Episode 59: Offensive TTPs and Tooling Trends

In this episode, Darrius and Spencer discuss Offensive Security TTPs and tools that look promising, that we’re excited for, or are trending.

Introduction

Section Overview: The hosts introduce themselves and discuss the topic of offensive TTPs (Tactics, Techniques, and Procedures) and tools in the cybersecurity field.

  • Hosts greet the audience and introduce themselves as part of the Offensive Security Group at SecurIT360.
  • They mention that they will be discussing offensive TTPs and tools in this episode.
  • Both hosts are wearing red shirts, coincidentally matching the theme of the episode.

01:25 Offensive TTPs and Tools

Section Overview: The hosts discuss their criteria for selecting offensive TTPs and tools to talk about in this episode.

  • They mention that they will be discussing exciting, trending, or new offensive TTPs and tools.
  • They highlight the importance of feasibility and practicality when considering these techniques.
  • The hosts emphasize that they focus on topics that interest them personally.

03:32 Trending Languages for Offensive Tooling

Section Overview: The hosts discuss how many offensive security tools are now being written in languages other than C/C++/C#.

  • They mention that there is a shift towards using languages like Go (Golang), Rust, and Nim for writing offensive security tools.
  • These languages offer better cross-platform capabilities and can be harder to disassemble or detect compared to traditional languages like C/C++/C#.
  • The hosts explain how packers written in these alternative languages can be used to wrap older tooling, making it harder to detect or analyze.

05:34 Benefits of Alternative Languages

Section Overview: The hosts discuss additional benefits of using alternative languages for offensive tooling.

  • One benefit mentioned is that people often start with learning Python as their first language, so using alternative languages can provide an advantage in evading detection.
  • The hosts highlight the importance of staying up-to-date with the latest trends and techniques in offensive tooling.

06:45 Offensive Tooling Frameworks

Section Overview: The hosts discuss the use of offensive tooling frameworks for automating and streamlining offensive operations.

  • They mention popular frameworks like Metasploit, Cobalt Strike, and Empire.
  • These frameworks provide a wide range of tools and functionalities for conducting offensive operations.
  • The hosts emphasize the importance of understanding how these frameworks work to effectively utilize them.

08:30 Offensive TTPs for Web Application Testing

Section Overview: The hosts discuss offensive TTPs specifically related to web application testing.

  • They mention techniques such as SQL injection, cross-site scripting (XSS), and remote file inclusion (RFI).
  • The hosts highlight the importance of understanding different attack vectors and vulnerabilities in web applications.

10:15 Offensive TTPs for Network Penetration Testing

Section Overview: The hosts discuss offensive TTPs related to network penetration testing.

  • They mention techniques such as port scanning, vulnerability scanning, and privilege escalation.
  • The hosts emphasize the need for thorough reconnaissance and enumeration during network penetration testing.

12:05 Offensive TTPs for Social Engineering

Section Overview: The hosts discuss offensive TTPs related to social engineering.

  • They mention techniques such as phishing, pretexting, and tailgating.
  • Social engineering plays a crucial role in many successful attacks, highlighting the importance of awareness and education on this topic.

13:40 Offensive TTPs for Wireless Security Testing

Section Overview: The hosts discuss offensive TTPs related to wireless security testing.

  • They mention techniques such as Wi-Fi cracking, rogue access point creation, and deauthentication attacks.
  • The hosts highlight the importance of understanding the vulnerabilities and weaknesses in wireless networks.

15:20 Offensive TTPs for Physical Security Testing

Section Overview: The hosts discuss offensive TTPs related to physical security testing.

  • They mention techniques such as lock picking, bypassing physical barriers, and tailgating.
  • Physical security testing involves assessing the effectiveness of physical controls and identifying potential vulnerabilities.

17:00 Offensive TTPs for Red Team Operations

Section Overview: The hosts discuss offensive TTPs specifically related to red team operations.

  • They mention techniques such as scenario-based attacks, covert entry, and lateral movement.
  • Red team operations involve simulating real-world attacks to test an organization’s defenses and identify weaknesses.

18:45 Offensive TTPs for Malware Analysis

Section Overview: The hosts discuss offensive TTPs related to malware analysis.

  • They mention techniques such as dynamic analysis, static analysis, and reverse engineering.
  • Analyzing malware helps understand its behavior, capabilities, and potential impact on systems.

20:30 Conclusion

Section Overview: The hosts conclude the episode by summarizing the topics discussed and emphasizing continuous learning in offensive tooling and TTPs.

  • They recap the various categories of offensive TTPs covered in this episode.
  • The hosts encourage viewers to stay updated with new trends in offensive tooling and continuously improve their skills.

06:12 The Benefits of Using Masscan and Nmap

Section Overview: This section discusses the advantages of using Masscan and Nmap for scanning purposes.

Masscan vs. Nmap

  • Masscan is an Nmap alternative written in Go that returns results faster than Nmap.
  • Combining both tools can enhance the scanning workflow, where Masscan can be used to identify live hosts and running services, while Nmap can be used for more granular tasks like running scripts.

06:29 The Popularity of Nim as a Language

Section Overview: This section highlights the growing popularity of Nim as a programming language.

Advantages of Nim

  • Nim has gained popularity due to its ability to evade most AV (Antivirus) and EDR (Endpoint Detection and Response) tools.
  • Rewriting popular tooling in newer languages like Nim, Rust, or Go can provide an easy win for individuals looking to make their mark in the field.
  • Nim and Go have extensive library support for working with Windows internals and other features, making them attractive options for developers.

07:51 Unique Command-and-Control (C2) Techniques

Section Overview: This section explores unique command-and-control techniques being used by attackers.

Unconventional C2 Methods

  • Attackers are utilizing unconventional C2 methods such as using GitHub as a communication channel by passing commands and data through it.
  • Another emerging trend is leveraging VS Code as a C2 platform. Tools like Mythic C2, which operates as a VS Code extension, enable attackers to establish covert communication channels that are difficult to detect.

09:15 Evolving Trends in C2 Usage

Section Overview: This section discusses evolving trends in C2 usage and the shift away from traditional tools like Cobalt Strike.

Changing Landscape of C2 Usage

  • The use of cloud services as C2 infrastructure is becoming increasingly prevalent, making it challenging to detect and mitigate attacks.
  • Attackers are leveraging legitimate remote access tools such as TeamViewer or AnyDesk for persistence and to exploit their features discreetly.
  • Organizations should be prepared to block these programs and associated cloud resources at the firewall level to mitigate potential risks.

10:37 Mitigating Risks with Legitimate Remote Access Tools

Section Overview: This section emphasizes the importance of mitigating risks associated with legitimate remote access tools.

Blocking Legitimate Remote Access Tools

  • Threat actors are exploiting legitimate remote access tools like TeamViewer or AnyDesk for unauthorized access and maintaining persistence within environments.
  • These tools provide attackers with instant system shell access, file transfer capabilities, and other unique functionalities while appearing as legitimate software.
  • Organizations should proactively block these programs and corresponding cloud resources at the firewall level to reduce the attack surface.

12:10 Inventory and Application Control

Section Overview: The importance of inventorying and standardizing the applications used in a company’s environment, as well as implementing application control to restrict unauthorized software.

  • Having an official standard and policy for the applications used in a company is crucial.
  • Locking down the environment to prevent the use of common but unauthorized software is essential.
  • Application control plays a significant role in fixing many issues and problems in most environments.
  • However, many companies still do not prioritize inventory management and baselining of software usage.
  • Monitoring services provided by MSPs or vendors should be aware of the tools used in the environment to effectively detect and alert any anomalies.
  • Restricting, mitigating, controlling, and identifying remote access into the environment is vital for defenders’ security.
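
The inventory and application-control points above, sketched as an added example (not from the podcast or SecurIT360): it compares process-creation records against an approved-software baseline and flags remote access tools running where they are not sanctioned, including a renamed binary. The record fields, host names, baseline and sample events are constructed assumptions.

```python
import json
import ntpath
from collections import defaultdict

# Remote access tools named in the episode; keys are lowercase match markers.
REMOTE_ACCESS_TOOLS = {"teamviewer": "TeamViewer", "anydesk": "AnyDesk"}

# Assumed company baseline: approved products, and hosts where remote access is sanctioned.
APPROVED_PRODUCTS = {"microsoft office", "google chrome", "teamviewer"}
REMOTE_ACCESS_ALLOWED_HOSTS = {"teamviewer": {"HELPDESK-01"}}

# Constructed sample events, one JSON record per line; field names are assumptions.
SAMPLE_EVENTS = r"""
{"host": "WS-014", "image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "product": "Microsoft Office"}
{"host": "HELPDESK-01", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "product": "TeamViewer"}
{"host": "WS-014", "image": "C:\\Users\\kim\\Downloads\\TeamViewer.exe", "product": "TeamViewer"}
{"host": "SRV-DB2", "image": "C:\\ProgramData\\updater.exe", "product": "AnyDesk"}
{"host": "WS-022", "image": "C:\\Tools\\notes.exe", "product": "NotesApp"}
not-json garbage line
"""

def remote_tool(event):
    """Return the watchlist key if the product metadata or the file name matches."""
    name = ntpath.basename(event.get("image", "")).lower()
    product = event.get("product", "").lower()
    for key in REMOTE_ACCESS_TOOLS:
        if key in product or key in name:
            return key
    return None

def classify(event):
    """Verdict for one event: ok, unapproved_remote_access or not_in_baseline."""
    tool = remote_tool(event)
    if tool:
        # An approved product is still a finding on a host where it is not sanctioned.
        allowed = REMOTE_ACCESS_ALLOWED_HOSTS.get(tool, set())
        return "ok" if event.get("host") in allowed else "unapproved_remote_access"
    if event.get("product", "").lower() in APPROVED_PRODUCTS:
        return "ok"
    return "not_in_baseline"

def review(lines):
    """Group non-ok events by verdict; keep unparseable lines instead of dropping them."""
    findings = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            findings["unparsed"].append(line)
            continue
        verdict = classify(event)
        if verdict != "ok":
            findings[verdict].append((event.get("host"), ntpath.basename(event.get("image", ""))))
    return dict(findings)

if __name__ == "__main__":
    for verdict, items in review(SAMPLE_EVENTS).items():
        print(verdict, items)
```

Matching on product metadata as well as the file name is what catches the renamed AnyDesk binary; that only works if the telemetry source records such metadata.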

14:40 Shift towards APIs for Microsoft Access

Section Overview: The shift from manually combing through email using GUI consoles to utilizing APIs like Microsoft Graph for further enumeration and digging.

  • Previously, accessing someone’s email required manual searching through GUI consoles.
  • Now there is a shift towards using APIs like Microsoft Graph after gaining initial access.
  • Microsoft Graph provides APIs for various tasks, making it convenient for attackers.
  • Monitoring Microsoft Graph usage can be challenging due to limited logging capabilities.
  • Defenders need to consider this technique as it has significant potential for evading detection.

17:21 Proxying Tools into the Environment

Section Overview: Attackers are moving away from running tools directly on hosts and instead proxy them into the environment.

  • “Living off the land” was popular when PowerShell was widely used, but now attackers are proxying their tools into the environment.
  • This approach involves running tooling on their host machine while proxying traffic into the target environment.
  • By doing so, traditional identifiers may not be present or easily detected.
  • Defenders need to be aware of this technique and adapt their detection strategies accordingly.

18:06

Section Overview: In this section, the speaker discusses the shift in focus from endpoint-based detections to identity and network traffic. This change is driven by the increasing importance of defending against attacks that target identities rather than just endpoints.

Importance of Identity and Network Traffic

  • Endpoint-based detections are no longer viable as attackers have shifted their focus to targeting identities and exploiting network traffic.
  • Products and vendors such as Defender for Identity, CrowdStrike, and SentinelOne have developed identity products to address this shift in attack tactics.
  • Offensive testers can leverage these identity products to gain insights into how attackers operate and help defenders improve their defense strategies.

18:22

Section Overview: The speaker continues discussing the importance of identity in cybersecurity and highlights a specific software called “Patch My PC” that has potential security vulnerabilities.

Patch My PC Vulnerability

  • “Patch My PC” is a software used to keep other software up-to-date.
  • LuemmelSec has released a tool that allows decryption of password strings within the settings file of Patch My PC.
  • The vulnerability arises due to lax access control lists (ACLs) on the directory where the settings file resides.
  • Additionally, crypto functions are saved in the registry without proper restrictions, making it possible for red teams or penetration testers to extract sensitive information from Patch My PC’s settings file.
  • The vendor should address these security gaps by implementing proper ACLs and access restrictions.

19:15

Section Overview: The speaker reflects on a previous podcast episode about bringing vendors’ software into an environment and highlights the risks associated with using appliances, IoT devices, edge devices, firewalls, etc., as footholds for attackers.

Using Appliances and IoT Devices as Footholds

  • Attackers are increasingly using appliances, IoT devices, firewalls, and routers as footholds instead of traditional endpoints like Windows or Linux PCs.
  • These devices often lack endpoint detection and response (EDR) capabilities, making them attractive targets for attackers.
  • Firmware manipulation and unauthorized changes to device settings pose significant risks.
  • Defenders face challenges in protecting these devices, analyzing firmware, detecting changes in settings, and identifying malicious activities.

21:59

Section Overview: The speaker continues discussing the use of appliances and IoT devices as footholds for attackers. They highlight the need for better protection measures beyond isolating IoT devices on separate networks.

Challenges in Protecting Appliances and IoT Devices

  • Isolating IoT devices on separate networks is not a foolproof solution.
  • Attackers are exploiting vulnerabilities in firewalls, routers, ManageEngine appliances, etc., which lack robust security measures like EDR.
  • Defenders must find ways to protect these devices, analyze firmware for potential threats, detect unauthorized changes in settings, and monitor for any suspicious activities.

23:55 Network Configuration and Security of IoT Devices

Section Overview: The speaker discusses the challenges in tackling network configuration and security of IoT devices, emphasizing the need for vendors to prioritize security measures to prevent misuse and abuse.

Challenges in Network Configuration and Security of IoT Devices

  • The current state of network configuration for IoT devices is complex and challenging.
  • Vendors need to focus on enhancing the security of these devices to prevent potential misuse and abuse.
  • As more advanced state-sponsored actors become involved, there may be an increase in commercialization and weaponization of IoT devices.

24:34 Native Port Forwarding in VS Code

Section Overview: The speaker introduces a new feature in VS Code that allows native port forwarding. They discuss the benefits for developers but also highlight potential implications from an offensive security perspective.

Native Port Forwarding in VS Code

  • VS Code now has a native feature for port forwarding without requiring any extensions.
  • This feature can be useful for developers who need to quickly test or expose something locally.
  • From an offensive security perspective, this built-in capability opens up possibilities for red teamers and increases the difficulty for defenders to handle such activities.
  • Blocking this feature might lead to conflicts between security teams and development teams.

26:01 Implications of VS Code’s Port Forwarding Feature

Section Overview: The speaker further explores the implications of VS Code’s port forwarding feature, discussing potential challenges related to blocking or managing its usage.

Implications of VS Code’s Port Forwarding Feature

  • Blocking or managing the usage of VS Code’s port forwarding feature can be challenging.
  • Red teamers are likely to utilize this feature more frequently, making it difficult for defenders to detect their activities.
  • There may be rotating domains associated with the feature, adding complications for both attackers and defenders.
  • Developers should consider the potential abuse of such features during the development process.

27:14 Python Integration in Excel

Section Overview: The speaker mentions the introduction of Python integration in Excel and discusses potential concerns regarding security and abuse.

Python Integration in Excel

  • Microsoft is introducing Python integration in Excel, which can have significant implications.
  • While there may be controls in place to prevent abuse, it is expected that vulnerabilities or misuse will be discovered within a year.
  • The speaker wonders if discussions during development included considerations for potential abuse or security measures.

28:11 Missed Topic: Introduction of Python Integration in Excel

Section Overview: The speakers acknowledge that they missed discussing the introduction of Python integration in Excel and express their surprise at overlooking such a significant topic.

Introduction of Python Integration in Excel

  • The speakers admit that they overlooked discussing the introduction of Python integration in Excel.
  • They anticipate potential security issues arising from this new feature, even though details are not extensively known yet.
  • It is suggested that someone may find a way to escape the sandbox or exploit this feature relatively quickly.

29:03 Internal Network Penetration Testing Focus

Section Overview: The speaker explains their primary focus on internal network penetration testing and how it influences their perspective on certain topics.

Internal Network Penetration Testing Focus

  • The speaker primarily focuses on internal network pen testing with an assumed breach approach.
  • Their expertise lies more within internal network assessments rather than initial access engagements or social engineering activities.

29:45

Section Overview: In this section, the speaker discusses the potential attack chain involving messaging and sharing files in Excel and Python.

Attack Chain with Messaging and File Sharing

  • The speaker mentions the ability to message people outside of one’s organization and share files.
  • They speculate that an attack chain could involve sending an Excel file containing Python code that runs when opened by the recipient.
  • Although the code may not run locally on the machine, it can still execute its intended actions remotely.

30:22

Section Overview: This section focuses on the emerging trend of core dumps as a TTP (Tactics, Techniques, and Procedures) from an offensive perspective.

Trending TTP: Core Dumps

  • The speaker highlights core dumps as a trending TTP in offensive tactics.
  • They emphasize the importance of protecting system crash logs and audit logs from core dumps.
  • Microsoft is mentioned as an example of a company learning this lesson.

Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com