Hacking Exposed will demonstrate how adversaries have evolved their tradecraft to deploy near-undetectable intrusion techniques aimed at bypassing the cyber kill chain and defensive systems. Learn from a firsthand account of a global supply chain attack about how adversaries exploit trust across partner ecosystems, and how eCrime actors emulate nation-states to supercharge their attacks.
Video Transcript
>> ANNOUNCER: Please welcome George Kurtz and Michael Sentonas.
>> GEORGE KURTZ: All right. Well, welcome. Good afternoon, RSA. We have a packed house. It is a pleasure to be here. And I'm more excited than ever. Given COVID and how many years we had to be on Zoom, this is great, to have a packed house here.
>> MICHAEL SENTONAS: Always good to be in front of a good audience, thank you.
>> GEORGE KURTZ: Before we get started, there are a couple of things we want to do. We'll level set and those sorts of things. But Hacking Exposed, these sorts of presentations, I have been doing since 1999, well, probably 2000; I wrote the book in 1999. So, it is always fun for me to go through the latest and greatest.
But before I get going, I always like to capture the memories of each RSA. So I want to do a selfie with the audience, if you’ll indulge me. So, I'm going to turn around, which is never the right thing to do with the audience, but I need everyone with a big smile. I’m like a dad here, I always have the phone the wrong direction. Terrible.
>> MICHAEL SENTONAS: (Inaudible 0:01:11) so I have to stand over here.
>> GEORGE KURTZ: Yeah. I don't need you. All right. 1, 2, 3 RSA. There we go. Okay, so we’ll put that on social media.
>> MICHAEL SENTONAS: All right. Put that away.
>> GEORGE KURTZ: So with that, we've got an action packed case study today. Let me move to the next area here.
And what we wanted to do was to really focus on eCrime, which is the talk of the town. We've seen the devastating impact of eCrime, all of the dollars associated with it, and really what we wanted to do was to take what we see in the real world and combine this into a case study. And go through exactly what we see on a day‑to‑day basis and just how sophisticated these adversaries are.
>> MICHAEL SENTONAS: So, we're going to use an example that's weeks old. We're going to replay exactly what we saw in the wild. So what you see is what's being played against organizations like the ones here in the room every week at the moment.
>> GEORGE KURTZ: So, what we are going to do is we will take you through the setup in typical hacking exposed fashion, if you’ve seen it. We’ll take you through the setup. We'll do a demo. And then we'll recap with some counter measures and get things wrapped up. So, with that we can jump into it.
As I mentioned earlier, this is an eCrime actor. And I think we were one of the first to come out with funny names for adversaries. It happens to be the hot topic of the day that people are doing that. We have been at it for the better part of ten years. But we call them spiders.
And there is a whole bunch of groups that are out there. But there are a few that target business process outsourcing and telcos. And really, they have global reach.
So, the main motivation here, obviously, is money. But what we’ve seen is people have gotten better at ransomware detection, prevention, and also backing up data. So what we see now is let's skip encrypting all your data, and let’s exfil the data and extort you.
>> MICHAEL SENTONAS: Yeah. What’s really interesting is one particular group we are going to profile little bit. A very small group but incredibly active. Active every single day. For a small team of attackers, they seem to be doing a lot very, very frequently. So, once they're inside the network, they are hammering users and connecting to machines. We will show you a little bit of that as we go through the demo.
>> GEORGE KURTZ: All right. Let's take a look at the kill chain here. This is a MITRE kill chain. And what I wanted to do is really highlight some of the areas that they focus on: initial access, exploitation of applications. A lot of it is around phishing or vishing to get the initial foothold. And then we will talk through the persistence. And what we have found over the years, and a lot of this comes back to Hacking Exposed, you can pretty much live off the land and not use malware and just use existing tools, administrative tools, RMM-type tools to maintain persistence.
Credential access. I've been at this a long time; I think I did the first ever public demo of pass-the-hash, the keynote at Black Hat in 1999. Still works pretty well today in 2023. You know, why get fancy.
And then command and control. Obviously you want to maintain that persistence and control those end computers.
So, this gives a bit of an idea of what they're focused on. Proxies, they really like to leverage existing tools that are out there. There is no reason to get fancy if you can blend in.
All right. So, let's go through the case study. Again this is typically what we see. Registered domains, happen very quickly. And then when we think ‑‑ and it is very similar to the MFA provider for phishing war.
So, we see domains get registered. We see the average time spent with a user, typically is a help desk vish type call. We've seen up to an hour spent with a user, kind of walking them through what they need and sounding very legit. They do a lot of reconnaissance on the company; they know the people and systems. And they are very, very persistent. And most of the time they speak very good English.
