A Blue Team’s Perspective on Red Team Hack Tools

This webcast was originally published on June 4, 2020

In this video, Jordan and Kent discuss the utilization of red team tools from a blue team perspective. They explore how these tools can be repurposed to enhance cybersecurity defenses and the challenges of integrating red team tools into blue team operations. The conversation aims to provide insights into creating a more collaborative and effective security environment by blending offensive and defensive strategies.

  • The webinar discusses the use of red team tools from a blue team perspective and the integration of both to enhance organizational security.
  • The concept of ‘purple teaming’ is explored, emphasizing the need for collaboration between red and blue teams to improve security defenses.
  • The introduction of ‘Plumhound’ as a tool to make sense of ‘Bloodhound’ data for better defensive strategies is highlighted.

Transcript

John Strand

I once hacked a network this big. That's nothing. I hacked a network this big. That was specifically how we got validation for a long time. And like I said, I was part of that problem for a long time.

But I realized after a while, and a number of people did, that organizations weren't getting better. We kept on breaking our arms, trying to pat ourselves on the back, talking about how elite we were, and yet we were still finding the exact same vulnerabilities again and again.

Jason Blanchard

We got Jordan and Kent here with us today. Welcome to a Black Hills Information Security webcast. And we've got Jordan and Kent, who are doing a blue team perspective talk on red team tools, right?

Kent Ickler

Yeah, absolutely.

Jordan Drysdale

Something to that effect.

Jason Blanchard

So if you have questions, feel free to ask questions, because we're always looking for questions. But ask the questions in Discord if you can. But if you have a question, like CJ likes to put it this way, if you have a question that will enhance what we're talking about today so that Kent and Jordan can answer it, then ask that in GoToWebinar.

We'll be on the lookout for those. If you have a comment about what Kent and Jordan are talking about, just go ahead and comment on that inside the Discord channel. You can post memes, GIFs, you can talk to each other in Discord; that's a great place for it.

But if you have a question that will enhance today's conversation, then please ask it in GoToWebinar, and then CJ will jump in from time to time and ask your question. Now, we can't get to all of them, but when this is over today, we're going to stick around for 10 to 15 minutes and just rapid-fire answer questions with Kent and Jordan.

Kent Ickler

And with that.

Jason Blanchard

I know, right?

John Strand

Wait, are we dropping, wait, wait, wait. Are we dropping Plumhound today?

Kent Ickler

Yeah, we are.

Jordan Drysdale

Yeah, it sure is.

John Strand

This is going to be fun.

Jordan Drysdale

All right. This is the coolest thing since, the wheel, sliced bread, whatever. You two take on over new tools every day, but this one takes some stuff to a new level.

Like, we’re starting this very well.

Kent Ickler

We’re doing this.

Jordan Drysdale

We’re doing this. Slides are up. See them?

Kent Ickler

Yeah, we’re good. Let’s go.

Jordan Drysdale

All right, man, you're up. Swing.

Kent Ickler

So we wanted to have a talk today. A while back, we had a conversation with a client, and there was something along the lines of, can you help us secure our Active Directory environment?

And we said, yeah. And they were very interested in some red team tools, and we were very interested in helping them, and we very quickly found an executive problem statement that we're going to talk about later.

But what came of that is Jordan and I kind of reflected, from a defense perspective, on all the red team tools that are out there, or at least some of them, and kind of how they fit into the environment of trying to defend.

And, we’re going to talk about that today.

Jordan Drysdale

So this is Kent and I. You’ve seen us before. Maybe, maybe this is your first webcast, maybe not. The purple is here for John today because we know it’s his least favorite color.

John Strand

So I hate you.

Kent Ickler

It’s a color of royalty. Royalty. It’s prestige.

John Strand

It’s the color of clowns.

Jordan Drysdale

I wish we didn't love purple either, but the information designated that bridge between red and blue as purple. So we went with it, and John told us he hates the color, so we went with it doubly.

So we’re going to talk about summary today. Go ahead. Sorry.

Kent Ickler

Yeah, so what we're going to talk about are these red team tools, but from the blue team perspective. So we're going to give both sides of that. And then what you end up with is this kind of purple team view of things, because you have to mix both together and you end up with purple.

But it doesn't always work out as cleanly as that. We're going to kind of talk about that as well. We're going to do these in terms of a lifecycle. So red team, we're going to talk about attacking; blue team, we're going to talk about defending; and then that lifecycle of what it looks like if we try to put that into a continual improvement kind of lifecycle. We're going to talk about that, and then later in the hour we'll talk about Plumhound and what's going on there.

Now, Jordan and I, in all of our webcasts, we have to have this executive problem statement, and it's matured over time. It used to be the basic questions, like what are our tools, and are they working, and how do we detect them?

Jordan Drysdale

Can we spend our way out of this?

Kent Ickler

And it really comes down to, we've always said, I've always said, that red team tools are for blue teams too, but that statement actually breaks down really fast in certain situations.

And those questions where it breaks down are like: how do I use it? It doesn't help me. What can I do? How is this scalable? Things like, what does it even mean from the defending side, what does this tool actually do?

Why do I care? And that's kind of what we're using for a problem statement: the whole reason we're doing this is so we can better understand that and then really use those tools. When we say red team tools are made for the blue team too, we're actually trying to break that down and do that.


Jordan Drysdale

Yeah, agree. So, Kent wrote this slide and I had to ask him, well, what's HSA? Oh, yeah, Homeland Security.

Kent Ickler

Okay. I wouldn't say I wrote this slide. I would say I stole two slides from Homeland Security. And what I found interesting about these two slides is they were talking about red teams, and eventually purple teams, about the defense side of red teaming.

And one of the comments they added on here was that red teaming is guaranteed maximum effort, but there's a potential that you'll have minimum return. And it's kind of an interesting perspective when you actually think about it and look at these tools: these tools are made for red teams, and there's a lot of effort that's put into them, but it doesn't always mean that the return is going to be one-for-one on the defense side.

And I think that’s really interesting. And HSA had already realized that and they were trying to move forward from there. And this is one of their slide decks talking really about purple teaming in I guess kind of an abbreviated fashion.

Jordan Drysdale

And back to something that was mentioned earlier, in my perspective, is it possible, Kent, to tune a SIEM without red teaming your own organization, without hiring a third party to do it, without some kind of role play where you actually password spray, you actually establish C2, or you actually pass a hash to authenticate to a remote system?

