Pentesters and red teamers have long used post-exploitation toolkits to accomplish their mission of network domination and business impact. While traditional methods of collection during post-exploitation (such as keylogging and screenshots) are still very effective, modern technologies and software have brought new opportunities to collect useful data. With the recent evolution in red teaming and a shift towards adversary emulation for network assessments, the source of inspiration for offensive tactics, techniques and procedures (TTPs) must change. An offensive force looking to deliver a realistic assessment can and should use analysis of adversarial toolkits to better their tradecraft.
First, this talk will cover the process of deconstructing real-world toolkits for practical analysis and use. To apply the process, this talk will analyze certain post-exploitation features seen in the wild and how adversaries use them to accomplish their malicious objectives. These features include webcam and microphone recording; Skype interception; real-time file system monitoring, infection and exfil; and packet capture capabilities. This presentation will discuss the inner workings of these features, their intentions, and how they aid the adversary in accomplishing their objective. Next, similarities will be drawn between the objectives of the adversary and the objectives of the red team to demonstrate how these novel tradecraft ideas can be beneficial for training as well. We will also address the generic defensive concerns with regard to post-exploitation and the necessity for user education and reporting of suspicious events.
During this talk, PowerShell proof of concepts will be released that emulate the adversary features previously analyzed and allow pentesters and red teamers to use these advanced techniques in their own engagements. These tools will also be demonstrated live, so the audience can witness first-hand the power of studying an adversary to gain offensive inspiration.