that same technique, PsExec or remote services, but this time we're going to go against Windows 2019-1, and there's a service here called PurpleSharp service, as you can see here on Ned Flanders. There's a service called PurpleSharp service.
And this PurpleSharp service has notepad as its path. What PurpleSharp is going to do is authenticate to that host and then change the configuration of that service, so that instead of notepad we execute PowerShell, and then move that service back to its original configuration, okay?

All right, so we execute demo 2, and let me just make sure that our hosts are up and running. Oh, I'm missing one, so give me one second. Okay, I'm back, and one thing that I forgot to mention is that the second playbook, the one that executes code on random hosts, I'm going to run against Windows 10-4. Why is that? Because on Windows 10-4 I have Mr. Smithers logged in, and Mr. Smithers is a domain admin, so he's going to be able to execute code remotely on any host, which is what we want, because we're going to pick random hosts. Okay, so let's execute this now, and let me just confirm that these guys are all up and running. Yeah, this guy needs to come back. Okay, so we execute it and we pass that service account password, and just like before, I'm going to stop the video so we don't have to wait for this to finish, and come back.

So PurpleSharp has finished, and let's quickly take a look at this. The first playbook we ran against Windows 10-2, right? So we're running under Mr. Burns right here, and we create a scheduled task on a remote host, and then we create a remote service against Windows 10-4. As we can see here, PurpleSharp generated a random service name and used Windows API calls to create, start, and delete that service. So let's take a look at how this looks in the logs. First, if we look at what Windows 10-2 did, we can see that it actually executed schtasks to create a remote task on this remote host, again under the context of Mr. Burns, right? And then we look at this dashboard that I have here, looking for object changes.
We can see that a scheduled task was created on Windows 10-3, right? A legit task, as we saw here, running rundll32. And finally we also see this service, with a random name that matches the name we saw in the logs, and mshta was executed on Windows 10-4, right? So this is how we catch this.

And if we move on to the last playbook, now we're going to execute code using WMI. Oh, first we do some network share enumeration; because of time, I'm not going to go over the results. We're just going to go over the lateral movement. So now we're going to be using WMI to execute code on five hosts remotely, and then WinRM to execute code on five other hosts remotely: in the first case msiexec and in the second case regsvr32. So if we look at the parent process relationship logs here, and if we refresh this, we're going to see the child processes of WmiPrvSE.exe, msiexec as you can see here, right? So this is how we catch this lateral movement technique. And finally, moving on with PowerShell: when you execute code using WinRM, we see a different command executing on this host that PurpleSharp executed remote code on via WinRM. And finally, for the last task of this playbook, we connected to Windows 2019-1 and then we identified the PurpleSharp service that was running using notepad.exe, so now PurpleSharp is going to change this configuration to run PowerShell, start that service, and then move it back. Of course, we confirm this because we did not get a service creation event, but if you look here, we did see services.exe spawning powershell.exe on Windows 2019-1. So this was successful, but we bypassed some detection, right?

So that concludes my demos, guys, and I think it's right on time, a little bit over, but good on time. If you like PurpleSharp, here's some documentation. If you like it, do give me a star on GitHub. If you have any feedback or want to help with the project?
Please, you're more than welcome. And by the way, for all these JSON playbooks, I'm creating a database, or more like a centralized repository, of playbooks, so you can look at this project to start getting some ideas on simulations. So that's it for me, guys. Thanks a lot, and have a great day.