Introduce the Red Team community to the means by which instructors of U.S. Air Force Undergraduate Cyber Warfare Training teach, engage, and evaluate students in the context of offensive cyber operations fundamentals.
Ever wondered how another group might put together a threat simulation campaign? This talk details the planning, development, and execution of a campaign from start to finish. We will bridge the gap between those TTPs that have been used by an adversary to those that could be used to simulate a similar threat.
Microsoft Defender for Endpoint (MDE), previously ATP, has been a thorn in the side of most operators since its deployment. While Microsoft hasn’t published any details about the inner workings of MDE publicly, it is commonly known that new kernel sensors were added to Windows to collect new types of security-related telemetry. With more vendors being granted access to this telemetry, it is now more important than ever to understand how these sensors work, what they help detect, and opportunities to evade them. In this talk, we’ll dive into the how, what, and why behind the EtwTi* sensors to gain a deeper understanding of one of Microsoft’s strongest sources of defensive telemetry.
Command and Control (C2) frameworks are a dime a dozen these days, and all C2 frameworks provide the same basic functionality – send command, get output. So, why are there so many? What might cause somebody to look at all of the current C2 frameworks and decide to build another? Part of this is likely due to the inability to separate out the agent from the rest of the C2 framework, and part of this is likely due to the restrictive design of many C2 frameworks overall. This talk looks into common C2 constructions, the rise in C2 frameworks, and how to get more out of your frameworks.
How the UnitedHealth Group Red Team managed to provide a broader view of risk + trend analysis across 33 targets in one year.
Keeping tools up to date is sometimes tough. Everything is easier with automation, so this is a tooling discussion of one way to use Terraform and Ansible to automatically build your favorite tools in the cloud. Code will be released so you can take this starter framework and use it yourself. While what will be presented will work on AWS, it can easily be converted to use GCP, Azure, VMware, or whatever your favorite platform is.
Lateral movement often requires some sort of file transfer (push or pull) to your target host to establish execution. Normally when these files are transferred over SMB the full file paths, names, and contents of the transferred files are left as IoCs in the network traffic and can be inspected at firewalls, NIDS, Zeek hosts, etc. Hunt and response teams often use this to find and track attackers in a network. Our team identified multiple methods which can be leveraged through your C2 or with a proxy to force SMBv3 connections and ensure that connections over SMB are encrypted and these IoCs are hidden from defenders.
This talk will dive into the internals of the Sliver C2 platform. Sliver is an open-source, cross-platform adversary emulation/red team framework; it can be used by organizations of all sizes to perform security testing. Sliver’s implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. https://github.com/BishopFox/sliver
Scythe, Vectr, SnapAttack, etc. The number of commercial Purple Teaming “tools” is ever increasing. While a mature Purple Team could benefit from some of those tools, a vast majority of organizations are still trying to understand how and if a purple team will add value. This talk isn’t about lolbins, or living off the land in a traditional sense. This talk will go over Purple Teaming on a budget, how to leverage existing enterprise tools, and how to “sell” purple teaming to your stakeholders and partners.
The Plan, Brief, Execute, Debrief (PBED) methodology has been used by Special Forces (SOF) and fighter pilot communities for decades to increase lethality and mission effectiveness. PBED is also being implemented at USCYBERCOM and mission partners to combat terrorism and counter hostile cyber actors. This session covers how PBED can be implemented in a Red Team environment to meet assessment objectives and greatly increase team effectiveness. For new Red Teams, PBED will accelerate the learning curve. If you are a RT veteran, please come share your war stories.
In the age of EDR products, Red Teamers need to be able to customize everything on the fly – stock Command and Control (C2) frameworks and agents quickly become insufficient. Why stop at simple obfuscation or name changes for customization though? Red Teamers can leverage operational data to track artifacts created on target, create callback hierarchies, and even map operations to MITRE ATT&CK. In this workshop, we’ll present two C2 frameworks designed with customization and collaboration in mind – Apfell and Covenant.
Students will navigate a series of labs to illustrate the advantages and use cases for Apfell and Covenant over other frameworks while in a simulated Active Directory enterprise environment. They should expect to be able to install, customize, and leverage these frameworks within operational environments when they get back to the office.
This session is intended for newer teams looking to understand what goes into planning a full-scope threat simulation. The session will cover development of potential threat scenarios to simulate, how to get a scenario approved, some steps to take after the execution of a threat scenario, and lay out some options for getting the most value out of threat simulations. Attendees will have the opportunity to develop their own scenario plan and pitch it to an ‘executive panel’ to allow attendees to apply what they have learned in a meaningful way.
