(Red Team TTPs)
Ralph May
Black Hills Information Security
Steve Borosh
Black Hills Information Security
Futuresec training
Workshop Overview
- Enhance red team operators' knowledge of trending TTPs across several MITRE Techniques
- Cross fingers
- Create a custom C2 payload combining several TTPs for remote access to a network.
Lab Setup
- Ubuntu virtual machine.
- login user:toor
- Windows 10/11 with Visual Studio Community Edition installed.
"The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique."
TTPS
- Reconnaissance
- Execution
- Credential Access
example tactics
Example Techniques
- Active Scanning
- PowerShell
- LSASS Dumping
Example Procedures
- git clone <insert tool>
- cd <tool name>
- pip install -r requirements.txt
- hackstuff.py -target anything.ru
Phases of TTPs Covered
- Recon
- Social Engineering
- Cloud
- Initial Access
- Post Exploitation
Recon targets may include:
- Company Information
- Usernames
- Access portals
- Files
- Github repositories
- User information
- Passwords
- PII
- Social Media
- Networks
- By CIDR
- By domain/subdomain
recon targets
The art of reconnaissance includes mapping your target's attack surface within your approved scope.
Tools may include:
- nmap
- Browser
- Custom Tooling
- MANY Github repositories
- Shodan.io
- LinkedIn, Instagram, etc..
- Public breach data
recon
Microsoft Azure Recon
aadinternals
Invoke-AADIntReconAsOutsider -Domain company.com |ft
DNS Recon
- Many tools and mostly personal pereference
- Do it for each domain that's in-scope and attached to Azure Tenant
- Feed results to other tools for further enumeration
- Certificate Transparency Searching cert.sh may reveal internal hostnames
LinkedIn email generation
{first}.{lAST}@company.com
redhot ttp
Microsoft Teams User Enumeration
- Accurate
- Stealthy
- In many cases you may still enumerate users if blocked from sending messages
"Social engineering has become about 75% of an average hacker's toolkit, and for the most successful hackers, it reaches 90% or more." - John McAfee
- Still true if not more so
- Part of our daily lives
- Influence others
- "Would you grab me a cup of coffee while you're in Starbucks?"
- "Hi Jan, I'm Joe from IT and your PC requires an update that we cannot deploy from here. We need you to run this quick patch for your pc. Can you help us real quick after your meeting?"
social engineering
- Face-to-face conversation
- Phishing
- Vishing
- Smishing
- *ishing. (any way to communicate)
TYPES OF SE
- SMTP Smart Host "company-com.mail.protection.outlook.com"
- Send-MailMessage -SMTPServer <insert>
- Default
- May bypass some gateways
- Spoof External to Internal and Internal to Internal
Office 365 spoofing
- Business-to-Business allowed by default
- Links are less scrutinized than email
- Can send SharePoint files/links
- Can use AADInternals, Manual, or TeamsPhisher
TEAMS PHISHING
REVERSE RDP PHISH
Mike Felch @ustayready
- Send .rdp file
- User connects back to your server
- Capture clipboard, plant files, and steal files
SMISHING
- Cred captures
- Fingerprint devices
- TokenTactics
- Bypass normal Phishing Controls
evilginx3
- Gold standard for reverse proxy phishing
- Capture username,password, and session cookie
redhot ttp
AI VISHING
- Using AI to impersonate and fool another person into performing some action.
- Real-Time Voice
- Text to Voice
John Strand
CLOUD
Targets
- Azure Passwords
- Azure Databases
- S3 Buckets
- Virtual Machines
- Kubernetes
- Ever growing list
Azure SQL
- Azure allows other tenants to connect if allowed
- Find credentials in code repositories, Shares, or SharePoint
- Common usernames such as sa are not allowed. sqladmin is however allowed.
Azure SQL
Finding
Connection strings
Connect
redhot ttp
AWS SNS Topics
- Amazon Simple Notification Service (SNS)
- Example: SNS topic emails the security team
- Find Vulnerability
- Send spoofed phishing email to the securiy team
- Use aws cli to send message to topic
- Check SNS policy with cli for "allow *" principal
Initial Access
Key Questions
- What are your goals?
- Obtain credentials
- Obtain sensitive data
- Obtain a shell
- Obtain administrator tears
Goals dictate your payload.
Custom (JWT,Browser Secrets,access keys, files) stealer anyone?
ClickOnce
initial access
- May self-sign
- Sign with a "Leaked Certificate"
- May backdoor an already signed application
- SpecterOps
- https://specterops.io/blog/2023/06/07/less-smartscreen-more-caffeine-abusing-clickonce-for-trusted-code-execution/
- SpecterOps
- Host on azurewebsites.net
reverse ssh tunnels
- May not be allowed out over standard SSH
- Try other ports
- Just works better than C2 SOCKS
redhot ttp
MSIX
Leaked Signature + App Domain INjection
- Find Leaked CertificatesCavaet to C# app domain injection:
- https://tij.me/blog/finding-and-utilising-leaked-code-signing-certificates/
- It works ;)
- You cannot install an MSIX package if it is not signed
- Cannot execute-assembly/sharpinline in the same agent due to the app domain.
MSIX Packaging TOol
MSIX Select task
msix create package
post exploitation
- What do you do after initial access?
- Install persistence
- Enumerate the host
- Enumerate the internal network
- Elevate privileges
- Move laterally
Active Directory Certificate Services
- Most cases, user to DA
- Multiple abuse paths
- Easy win
- Certipy - https://github.com/ly4k/Certipy
Tool proxying
Why run on host/disk when you can tunnel your traffic and enhance your EDR evasion potential?
- C2/SSH SOCKS Proxy
- ProxyCap
- Proxifier
redhot ttp
SCCM/MECM Abuse
post explOItation
@vendetce
SCCM Abuse Tool list
- SharpSCCM
- SCCMHunter
- PXEThief
- SeatBelt
LAB
