Adversarial Post-Exploitation: Lessons From The Pros

BSidesDC 2016

Presented by: Chris Ross, Justin Warner
Date: Saturday October 22, 2016
Time: 15:30 - 16:20
Location: Grand South
Track: Track 1

Pentesters and red teamers have long used post-exploitation toolkits to accomplish their mission of network domination and business impact. While traditional collection methods during post-exploitation (such as keylogging and screenshots) are still very effective, modern technologies and software have opened new opportunities to collect useful data. With the recent evolution of red teaming and the shift toward adversary emulation for network assessments, the source of inspiration for offensive tactics, techniques and procedures (TTPs) must change. An offensive force looking to deliver a realistic assessment can and should analyze adversarial toolkits to improve its own tradecraft.

First, this talk will cover the process of deconstructing real-world toolkits for practical analysis and use. To apply that process, the talk will examine specific post-exploitation features seen in the wild and how adversaries use them to accomplish their malicious objectives. These features include webcam and microphone recording; Skype interception; real-time file system monitoring, infection and exfiltration; and packet capture. The presentation will discuss the inner workings of these features, their intended purpose, and how they help the adversary reach their objective. Next, similarities will be drawn between the objectives of the adversary and those of the red team to show how these novel tradecraft ideas can also benefit training. We will also address the general defensive concerns around post-exploitation and the need for user education and reporting of suspicious events.

During this talk, proof-of-concept PowerShell tools will be released that emulate the adversary features analyzed above and allow pentesters and red teamers to use these advanced techniques in their own engagements. These tools will also be demonstrated live, so the audience can witness firsthand the value of studying an adversary to gain offensive inspiration.

Justin Warner

Justin Warner is a red teamer and the Offensive Network Services Lead for Veris Group's Adaptive Threat Division, and dabbles in security research when he is feeling inspired. As an Air Force Academy graduate and former USAF Cyber Operations Officer, he gained experience with large-scale operations at the national level. Justin has a passion for threat research, reverse engineering, and red team operations. He is a cofounder of the PowerShell Empire project, actively participates in numerous open source projects, and takes part in various red team events in the DC area.

Chris Ross

Chris Ross currently works in the Adaptive Threat Division at Veris Group as a penetration tester and red teamer. Chris is an offensive PowerShell advocate and loves developing offensive tools in both PowerShell and Python. He particularly enjoys the challenge of developing capabilities that emulate real-world toolkits. Chris is a developer on the EmPyre Mac/Linux post-exploitation toolkit and a contributor to numerous other community toolsets.