>> MICHAEL SENTONAS: Very good. They profile the organizations for weeks, months, and so when they call they do a really good job of convincing users to go to a website. The website is using a legitimate certificate. The browser doesn't know any different. There's nothing wrong with the certificate. They are going to a legitimate web page. They are just preying on a user that's going to click and do some silly things in the process.
>> GEORGE KURTZ: The biggest thing here is we have seen and heard a lot about MFA for years. Hopefully everyone has it. It’s not a panacea, it can be abused. We saw it in a couple of big hacks over the last couple of years. We want to actually show you how that works. We are big fans of MFA. You should have it. But there are definitely ways that MFA can be abused. And we will show you how that works.
And then once there’s a level of access, then it’s all just about, you know Hacking Exposed 101. How do you move laterally? How do you maintain persistence? How do you add some accounts? How do you blend in? And they’ll even modify VPN settings. So, it’s a very sophisticated attack. We see these sorts of attacks across the board from different adversary groups. We just wanted to give you a sample of how it works with some representative folks that we have been tracking.
So, let's talk about the hack. As usual, we have a fancy – gosh, we’ve got a much better graphics. I used to do this in Vizio or something years ago. It was terrible at it. But it looks better now. – So, we’ve got just the overview here.
Mike tell us how this is all going to work.
>> MICHAEL SENTONAS: Yeah, for sure.
So, we're going to go through, as I said, a real world example that's current, as in the last few weeks. It's an example of an adversary that's very, very smart. Well versed in hiding their tracks. Everything that they do does not use any malware at all. Because they are trying to enforce that, well, they are trying to ensure that they don't leave behind anything. And they’re actually even set up to pull out a thumb drive, to pull out a USB key. If authorities are knocking on the door and they need to get out of there, they can literally pull out a USB key and run and nothing is left behind.
So, very, very smart hiding their tracks. Very focused on making sure that there’s little forensic evidence left behind. If you actually look at what they do, they are using great tools that you can easily get ahold of.
Tails is a favorite one right now. It is an operating system that protects against surveillance. Linux kernel, effectively built around Debian, as I said, runs on a USB key. When they fire up the Tails environment, they then go through another couple of steps. So, they'll set up a VPN server and use OpenVPN. They will use a freely available RDP client or VPN client. They'll spend their time making sure that they have got what we call dedics out there, a whole range of dedicated machines. Effectively a machine that they VPN onto to carry out their attack to further hide their tracks.
What's interesting about these dedicated machines is they're trying to use machines and have operating systems run on hardware as much as they possibly can. A lot of people talking about virtual machines spread all around the world. That's not the case. Because it is easy for someone to come in and suck up that virtual machine.
Remember, they’re trying to hide their tracks. So, they’ll try to get onto bare metal and VPN onto those machines. So, Tails, VPNs, they will use DigitalOcean droplets, which is again another virtual machine. Those virtual machines will run some of those hacking tools.
So you can kind of get the understanding as we go through this. They are very well prepared. Very well resourced as they go through the environment. They are very, very careful to set up a website. They will try to mimic the URL of the company. There will typically be a small mistake. Trick the user into going onto that particular webpage.
There is a man-in-the-middle attack. They love using a tool right now called evilginx. It's a very scary tool because one of the things it does, it's not only a man-in-the-middle attack, it actually captures your session token. Which allows you to replay the token inside a cookie and then get into the Microsoft Office 365 environment. We will step you through and show you the demo as we go through that. Once you are in and you've got access to 365, I would imagine the majority of people in here are using hybrid AD environments where you use on-prem AD, you use a combination of Azure AD; set up an account and wait a certain amount of time. It's going to effectively go from one environment to the other and then the adversary has access to your environment.
George touched on multifactor authentication; once they get access into 365, they will set MFA they’ll use the Microsoft authenticator app, or any other authenticator app. They will have a burner phone. They will be sending the MFA request to the burner phone. And away they go.
No malware at all in this particular attack. Which means if you are spending all your time walking the floors and going after NextGen AV, signature AV, not going to help you in this particular example of the tradecraft this particular adversary is using.
>> GEORGE KURTZ: Mike and I were talking as we put this together and you look at how it’s all done, it really looks like maybe they were or who knows, sophisticated red team. Because the way they unfold this, actually they really know what they're doing.
Okay, Mike. So, now what?
>> MICHAEL SENTONAS: All right. To that point. They do know what they're doing. They do know how to get around AD. They know how to get around a lot of the security tools that people use. The RDP tools that they use are legitimate RDP tools that are out there. One they love using now is AnyDesk. Nothing wrong with AnyDesk, if anyone here is from AnyDesk; they just like using it at the moment. It's very, very useful.
