SESSION ID: OST-W02
Abaddon, the Red Team Angel
Charles IBRAHIM
Information Security Senior Consultant, Wavestone
@Ibrahimous
#RSAC

Red Team operations management: a story of complexity
Why, on earth, another tool?

Reminder: what is a red team operation?
Real goals, bold means, long run
⁄ Test an information system's security in depth, in real conditions
⁄ Miscellaneous attack vectors
⁄ Bounces on indirect targets to reach the goal

How does red teaming work?
⁄ Identify business trophies from critical risks (access the SWIFT network, perform bank transfers…)
⁄ Design and perform real-life attacks by mixing "classical" audit skills and out-of-the-box tactics, techniques and procedures (TTP): advanced TTP used by APT, FIN6 or other attacker groups…
⁄ Provide a clear answer to the board: given a threat model, am I at risk?

But: why, on earth, another tool?
Because:
⁄ Tons of tools, no aggregation
⁄ "Operational security" failures are common

What do we want? Facilitate Red Team operations by:
⁄ Reducing the time to build an infrastructure
⁄ Enabling complex actions with 1 or 2 clicks
⁄ Enabling easier reporting for long operations
⁄ Reducing the "OPSEC failure" risk

02 Automating C&C deployments

Show me that tool!
Authentication - What works now
⁄ Authentication works and is useful
Authentication - What could be improved
⁄ Authenticate against an external service like LDAP

Show me your reconnaissance!
Under development – will be upgraded until February 6th
Reconnaissance - What works now
⁄ Nmap, recon-ng & Hunterio scans
Reconnaissance - What could be improved
⁄ Use Amass
⁄ Consolidate the results of all the tools

A crucial step that could be enhanced
What we've automated: starting from a custom external cartography methodology, we took nmap & recon-ng and put them behind an interface. Then we took hunterio & amass (under development) and put them behind an interface.
What could be improved: integrate more recon tools and consolidate their results.

Recon. That's cute. Time to bring out the big guns (= build your C&C infrastructure)

Command and Control architecture
⁄ Deployed within 30 minutes on AWS
⁄ Throwable, authenticated, stealth
⁄ Enables phishing as well as remote command execution

Architecture diagram (flattened from the slide):
⁄ Red Teamer: public key SSH authentication / web authentication through HTTPS to Abaddon (Flask server); a professional Gmail account and a Route53 domain name are used for the operation
⁄ EC2 instance with nginx proxy: i. installed on an automatically deployed EC2 instance; ii. hosting a dockerized & automatically deployed nginx proxy. It performs ID & timestamp decryption on incoming HTTPS requests: 1) valid timestamp: HTTPS requests are transferred to the C&C; 2) invalid timestamp: redirect to the false flag website
⁄ EC2 instance with website (false flag website "Your secure network"): i. installed on an automatically deployed EC2 instance; ii. pointed to by Gophish
⁄ EC2 instance with Gophish: throwable Gophish instances hosting the phishing website
⁄ C&C server (SilentTrinity) behind an Apache reverse proxy, with HTTPS requests forwarded over the proxy protocol; RedELK handles communications logging; the Red Teamer drives it through the C&C client (SilentTrinity)
⁄ 1) Phishing scenario: victim receives the phishing, leading to compromise of the target network
⁄ 2) RCE scenario: stager download by requesting the false flag website, then HTTPS requests with encrypted ID & timestamp carry the remote command execution

Show me your EC2!
Deploy EC2 instances - What works now
⁄ Deploy one or several instances, "undeploy" them, monitor them
Deploy EC2 instances - What could be improved
⁄ Use an IaaS like Terraform
⁄ Use GCP and not only AWS

Show me your Gophish!
Deploy Gophish - What works now
⁄ Access the Gophish admin panel within minutes
⁄ Automatically deploy an htaccess & change the default password depending on a local configuration file
Deploy Gophish - What could be improved
⁄ Far from enough: deploy the full infrastructure! Did you say SilentTrinity? You did mention RedELK!

Show me that deployment!
Using a fake site to deceive the SOC
Using SilentTrinity through Abaddon

Under the hood
Containers. Lots of them. THE proxy protocol.

Deploy a full C&C infrastructure - What works now
⁄ It worked in operations, helped us save a lot of time & stay stealthy
Deploy a full C&C infrastructure - What could be improved
⁄ Change parameters of the deployed infrastructure, to avoid redeploying when changes need to be applied

Oldies: show me your cloud fronting dist
2020_USA20_OST-W02_01_Abaddon-the-Red-Team-Angel