Kent Ickler

Yeah. Because if you think about it, just like John talked about antivirus in the preshow banter, these signatures, malware-based signatures, you can create these signatures for the IOCs that look like an attack, but are they going to work?

And if you've never tested them, if you don't go through the effort of testing them, it's maybe not really protecting you, but you don't know unless you go through the motion of attempting that attack, attempting the hunt, making sure that you caught it.

And if you didn't, you need to modify your configuration, your signature, how you're using your SIEM, to make sure that you can catch them and that you can react on them.

Jordan Drysdale

Agree completely.

Kent Ickler

Go ahead.

Jordan Drysdale

Yeah, go ahead. Sorry.

Kent Ickler

So this is an interesting one. This is an ugly slide because it's all texty. The point here is NIST has controls out. So in 800-53 Rev. 4, controls CA-7 and CA-8.

What's interesting here is they talk about what you should be doing for information security. And CA-7 is about your blue team monitoring.

It's about defending, it's about that circular continual improvement. And CA-8 is talking about the pen test. They're essentially saying that, yeah, you can have CA-7, you can have CA-8, but really without both of them, you're losing the point.

And you need both of them there together to really make sense of it. And of course, CA-7 plus CA-8 ends up being purple team, which they don't define in NIST 800-53, but that's kind of what it's ballooning to: CA-7 blue, CA-8 red.

And of course it makes purple.

Jordan Drysdale

Yeah. And Roxanne just pointed out the text is small. Yeah, the text is supposed to be small.

Kent Ickler

Yeah, don’t read that.

Jordan Drysdale

Go read the controls. Right. It’s pointing out the flow of life. You wouldn’t want to have a red team if you’ve never implemented optics, unless you are trying to get budget for optics.

Kent Ickler

And that's why, in terms of the way they list out their controls, CA-7, which is the blue team monitoring, is first. They're actually putting that as, this is the control you should have first before you go into attacking.

Jordan Drysdale

Agree. But some organizations are up against, well, I have to have a pen test, but I have no staff or budget to deploy optics, configure optics, and then maintain them.

Kent Ickler

It ends up being a tough report.

Jordan Drysdale

It sure does.

Kent Ickler

Well, tough report to receive anyway.

Jordan Drysdale

Magenta, a lovely color.

Kent Ickler

So we talk about these. We're going to talk more about red team tools, but from the perspective of, we can generalize them. The red team tools that are out there, they're exceptionally good at breaking protocols programmatically, reverse engineering automagically, tomfoolery engineering.

I made that word up. And good old-fashioned deception, deceptively so. The point here is that these tools are made for one purpose. That's to make a red teamer's life easier and eventually to get that pwnage, right?

That's what they're designed for. They aren't necessarily designed for telling you what the problems are in your environment. They're not necessarily like an antivirus that's determined to tell you what virus you have installed and the correct method for removal. They're just there to do that red team and to get pwnage.

John Strand

And this also gets into a larger debate that's happening on the Twitters right now. On one side, you have people like Richard Bejtlich, who's talking about, whenever you're creating implants, you're bypassing endpoint security products, and we're doing red teaming.

He says we're making the adversaries' lives easier, and we need to try to figure out how we can tip the scales for actually making their lives more difficult. I think that this webcast, the reason why I personally got so excited about it, was because it's starting to try and answer that question a little bit more.

And there's a lot of people that have been doing this. SpecterOps has been doing this as part of their core business for a long time. But really, when we're looking at red teaming, it's not just about breaking into an organization and saying, ha, you suck.

It's how do we actually make people improve? It's not as simple as everyone saying motherhood and apple pie and saying, we all agree. In Bejtlich's example, if we create a backdoor like GCAT, or we create a backdoor like something like Silent Trinity, and then a nation-state-level adversary uses that, is there any culpability, is there any responsibility on the part of the red teamers?

It's easy to knee-jerk as a red teamer and say, well, hell no, freedom of speech. We're trying to make things better. But he does have a point. And as a whole, I think that the red teams all need to do better at trying to make those blue teams better rather than just saying, hi, you suck.

Jordan Drysdale

Black Hills has had this conversation about its ethos, and morally and ethically, we write a tool and we see it in the news in two months. I don't know.

Is it uncomfortable? Yeah. Does it push the industry forward? Yeah. I don’t know. I’m always challenged. It’s a tough conversation to have.

We wrote a tool that was used to take down a government. That’s not. I don’t know how I feel about that.

John Strand

Well, yeah, hypothetically. But if people want to know kind of where I come from on this, I believe firmly that things are only fragile until they break.

And that's why it's important for us as red teamers, as security professionals, to break things constantly, because that's where we start finding weak points. That's where we start finding faults. And there's a lot more of us than there are actual adversaries.

And if we do our jobs well, we'll actually reinforce and make architectures better. But it only works if the red team is actually working to make things better at the same time.

Kent Ickler

So this kind of drives the point, and this is sometimes almost political, that we're saying red teams have this amazing skill at breaking things.

It's an amazing skill at understanding those protocol levels at a very deep level and breaking things innately. The most professional blue teamers, they're not red teamers; they are very different skill sets.

And the industry for years now has tried to merge this into purple teaming, and it's difficult because of how you have to look at it.

Initially it was like, everybody come together and collab, and the reason I don't think that always worked well is because there was this kind of ignoring that there were two different skill sets. We just assumed that red teamers could be blue teamers and blue teamers could be red teamers, and everybody would have a big party and they'd call it purple teaming.

And it doesn't work that way, right? We have to acknowledge that the skill sets are different, and that way we can leverage all of those skills, those expert skills from both teams. And that's kind of what we're trying to do even with this, saying that all these red team tools have this other component.

Maybe it’s not fully thought out yet, but if you look at it from this perspective it can be.

Jordan Drysdale

Agree. Yeah, that's very well described. And so then if we take that step forward and we let the red teams into our environment, or we build our own red team, they definitely help move defenses forward.

If they don't, I personally believe you're doing it wrong. So the most important thing on networks these days is optics. And there's so many different places and so many different ways to get it, but most of us maintain and manage Windows domains.

So defining auditing baselines, this is a problem still in, I don't know, 40 or 50% of the networks we test; they really aren't seeing what we're doing.

They can't give me back PowerShell command line usage. They don't catch me port scanning their entire environment with Masscan, Nmap, and all of these other things in full smash mode.

But I think we can get more people there. I don't know how, but I think we can keep moving forward. It's an expensive proposition to hire a third party to come in and tell you what you're doing wrong, or to demonstrate what you're doing wrong, especially now in the time of budget crunch.

