Defense

Introduction

‘Red Teaming’ the latest phrase in the cyber security world that brings a shudder down my spine! Now don’t get me wrong, adversary simulation is awesome, it’s a great tool and when wielded correctly brings massive value to enhancing your security posture… but alas, they aren’t always deployed in a business aligned and value driven position.

They sound ‘sexy’ and any pentester is going to jump at the chance to do one, let alone the sales and marketing teams will be grinning as they will come in with higher revenue but also will increase their case study portfolio for delivered red teams! (I’m not knocking this, it’s the reality of doing business).

Having witnessed a number of these take place against organizations who I don’t feel are ready for them, I thought I would write a piece on things I would recommend having in place before conducting a ‘red team’ assessment.

Background

C:\Users\Mr-R3b00t\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\64CF0893.tmp

(inspiration for the mortal combat image goes to Deviant Ollam!)

As I’ve mentioned there are a vast array of reasons why I wouldn’t spring a red team on an unsuspecting IT department without investing in defensive capability. Partly as well, the scenario is more than likely going to look like this:

Phase Description
Recon OSINT will scrape the web and gather a list of targets. Email addresses and pwned credential lists will be reviewed and more than likely a phishing campaign will be prepared for.
Weaponisation A social engineering (often a phishing campaign) or web based attack will be constructed using data obtained from the recon phase.
Delivery The malicious payloads will be delivered (likely via email, but may include drive by web, host compromise or dropped device (USB etc.))
Exploitation Either by a direct endpoint/browser exploit or using harvested credentials further exploitation will occur. The ultimate goal here is to obtain a mechanism for code execution on a victim.
Installation Once a vulnerability has been exploited, the threat actor will deploy some form of implant/malware on a target asset
Command & Control The threat actor will establish a line of communication to a remote management server (C2) so that they can execution actions remotely
Actions on objectives The threat actor will work towards their goals (steal data, disrupt services, extortion etc.)

so great you’re going to have a simulated attack, but let’s think about the though process as to why you (or a supplier) thinks a red team is suitable. Do any of these ring true?

  • You think it’s a great way to show the gaps in defensive capability
  • The IT team don’t take security seriously, this will show them!
  • By conducting a red team we can use any findings as a way to push through projects that have been blocked
  • We can’t convince senior management to invest in security so this will force their hand!

If they do… you might want to re-think your approach. Perhaps these might be better rationales:

  • We’ve invested in defense and want to strengthen our detection and response capabilities
  • To keep up with common threat tools, tactics and techniques we want to run periodic attacks
  • We’ve got the basics covered and want to continue to improve our security posture
  • Our threat model includes advanced targeted threat actors
  • Our blue team are asking for them!

You can see a stark contrast! Don’t get me wrong, I’m not saying there’s no room for black box red teaming (there absolutely is). But the whole aim of the ‘read team’ should be to further ‘enable and support’ the blue team. This requires a massive per-requisite of having a blue team and them being equipped to handle an advanced motivated threat actor.

Common attack Vectors

Ok so, we’ve looked at a high-level method, but let’s look at the technical hands on aspects. This is going to get a little techy but bear with me (the devil is in the detail!)

Phase Common Tactic Description
Recon OSINT By scraping the Internet the target will likely get a range of valid email addresses, alongside offensive use of social media (e.g. LinkedIn) the threat actor will be able to build quite a picture of your organization.
Weaponisation & Delivery, Exploitation and Installation Phishing OK, so I’m generalizing but you are probably going to get phished! If your attacker is advanced the domain used will be old, appear legitimate and the emails written in a way that induce the targets to send their credentials to them. The traffic will be encrypted. For all the best will in the world, your mail filters will probably let these through.

It is likely the attackers will get someone to send their credentials (regardless of how many ‘Security Awareness Training’ sessions they have attended. Assume the attackers have breached a set of ‘userland’ credentials.

