Tradecraft - Red Team Operations Course and Notes

A few days ago, I posted the YouTube playlist on Twitter and it’s made a few rounds. That’s great. This blog post properly introduces the course along with a few notes and references for each segment.

Tradecraft is a new nine-part course that provides the background and skills needed to execute a targeted attack as an external actor with Cobalt Strike. I published this course to help you get the most out of the tools I develop.

If you’d like to jump into the course, it’s on YouTube:

Here are a few notes to explore each topic in the course with more depth.

1. Introduction

The first part of tradecraft introduces the course, the Metasploit Framework, and Cobalt Strike. If you already know Armitage or the Metasploit Framework–you don’t need to watch this segment. The goal of this segment is to provide the base background and vocabulary for Metasploit Framework novices to follow this course.

To learn more about the Metasploit Framework:

• Visit the Metasploit Homepage
• Read through the Metasploit Unleashed Wiki hosted by Offensive Security
• Buy Metasploit – The Penetration Tester’s Guide from No Starch Press.
• Watch the Metasploit Framework Expert Series from SecurityTube

Cobalt Strike:

• Most Cobalt Strike features have a support page dedicated to them, with documentation and videos.
• Tactics to Hack an Enterprise Network summarizes how to execute a targeted attack as an external actor with Cobalt Strike.

Targeted Attacks and Advanced Persistent Threat:

• Read Intelligence-Driven Computer Network Defense from Lockheed Martin. The process in this course maps well to the “systematic process to target and engage an adversary” presented in this paper. If you need to exercise controls that detect, deny, disrupt, degrade, or deceive an adversary–I know a product that can help 🙂
• Watch Michael Daly’s 2009 USENIX talk, The Advanced Persistent Threat. This talk pre-dates the marketing bonanza over APT actors and their work. This is a common sense discussion of the topic without an agenda. Even though it’s from 2009, the material is spot on.
• Watch Kevin Mandia’s 2014 RSA talk, State of the Hack: One Year After the APT1 Report. This is a 20 minute summary of the APT1 report published by Mandiant in February 2013.

Advanced Persistent Threat Campaigns

These actors managed to compromise thousands of hosts and steal data from them for years, without detection. Cobalt Strike’s aim is to augment the Metasploit Framework to replicate these types of threats.

• Uroburos: Highly complex espionage software with Russian roots (March 2014)
• Unveiling “Careto” – The Masked APT (February 2014)
• “Red October” Diplomatic Cyber Attacks Investigations (January 2013)
• W32.Duqu – The Precursor to the Next Stuxnet (November 2011)
• APT Notes – A Collection of APT reports by year.

2. Basic Exploitation (aka Hacking circa 2003)

Basic Exploitation introduces the Metasploit Framework and how to use it through Cobalt Strike. I cover how to pick a remote exploit, brute force credentials, and pivot through SSH. I call this lecture “hacking circa 2003” because remote memory corruption exploits have little use in an environment with a handle on patch management. Again, if you have strong Metasploit-fu, you may skip this lecture.

A few notes:

• I dismiss remote memory corruption exploits as a dated vector; but don’t discount the remote attack surface. HD Moore and Val Smith‘s Tactical Exploitation is one of the best resources on how to extract information from exposed services. First published in 2007, it’s still relevant. Watch the video and read the paper.
• I used the Metasploitable 2 Virtual Machine for the Linux demonstrations in this segment.

3. Getting a Foothold

This segment introduces how to execute a targeted attack with Cobalt Strike. We cover client-side attacks, reconnaissance, and crafting an attack package.

To go deeper into this material:

• Read the MetaPhish paper and watch the MetaPhish presentation. This talk greatly influenced my work.
• Go deeper with the System Profiler in phishing system profiles without phone calls
• Read Matt Weeks‘ blog post Direct Shellcode Execution in MS Office Macros.
• Read about why Cobalt Strike exposes x86 payloads over x64 payloads. There’s a valid reason behind it.

4. Social Engineering

The fourth installment of tradecraft covers how to get an attack package to a user. The use of physical media as an attack vector is explored as well as watering hole attacks, one off phishing sites, and spear phishing.

• Watch Advanced Phishing Tactics by Martin Bos and Eric Milam. This talk puts together a lot of concepts needed for a successful phish. How to harvest addresses, develop a good pretext, and create a phishing site.
• Advanced Threat actors favor spear phishing as an access vector. I’d point you to one source, but since this concept has such market buzz, there are a lot of whitepapers on this topic. I suggest a google search and reading something from a source you consider credible.

5. Post Exploitation with Beacon

By this time, you know how to craft and deliver an attack package. Now, it’s time to learn how to setup Beacon and use it for asynchronous and interactive operations.

• Read Beacon – An Operator’s Guide for a summary of everything Beacon related.
• A lot of people claim “that’ll never work, we dont allow port 53 out” when I bring up Beacon’s DNS communication capability. They’re kind of… wrong. Read the linked post to find out why.
• Watch Dirty Red Team Tricks II to get an idea of how asynchronous C2 (e.g., beaconing) can complement interactive C2.
• After this course was cut, Beacon added the ability to communicate peer-to-peer over SMB pipes. I recommend studying up on this feature.
• Beacon’s command and control traffic is Malleable. This means you may redefine its indicators to look like other malware.