But having a purple team test your auditing baselines, push your SIEM forward, or doing it yourself, just validating you can catch PowerShell commands.

That is still not easy for all of our customers to do.

Kent Ickler

So this comes down to optics. We talk about that. But I worked with an organization, they had a super large, one of the most well-known SIEMs in there, and had endpoint on it.

We essentially were operating as DAs on day two. And it wasn't until day four that they caught us. And they caught us because of that NetBIOS poisoning. We had gone that far that we now kind of got sloppy, and we were like, well, we'll see what else we can do.

And on day four, they called us and said, hey, you guys are doing Responder poisoning. We caught you. We'd been in there for four days now, or for two days. Well, it's interesting.

John Strand

And that also gets to another perspective that I fundamentally believe: that every red team's goal should be, at some point, to get caught. We need to identify where those clipping levels are, where we can get caught.

We can do that gap analysis as well.

Jordan Drysdale

Yeah, that's an interesting one, John. I remember when you got a call from me one morning and I said, a lady just told me I must have been the best kind of evil because I finally added myself to their DA group.

It’s like, all right, well, I took over everything. I might as well add myself. Oh, she was livid. Holy cow. The best kind of evil.

Kent Ickler

And they.

John Strand

That was a weird one though, too, because, yeah, the customer, the person that we were working with, was happy. But every once in a while you get those blue team side people where they feel like the red team may have gone too far.

And usually they feel the red team has gone too far because it’s embarrassed them.

Jordan Drysdale

That's true. It's interesting. So Sigma and Sigmac are tools. You should definitely look at these; they basically help us understand a generic log format and then convert rules for whatever SIEM you want to use.

You basically take your Sigma rules, you pop them in your SIEM. The rules trigger and fire whatever alerting mechanisms you may have in place, whether that's an ElastAlert and you get a Slack channel notification, text messages, emails, whatever.

These are amazing tools that you definitely need to go look at for your SIEMs. But then how do you challenge those rule sets? Because, well, you need to challenge your rule sets to make sure they're mapped properly.

And that’s, again, we’re back to purple teaming or we’re back to a blue teamer turning into a purple teamer for a day.

So the rule format looks something like this. Pretty generic. And what do we do? We define a set of conditions under which we expect an alert to trigger.

Kent, anything you want to add there?

Kent Ickler

No, this probably went like, super. Like, we went from floating on water with theory to, whoa, into the mix. And I see CJ just popping up. Got a question for us?

Jordan Drysdale

Sure. Yeah, we can stop right there.

John Strand

Another question? Well, there's been a couple of things. One is from someone with "Please don't make me register" as the handle: can you define practically what a purple team engagement is?

Because in my experience, the teams work separately and do their own thing. That seems wrong. It may or may not be wrong. It depends on the goals. So we definitely do what we call black teaming, where it's unannounced, because you want to test whether someone can detect you.

Then we do things internally where we call it SIEM tuning or threshold detection, clipping, tuning levels, where you're going to cooperate with the blue team to say, hey, we're doing this.

Can you see this? You sort of coach them through it. The objective in any specific engagement is to be determined really by you, the customer. I’ll let you guys pontificate.

Kent Ickler

Yeah, I would say there's two parts to that. One, if you're talking about third-party purple teaming, that's really tough, because part of the blue team on the purple teaming aspect is you have to know your entire infrastructure inside and out.

If you don't know that, then you've got to start there. That's why it's tough for a third party to come and do that and do it awesome. The other part of that, though, is if you're in an environment where you have a blue team and a red team currently and you want them to collaborate together, Jordan and I have a class coming up that is called Applied Purple Teaming.

It actually covers this really closely. Essentially, you look at it from the perspective of creating a framework, creating what that organization looks like, and building a framework that someone can collaborate on.

So it's not just red teams attacking and giving a report to the blue team. That does not create a purple team. That's just blue and red. It's just defense and attack. What makes it a purple team is the collaboration together and building a framework so that the organization can leverage the skill sets from both parties and make that useful for the organization itself.

Jordan Drysdale

Yeah, I agree. I see some other questions related to, like, how do we measure metrics? How can you demonstrate the value and addition of a purple team?

Kent Ickler

So last year Jordan and I developed this class, and these are questions that we actually went to seek out and find answers for. And what we determined is that if you build a framework and you basically do it very intentionally, you say, yes, red team, blue team, we want to create a purple team.

That's really just a collaboration, leveraging both skills. If you do that in a framework, you can create KPIs everywhere. Inside that framework, you can have KPIs for the amount of attacks that get deployed through the network that end up being a defense mechanism that gets deployed out.

You can create KPIs for that, and that can eventually become a dollar amount that ends up feeding back into the department.

Jordan Drysdale

So, not everyone here has a business degree: a KPI is a key performance indicator. Those can be both qualitative and quantitative.

Kent Ickler

Absolutely. So the idea here is that you have a red team, you have a blue team, they're always doing their work. They would every other day. But if you want to do a purple team to get them to collaborate, you do this in a lifecycle so that you can create very specific M.

Jordan hates this word, but goals. If you set goals for them, they're things that they can reach to. You build a framework for what that looks like so that they can operate inside that framework and they know what they're responsible for.

If you do those things inside of that framework for the organization, your purple team can be successful. And it's not going to just be the red team and the blue team fighting each other. It's actually going to be a collaborative effort for good.

John Strand

There's also a whole other.

Jordan Drysdale

Go ahead.

John Strand

I was just going to say, one of the things that we have to be very careful of, and I'm seeing a lot of organizations fall into this trap, is whenever the red team does something and the blue team tries to instrument the detection for that thing, a lot of times they're going back to very rigid signatures.

Like, for example, on the Sigma project, there's a whole series of rules where they're doing a search for the use of anything called Mimikatz, and they're looking specifically for that string. That's a mistake.

We can't just be looking for basic signature-based detections, and as red teamers we can't be sharing those standard blacklist signature-based detections. We've got to be able to go deeper and say, okay, so we've got this particular thing that is injecting into LSASS.

Here’s how you would actually go about trying to detect that. We have to be intelligent about how we’re communicating and setting those goals for the organization to detect these attacks.

Kent Ickler

In that framework, too, you can define out things like, when you reach down to that defense perspective and hunting, what does that actually look like? And if you set the guidelines for what that looks like, you can prevent that rigid signature-based application that eventually doesn't work.

Jordan, we're going to talk about Responder. I think we've talked about Responder in every webcast.