And once they get all the credentials that they need, once they've effectively given themselves access, it's the standard modus operandi where they want to capture and exfiltrate as much information as they possibly can. Get that out, leave a ransom note and cover up their tracks, which is simply unplug the USB and go to dinner. That's it.
>> GEORGE KURTZ: Okay. So, we've talked through all this. Let's get to some action.
>> MICHAEL SENTONAS: All right. Let's jump into the demo. I'm going to unlock my machine. So, if we can jump over, switch over to my machine, there we are there.
So, I'm going to step you through the process. As you can see here, it is the Tails OS as I talked about. Start up Tails running on the thumb drive. Once it starts up, run the standard install package for OpenVPN. Use the RDP client and get all of those installed. We are using the Remmina RDP client for this particular example here. Open the VPN connection.
And once you have that VPN connection installed, you connect to the dedic machine and put in your credentials. And now you have access to a machine and effectively you are ready to go to start the attack.
>> GEORGE KURTZ: So this dedic machine, this isn’t sitting in Russian or some other place, right? Where is it generally?
>> MICHAEL SENTONAS: This could be anywhere. The dedic machine, dedicated machine, dedicated piece of hardware, which as I said is what we typically see. This could be anywhere.
>> GEORGE KURTZ: But the point is it actually blends in. It’s not going to come from some crazy domain. It is actually going to just blend in.
>> MICHAEL SENTONAS: And there is going to be as many of them as they possibly can get. The reason behind that is, if one gets shut down, they want to have redundancy built in. Once they get into the environment, they run the DigitalOcean droplet which I talked about before.
The DigitalOcean droplet is effectively a VPN. On that VPN they have -- sorry, I said a VPN. It is a virtual machine, not a VPN. So the droplet is a virtual machine. That's running an operating system that’s running attack tools. And effectively they are just SSH'ing into that machine, trying to create a little obfuscation, make it a little bit harder.
Now we’re at the point they have got the SSH machine. For them it is ready to connect to the end user. So, next what they would do is contact the end user. (Phone ringing) Really?
>> GEORGE KURTZ: Sorry. I thought I shut this off. Sorry. Hey, I’m a little busy at the moment.
>> PHONE VOICE: Hi, it is Mark calling from security operations. Sorry to bother you, but we believe your account has been compromised and we need to validate your username and password.
In a few seconds we will send a notification to your phone. Please click it and follow on the onscreen prompts. The password should only be entered on the mobile device that is registered with the company. And remember, if you ever receive a phone call asking for your password, please hang up immediately and call the company support number.
>> GEORGE KURTZ: So, I'm good if I just click here, right?
>> MICHAEL SENTONAS: Let's get rid of the phone.
>> GEORGE KURTZ: Sorry about that.
>> MICHAEL SENTONAS: As funny as that sounds, that's pretty much it. It is not complex. After somebody's profiled the user long enough and established rapport and comfort, they'll do the phone call. They will get somebody to go to a particular website. As I said, all of the tools are running in the background. We are behind VPNs, we are behind multiple VPNs, we are ready to go.
If you look at the very top of the phone, there is a message that's sitting out there to the user: ww.COCRSec.com. It's missing a w. So, a lot of people would look at that, they would click on that. And evilginx is running in the background. The man-in-the-middle attack.
>> GEORGE KURTZ: So Mike, I'm sure everyone in the audience, they don't have users that would ever click on that.
>> MICHAEL SENTONAS: It wouldn’t happen. It wouldn’t happen.
>> GEORGE KURTZ: It would not happen, right? We call that a layer 8 problem between the chair and the keyboard.
>> MICHAEL SENTONAS: So, running in the background. Steve Ren, our poor user, is going to jump on here. Effectively, they go to the website and they get prompted to put in their username and password. A couple of interesting things happen at this point in time.
So, they put in the username, they put in the password. They have to put in their MFA credentials, of course. The organization is running multiple factor authentication, which is fantastic. Simple demo here. Now what's happened in the background is everything that he has put in has been captured. And that little highlighted piece in the bottom of the screen is the session token.
So, a lot of people will be thinking at this point how you are going to get around the MFA piece. Evilginx does a great thing, as I said earlier, captures the username, captures the password, captures the session token. Now what's really good and really scary about this is go to microsoftonline.com, get a browser extension, get a cookie browser extension that you can put in to Chrome. Insert the session token. Freely available. Anyone here can grab ahold of this. And replay the cookie. And when you refresh your browser, with that extension, you are straight in to 365.
>> GEORGE KURTZ: And Mike, I think it is the program is aptly named evil. Because it is evil and it is easy. It should be easyginx, because it is not hard to do once you get going, right?
>> MICHAEL SENTONAS: Absolutely. Very easy to get ahold and get on to the network. You can see here that effectively you are in 365.
