Outside the red team oriented network RBI

Information Collection and outside the network RBI

Because up late .. first heard of the issue, with some regret, complement Photo

Infrastructure design deployment

Ordinary Architecture: Red Squad - "teamserver cs--" target Disadvantages: function unseparated, no hidden channel, log back even more, less flexible

Architecture Evolution: DNS / HTTP / HTTPS separation server tips: 1 ~ 2cpu 2G 10G hard drive memory, back even number of not more than 5 units, channel latency (the actual target environment priority)

Full Infrastructure: domain names and IP (VPS) teamserver (CS) front-end (redictor) CS - "teamservers 1/2/3 / ... front layer (SMTP / PAYLOAD / C2 / hidden C2)

Choose a domain name

Expired domain names registered expireddomains.net DELETE DOMAIN
tips1: Do not include the world's manufacturers and vendors of antivirus related domain names, and domain and objectives
tips2: common goals related to domain name registration area, remember to open the privacy protection
Other: www.freshdrop.com www.domcop.com
tips3: check whether the domain name is classified, finance, health care, electricity providers, airlines, travel great
tips4: go to VT, micro-step check whether the domain name is marked black
tips5: Report abuse rules carefully reading (freenom caution)

Training domain (support number)
- Build a normal domain, security vendors to submit to each site classification
- tips1: A record for the domain name resolves to manufacturers ip, use of time and then resolve to C2, manufacturers do not have time to resolve back ip
- tips2: self-assessment VT, alex self-assessment
DNS detection
Domain catalog detection
- domaincheck：
IP Detection
- External network IP, to see whether the station is marked by intelligence black
- Use CDN hide the real IP (some security vendors intercepts CDN IP)
Uterus,
- subdomain takeover: A high credibility domain name analytic B - "
- High credibility broiler to do pre-forwards
C2 tool
- CS 3.14
  - Custom Flow characteristics: DNS / HTTP / HTTPS / SMB and TCP
  - Payload loading process: shellcode / Loader / Stageless / beacon
  - DNS: If you use the default dns channel parameters must be modified (easy to detect equipment), not to do with the DNS data channel
  - HTTP (S): Do not file suffix uri settings js, css and other static files, the effect: Paid Certificates> Free certificate> self-signed certificate (Let's Encrypt free three months overdue, opened automatic renewal)
Redirector
- DNS socat | iptables | ssh (tmux screen and pick one)
- Apache|Nginx
- Tips：
  - Recommend the use of multiple requests over judgment, refused to use the default uri, against the whole network scanning C2
  - Only objects associated IP access, against cloud sandbox
  - Limited access time period, only a certain time period requested payload
  - Do not put non-uri payload of high reputation redirected to google domain name
  - Recommendation: www.aaa.com set up to raise domain name, use the second-level domain do c2.aaa.com C2
- Domain Fronting (hidden mode IP, domain name)
  - Google App Engine| Amazon |Azure|Aliyun CDN
  - Visible layer: DNS, TLS
  - Invisible layer: HTTPS
  - URL (high credibility) SNI (high credibility) HOST (C2)
  - https://github.com/vysecurity/DomainFrontingLists
  - Instead of scheme: HTTP pipelining (> http 1.1)
    - And the same effect domain fronting
    - Tcp connection using the same host of different transmission packet http
    - tips: good domain + bad domain coated with a layer made in the past at the same time
- Third-party service as C2
  - Office365、Pastebin、Slack、Facebook、Dropbox、Gmail、Twitter..
  - We need to hard-code to third-party services
Phishing e-mail (SMTP)
- Domain Name: domain name choice with C2
- High credibility of the mail sender: Mailchimp, Sendgrid
- Properly configure SPF, DKIM \ DMARC
- SSL Certificates
- Transmission time and the frequency
- One-click deployment
- Phishing framework: Gophish ( https://github.com/gophish/gophish )
Concealment and security
- Permissions Minimize: Use iptalbes limited communication components, SSH port forwarding
- Teamserver: only local access port restrictions, restrictions beacon listening port can only access the redirector
- Tips: VPS easily intercepted GFW?
  - Solution: V * 2r ay + Nginx + CLoudflare + Freenom + Websocket build agent
Infrastructure monitoring system
- Record complete logs, set alarm
- Automated Deployment LuWu ( https://github.com/QAX-A-Team/LuWu)
- Log Center

