SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection

Overview

In section one we will lay the foundations for the rest of the course by:

• Leveraging the power of automation to deploy our lab infrastructure.
• Learning how to build a purple team in-house, covering process, approach, and tooling.
• Tracking purple teaming exercises using VECTR.
• Building an emulation and detection pipeline using a variety of available technology (SIGMA for detection rule development, and various adversary emulation tools, with a focus on Covenant and Prelude Operator).

Even though this is the first section, you will have significant hands-on opportunities, as students will complete five different exercises.

Exercises

• Exercise: Deploying the lab environment
• Exercise: Introduction to VECTR
• Exercise: Preparing our Elastic and SIGMA stack
• Exercise: Preparing our adversary emulation stack
• Exercise: Prelude

Topics

• Introduction

  • Course objectives
  • Building our lab environment
  • Introducing the lab architecture
  • Purple Teaming Organization

• Key Tools

  • Building a stack for detection
  • Assessing detection coverage
  • Rule-based versus anomaly-based detection
  • Building a stack for adversary emulation
  • Automating emulation using Prelude Operator

Overview

The following modules will be covered in section two:

• We'll start with a state-of-the-art overview on current attack strategies & defenses for initial execution.
• We will zoom in on built-in defenses provided by Microsoft such as the Anti Malware Scanning Interface (AMSI). How does it work, how effective is it and can it be bypassed?
• Controlling execution on your endpoints using Attack Surface Reduction (ASR) rules. Introduced in Windows 10, ASR rules are an additional security layer that can be used to prevent execution of malicious payloads. We will zoom in on there effectiveness and test several bypasses.
• Controlling execution on your endpoints using AppLocker. Introduced in Windows 7, Applocker is an application control technique that can be used to prevent execution of malicious payloads. We will zoom in on its effectiveness and test several bypasses.
• The rise of Endpoint Detection & Response (EDR) tools has provided organisations with a means to enable in-depth detection and perform immediate response activities on their endpoints. These tools have changed the security landscape and have forced adversaries to get creative. We will look at a number of EDR bypass strategies including Child-Parent Process ID spoofing, Command line argument spoofing, Process injection & hollowing and finally the use of direct syscalls. It gets quite technical here...

Exercises

• Exercise: VBA Stomping, Purging & AMSI Bypasses
• Exercise: Bypassing Application Execution Control
• Exercise: Bypassing Attack Surface Reduction
• Exercise: Bypassing Modern Security Products - Child-parent and command-line spoofing
• Exercise: Bypassing Modern Security Products - Process hollowing
• Exercise: Bypassing Modern Security Products - Direct System calls

Topics

• Initial Intrusion Strategies

  • Traditional Attack Strategies & Defenses
• Emulating Adversarial Techniques & Detections
• Anti-Malware Scanning Interface (AMSI)
• Office Macro Obfuscation Techniques
• Application Execution Control
• ExploitGuard & Attack Surface Reduction Rules

• Going Stealth - Process Shenanigans

  • Zooming in on Windows Internals
  • Bypassing Security Products through Process Shenanigans
  • Hunting for These Shenanigans

• Conclusions

Overview

The following modules will be covered in section three:

• Enumerating Active Directory resources and configurations to map the overall attack surface of an AD environment.
• Understanding the Local Security Authority Subsystem Service (LSASS) process. What is its purpose and how is it traditionally attacked? We will go in-depth and explan topics such as Security Support Provicers (SSPs) and Authentcation Packages (APs). After this explanation, we will zoom in on the execution and detection of LSASS dumping attacks using a variety of tools (including Mimikatz, Dumpert, ProcDump,&)
• Given the focus of security products on LSASS, we will also investigate other credential dumping techniques. How can adversaries steal credentials without touching LSASS? Key techniques will include Internal Monologue (NTLMv1 downgrade), NTDS.dit stealing and DCSync.
• Forcing Windows Authentication: Provided with network-level access (or an initial payload on a network-connected device), how can we obtain additional credentials through forcing other Windows systems to connect to us? Typical topics include the use of LLMNR, but also IPv6-based MitM attacks.
• A refresh on Kerberos and traditional attacks such as Kerberoasting, ASReproasting, golden tickets, silver tickets and the Skeleton Key attack. After the refresh, we will focus on advanced attack strategies, primarily focused on delegation attacks. We will cover unconstrained delegation, constrained delegation and resource-based constrained delegation.

Exercises

• Exercise: Analyzing BloodHound attack chains
• Exercise: Stealing credentials from LSASS
• Exercise: Internal Monologue in NTLMv1 downgrades
• Exercise: Creative NTLMv2 Challenge-Response stealing
• Exercise: Abusing unconstrained delegation
• Exercise: Abusing constrained delegation

Topics

• Active Directory Enumeration

  • Bloodhound Enumeration

• Credential Dumping

  • LSASS Credential Stealing Techniques
  • Stealing credentials without touching LSASS
  • Stealing NTLMv2 Challenge-Response

• Kerberos Attacks

  • Kerberos refresh
  • Unconstrained Delegation Attacks
  • (Resource-based) Constrained Delegation Attacks

• Conclusion

Overview

The following modules will be covered in section four:

• An explanation on the security boundaries in AD environment and how adversaries can possibly pivot between different domains and forests.
• Explaining typical persistence strategies used by adversaries. We will also discuss typical detection strategies.
• Abusing the Component Object Model (COM) to establish a persistent foothold in a target environment. Attacks we will cover include Phantom COM Objects and COM Search Order Hijacking
• Obtaining persistence through the use of Windows Management Instrumentation (WMI). We will explain WMI Event Filters, Event Consumers and Event Filter to Consumer bindings
• Establishing persistence through DLLs such as AppCert, AppInit and Netshell.
• Leveraging Microsoft Office for persistence, with a key focus on template shenanigans and malicious add-ins
• Abusing the Application Compatibility Toolkit (ACT) to obtain persistence through application shims.
• Stealth persistence using the AD

Exercises

• Exercise: Pivoting between domains and forests
• Exercise: COM Object Hijacking
• Exercise: WMI Persistence
• Exercise: Implementing Netsh helper DLLs
• Exercise: Office Persistence
• Exercise: Application Shimming
• Exercise: Stealth AD persistence

Topics

• Pivoting between domains and forests

  • Breaking Domain & Forest Trusts
• Persistence Techniques
• COM Object Hijacking
• WMI Persistence
• AppCert, AppInit & Netsh Helper DLLs
• Office Template & Library tricks
• Application shimming
• Sealth AD Persistence

• Conclusion

Overview

The following modules will be covered in section five:

• We will build out emulation plans for five specific threat actors: APT-33, EvilCorp, APT-28, APT-34 and Turla.
• Upon completing the emulation plans, we will execute them using Caldera, Covenant, and Prelude Operator.

Exercises

• APT-33 Emulation Plan
• EvilCorp Emulation Plan
• APT-28 Emulation Plan
• APT-34 Emulation Plan
• Turla Emulation Plan

Topics

• Executing Emulation Plans
• APT-33 Emulation Plan
• EvilCorp Emulation Plan
• APT-28 Emulation Plan
• APT-34 Emulation Plan
• Turla Emulation Plan