Agenda ▪ Introduction ▪ “Standard” Infrastructure ▪ Weaknesses ▪ “Advanced” Infrastructure ▪ For The Reds: Tips for a Strong Infrastructure ▪ For The Blues: Tips and Tradecraft ▪ Questions
Purpose ▪ Infrastructure design ▫ Build a resilient infrastructure ▫ Stay hidden ▫ Separation of resources ▪ Secure the infrastructure ▫ Prevent “hack-back” ▫ Prevent data leakage ▪ Train both Blue and Red
Props to prior research ▪ blog.cobaltstrike.com - Raphael Mudge ▫ “A Vision for Distributed Red Team Operations” ▫ “Advanced Threat Tactics: Course and Notes” ▪ Cybersyndicates.com - Alex Rymdeko-Harvey ▫ “6 Red Team Infrastructure Tips”
Weaknesses ▪ Hosted payloads are easily enumerated by defenders ▪ C2 may be easily blocked by IP, netblock, or domain name ▪ No redundancy in case of outages ▪ Susceptible to Internet-wide probing or exploitation
Design ▪ Based on “Infrastructure for Ongoing Red Team Operations” by Raphael Mudge ▪ Segregate assets based on function, minimize overlap ▪ Place redirectors in front of every host
Components ▪ Four teamservers ▫ Phishing & payloads ▫ Long-term DNS C2 ▫ Short-term DNS C2 ▫ Short-term HTTP C2 ▪ Four redirectors (VPS hosts) ▫ Two for DNS C2 via socat/iptables ▫ HTTP C2 via Apache ▫ HTTP payloads via Apache ▪ SMTP server (VPS host) ▪ Four domains
Domains ▪ expireddomains.net ▫ Oldest first-registration date ▫ High SimilarWeb score ▫ High number of backlinks ▪ Register previously used domains rather than fresh ones ▪ Register domains in the same category ▪ Domains categorized as Finance/Healthcare are often exempted from SSL inspection
SMTP ▪ Send through a “redirector” ▪ Strip headers that reveal the previous server ▪ Catch-all address to receive bounce-backs and responses ▪ Use third-party SMTP servers ▫ Read the TOS first!
DNS Redirecting ▪ socat: http://www.rvrsh3ll.net/blog/offensive/redirecting-cobalt-strike-dns-beacons/ ▪ iptables ▫ Forward UDP port 53 from the redirector to the teamserver
Modified C2 Signatures ▪ Changes how C2 looks on the wire ▪ Impersonate an adversary or internal applications ▪ Malleable C2 profiles (Cobalt Strike) ▪ Communication profiles (Empire) ▪ Use a custom profile on every server!
Watching the watchers ▪ ‘Pre-phish’ with a weak phish to fingerprint the response ▫ Easy to spot, but not Nigerian-prince obvious ▫ Use completely different infrastructure ▫ Perform far in advance ▪ WATCH ALL LOGS ▫ Look for requests with curl/wget/Python user agents ▫ Geolocate IPs ▫ ID appliances ▫ ID incident response actions
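One way to do the "watch all logs" triage on a payload redirector, as an added example that is not from the deck or the linked posts: the Apache combined-format lines below are constructed sample data, and the user-agent list is an assumed starting point rather than a complete one.

```shell
#!/bin/sh
# Added example (not from the original deck): triage a redirector's Apache
# access log for scripted fetches. The log lines below are constructed sample
# data; the user-agent regex is an assumed starting list, not a complete one.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2017:14:02:11 +0000] "GET /update/app.exe HTTP/1.1" 200 51200 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
198.51.100.23 - - [10/Mar/2017:14:05:43 +0000] "GET /update/app.exe HTTP/1.1" 200 51200 "-" "curl/7.47.0"
198.51.100.23 - - [10/Mar/2017:14:05:50 +0000] "GET /update/ HTTP/1.1" 403 199 "-" "Wget/1.17.1 (linux-gnu)"
192.0.2.55 - - [10/Mar/2017:14:07:02 +0000] "GET /update/app.exe HTTP/1.1" 200 51200 "-" "python-requests/2.12.4"
203.0.113.9 - - [10/Mar/2017:14:09:30 +0000] "GET /update/app.exe HTTP/1.1" 200 51200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'

# User agents of command-line fetchers and scripting libraries that an analyst
# or sandbox typically uses to pull a hosted payload (assumed list). The leading
# quote anchors the match to the start of the user-agent field.
TOOL_UA='"(curl|wget|python|go-http-client|libwww|java)'

# Print the log lines whose user-agent field matches TOOL_UA.
suspect_requests() {
  printf '%s\n' "$1" | grep -Ei "$TOOL_UA"
}

# Distinct source IPs of the suspect requests, one per line, ready for
# geolocation, reverse DNS, or a DROP rule on the redirector.
suspect_ips() {
  suspect_requests "$1" | awk '{ print $1 }' | sort -u
}

# Hit count per suspect IP, busiest first, to separate a one-off fetch from an
# analyst repeatedly pulling the payload path.
suspect_ip_counts() {
  suspect_requests "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}
```

Run it against the real log with `suspect_requests "$(cat /var/log/apache2/access.log)"`; because the redirectors forward traffic, these are the only hosts that see the original client IP, which is another reason to ship their logs to the central rsyslog host.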
Watching the watchers ▪ Monitor domain/IP categorization/blacklisting ▪ Monitor emails, if possible ▫ Compromised accounts ▫ Bouncebacks ▪ Roll infrastructure as needed
Logistics ▪ Document the setup ▫ Know what points where ▪ Split hosts amongst providers ▫ (Pay attention to terms of service!) ▪ Keep elements as independent as possible ▪ Forward all logs to central server via rsyslog
Securing the Teamserver ▪ Make cron directories immutable (chattr +i) ▪ iptables ▫ Restrict each service to only the IPs that need it ▪ Lock down SSH ▫ Public-key auth only ▫ Limited user rights
Identifying malicious DNS traffic ▪ Request length ▪ Same domain with many subdomains ▫ Entropy in subdomains ▪ Names resolving to 0.0.0.0 ▪ If you start looking for DNS C2 traffic, it’s easy to spot!
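The two iptables pieces in this deck, forwarding UDP/53 from a redirector to the teamserver (the socat/iptables DNS redirect slide) and restricting the teamserver itself to the IPs that need it (this slide), scripted as an added example that is not from the deck or the linked posts. The addresses, the operator source IP and the teamserver client port 50050 are assumed values; the functions only print the commands, so nothing is applied until you pipe the output to a root shell.

```shell
#!/bin/sh
# Added example (not from the original deck): emit the iptables/socat commands
# for a DNS redirector and a locked-down teamserver. Nothing is applied unless
# the output is piped to a root shell. All addresses below are assumed values.
TEAMSERVER=10.10.10.5      # assumed teamserver IP
REDIRECTOR=203.0.113.10    # assumed DNS redirector IP
OPS_IP=198.51.100.77       # assumed operator source IP (e.g. VPN egress)
TS_PORT=50050              # assumed teamserver client port

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Redirector: DNAT every UDP/53 query to the teamserver. MASQUERADE makes the
# teamserver see the redirector, not the resolver, as the source, so the
# client-side evidence lives only in the redirector's logs.
dns_redirect_rules() {
  valid_ipv4 "$1" || { echo "dns_redirect_rules: bad IPv4 '$1'" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -I INPUT -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination $1:53
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
EOF
}

# Redirector alternative: userland UDP relay with socat, one handler per datagram.
dns_redirect_socat() {
  valid_ipv4 "$1" || { echo "dns_redirect_socat: bad IPv4 '$1'" >&2; return 1; }
  printf 'socat udp4-recvfrom:53,reuseaddr,fork udp4-sendto:%s:53 &\n' "$1"
}

# Teamserver: DNS only from the redirector, SSH and the teamserver port only
# from the operators' IP. The DROP policy is set last so an SSH session from
# the operator IP is covered by the ACCEPT rules before the default flips.
teamserver_rules() {
  redir="$1"; ops="$2"; port="$3"
  valid_ipv4 "$redir" && valid_ipv4 "$ops" || { echo "teamserver_rules: bad IPv4" >&2; return 1; }
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -s $redir -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $ops -j ACCEPT
iptables -A INPUT -p tcp --dport $port -s $ops -j ACCEPT
iptables -P INPUT DROP
EOF
}
```

On the redirector run `dns_redirect_rules "$TEAMSERVER" | sudo sh` (or `dns_redirect_socat "$TEAMSERVER" | sudo sh`); on the teamserver run `teamserver_rules "$REDIRECTOR" "$OPS_IP" "$TS_PORT" | sudo sh` from the operator IP, and persist the result with `iptables-save` so a reboot does not silently reopen the host. With several DNS redirectors, add one `--dport 53` line per redirector address.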
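The three traits on this slide (name length, subdomain entropy, many subdomains under one domain) turned into a scoring pass over resolver log lines, as an added example that is not from the deck. The "client qname" lines are constructed sample data, and the thresholds (40 characters, 3.0 bits per character, 3 distinct names) are assumed starting points to tune against your own resolver's baseline.

```shell
#!/bin/sh
# Added example (not from the original deck): score DNS queries for the DNS-C2
# traits on the slide. Input lines are "client qname" pairs, constructed sample
# data; the thresholds are assumed starting points, not measured values.
DNS_LOG='10.0.0.12 www.example.com
10.0.0.12 mail.example.com
10.0.0.31 a7f3e9c1b2d4.2a0c.7e1f44.c2-domain.example
10.0.0.31 9b0e2d77c3a1.2a0d.7e1f44.c2-domain.example
10.0.0.31 c4d8f1a3e6b2.2a0e.7e1f44.c2-domain.example
10.0.0.31 0f2a6b9c1d3e.2a0f.7e1f44.c2-domain.example
10.0.0.45 cdn.example.net'
MAX_LEN=40        # assumed: total qname length above this is suspect
MAX_ENTROPY=3.0   # assumed: bits/char of the leftmost label above this is suspect
MIN_FANOUT=3      # assumed: distinct names under one domain at or above this is suspect

# Per query: total name length and Shannon entropy (bits per character) of the
# leftmost label. Encoded C2 data pushes both up; flag when either crosses its threshold.
dns_score() {
  printf '%s\n' "$1" | awk -v maxlen="$MAX_LEN" -v maxent="$MAX_ENTROPY" '
  function entropy(s,    n, i, cnt, k, p, h) {
    split("", cnt)
    n = length(s)
    for (i = 1; i <= n; i++) cnt[substr(s, i, 1)]++
    h = 0
    for (k in cnt) { p = cnt[k] / n; h -= p * log(p) / log(2) }
    return h
  }
  {
    split($2, lab, ".")
    e = entropy(lab[1])
    flag = (length($2) > maxlen || e > maxent) ? "SUSPECT" : "ok"
    printf "%s %-7s len=%d entropy=%.2f %s\n", $1, flag, length($2), e, $2
  }'
}

# Per registered domain (last two labels): number of distinct names queried.
# A legitimate zone sees a handful; a C2 zone gets a fresh name on every check-in.
dns_fanout() {
  printf '%s\n' "$1" | awk -v min="$MIN_FANOUT" '
  {
    n = split($2, lab, ".")
    dom = lab[n-1] "." lab[n]
    if (!seen[$2]++) names[dom]++
  }
  END { for (d in names) if (names[d] >= min) printf "%s %d\n", d, names[d] }'
}
```

Entropy alone misreports short random-looking but legitimate labels (a CDN hash, for instance), so combine the score with the fan-out count and with the 0.0.0.0 answers noted above before calling a client infected; the two functions are deliberately kept separate so each signal can be tuned on its own.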
Identifying other malicious traffic (cont.) ▪ Process monitoring ▫ Why is x process talking to the Internet? ▫ Example Tools ■ Sysmon/Procmon ■ Carbon Black
Thanks! ANY QUESTIONS? You can contact us at: @424f424f (Steve Borosh) @bluscreenofjeff (Jeff Dimmock) http://www.rvrsh3ll.net https://www.bluescreenofjeff.com