This class is intended for beginner/intermediate payload developers, like the instructor; no Computer Science degree is required. Filled with only a couple of Sea Stories, this training will describe the methods teams could utilize to develop custom malware payloads for Windows. It begins with recommended research materials and the very basics, covering topics such as code execution techniques, downloaders, and self-executable file types, and progresses through to the development of “combat coder” skills. Trainees should gain a sufficient level of comfort with PowerShell, VB, JavaScript and C# to customize payloads enough to bypass most AV/EDR inspection. The training will focus on customizing current open source/publicly available payloads that can be relatively easily modified and used during Red Team operations. In addition, this class will include an “Added Features” section, providing suggestions on how to make your payloads more realistic and/or functional, such as adding user feedback, or adding troubleshooting features that will help provide feedback to the operators on the payload’s success/failure.
Using various encryption techniques that pull the decryption key from the target workstation, or from some other resource, is a technique that can be referred to as “keying”. Last October, I released a few tools to help make this process a little easier for red team operators who are looking to encrypt their payloads in an effort to make them harder to analyze by the blue team, security products, or sandboxes.
The goal of this workshop is to first take a step back and understand the problem keying attempts to solve. Then we’ll use both keyring and keyserver to apply various keying techniques to encrypt our payloads. Finally, we’ll be putting our blue team hats on and reviewing the encrypted payloads to see how it may impact analysis or what we must change to improve.
By the end of the training you will understand how keying works and how to wield keyring and keyserver to fit your needs. We will also open up a discussion at the end of the training on how you may use it in your environments or if you feel there are other ways to achieve the same result without keying.
WMI has been publicized for its offensive use cases. Attackers, and now red teams, are discovering how powerful WMI can be when used beyond its original intent. Even with the recent surge in WMI use, not everyone knows how to interact with it. This workshop intends to showcase how you can leverage WMI on assessments to do nearly anything you would want to do in a post-exploitation scenario. Want to read files, perform a directory listing, detect active user accounts, run commands (and receive their output), download/upload files, and do all of the above (plus more) remotely?
Student Requirements: A Windows 10 workstation (or virtual machine) where students have administrative rights
A modern, ‘sophisticated’ Red Team simulation requires careful attention given to infrastructure design and preparation. Carelessness can cause an operation to be blown through premature detection and attribution before it has even begun. Just as pilots and doctors have learned when handling complex systems, a standardized checklist and pre-operational procedures can help reduce errors and help ensure operational success. This talk will highlight methods our team has developed to minimize mistakes and reduce operational security risk when launching an operation. Additionally, since hackers make great targets for fourth-party collection, we will discuss our strategies to help secure our infrastructure and keep our blue team happy.
Running a red team is rife with challenges, ranging from struggling to meet management expectations to dealing with suddenly broken ops infrastructure. Fortunately, the challenges any given team encounters are typically shared by others. Over the course of our careers, we’ve had the opportunity to see a wide array of issues red teams face, whether it’s pain we’ve personally felt in building our team, attempts we’ve made in helping organizations build their red teams, or just listening to the stories of teams we’ve met, along with many varied attempts at addressing those issues. This talk will cover an editorialized list of the top common challenges we’ve seen red teams face and some tactics they’ve used to overcome them. Tales of pain and tales of success within. Maybe some funny anecdotes too.
Both new and mature red teams benefit from having a realistic, robust lab environment. Whether training new operators or developing new tradecraft for an upcoming engagement, a team relies on its lab environment to be an accurate representation of the environment(s) the red team will be exposed to. To accomplish this there are several considerations a team needs to make before building or acquiring a lab of their own. In this talk we’ll discuss these considerations and their impacts, as well as the choices we’ve made while building environments for our customers.
Back for another year, this BoF provides a forum for red team leads to discuss relevant issues.
Our Red Team achieved an operational cadence of over 100 per year. We present our approach and lessons learned.
There is no learning like watching someone do exactly what you are trying to do. In this talk, I will lay bare my personal red team methodology from start to finish, including tools, resources, and workflow for all phases of a modern red team engagement. Perfect for beginners and seasoned red teamers alike, there is always something to learn by watching another struggle with and (usually) overcome the same pain that you are dealing with. New tools will be dropped, stories shared, friends made.
Windows 10 and Server 2016 immediately provide defensive technologies that can be used to secure the endpoints within your domain. Both operating systems allow administrators granular control over how to best administer and defend their network, and in the opinion of the speakers, one of the best new defensive technologies provided by these operating systems is Windows Defender Application Control.
WDAC is Microsoft’s latest defensive addition that allows administrators to defend their domain against malware. WDAC enables administrators to customize how and if applications are allowed to run on endpoints within their domain. This can be based on File Name, Hash, PCACertificate, or more. We will talk about WDAC, how it is used, demo deploying Device Guard, and create a couple of sample deployment configurations. We want attendees to be able to walk away from this part of our talk with an idea of how they can immediately improve their defenses.
