purple view

Purple ViewThe recent trend of using Attack and Defense

Together

Not OUR idea - backed by many@raffertylaura | @haydnjohnson

Quick who are weHaydn Johnson

@haydnjohnson

OSCP

Offensive/Attack Interest

Enjoys presenting

Laura

@raffertylaura

MSc Computer Science (Security/Privacy)

Interested in both sides of security

Loooooves presenting

@raffertylaura | @haydnjohnson

Contents1. Basic Term Definition2. Introduction to Red, Blue and Purple3. Run through of an Attack

○ Gaining Access○ Lateral Movement○ Domain Admin○ Maintaining Access○ Data Exfiltration

4. For each attack:○ Attacking View○ Defenders View○ Possible Purple Team exercises


DefinitionsExploit - The thing used to gain unauthorized access to a system

Payload - What is done after the access is gained (shell, command)

Metasploit - An open source exploit framework, modular

Meterpreter - an advanced, extensible payload that uses in-memory DLL injection

Shell - Gaining Terminal/CMD access remotely

https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/http://www.metasploit.com/

Red Team - Penetration | Offensive● Scans● Exploits● Logic abuse● Access to things they shouldn’t


Blue Team - Block, Prevent, Detect | Defensive● Logs● Emails● Events● Triggers● Networking● More Logs


Red Team - Goals● Model recent threats and trends● Longer term● Highlight Gaps in Security Controls, detection etc● Escape and Evade for Persistence


Blue Team - Goals

● Detect Attack● Respond and Recover● Produce Actionable Intelligence● Identify Gaps and investment needs


Purple Team - Offensive & DefensiveWorking together to achieve the ultimate goal of making the organization more secure

● Exposes blue team to different threats & attacker mindset ● Test incident detection and response● Allows red team to sharpen skills● Policy and procedures tested● Tuning of controls


Purple Team - Offensive & DefensiveDifferent types of Purple Teaming

● Read Team Sitting with Network Defense team● Adversary Simulation● Traffic Generation● cobaltstrike.com● Wargaming

Requires total picture involving all areas of the organization


Purple Team - The difference● Using Security Posture and Weaknesses to find what is most valuable● Goal Oriented● Review attack● Test how teams use services and how they are managed


Purple Team - The difference● Time to Domain Admin● Time to Data/Objective● Time to Respond● Time to Recover● Identify where there needs to be more investment● Measure Impact

Done right, the blue team should come out with better monitoring and response plans.


Purple Team - The difference● Set up a fake scenario - Assume Breach● How will the attacker gain access?● Why have they attacked, what do they want?● How did they move through the network?● If they exfiltrated data, how?

Do not turn off servers, block IP addresses, make it realistic


Purple Team - Exercise“In the beginning, it’s easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary.”

- Raphael Mudge

http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/


Purple Team - DEMO (step by step)Our exercise


Purple Team - Demo Architecture


Domain: corp.test.com

Tools UsedRed Team:

● Kali Linux● Metasploit● Meterpreter● PowerSploit● Twittor

Blue Team:

● Wireshark● Windows Event Logs


Setting up Windows GP


Gaining AccessHacking Team Flash Exploit


Flash Exploits


● Flash plugins are vulnerable ○ You can embed a javascript/binary within a Flash file○ ActionScript to define events to redirect to landing page

● Most exploit kit landing pages redirect to pages containing Flash exploits○ Angler○ Nuclear○ Fiesta

● Installed by default on browser● New vulnerabilities are identified on almost a weekly basis

Gaining Access


Flash 18.0.0.194

A: Flash Exploit from SecurityFocus

Hacking Team Flash Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/75568.rb

http://downloads.securityfocus.com/vulnerabilities/exploits/75568.rb

A: Start Flash Exploit from Kali


Client1 User navigates to malicious site which redirects to the exploit

A: Redirect Victim


A: Client1 is exploited


A: A session is now established with Client1We can now run Meterpreter


B: Wireshark: Landing Page and Redirect


B: Wireshark: Shell


B: What can you take awaySecurity Onion, implement it, free

Has snort rules for Flash exploits (need to install)

Confirm if flash is needed for business reasons

Keep flash updated

2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules) 2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules)


https://www.security-database.com/detail.php?alert=CVE-2015-5119https://security-onion-solutions.github.io/security-onion/

Purple Team - Exercise● Blue team understands how attackers can gain initial access● Flash exploits - ongoing issue ● Helps blue team to identify suspicious traffic and what is happening from the

attacker perspective● Red team sees how attacks are visible by blue team and think of ways to

make it more stealthy


Privilege EscalationNot Shown


Privilege Escalation● We are skipping privilege escalation from Domain User to Local Admin


Lateral MovementPowerSploit


A: PowerSploitAvailable on Github

Open Source

https://github.com/mattifestation/PowerSploit@raffertylaura | @haydnjohnson

A: PowerSploit

More than 1 script!

PowerShell Modules


PowerViewPart of PowerShell Empire

Very advanced

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView @raffertylaura | @haydnjohnson

A: Lateral MovementThe same local Administrator account passwords on multiple computers.

by Sean Metcalf

https://adsecurity.org/?p=1684@raffertylaura | @haydnjohnson

Same Passwords for All Local Admins

A: Lateral Movement


A: Lateral MovementPowersploit

Remote Powershell

Using Invoke--Shellcode.ps1


A: Base64 Encoding PayloadRemove issues with whitespace

The Hacker Playbook 1 (now 2)

@raffertylaura | @haydnjohnsonhttp://thehackerplaybook.com/dashboard/

A: Hosting Powersploit Invoke--Shellcode.ps1PowerSploit code hosted on local Kali machine


A: Invoke-WmiMethodUse powershell to connect remotely, create a new process and launch the IEX cradle.

