Information collection and gaining an external foothold
Because I got up late, I missed the first talk; with some regret, supplemented from photos.
Infrastructure design and deployment
- Ordinary architecture: red team -> teamserver (CS) -> target. Disadvantages: functions not separated, no covert channel, more back-connection logs exposed, less flexible
- Architecture evolution: separate servers for DNS / HTTP / HTTPS. Server tips: 1-2 CPUs, 2 GB memory, 10 GB disk; no more than 5 back-connecting hosts per server; mind channel latency (prioritise what the actual target environment allows)
- Full infrastructure: domain names and IPs (VPS); teamserver (CS); front end (redirector); CS -> teamservers 1/2/3/...; front layer (SMTP / payload / C2 / hidden C2)
- Choosing a domain name
- Register expired domain names: expireddomains.net (deleted domains)
- tip 1: avoid domain names related to major vendors, antivirus vendors, or the target itself
- tip 2: register in the region the target's domains commonly use, and remember to enable privacy protection
- Other: www.freshdrop.com www.domcop.com
- tip 3: check whether the domain name is already categorised; finance, health care, e-commerce, airline and travel categories are excellent
- tip 4: check on VT and ThreatBook (微步) whether the domain name is blacklisted
- tip 5: read the abuse-report rules carefully (be cautious with Freenom)
- Aging the domain (like aging accounts)
- Build a normal site on the domain and submit it to each security vendor's site-categorisation service
- tip 1: point the domain's A record at a vendor IP; resolve it to the C2 only while in use, and back to the vendor IP when not in use
- tip 2: self-check on VT and Alexa
- DNS check
- Domain categorisation check
- domaincheck:
- IP checks
- External IP: check whether it is flagged by threat intelligence
- Use a CDN to hide the real IP (some security vendors block CDN IPs)
- Subdomains
- Subdomain takeover: a high-reputation domain A resolves to B ->
- Use a high-reputation compromised host ("broiler") as the front forwarder
- C2 tool
- CS 3.14
- Customised traffic characteristics: DNS / HTTP / HTTPS / SMB and TCP
- Payload loading process: shellcode / loader / stageless / beacon
- DNS: if the DNS channel is used, the default parameters must be modified (security devices detect them easily); do not use DNS as the data channel
- HTTP(S): do not give the URI a static-file suffix such as js or css. Effectiveness: paid certificate > free certificate > self-signed certificate (Let's Encrypt free certificates expire after three months; enable automatic renewal)
- Redirector
- DNS: socat | iptables | ssh (run under tmux or screen, pick one)
- Apache | Nginx
- Tips:
- Recommended: decide on several request attributes rather than one; never use the default URI; this counters internet-wide C2 scanning
- Allow only IPs associated with the target; this counters cloud sandboxes
- Limit the access time window; serve the payload only during a certain period
- Do not redirect non-payload URIs to a high-reputation domain such as google
- Recommendation: set up www.aaa.com to age the domain, and use a second-level domain such as c2.aaa.com for C2
- Domain fronting (hides the IP and domain name)
- Google App Engine | Amazon | Azure | Aliyun CDN
- Visible layer: DNS, TLS
- Invisible layer: HTTPS
- URL (high reputation), SNI (high reputation), Host header (C2)
- https://github.com/vysecurity/DomainFrontingLists
- Alternative scheme: HTTP pipelining (HTTP/1.1 and later)
- Same effect as domain fronting
- HTTP packets for different hosts are transmitted over the same TCP connection
- tip: wrap a good domain and a bad domain in the same layer and send them through together
- Third-party services as C2
- Office365, Pastebin, Slack, Facebook, Dropbox, Gmail, Twitter...
- Needs to be hard-coded to the third-party service
- Phishing e-mail (SMTP)
- Domain name: same selection criteria as the C2 domain
- High-reputation mail senders: Mailchimp, Sendgrid
- Configure SPF, DKIM and DMARC properly
- SSL certificates
- Sending time and frequency
- One-click deployment
- Phishing framework: Gophish ( https://github.com/gophish/gophish )
- Concealment and security
- Minimise permissions: use iptables to restrict communication between components; SSH port forwarding
- Teamserver: restrict its ports to local access only; restrict the beacon listening port so that only the redirector can reach it
- Tip: VPS easily blocked by the GFW?
- Solution: build a proxy with V2Ray + Nginx + Cloudflare + Freenom + WebSocket
- Infrastructure monitoring system
- Record complete logs and set alarms
- Automated deployment: LuWu ( https://github.com/QAX-A-Team/LuWu )
- Log centre
Phishing e-mail: preliminary information collection and reconnaissance
- Technical challenges:
- Mail gateway
- Browser
- EDR, IDS
- Mail gateway
- Anti-spam
- SPF
- DKIM
- Newly registered domain names
- Rare domain suffixes
- Sensitive keywords
- Characteristics:
- Mail bounces (NDRs) are enabled by default
- The MTA does not enable recipient validation by default
- Conclusion: when we send a phishing e-mail to a non-existent account, receiving an NDR proves that the phishing e-mail passed the mail gateway's security review (backscatter attack)
- Bypassing anti-spam
- Using the conclusion above, probe and fuzz the anti-spam rules engine
- Stable ways to trigger an NDR:
- Body larger than 10 MB
- More than 5000 recipients
- Bypassing anti-malware
- NDR
- Anti-spam
- Summary
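The gateway checks listed here (SPF, DKIM) are the receiving side of the "configure SPF, DKIM and DMARC properly" advice in the phishing-infrastructure section. The following is an added example, not from the talk, showing how a gateway evaluates a connecting IP against an SPF record's ip4/ip6/all mechanisms and reads the DMARC policy tags. Two simplifications are assumptions made so it runs offline: include/a/mx/exists terms need DNS and are skipped, and the verdict treats the SPF result as the only authentication signal, whereas real DMARC also weighs DKIM and identifier alignment. All records and addresses are constructed.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_terms(record):
    """Split an SPF TXT record into its mechanism/modifier terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def check_spf(record, sender_ip):
    """Evaluate ip4 / ip6 / all mechanisms against the connecting IP.
    Assumption: no DNS is available, so include/a/mx/exists terms are skipped;
    a record with only such terms evaluates to "neutral"."""
    ip = ipaddress.ip_address(sender_ip)
    for term in spf_terms(record):
        qualifier = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record (p, sp, pct, rua, ...)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def gateway_verdict(spf_result, dmarc):
    """Simplified receiver decision: apply the DMARC policy when SPF does not pass.
    Assumption for brevity: real DMARC also considers DKIM and identifier alignment."""
    if spf_result == "pass":
        return "accept"
    return {"reject": "reject", "quarantine": "quarantine"}.get(dmarc["p"].lower(), "accept")


if __name__ == "__main__":
    # constructed records for the demo
    spf = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"
    dmarc = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100")
    for sender in ("198.51.100.7", "203.0.113.5"):
        result = check_spf(spf, sender)
        print(sender, result, gateway_verdict(result, dmarc))
```

A newly registered sending domain with no SPF record at all yields "neutral" here, which is exactly why the other anti-spam signals on this list (new registration, rare suffix, keywords) are scored alongside it rather than instead of it.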
Phishing sample production
- Phishing types
- CHM malicious document: easy to use, but antivirus is harsh on it and evasion is poor
- Office document with malicious macro code: easy to disguise (e.g. with a blurred image), but the macro must be enabled manually and the process chain is suspicious
- White-plus-black phishing: a signed legitimate program loads a malicious DLL through DLL hijacking; passes AV more easily, but must be decompressed before execution
- LNK file phishing: the linked object is PowerShell; perfect process chain
- PPT phishing sample: a PPT hyperlink pops up a "security declaration"; no macro is started, but it must be played full-screen to execute; not recommended
- Exploit-based phishing e-mail: high efficiency, but equally high cost
- Write an automated tool to generate the malicious LNK; key functions:
- IShellLink::SetIconLocation()
- IShellLink::SetShowCmd() (window display)
- IShellLink::SetArguments()
- IShellLink::parse()
- ...
- LNK phishing production
- Writing the phishing résumé: the content may be exaggerated so that HR is very likely to open it and delete it after reading, keeping it away from technical staff
- LNK display icon: can be changed to the default generic icon that every system displays
- How to hide the behaviour: SetShowCmd() minimises the window
- Word document storage:
- Download the Word document over the network
- (New-Object System.Net.WebClient).DownloadFile(url, file_path);
- Data restoration engines
- Protocol restoration: tcp, http, smtp
- File content restoration: office, pdf, zip
- Packer restoration: upx
- Restoring encoded data: base64
- Release the Word document locally
- Stuff the Word document into COMMAND_LINE_ARGUMENTS
- The ARGUMENTS field of the LNK stores the command-line parameters
- StringData structure, CountCharacters
- IShellLink::SetArguments()
- The stuffed data is limited by the maximum command-line length explorer.exe accepts
- Measured result: 0x7FC2 (31 KB)
- Append the Word document to the tail of the LNK file (recommended)
- Word documents, PEs or PowerShell of any size can be appended to the tail
- Use select -last 1 to locate the last object, splitting objects on "\n"
- Alternatively, select -index 1
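The COMMAND_LINE_ARGUMENTS stuffing, the CountCharacters-prefixed StringData layout and the appended-tail variant above describe what ends up on disk. The following is an added example, not the generator tool from the talk, that parses those structures from the defender's side. It walks the MS-SHLLINK layout (header, IDList, LinkInfo, StringData, ExtraData) and reports the indicators the notes mention: a SW_SHOWMINNOACTIVE window, a PowerShell target whether spelled out or as the POWERS~1.EXE short name, oversized arguments, and bytes appended after the link structure. It also returns ICON_LOCATION, which the later LNK-infection section relies on. The sample shortcut built by build_sample_lnk and the 1024-character alert threshold are constructed for the example.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that opens the window minimised
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
ARGS_ALERT_CHARS = 1024         # assumed triage threshold; the notes quote 0x7FC2 as explorer's ceiling


def parse_lnk(data: bytes) -> dict:
    """Walk header -> IDList -> LinkInfo -> StringData -> ExtraData and report what is left over."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, key in STRING_FIELDS:               # each: CountCharacters (2 bytes) + characters
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            strings[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    while off + 4 <= len(data):                  # ExtraData: a BlockSize < 4 is the terminal block
        size, = struct.unpack_from("<I", data, off)
        if size < 4:
            off += 4
            break
        off += size
    return {"flags": flags, "show_command": show_cmd, "strings": strings,
            "trailing_bytes": max(0, len(data) - off)}


def triage_lnk(data: bytes) -> list:
    """Report the indicators the notes describe: hidden window, PowerShell target, stuffed arguments, appended data."""
    info = parse_lnk(data)
    strings = info["strings"]
    text = " ".join(strings.values()).lower()
    findings = []
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised (SW_SHOWMINNOACTIVE)")
    if "powershell" in text or "powers~1" in text:
        findings.append("points at PowerShell (long or 8.3 short name)")
    if len(strings.get("arguments", "")) > ARGS_ALERT_CHARS:
        findings.append("oversized COMMAND_LINE_ARGUMENTS (%d chars)" % len(strings["arguments"]))
    if info["trailing_bytes"]:
        findings.append("%d bytes appended after the link structure" % info["trailing_bytes"])
    return findings


def build_sample_lnk(arguments: str, overlay: bytes = b"") -> bytes:
    """Constructed test data only: a minimal Unicode shortcut with a one-item IDList and no LinkInfo."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    item = struct.pack("<H", 4) + b"\x1f\x00"            # one ItemID; its size field counts itself
    id_list = item + struct.pack("<H", 0)                   # TerminalID
    id_list = struct.pack("<H", len(id_list)) + id_list     # IDListSize prefix

    def string_data(s):                                     # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = (string_data(r"..\..\WINDOWS\SYSTEM32\WINDOW~1\V1.0\POWERS~1.EXE")
            + string_data(arguments) + string_data(r"%SystemRoot%\System32\imageres.dll"))
    terminal = struct.pack("<I", 0)                         # TerminalBlock ends ExtraData
    return header + id_list + body + terminal + overlay


if __name__ == "__main__":
    sample = build_sample_lnk("-NoProfile -Command Get-Date", overlay=b"CONSTRUCTED-TRAILER")
    for finding in triage_lnk(sample):
        print("-", finding)
```

Because CountCharacters is a 16-bit field, the parser reads exactly what the shortcut declares, so a 31 KB argument string is walked correctly and reported by length rather than truncated, and anything after the TerminalBlock shows up as trailing bytes without the parser having to guess where a payload starts.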
- Fighting antivirus
- Short file name POWERS~1.EXE
- Symantec's paper on code obfuscation for reference
- Detecting security tooling
- VM - forensic tools - antivirus detection - debugger
- Conventional techniques
- Detect process names
- Detect window titles
- New approach
- Enumerate processes, obtain each process's copyright information and compare it against a blacklist
- Pros: unaffected by version upgrades, general-purpose
- How to obtain a process's full path from its PID: ProcessExplorer
- Not feasible on x86, feasible on x64
- Bypassing PCHunter's ring-0 hooks
- After such behaviour is detected, notify the attacker so the aftermath can be handled in time
Lateral movement within the internal network
- Network reconnaissance
- Classic active and passive network reconnaissance
- Active scanning
- Asset and device identification
- Enumerating available services
- Script-based probing
- Passive collection
- Listening to broadcasts
- Minefield warning
- Risk surface: network ACL blocking, HIDS on the compromised host, honeypots, NIDS
- Comparison of methods
- Active scanning
- Domain information reconnaissance: *nix, Windows AD
- Locating the domain controller (from a domain-joined host)
- Time server
- net time /domain
- w32tm /query
- DNS server
- Get-DnsClientServerAddress shows the locally configured DNS server
- Query the DNS server for the A record of the domain name
- Domain controller locator
- DC Locator process
- The mechanism generates DNS queries; following the DC Locator process is very safe
- Kerberos authentication, KDC
- GC
- Query tools
- nltest: extracts domain controller information
- net
- dsquery: queries via LDAP
- dsquery / ADSISearcher use plaintext LDAP, easy prey for IDS
- Locating the domain controller (from a host outside the domain)
- DNS reconnaissance
- Scan UDP/53
- Query the DNS FQDN from DNS
- Query locator records from DNS
- LDAP(S) & GC(S)
- Scan ports, screen for domain attributes
- Anonymous reading of part of the LDAP metadata
- Read LDAP certificate information
- GC service query: TCP/3268, TCP/3269
- Defence: anonymous bind can be turned off
- Query the LDAP(S) service
- ADExplorer: GUI, some cmdlets
- Get-ADUser
- PowerView: many cmdlets
- Kerberos
- AS-REQ & AS-REP
- The KDC issues the TGT
- User enumeration based on the AS exchange
- KERBEROSUSERENUM (A-Team GitHub)
- MSF module
- ASREPRoast
- The session key is encrypted with the user's NT hash
- John / Hashcat can crack it
- SPN (Service Principal Name): an attribute of a domain object; the object must be a machine or user account
- TGS-REQ & TGS-REP
- Service ticket
- Conclusion: an ordinary domain account can obtain a service ticket for a service account, and the service ticket can be cracked
- Kerberoast attack (based on the conclusion above)
- Rubeus.exe
- PowerView
- Hunting domain admins
- Specific user logon sessions
- Remote session enumeration
- NetSessionEnum (SMB sessions)
- NetWkstaUserEnum (interactive logon sessions); newer systems require admin privilege
- Remote user enumeration
- Scenario: a local account with the same name as a domain account may have been created by the same person
- SAMR queries of groups and members (note: since Windows 10, cannot enumerate without admin)
- LSARPC queries of the related SIDs
- Telnet enumeration
- Interactive logon: mainly refers to RDP and console logons
- Obtaining host privileges: vulnerabilities, RBCD & RPRN
- Extracting legacy credentials: PowerView, Mimikatz
- Obtaining user privileges
- Lateral movement
- MS-RPC
- WMI: based on DCOM, TCP/135, plaintext transmission
- PsExec (tip: with impacket's psexec.py the difference is that when the target supports SMB 3.0, encryption is enabled by default)
- Remote scheduled tasks
- DCOM: remote invocation of COM components, TCP/445 + random port, dcomexec.py
- Kerberos delegation
- Concept: an authentication mechanism that lets a service access other services using the identity of the visiting user
- Unconstrained delegation: by default only domain controllers are allowed unconstrained delegation
- S4U2Self
- Printer bug: SSRF in the Print Spooler service
- Unconstrained delegation + S4U2Self + printer bug -> any domain controller
- Constrained delegation
- S4U2Proxy
- Currently the most deadly: resource-based constrained delegation (RBCD)
- Inherits S4U2Self and S4U2Proxy
- Maintaining domain privileges
- Maintaining host privileges (common types, not expanded)
- SPN
- For accounts, refer to the previous section
- Golden ticket
- The TGT is encrypted with krbtgt; the TGT key is encrypted using the krbtgt account's key
- A golden ticket created with default parameters has a very long expiry; mimikatz
- DCSync pulls domain account hashes / keys
- Check points:
- krbtgt key: change the krbtgt password twice; analyse event 4769 logs
- Log analysis
- IDS rules: expiry time, algorithms, etc.
- Silver ticket
- Encrypted with the relevant service's key
- Check point:
- PAC validation
- Constrained delegation
- RBCD
- Domain Group Policy
- LAPS
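The Kerberoast and ASREPRoast items in the Kerberos section and the "log analysis 4769 / IDS rules: expiry time, algorithms" check points above point at the same audit data. Below is an added example, not from the talk, that runs those two checks over constructed Kerberos audit events: 4769 service-ticket requests using RC4 (TicketEncryptionType 0x17) for several distinct SPNs from one account inside a short window, and 4768 TGT requests with PreAuthType 0 (no pre-authentication). The one-line key=value format, account names and addresses are constructed; real Windows events are XML with many more fields, and the five-minute window and three-service threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified rendering of Windows security event IDs
# 4768 / 4769); real events are XML with many more fields.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-05-01T09:00:30 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=MSSQLSvc/db02 TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-05-01T09:01:10 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17 IpAddress=10.0.0.9
2024-05-01T09:01:11 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=HTTP/web01 TicketEncryptionType=0x17 IpAddress=10.0.0.9
2024-05-01T09:01:12 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=CIFS/file01 TicketEncryptionType=0x17 IpAddress=10.0.0.9
2024-05-01T09:02:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.9
2024-05-01T09:05:00 EventID=4768 TargetUserName=svc_backup ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.0.0.9
"""

RC4_HMAC = "0x17"          # etype 23; AES tickets show as 0x11 / 0x12


def parse_events(text):
    """One event per line: ISO timestamp followed by key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["time"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def detect_roasting(events, window=timedelta(minutes=5), min_services=3):
    """Return findings for ASREPRoast candidates and Kerberoast-like request bursts."""
    findings = []
    rc4_by_user = defaultdict(list)
    for ev in events:
        # 4768 with pre-authentication type 0: the account answers AS-REQ without pre-auth
        if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0":
            findings.append({"rule": "asrep_roast_candidate",
                             "user": ev["TargetUserName"], "ip": ev.get("IpAddress")})
        # 4769 RC4 service tickets for anything other than krbtgt feed the burst check
        if (ev.get("EventID") == "4769"
                and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
                and not ev.get("ServiceName", "").lower().startswith("krbtgt")):
            rc4_by_user[ev["TargetUserName"]].append(ev)
    for user, evs in rc4_by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):      # sliding window over one account's RC4 requests
            burst = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            services = sorted({e["ServiceName"] for e in burst})
            if len(services) >= min_services:
                findings.append({"rule": "kerberoast_pattern", "user": user,
                                 "services": services, "ip": first.get("IpAddress")})
                break
    return findings


if __name__ == "__main__":
    for finding in detect_roasting(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

In the sample, carol's single RC4 ticket stays below the threshold and alice's AES TGS request is ignored, so only bob's three-SPN burst and svc_backup's pre-auth-free TGT request are reported; the same RC4-versus-AES split is what the "algorithms" IDS rule above keys on.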
File infection and lateral movement
- File infection
- Significance
- Scenarios
- The company's supply-chain software repository, similar to the "Driver Life" (驱动人生) incident
- Infecting remote file shares
- Infecting external devices such as USB drives and portable hard disks
- Disks mounted on the server over RDP (3389)
- E-mail infection, inserting malicious macros
- Traffic hijacking, infecting files in transit
- Methods
- PE infection
- LNK infection
- Office infection
- Conventional PE infection
- Add an import to the EXE and write the malicious code in DllMain; tool: StudyPE
- Insert malicious code into the PE, modify the OEP, rebuild the PE
- Jump to the malicious code from somewhere inside the OEP code
- Modify the OEP to point at the malicious code
- Evasion ideas
- DLL loading
- OEP jump
- Using TLS (thread local storage) callbacks
- TLS infection
- TLS callbacks, anti-debugging; the malicious code sits in a TLS callback, no need to modify the OEP
- TLS data structures
- Overall TLS infection process: search for section gaps -> modify the header and record the data -> build the TLS directory and TLS callbacks -> rebuild the PE -> release the malicious file
- LNK files
- How does the icon remain unchanged?
- IShellLink::SetIconLocation() sets the LNK's icon to the current exe's icon
- The malicious code then launches the original program normally
- With rundll32.exe
- Scenarios: persistence, lateral movement
- Office file infection
- .docx and .docm (macro files) can be renamed to .doc
- Goal: convert .docx to .doc or .docm with malicious macros
- Fighting antivirus
- Modify the file association
- Renaming .docm to .doc counters detection based on the .docm suffix
- Modify the macro file association to counter detection based on file name or type