6. Post Exploitation with Meterpreter

This video digs into interactive post-exploitation with Meterpreter. You will learn how to use Meterpreter, pivot through the target’s browser, escalate privileges, pivot, and use external tools through a pivot.

• I have some advice for Meterpreter users in Situational Awareness for Meterpreter Users
• Find out more about Browser Pivoting.

Privilege Escalation

• Encyclopedia of Windows Privilege Escalation by Brett Moore
• bypass uac is a great module. Read Dave Kennedy’s post on it and the original reference on the technique.
• Read User Account Control – What Penetration Testers Should Know
• Read: Windows Services – All Roads Lead to SYSTEM

7. Lateral Movement

This installment covers lateral movement. You’ll learn how to enumerate hosts and systems with built-in Windows commands, steal tokens, interrogate hosts to steal data, and use just Windows commands to compromise a fully-patched system by abusing trust relationships. My technical foundation is very Linux heavy, I wish this lecture existed when I was refreshing my skillset.

Token Stealing and Active Directory Abuse

• For more background on Windows Trust Relationships, check out Jim Foster’s (of Foofus.net fame) excellent Insidious Implicit Windows Trust Relationships from BSides Detroit. This talk wasn’t recorded (boo!), but Jim has good notes with his slides.
• Read Luke Jenning‘s paper Security Implications of Windows Access Tokens – A Penetration Tester’s Guide
• Don’t fixate yourself on the domain admin only. Read zeknox‘s blog post to find out which systems your domain user is a local admin on.
• Watch Windows Attacks: AT is the New Black by Chris Gates and Rob Fuller
• Read Authenticated Remote Code Execution in Windows by Matt Weeks for more ways to schedule or run a process on a remote system.
• Read Covert Lateral Movement with High-Latency C&C to learn how to move laterally with Beacon.

Recovering Passwords 

• Read more details about how Windows Group Policy Preferences feature stores passwords. The original disclosure on this flaw doesn’t seem to be online or else I’d link to it as a primary source.
• Read about mimikatz and how it works from Benjamin Delpy. He drops a lot of knowledge in Français to keep it out of the hands of script kiddies. Beware.
• Passwords aren’t everything. Learn how to generate a Golden Ticket with Mimikatz 2.0 and use it for lateral movement.

Pass the Hash

• Pass the Hash is possible with more than just psexec. Take a look at Chris Campbell and Alva Lease ‘Skip’ Duckwall IV‘s Passing the Hash 15 Years Later and Pass the Hash II: The Admin’s Revenge. There is great background on this attack technique in both talks.

8. Offense in Depth

This segment dissects the process to get a foothold into the defenses you’ll encounter. You’ll learn how to avoid or get past defenses that prevent message delivery, prevent code execution, and detect or stop command and control.

Email Delivery

• Were you entertained and delighted by the topic of SPF, DKIM, and DMARC? Read Email Delivery – What Penetration Tester’s Should Know for even more information

Anti-virus Evasion

• If you like, you may use Cortana to force Armitage or Cobalt Strike to use an AV-safe executable of your choosing. You have the option to select an EXE with Cobalt Strike’s dialogs. This process allows you to automate the process of generating a new automatically for your payload parameters.
• Also, check out Veil, a framework for generating anti-virus safe executables.
• Here’s a blog post by funoverip.net on how to modify a client-side exploit to get past an anti-virus product

Payload Staging

• The concept of staging and its limitations is important to understand. Read Payload Staging – What Penetration Testers Should Know as well.
• Read How to write a stager for Meterpreter.
• Sometimes, egress is hard. Read Evade Egress Restrictions with Staged Payloads for tips to get your stager past network defenses.

Offense in Depth

• One of my favorite talks that puts a lot of these concepts together is No Tools, No Problem? Writing a PowerShell Bot Net by Chris Campbell.
• Watch The Infosec Revival by Matt Weeks. This talk walks through how a modern threat gets their foothold, escalate their privileges, and moves laterally in a Windows enterprise network. Matt then walks through things network admins can do to make life harder for hackers.

9. Operations

This last chapter covers operations. Learn how to collaborate during a red team engagement, manage multiple team servers from one client, and load scripts to help you out.

• Watch Force Multipliers for Red Team Operations — I discuss why collaboration, distribution, and automation are important.
• Read A Vision for Distributed Red Team Operations — this post describes Cobalt Strike’s approach to managing multiple attack nodes through one client.
• More information on the Cortana scripting technology is available in the documentation.
• I’ve written several after action reports on different red team exercises. The NCCDC Red Team – Fair and Balanced blog post describes the model for red team collaboration I recommend here.

Labs

The online course does not have dedicated labs per se. I have two sets of labs I run through with this material.

When I’m hired to teach, I bring a Windows enterprise in a box. I have my students conduct several drills to get familiar with the tools. I then drop them into my enterprise environment and assign goals for them to go through.

I also have a DVD with labs that map to the old version of this course. This DVD has two Linux target virtual machines and an attack virtual machine. Nothing beats setting up a Windows environment to play with these concepts, but this DVD isn’t a bad starter. If you see me at a conference, ask for one.