Mail preliminary information collection and investigation of fishing

Technical challenges:
- Mail gateway mail gateway
- Browser
- EDR、IDS
Mail Gateway
- ANTI-SPAM
  - SPF
  - DKI
  - New domain name registration
  - Rare domain name suffixes
  - Sensitive keywords
- characteristic:
  - Mail bounce enabled by default
  - MTA default does not open the Recipient Validation
- Conclusion: When we send an e-mail to a phishing e-mail account does not exist, if they can receive NDR, prove phishing emails through a mail gateway security review (BACKSCATTER ATTACK)
- BYPASS ANTI-SPAM
  - Through the above conclusions, detection, fuzzing ANTI-SPAM rules engine
  - Stable way to trigger an NDR:
    - The body is greater than 10M
    - Recipients over 5000
- BYPASS ANTI-MALWARE
- NDR
to sum up

Fishing sample production

Phishing Type
- Chm malicious document: use easy, but more sad kill soft, free to kill poor
- office document with a malicious macro code: easy to confuse (with pictures like fuzzy), but the need to manually open the macro process chain suspicious
- White with black fishing: the use of white with a program signed by malicious DLL DLL load hijacking programs; easier over AV, but decompression requires execution
- LNK file Fishing: linked object is Powershell, perfect process chain
- Fishing sample PPT: PPT hyperlink pop-up "security declaration", do not start the macro, but it must be full-screen playback, to enable it to perform; not recommended
- Exploit the phishing e-mail: high efficiency, high cost is the same
Write automated tool to generate the malicious lnk, key functions:
- IShellLink :: SetIconLocation ()
- IShellLink :: SetShowCmd () window display
- IShellLink :: SetArguments ()
- IShellLink :: parse ()
- ...
LNK Phishing production
- Fishing resume writing: content optional exaggerated, so that the probability of a large open HR delete after reading, to mention prevent technical staff
- LNK display icons: each system can be changed to display the default generic icons
- How to hide behavior: SetShowCmd () Minimize Window
- Word Document Storage:
  - Networking Download Word document
    - (New-Object System.Net.WebClient).DownloadFile(url, file_path);
    - Data reduction engine
      - Reduction agreement: tcp, http, smtp
      - Restore the contents of the file: office, pdf, zip
      - Packers Restore: upx
      - Restore data encryption algorithm: base64
  - Local release of Word documents
    - The Word stuffed COMMAND_LINE_ARGUMENTS
      - ARGUMENT used to store command line parameters LNK
      - StringData structure, CountCharacters
      - IShellLink :: SetArguments ()
      - Stuffing data is the maximum limit command-line arguments explorer.exe length
      - Measured results 0x7FC2 (31KB)
    - Lnk files to Word stuffed tail (recommended)
      - Tails may be added any size word, PE, PowerShell
      - select -last 1 to locate the last object, to "\ n" divided objects
      - you can also select -index 1
- Soft kill fight
  - Short file name POWERS ~ 1.EXE
  - Symantec's paper reference code obfuscation
  - Safety class detection process
    - VM - forensic tools - soft kill Detection - Debugger
    - Conventional techniques
      - Detection process name
      - Detection window title
    - The new posture
      - Traversal process, the process of obtaining the copyright information corresponding to the ratio of the black list
      - Pros: upgrade version does not change, GM
    - How the full path to PID acquisition process: ProcessExplorer
    - x86 is not feasible, x64 can
    - Bypassing PCHunter 0RING hook
    - After detecting behavior, notify the attacker, timely deal with the aftermath

Lateral movement within the network

Network investigation
- Active and passive network investigation in the classic way
  - Active scan
    - Asset identification device
    - Available Services Acquisition
    - Script detection
  - Passive collection
    - Listen to the broadcast
  - Minefield warning
    - Risk face: Network ACL blockade, controlled host HIDS, HoneyPot, NIDS
  - Methods Comparison
Domain information class field investigation * * * nix * Windows AD
- Targeting domain controller (host domain)
  - Time Server
    - net time /domain
    - w32tm /query
  - DNS server
    - Get-DnsClientServerAddress checks the local DNS SERVER provided
    - Address corresponding to the DNS server queries Domain Name A record
  - Domain controller locator
    - DC Locator Process
    - Mechanism to generate DNS queries, follow the DC Locator is very safe
    - Kerberos authentication, KDC
    - GC
    - Query Tool
      - nltest domain controller information extraction process
      - net
      - dsquery to query by LDAP
    - dsquery / ADSISearcher plaintext LDAP protocol, easy prey for IDS
- Targeting domain controller (outside the host)
  - DNS investigation
    - Scan UDP/53
    - Query DNS FQDN from DNS
    - Query Locators from DNS
  - LDAP（S）& GC（S）
    - Scan ports, properties of screening domain
    - Anonymous metadata reading section LDAP
    - Read LDAP certificate information
    - GC Services query TCP / 3268 TCP / 3269
    - Defense: You can turn off anonymous bind
  - Query LDAP (S) service
    - ADexplorer: GUI, some of the cmdlet
    - Get-ADUser
    - Powerview: a lot cmdlet
  - Kerberos
    - AS-REQ & AS-REP
    - KDC TGT bills
    - AS protocol based on user enumeration
      - KERBEROSUSERENUM（a-team github）
      - MSF module
    - ASREPROAST
      - Session Key, encrypted using the user's NTHASH
      - John / HashCat can break off
    - Properties SPN (Service Principal Name) domain object, the object is a machine / user must be set
    - TGS-REQ & TGS-REP
      - Service ticket
      - Service Ticket
      - Conclusion: General application domain account after account of the service ticket can break off
      - KERBEROAST attack (based on the above conclusions)
        