At this point you would effectively ‑‑ you want to establish persistence. Like the little example that we gave with the phone call to George with somebody falling victim to the vish, you don't want to do that every single time.
So, what you want to do is download an authenticator app, which you see on the screen. Download that and get it on to your phone. You get the QR code. You have got your burner phone. Point the burner phone at the QR code. And effectively we've got the users username. We got their password. And we have got MFA set up. We don't need to be dealing with that user at this point in time, which is the scary part.
>> GEORGE KURTZ: It is. I think sometimes the longest part is just social engineering the user with the vish. But this actually happens very quickly in real life.
>> MICHAEL SENTONAS: Yeah. Absolutely.
So, at this point in time want to get on to the machine. And this is typically, again there might be a little bit of social engineering at this point in time. We can demonstrate here. We can demonstrate that the MFA is actually working. You can see that on the screen.
Right now we want to make sure that we can connect to Steve's desktop. At this point in time, there may be some conversations going on in the background.
We talked about the example of one particular attack where the attackers were talking to the help desk operator for about an hour ensuring that they captured the username, they captured the password and MFA was set up perfectly. You can see here the attacker in the background demonstrating that they can get into the environment without having to go to Steve, to the actual user.
So, they're well set up at this point. They are good to go and the big thing that they need to do now is be able to get into that person's machine.
The tool that we see them use most often at the moment, and this will change, it will change all the time, is AnyDesk. Very powerful remote desktop tool. They can RDP into the environment. So, they've asked Steve to download it. Remember, they have befriended Steve. They have gone into software, a basic thing that everyone does.
Just to make sure it is a pretty straightforward demonstration, we are not doing anything with CrowdStrike technology. We are just popping up the Defender screen here so you can see this is not malware. There is nothing malicious about any of this; it's a perfectly legitimate app.
So, Steve runs it. It’s running in the background and now the adversary has full access into that person's machine, into that organization’s network.
At this point, I effectively would say it is game over. Because now we have the ability to connect to the user. We have got the MFA set up. We have got RDP set up. At this point in time you want to start to get a little bit smart and they want to look for other machines to connect to.
Reason for it is you want to end up creating additional persistence. We don't want to rely just on Steve. We don't want to rely just on Steve's machine. Steve may be driving home from work and realizing it didn't sound right, that person on the phone. And then they may have this epiphany and they go and make changes. So, you want to go in there as quick as you can.
So, living off the land, go to systems config management and have a look at the administrator's group. We are on Steve's machine here. We can see that Steve is part of the service desk team. So, he is going to have a certain level of access to be able to get inside the organization.
So, drop to a command prompt here and just run a basic command to see what groups Steve is part of. And you can see there in the bottom, I will just highlight it there for you, Steve's part of the service desk team.
>> GEORGE KURTZ: So, Mike, can I jump in here?
>> MICHAEL SENTONAS: Yea. Absolutely.
>> GEORGE KURTZ: At this point maybe in the past you would expect somebody to load up Mimikatz or something like that. Do you see that? Why don't you see that?
>> MICHAEL SENTONAS: Tell me that again?
>> GEORGE KURTZ: Mimikatz.
>> MICHAEL SENTONAS: Well, Mimikatz has been around. A lot of people call it the AK47 of password stealing. It works incredibly well.
>> GEORGE KURTZ: And it keeps working.
>> MICHAEL SENTONAS: And people keep rebuilding it, they keep reusing it, and it keeps working. But a lot of tools will pick up, at least half decent tools will pick up Mimikatz and you are leaving a digital footprint behind.
So, what we are doing here is we are just running legitimate commands. There is nothing that we have run here at this point in time that's malicious in nature. We have run a command to see what group Steve is connected to. We are going to run a command just to see what is the naming convention.
So, that was probably a little bit hard to read. But running hostname, it comes up C05. Most organizations will have a fairly good naming convention for host names. I'm going to make the demo really simple because we don't have time to do too much reconnaissance. So, I'm going to run RDP and I'm going to connect to CL6.
>> GEORGE KURTZ: Mike, if you look at these reconnaissance commands though, most of these really date back to the first iteration of Hacking Exposed. It was how do you find the machine you are on? How do you find the groups? Nothing has changed at all.
>> MICHAEL SENTONAS: Nothing has changed at all.
And this step we are obviously doing this in a couple of seconds. The attacker may spend a day, a month, they could spend a lot of time trying to work out how to get around the network and what the naming conventions are. I’ve just hit CL6 for the demo. And I connect into that environment with Steve Rentok's credentials.
If I want to establish persistence, I’m going to set up AnyDesk inside that environment again. That way I have got Steve's machine and I’ve got another host inside the organization that I can get on to and I can go and carry out my attacks.
