1
A Concept of Operations
2
Raphael Mudge, Strategic Cyber LLC – raffi@strategiccyber.com
I develop Cobalt Strike – http://www.advancedpentest.com/
Would you like to try Cobalt Strike?
– I have DVDs with a complete hacking lab on them
– Ask for one. They’re fun.
3
My Back Story
Pen Testing vs. Red Team vs. Aggressor
What is an Aggressor?
From Red Team to Aggressor
10
1. Map client-side attack surface
2. Create Virtual Machine for testing purposes
3. Use Virtual Machine to select best attack
4. Configure and disguise the attack
5. Email attack package to victim
12
Attacks are caught by anti-virus
Limited options to egress a network
– HTTP, HTTPS, TCP, TCP (all ports)
Meterpreter
– Communicates with one C&C endpoint
– Requires an active channel or the session dies
– Non-obfuscated staging process (fixed April 2013)
15
Artifacts that get past anti-virus
Social Engineering Workflow
Beacon Payload
– C&C over DNS, HTTP, and SMB named pipes
– Uses redirectors, calls home to multiple systems
– Low and slow “asynchronous” C&C
Post-Exploitation Emphasis
– e.g., browser pivoting to get past 2FA
18
Penetration Tester
Red Team
Aggressor
19
Penetration Tester – Exploit Security Holes
Red Team – Simulate an Attack
Aggressor – Replicate an Imminent Threat
20
Penetration Tester – Find and verify vulnerabilities
Red Team – Exercise Security Controls
Aggressor – Exercise Intelligence Support to CND
22
2.2:1
23
Project Red Baron II
– Pilot’s chance of survival increases after 10 missions
– Led to USAF’s Red Flag Exercise in 1975 *
Red Flag Exercise
– Fly 10 combat missions against…
– dissimilar aircraft (flown by Aggressors)
* US Navy founded TOPGUN in 1969 to address the training gap after heavy losses during Operation Rolling Thunder.
24
Selected from top pilots
Trained to use the enemy’s TTPs
Flew American aircraft!
25
American aircraft with a similar profile
Painted with the adversary’s colors
26
Selected from top red operators
Trained to use the enemy’s TTPs
Uses a platform with the enemy’s capabilities
27
Standard Platform
Gets past static defenses
Extensible for mission needs
Customizable Indicators
28
On Disk
– Add static strings to EXE and DLL artifacts
– Drop persistence to the same location and use the same registry key as the adversary
29
On Network
– Limit C&C protocols to what the adversary uses
– Customize C&C with indicators to look like the actor
31
Start a Cobalt Strike team server with a profile
Profile is compiled and hot-patched into Beacon agent and server
Communication through Beacon follows the profile
32
To replicate Comment Crew:
– Restrict Beacon to its HTTP channel
– Load a profile that:
  Base64 encodes data
  Pads data with dummy HTML
– Tunnel tools through Beacon
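As an added illustration of the profile idea on the last two slides (start the team server with a profile; the profile decides how Beacon traffic looks, here base64 hidden in dummy HTML), the following Python models the transform pipeline in both directions and the defender's detector keyed on the same indicators. This is example code written for this page, not Cobalt Strike's own Malleable C2 implementation; the profile dictionary, the transform names, the sample tasking and the detector regex are illustrative assumptions, not the real profile language.

```python
"""Profile-driven C2 transforms: base64 the tasking, hide it in dummy HTML.

Added example for this page. It is not Cobalt Strike's Malleable C2 code;
the profile dict, the transform names and the detector are illustrative
stand-ins (assumptions), not the real profile language.
"""
import base64
import re

# Constructed profile modelled on the "Comment Crew" slide: HTTP only, server
# output is base64-encoded and wrapped in an innocuous HTML page. The ordered
# list is applied outbound and undone in reverse inbound.
COMMENT_CREW_LIKE_PROFILE = {
    "channel": "http",  # Beacon restricted to its HTTP channel
    "server_output": [
        ("base64", None),
        ("prepend", "<html><head><title>Welcome</title></head><body>\n<!-- "),
        ("append", " -->\n</body></html>"),
    ],
}


def apply_transforms(data: bytes, steps) -> bytes:
    """Shape raw tasking into what goes on the wire (team server side)."""
    for name, arg in steps:
        if name == "base64":
            data = base64.b64encode(data)
        elif name == "prepend":
            data = arg.encode() + data
        elif name == "append":
            data = data + arg.encode()
        else:
            raise ValueError(f"unknown transform: {name}")
    return data


def invert_transforms(wire: bytes, steps) -> bytes:
    """Recover tasking from a wire body (Beacon side); reject anything that
    does not carry the profile's fixed strings, e.g. scanner or proxy noise."""
    data = wire
    for name, arg in reversed(steps):
        if name == "base64":
            data = base64.b64decode(data, validate=True)  # binascii.Error is a ValueError
        elif name == "prepend":
            prefix = arg.encode()
            if not data.startswith(prefix):
                raise ValueError("body lacks the profile's prefix")
            data = data[len(prefix):]
        elif name == "append":
            suffix = arg.encode()
            if not data.endswith(suffix):
                raise ValueError("body lacks the profile's suffix")
            data = data[: len(data) - len(suffix)]
        else:
            raise ValueError(f"unknown transform: {name}")
    return data


def is_shaped_by(wire: bytes, steps) -> bool:
    """True when a body round-trips cleanly through the profile's inverse."""
    try:
        invert_transforms(wire, steps)
        return True
    except ValueError:
        return False


# Blue-team side. The fixed prepend/append strings are exactly the network
# indicators the Aggressor hands over after the exercise; a detector keyed on
# them pulls the tasking back out of captured responses.
HIDDEN_TASKING = re.compile(rb"<!-- ([A-Za-z0-9+/=]+) -->")


def detect_tasking(body: bytes):
    """Return decoded tasking if the body matches the indicator, else None."""
    m = HIDDEN_TASKING.search(body)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None


def roundtrip(task: bytes, profile=COMMENT_CREW_LIKE_PROFILE):
    """Server shapes tasking, Beacon un-shapes it; returns (wire, recovered)."""
    steps = profile["server_output"]
    wire = apply_transforms(task, steps)
    return wire, invert_transforms(wire, steps)


if __name__ == "__main__":
    # Constructed tasking; the content is arbitrary for the demonstration.
    steps = COMMENT_CREW_LIKE_PROFILE["server_output"]
    wire, recovered = roundtrip(b"sleep 300 20")
    print(wire.decode())
    print("recovered:", recovered)
    print("detector sees:", detect_tasking(wire))
    print("plain page accepted as profile traffic?",
          is_shaped_by(b"<html><body>hi</body></html>", steps))
```

The two checks worth keeping in mind: the inverse must refuse bodies that do not carry the profile's fixed strings, otherwise scanner noise and proxy error pages get fed to the agent as tasking; and those same fixed strings are the network indicators the exercise exists to hand to the defenders, which is why the detector above needs nothing but them.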
33
What did you see?
What did the adversary take?
Which systems is the adversary on?
Which accounts are compromised?
Where is the adversary’s C&C?
34
Who is attacking us?
What do they want?
What will they go after next?
Which indicators match a known profile?
Which indicators are new?
What other indicators may we look at?
35
My Back Story
Pen Testing vs. Red Team vs. Aggressor
What is an Aggressor?
From Red Team to Aggressor
36
Email: raffi@strategiccyber.com
Twitter: @armitagehacker
WWW: http://www.advancedpentest.com/