[INTERACTIVE BLOG]
Did you like Choose Your Own Adventure books as a kid?
Are you fascinated by Red Team adversary tradecraft?
Would you like stories inspired from the best defenders?
Then come Choose Your Own Red Team Adventure!
Unpopular opinion: exploit development should not be part of penetration testing (and definitely not "red team") training courses.
It should be its own standalone course, since it's a separate discipline.
For the newcomers out there...
I’ve been doing InfoSec stuff for ~20 years now, & every 3-5 years I discover a better understanding of the subject. Just when I think I’ve got it figured out, I get a little closer still.
This is for your edification to stick with it 1/
Red Team != pentest++
Not all penetration testers will be happy doing red teaming. If you like solving puzzles, you may not like planning an "op." Red Teaming isn't necessarily "better." It's "different." It's not necessarily more technical, either.
A #redteam wanting to keep vulns/tricks to themselves (i.e. not disclosing to #blueteam) for repeated future success is like a 12 year old kid wanting to replay the same video game on novice level instead of moving up to master/expert level.
Enjoy the challenge, share the tricks
If you are looking at getting into #RedTeam by 2020, you better know how to code— not just piecing together scripts, but actually structuring code like a real developer avoiding code smells.
Commodity attacks are drying up.
PSA: if you have “1337” in your handle, you’re going to come across as an amateur.
Same goes for newish handles (last few years) with “0x{string}”.
Be original.
Wouldn’t hurt you to grow up a bit, too. #RedTeam
Pro Tip: make sure all of your tools, terminals, output, and screenshots include full timestamps with month, day, and year.
You never know how much later you may need to dig that up and know exactly _when_ something happened.
This week's offensive C# templates:
- A windows service that cannot be stopped in the service manager:
- Code execution across named pipes
Both are easier than you might think.
I’ve given @DuckDuckGo an entire month across all of my and my family’s devices. It’s come a long way since I first heard of them ~10 years ago & I don’t miss Google.
Looks like this change will be permanent.
Imagine how much better Blue Teams would be if Red Teams realized they weren’t Conor McGregor, they’re his sparring/training partner that virtually nobody knows.
If RED thinks they’re the ones showing up at the fight, they have got the date, venue, and match WRONG.
After 5 years of building the Red Team program @WalmartTech, I am moving on. Learned a ton & worked with some of the best there are.
We latched onto Mr. Sam's 10 rules for business, specifically #10: Swim Upstream. Seemed fitting for us!
$ dig txt
[New Blog]
How to start an internal/corp #RedTeam program in 7 Steps.
I get this question a lot, so here's a nicely compiled answer for you that could save you time and keep you busy for a few years. Let me know if this helps you out!
One of my fav parts of my red team is that we rotate campaign leaders every time. Everybody will run a campaign at some point. Everybody gets to feel the pressure of coordinating all the moving pieces. You're not expected to know everything, but you are expected to lead.
~Half year later ...
Not only do I NOT hate the word "cyber" I think there is a big distinction between "cyber" and "information" security, and I distinctly prefer the former over the latter.
Maturity? Nuanced understanding?
Your thoughts?
On this Happy Friday, remind yourself that nobody is going to look out for your career better than YOU.
Invest in yourself. Take risks. Try new things. Don't wait for opportunities to fall in your lap, make them happen.
"The harder I work, the luckier I get."
My 9 year old twins just found an @Apple iOS parental controls escape, pivoting through the @DarkSkyApp. Yep, hacking runs in the family.
Here is their first (public) attack chain:
Step 1. Tap the warning text in the app.
"Adversary Onboarding"
I'm coining that term. It's the point in which an adversary uses an org's internal documentation for internal recon, much like a new employee's orientation and onboarding.
I'm coining it royalty-free. Yes, you may (and shall!) use it.
Moar C#
Programmatically call UAC and escalate to admin:
Monitor Process Creation/Termination events with some WMI help:
Monitor Security Event Log
* PoC/pattern/example code to be pulled into your tools.
If you're an aspiring #redteamer, learn as much code as you can. Operating System internals have never been more transparently open to code than they are today.
Don't get overwhelmed. Just practice, learn, and realize it will take a little while, but it's worth the effort.
If you’re into writing or detecting maldocs and you haven’t looked at ViperMonkey, look now:
I’m told it’s now used by Project Zero and DoD.
One of the primary authors is a @WalmartTech associate and a good person to follow: @bigmacjpg
@vysecurity Well, e.g. in Windows there's ipconfig /displaydns but it's best to stay off the command line & use the native APIs where possible, like this:
What can we learn?
- Browsing habits
- AD Domain
- Cloud Services
- EDR Callbacks
- etc.
I can’t believe pentesters/red teamers still focus on getting Domain Admin. DA is in most cases a waste of access. It’s inefficient. If you’re modeling “sophisticated” (whatever that means) adversaries, abuse the path of least privilege, usually the path of least noise.
I'm over here eating crow. Laugh at this with me, then realize your crow will come, too.
For all the times, as a red teamer/pentester when I wrote something dismissive like "just implement a detection for that" ...
1/
AppSec is only a (small) piece of a security program.
If you focus 90% on AppSec and have no detection/response, you basically don’t have a security program.
Look what I found in a box, almost perfectly preserved.
I bet many of you don’t immediately recognize what this is, and others of you probably have no idea at all.
This just happened.
“Hey Siri, lower the temperature to [stutter] 73 degrees.”
Siri: “Got it. Cooling the house to negative two thousand seventy three degrees.”
“What? No!”
Thermostat is now set to 50 degrees. Apparently that’s as low as it goes.
Give me a list of well known tools used by adversaries
Novice:
nmap, Cain, hydra, tcpdump, arpspoof
Intermediate:
Htran, Mimikatz, smbexec, Lazagne, PwDump
Expert:
PowerShell, VBA macros, JavaScript, WMI, certutil, legitimate signed executables
Here’s a better look at my holiday gift to my team of hackers. It was soooo hard to keep it a secret.
Note the Powershell Empire “ornaments” among the other “layers” ...
Corollary: life is too short not to work with people you love working with.
If you think #redteam stuff is all fun all the time:
Try planning a major campaign involving 5+ different component entities that all have to appear physically/logically distinct and unrelated as a resilient, multi-prong attack. A single connected OPSEC line ruins them all.
Ways to turn me off:
-claim you are an expert, thought leader, or value add
-keep a tally of your CVEs
-claim you can hack anything
-list your certs in your name field on social media
Vs:
-build something useful
-teach people skills
-lifelong learner
-be humble
[NOW HIRING- Pls RT]
Rare opportunity: top tier opening for Red Team Operator/Engineer/Dev. US based candidates only; completely remote team w/ great mission across 5 continents.
Pay no attention to the preferred certs, because I won't. (auto-generated)
My youngest recently had a birthday. Kind of a big deal, since he spent his first 5 months of life in the NICU and would have died on Day 1 if it wasn’t for amazing in utero ID of a birth defect & great surgeons ready to fight with him. We expect great things from him.
1998 What is InfoSec?
2008 InfoSec == Prevent all the bad things
2018 InfoSec == Prevention is a losing battle, Containment/Response is where it’s at—make breaches meaningless.
My kids found another parental controls escape (WebKit in an app to full YouTube)!
So, naturally, I solved this problem the way any Dad would. I instituted a family Bug Bounty program.
We pay out in MineCoins. 💰💰💰
It’s been another 5 years and this article holds true. There are really only 5 ways to breach an organization, yet so many over-complicate this concept.
Know the 5. Think simpler.
=== BEGIN INTERNET MATURITY TEST ===
Answer the following fill in the blank:
“I like to ___.”
=== END TEST ===
.
.
.
.
.
.
.
.
If you answered “move it, move it” you’re officially 6 years old. You know who you are.
I talked to a 16 year old yesterday who grilled me with questions about a career as a hacker, everything from how to get started, to financial viability, to emotional satisfaction.
When I was 16, I just wanted to drive friends to the movies.
That 16 year old WILL BE successful.
I think I’m going to start giving out hunt advice to make red teams better.
BLUE: log all process create events centrally and hunt on common LOLbins like “net”. Practice to get your timing window close to zero and crush RED.
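The hunt described in the tweet above (and the "expert" tool list earlier on the page: net, certutil, WMI, PowerShell) as an added example, not code from the original author. It assumes process-creation events have been collected centrally and flattened into a simple `key=value|key=value` line format (a stand-in for Sysmon EID 1 / Windows 4688 records); the sample lines, the `LOLBINS` set beyond `net`/`certutil`, and the `SUSPICIOUS_PARENTS` rule are constructed here.

```python
"""Hunt centrally collected process-creation events for common LOLBins.

Added example, not from the original tweets. Log lines below are constructed
in a simplified key=value format (assumption: a real pipeline would feed
Sysmon EID 1 / Windows 4688 records flattened into the same shape).
"""
import ntpath
from collections import Counter
from datetime import datetime

# Constructed sample events: one per line, key=value pairs separated by '|'.
SAMPLE_EVENTS = """\
time=2018-11-20T14:02:11Z|host=WS-0412|user=CORP\\jdoe|ppid=4412|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\net.exe|cmd=net user
time=2018-11-20T14:02:12Z|host=WS-0412|user=CORP\\jdoe|ppid=4412|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\net.exe|cmd=net group "Domain Admins" /domain
time=2018-11-20T14:03:40Z|host=WS-0412|user=CORP\\jdoe|ppid=5120|parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|image=C:\\Windows\\System32\\certutil.exe|cmd=certutil -decode in.txt out.exe
time=2018-11-20T14:05:02Z|host=SRV-DC01|user=NT AUTHORITY\\SYSTEM|ppid=812|parent=C:\\Windows\\System32\\services.exe|image=C:\\Windows\\System32\\svchost.exe|cmd=svchost.exe -k netsvcs
time=2018-11-20T14:06:15Z|host=WS-0777|user=CORP\\itadmin|ppid=2200|parent=C:\\Windows\\System32\\cmd.exe|image=C:\\Windows\\System32\\net.exe|cmd=net use Z: \\\\fs01\\share
"""

# LOLBins to hunt on. "net" and "certutil" come from the tweets; the rest are assumptions.
LOLBINS = {"net.exe", "net1.exe", "certutil.exe", "wmic.exe", "powershell.exe"}
# Parents that rarely spawn admin tooling legitimately (assumption for severity scoring).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict; None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    event = {}
    for field in line.split("|"):
        key, sep, value = field.partition("=")
        if not sep:
            return None  # malformed field: skip the record rather than guess at it
        event[key] = value
    return event


def classify(event):
    """Return 'high', 'medium' for a LOLBin hit, or None when the image is not of interest."""
    image = ntpath.basename(event.get("image", "")).lower()
    if image not in LOLBINS:
        return None
    parent = ntpath.basename(event.get("parent", "")).lower()
    cmd = event.get("cmd", "").lower()
    # Office parents and domain-wide enumeration are the cases worth paging on first.
    if parent in SUSPICIOUS_PARENTS or "/domain" in cmd:
        return "high"
    return "medium"


def hunt(lines):
    """Run the hunt over raw log lines, returning the matching events annotated with severity."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        severity = classify(event)
        if severity:
            hits.append({**event, "severity": severity})
    return hits


def summarize(hits):
    """Count hits per (host, user) so the noisiest sources can be triaged first."""
    return Counter((h["host"], h["user"]) for h in hits)


def detection_latency_seconds(event_time, alert_time):
    """Seconds from process-create event to alert: the 'timing window' to drive toward zero."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (datetime.strptime(alert_time, fmt) - datetime.strptime(event_time, fmt)).total_seconds()


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS.splitlines())
    for hit in hits:
        parent = ntpath.basename(hit["parent"])
        print(f"[{hit['severity']:6}] {hit['time']} {hit['host']} {hit['user']}: {hit['cmd']} (parent {parent})")
    print(summarize(hits))
```

The severity split matters in practice: `net use` from an admin's `cmd.exe` is everyday noise, while `certutil` spawned by WINWORD or `net group ... /domain` from a workstation is the kind of hit worth a short timing window. Tune `LOLBINS` and `SUSPICIOUS_PARENTS` against your own baseline before alerting on them.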
If you’re doing red team work and you don’t have a lab with EDR and SIEM products, you’re doing it wrong ... also I’d bet you’re either in consulting or a new internal red team. If former, up your game now or your clients will find someone else.
@HackingLZ @pmelson @arekfurt I would say if you're doing offense security work (mostly speaking about red teams), and you don't know anything about your tools' potential detections, what EDR in general is and how it works, what stage of the kill chain you're most vulnerable to, etc... you're being lazy AF.
[BLOG SERIES]
Having a slow Turkey Day?
How about 12 adversary tradecraft related blog posts with reference C# code? Want to pull apart the Windows API in C#?
Start here and follow the links:
Source code (and more) here:
Opinion: Red Teams use domain fronting more than FIN/APT groups.
Why? Because red teams have to follow more rules when acquiring callback domains. We can’t reuse third party victims.
Also, because categorization and aging are hard, requiring discipline & planning.
REMINDER: the primary purpose of a red team exercise when the org doesn’t have Detect/Respond capability (SOC) is to wake them up to realize they need a SOC.
It’s always better if the org builds a SOC capability first, but sometimes you don’t know what you don’t know.
1/
Red: remember you’re not the main event. You’re the strength coach, the nutritionist, the personal trainer, and occasional kicking post for the superstar: Blue.
That’s your job.
[BLOG]
The Future of Adversaries is Software Development
A weather report depicting why APEX predator adversary groups must build custom coded toolkit and why you should start learning to develop code today if you want your red team to model them.
This is why I (still) think the security pros who've bounced from blue to red (or vice versa) and spent time in the trenches of admin work make the best talent overall; they're well rounded.
Be well rounded, friends!
6/6
DNS Registrar: "Your account is locked due to hosting malicious content."
Us: "Can you at least cancel the domain renewal?"
DNS Registrar: "Nope, we're going to lock you out and bill you recurring forever."
Us: "Who is the criminal?"
Psst. Hey you. Yeah, you over there. It’s Sunday night. A new week is starting. Don’t compare yourself to others, but make plans THIS WEEK to become a better version of YOU.
Hint: that probably involves learning from people right in front of you, NOT on twitter. (Yeah, I know.)
76 years ago today. Could you have gotten off the boat? Would you have what it takes to not stop?
I keep this on my office wall to remind me that no work problem is probably as bad as I think it is.
#DDay
Offensive tool developers: glad to see you working in C#/C/C++.
Please do us a favor & structure your code so that it’s reusable as a library, not a standalone console app. Remove console output. Still want console output in your PoC? Do it in main by iterating on rich data.
I'm now on the receiving end from my fellow pentesters who dismissively say "detect that" or "fix your SIEM" or "work with your MSSP."
Gentle reminder, my red team friends:
Some things are NOT EASILY DETECTED.
Things like false positive rates and alert volumes are a thing.
2/
FACT (not opinion): #RedTeamFit is the MOST POSITIVE place in all of InfoSec Twitter.🔥‼️
I ❤️ seeing the new faces, the transformation stories, the support for those starting out.
It started with “let’s make this a thing.” Now “let’s KEEP this a thing.”
Consistency.
Telemetry is telemetry. Good guys, bad guys ... everybody wants it. I've never met anyone who said "I've got all the telemetry I need, thanks."
Good guys have C2, too (it's just called other names like SCCM, Intune, JAMF, Tanium, etc.).
Security People frequently jump to technical controls when a process would be more effective. Processes require people, buy-in, and more work, while a technical control may be ineffective.
“When your only solution is a hammer, every problem looks like a nail.” 🔨
Hey Colorado InfoSec people ...
Why isn't there a "SlopeCon" or "PowderCon" or similar? Say, January-February-ish, west of Denver, talks/events during the evenings (4PM - 10PM) with the open mornings (hit the slopes or lobby con). Hosted in a ski resort hotel, of course.
I've been a @Microsoft customer for ~33 years (Tandy 1000, MS-DOS, 1985ish), but this is my first time to Redmond, WA, and I get to speak tomorrow at #BlueHatv18! I'm excited to make the visit, talk #RedTeam, and represent @WalmartTech @WalmartLabs!
See you tomorrow and say hi!
I just survived my first week as an ex/recovering/revoked/disavowed/expired CISSP after 13 years.
The world kept turning.
I still remember halon fire extinguishers and Bell LaPadula.
Most “gains” are made with 2.5lbs plates, not 45s.
Remember that when thinking about your career: a steady set of small increases will take you farther than a rare large increase. Focus small.
What is something non-infosec that you do that helps your infosec thinking and career? How does it help?
Some examples: chess, jiu jitsu, maybe tennis?
I’ve been saying this for a while now. I’ll say it again.
One day, we are going to have a company breached and the access vector will be compromised pentest/red team tooling.
“Not on my watch.”
Recipe for a popular tweet:
insult/shame companies + their employees for a breach
Recipe for an unpopular tweet:
recognize infosec people are human, imperfect, and most likely well-intentioned, despite a breach
Red Teams are really good at finding systems and processes that don’t have an owner.
The subsequent exercise of assigning an owner ... well, that’s often very hard. After all, if there was an owner, odds are higher that the red team wouldn’t have as much to say about it.