So, if we switch back to the slides for us. Just as a little bit of a summary: They built rapport with Steve. They got his username and passwords. They have set up an MFA token on their own device. They've used their permissions to install another AnyDesk agent. Now they have got network access. They have got backup network access. And they have got credentials.
>> GEORGE KURTZ: Didn't seem too hard.
>> MICHAEL SENTONAS: Didn't seem too hard at all. Nothing that we did was too stressful or too hard.
And what we're finding is it's not even a requirement for the attacker to do the vish. Or it’s not a requirement for the attacker to call the service desk employee and trick them into giving away their username or passwords or use some of the tools that are out there. We see today that adversaries are doubling down on stolen credentials. 112% increase year on year in advertisements for access broker services. So, you pay somebody to give you the username and password to a website.
You ‑‑ if you are happy to pay people, you can pay somebody for every step of the attack. And you just have to chain it all together. It is pretty much as simple as that.
>> GEORGE KURTZ: The key thing here is this looked pretty simple. We are going to go through it there are some easy‑to‑use tools off the shelf. But this is actually what we see. There is nothing made up here. This demo is actually what we see. So, the bar is kind of low in some areas. And at the same time, it can be pretty sophisticated when you look at those tools and session stealing and what happens with kind of SSL hijacking and those sorts of things.
So, real world stuff. And I always like to say the bar is only as high as the exploits -- or the attacker only needs to jump over the bar which is pretty low.
>> MICHAEL SENTONAS: And the other reason why I like this particular demonstration is, George, you started CrowdStrike in 2011. We’ve been tracking the percentage of attacks that include malware or non-malware techniques. Some think that if you have read a CrowdStrike threat report, if you have been following us we talk about this every particular year. The last 12 months, for calendar year 2022, 71% of the attacks, the incidents that we investigated, 71% did not use malware at all. So just think through that.
When we talk about, you know, when you walk the floors and people talk about AV and preventing malware autonomously and a whole bunch of other stuff. You've got to separate the technical tradecraft the adversaries use from the marketing. Because if your strategy does not involve threat hunting, if it does not involve the basic ability to get visibility into the attacks and the tradecraft, you will get breached. And you won't know the adversary is on your network. That's why we wanted to use this particular attack.
We're going to go in to the second part of the attack, which is to go through the additional steps to add more users into the environment. And then ultimately to start exfiltrating data and to leave an extortion note. With a couple of little cool tricks and things to let everyone know about.
So remember, the adversary has access to only one set of credentials so far, which is Steve Rentok’s. We don't want to keep doing the smishing, we don’t want to keep doing the vish style attacks. So, we want to go through the process of setting up a couple of extra people.
>> GEORGE KURTZ: So, how do they get that data?
>> MICHAEL SENTONAS: So, let’s jump to that section of the demo. If we can switch back to my laptop here. Fantastic. Let's go through that next section here.
So, we'll jump back on to the demo. And what you are going to see here as it comes up, if my machine responds, there we go, this is an interesting step here that I want to talk you through. There is a little bit of a misconception that you need domain admin rights to be able to do things like add users. And what I'm going to show you here is a little bit of a trick to add to a little bit of how scary this particular example is here.
We're using the AD PowerShell module. This is trusted by Microsoft. There is nothing wrong with this. There are hundreds of cmdlets that you can use to manage AD with this particular tool. We're going to install it on Steve's machine. Again, there is no malware here. Nothing wrong with it. You can set it up. And what we're going to do is actually prey on that misconception of the domain admin feature.
So, I'll show you here the way that this tool works. We're going to install it and have it run. And then you are going to see here what I'm trying to do. A little bit hard to read but I will highlight a couple of these things. What we are going to try to do is use a password, which is Monday23!! with a couple of exclamation marks, and we’re going to try to set up a user called SpiderUser1.
So, when we run the tool, we get an error message which I will just read it out to you. I can't even read it on the screen. It says access denied. It’s that joke you said, well it wasn’t a joke, that you’ve been doing this since the ‘90s.
>> GEORGE KURTZ: Yeah.
>> MICHAEL SENTONAS: It shows. Because I can't read my screen anymore.
But access denied because we don't have access, we don't have domain admin rights. But we don't need domain admin rights. This is part of that misconception.
So, if we use this AD module, what I'm going to do at this point is I'm going to run a command to basically tell me all of the OUs that are inside this environment. And I can see here these are all the OUs that I have access to as Steve Rentok. Now I'm going to run another command in the background and I'm going to filter some of this, because I want to see where I have delegated permissions. And I'm going to stop it here.
This is the part of the demo that you want to think about. With AD there is this wonderful feature to give delegated permissions to your service desk staff. I guarantee you at least two‑thirds of the room here is using that functionality. So, instead of giving a service desk employee domain admins, you give them delegated permission to be able to set up users, to be able to set up some permissions.
