ANATOMY OF A GOVERNMENT RED TEAM ASSESSMENT (Jason Hill, May 20, 2019)



SLIDE 1

Jason Hill, May 20, 2019

CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

ANATOMY OF A GOVERNMENT RED TEAM ASSESSMENT

SLIDE 2

TLP:WHITE

AGENDA

§ Who am I
§ CISA Assessments Services and Goals
§ Red Team Assessments (RTA) – Methodology
§ RTA Walkthrough – Actual Assessment
§ Questions

SLIDE 3

WHO AM I

§ Jason Hill
§ Branch Chief NCATS
§ VA National Guard (retired) – Cyber
§ Red Team Lead

SLIDE 4

CISA ASSESSMENT SERVICES

If vulnerability is the only element of risk that we can eliminate … let’s focus on proactive elimination of vulnerability to reduce risk.

Advanced Operations / Risk Evaluation / Cyber Hygiene

  • Risk and Vulnerability Assessments
  • Validated Architecture Design Reviews
  • Open Source Intelligence Monitoring
  • Phishing Campaigns and Assessments
  • System & Application Vulnerability Scanning
  • Remote Penetration Testing
  • Critical Product Evaluation
  • Red Team Assessments
SLIDE 5

CISA ASSESSMENT GOALS

SLIDE 6

RED TEAM ASSESSMENT (RTA)

SLIDE 7

RTA VS PENTEST

SLIDE 8

INFRASTRUCTURE

SLIDE 9

DOMAINS

SLIDE 10

METHODOLOGY

SLIDE 11

AGENCY X

§ Large Government Agency
§ Multiple sub agencies
§ Between 1 and 1,000,000 employees
§ Several Sensitive Business Systems (SBS)
§ Responsible for ICS systems

SLIDE 12

TIMELINE OF OPERATIONS

SLIDE 13

RECON

Ø Utilize public information to find anything that would aid in penetrating the network
Ø Utilize Cyber Hygiene results due to time constraints
Ø Identify Department personnel responsible for public interactions
Ø Utilize Department online presence for information leading to network access
Ø Utilize public information to create a target list of Sensitive Business Systems (SBS)
Ø Look for information the Department is responsible for safeguarding
Ø Find critical infrastructure maintained by the Department

SLIDE 14

EXPLOITATION

Ø Delivered phishing e-mails containing a malicious link
Ø Agency X user clicked the RTA-supplied link and executed our payload
  Ø Initial foothold into the Agency X domain
Ø Sub Agency X user clicked the RTA-supplied link and executed our payload
  Ø Initial foothold into the Sub Agency X domain

SLIDE 15

Phishing Payload

Ø Email contained a link to an HTA file on an NCATS-controlled Amazon EC2 server
Ø HTA was a stageless payload that calls back to the Cobalt Strike C2 server over DNS
Ø Payload spawns a new iexplore.exe and runs Cobalt Strike shellcode
Ø Payload converted to JScript using DotNetToJScript [1]

[1] https://github.com/tyranid/DotNetToJScript

SLIDE 16

PHISHING – BUILD TRUST

SLIDE 17

PHISHING – BUILD TRUST

SLIDE 18

PERSISTENCE

SLIDE 19

USER LEVEL PERSISTENCE

Ø Compiled a custom DLL that spawns an msinfo32.exe process and injects Cobalt Strike shellcode into it
Ø Code implemented in the “UnRegisterClass” method
Ø RegAsm.exe is a Microsoft-signed binary that will execute the code in the DLL’s UnRegisterClass method
Ø Created a registry Run key that calls RegAsm.exe with the custom DLL as its argument
Ø Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
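Added defender-side example (Python, not code from the deck or from NCATS): an audit of the HKCU Run key described on this slide that flags values launching RegAsm.exe (or its sibling RegSvcs.exe, which the slide does not mention) with a DLL argument. The `reg query` output, value names and file paths are constructed.

```python
"""Audit the HKCU Run key for RegAsm.exe-based persistence (constructed example, not deck code)."""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Signed .NET utilities that execute code from a caller-supplied assembly. RegAsm.exe is
# the binary named on the slide; RegSvcs.exe is its sibling with the same behaviour.
PROXY_BINARIES = ("regasm.exe", "regsvcs.exe")

# Constructed sample of `reg query <RUN_KEY>` output: one benign value and one value
# shaped like the slide's persistence (RegAsm.exe handed a DLL in a user-writable path).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /U C:\Users\user\AppData\Roaming\upd\helper.dll
"""

VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
FIRST_TOKEN = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))')  # quoted or bare executable path
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Return one dict (name, type, data) per value line of reg query output."""
    return [m.groupdict() for m in map(VALUE_RE.match, text.splitlines()) if m]


def find_regasm_persistence(text: str) -> List[Dict[str, str]]:
    """Flag Run values whose command is RegAsm/RegSvcs given a .dll argument.

    Each finding carries the DLL path so the file and its signature can be checked;
    the slide's DLL was custom-compiled, so it would not carry a Microsoft signature.
    """
    findings = []
    for v in parse_reg_query(text):
        first = FIRST_TOKEN.match(v["data"])
        exe = ((first.group("q") or first.group("u")) if first else "").lower()
        if not exe.endswith(PROXY_BINARIES):
            continue
        dll = DLL_RE.search(v["data"])
        findings.append({"value": v["name"], "binary": exe.rsplit("\\", 1)[-1],
                         "dll": (dll.group(1) or dll.group(2)) if dll else ""})
    return findings


if __name__ == "__main__":
    for f in find_regasm_persistence(SAMPLE_REG_QUERY):
        print(f"[!] Run value {f['value']!r} starts {f['binary']} with DLL {f['dll']}")
```

On a live host the same parser can be fed the output of `reg query` against the HKLM Run key as well, since the binary-plus-DLL pattern is the indicator, not the hive.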

SLIDE 20

PRIVILEGE ESCALATION

SLIDE 21

KERBEROASTING

Ø SPN MSSQLSvc/-XXX.XXX.net:1433 is associated with Service Account XXX\XXXXXsql
Ø Able to decrypt TGS ticket and ‘crack’ service account password

SLIDE 22

ADMIN COMPROMISE

Ø Administrative user logged into compromised XXXSQL host
Ø User is part of XXX-SYSOPS group
Ø User has admin access on (most) SUB AGENCY X hosts

SLIDE 23

POST EXPLOITATION

SLIDE 24

POST EXPLOITATION

SLIDE 25

IR EVENTS

So did they do anything?

SLIDE 26

IR Event 1: Domain Enumeration

Ø September 11th
  Ø 0914 EST – Received initial callback from phished user
  Ø 0917 EST – Likely triggered anti-virus when trying to execute persistence executable
  Ø 0945 EST – Uploaded and installed a DLL as a second method of persistence
    Ø This method of persistence was used in other parts of the network during operations
  Ø 1025 EST – Requested TGS tickets for all SPNs associated with user accounts throughout the entire forest
  Ø 1052 EST – Requested AD information for all users and groups within AgencyX.Gov
  Ø 1625 EST – Last communications received from phished user’s machine
  Ø 1625 EST – Assumed IR action

[Diagram: TGS Ticket Requests, DOI Workstation, Domain Controller]
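Added detection example (Python, not code from the deck or from NCATS) covering both the Kerberoasting slide and the 1025 EST entry above: a rule over a constructed export of Windows Security event 4769 that flags one account requesting tickets for many distinct user-account SPNs within a short window and counts how many of those requests used RC4 (TicketEncryptionType 0x17). The key=value log format, account names and service names are constructed.

```python
"""Flag a Kerberoasting burst in Security event 4769 records (constructed example, not deck code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed export of 4769 (TGS request) events, one key=value record per line.
# jdoe requests tickets for five distinct user-account services in three seconds, all with
# etype 0x17 (RC4-HMAC), the weak encryption type that makes a TGS crackable offline.
SAMPLE_4769 = """\
2018-09-11T10:25:01 EventID=4769 Account=jdoe@AGENCYX.GOV Service=MSSQLSvc/db01.agencyx.gov:1433 Etype=0x17
2018-09-11T10:25:01 EventID=4769 Account=jdoe@AGENCYX.GOV Service=HTTP/web01.agencyx.gov Etype=0x17
2018-09-11T10:25:02 EventID=4769 Account=jdoe@AGENCYX.GOV Service=MSSQLSvc/db02.agencyx.gov:1433 Etype=0x17
2018-09-11T10:25:02 EventID=4769 Account=jdoe@AGENCYX.GOV Service=svc_backup Etype=0x17
2018-09-11T10:25:03 EventID=4769 Account=jdoe@AGENCYX.GOV Service=svc_sccm Etype=0x17
2018-09-11T10:25:03 EventID=4769 Account=jdoe@AGENCYX.GOV Service=WS0042$ Etype=0x12
2018-09-11T10:31:40 EventID=4769 Account=asmith@AGENCYX.GOV Service=MSSQLSvc/db01.agencyx.gov:1433 Etype=0x12
"""


def parse_4769(text: str) -> List[Dict]:
    """One dict per non-blank line, with the timestamp parsed; other event IDs are dropped."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec.get("EventID") == "4769":
            rec["ts"] = datetime.fromisoformat(ts)
            events.append(rec)
    return events


def detect_kerberoast(text: str, min_spns: int = 5, window_s: int = 60) -> List[Dict]:
    """Alert on an account requesting >= min_spns distinct services within window_s seconds."""
    per_account = defaultdict(list)
    for e in sorted(parse_4769(text), key=lambda e: e["ts"]):
        if not e["Service"].endswith("$"):  # skip machine accounts: not a Kerberoasting target
            per_account[e["Account"]].append(e)
    alerts = []
    for account, evs in per_account.items():
        for i, start in enumerate(evs):  # window anchored on each request in turn
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= timedelta(seconds=window_s)]
            spns = {e["Service"] for e in window}
            if len(spns) >= min_spns:
                alerts.append({"account": account, "first_seen": start["ts"].isoformat(),
                               "distinct_spns": len(spns), "rc4_requests": sum(e["Etype"] == "0x17" for e in window)})
                break  # one alert per account is enough for triage
    return alerts
```

The thresholds are starting points: a forest-wide request like the one at 1025 EST produces far more than five distinct SPNs, so tune `min_spns` against a baseline of how many services normal users touch per minute.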

SLIDE 27

IR Event 2: Suspicious Account Enumeration

Ø NCATS noticed an e-mail suggesting investigation into XXXXXOC.XXX.GOV
Ø September 18th
  Ø 1025 EST – NCATS observed an e-mail titled “Suspicious Account Enumeration” referencing (COMPUTER NAME)
  Ø 1037 EST – A list of all installed software on that machine was requested by administrators
  Ø 1037 EST – An e-mail was drafted to the phished user of (COMPUTER NAME), asking for information on the activities
  Ø 1040 EST – NCATS removed persistence from the machine
  Ø 1104 EST – IT Staff requested an ad-hoc anti-virus scan of the host

SLIDE 28

IR Event 3: Pass-the-Hash Detection

Ø FireEye alerts on malicious activity for (COMPUTER NAME)
Ø September 13th
  Ø 1820 EST – NCATS used a default “Pass-the-Hash” command to impersonate AGENCYX\USER using the user’s NTLM hash
  Ø 1822 EST – NCATS proceeded to use these credentials to laterally move to (ANOTHER COMPUTER)
Ø September 18th
  Ø 1502 EST – An e-mail was seen from AGENCYX IT Staff inquiring about an alert from FireEye about a “BACKDOOR”

SLIDE 29

MEL Detection Times

Ø 4 out of 13 MELs confirmed as detected:
  Ø Active Directory Account Addition (Domain Administrator):
    Ø Time To Response (TTR) – 24 Hours
    Ø Response – 06NOV18 Agency X PoC reached out about the possible creation of a Domain Admin account by NCATS
      Ø Agency X was preparing to respond by shutting off internet access to the forest, and ‘rolling’ the krbtgt account password twice on all domains
      Ø DHS suggested not taking those steps, and NCATS proceeded AS IF those steps were taken
  Ø DA Logging into a Workstation
    Ø TTR – 4 Days
    Ø Response – Received phone call about DA logon events from Agency X PoC
      Ø No further response was observed by DHS

SLIDE 30

MEL Detection Times

Ø 4 out of 13 MELs confirmed:
  Ø Intentional A/V triggering on a DC
    Ø TTR – Instant technology response
    Ø Response – The malicious file was immediately deleted when it was uploaded
      Ø No further response was observed by DHS
  Ø Ransomware Emulation:
    Ø TTR – 1.5 Hours
    Ø Response – By 1930 EST on 11/07/2018, 3 users had notified the Agency X team of possible malware on the users’ workstation
      Ø The team from Agency X contacted NCATS for deconfliction

SLIDE 31

MEL Conclusions

Ø 13 Measurable Events executed
Ø MEL activity began 30 October 2018
Ø MEL activity completed 07 November 2018
Ø 4 of 13 Measurable Events were observed to have a detection by Agency X
  Ø 1 of 4 was a technology based response
  Ø 3 of 4 were people based responses
Ø Internal MELs were not often detected, showing a few common deficiencies

Notable events include:
Ø People: Once alerted, action was taken to mitigate some compromised accounts
Ø Processes: Follow-up to detected events seemed incomplete in some cases
Ø Technology: Technologies detected and reacted to a small number of events

SLIDE 32

QUESTIONS ?

SLIDE 33

For more information:

cisa.gov

Questions?

Email: NCATS_INFO@HQ.DHS.GOV