Calls Windows Management Instrumentation (WMI) methods.

The Win32_Process WMI class allows creation of a process.


A: Execute Remote commandExecute command from Client1 to tell Client2 to download and execute shellcode


A: Client1 gives same passwordSame password across multiple clients


A: Receive Shell


B: WireShark trafficTCP Hand Shake

Bind Requests


B: Client1 requests remote instance on Client2


B: Client2 eventually asks where is Kali


B: Client2 downloads Invoke--Shellcode.ps1


B: Client1 logs into Client2


B: PowerShell Process Created


B: PowerShell connects to KaliClient2 reaches out to Kali on port 80


B: What can you take awayEvent Correlation - based on event ID, source and destination for remote connections

Implement alerting based on Security Events together

SIEM can/SHOULD do this

Use Log MD - really great logging tool, especially for powershell


http://brakeingsecurity.com/2015-042-log_md-more-malware-archaeology-and-sifting-through-the-junk

http://malwarearchaeology.squarespace.com/log-md/

Purple Team - Benefits● Identify ways to move around the network● Identify and confirm Defensive Controls in Place● Identify what worked, what did not● Implement changes● Justification for resources


Privilege EscalationLocal Admin to Domain Admin


A: Local Admin to Domain Admin


● Why escalate privileges from Local Admin to Domain Admin?● Domain admin - control over active directory!● Access IT resources● Create accounts● Propagate malware

A: Local Admin to Domain Admin


A: Local Admin to Domain AdminFrom Client1, map the admin$ share on Client2 and copy over sekurlsa.dll


A: Local Admin to Domain AdminUse psexec to run mimikatz.exe on Client2


A: Local Admin to Domain AdminUse sekurlsa::logonpasswords to dump the Domain Admin logon credentials from Client2!


B: Wireshark:


B: Event LogsClient1 logs into Client2 local admin

B: Event LogsClient1 runs mimikatz

on Client2


B: Event Logs

Sensitive privilege use from Client1

to Client2

B: What can you take away

● Prevention:○ Access control for shared drive○ Limit access to psexec and monitor use○ Active Directory best practices

● Detection:○ IDS signatures ○ SIEM use case - Event correlation between system logs and network proxy logs○ For lateral movement: enable file level auditing○ Canary accounts

Purple Team - Benefits● Blue team observes vulnerabilities/threats which may not have been

considered○ Learns how attacker could escalate privileges from local admin to domain admin

● Red team observes the footprint left behind from this attack and possibly how to minimize it

○ Can identify potential weaknesses in blue team monitoring/response processes○ Provide more thorough recommendations


TwittorBackdoor using Twitter


A: Twittor● Easy to install● Easy to Use● Easy to add

Shellcode

https://github.com/PaulSec/twittor @raffertylaura | @haydnjohnson

A: Twittor - insidesSimple Subprocess execution

Stored as base64 encoded message

A: PyinstallerOn Github

Turn Python file into EXE

@raffertylaura | @haydnjohnsonhttps://github.com/pyinstaller/pyinstaller

A: Pyinstaller Python File becomes Executable



Twittor: Backdoor Using Twitter

A: Twittor Python file used as C2 Server Python file used as backdoor

EXE - Pyinstaller


A: Twittor - Retrieving commandSend Command to execute

Retrieve command


B: Twittor - Network TrafficReaching out to API

Normal User Traffic??


B: Twittor - Client systemBackdoor as Python Executable compiled with --no-console flag to hide output


B: Traffic from ClientReaches out to twitter

Src and Destination are internal IPs, sends to API


B: What can you take awayCheck if there are any remote connections after hours, is it against policy?

Again, Correlate logs with known C2 addresses

See if AV picks it up


Purple Team - BenefitsTest if a C2 can reach out to twitter.

Social Media may be blocked via the browser, but some sites can still be accessed via API etc.

If it is not blocked, why not, can your blue team help to stop this and others.


Data ExfiltrationClear Text FTP



A: Data Exfiltration Through Clear Text FTP

A: FTP ExtractionFinding Data to extract


A: Finding dataImportant data identified


A: Downloading data


A: Data Transferred


B: Meterpreter connection DLL injection

Lots of chatter


B: FTP connection Clear Text


B: Successful Transfer


B: What can you take away?


Disable FTP - should not have a business need for it really

If there is a business need whitelist those IP addresses | Create a group of users specifically for FTP

Purple Team - ExerciseClear Text

Will any alarms trigger?

Understand potential holes in alerting

Measure time to detect and respond


ConclusionPurple Teaming is Good


Purple Team - ReiterationProvides more value than a Penetration Test

Should be implemented into a regular schedule

Helps train security personnel

Helps make sure your boxes are tuned


Limitations and Future Work● So far we have limited detection tools to Windows Server event logs and

Wireshark, (and a bit of Snort)● Could be extended for enterprise security tools such as SIEM/IDS● Powershell/WMI for blue team● More advanced attacks, persistence using Powershell Empire


Obligatory Cute Kat Picture

References are in following slides


Microsoft - 8 minute Videohttps://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/


https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/

https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/

Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013

http://www.slideshare.net/beltface/hybrid-talk@raffertylaura | @haydnjohnson

A: Downloads PowerShell fileClient2 reaches out to Kali machine


purple view

Technology