Once they have one set (if you don’t have MFA deployed on Outlook Web Access) they are going to then get inside your mail server and download your global address list (then continue expanding their campaign from the original and newly compromised vantage point)

Common phishing tool sets include:

  • Gophish
  • Modlishka
  • Social Engineering Toolkit
  • Various other phishing platforms
Command and Control (C2) Common C2 Framework The attacker will likely use a common C2 framework such as:

  • Metasploit
  • Posh C2
  • Empire
  • Cobal Strike
Actions on objectives Offensive Cyber Actions The next stage may be conducted onsite or remotely. If remote the attacker will ether try and get a user to execute a malicious payload through expanded social engineering or abuse the stolen credentials to gain some form of remote access to your network. If remote access isn’t possible they may try to deploy infected media, a rogue device or in some scenarios deploy onsite to your network.

Once a presence has been established on the network the threat actor is likely going to do the following (note this isn’t exhaustive but common):

  • NETBIOS/LLMNR (Responder) to attempt to steal NTLM hashes. If successful they will attempt to crack the hashes and/or attempt a pass the hash attack.
  • A Windows proxy auto discovery (WPAD) attack may also be used to trick a user into providing their logon credentials
  • Once they have access to the domain they will then likely attempt kerberoasting (attacking service principal names). The attacker will attempt to crack the hashes.
  • Search network shares and services for sensitive information from both an unauthenticated and authenticated perspective
  • Enumerate valid usernames for use in cred spraying attacks
  • Run bloodhound to attempt to identify active directory lateral movement and privilege escalation paths
  • Scan the network for known vulnerabilities (you will probably be probed for MS17-010 etc.)
  • Lateral movement on a Windows network will likely use the following services:
    • SMB/CIFS (TCP 445)
    • RDP (TCP 3389)
    • WinRM (TCP 5985)
  • Conduct ARP poisoning and associated man in the middle attacks
  • Capture WPA2 handshakes and attempt to crack wireless network connections
  • Attempt IPv4 and IPv6 DHCP attacks

It is likely that if you have not previously defended against this scenario the attacker will (in a limited time frame < 2 days) not only have access to your network but will likely have domain admin access.

You will likely find that if domain admin has been achieved that the ntds.dit will be exfiltrated and that a cracking attempt on all your domain credentials will be conducted.

Now depending upon agreed objectives this may conclude the ‘red team’ activities.

Debrief Report In a low engagement scenario you will likely now receive a report outlining the findings and recommendations. (if you aren’t doing an interactive debrief with your IT team (or ideally blue team) then your red team assessment is lacking

Telling me what I (may) already know

When we analyses the common attack vectors some of you might be thinking.. surely there are other ways to detect these vulnerable configurations.. and you would be right.

Let’s break down some of the attacks:

NETBIOS POISONING/Link Local Multicast Name Resolution

We can detect if we are vulnerable through a few activities:

  • Vulnerability Scanning/Assessments
  • Configuration Audits
  • Port Scans

Disabling LLMNR via Group Policy

This policy (either local or deployed via group policy) will set the following registry keys:

We can audit this using common off the shelf tools (such as Nessus Pro) or via scripts (such as PowerShell)

(sorry made a fubar in the example, the last write-host should just say “Vulnerable to Responder LLMNR Attack”)

It’s simpler to check via GPMC and group policy modelling wizard or resultant set of policy modelling.

Nebios

NETBIOS is a bit more complex as you can’t disable this directly via a GPO (you can use a computer startup script if that’s your only option). You can however set this via DHCP or configure the endpoints locally (or using a remote management system such as SCCM)

# Now we want to disable netbios

$netbios = “HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces”

Get-ChildItem $netbios |foreach { Get-ItemProperty -Path “$netbios\$($_.pschildname)” -Name NetbiosOptions} | select -Property PSPath,NetbiosOptions

## Disable netbios

Get-ChildItem $netbios |foreach { Set-ItemProperty -Path “$netbios\$($_.pschildname)” -Name NetbiosOptions -Value 2 -Verbose}

You can also do this using the GUI (network adapter TCP/IP settings)

So we’ve just blocked part of the responder suite (another common route is via WPAD poisoning)

It should also be noted that you can block this using the Windows firewall (or another host based firewall).

