For another year, RandoriSec sponsored the westernmost cybersecurity event, held in Brest, and took part in the 10th anniversary of the Unlock Your Brain, Harden Your System (UYBHYS) event. We attended the workshop “DFIR at the speed of a velociraptor” and the conferences the following day.
Workshop
This workshop was led by Aurélien Cuvelier and Anthony Hannouille. Its purpose was to provide an immersive experience of a forensic analysis scenario, inspired by a real case encountered during an incident response, carried out with Velociraptor, a powerful open-source digital forensics and incident response tool. As pentesters, it is always interesting to see how attacks are handled by the blue team, in order to understand these tools and better bypass them.
First, we were given an overview of the tool: Velociraptor can be installed on an internal server or in the cloud. It responds to SIEM alerts and operates on a Splunk-like model with deployed agents, notably via MSI on Windows or as a package on Linux. It can also operate in offline mode thanks to a pre-configured collector that writes the artefacts to a ZIP file. The artefacts are stored in Velociraptor and then analysed by the tool or forwarded to the SIEM. Agent-server communications are encrypted. Because Velociraptor agents are so powerful, malicious actors have abused the tool for offensive purposes.
Next, we were given access to a Velociraptor server to investigate. The scenario is as follows: on Friday evening, the company is called in to assist a customer located on an island in Brittany; the customer has 200 servers and is under attack. We needed to ask ourselves a few questions:
- What happened?
- How did attackers gain a foothold? When?
- Which systems/accounts were compromised?
- What are the indicators of compromise?
- Did the attackers establish persistence?
- Did the attackers perform lateral movement?
- What actions should be taken?
During the analysis, we realized that the fictitious company was compromised through a Linux server that served as a jump host. This server was exposed on the internet with an SSH service listening on port 22, which could be brute-forced. Further investigation showed that the attackers created a new account, wwww-data, which was then added to sudoers by means of a crontab entry. It also appears that the company’s internal network was scanned from this compromised jump host. By analysing the Windows logs, we spotted an intriguing PowerShell command on a few servers: it was present on four of them and aimed to deploy a C2 agent on these machines.
Finally, the attackers uploaded the rclone tool, which suggests data exfiltration. In real life, to find out whether a large volume of data has been exfiltrated, it is also possible to ask your ISP for the traffic peaks over the last 3 days. If there is a sharp increase in outbound traffic, exfiltration can be assumed.
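The compromise chain above (SSH brute force, new account, sudoers modification via cron) leaves traces in two artefacts a responder would pull from the jump host: the authentication log and the crontab. The following triage script is an added example, not part of the workshop material; the log lines, the IP address and the account name are constructed to mirror the scenario.

```python
import re
from collections import Counter

# Constructed sample artefacts (not real data): a burst of SSH failures followed by a
# success from the same source, a new account named to look like the legitimate
# www-data service account, and a cron job that appends that account to sudoers.
AUTH_LOG = """\
Nov 15 21:02:11 jump sshd[1201]: Failed password for root from 203.0.113.7 port 51822 ssh2
Nov 15 21:02:13 jump sshd[1203]: Failed password for admin from 203.0.113.7 port 51830 ssh2
Nov 15 21:02:15 jump sshd[1205]: Failed password for admin from 203.0.113.7 port 51838 ssh2
Nov 15 21:02:17 jump sshd[1207]: Failed password for admin from 203.0.113.7 port 51846 ssh2
Nov 15 21:02:19 jump sshd[1209]: Failed password for admin from 203.0.113.7 port 51852 ssh2
Nov 15 21:02:21 jump sshd[1211]: Accepted password for admin from 203.0.113.7 port 51860 ssh2
Nov 15 21:06:02 jump useradd[1300]: new user: name=wwww-data, UID=1001, GID=1001, home=/home/wwww-data, shell=/bin/bash
Nov 16 08:10:44 jump sshd[2201]: Accepted publickey for ops from 10.0.0.5 port 40110 ssh2
"""
CRONTAB = """\
0 3 * * * root /usr/local/bin/backup.sh
* * * * * root echo 'wwww-data ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def triage(auth_log, crontab, threshold=5):
    """Return the indicators of compromise recoverable from the two artefacts."""
    failures = Counter()  # failed logins per source IP, in log order
    findings = {"brute_force_logins": [], "new_accounts": [], "cron_sudoers": []}
    for line in auth_log.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            user, src = m.groups()
            # A success preceded by a burst of failures from the same IP is the
            # brute-force signature; the legitimate key login from 10.0.0.5 is not flagged.
            if failures[src] >= threshold:
                findings["brute_force_logins"].append((user, src, failures[src]))
        elif m := NEW_USER.search(line):
            findings["new_accounts"].append(m.group(1))
    for line in crontab.splitlines():
        # Any scheduled command touching sudoers is a persistence indicator worth review.
        if "sudoers" in line and not line.lstrip().startswith("#"):
            findings["cron_sudoers"].append(line.strip())
    return findings


if __name__ == "__main__":
    for key, values in triage(AUTH_LOG, CRONTAB).items():
        print(f"{key}: {values}")
```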
Conferences
Modeling the information threat: “In the beginning was the incident”
The first conference of the day was presented by Bertrand BOYER and Anaïs MEUNIER. They are part of an association whose initiative is to model information operations and understand large-scale manipulation campaigns. At the start of their project, their goal was to move away from the purely technical and defensive vocabulary then in use and to create a common grammar for analysing influence campaigns. The model focuses on the attacker’s point of view, identifying actions intended to change the state or perceptions of a target.
Operations can be strategic. The objective of these campaigns is not to make you act, but to normalize certain narratives. For example, Russia has been hammering home for years that the “West is in decline”. The goal is to normalize the discourse.
They can also be tactical. For example, during the final months of World War II, the United States dropped thousands of flyers over Japanese cities, warning the population of imminent bombing raids and urging them to surrender. The objective was to bring about a change in the enemy’s behaviour.
The model describes these operations through infrastructure, actions, and effects, allowing for the gradual capitalization of observations.
Creating a Dropbox, or the art of obtaining a backdoor in physical intrusion testing
The second conference was given by Matthieu MOQUET, who works as a red teamer for Asten. The goal of this talk was to show how to build an implant for red team exercises, how to use it, how to make it almost undetectable, and what equipment can be used. The speaker built his implant from a Raspberry Pi hidden inside a powerline communication (PLC) box with PoE and an LTE antenna.
A red team exercise of this kind goes through several steps. First, a physical foothold must be obtained. Then, 802.1X, if enabled, has to be bypassed; this can be done physically with tools like Basilisk. Thirdly, the objective is to get an internet connection from the implant using a VPN, SSH, a C2 agent, or even the LTE antenna.
The next step is to analyse the internal network. A Wi-Fi dongle is also connected to the Raspberry Pi to perform Wi-Fi attacks. Finally, the speaker discussed remediation, which is limited, but he recommended implementing MACsec to prevent MITM via NAC bypass.
Advancing Vulnerability Tracking and Disclosure Through an open and distributed platform
The speakers at this conference were Cédric BONHOMME and Alexandre DULAUNOY, who are co-authors of the tool named cve-search. They are now working on a new project, Vulnerability Lookup. This project is funded by CIRCL and the European Union and is used by ENISA. The tool was born out of the limitations of cve-search, a tool that enjoyed unexpected success, which caused some setbacks at the beginning.
The developers did not expect to receive 20,000 requests per second on their website. Furthermore, NVD is no longer the only source of vulnerability information. The project aggregates nearly 1.8 million vulnerabilities and 150,000 insights from 27 different sources, and Vulnerability Lookup is the only project to retrieve vulnerabilities from the official Chinese database.
The platform is powerful and offers an API. The team is able to offer bundles for attack campaigns. Users can add observations to vulnerabilities using different types of sightings. The more sightings a vulnerability accumulates, the more likely it is to be actively exploited.
Building your mobile CERT for tailored CTI!
The speaker of this conference was David LE GOFF, who led the creation of CERT Aviation in 2023 so that a CERT would be ready for the Paris 2024 Olympic Games. The goal of this presentation was to show that it is entirely possible to start the operational activities of a CERT with tooling available to everyone, by defining the operational needs of a member and the level of the attackers. The CERT has very limited resources: David is its only staff member, and it is called “mobile” because it has no office. He managed to build the CERT starting from homemade tools such as:
- Internal scanners to assess the status of members and attackers.
- Rapid detection of downtime (e.g. defacements/DDoS) with automatic measurements: capture, timestamp, Wget response, certificate, downtime.
- Attack surface monitoring via FOFA, Shodan and alternatives, crt.sh, DNSdumpster, dnstwist, spoofcheck, dehashed, etc.
- Implementation of a ransomware monitoring bot powered by ransom.live, ransomlock, ransomfeed, allowing the compromise of an actor to be estimated to within ~12 days.
- Leak analysis: spider data leak, suricata on Raspberry Pi, collection outside the internal network to limit risks.
- The speaker has set up daily information monitoring (infostealers, exchanges between CERTs), massive data parsing (≈2 GB/day of text files), and actions such as a Telegram information bot to monitor partners in the avionic sector. This hard work resulted in a front-page publication in MISC magazine.
Active Directory Tiering: Theory, Practice… and Crash Testing
This talk was given by Aurélien CHALOT, who works for OCD. He began by presenting how to bypass an EDR using methods that are not detected by design.
For the first method, the speaker recalled what Benjamin Delpy did a few years ago with Mimikatz: if a password is present in memory, an attacker can extract it and perform a Pass-the-Hash attack. The attacker will often dump the LSASS memory and then reuse the password or hash to move laterally, for example with the tool nxc. As early as 2014, Luke Jennings suggested avoiding the LSASS dump by relying on access tokens. LSASS first validates the password, then generates an access token associated with the user, which is passed to each process that needs to access a resource, such as Notepad when it opens a file. Rather than extracting the password, an attacker can therefore steal a token directly and use it. This can be performed with NetExec using the impersonate option. The second method presented was to create a scheduled task on behalf of someone else; for example, the speaker started Notepad on the victim machine. The third and last technique presented was RDP shadowing, which is disabled by default: a local admin can simply change the shadow registry key to obtain an RDP session as local admin. The main problem is that too many companies rely on their EDR, thinking it is infallible, rather than adopting a defence-in-depth strategy.
The second part presented the AD tiering model, which consists of separating domain users into three tiers. T0 contains global administrators, T1 contains users who manage the core business, such as business application developers, and T2 contains all other users. In this second part, the speaker walked through a series of AD architecture diagrams, highlighting their limitations before arriving at the design he proposes, which he believes is secure by design but has one major limitation: it is very complicated for a company to implement.
“Bring in the hacker who is guilty” (case law 2023-2025)
Marc-Antoine Ledieu, attorney and head of information systems security, presented French law as it applies to situations that cybersecurity professionals and amateurs often face. He presented the legal cases and statutes in an artistic way, through comic strips.
Firstly, he discussed certain cases and asked whether they were true or false. An employee deleted 4,631 files and sent 688 work e-mails from his personal e-mail accounts: this was true, and the person was convicted. He also cited the example of a pentester who attempted to log in to a fire department platform using the ADMIN/ADMIN credentials, without authorization and outside any maintenance engagement, and was sentenced to eight months’ suspended imprisonment.
In the second part, he presented the evolution of European regulations. In particular, he noted that the NIS2 directive has struggled to gain traction within companies. He also mentioned that a new European regulation, the Cyber Resilience Act (CRA), will soon be mandatory for many companies. It will require every company that provides a digital product to be able to produce a comprehensive risk analysis, with vulnerability management requirements that must be documented for all software. From December 11, 2027, if a company is not compliant, its product could be withdrawn from the market.