Jordan Drysdale

I don't know why we wouldn't. It still works every single test, whether it's writing the LNK file to a writable share and having hashes come back, or whether it's just getting into the network and launching Responder; it always seems to be effective.

Kent Ickler

All right, so let's just recap Responder. We'll say it's network poisoning: allows us to grab cached hashes, allows us to grab authentication handshakes, allows us to grab cookies if we use, like, WPAD.

Right.

Jordan Drysdale

Something to that effect. Yeah, it’s basically a poisoning tool for weakly configured Microsoft default protocols.

Kent Ickler

This is pretty much a red team tool. I mean, what’s the blue team side of it?

Jordan Drysdale

That's a really good question. I'm not sure. I don't know how I would use this, except that I would want to be able to catch usage of it. So it's a very standard MITRE technique.

It is used. I think US government employees were told to avoid hotel wireless because there were Russians targeting specific hotels and using Responder. This is a dangerous tool.

It’s a tool you definitely need to be able to catch.

Kent Ickler

Okay, so from the blue team perspective, we really just need to know whether or not we're vulnerable, right? So what about the hunting side? What does that look like?

Jordan Drysdale

Well, before we hunt, I would talk about defense, right? You want to prep yourself. You want to be ready for someone to come in. Yeah, the last comment I saw, SMB signing. Yeah, SMB signing is definitely still a thing, and you definitely get dinged for that in your pen test reports, because, well, if you want to know whether or not you should turn it off, hire us for a pen test and we'll show you why you should turn it off.

But really, the defense methodology is several steps, right? Limit LLMNR by Group Policy. This one is tough. Not all people can deny access to a computer via Group Policy.

But we really gloss over NBNS here, because NBNS is on by default on all NICs you attach to Microsoft systems. There isn't a Group Policy setting that says you can go turn off NBNS everywhere.

Now you've got to have a PowerShell script running that basically pushes down a configuration setting to disable NetBIOS name lookups on all your adapters everywhere, right? And firewalls.

Right. I was testing this last night and guess what? I wasn't authenticating remotely to a system, and I figured out the firewall was on. Boom. But I turn off the firewall, which a lot of people do to troubleshoot.

Leave it off. 445 is open. We relay, we get your local admin creds, we laterally move, pivot, pillage.

John Strand

So I wanted to share with people, if you're not on the Discord channel, you should be. So there's a tool called Responder that helps detect Responder-style attacks. And then also I shared out the CredDefense Toolkit from Black Hills Information Security that is specifically designed for detecting things like Kerberoasting and Responder-style attacks as well.

Jordan Drysdale

I thought I included those in here. Are they in here?

John Strand

They just popped up.

Jordan Drysdale

Yeah, yeah. But ResponderGuard, it was kind of funny. We found an event you can create on a network. Again, part of that CredDefense Toolkit. Great tool, but yep, denying access.

Again, this is a Group Policy that isn't available to everyone, because they want to access our systems remotely. But this is another way to kill the relay attacks. So some detections down there at the bottom for pass the hash.

So let's move over to CrackMapExec. Amazing red team tool.

Kent Ickler

Yeah. When I first played around with this, I was surprised at how quickly it just made effortless work.

Jordan Drysdale

Yeah, it's a very stealthy tool. It's designed to take advantage, again, of a lot of protocols on Windows networks. So you poison, respond, relay.

Then I usually get local hashes, whether it's workstation administrators or server administrators, and those hashes I then pull back into CrackMapExec. Pass-the-hash attacks are still valid. Now, Microsoft thought about disabling pass-the-hash attacks by limiting the accounts you can authenticate against a remote system locally to RID 500.

500? Yep. So that’s ineffective if you get ahold of domain credentials, which happens all the time in these attacks.

Kent Ickler

So anyway, I mean, it also limited you to, when you get a win, you get a local administrator win. So it's always nice.

Jordan Drysdale

Yeah, exactly. So this is a red team tool, right?

Kent Ickler

It's very fast for red team tools.

John Strand

Yeah, no, no question. I would say this is pretty solid on the red side.

Kent Ickler

Most of them today are going to be, all we would agree, except you.

Jordan Drysdale

Definitely want to be able to catch it. So here's one we tried to figure out when we were writing this class. How would we actually catch the extraction of NTDS if it was a valid DCSync operation, which CrackMapExec uses?

You get a DA hash and you basically request a DCSync. It happens over DRSUAPI. I thought the names of these requests initially, when I started researching, were Marcello making fun of something. I have no idea what DSCrackNames is.

But anyway, that turned out to be completely valid in the protocol and usage for this remote API call. Then we figured out, well, how are we going to catch this, Kent? What do we do?

Well, we'd better perform that attack. We worked backwards through those steps of identifying pass-the-hash attacks.

This was even before we knew Sigma rules existed. We figured out, backwards, the same results, which is Event ID 4624, valid authentication.

A user-reported SID of S-1-0-0 (null, Nobody), and then a logon process name of NtLmSsp. When we combined these things in our SIEM, we were consistently catching pass-the-hash attacks, which you want to be able to do.

If you hire pen testers.

Kent Ickler

From this perspective, then, hackers take over using CrackMapExec. We're using it just to essentially attack, hunt, and then define out what our signature is.

Right. Even though the way we're defining it out is not very... We're not actually capturing or identifying exploitation of machines at this point. We're just using logs.

Jordan Drysdale

Yeah, we're trying to figure out what this tool looks like in usage, because while it is a pretty hard red team tool, you have to be able to catch these things.

It’s not the only tool that implements pass the hash attacks. You want to be able to catch the indicators of compromise, whatever tooling. It’s just this one is so easy to use that why wouldn’t we use this one?

Kent Ickler

From a lifecycle perspective, the first thing is get approval. You don't want to be attacking your networks without approval or authorization. But from that perspective, what that lifecycle might look like for this is to actually run the replays, run CME and potentially do that attack, and then attempt to hunt for what you just did and then see if you can build a signature for it.

And then of course the last portion of a lifecycle would be to implement that signature into your production environment, so that you can utilize the signature and hopefully catch it the next time someone runs CrackMapExec or anything similar in ATT&CK.

Jordan Drysdale

Yep. So password sprays, right. This is another way we move laterally. When you hire us to come into your network, it’s a very standard attack. We use PowerShell, if not PowerShell.

We use PowerShell without PowerShell, command prompt. I love Joff’s for loop where you have a list of users. You iterate through your list of users against a single password with a command prompt.