        Rubeus.exe
        
        PowerView
  - HUNT DOMAIN ADMIN
    - Specific user login session
      - Remote Session Enumeration
        
        NetSessionEnum (SMB Session)
        
        NetWkstaUserEnum (interactive login session) the new version of the system requires admin privilige
      - Remote User Enumeration
        
        Scene: Some of the same name with a domain account to manage local accounts might be the same person created
        
        SAMR query group and member information (Note: Win 10 after no admin can not enumerate)
        
        LSARPC queries related SID
      - Telnet Enumeration
        
        Interactive Online: mainly refers to the RDP Console and landing way
    - Host obtain permission: Vul RBCD & RPRN
    - Extraction legacy credentials: Powerview Mimikatz
    - Get user rights
Lateral movement
- MS-RPC
  - WMI: DCOM TCP / 135-based plaintext transmission
  - PSEXEC: (tips: Use impacket tool psexec.py difference is that the target support SMB3.0 encryption enabled by default)
  - Remote Scheduled Tasks
  - DCOM: COM component called remote TCP / 445 + Random port dcomexec.py
- Kerberos delegation
  - The concept: a service has the ability to allow visitors access to user identity authentication mechanism other services
  - Unlimited Delegate: default settings only domain controller may delegate unlimited
    - S4U2SELF
    - PRINTER BUG: Printer Spooler service SSRF
    - Unlimited delegated + S4U2SELF + PRINTER any domain controller
  - Constrained Delegation
    - S4U2PROXY
  - Currently the most deadly appointed delegate-based resources (RBCD)
    - Inheritance S4U2SELF, S4U2PROXY
Domain authority to maintain
- Host permissions to maintain the (common type, not expanded)
- Domain authority to maintain
  - SPN
    - For accounts, refer to the previous
  - Gold notes
    - Krbtgt with encryption TGT, TGT key encrypted using the account as a key
    - Created with the default parameters golden ticket expired a long time, mimikatz
    - DCSync pulled domain accounts hash / key
    - check Point:
      - krbtgt key, modify krbtgt password twice, the log analysis 4769
      - Log Analysis
      - IDS rules, expiry time, algorithms, etc.
  - Silver notes
    - SRVS related key encryption
    - check Point:
      - PAC information verification
  - Constrained delegation
  - RBCD
  - Domain Group Policy
  - LAPS

Files infected with lateral movement

File Infection
- significance
- Scenes
  - The company supply chain software library, similar to the "drive of life"
  - Remote file sharing infected
  - External device infections, such as U disk, mobile hard disk
  - 3389 Mount disk to the server
  - E-mail infection, insert malicious macros
  - Traffic hijacking, infection transmission file
- the way
  - PE infection
  - LNK infection
  - Office of infection
- Conventional PE infection
  - Exe to add an import function, DllMain write malicious code, tools StudyPE
  - Malicious code into PE, modify the OEP, reconstruction PE
    - Somewhere within OEP Jump to malicious code
    - Modify OEP point to malicious code
  - Against the idea
    - DLL load
    - OEP jump
    - The use of TLS (thread local storage) callback
- TLS infection
  - TLS callback, anti-debugging; malicious code on TLS, no need to modify OEP
  - TLS data structures
  - TLS infection in the overall process: Search Festival gap - Head modify recorded data - directory build TLS TLS callbacks - reconstruction PE - malicious files released
- LNK file
  - How the icon remains unchanged?
    - IShellLink :: SetIconLocation () to set the current exe icon of lnk
  - Malicious code normal pull of the original program
    - With rundll32.exe
  - Scene: permission to maintain, lateral movement
- Office files infection
  - .docx .docm (macro file) can be changed to .doc
  - Goal: to convert .docx to .doc or .docm with malicious macros
- Soft kill fight
  - Modify the file association
    - .docm changed to .doc, fighting for detecting the suffix .docm
    - Modify the macro file associations, against dependency file name or type detection

from:https://github.com/backlion/RedTeam-BCS