If the passwords aren’t weak the attacker may also try and SMB Relay attack! (again more reason to shut this vector down ASAP!)

Kerberoasting

This one might be a bit more complex, detecting kerberoasting attempts requires more verbose audit logging and a centralized security information and event management tool (you can use Windows Event Forwarding if you are on a budget but remember it has its limitations!)

For this blog I’m not going to talk heavily on detection, but on prevention. The simple way to prevent kerberoasting being effective is to ensure all service accounts with SPN’s have strong passwords and have sensible access rights (they really don’t need domain admin rights!)

From an authenticated perspective run the following script to list all your domains SPNs

# Source / credit:

# https://social.technet.microsoft.com/wiki/contents/articles/18996.active-directory-powershell-script-to-list-all-spns-used.aspx

cls

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]””)

$search.filter = “(servicePrincipalName=*)”

## You can use this to filter for OU’s:

## $results = $search.Findall() | ?{ $_.path -like ‘*OU=whatever,DC=whatever,DC=whatever*’ }

$results = $search.Findall()

foreach( $result in $results ) {

$userEntry = $result.GetDirectoryEntry()

Write-host “Object Name = ” $userEntry.name -backgroundcolor “yellow” -foregroundcolor “black”

Write-host “DN = ” $userEntry.distinguishedName

Write-host “Object Cat. = ” $userEntry.objectCategory

Write-host “servicePrincipalNames”

$i=1

foreach( $SPN in $userEntry.servicePrincipalName ) {

Write-host “SPN(” $i “) = ” $SPN

$i+=1

}

Write-host “”

}

identify these service accounts and then conduct a password audit/review. If in doubt change these service account passwords (ensure they are longer than 25 characters)

WPAD Exloits

In most versions of Windows, Internet explorer has windows proxy auto discovery configured:

With this set internet explorer attempts to connect to a range of wpad names to try and obtain proxy configurations. There are a number of ways to disable this including via GPO, configuring a wpad DNS record, via the IEAK or by script. For Chrome and Firefox you may need to deploy custom solutions (e.g. the Firefox GPO adm). Clearly we need to untick this box

SMB Vulnerabilities

It’s a good idea to look for vulnerabilities, if you are equipped with an appropriate tool (e.g. Nessus/OpenVAST etc.) then this should be fairly simple. However if you don’t have these don’t worry.

Armed with nmap and the mighty nmap scripting environment we can run the following (change the target IP to suit your scenario):

SMB -sS -sV -n -Pn –script smb-enum-shares,smb-protocols,smb-system-info,smb-vuln-conficker,smb-vuln-cve-2017-7494,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-ms17-010,smb2-capabilities,smb2-security-mode 192.168.2.0/24

Once this is complete you should be able to identify any open shares or major SMB vulnerabilities (you know like MS17-010 which was used by WannaCry!).

Password Audits

If the red team are successful they may get domain admin creds and then exfiltrate your ntds.dit and system hives. From there they are going to start trying to crack all the things. Not only is this problematic as the hashes for every account are now compromised, but also they may be quite successful. So thinking from an assume breach mode, let’s do some credential hygiene and proactive maintenance. There’s a bunch of tools to conduct a password audit, from commercial solutions such as L0phtcrack, through to open source tools such as OCL hashcat and John the Ripper. There’s even a powershell script provided by NCSC, so there’s no excuse for not running regular password audits, advising people to use strong pass phrases and forcing resets when weak passwords are detected.

Office Macros

Office document formats made up 38% of the top Maliciouis file extentions (based on CISCO’s Research) so let’s do ourselves a favour and reduce the attack surface. Now there’s a few ways to go here, I personally would look at a role based deployment model however if you don’t have the resources for that (or its a phased hardening process) then look at the following config areas:

Outlook

Navigate to Options > Trust Center

Word

Navigate to Options > Trust Center

Also consider using trusted locations (there will most likely be macros used by some of your business (get scanning your file servers to identify these!)