This talk also wouldn’t be complete without looking at these same technologies from an attacker’s perspective! We’ve been analyzing WDAC configurations and how we expect them to be deployed in the field, and have worked to develop a tool that can help attackers not only in today’s Windows 7 environments, but also in future Server 2016 and Windows 10 domains. Developing a multifaceted tool in PowerShell was critical because we wanted maximum functionality, flexibility, and impact.
We will use this BoF to discuss what a red team audit might look like, lay out some reasons to create a best practice guide (especially in regulated industries), gauge interest in working on such a project, identify useful sources of data already out there, and establish a potential working group.
When catching up on the latest research, it is easy to assign a technique to a single bucket (lateral movement, persistence, etc.) and move on. A great potential exists when you can recognize how a combination of techniques and tools can be leveraged together for a different purpose. This talk references a number of different research articles and blog posts, and details how they were brought together to create a phishing payload that produces zero warnings and requires only two minimally suspicious clicks.
Office documents have been an attack vector for a long time, but unfortunately they are still a requirement for most businesses. During this talk, we’re going to look at some practical ways to hide data, and demonstrate data hiding in Word and Excel documents that could be used for payload smuggling or even data exfiltration. We’ll look at how to generate malicious documents, tricks for making them harder to analyze, and how to customize them so that they will be less likely to be detected. We’ll also look at some of the ways to detect these techniques, and talk about other areas that might be fun to explore in the future.
Internal red teams deal with an environment that is both constantly changing and seemingly not changing at all. As red teams, it is our responsibility to provide an attacker’s perspective of the network. Traditionally this happens in the form of point-in-time assessments that may span anywhere from a few days to several months and focus on an objective. This talk proposes an additional service for your red team to provide – a continuously monitored attacker’s perspective of the attack surface. This can be used to enable more timely attack simulations and enable the team to proactively detect flaws in the environment. This talk explores some types of data that can be collected continuously and the value that it can provide to a red team. It will also introduce tooling to automate network scanning for continuous data.
As both an analyst and a manager at a number of defense and security organizations, Mark has directed wargames, conferences, studies, and assessments covering a range of defense and security topics. For nearly a decade, he taught graduate courses for the Department of Engineering Management and Systems Engineering at The George Washington University. Since founding the Web site Red Team Journal (https://redteamjournal.com/) in 1997, he’s been a thought leader in the red teaming community, where he helped pioneer the application of systems engineering principles, techniques, and tools to the practice of red teaming. He’s currently president of Reciprocal Strategies, LLC (https://reciprocalstrategies.com).
Brady Donovan is an automation engineer who works mostly around the SCCM platform for Windows. He has worked with various companies around the Twin Cities helping them convert to Windows 10, as well as managing their Windows endpoints. Brady is particularly interested in identifying how configuration management platforms and other common administrator tools can be used maliciously. He recently started a B.S. in Cybersecurity & Information Assurance from Western Governors University and will be starting his OSCP journey in November.
Nick Flores is a dedicated network security professional with over 19 years of experience supporting both government and commercial enterprise clients. He has co-authored tactics, techniques, and procedures (TTPs) used by the U.S. Air Force in defending national security systems. As a senior technical lead with the U.S. Air Force’s 92d Information Warfare Aggressor Squadron, he supervised the assessment and vulnerability testing of U.S. Air Force network assets. Additionally, as a cadre instructor for the Air Force’s Red Team Operators Course (RTOC), he instructed military and civilian personnel in all aspects of Information Operations defense and assessment, including network security, physical security, social engineering, and more. Mr. Flores was also a lead scenario developer for the Air Force’s first global cybersecurity exercise, named Black Demon.
As a former adjunct professor, Mr. Flores taught undergraduate courses in Information Assurance and Computer Networking at Our Lady of the Lake University. He holds a Master of Science degree in Information Systems Security as well as a Bachelor of Science degree in Electronic Commerce. Mr. Flores is currently a managing director for Mandiant, a FireEye company. He is responsible for the consulting practice service delivery across the central United States.
Matt is a Red Team lead and Principal Security Consultant at Rapid7. Matt has been operating on Red Teams since late-2013, working primarily with federal, manufacturing, and financial clients around the world. Matt is a contributor to Empire/Empyre and his areas of research include threat emulation and Linux exploit development.
Kirk is a Red Team Lead and Senior Security Consultant for Rapid7. Kirk has performed research around Citrix escaping, discovered zero-days in popular web applications, and can be found testing in his lab or playing with his kids. Kirk has written and contributed to a number of security tools, including backHack, myBFF, spotter, Metasploit, and others.
Amin is a cyber security professional who works as a penetration tester for Ernst & Young. He has been performing penetration tests for a year. He has experience penetration testing external (Internet) and internal (intranet) environments, and cloud services.
