
Your Active DAD (Active Domain Active Defense) Primer

This webcast was originally published on September 25, 2017.

In this video, the speaker discusses the concept of cyber deception and its practical applications in Active Directory domains. They delve into the effectiveness of commercial cyber deception tools and share insights on creating a deceptive environment with fake user IDs and system names, including a honey domain-admin account whose logon hours are all denied and a honey share carrying a document that beacons home. The discussion also covers the broader implications of cyber deception for improving organizational security and its potential integration into cybersecurity strategies.

  • Cyber deception can be implemented effectively and inexpensively within organizations to enhance security detection.
  • Commercial products like Javelin Networks and Minerva demonstrate advanced applications of cyber deception to protect corporate systems.
  • The webinar discusses transitioning cyber deception from academic and niche usage to mainstream corporate and enterprise applications.
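The honey admin account the webcast walks through can be set up from one PowerShell session on a domain-joined admin workstation. The block below is an added example, not code from the webcast, from Black Hills, or from the ADHD project: it creates the decoy, denies every logon hour (the step the talk calls essential, so that no password, guessed or sprayed, ever yields a session) and then pulls the resulting failed-logon events off the domain controller. The account name `adm_honey` is hypothetical, and the detection part assumes the RSAT ActiveDirectory module is installed and that the DC records failure audits for logon events (Security event 4625), which is the same failure audit the talk's Kiwi syslog output shows.

```powershell
# Added example: honey admin account with every logon hour denied, plus a check
# that pulls the resulting failed-logon events. Not code from the webcast or ADHD.
# Assumptions (not stated on the page): the RSAT ActiveDirectory module is
# installed, the account name 'adm_honey' is hypothetical, and the domain
# controller records failure audits for logon events (Security event ID 4625).

Import-Module ActiveDirectory

$HoneyName = 'adm_honey'   # hypothetical; pick a name that matches your real naming convention

# 1. Create the decoy with a long random password so a spray never guesses it.
$Password = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 40 | ForEach-Object { [char]$_ })
New-ADUser -Name $HoneyName -SamAccountName $HoneyName `
    -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true `
    -Description 'Domain admin service account'   # bait text an attacker will read

# 2. Make it look valuable. Domain Admins membership is what the webcast does;
#    a less privileged but interesting-looking group works too.
Add-ADGroupMember -Identity 'Domain Admins' -Members $HoneyName

# 3. The essential step: deny every logon hour. logonHours is a 21-byte bitmap
#    (168 bits, one per hour of the week). All bits zero means no logon is ever
#    permitted, whatever password is presented, so the decoy can never be used.
$NoHours = New-Object byte[] 21
Set-ADUser -Identity $HoneyName -Replace @{ logonHours = $NoHours }

# Verify that the bitmap really is all zeros before relying on the decoy.
$u = Get-ADUser -Identity $HoneyName -Properties logonHours
if (($u.logonHours | Measure-Object -Sum).Sum -ne 0) { throw "logon hours for $HoneyName are not fully denied" }

# 4. Detection: run on the domain controller (or point it at forwarded logs).
#    Any 4625 naming the decoy is an alert. Status 0xC000006F is the NTSTATUS
#    behind the 'account logon time restriction violation' reason the talk shows.
function Get-HoneyLogonAttempts {
    param([string]$Account, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML by field name rather than by positional index.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetUserName -ieq $Account) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = $d.TargetUserName
                    SourceIP    = $d.IpAddress
                    Workstation = $d.WorkstationName
                    Status      = $d.Status
                    HoursDenied = ($d.Status -eq '0xc000006f')
                }
            }
        }
}

Get-HoneyLogonAttempts -Account $HoneyName -Hours 24 | Format-Table -AutoSize
```

An account whose hours are all denied should never produce 0xC000006F unless someone is probing it, so that status alone is a good SIEM trigger alongside the account name. Kerberos-based attempts against the same account are recorded as 4768/4771 on the DC rather than 4625, so a rule keyed on the decoy's name should cover those event IDs as well.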


Transcript

John Strand

All right, so this is a replay of a webcast that we did when we were at SANS FIRE. One of the things the marketing department at SANS, and the marketing department at BHIS, is working on very hard is, every time that I'm at a SANS conference, or we have somebody that's at a SANS conference, trying to do something live for the people that are in that area.

Not necessarily at the SANS conference, but in that area, just to get out and meet people in as many different ways as possible. So I wanted to put together a presentation that was basically cyber deception on the cheap in domains.

And to be perfectly honest, this was also used for the SANS 550 course, Active Defense, Cyber Deception and Offensive Countermeasures, which, by the way, is now killed. SANS is going to run it one more time and then it's going on ice for a while.

They're going to figure out how they want to retool it and what they're going to do with it, and maybe try to make it a little bit more applicable to corporations and enterprises. So this is meant to go into that class, but it's great as a standalone webcast.

So we thought we'd kill two birds with one stone and we'd rock and roll with it. So commercial cyber deception is really starting to get some amazing traction out there.

It's so cool. Like Javelin Networks, I think, is neat. They're doing a lot of the stuff that we're going to talk about here a little bit. They do a lot more, but actually creating an environment with fake user IDs and fake system names, and how they do the naming of the fake user IDs and the fake system names, is really cool.

When you install Javelin, it'll actually learn what your naming convention is for all of your user IDs. It'll then also learn what your system names are as well. And then when it generates fake names, fake user IDs, fake system names, it's actually going to make sure that the fake ones look very similar to what the real ones look like in an organization.

So that's neat. So if a bad guy tries to pivot to any of those accounts, tries to do any password spraying to any of those accounts, then they're going to trip on those accounts. We're going to do something very similar today with that. So very cool.

Cymmetria, Gadi Evron's company, for creating these, they like to call it mazes, MazeRunner. If a bad guy is in an environment, that bad guy will fall into a maze and really go down a rabbit hole, and they won't get access to anything that's of any particular use in the organization.

But they think that they've gotten all kinds of sensitive data. Just amazing. Then you got Illusive. You got Attivo, TrapX. I don't know, sometimes I look at these company names, and I'm like, they named it Aviato.

You got to say it like, Aviato. And, like, the names are just very weird. The other one that isn't on this slide, but should be, is Lenny Zeltser, who is with a company called Minerva. And Minerva does cyber deception to malware, which is really, really, really cool.

If malware hits a computer system and it starts looking for certain indications on that computer system, in processes, mutexes, it'll actively lie to the malware in real time.

So check out Minerva, too. Now, these are awesome, and they're brand new products. They're out on the industry. And there's some people that we absolutely love and care for dearly at these organizations. But let's say you're a company where trying to get budget from management to start implementing these products may not be something that you can do relatively easily.

So how do you get the budget? How do you get the funding if you don’t have any? Well, you got to prove value in the area of cyber deception. So what I want to do is just kind of show you a couple of cool ways that you can do cyber deception in your own organization.

You can do it cheaply and quickly and actually get some impact and actually security detection in your organization with little to no effort to set it up and little to no maintenance moving forward.

So why we’re doing this is trying to prime the pump right, get ideas flowing. One of the things that we think is really, really cool about trying to get these ideas moving in organizations is once we talk about these in webcasts, once we talk about them and we incorporate them into classes or in books a lot of times, then you start seeing vendors start to follow suit, and they implement these ideas into their products.

And really, computer security as it stands now is very much a super stale industry. A tremendous amount of vendors are still selling endpoint security. They're still trying to sell firewalls and all these standard products they've been selling for years.

And they constantly try to redress it and say, no, no, no, this is next, next-generation AV. No, no, we're using artificial intelligence to detect threats in the organization. And it really boils down to a lot of the exact same things.

And that makes sense from a marketing perspective. Anytime you try to open up a brand new concept, a new idea, in a space like computer security, you're working against all of the audit compliance standards, from NIST 800-53 somewhat to the 20 Critical Controls.

And all these controls say, thou shall do X, Y, and Z. And that’s what management wants to pay for, is X, Y, and Z. So trying to get these products set up and trying to come up with the concepts that people start implementing primes the pump for commercial products.

So in a large kind of way, we’re trying to help out the commercial vendors that are out there in the cyber deception arena by trying to get these ideas out as much as we can. So we need a fundamental shift in computer security and coming up with new and inventive approaches.

And cyber deception is definitely a huge part of that. Whenever we wrote the book, the active defense and cyber deception book, the new one, which is now out on Amazon, by the way, people said the cover is absolutely gorgeous.

It looks awesome.

Sierra Ward

We’re pretty excited.

John Strand

Yeah. It has far fewer grammatical errors, and it's full color. It is a full color book, so it's cool, right? The big thing that we broke that book up into is the three A's.

We have annoyance, we have attribution, and we have attack. And most of the cyber deception technologies today are in the annoyance category, where they're going to take your network and make it look different to the attacker, so that the attacker doesn't know whether they're attacking something legitimate or whether or not they're attacking something

that's weird, and you're going to be alerted. It's basically setting up tripwires. These things need to be in security architectures today, but we don't necessarily have to spend a lot of money off the gate to make them effective.

So what we want to do is show you some things that will actually slow us down in penetration tests. So what we are doing is not working. It’s just not. The attackers can move very, very quickly, and the research and development lifecycle for a lot of security products is three to five years.

So if somebody has a really good idea today, a lot of times you won't necessarily see that idea hit the marketplace for at least three years. And that takes a lot of money and funding to try to get it up and running.

We can do this quick. Let's kind of jump in. So we want to set up cyber attribution and deception components, and we want it to be something that you can implement in your environment in less than half a day.

Now, there are many ways to do the exact same thing. I just did it quick, I did it dirty, and I set it up the easiest way I could think of for somebody that was relatively new to these concepts.

If I can show people how this is done, how we can do it quickly, how we can do it easily, then it greatly increases the likelihood that they’re actually going to implement these different components and techniques in their organization.

Basically, I don't want people to be afraid of what we're going to discuss. So the first one, Active Directory honey admin account. Whenever we break into an organization at Black Hills Information Security, one of the first things we do once we get access and we get a foothold on a workstation is we try to enumerate as much as we can about that organization.

We try to enumerate user IDs and we try to enumerate system names. Now, to be completely honest, this is also something that Javelin Networks does a really, really, really good job of, basically creating a whole bunch of cyber deception and faking out the attackers.

So what I want to do is create something that's far more pinpointed. We want to create an admin account, a domain administrator account, that is going to attract the bad guy's attention. And as soon as they see that account, they're immediately going to try to do a password spray. Or even if they don't go after the account directly, in a general password spray approach, you would be able to detect a machine that is just blindly trying to blast out credentials.

The reason why this is key is a lot of the user behavioral analytics platforms that are out there today, they'll look at rate limiting of different events. So, for example, if you have a workstation with an authenticated user, and it tries to authenticate to 20,000 user accounts in under half an hour, that will trip up most of the different user behavioral analytics platforms that are out there today.

Whereas a real targeted, determined malicious attacker coming at your organization, they may spread that password spray out over the course of maybe weeks or months.

They do it very slowly, let's say one account every five minutes or ten minutes, and they can allow that to run for an extended period of time. How would you actually be able to detect that? That's where user behavioral analytics tends to start failing. Now, there's a lot of attacks.

Mubix, or Rob Fuller, has given some presentations and done some research on basically breaking some of these user behavioral analytics products. And while they do have weaknesses, I honestly believe that user behavioral analytics is fantastic and more organizations need to implement it.

The big concern that I have is that most of these products are very effective at detecting a penetration tester who has a limited scope, one to two week engagement timeframe, versus a determined attacker that is patient and can run for months in an organization.

So how would we detect those more long-term-strategy adversaries? Let's go through the steps. The first thing you're going to do is basically create a domain administrator account and make it as obvious as you possibly can.

So I created an account, ADM Administrator, trying to make it as obvious as possible that this is an administrator account. Now, this is in the environment that Kent and Jordan had set up for Black Hills Information Security.

We have a full active directory environment. We have a whole bunch of workstations. We’re generating events all the time. So they were nice enough to set up this environment and allow me to come in and break it and create a whole bunch of accounts.

So we’re going to create an administrator level account. Now, do you have to create a domain administrator level account? Not necessarily, but we want to kind of set off like flares that this is an account that you absolutely want to do some investigation into.

that’s basically saying, right here, right here, right here, come and look at this account. You could also create other standard user accounts as well, basically pepper them throughout your environment.

And eventually the goal of this is going to be that if anyone tries to access these accounts, then it's going to generate an alert, and then your SIEM can actually pick up that alert and then notify you immediately.

So this would be something that would be an immediate alert in your organization and people must drop everything and start reacting to this alert in your organization. So step one, we’re going to create a domain administrator account and I would also recommend possibly creating some standard user accounts.

I want to pause to breathe for a couple of seconds and have some tasty instant coffee. Sierra, do we have any questions?

Sierra Ward

I think that the questions we got, you answered. Mattia had one, but I talked to him, so Mattia, can you, I think that's how you say your name, can you ask it again maybe?

And Jeffrey had a question, but you answered it in what you were talking about. Okay, okay, Matt, can you ask that question again?

John Strand

We’re trying to talk to people.

Sierra Ward

Well, if he asks, I’ll yeah, just interrupt me.

John Strand

That’s fine, go ahead. And that’s another thing. If you have any questions throughout these webcasts, anytime, don’t hesitate to type them in. And Sierra will interrupt me and ask on your behalf.

Sierra Ward

Is that a low interaction or high interaction?

John Strand

Oh, very good question. So, by and large, many honeypot technologies are broken into low interaction and high interaction honeypots. A low interaction honeypot is like a Ron Popeil honeypot.

You set it and you forget it. You don't worry about it. So this would be something that you would establish that would be a set and forget type honeypot. In fact, both of the ones we're going to talk about today are set it and forget it type honeypots, Ron Popeil style.

Now, a high interaction honeypot, that would be like a full Windows computer system running in Cuckoo Sandbox, doing full analysis of the malware. You have to be a security analyst sitting there and working at this system, watching exactly what it's doing.

That's a high interaction honeypot. And by and large, I see more value in the low interaction honeypots, where you can set up these little pitfalls and these little traps around your environment. And as soon as a bad guy steps on them, you're going to be alerted, and then you can react relatively quickly.

So this is definitely low interaction. A very, very good question. All right, now, here’s the most important part. This is absolutely essential.

Shut off the logon hours. You can actually go into this administrator level account, or your standard user accounts, and you can set logon denied for all hours. We basically want it

so this system, this account, can never be logged into. It's present. The attacker can see it, they can try to authenticate to it, but once they do, they're not going to be able to get in at all.

Now, with that in mind, the same thing would apply for your standard user accounts. And this is one of those things that would definitely get your organization burnt. If you set up a honey admin account and a bad guy breaks into it, that’s a career ending type move.

So what I'm saying is, please don't do career ending moves in your organization, because we don't want people to get fired based on what we did here. We don't want people like, yeah, I went to the webcast, Sierra and John, and I did what they told me, and now I'm out of a job.

We're saying, make it so you can't log into this account. So, all right, I use Snare for this. There's a lot of different things you can do: event forwarding on Windows, you can do all kinds of different event logging utilities.

NXLog. Yeah.

Sierra Ward

So, someone asked, if you turn the logon off, can the attacker tell?

John Strand

Can the attacker tell? They'd still have to interact with the account, and it would still generate an alert. But generally, no. If you limit the logon hours, it's not something they can pull down directly and do it without actually tripping it.

So, good question. So I set this up to go as quickly as I could, and Snare is super simple to set up event forwarding. And more importantly, the thing I like about Snare and its event forwarding capability is it can be configured to not send all of the events.

It'll only send a certain subset of events, like event logins. Like if somebody logs into their computer, it's going to forward that. If somebody's trying to change the security policy, it could be configured to just do that. You can do that with event forwarding and a bunch of other things,

NXLog being another example. So there's a lot of ways to achieve the same goal. I was just thinking, if somebody was sitting down trying to set this up, they didn't want to be afraid of the tech, how could they do it?

And with Snare, you just simply set up what is the destination server address. This would be the syslog server, and I set up Kiwi Syslog. There's lots of different syslogging utilities. You can have it dumped to your ArcSight server, you can have it dumped to Splunk, you can have it dumped to anything, but with Kiwi Syslog, you have that thing up and running in under five minutes.

So I set it up to be as quick and easy to configure as possible. So I set it up, have the agent on the Windows computer system and that’s basically going to forward it. Now this is set up on my domain controller.

If you're using a SIEM like ArcSight or LogRhythm or Splunk, you can also just put in a rule set that once the domain controller actually fires that specific event of somebody logging in as a domain administrator, it'll alert you as a critical alert at that point as well.

Then I set up Kiwi, just basically, real, real simple. Kiwi is running. Basically, I want it to log to file and I'd like to have it log to screen. Next, I fired up Beau's tool, Invoke-DomainPasswordSpray.

So with DomainPasswordSpray, it's a script that we use in almost every single penetration test that we're doing now. What this tool does, it automatically pulls down a list of all of the users in your domain.

Then you can feed it a password and it will attempt to authenticate as that account with that specific password. So it isn’t just one account, it would be all of the accounts.

So if we walk through how this particular script fires. So Beau's tool prints out: current domain is compatible with fine-grained password policy. Now creating a list of users to spray.

It does that by pulling down a list of the users from the domain. You could do that through PowerShell. You can do that from the command prompt with net user /domain.

It'll dump them down. Then it says that there's lockout policies. Don't trust that, really. You don't ever want to try any more than a single password for each attempt. Then it's removing disabled users from the list to make it run a little bit faster.

And then it's going to remove users within one attempt of locking out from the list. Then it creates a user list, so it dumps all of those 293 users in this example, puts it into a list.

Then whenever you fire up and say we're going to run the password spray, at the top it says the password we're going to try is one password, we're going to try Spring2017, because we love months and years, right?

It's on all of our shirts, and I think our Oktoberfest, our Hacktoberfest, is Autumn2017, which is pretty cool. So it's going to try that one password against all of these accounts.

Generally, that's going to fly under the radar and it's not going to lock out any accounts. Many organizations, it's three failed login attempts, and then it locks the account out.

We're going to do one password at a time. And once again, this is low and slow. You can also send in some timing in the PowerShell script so it runs over a longer period of time, but this one runs fast because a lot of our engagements are very much limited in the timeframe that we can dedicate to the attack.

So it runs through the password spray. It says, are you sure you want to perform the password spray against these accounts? And you have to type Y. You have to tell it, yes, I'm absolutely sure. It says password spraying begun at 11:11, and then it goes through and it scans, and you can see it was able to access one account, the Jenkins admin account, with the password of Spring2017.

Now, notice it didn't break into our admin account, our ADM admin account. That's because with this particular technique they don't need to, they don't have to, successfully authenticate to this user account.

All they need to do is touch the user account, and then it's going to generate the event log, forward it to Kiwi, and then Kiwi alerts us. And here it is. So you can see that the ADM admin account was accessed at 11:11:53.

So, like 53 seconds into the password spray, an alert was generated. It was a failure audit, which means this was an invalid user ID and password, but it still generated an alert that this particular user account was accessed.

It will also give us the IP address that it accessed it from. And in this situation, the workstation was WinLab DC. So it was the local system where we can see that authentication, and you can also see down below it says reason: account logon time restriction violation.

Not only was the password incorrect, but you can see that it tried to violate the access restriction for the timeframe. And this is going to alert on that. Now, one of the problems that you would run into in an organization, though, is the total amount of noise of event logs that you're getting.

Unfortunately, in many environments that have SIEM technology, they are generating thousands and thousands of alerts per second in some situations. And Justin at the SANS Institute and instructors came up with a new class.

I think its number is 555, which is a fantastic new class about how to do event logging correctly. So that's pretty neat. And Justin and Phil are getting ready on a super secret specialized ELK stack.

I'm not going to talk too much about it. They're getting the copyright, getting it all locked down. They do have a really cool logo. It's got like an elk and it has all kinds of digital things and it's wearing neat goggles. So be on the lookout for that. Question?

Sierra Ward

Jeffrey said, does this require any special auditing to be set in Windows beyond the standard?

John Strand

Nope. The question is absolutely valid. It's an awesome question. Nope. The standard event logging in most Windows environments, this will work just fine, because success and failure audits are in fact being recorded and they're being logged in most environments.

All you need to do is set up an alert for this specific account being accessed. Very good question. Any other questions?

Sierra Ward

Nope, we’re good right now.

John Strand

So the next one I want to talk about is creating a honey share and a honey doc. So we’re going to couple two things together. The first thing that we’re going to establish is we’re going to create a super secret kind of share that would attract the attention of the bad guys.

Now, for those of you that are new to this, a share is a folder on a network that you can share documents out of. And if an attacker is running something like ShareFinder with PowerShell Empire, they can enumerate all the shares in your environment.

And usually, as a pen testing company or a malicious attacker, they're going to go through the share names and they're going to look for interesting share names. So if you have a share that's just like HR docs, it might be interesting, but if you have a share that's like super secret blueprints for world domination, that's going to be one of the documents that they're going to go for right off the gate.

So we want to create a share that's going to attract attention, and once the bad guy actually gets there, we're going to have a document that they can pull down that'll actually beacon back, so we can actually track the IP address of the attacker.

Not full geolocation, not yet. But I'm going to share with you a new project by Benjamin Donnelly, who's been doing some interesting active defense research, and he released HoneyBadger Red, which will do full geolocation in documents, which I think is pretty cool.

So first, setting it up. So this is HoneyBadger version two. We're using the standard ADHD setup, so we have the full step by step instructions to run ADHD.

And this installs on any 16.04 system. So this is going to be a system that you want to install out online. So we like DigitalOcean, even though, I don't know if people saw it in the news, DigitalOcean had a security vulnerability, a pretty bad one, actually,

that hit, I think, within the last 48 hours. So be on the lookout for that. DigitalOcean is going to be patching and updating some servers. I haven't had time to look at the full write-up of it yet because I was working on slides for this and the other webcasts that we have coming up this afternoon, and Enterprise Security Weekly, which starts right after this recording as well.

But you can install ADHD. You can install it in Linode, you can install it in DigitalOcean, you can install it in Amazon, you can install it anywhere. So it installs very, very quickly with the commands that are here, and you can pull it down.

Yes.

Sierra Ward

Question. Vassil said, what are the user permissions required to run net user /domain successfully?

John Strand

Oh, good question. What are the permissions required to run net user /domain correctly? Any user that is an authenticated user to the domain can run net user /domain.

And that's why it's one of the favorite attacks for bad guys, because it doesn't matter where they start. Once they get on that system, they can actually start enumerating shares, systems.

Like if you just run net view by itself, it'll actually pull down systems on the local network and possibly share information. So a lot of these are post-exploitation enumeration commands that bad guys would run anytime they get access to a workstation, to kind of get a lay of the land: where are the systems, where are the users, where do they need to pivot to next?

Sierra Ward

He says, I get "System error 5" from net.

John Strand

System error 5. I think that that means, if you could tell me what it is right below it, I think that says resource not found. It could be that it's restricted in your environment, or it could be restricted from your command prompt.

If you want, you can try querying it via PowerShell. Sometimes the PowerShell restrictions are not in place. I can't remember the PowerShell command off the top of my head to enumerate domain users.

However, I am absolutely certain that here in just a few moments, our wonderful audience is going to find that command and give it to you in a PowerShell one-liner. Also, that command is built into DomainPasswordSpray.

Beau's tool does that as well.

Sierra Ward

Can group policy restrict this?

John Strand

Yes, it can. You can actually restrict almost anything with group policy. The hard part is actually, error 5 is access denied. So that means that his account didn't have permissions to actually query it. So yes, you can actually restrict it through group policy.

Sierra Ward

Are there any special considerations if I'm just running this in a lab environment? Can I drop it into a VM locally and still get similar functionality?

John Strand

Yeah, absolutely. If you just run it in a VM locally, in order for it to work properly, you do want to have it in a full domain. And also, with the net user /domain account, error 5, I'm 99% sure, is access denied. But if you run it that way, maybe that's a good thing, because you're going to blind the bad guy on the environment.

I think that's great. But sometimes maybe you can give them a smaller subset of results. Maybe you want them to enumerate the user accounts in order to start detecting them whenever they try moving laterally.

So that’s all a balanced question.

Sierra Ward

Can these attacks get around NIST or CIS benchmarks that are deployed in AD?

John Strand

So the question was, the NIST benchmarks for gold image standards and the CIS standards, they have all kinds of different guidelines for secure operating system deployment.

Yeah, most of these are going to work. This is at the group policy, at the Active Directory level. In fact, a lot of hacking classes are actually using the NIST, I can't remember what they're called, but they have these images of what a secure Windows 7 and a secure Windows 8 and a secure Windows 10 system looks like.

A lot of hacking classes these days are actually using those freely downloadable versions in demonstrations in their classes as well. So yeah, don't think for one second that if you're using a hardened image from CIS or NIST that your system is completely locked down to all attacks.

It makes it more difficult in other ways, like rootkit deployment, things like that. But a lot of these, it doesn’t necessarily lock it down effectively.

Sierra Ward

Can you just give a quick description of ADHD for people that don't know? Someone's asking.

John Strand

Very cool. Let's just jump to a demo. I think that's easier. Let's just do it that way.

Sierra Ward

Ooh, a demo.

John Strand

ADHD, people are like, oh God, not this crap again. There's always a reason for him to talk about ADHD.

Sierra Ward

Well, I like that there's someone that wants to, that doesn't know about it.

John Strand

I think it's cool. Absolutely awesome. And I just stopped sharing. I got done with SANS 504 and my screen has the source code for the privilege escalation vulnerability by Cas from years ago, Linux 2.6.

And it has some naughty words in it.

Sierra Ward

Oh yeah, Alice is praying to the demo gods for you.

John Strand

Oh, this isn't going to be a problem at all. Good, now I'm doomed. Right, now I'm doomed. It's not that kind of demo.

Sierra Ward

He doesn't want to derail you, but he appreciates it.

John Strand

No, not a problem. It’s just going to take a second.

Sierra Ward

I think it's funny when I butcher your questions and John rephrases them for me. Thank you.

John Strand

Not a problem.

Sierra Ward

I apologize for butchering your names and questions, but I'm learning the things too.

John Strand

Learning all the things.

Sierra Ward

I am getting there slowly.

John Strand

So ADHD is a collection of a bunch of active defense and cyber deception utilities. And I know the font's going to be very small here, but I'm going to make it bigger for everybody. There you go. So ADHD has a large number of different tools installed on it.

Artillery, Bear Trap, BeEF, Cryptolocked, DenyHosts, all of these. The one that we're going to be dealing with is the Web Bug Server. And all of the tools have step by step instructions on how to install them.

And by the way, Sierra, can you get the project link from BHIS for ADHD and share it with people so they know where to download it? But we're going to be going through the Web Bug Server on how to create a Word document that beacons back home every single time that it is opened.

So that’s what ADHD is and it’s pretty much maintained now by Benjamin Donnelly and he’s been doing a lot of work on it in between skydiving and other like crazy pursuits.

I think Ben’s main hobbies are working on ADHD, skydiving, riding motorcycles very fast and trolling people on the Internet. So he helps us out with it and that’s kind of the way he likes to spend his time.

So this is in ADHD with full step by step instructions on how to set it up. And it’s all free, it doesn’t cost anything. So that wasn’t a full derail. It’s just basically saying, hey, something really.

Sierra Ward

Cool, go check it out and I’ll put the link in the chat.

John Strand

Awesome, thank you. So for creating the document, we’re following the instructions that are built into ADHD on how to create this document that’s going to call back. Now the cool thing about the callback document is it does not require macros to be enabled.

Now whenever it opens it is going to say, do you want to enable this document for editing? And questions like that. But to be honest, that’s something. Talking about tangents. It used to be in Microsoft Word,

if you opened up a document, it would say there’s macros. Macros are dangerous, don’t run it. Microsoft, I guess, got a lot of complaints about that. So now whenever you open up a document, it basically asks you, do you want to open this document for editing?

Editing might be dangerous. It’s kind of watered down the error, excuse me. And they’ve also kicked up the amount of times the error kicks out. Like almost every single document that you open now that has any type of active content, be it macros, be it cascading style sheets, anything, is asking you the exact same question.

So people are getting used to just clicking OK, OK, OK. So what we do is we create a document, and if you look at this webbug.doc we have HTML head, we got a link reference to a style sheet, we have an image source tag, we have all of these things in play, and if you look at it, it’s HTML.

That’s because Microsoft Word is a web browser. It’ll actually render HTML and it’ll try to reach out to pull the cascading style sheet, and it’ll also reach out to try and grab the image from the image source tag.

And when it does that we want to be able to catch that opening of the document. So we’re going to move it to a Linux server. Now we’re going to be using Impacket to actually generate the share for Windows through the SMB share, but we want to have something there for the bad guy to access to basically pull it down.

So we pull the webbug.doc to the Impacket share, and as you can see I’ve named it super, or Secret super. So once again trying to create a name that a bad guy is going to get all excited about.

Then we start Impacket. Now we’re in that server and we do the smbserver.py command. Secret, super Secret is the name of the actual share and then it’s going to mount over to secret super.

Now it pulls down the config file, callback added for UUID, and all the different parsers, sets up absolutely everything. But the really cool thing is whenever you look at the share you can mount it just like you would any share on Windows. You can mount the share and there you got a web bug document.

Now you wouldn’t want to call it web bug in your environment. You would want to call it something like super secret design deliverable social security numbers dot doc or passwords dot doc.

Something that’s going to entice a bad guy to actually pull that document down. Now from the network any Windows computer system can see that share, and you can see the share is 192.168.192.134 in my environment. Now it’s going to be different in yours, and sure enough, if you actually go to that share it says secret. So now we know that there’s a share that is available.

So you can actually set up your Windows systems to automatically mount the share, or mount it and have it in their share history somehow. You want to make this so a bad guy can actually see it from a number of locations.

Sierra Ward

And to be fair.

John Strand

This is very similar to what Cymmetria does. Cymmetria does this in a much more complicated and beautiful way. They stand up multiple systems. They set up multiple shares. They establish breadcrumbs to actually draw the attackers in.

So it’s really cool from a commercial perspective, but if we’re standing it up on the cheap, we’re just going to create a share that’s called secret, and it’s on our super secret share. And let’s see what happens when the bad guy accesses it.

So whenever the bad guy opens the file, the first thing that file is going to do is it’s going to beacon back. Now, in your environment, you’re going to want to set this up on like a DigitalOcean instance or Amazon or Linode, someplace that the bad guy is going to have the callback go to online, not on the inside of your network.

These servers need to be on the outside of your network. So at this point, a lot of people start asking me questions about Tor and different obfuscation networks. If the bad guy completely sets up Tor, absolutely 100% correct.

Odds are that connection isn’t going to come back proper. But it’s very rare when we’re working these cyber deception cases that the bad guy actually sets up Tor properly. Usually what they do is they configure Tor.

They send their browser through Tor, and then that’s pretty much it. If they open up Word or they open up AbiWord, if they open up LibreOffice or any other document viewing program, it’ll actually trigger, many times directly to the attacker, or not to the attacker’s computer system, directly from the attacker’s computer system to our server that is exposed online.

So we basically get that IP address. Now, if you have a warrant and you’re working with the FBI, they can then get, the access from the Internet service provider of exactly where that IP address is.

You have to go to the Internet service provider with the IP address, the originating IP address, and the date timestamp. And in some situations, you need to have the source port, too. It, depends on what ISP you’re working with.

But if you have the IP address, you have the date timestamp. Go to the ISP. Where is this IP address? They can usually tell you exactly where that IP address is and if it’s on a phone. Many times, providers like Verizon or Vodafone and those providers, they can actually tell you the exact latitude and longitude where that document was opened from, and they can even go so far as to tell you where that device is right now.

Now once again, you need to have a warrant to be able to do those things. But that’s really cool cyber attribution as well. Oh yes.

Sierra Ward

Question, we have a question. It’s kind of a question from before, but Tim asks, when you run a Windows net command such as net view and you receive the permission denied error, will that be recorded in the Windows event log?

John Strand

It should be. The question was, whenever you receive the access denied event, I think it’s error 5. Whenever you try to do something and it says access denied, it should generate an error.

If it does not, you’re going to want to go back and tweak your event log settings on your domain controller to basically say where it’s being access denied. So like on your system, I don’t know if it’s access denied from the workstation or if it’s access denied at the domain controller group policy level. I’m assuming it’s group policy, but if it is, then you would need to configure it.

So that’d be something you test. Fire it up, run it a whole bunch of times and see if your domain event log is showing your system, showing multiple failed audits. So write down the name of your computer system, run the command a whole bunch of times, and then you can go into Active Directory’s MMC snap-in for Event Viewer and do a filter search for your machine name and pull all the events for that machine and see if it actually showed up there.

Cool, good question. All right, so Impacket is really, really neat from the perspective that it gives us a lot of information about the system that pulled down our sensitive file.

So it’s serving up the server and we have the user that pulls down the file. But let’s say that the user is on your environment and they’re pivoting from another workstation. So like they exploit Sierra’s computer, they then pivot and access my computer system.

Well we want to find out where that original computer is compromised from. We just don’t want to like identify the bad guys IP address way out on the Internet in the cloud. We want to know what’s the internal workstation that they’ve compromised as well.

This will actually record that. So you can see Impacket, we’ve got log levels that we can enable for it to work properly. And then you can see we have an incoming connection from an IP address. In this example it’s 192.168.192.1,

which is my Windows host, and the source port 50 2000. Actually, that source port is kind of strange. That’s not right. I don’t know what that number actually is. I assumed it was the port,

but that doesn’t look right to me. Could be, we’ll see. And then it says authenticate message desktop, John, desktop. And it gives us the desktop name. It says user John. So now we have the user ID that is most likely compromised.

And it says authenticated successfully. And then it gives us the challenge and response. The 4141-4141 is part of the NTLMv1/v2 authentication challenge. That’s a series of capital A’s.

And then it says colon. And then it’s got this long stream of gibberish. I believe that that’s the NTLMv2 password, that’s the authentication with the password hash. So now we have the password for the system, we have the user account for the system, we have the system name, we have the IP address of the system as well.

So now we have enough to actually go and do investigations on that workstation to get additional information about the potential computer that is compromised. And on top of that, we’ve got the attackers potential IP address online.

Now we can work with law enforcement, say we have an attacker, they’ve compromised this workstation. They were using these credentials to access the share and there’s their IP address online. We also have access to the workstation.

Maybe we can do some forensics analysis on that workstation to get some more information about the attacker. So all told, yes.

Sierra Ward

Wouldn’t any semi smart hacker copy and then open the files offline?

John Strand

Absolutely. If they actually did open the files offline, that would actually stop it. Anytime they tried to open up that Word document, it would shut it down. The problem is, attackers really aren’t that smart.

A lot of times we attribute more to attackers than we should. So they basically have the thought of an attacker would open up every single file in a special sandbox that’s completely isolated.

I’m okay with that. Let me explain why it’s absolutely possible that an attacker could do that. It’s absolutely possible an attacker could run all of their attacks through Tor and all of their command and control through Tor.

But what this does is it creates a sort of conundrum. The bad guy, if they run everything through Tor, Tor is ridiculously slow. It’s going to greatly slow down their ability to be successful as an attacker.

If they have to open up every single document on an offline sandbox computer system, that paranoia is really high. But it’s going to greatly reduce their effectiveness as an attacker as far as the number of files that they can look at as well.

So there’s all these trade-offs. Right. So if the point is that if the bad guy does everything, a lot of these things won’t be detected. Yes. But we very rarely see the absolute perfect game.

It’s kind of like, I hate to use a baseball analogy, I don’t know why that popped in, but if you’re playing baseball, it’s kind of the equivalent of saying, well, if we’re going up against an absolutely perfect pitcher who throws 108 miles an hour, like curve balls, and it’s completely unpredictable, we’ll never hit a single ball he throws.

That’s absolutely correct. But that’s not how the real world works. The real world is a lot of attackers have time pressures just like we do. The real world is the attacker wants to go through multiple things just like we do.

And the fact is, a lot of attackers aren’t worried about security on their own computer systems. They’re so completely enamored with being the hunters that they never once assumed that they’re actually the hunted.

Sierra Ward

Real life is in the lab.

John Strand

Yeah, real life is not a lab at all. And also, I want to be honest, whenever we’re doing pen tests, some of our customers will stand up these things and sure enough, they catch us quite a bit.

And that’s okay. That’s okay. Which brings me to another thing. I didn’t get a chance to talk to you too much about this, Sierra, but I didn’t feel good just giving a presentation.

That was the exact same thing that we did in DC. So Beau saw that we were giving this presentation, and Derek and Brian are working on some amazing things for DerbyCon, and they opted to share kind of a preview of some of the stuff that they’re working on.

Sierra Ward

They have a webcast scheduled next week.

John Strand

They do, but it’s after DerbyCon.

Sierra Ward

Okay, so they’re going to preview this.

John Strand

Yeah. So this is a preview of the DerbyCon talk, which is a preview of their webcast next week.

Sierra Ward

Nice.

John Strand

So it’s a preview of a.

Sierra Ward

Well, their webcast next week should be really fun.

John Strand

Yeah, it’s going to be awesome. So here’s a little preview. One of the things that they worked on is shutting down or really messing with attackers that are using Responder or using link-local multicast name resolution attacks in environments.

So Impacket will serve up fake systems. But the cool thing about ResponderGuard, which they’ve written and they’re going to release at DerbyCon, is you can run ResponderGuard and it’ll basically shoot out LLMNR requests to the network.

And then any system that responds back with an answer, it authenticates. But when it authenticates, it authenticates with a user ID and a domain. So in this situation it’s the honey domain, honey user with a password of 2017.

So by seeding in, we’re actually kind of tricking the attacker into thinking that there’s a vulnerable computer system on the network. And as soon as they try to steal the credentials from that vulnerable system on the network, we give them fake credentials or honey token credentials, so then we can track them even further.

So this is one of their tools that they’re going to be releasing. And it’s just one, there’s a whole suite of different tools that they’re going to be releasing here shortly at DerbyCon.

So this is just a little preview of what they’re releasing. And then in the background it’ll actually intercept their authentication and give them fake information. So this is the defender running fake LLMNR requests, and it’s running ResponderGuard.

And here’s what it looks like. Whenever they try to use something like Responder on the network, you can see that Responder has captured credentials. It says, oh well, we captured some credentials for this IP address, 192.168.0.12, honey domain with the honey user.

And here’s a fake user ID and password, or a honey account. Then the attacker would try to use that account and then we have them yet again. So very, very cool tools that we’re going to be releasing at DerbyCon.

And then also in our webcast next week if you can’t make it to DerbyCon. So a lot of good things. And also I believe that they’re going on Friday, they’ll be releasing these tools, and this is just one of their tools.

They’re trying to come up with all kinds of free alternatives for detecting a lot of post-exploitation attacks. And that’s kind of a big thing at BHIS. I’ll talk about this at DerbyCon as well when I’m presenting there, but I’m seeing something awesome happen in the industry and this is, this is really, really, really cool.

The first thing is a lot of security researchers that have spent a tremendous amount of time coming up with exploitation techniques are now starting to come up with techniques to defend the network. So at BHIS, we have RITA, Real Intelligence Threat Analytics, which I’ll be talking about in the talk.

Also, we have a functional front end that we haven’t released yet for the commercial version. If you guys want to check it out at swing biome, I’ll be showing that to people. But we released RITA for free.

It’s the heart and soul of AI-Hunt, RITA is, and that’ll always be free. And we’re releasing that. Not really kind of re-releasing a new version of it. And then you have Dave Kennedy, who’s coming up with Artillery and a bunch of other cool things.

He’s working on vision. And Derek and Brian and Beau are coming up with defensive products. And there’s two things about this that are intriguing. One, most of these people are really offensive people.

Dave Kennedy is very much offensive in nature. One of the best pen testers to ever walk the planet, and he’s working on defensive products. Then we have Beau, Brian, and Derek, who are amazing pen testers at BHIS with amazing success, and they’re releasing defensive products as well.

And we see this again and again and again with a lot of security researchers. I would also throw subTee in this category, given a number of talks about attacks, but somebody’s, like, doing the bingo.

Yep. He covered subTee in another webcast.

Sierra Ward

No, he said, John is so nerdy. I love it. He always gets me pumped up for the security thing. Thanks, Josh.

John Strand

So a couple of things about this that are disturbing, though. The first thing that’s disturbing is why is it the attackers that are releasing these tools? I know that there’s defenders out there, like SwiftOnSecurity has some Sysmon scripts.

There’s a lot of blue teamers that are releasing these tools. But the reason, and I’m not saying that blue teamers are dropping the ball, but the reason why red teamers are starting to release defensive tools is because they’re not seeing tools in this market space that are effectively detecting the attackers.

So a lot of people are basically standing up and consistently breaking into environments, and they’re releasing tools to defend against their attacks. And that is an amazing sign, I believe, in the industry as far as maturity, and it’s something to look forward to at DerbyCon as well.

So, in closing, yeah, you guys can do this quickly and easily. In fact, the amount of time it took me to do this entire webcast, you could have stood this up in your environment as well. So cyber deception is definitely an up and coming area of research.

Gartner’s actually creating a Magic Quadrant for cyber deception, and it doesn’t necessarily need to be defensive. And more importantly, if you were to set these things up before a penetration test, it would be very quick and easy for you to demonstrate to management the effectiveness of this.

And then you can start getting funding for Minerva or Cymmetria or Javelin or TrapX or any of these other products that are on the market space today. So support your local vendor, take a look at their products, let them do a demo, but start doing these things internally and start looking at some different options, because the traditional security products that we are all working with all the time aren’t working.

That’s why the attackers are trying to come up with new tools and new techniques. So that’s it. I want to open it up for any final questions before we close out, and I jump into Enterprise Security Weekly, and then I jump into the endpoint security webcast as well.

Sierra Ward

Yeah. If you have more questions, there were, yes. Why instant coffee?

John Strand

Why instant coffee?

Sierra Ward

Question of the day.

John Strand

So, the instant coffee thing. So, there’s a coffee shop right around the corner, Blackbird Espresso.

We go over there, and it’s around the corner. Sometimes I don’t have time to just go over and get some espresso. Also, our coffee maker, to be completely honest with you, scares the hell out of me.

We need an espresso machine, right?

Sierra Ward

Espresso.

John Strand

Espresso.

Sierra Ward

Oh, it’s funny. I’ll have to.

John Strand

Is it a pet peeve?

Sierra Ward

No, it’s a funny video. I’ll share it later. Okay.

John Strand

Yeah, like, I don’t get the joke. People are laughing at me. It’s just like high school.

Sierra Ward

No, it’s me. It’s just me. So you don’t have time?

John Strand

Don’t have time.

Sierra Ward

It’s too complicated.

John Strand

My grandfather, who was like the marble man, he drank instant coffee constantly, and I thought I’d give it a shot. Apparently, it runs in the genetics.

No, it’s not bad. It’s not horrible. It’s not the greatest thing in the world. And the other thing is, I needed a cheap high to get me through today. And this definitely qualifies to do that.

And also we had all this instant coffee. This is kind of weird. We have all this instant coffee left over from the last time that I made Seagram’s Seven. With Seagram’s Seven and cream and a couple of other things,

you can make Kahlua and you can also make Baileys Irish Cream from scratch.

Sierra Ward

Sounds delicious.

John Strand

It’s absolutely yummy, but it’s so dangerous. I mean, anytime you mix cream and sugar and sweetness and coffee with alcohol, yep, you’re just in trouble.

Sierra Ward

Somebody said interns are great for getting coffee. I said our interns are too busy doing dev to get coffee.

John Strand

The interns know better. They’re like, I don’t actually have to listen to John, do I? No. All right, we’re good.

Sierra Ward

Callum says, are there any tips for detecting Responder?

John Strand

Are there any tips for detecting Responder? Well, the tool that we’re going to release is this one, Invoke-ResponderGuard. This would detect it. But what’s even better than that? Disable LLMNR on your entire environment if it’s not necessary.

Most of the time it’s not necessary. But it’s in your services, it’ll be there. You can just disable it as a service. Just Google disabling Link-Local Multicast Name Resolution, then say that like 19 times really, really, really fast and you can shut it down.

So I’ve gotten much better at it lately. All right, any other final questions?

Sierra Ward

So to flip the table one more time, how would an attacker detect your active deception with this one?

John Strand

One of the things that I would say if I was going to try to detect this account: you can configure the user ID and the password. I would just be looking for low-hanging fruit.

If this thing falls in your lap, you’re like, that was too easy. I would be very cautious about how you actually use the accounts. As a red teamer, this gets into a much larger question.

Casey is talking about the difference between pen testing and full adversary emulation, which is fundamentally different in how the attackers will approach. And a lot of pen testing firms, due to time constraints and budgetary constraints, are running their attacks more like organized crime, which is still an advanced attacker, but their tactics are generally break in, smash, grab, move on, whereas a nation state adversary will do things like inject rootkits.

They’ll do things like dwell on the system for an extended period of time and they’ll move a lot slower. So it really depends on what type of attacker you’re actually dealing with as well. So yeah, usually you just run slow.

Don’t get crazy about running these types of things. Be methodical in your approach. Don’t jump to the quick, easy things like running responder or doing password spraying. Spend a little bit of time just kind of looking around what’s available to the system.

Enumerate about as much as you can from the local system before you start getting off of the system. And that also takes a lot more time and more money on the pen test side, but you can do it on your own environment as well.

Sierra Ward

Do we have a full deployment guide? Yes, on our website?

John Strand

Yeah, we do. And this other one, it’s going to be released once Beau and Derek and Brian release the tool. They’ll have full step by step instructions, I’m sure.

Sierra Ward

Yes. Check out our website for the ADHD thing. And I put the link in the chat. But also the next webinar topic is going to be Beau, Derek, Brian.

Brian Fehrman. They’re going to talk about the tools that they release at DerbyCon. So if you can’t go to DerbyCon, you can check out our webinar. I don’t have that completely set up, so I will set that up this week and send out the link to the slides for this one, the link to the YouTube video once we get it all snazzified up and posted.

And then I’ll also put the link to the registration in there. So, and once again, John bhas knocks it out of the park. Thanks, Darius. Thank you guys for joining.

Hopefully you found this useful. I always think it’s great to hear John talk about security. And we will see you guys next week. Thank you.

John Strand

See a lot of you at the con. Drive careful. Fly careful.

Sierra Ward

Bye.