Offensive Development: Post Exploitation Tradecraft in an EDR World

You spend days or even weeks perfecting the perfect phish; your campaign has a targeted pre-text, a slick initial access payload and it slips through perimeter defences right in to your target’s inbox. Moments later, your c2 pings and your beacon is awake – you’re in, it’s time to explore! You start by probing the endpoint, checking your privileges and getting your bearings in the network. Suddenly, silence… your beacon has stopped responding, your infrastructure is burned and you have to start over.

Command line logging, PowerShell logging, sysmon, EDR, EDP, app whitelisting, AMSI; the blue team has it all and you’re playing on their turf. Unless your post-exploitation game is at its peak, you shall not pass.

During this talk we will explore traditional post-exploitation tradecraft, reviewing the OpSec pitfalls that commonly lead to detection in mature environments. Further to this, we will present innovative techniques to significantly reduce indicators of compromise, avoiding command line execution, remote process injection and process creation. It will demonstrate how DevOps principles can be applied to red teaming, focusing on the implementation of a custom CI/CD pipeline to automatically consume, build and deploy existing and custom tooling to an environment in a manner agnostic to any command and control framework. This approach also provides the operator with the capability to programmatically and automatically protect their tools from DFIR, safeguarding intellectual property and operational infrastructure when an artifact is dropped to disk.

The future of red teaming is offensive development.

Location: Track 1 Date: April 24, 2020 Time: 3:00 pm - 4:00 pm Dominic Chell