Five Offensive Objectives

Exabyt3

The five essential objectives for a successful offensive operation.

PREFACE:

This blog post originated from an idea I had while standing at my own "virtual Bellagio Fountain." During an engagement, my team of three gained access to a hardened environment, where our objective was to maintain persistence without setting off any security alerts. To achieve this, we needed to enumerate the security stack and identify ways to process and extract information from technologies such as Splunk, Sysmon, and other EDRs. For this purpose, I leveraged the detectionlab (https://www.detectionlab.network) project to understand the various events or detections that my actions might trigger.

For brevity, I will skip the enumeration phase and jump directly to the persistence method we discovered in the environment. It involved a broken SSO and users susceptible to a push fatigue attack, which created an exploit chain allowing us access to a virtual desktop environment via VMware Horizon. Using this access, we could move laterally and obtain privileged credentials, which we validated but did not exploit. At this point, we had access to multiple jump hosts and two ways into the network via VPN/WebShell.

Now that we had persistence and the necessary permissions to access the vault, our next objective was to reach the Bellagio Vault, which was defended by multiple Security Operation Center (SOC) teams. After enumerating the network, we found that different parts of it used different security stacks and event forwarding methods. This discovery was interesting as it forced us to ensure that our code execution and lateral movement techniques would either bypass EDR or blend into the data stream of logs. The differences between the environments of the SOC teams slowed us down considerably. Furthermore, the Vault was situated in a segmented network that could only be accessed via a jump host, which we knew would be well-monitored by a different security stack.

We needed a solution.

The Big 5:

The big 5 have no specific order. We needed all 5 in place before we could watch the chaos. Each member of the team was to discover a way of performing each of the following 5. Following discovery, we discussed which would work best for this environment.

1. A way to Encrypt

2. A way to Exfiltrate

3. A way to Write

4. A way for Code Execution

5. A way to Buy Time.

A way to Encrypt: The vault data needed to be sent outside of the network. As stated earlier, this environment had a full security stack including a transparent proxy. However, this applies to any environment: always encrypt your exfil! There are many ways of performing encryption using tools like 7z or <insert your favorite here>. As stated earlier, enumeration had not uncovered these encryption tools in the environment. Executing 7z.exe would have generated a process-creation alert in Sysmon. Instead, live off the land: Microsoft Office applications can AES-256 encrypt their own documents. The team opted to use those to encrypt our data with a 35-character key.

A way to Exfiltrate: The exfiltration method is very important and can’t be interrupted. (Tip of the hat to https://lots-project.com.) Similar to encryption, we want to enumerate traffic and identify what normal behavior to normal sites looks like. We opted to use a business application, on a different subdomain, to host our data. Prior to execution, we used our way to encrypt on a blob of dummy data, and our new business application to exfiltrate it. (It worked. Excellent.)

A way to Write: The environment's vault is big; enumeration doesn’t tell us how big, but our team is planning for a large amount of data. If our location is compromised by the SOC team and they close out our “VMware Horizon” desktop, we want to be able to recover whatever data we can. Knowing this, we leverage Azure or on-prem to find a writeable location or share to access if the worst case happens. We test this by dropping another encrypted blob on the writeable location. We use our smoke screen (A way to Buy Time) to confirm the location and data are recoverable.

A way for Code Execution: Knowing the security stack and trying to glean some information from DetectionLab is important for code execution. Discussing with the team which shellcode execution technique you will use is important. Remember, at this point we have not executed anything “malicious”. Checking whether constrained language mode is disabled is a good first step in deciding whether .NET reflection can be discussed. Do you need to bypass AWL? What will that look like in the event forwarding? Is that event ID “expensive” (or noisy, so it’s whitelisted) for the SOC to collect? For the “Environment”, we discovered a mistake: constrained language mode was not enforced on another VMware Horizon environment. (Excellent.) We always test code execution LAST. With the missing constrained language mode discovered, our team opted to bring our own tools using PowerShell .NET reflection. Code execution was tested by reflecting a binary that performed an LDAP query. However, before performing the lookup, we used an AMSI bypass and an ETW bypass (tip of the hat to XPN: https://blog.xpnsec.com/hiding-your-dotnet-etw/). After execution we wait for a response; once no response occurs, we continue.

A way to Buy Time: We have enumerated the (multiple) stacks. We have read whatever documentation we could access about procedures and policies. (Lucky if you find the IR policy.) Our team discusses how long we believe the response will take; once we have a number, we discuss options to make roadblocks more difficult for IR. (Shoutout to 13Cubed: https://www.youtube.com/watch?v=myzG11BP3Sk) The team calls this our smoke screen: how many RDP sessions can we move away from our code-execution user account? Will our team have enough time to exfiltrate the data? (For this “Environment”, yes. Excellent!)
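
Seen from the SOC side, each of the five objectives above leaves a trace that a detection engineer can look for: the archiver process creation the author avoided, the bulk upload to a sibling subdomain of a trusted business application, and the burst of RDP sessions that makes up the smoke screen. The script below is an added example written for this edit, not code from the post or its author. It runs three such checks over constructed Sysmon/Windows Security events and proxy log lines embedded inline; the field names, the archiver watchlist, the 15-minute window, the host and byte thresholds, and the baseline of "normal" destinations are all assumptions for the sake of the example.

```python
"""Added example (not from the post): defender-side checks for the three
objectives that leave telemetry. All events below are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed Sysmon (EID 1) and Security (EID 4624) events after parsing.
# Field names are an assumption about whatever pipeline feeds the SIEM.
EVENTS = [
    {"ts": "2024-05-06T12:02:10", "event_id": 1, "host": "VDI-07",
     "user": "CORP\\alice", "image": r"C:\Program Files\7-Zip\7z.exe"},
    {"ts": "2024-05-06T12:02:40", "event_id": 1, "host": "VDI-07",
     "user": "CORP\\alice",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    # 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
    {"ts": "2024-05-06T12:05:00", "event_id": 4624, "host": "JUMP-01",
     "user": "CORP\\bob", "logon_type": 10},
    {"ts": "2024-05-06T12:06:30", "event_id": 4624, "host": "JUMP-02",
     "user": "CORP\\bob", "logon_type": 10},
    {"ts": "2024-05-06T12:07:10", "event_id": 4624, "host": "FS-03",
     "user": "CORP\\bob", "logon_type": 10},
    {"ts": "2024-05-06T12:08:45", "event_id": 4624, "host": "VDI-12",
     "user": "CORP\\bob", "logon_type": 10},
    {"ts": "2024-05-06T14:00:00", "event_id": 4624, "host": "JUMP-01",
     "user": "CORP\\carol", "logon_type": 10},
]

# Constructed proxy log lines: "<ts> <client> <method> <url> <status> <bytes-out>"
PROXY_LOG = """\
2024-05-06T12:10:01 10.20.30.7 POST https://files.example-app.com/upload 200 1843200
2024-05-06T12:10:09 10.20.30.7 POST https://files.example-app.com/upload 200 2097152
2024-05-06T12:10:15 10.20.30.7 GET https://mail.example-app.com/inbox 200 512
2024-05-06T12:11:40 10.20.30.7 POST https://files.example-app.com/upload 200 1572864
2024-05-06T12:12:00 10.20.30.9 GET https://www.microsoft.com/ 200 2048
""".splitlines()

ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}  # assumed watchlist


def archiver_process_creations(events):
    """Sysmon EID 1 whose image is a known archiver: the process-creation
    alert the post says running 7z.exe would have raised."""
    return [(e["host"], e["user"], e["image"]) for e in events
            if e["event_id"] == 1
            and PureWindowsPath(e["image"]).name.lower() in ARCHIVERS]


def rdp_fanout(events, window=timedelta(minutes=15), min_hosts=3):
    """Accounts with RDP (type 10) logons to at least min_hosts distinct
    hosts inside one window: the 'smoke screen' pattern."""
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            per_user[e["user"]].append(
                (datetime.fromisoformat(e["ts"]), e["host"]))
    flagged = {}
    for user, logons in per_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def bulk_uploads(proxy_lines, baseline_hosts, min_bytes=1_000_000):
    """Sum POST bytes per destination host and flag hosts outside the
    baseline that received more than min_bytes. A sibling subdomain of a
    baselined application is still a new destination."""
    totals = defaultdict(int)
    for line in proxy_lines:
        _ts, _client, method, url, _status, nbytes = line.split()
        if method == "POST":
            totals[urlsplit(url).hostname] += int(nbytes)
    return {h: b for h, b in totals.items()
            if h not in baseline_hosts and b >= min_bytes}


if __name__ == "__main__":
    print(archiver_process_creations(EVENTS))
    print(rdp_fanout(EVENTS))
    print(bulk_uploads(PROXY_LOG,
                       baseline_hosts={"www.microsoft.com",
                                       "mail.example-app.com"}))
```

The baseline in `bulk_uploads` deliberately contains `mail.example-app.com` but not `files.example-app.com`, so the upload to the sibling subdomain is still flagged; a baseline keyed on the registered domain alone would have let it blend in, which is exactly the gap the post's exfiltration objective relies on.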

The Execution Phase:

Enumeration of policies, event logs and any other data we can discover about the IR team. We decide to move at a certain time, one we believe is lunch for one SOC team while another team's shift begins. We have an idea of the geography and of the response time over the wire it would take to remove our RDP sessions. We have our Encryption (Microsoft tool), Exfiltrate (subdomain.<product>.com), Write (file share), and Smoke Screen (multiple RDPs and multiple entry points: web shell, VPN). As the blood began to pump, we began our code execution and successfully exfiltrated the Vault. As we retrieved the (Vault) from our exfiltration endpoint, we observed the code execution machine drop. A stunning response time from the SOC.

However, we still got our Ocean's 11 movie scene: the team executed the big five. The job was done; network and data were ours. Until next time!