So whatever we can do, however we can get there, we are almost certainly going to password spray every network we come across. DomainPasswordSpray is easy enough for us to implement and use.

I am saying in the next slide, I believe it is about a five minute tool from zero to password spraying your environment.

Kent Ickler

Red team is pretty clear here. I get what we’re trying to do is we’re just trying to get a password right by using Summer2020 bang. Like, no one should be using that password. From the blue team,

This should, it should be pretty easy. Like, we could audit for bad passwords, right? That’s pretty simple.

Jordan Drysdale

Yeah. Agree. Completely agree. My cat’s talking to me, so it threw me off my game a little bit here. But blue team perspective on this. Right. We probably ought to know what our organization’s security culture is like and, unfortunately, it’s generally bad.

Unless your organization has implemented a 15-character password policy and it is ingrained in your people to not hate that password policy because they understand length is more important than knowing Kanye West is married to some lady.

This is a serious challenge for organizations. So again, we’re going to have to go back to the next slide where it says, well, you need approval to do this. You’re going to get a hold of people’s credentials, almost certainly, if you have bad password policies, and knowing this is a common lateral movement technique isn’t good enough.

So, one, you need permission to do this because you are going to see people’s credentials and, I don’t know, Kent, what do you got here?

Kent Ickler

I mean, technically, if I said your password is Summer2020, bang, and I said to a large enough group of audience, I knew their password, I just didn’t know who it was. I agree.

I think obviously you need to have authorization. The good thing here is you’ll be able to determine what that password hygiene looks like and just saying 15 characters.

The interesting thing about that is if you take all the American English words, put them out, get frequency analysis on it, figure out what the top thousand words are.

What’s a thousand times or a thousand cubed, right? It’s a billion. So we can crack a billion password hashes in less than a second.

Just because you have three words in your password, that doesn’t mean you have a good password either. Five words isn’t even necessarily good enough if it’s all the top 1000 frequency words.

This is where DomainPasswordSpray can come into play. But really I think the other big benefit here for blue teams is the fact that if you can do this and you can catch it, that’s where the big win for this is, because you’re going to be able to catch those brute forces then that are lateral instead of being vertical.

Jordan Drysdale

Sure. So I just saw an interesting question from Jimmy, but we’ll address that in just a second. CJ. We have any other interesting questions? Anything you want to talk about?

John Strand

Kind of a hodgepodge here. Early on they were asking what we like for honey pots.

Jordan Drysdale

Sure, John, I really like, for a lot of the things that you’re talking about here, one of my favorite honey pots whenever we’re talking about password spray attacks is create a user account, log into the user account, set its logon hours to zero and then set up a SIEM alert where anytime someone tries to authenticate to that account it’ll generate an alert on who’s trying to authenticate and from where.

And that will shut this particular that will detect this attack immediately. Because domain password spraying is not a targeted endeavor, they’re pulling down every single user account in order to do it.

Kent Ickler

What’s interesting too, John, is I think the clarification is that you didn’t just say tool, you actually gave the methodology to how to do it. I think when you talk about some of these things, about blue teaming and creating these tripwires, there’s not always a tool.

Sometimes it’s actually you configuring things in a logical way to be able to build that hunt platform.

Jordan Drysdale

Agree. And another question here was what’s the general difference between Event ID 4624 and event code or Event ID 4776? One of those is Kerberos validation and one of those is just a standard Windows account logon.

Huh? I think we show this in a couple slides coming up. But 4624 is a successful logon. 4625 is an unsuccessful logon. Now the 4776 codes, you have to be baseline optic.

You have to have a specific set of audit policy configuration settings in your Windows domain that are pushed to, one, your domain controller baseline as defined by Microsoft, your member server audit baseline as defined by Microsoft, and then your workstations.

Right. All of these have slightly different audit policy configuration recommendations and you will never see event code 4776 if you’re not auditing properly.

Kent Ickler

So you won’t see this unless you’ve done it intentionally. I think that’s key is that the default configuration does not yield itself. To be able to do some of these hunts you actually have to put the effort in and do these things intentionally.

Jordan Drysdale

Agree? Yeah. Optics are so crucial. So for a lot of organizations, I assume a lot of people even on this webcast have not really understood the fundamentals of Windows optics.

And there’s some serious problems with their default settings that leave us blind to critical, critical things like password spraying.

John Strand

Well, I don’t know exactly what the webcast was. It was one of the ATT&CK tactics webcasts, if you remember. We thought it would have been easy to say okay, we’re going to go through and find out what are the event logs that you should find for the entire ATT&CK methodology.

And we found out by default it caught nothing. And then simply by enabling a few things it still wasn’t detecting. We had to go, I swear to God, to like page three on Google to figure out how to get the level of detection that we needed.

I think it was like Attack Tactics 6 or something like that where you guys went through and said this is specifically how you have to set up your logging to detect this attack.

Jordan Drysdale

Yeah, and that’s, again, there’s, okay, so let’s talk about ASP for a second. You deploy an ASP domain-integrated application on the edge of your network. IIS by default does not log squat to your Event Viewer, nothing.

It logs everything to disk in a file. But that file does not propagate through your event forwarding configurations. Just doesn’t exist. So you have to go touch all of your application pools in IIS, configure them to log to both the Event Viewer and disk if that’s how you want to operate.

Define the sizes of those logs and make sure those logs are forwarding. It just turned out that Outlook and Exchange do not log.

Kent Ickler

So I’m going to play devil’s advocate. I’m going to also give my age away by saying that my MCSE, right, yields me to really want to say that we can’t fault Microsoft for this because there’s a reason that it’s deployed the way it is by default.

That is a history of computers that have gotten faster and faster over time. But there was a time when, if you turned all this on, you wouldn’t be able to do anything. Just the disk latency on writing logs all the time would prevent you from actually getting any work done.

It made sense to not necessarily have this enabled unless you were in an environment that needed it enabled. However, today, in today’s environment, the security risk weighing that out is now, because computers are faster, we can actually deploy these things, gain security from it, and we’re risking a lot less in doing that.

It’s costing us less on that balance to actually deploy these types of things, gain the, security posture from it, and not have to worry so much about that disk latency. That really would have been a problem years past.

Jordan Drysdale

Yeah, I agree. So here’s our Event ID 4625. Either bad username or authentication information. So someone pointed that out in the logs as well. If I knew all my Event IDs, I’d probably be a SIEM author or maintainer or something else.