You don't give them domain admin to everything. But that core feature of the operating system allows you to do a couple of things. You can see here you can access groups. You can access users. You can do things like create children. You can delete children. So users as an example. You can read properties. You can write properties. That's all we need to set up users inside the environment.
Steve's got access. People use delegated permissions to run their businesses all around the world because it's a very powerful and a very useful feature. If you're an attacker, you are looking to use it to exploit that functionality. So, I'm going to do the same ‑‑
>> GEORGE KURTZ: So, Mike, I think that kind of gets back to one of my original questions, a lot of times, you know, in the past you would see credential theft, pass-the-hash, those sorts of things. And because they are so noisy, again, these guys just focus on using the existing tools. Some of the functionality that maybe people don't realize they have or use. And then without admin, which is key here, without admin access being able to add all these different users to different groups and then still move laterally.
>> MICHAEL SENTONAS: Correct. And not that I want to teach everyone how to go back and do this inside their organization, but Microsoft documentation is a wonderful thing. You can read about the AD module, you can read about delegated permissions, you can follow the bouncing ball all the way through this demo and you can easily test this out in your environment. Don't recommend that anyone does that, because we will get to the countermeasures and talk about how you deal with this.
But if we have a look here, I'm going to run this same command. This time I have picked OU users for the particular environment that I have got delegated access to. And I hit enter and it ran. I have got the command prompt back. So, now that I have set up SpiderUser1, I'm going to run it again to set up SpiderUser2 on the top. And it's run perfectly fine.
So, I'm going to run again one of these little cmdlets in a second. You can see there OU users, OU lab. That's the environment that I have access to. If I just say Get-ADUser, it dumps me out and tells me I have created SpiderUser1 and I have created SpiderUser2.
Very simple. Nothing complex about what we did. Well, remember the demo, remember what we did earlier. We set up persistence. We set up MFA. So, I'm going to go through the same process here. I'm going to go to Microsoft online. I'm going to log in as SpiderUser1. I'm going to put in my password. I have got the authenticator app that I want to get ahold of. I may have another burner phone or use the same ones.
So, once I have logged in, you'll see here start by getting the app. So, get the authenticator app. I have already got it. I got the QR code now. So, I'm going to scan the QR code. Now I have got Steve Rentok's account, I’ve got SpiderUser1 set up. Let's try it out. Works perfectly. So, I have got my second account. And again, just to save time, we haven't gone through the process of setting up MFA for SpiderUser2.
So, we’ve established persistence. We are doing an amazing amount of things inside the organization. So, what's interesting now is I want to give the SpiderUser1 and SpiderUser2 the same rights as Steve Rentok. So, I add them to the group service desk. So that they have got the same exact privileges as Steve. Works perfectly fine. And now I want to set myself up to exfiltrate data.
>> GEORGE KURTZ: So, how noisy has this been?
>> MICHAEL SENTONAS: Unless you are scanning for legitimate Windows commands, no malware, very little footprint left behind, and I'm just using the operating system against itself. So, pretty straightforward.
So, I'm going to dump all of the groups here. And I can see domain admins there. I know I don't have access to that, but there is a couple of interesting ones that are there that I want to look at. I want to filter in on the groups that I have access to.
So, I'm going to dump the groups so I can see what AD groups I have access to. Now the demo gets a little bit interesting here. Because if you see down at the bottom there, I have highlighted that says CRM users. CRM, good place to go after, it has a lot of interesting data. So, I'm going to go after that particular group to see if I can access machines inside that particular group.
So, I'm going to add myself to the CRM users. I have delegated permissions. Why not, I keep adding myself to any of those groups that I’ve got visibility of.
>> GEORGE KURTZ: It would be rude not to.
>> MICHAEL SENTONAS: It would be definitely rude not to because the demo would stop. So, we'll keep going.
What we’re going to do here, you can see I have got access to CRM users. I have highlighted that one there. So, I'm having a look to see what machines are on the network that are affiliated with CRM users.
And I can see there that there is a CRM account name called SQL. And it’s part of the CRM SQL server. That's the description. So, this is a good machine to go after.
So, I'm going to try to RDP because I have credentials to a machine called SQL. So, let’s start up RDP. We will type in SQL. We will put in Steve's password and it failed. Which is not a good sign.
So, why has it failed? Well there are a couple of things that are probably a little bit hard to read. So, we'll highlight it there. There is another group here called SQL server admins. So, good guess. We're going to add ourselves to SQL server admins. So, we're going to add ourselves as a group member. SpiderUser1 and SpiderUser2. So, we are going to connect to it again with the SpiderUser1 username and password.
And look at that.
>> GEORGE KURTZ: There we go.
