Red Teaming at PRCCDC 2016



Woot woot! Like last year's PRCCDC, this year we had similar planning, operational run books, pre-calls, staging meetings, and of course we brought our own custom set of tools :) Unlike last year, this year's red team captain was the infamous Chris Nickerson, who led the charge in a very WRCCDC-style fashion, which seemed highly successful. Again, I participated remotely, although I wish I had been in person, as it sounds like the room was fun and communication was strong there. That said, this year was extremely fun, for a number of reasons. First, the network was really rich and well layered. There was a public DMZ where the majority of their critical services and servers sat (.X for team number), and another internal network from which they administered the server network (.0 network). Pivoting between these networks added a lot of fun to the game, but still left a large attack surface in the DMZ. I was also up against a really good blue team, so I want to highlight some of the things they did that good teams can continue to do to keep the red team at bay. There are also some extra tips in here to help them get even better, as well as everyone's favorite screenshots. The following is Alex's and my rampage through the blue teams:




The teams this year made excellent use of firewalls and often effectively blocked the range the red team would come from. We weren't running Borg or any distributed scanners this year / at this region and had only a few team servers / callback servers, so they could effectively block the few hosts and small range we would come from. Despite this, we were successful in using their internal hosts and bypassing their defenses to disable their host-based firewalls time and time again.




The blue teams were also diligent in disabling accounts they saw being used and, after checking with the white team, changing the passwords of compromised accounts. This was a step up from the sad state of affairs at Western (WRCCDC); however, we had trojans on top of abusing internal / domain permissions, so simply disabling our accounts was not enough to keep us out. The team would also actively kill our processes, applications, and shells. This resulted in us responding by toying with their users and monitoring as well.





Blue teams would often remove the programs they saw us abusing, to keep us constantly reloading, improvising, and utilizing new tools. For example, they caught on to the abuse of PowerShell, so they removed the 64-bit version of PowerShell:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
But unfortunately, they forgot the 32-bit version of PowerShell:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
As luck happens, this is a game I like to play too :)
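For a blue team that wants to control PowerShell rather than remove one copy and forget the other, here is an added inventory check (my example, not something from the competition or the post). It walks the 64-bit and 32-bit paths named above, plus the matching powershell_ise.exe locations (an assumption on my part), and reports for each whether the binary is present, its hash, and whether non-admin users can execute it, so the same control can be verified on every host binary.

```powershell
# Added example: inventory every Windows PowerShell host binary so a control
# applied to one copy (removal, ACL change, AppLocker rule) is checked on all.
$windir = $env:SystemRoot
$candidates = @(
    "$windir\System32\WindowsPowerShell\v1.0\powershell.exe",      # 64-bit host (from the post)
    "$windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",      # 32-bit host (from the post)
    "$windir\System32\WindowsPowerShell\v1.0\powershell_ise.exe",  # assumed: ISE, 64-bit
    "$windir\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"   # assumed: ISE, 32-bit
)

function Get-PowerShellHostInventory {
    foreach ($path in $candidates) {
        if (-not (Test-Path -Path $path)) {
            # Report missing copies explicitly so a removed binary is visible in the output.
            [pscustomobject]@{ Path = $path; Present = $false; SHA256 = $null; NonAdminExecute = $false }
            continue
        }
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $acl  = Get-Acl -Path $path
        # Any Allow ACE granting execute to Users or Everyone means a low-privilege
        # account could still launch this copy even if the other one was removed.
        $nonAdminExec = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match 'Users$|Everyone$' -and
            $_.FileSystemRights.ToString() -match 'ReadAndExecute|FullControl|ExecuteFile'
        }
        [pscustomobject]@{
            Path            = $path
            Present         = $true
            SHA256          = $hash
            NonAdminExecute = [bool]$nonAdminExec
        }
    }
}

# Usage: run as an administrator on the host being reviewed.
Get-PowerShellHostInventory | Format-Table -AutoSize
```

A row that is Present with NonAdminExecute set to True after you believe PowerShell is locked down is the 32-bit copy the post describes.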


 


The blue teams relied heavily on reverts. I gave up counting the number of times I would pwn a machine, we would fight over control for a brief while, and then the team would revert the machine to its original vulnerable state, only to have the process happen again and again. The teams would repeat this process over and over until one of us would give up for a prolonged period of time. I would never kick them out permanently, so I would really advise using that access to do some root cause analysis before reverting the machine. The blue teams really have an advantage in that regard: if you spend some time doing the root cause analysis, you can patch when you revert and take advantage of that do-over.




Finally, I'm going to end on some things that I thought the blue teams could do a bit better. It should be a no-brainer, but maintaining control of your DC is critical above all other machines in most cases. If we own the DC, we can remotely manage / control all of the other machines on the domain through it. In this scenario it was also critical because it was the source of your authentication, DNS, and DHCP, controlling most of the critical networking services for machines on your domain.






Droppers continue to be effective, but we need to remember to keep versions for older / obscure machines in order to hit all of them, as well as having fallback binaries for the group (versus people falling back to individual infrastructure). These tools are improving all the time with new tricks various red teamers are adding from their own practice, and they have grown in scope beyond just persistence. We now have a treasure trove of trolling options (including classics), so we will likely branch soon to allow focus on persistence and trolling respectively.