But basically what we saw in our, if we look at this previous slide, we notice a spike in our Elastic cluster. We drill into the spike just like John did in pre-show banter.

We look at each one of these columns now and we can sort out what’s going on. Right. We’re seeing a spike in bad username or authentication information events. Now we know in our SIEM that we probably want to configure some form of escalation, a rule, and alert when we see spikes that look like this column highlighted in red.

So, Kent, anything you want to add there?

Kent Ickler

No, I think we got that covered, man.

Jordan Drysdale

Sure. So let’s look at Mimikatz. John wanted to talk about this, so let’s do this. Here’s your Mimikatz again. This is about two minutes for you to launch a PowerShell, run in bypass mode and execute Mimikatz.

It’s all right there. Now, a couple things should happen. One, you’re going to need to have an admin shell. Two, your antivirus is probably going to trigger.

But, there’s another consideration here. Are you worried maybe that the MSP you’ve hired in your environment isn’t getting the job done?

Because if you kill AV on a box intentionally, with permission from your change management CIO, whatever it takes for you to get permission to do things like this.

If you kill AV on a box and are intending to test your managed service provider, and they don’t catch this as a big red flag, you probably need a new MSP.

And I think, maybe twice a week, our chat, our internal chat, blows up about managed service providers. And we as pen testers are never satisfied with MSPs and there’s always gaps in how well they’re delivering.

But we’re not on the end where we have to say, hey, managed service provider, you’re not doing a great job. You didn’t see this thing. You do, though. And to get there, guess what, if you’re uncomfortable with what they’re doing, you don’t think they’re getting it done.

Kill AV on a box, get permission and run Mimikatz.

John Strand

Well, that really goes to, I think that that gets into a really thorough purple teaming assessment, right? You’re not just saying, can we be hacked? Can somebody bypass endpoint?

You’re now making an assumption. If they bypass our endpoint protection, now they’re on the box. What can be detected from that point on? And the really horrible thing about a lot of MSSPs or MDRs, managed detection and response vendors, is once you take away their endpoint product, they are blind.

And this absolutely sums that up perfectly.

Jordan Drysdale

Yeah, what we see here, I love this. When you are properly PowerShell logging, if you look at the Mimikatz logo, the stuff written there, we get the exact same output written to our log.

Boom. This is what you want to see.

Kent Ickler

So are you suggesting you write a signature based off the logo of Mimikatz?

John Strand

Yeah. How many pounds pound prompts and slash cheese are used? Well, this also gets to the brittleness of these types of signatures. Right. The advanced persistent set attack is a great presentation by Eric Conrad where he took Mimikatz and changed the name of it to Mimidogz and then recompiled it.

And it was able to bypass a lot of endpoint products. So you do want to be able to detect these things as table stakes. Yes, you may want to have a signature to detect this, but at the same time, you’ve got to go deeper and say, how is this process injection actually working as well?

Kent Ickler

John, he would have changed the name, but he wouldn’t have changed the logo. The signature would have worked.

John Strand

That’s probably, probably true about the logo. The funny thing about the Mimidogz attack, though, is somebody, there was a signature that was written for that, but if you changed it from Mimidogz to Mimikittenz or whatever, it still worked again.

So it shows once again the brittleness of a lot of endpoint security products.

Jordan Drysdale

Didn’t Benjamin Delpy just show his latest executable on Twitter where he showed it against four or five different antivirus vendors and it’s still the same that trunk version of the exe, modify a couple things, recompile, and guess what?

It just takes a couple things in these tools to get them by EDR.

Kent Ickler

So, the lifecycle, you’re starting to get kind of redundant now, right? Because it’s turning into something cyclical. It’s, you get approval, you do the attack, you hunt, you defend, and you make a report.

Right. The lifecycle is pretty clear on these. Hey, CJ, what’s up, man?

John Strand

Hey, this is a nice question that came in from Ibuhima: what do you think about a company not using a SIEM, that’s just using security events directly from an EDR platform, like CrowdStrike, Carbon Black? Pros, cons?

Jordan Drysdale

Most of those EDRs charge you a ton of money to do that for you. I’m not saying that there isn’t a Carbon Black dashboard you can go manage and monitor yourself.

But most of these companies want to get you into an endpoint contract and then have you ship them logs so that they can do the processing themselves, and they probably do a better job of it. These EDRs are legit, and it is getting really difficult for pen testers and attackers to not step on some landmine that they trigger.

John Strand

And that’s good, right? Let’s talk about blind spots for a couple of seconds. Okay. If your EDR goes down or it’s not logging, or the agent goes down or the attacker brings it down, or there’s ways to blind it, which come out probably five, six times a year, you’re effectively done.

You’ve basically built your entire security around one thing that is not defense in depth. And God help me for agreeing with Gartner on this. Gartner said that any MDR solution has to incorporate an endpoint security product and network visibility to be complete, because you need to be looking for those overlapping fields of visibility where if one thing fails, something else can pick it up.

That’s why I talk to people and I’m like, yeah, use your EDR and use Sysmon intelligently tuned to complement and support each other with network level forensics to do it correctly.

Kent Ickler

We were talking about CrackMapExec earlier, right? You noticed that the signature that we found was actually found in Wireshark. So it’s at that level for some of these attacks that you need to have that full visibility.

Jordan Drysdale

So that one was a boundary defense question, and we used to argue about that as an MSP. Do we have IDS, IPS protections on all boundaries on our internal networks? No. Who’s going to be running some kind of attack on the inside of our network?

This is one of them. The IDS rule would say, here are my known DC IP addresses, trusted. If any requests for DRSUAPI syncs come from other IPs at my boundaries,

Trigger alerts. John, there is another question here I want you to address, if you don’t mind. Why do we believe, nearly all security vendors keep implementing, like, these kind of defense detect things improperly, are they?

Go ahead. what?

John Strand

That’s, let’s back up for a second. I think that sometimes it can get too easy to rip on these vendors, right, and say that they’re doing it wrong, they’re doing it incorrectly. It is incredibly difficult to create an endpoint security product.

It is incredibly difficult to look in all the nooks and crannies on a Windows operating system for what is going on, even Microsoft themselves. There are Sysmon bypass techniques, there are AMSI bypass techniques that exist.

You’re not dealing with something simple. It’s incredibly complicated. And if you’re looking for a really quick stopgap, which is what a lot of people are looking for, writing a signature for something like Mimikatz works in the short term, and it also works for 98% of the attacks that would utilize it.