>> MICHAEL SENTONAS: RDP is a wonderful thing. We have connected to the SQL server. This has got my CRM database. So, I'm going to connect to SQL server management and go to my main table. I can traverse the table. Here is all my customer information as an attacker that I would want to get my hands on.
So, I'm going to dump everything in that database. I'm going to dump it all on to the desktop. Legitimate SQL server commands. There’s nothing here that's malicious. So, I have exported all the data. I'm going to leave a very complex and scary note here on the screen. We've seen some interesting ones in the last 48 hours. Very, very funny attackers. They're trying to be a little bit more humorous with some of the notes that they’re leaving behind.
But we're going to leave a note behind. I'm going to store that file. I'm going to copy the file onto the desktop. Now remember all the tools that we used before, so I'm going to put that file on to my desktop. Let's get rid of AD. Let’s jump to the desktop and paste the file there. Let's go back to Steve's machine. And we're going to effectively copy the file on to Steve's machine using AnyDesk. And what we're going to now do is jump over to the dedics, to the dedicated machine that we’re connected to. We're going to copy the file to the dedic and move the file to the dedic.
At this point in time, once we have pasted it, we're going to jump back over to the Tails machine. So, we have come out of DigitalOcean. We are back on to Tails. We've dumped the file onto the USB. Now I could have put it anywhere. But just for the sake of the demo, we put the file on to the USB. And this is the cleanup step.
Unplug the USB.
>> GEORGE KURTZ: And in Tails, if you haven't used it, it is super easy to use. There is actually an option where you can create an encrypted volume. So, you can store all the data in the encrypted volume, you pull it all out, you have the data and key, it is encrypted. You are good to go.
>> MICHAEL SENTONAS: That's it. So, the example here, what we typically see, a lot of these people who are about to be caught, they love to use the USB because they will pull it out and run. Or they go into a library and sitting there in a public library, in a coffee shop, a Starbucks, they can run the attack from anywhere in the world. All they need is that first USB key, and that's it.
And if it sounds like we're oversimplifying it, we really are, because that wasn’t a complex demo. But the exfiltration – the impact of the exfiltration, we have seen some of the largest organizations in the world fall victim to this particular attack every week for the last quarter or two pretty much. Which is why we want to show it to you all.
>> GEORGE KURTZ: And we're going to talk about the countermeasures, but I think that's where it is important to understand what signals are coming from these influence and what’s happening. Because the use of those command line tools may be legitimate from an administrative perspective, but as you start to see these things get pieced together, it is taking these very weak signals and being able to create a story of what's happening there to be able to identify it.
One of the things that I always like to talk about is most big organizations are going to have an incident. Everyone seems to have an incident. You want to make sure you can contain the incident. That it doesn’t turn into a breach or a data leak or something like that.
So, what we want to do now is move into the countermeasure phase.
>> MICHAEL SENTONAS: Yeah.
>> GEORGE KURTZ: Which is, again if you are familiar with the Hacking Exposed book, we always wrap up with the countermeasures for what we have seen.
So, Mike, why don't you take us through some of the thoughts around this?
>> MICHAEL SENTONAS: Yeah. This is a really interesting one. As I talked about earlier, no malware used, so you’re not going to get an event popped up in your AD tools. You are not going to get a traditional event in an EDR tool. This is something that you are going to need to collect as much telemetry from as much of your organization as you possibly can.
This is the reason we talk so much about visibility. Not getting in to debates around prevention versus detection. You can't be good at detection, you can’t be good at prevention, unless you have visibility into everything going on inside your organization.
Obviously, from an advice perspective, try to get as much telemetry as you possibly can from your identity stores, from your endpoint. Get relevant information from the network, from firewalls. A lot of it is going to be noise. But you want to filter out the noise to keep the important information.
The challenge that you are going to need to think about, especially for those who are in large organizations, with so much telemetry you need somewhere to put it. And this is where the conversation around AI and ML comes in, because you need to go through that telemetry as quickly as you possibly can.
If it takes you hours to sift through all of that telemetry, we just did a demo in ten minutes. So, you need to be able to move very quickly so you can make decisions as quickly as possible.
So, accounts that are being created. New applications that you have never seen before, people moving laterally, whether they are doing anything malicious or not, you need to capture all of that information and you need to be looking at it.
>> GEORGE KURTZ: And the key thing here is, though, all of these weak signals will show up. We look at a combination of weak signals to actually give you an idea of what's happening there. So I think as you go back and you look at your own security, there are things that are going to happen on a daily basis like account recreation, resets, et cetera. It is how you string them together, or have the ability to string them all together, and connect the dots which is going to tell you if you have a problem.
Again, there is no malware. Just tools that were running but how do you piece it all together and stop it is really important.