Brent is currently a senior manager on the Capital One Red Team where he leads full-scope operations targeted towards threats affecting the financial industry. Formerly, he led the penetration testing and assessment group at the CERT division of the Software Engineering Institute at Carnegie Mellon University where he worked with the Department of Homeland Security’s Risk and Vulnerability Assessment (RVA) program to provide penetration testing services to federal, state and local government entities.
Alexander is a Senior Security Consultant and Red Team Lead at NetSPI, with a specialization in Network Penetration Testing and Threat Emulation. He currently holds Offensive Security OSCP, CREST CRPT, CREST CPSA, and Access Data ACE certifications. Alexander also holds a degree in Information Security and Forensics from the Rochester Institute of Technology where he graduated Summa Cum Laude.
David specializes in building enterprise adversary-focused assessment teams, which have performed thousands of engagements for large private-sector organizations and major government agencies. David has extensive experience in conducting highly specialized, large-scale adversarial operations against a variety of targets. In addition, he has built several training courses focused on red team operations methodologies. In his previous life, David was a senior technical lead for the National Security Agency Red Team, providing mission direction through numerous large-scale operations.
Tim (@malcomvetter) has two decades of experience building and breaking systems: red teaming the world’s largest commercial organization, consulting with Fortune 500s, hacking everything from mobile apps to fuel pumps, leading e-commerce dev teams, and deploying enterprise security solutions. Tim has several degrees, certifications, held a PhD research fellowship, has presented at many security and developer conferences, and contributes to open source software projects.
Sean Pierce is a Red Team Lead for Target currently specializing in Threat Emulation and Reverse Engineering (mostly malware). In the past Sean has also done work in incident response, botnet tracking, security research, automation, and quality control. Prior to working at Target, Sean worked at iSIGHT Partners (acquired by FireEye), and before that he was an academic researcher and part-time lecturer at the University of Texas at Arlington where he earned a Bachelor’s of Computer Engineering with a minor in Math.
Jamison is the co-founder (in 2008) and current senior manager for the Bank of America (BAC) internal Red Team, a position he has held for 5 years. He has founded 3 separate teams at Bank of America: the Red Team, a Vendor Assessment team, and a Hunt Team. He was also a team lead for nearly 3 years on the BAC Red Team. Prior to joining Bank of America in 2008, he was in the US Air Force as a communications officer for more than 6 years where he briefed generals on information security threats after 9/11, led an incident response team, performed configuration management for a major aviation platform, led a base networking team, led a base honor guard, served as an executive officer for a USAF Colonel, and attended graduate school. Jamison is a 2001 graduate of the US Air Force Academy.
Justin Warner (@sixdub) is a Principal Security Engineer at ICEBRG, where he conducts threat research and develops network threat detection capabilities. Justin is an Air Force Academy graduate, former USAF Cyber Operations officer and former red team lead where he focused on adversary emulation operations against several Fortune 100 companies as well as federal, state, and local government organizations. Justin has a passion for threat research, reverse engineering, and diving into mountains of data to keep his analytics skills sharp. In his “free time”, he can be found with his wife and daughter keeping busy in the Northern VA area.
Rob Webb is a professional working for Ernst & Young’s attack and pentest team. Rob currently specializes in internal Active Directory assessments. Robert successfully passed the OSCP in January and is preparing for the OSCE.
Demonstration on how to split a detectable malicious file to isolate/edit the offending code.
Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process – gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then — and only then — we can look back and see the path we took in its entirety. But that may not be the only, nor the shortest, path we could have taken. By combining our concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains. Bob is an admin on Steve’s system, and Steve is an admin on Mary’s system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary’s system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data. The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. All possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.
KeePass is one of the most commonly used password managers in modern enterprises, with the KeePass databases of particular administrators at times protecting the literal “keys to the kingdom”. Password managers (while a great protection) sometimes give administrators a false sense of security. This talk will cover a number of ways to “attack” an administrator’s KeePass database operationally. We will detail our open-source project KeeThief, which allows for the decryption of KeePass key material from unlocked databases without relying upon a keylogger and is indifferent to KeePass’ “secure desktop” protection. For unlocked databases, we will show methods for triggering KeeThief at the perfect time, extracting everything you need to decrypt a database and pilfer credentials off-system. We’ll also cover a way to exfiltrate all database contents without any malware or code injection, and will conclude with demos that show how to pilfer KeePass databases with all current protections enabled.
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally, we’ll show how PowerShell automation can be used to execute the SQL Server attacks at scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
Combining the OLEOutlook bypass (Kevin Beaumont) with WinRAR SFX capabilities to create realistic payloads that bypass enterprise security stacks (including FireEye), adding persistence, realism and user feedback. The combination of these methods creates a quick and flexible payload delivery mechanism that currently bypasses most security stacks.