So I think you’re looking at this run and gun. You’re looking at basically trying to do this gap analysis and fixing things as quickly as possible in a triage mode. But, if we look at where endpoint security products are today and where they were five years ago, there is no comparison.

They are absolutely getting much better at what they do. But back to gaps, the browser is the new endpoint, the cloud is the new endpoint, and a lot of those products start losing visibility there.

Jordan Drysdale

Yeah, I don’t know anyone who has deployed EDR on EC2 instances. I’m not saying that there aren’t probably people on this webcast. I have never encountered a situation where someone’s EC2 fleet was fully EDR’d.

And that’s, that’s just the facts of life, so. All right, Kent, we’re almost there.

Kent Ickler

Oh, man, BloodHound. Okay, so back to the very first slide, right? We talked about a customer of ours that said they had a red team tool they wanted to use, and they struggled to understand the usefulness of it to defend.

The tool that they were talking about was BloodHound. And, when we sat down, we looked at their environment in BloodHound, and it became very, very apparent why they were struggling.

So BloodHound is a great way for red teamers. And I consider it a red team tool, but it’s made for blue team too, right? It’ll work. It allows you to do things like pathfinding, right? And it’s using a graph database to do it.

So you can do things like I have access to a user account here, a very low privileged user account, and I want access to DA, show me the shortest hack path I can find to do just that with the least amount of effort.

And that’s what BloodHound does. Now from a red team perspective, that’s what it’s doing. It gives you information like that that’s useful to make your job really fast, to pwn a network as fast as possible, as efficient as possible.

Then they’ve actually gone and people have made modules to this that actually now work with Cobalt Strike. So you can set up BloodHound to find that shortest path and then they just go import it into Cobalt Strike.

And Cobalt Strike does the complete automation from user account to DA and it’s done. And that was the red team pathfinding. Okay, so that’s really cool.

What you see in the lower left hand corner here is why it’s not cool for blue teams and why it struggles. So the right hand side is all the things that come pre-built in BloodHound. So you can do things like find all Domain Admins, or somewhere in the middle there is like groups with foreign domain group membership.

So you can talk about now, trust domain, Active Directory domain trust in the forest and finding links between those, like in a bastion domain. So a lot of power here.

Lots and lots of power in the graph database that’s being used to build all these relationships. From a blue team perspective, we know there’s good data here, we see the data, but it’s just, it’s kind of clunky for us, right?

We can get told what the red team did, how they got from the custodian’s account to domain admin. We can see that they can give us all the IOCs about every step they took, but it still wasn’t enough for us to go back and what are we going to do?

Fix one account? That’s not the point. That’s not helping us. So that’s the red team tool. It’s awesome. It is super, super cool and efficient for red teams. Blue teams, it’s just tougher from the lifecycle perspective.

So BloodHound, you get the data from Active Directory in a couple different ways. You can use Invoke-BloodHound to get everything set up and to inject that way. You can also use SharpHound, which is an exe or PowerShell.

It generates a bunch of CSV files, which are now JSON files, that you then pull into BloodHound. The attack here looks like you run some PowerShell for SharpHound. You get some datasets that you then import into BloodHound and then BloodHound does the analysis of that to build those relationships.

So that’s what that looks like from the lifecycle.

Jordan Drysdale

It’s that easy to run.

Kent Ickler

Five times it is that easy to run. And from the backside of the lifecycle, turning that back and giving it to the blue team and say, hey, you need to go fix this stuff. The blue team’s gonna say, what do I need to fix?

You can see it here. You ran PowerShell. That’s not enough. It’s not enough just to block the running of PowerShell, but to actually get the data out of BloodHound is still really difficult, much more difficult than just saying, yeah, you ran Invoke-BloodHound.

Jordan Drysdale

We figured out in our SIEM it’s pretty easy to catch PowerShell with a couple of OR statements. I want to see all IEX or Import or Invoke statements. And then we get the stuff like we saw earlier with the Mimikatz.

We get to see the whole logo. It’s beautiful. It’s captured because we properly opted and told our sim what we want to see.

Kent Ickler

We were actually worried that we’d have to baseline this to weed out all the stuff that Microsoft does to manage an Active Directory domain. Those are actually very, very few and far between.

We had a lab running for months and we looked at that specific query and didn’t find a lot. All right, so BloodHound, I consider it a problem. It’s awesome for red teams; the blue team struggles.

So I decided we’re going to take an executive problem statement about this and really look at BloodHound. For the blue and purple team, there’s so much data, there’s so much.

How do we make sense of it? And that’s the question that I wanted to pose. And we came up with a solution. So for the client, we went back and we said, okay, let’s look at the data that’s actually in BloodHound in terms of what’s meaningful to you.

And we took that from the perspective of we had to write a tool to do this. So we just went one step further and built a framework for it. And we released the framework on GitHub last night. So I would call it a proof of concept framework at this point, but we called it PlumHound.

And essentially the idea behind it is the way BloodHound works is with what’s called Cypher queries. Cypher queries are those relational, the graph relational database and how those things pull data out of there and build those relationships.

We’ve just built the framework. What the framework does is it connects to BloodHound, to the Neo4j database, and it runs Cypher queries and those Cypher queries come back in some sort of meaningful way.

And then we try to put that into an HTML report or dump it to grep or dump it to a CSV file that you can then ingest. We’ve gone a little bit further than that then and we’ve actually made it so that you can bundle a bunch of tasks, a bunch of Cypher queries, together to build reports.

So if you go to the next slide, Jordan, looking at this now, this is not pretty by any means, but what we talked about, all of those things that BloodHound could do and all those are based off Cypher queries that build this nice pathfinding map, basically a GPS map of point A to point B.

So we’ve done something very similar, except for we’ve built it into a report fashion. So finding things like unconstrained delegation, upper left hand corner user to indirect local administrators, the upper right hand corner group policies to privileged group to admin, and then also Kerberoastable accounts.

These things are interesting because with this you can actually go and find all the Kerberoastable accounts that also have sessions on workstations that you might be interested in, for example, a domain controller or a remote desktop that also has lots of other users logged in as well.

The idea here was to take a look at that BloodHound map and make sense of it in a way that you can infer work that needs to be done. From a blue team perspective, no longer do you get this map that’s massive.

You can now look at something that I think is ingested by, consumed by blue teams a lot better, which is honestly logs and reports. To look at it from an analytical perspective and say, of all the paths, this is the commonality between these 400 accounts.

There’s this one step right here that’s common. If we fix that one step, this problem kind of goes away. And this tool is designed to help facilitate that. So we’ve built the framework and then we’ve built.