>> MICHAEL SENTONAS: Yeah. One thing to quickly just touch on, we're going to run out of time in a sec, but one of the quick things to touch on. One of the reasons why we keep saying there is no malware, a lot of EDR tools actually pivot off malware. Which is an interesting discussion point in itself.
If there is no malware, a lot of EDR tools will have no event for you to go and look at. Which means they become very difficult to use operationally.
>> GEORGE KURTZ: So, they key on the detection first.
>> MICHAEL SENTONAS: They key on the detection first. And if there is nothing to detect, what do they have?
>> GEORGE KURTZ: Right.
>> MICHAEL SENTONAS: Which is why we keep talking about this. Because you need to be able to easily go through your telemetry to find this information inside your organization.
This is a big one. Maintaining good identity store hygiene. Making sure that you know what accounts are being created. Making sure whether you know people are doing some of the things that I just showed you, leveraging delegated permissions, adding people to particular groups.
One of the things that you want to think about is how many of you are protecting the services that you use to set up MFA? Hopefully after the demo it is something that you are going to have a look at. So, the thing you want to think about is hybrid environments where you use on premise AD and Azure AD. Because what ends up happening is that account that gets created in one will get synchronized with the other. We see adversaries coming into the cloud where maybe you don't have the right level or right types of security tools, and then suddenly they are moving inside of your organization.
>> GEORGE KURTZ: That's a feature.
>> MICHAEL SENTONAS: It is a feature, apparently. Or they go the other way. They go from on‑prem into the cloud and they get access to your cloud stores and your cloud information.
Go through one more there. I think there are two more.
The other big thing is know what's running on your endpoints. I can't stress this enough. Have a list of all of the applications that are being installed inside your organization. If AnyDesk is not a legitimate tool, know it is running inside your organization.
If you read our threat reports, or you read other threat reports, typically you will see vendors talking about the tradecraft, the tools, the adversaries are using. Go and grab our current threat report. We have a list of tools that adversaries are using. Go and hunt for those tools inside your environment. Really simple thing to do. Even if they are legitimate tools, it doesn't mean they should be inside your organization if they are not used by your trusted users.
All right. And then let's talk about some prevention. Obviously in our demo we showed, in a couple of seconds, the ability to move laterally. In reality it is a little bit different. We typically see on average attackers find a way in and it takes them about 84 minutes to move laterally inside an organization. What we call the average break out time.
So, be aware of that. That number is coming down. In 2021 it was 98 minutes, an adversary finding a weak point in the network using that to break out into the organization to move laterally. That number has come down to 84 minutes. So far in the first quarter of this year, it is well under 70.
>> GEORGE KURTZ: And Mike, one of the things that, maybe a little bit of a PSA, that I want to comment on that we typically see. And again, it may sound like that’s so bad, but so many organizations have – I guarantee there is a whole bunch in here that do this -- but PowerShell scripts with embedded credentials and generally admin type credentials we see all the time.
It really is one of the first things that the adversaries are going to hunt for. It is hard to control unless you have some other third party software. It is hard to enforce MFA around PowerShell scripts. So, as you think about MFA, there are a lot of accounts, in particular machine and service accounts, that may not have that. And you start to find these credentials in PowerShell scripts all over an enterprise.
>> MICHAEL SENTONAS: George said it at the start, I don't want anyone walking away from the session thinking that we don't like MFA. We love MFA. MFA everywhere. Turn it on to everything, service accounts, everywhere you possibly can. Protect your identity stores, especially legacy identity stores, active directory, use strong phish resistant methods. Use the current FIDO2 standards.
Make sure that you create a robust environment to make it harder for the attacker.
>> GEORGE KURTZ: All right, so we will get things wrapped up here. Hopefully this gives you an idea of how simple it is. But the folks behind these attacks are pretty sophisticated. They're going to continue to target companies.
We just gave you a view of eCrime. We break it down into nation-state eCrime and hacktivism. You can find a lot of this information on our website, on our blogs. We have an incredible intelligence team. We see this through our consulting work, our intel team, and obviously telemetry from 176 different countries. So, you can get educated on some of those websites like ours and others.
And I wanted to get wrapped up. And I wanted to thank my partner in crime, Mike. And I also wanted to thank the audience here. We know you have a lot of busy things you could be doing. And we love coming back. I’ve probably gone to almost 30 RSAs. So, they will hit you with the reviews and those sorts of things. You will have that on the reviews.
And with that, anything else to add, Mike?
>> MICHAEL SENTONAS: Just the last two points.
Understand the complexities of your organization.
Understand the adversary tradecraft and what they do. And try to stay safe and make it hard for the adversaries to be successful.
Thank you so much.
>> GEORGE KURTZ: All right. Well, we appreciate it. Thank you so much. And we will see you next year.