Excel

Navigate to Options > Trust Center

Office Security

Remember there’s a whole range of configuration options, from Macro’s, add-ins, active-x content and developer options. You are not likely not going to find one config to rule them all, but you can deploy role based configurations, and by default deploy a hardened configuration. You can always use the Office setup tools and group policy to manage these down the line in a role based deployment manner.

Patching

Now this should not come as a surprise to you, but if your full of holes through not patching, you might just get owned. So the simple thing to do here is scan your estate, understand your landscape and patch/mitigate. (patching isn’t easy, anyone who says so hasn’t done it before!)

Technical Summary

So we’ve touched on some of the work that you could (should?) do before getting some well armed cyber pros into your network. Trust me this is going to have removed some serious low hanging fruit! There are common findings that will come out from penetration testing/red team assessments etc.

Domain Common Findings
Physical Security Tailgating, lockpicking, RFID cloning, Social Engineering, lack of challenge to personelle in restricted areas
Digital Credentials from phishing, weak security configuration, lack of patching, weak or missing network segmentation, weak credentals etc.

So if I wasn’t prepared (and I’m not talking about just two weeks before an assessment) and I had a motivated and skilled attacker come in, I’m going to invest a bunch of money to be told the following:

  • We could tailgate into your office
  • We phished your users
  • You have weak credentials
  • Your network isn’t segmented
  • Your missing critical patches
  • We could steal and crack credentials from your network
  • We weren’t detected

Now put your hands up if your network has these characteristics you’re not going to learn a whole bunch of new stuff by having a team come and attack your business! That being said, if you’ve have taken proactive steps, have invested in developing defensive cyber security capabilities and you want to improve or validate controls with the ‘red team’ and ‘blue team’ working together you are on the right track!

The negative impacts of doing a misplaced ‘red team’

  • Drop in moral from IT or defending team (you may not have a blue team)
  • Discovery of already known vectors
  • Critical business assets may not have been breached (regardless of the red team getting domain admin)
  • The resources spent on conducting the excericse and post mortem activities may far outweight the value of the findings

Checklist before doing a ‘red team’

So we’ve looked at common kill chain scenarios, a common set of attack vectors and some of the negative aspects that can occur. However, we’re a massive fan of adversary simulation/red team activities when used in the right way. So to help people check and validate they are prepared we’ve put together a suggested areas that should have a level of investment and capability before hitting the red team attack button:

  • Do you have a defined blue team?
  • Have you got a business risk appetite statement?
  • Do you have a good understanding of your technology assets and their composition?
  • Have you conducted a crown jewels analysis?
  • Have you conducted threat modelling?
  • Have you documented data flows?
  • Do you have a risk register?
  • Have you conducted a vulnerability assessment?
  • Have you conducted penetration testing?
  • Have you completed a system hardening project?
  • Do you have an active vulnerability management practice?
  • Do you have proactive security monitoring capabilities?
  • Have you segmented your network?
  • Have you planned, designed and drilled your cyber incident response plan?

Summary

We love a buzz word in the technology industry, and these days it’s easy to get lost in Cyber jargon! It’s important to recognise the purpose of a red team assessment, what they are good for and when to use them. Used well they are a great tool for strengthening your organisations security posture. Ued poorly they are likely to be a low value investment which might tell you what you already know and worse still, damage the morale of the teams who work hard to keep technology working for your business (despite the constraints they might face!)

If your thinking about improving your organisations security posture or are looking to validate your organisations resiliance and control strength, we offer a range of services to help organisations increase their cyber resilience, protect their brand and enable customer value!

References

I hadn’t watched this video fully before writing this (but it did give me the Mortal Combat idea!), but I think it makes some great points!

https://www.youtube.com/watch?v=mj2iSdBw4-0

Leave a Reply