We’re also going to release later today kind of basically a marketplace where everyone can add their own Cypher queries, because the power of this is not just in me creating a Cypher query and making it useful for you.

The idea behind it is that if you create a Cypher query, because the way BloodHound works, it’s common between all Active Directory environments, you’ll be able to run, replay, that Cypher query across other environments.

And that means if I create one, why can’t you use it, if you create one? If the goal is to better security as a community, we can do that by building these Cypher queries that generate these reports.

And these reports can be meaningful. The big key here is taking these Cypher queries and making them aggregate data so that you not only see a number of user accounts that have access to a certain resource but drill it down to why, and that’s where the power is really going to come in at.

John Strand

Well, and this also becomes the task list for the blue team. That’s what was really missing from Bloodhound is whenever you try to explain this to a lot of red teamers, probably myself included, is you would say well we don’t have a good way of pulling out what is the action items.

And it’s like, but I got domain administrator. Yeah, but there’s like 150,000 things in the report that need to be addressed. But these twelve got me domain administrator and this really starts basically turning it into a worksheet for the administrators to address the issues, not just the one path the attacker used.

Jordan Drysdale

I would have you take one step back in the description of the tool. What is the input? How do you get from zero to PlumHound, these reports?

Kent Ickler

Yeah, so it’s interesting the way this works. BloodHound is actually built on Neo4j. That’s the graph database, relational graphing database. It handles the relationship connecting.

BloodHound is a really awesome graphical tool and it builds that map for you and it provides that information graphically. You can export it to JSON, but that’s still difficult to use.

What we’ve done is we’ve actually, then, after you’ve imported the data in BloodHound from SharpHound, take the SharpHound JSON files, import them into BloodHound. BloodHound builds all those relationships together.

Builds out what, that map? Yep. Control paths, builds that all together. And then we’re then connecting to that same database and running the same Cypher queries that BloodHound does. We’re doing it with the output being text-based tables or record sets instead of maps, if that makes sense.

What this looks like from the actual syntax. I don’t know if I have more slides on here or not. No, we don’t. Okay, that’s all right. The syntax essentially is just running PlumHound to specify the server, username, password for the database and then the task list.

And the task list is a bunch of tasks. If you go and look at the GitHub page, they’ll have all that information in there. It’ll even give you like a sample task list, that job list that produces a bunch of reports.

The idea here is that we can generate multiple task lists, ones that are for specific things. Like if you’re interested in domain admins, you can create a task list that drills down domain admins and figures out your root cause analysis and why you have so many domain admins, or why you have more than you thought, or what the actual account privileges are of those domain admins.

And you can create these sets of task lists that you can run and then share out as well. So that’s kind of the community involvement, is building that framework or building those task lists. And then also, I mean, this is proof of concept code and I’m not a rockstar Python guy, so no one looks at my code and says, you should have done it this way.

Yeah, make a pull request or push request. And it’s awesome. Fine with that.

John Strand

We’re looking for people to say, this sucks. Here’s how to fix it. That’s awesome. That’s how we get.

Kent Ickler

Exactly. And Jordan, go back one slide. I really wish I could have given the reports that came back from our client because they didn’t like this.

This is like the most.

Jordan Drysdale

Yeah, let me talk about that really quick. We use a tool called BadBlood, which is also available on GitHub, to create a domain for us. Something like 2000 user objects, 500 computers, and then 395 groups.

The problem is that tool can’t create sessions for us.

Kent Ickler

BloodHound uses those sessions to be able to build those control paths. We’re missing a component in our database report here that’s missing and doesn’t give you a full picture of what can actually be done here.

But if you look at the GitHub page, it’s pretty easy to run again. If there’s bugs, just let us know. Or you can just fix it too. That’d be awesome.

Jordan Drysdale

Go home. Make the world a better place.

Kent Ickler

Absolutely. That puts us right at time, Jordan.

Jordan Drysdale

I know, that’s amazing.

Jason Blanchard

Holy cow, guys.

John Strand

That’s like the best timing you guys have ever had.

John Strand

I just got a comment that said that he hasn’t seen any questions in this presentation.

John Strand

I got all the questions. There’s been a lot of them.

Jason Blanchard

Yeah, we’ve been answering all the backhand.

John Strand

Oh, my God. Here’s a project for am Spartacus. BadBlood is, fills an Active Directory domain with a structure with thousands of objects.

The output of the tool will create a demo or similar to the real world. That’s cool.

Jordan Drysdale

Production.

Kent Ickler

Do not run in production.

John Strand

Well, well, you’re gonna run BloodHound in production, right? People do it all the time. This is just basically taking that data.

Kent Ickler

Yes. But, but BadBlood is actually.

Jordan Drysdale

Yeah, we used BadBlood.

John Strand

Yes. that’s right. That’s right.

Kent Ickler

So the thing with BadBlood, like Jordan said, is it can’t create sessions. It can’t create those session relationships between a workstation that fictitiously got created and then saying that there’s a session on there. It doesn’t do that, but it does do things like ACL modification and such.

That is interesting.

Jordan Drysdale

In BloodHound, random users from the top thousand first names, last names, random passwords, computer objects, groups. I mean, it is beautiful. Like, the output is amazing.

Kent Ickler

This is actually the first time Jordan and I used that. Prior to this, we wrote our own scripts that did it. So we’re happy to see that now there’s someone else doing the same thing, but in a little bit more of a portable fashion.

John Strand

Nothing like turning your domain into a smoldering heap. So let’s bring the questions on, folks. Since we’re at the end of the webcast now, it’s time for post-show banter where we answer questions.

And then Kent and Jordan start drinking heavily. They’re like, oh, we made it.

Jordan Drysdale

Coffee.

John Strand

Although people are like, live demo, live demo. Live demo. Hell, no.

Jason Blanchard

We’re gonna kill the recording. So we’re gonna kill the recording, but we’re gonna stick around for all the questions.

Kent Ickler

So, for everyone, thank you so.

Jason Blanchard

Much for being here. This is a Black Hills Information Security webcast. Please stick around if you’d like to hear the questions. And shecky was the winner of our wildest heckin fetish hoodie. So check, make sure you check your messages on Discord.

Jordan Drysdale

Jason, do you want me to click the stop recording button?

John Strand

Are we done with the recording? Are we done recording?

Jordan Drysdale

It is.

Kent Ickler

Now.

Jason Blanchard

We’re done.

John Strand

Let’s get these pants off.