READY PLAYER 2
MULTIPLAYER RED TEAMING AGAINST MACOS
BSIDES SEATTLE 2019
CODY THOMAS
• Senior Operator at SpecterOps
• Previously:
  • Adversary Emulation Engineer at MITRE
  • Mac/Linux ATT&CK
  • APT3 Emulation Plan
• Twitter: @its_a_feature_
• GitHub: github.com/its-a-feature/
MACOS OPERATIONS
What’s the current landscape?
CURRENT MACOS OPERATIONS
Malware seen in the wild:
• WindTail
  • Signed macOS application
• FairyTale
  • Signed macOS application
• Calisto
  • Unsigned macOS application
• AppleJeus
  • Signed macOS application
• EvilEgg and LamePyre
  • Utilize EggShell and Empire
Red Teaming FOSS Frameworks:
• Empire
  • Python-based agent
  • Single User Terminal Application
  • RESTful Interface
• EggShell
  • Python-based agent
  • Single User Terminal Application
• Evil OSX
  • Python-based agent
  • Some GUI components
https://objective-see.com/downloads/MacMalware_2018.pdf
https://github.com/EmpireProject/Empire
https://github.com/neoneggplant/EggShell
https://github.com/Marten4n6/EvilOSX
OPERATIONAL PROBLEMS
● Want to emulate adversaries, but:
○ Current FOSS capabilities don’t match up
○ More easily caught as “Red Team”
○ Signing macOS applications is not easy
● Want to operate in a team, but:
○ Need proper collaboration and sharing
○ Screen sharing isn’t scalable
BRIDGING THE GAP
How can we get operations closer to the real thing?
JAVASCRIPT FOR AUTOMATION (JXA)
● Scriptable execution:
○ Most of the lower-level Objective C APIs exposed in a JS way
○ Kind of like if PowerShell stopped at version 1 or 2
● According to Apple:
“In OS X 10.10, JavaScript became a peer to AppleScript in OS X.”
● Still isn’t a signed macOS Application though
○ Hard to emulate as a consultant across multiple customers
● Very limited threading capabilities
https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
DEFENSIVE CONSIDERATIONS
● Does osascript normally run?
○ AppleScript has been around since 1993
○ Mainly used by Admins and power users
● How does JXA perform actions?
○ Apple Events for IPC (causes popups in 10.14)
○ Objective C API calls
● Signing?
○ Not a problem – Live off the land
○ osascript is an Apple signed binary
○ Can execute entirely in memory
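The defensive side of the slide above is where detection starts: osascript is an Apple-signed binary that admins and power users do run, so the question is not "did osascript run" but "did it run in the JXA, inline or stdin-fed, unusual-parent shape". The following triage script is an added example, not code from the talk or from Apfell. The event schema, the sample events, the set of "expected" parent processes and the scoring weights are all constructed assumptions for this example; the osascript options it parses (`-l language`, `-e statement`, `-s flags`, `-i`) are from the tool's man page.

```python
"""Added example (not from the talk or from Apfell): triage osascript process
executions for the JXA pattern the slide describes, where an Apple-signed
binary runs JavaScript that can be supplied inline or over stdin and so
never touches disk. The event schema and the events are constructed."""
import json
import os
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed process-creation events, one JSON object per line, in the shape
# a generic endpoint sensor might emit. Field names are this example's own.
SAMPLE_EVENTS = """\
{"ts": "2019-05-18T09:12:01Z", "pid": 4112, "user": "admin", "parent": "/bin/bash", "cmdline": "osascript /Users/admin/scripts/rename_files.applescript"}
{"ts": "2019-05-18T09:14:22Z", "pid": 4190, "user": "jdoe", "parent": "/Applications/Safari.app/Contents/MacOS/Safari", "cmdline": "osascript -l JavaScript -e 'var app = Application.currentApplication()'"}
{"ts": "2019-05-18T09:15:03Z", "pid": 4201, "user": "jdoe", "parent": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word", "cmdline": "osascript -l JavaScript"}
{"ts": "2019-05-18T09:16:40Z", "pid": 4250, "user": "admin", "parent": "/bin/zsh", "cmdline": "osascript -e 'display notification \\"done\\"'"}
{"ts": "2019-05-18T09:17:10Z", "pid": 4260, "user": "jdoe", "parent": "/sbin/launchd", "cmdline": "/usr/libexec/xpcproxy"}
"""

# Parent binaries from which admins and power users normally launch osascript
# (interactive shells and the Terminal); this set is an assumption, tune it per fleet.
EXPECTED_PARENTS = {"bash", "zsh", "sh", "Terminal", "login"}

# osascript options that consume the following argument (from its man page).
OPTS_WITH_ARG = {"-e", "-l", "-s"}


@dataclass
class Finding:
    pid: int
    user: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage_osascript(event: dict) -> Optional[Finding]:
    """Score one process event; None when the process is not osascript."""
    argv = shlex.split(event["cmdline"])
    if not argv or os.path.basename(argv[0]) != "osascript":
        return None
    language, inline, script_path = None, False, None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in OPTS_WITH_ARG and i + 1 < len(argv):
            if arg == "-l":
                language = argv[i + 1]
            elif arg == "-e":
                inline = True
            i += 2
        elif arg.startswith("-"):
            i += 1                      # flag without an argument (-i, -h)
        else:
            script_path = arg           # first positional arg is the script file
            break                       # the rest are the script's own arguments
    f = Finding(pid=event["pid"], user=event["user"])
    if language and language.lower() == "javascript":
        f.add(2, "JXA selected with -l JavaScript (Objective-C bridge available)")
    if inline:
        f.add(1, "script passed inline with -e; nothing on disk to inspect")
    elif script_path is None:
        f.add(2, "no script file and no -e: script read from stdin, in memory only")
    parent = os.path.basename(event.get("parent", ""))
    if parent not in EXPECTED_PARENTS:
        f.add(2, f"parent {parent!r} is not an interactive shell or Terminal")
    return f


def scan_events(lines: str, threshold: int = 3) -> List[Finding]:
    """Parse JSON-lines events and return osascript findings at or above threshold."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        finding = triage_osascript(json.loads(line))
        if finding and finding.score >= threshold:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid {f.pid} user {f.user} score {f.score}: " + "; ".join(f.reasons))
```

On the constructed events only the two JXA executions from non-shell parents cross the threshold; the admin's file-based AppleScript and the inline `display notification` from an interactive shell score too low to alert, which is the point of scoring rather than matching on the binary name.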
NOW IT’S TIME TO OP
You’ve been tasked to operate against macOS, now what?
INTRODUCING
It’s not a bug, it’s a feature
WHAT IS APFELL?
● Collaborative, post-exploitation framework with a web front-end
● Apfell server runs on macOS/Linux (needs python3.6+)
● Apfell agents can be any operating system
○ JXA payload for macOS
○ @xorrior already released a Chrome extension payload
○ Payloads can be scripted or dynamically compiled
● Any number of c2 profiles running at a time
DEMO TIME!
Let’s operate
Demo videos:
● https://youtu.be/9yjNzYtOyHE
● https://youtu.be/FJf9oQkBG0g
● https://youtu.be/_V7PrbDHfY8
● https://youtu.be/Hgn-RUa9feo
● https://youtu.be/4mABpw20KMQ
● https://youtu.be/KypCqWSQGwE
A FRAMEWORK SHOULD BE:
1. Informative
• Track data, environment, operation, OPSEC concerns
• Easy to understand user interface
• Purple in nature - helping both Red and Blue teams
2. Collaborative
• Every operator has their own customized front-end
• Can share detailed information easily and quickly
3. Extensible
• Easily add/share commands, C2 profiles, payloads
• Support multiple operating systems
• You shouldn’t have to re-roll a UI for every new payload
INFORMATIVE: FOR RED TEAMERS
● Operators
● Commands
○ OPSEC (Artifacts, Transforms)
● Payload Types
○ Creation, loading modules, execution help
● Operational Data Model
○ Let’s use all the data we collect/generate in operations
● Task-Response grouping
○ not just data-dump console
● Searching tasks and responses across an operation
INFORMATIVE: FOR BLUE TEAMERS
● Commands mapped to MITRE ATT&CK
○ Regex matching for more granularity
○ Exports to ATT&CK Navigator
○ Auto populates based on the command
● Host/Network artifact tracking per task
○ Helpful for deconfliction and reporting
○ Auto populated while operating
○ Agents can report updates or new artifacts
○ Soon include exportability of artifacts to Splunk/SIEMs
COLLABORATIVE
● Web-based GUI
○ No client dependencies besides a modern browser
○ Each operator has their own profile and login
● Users assigned to operations
○ Multiple operations ongoing concurrently
○ Individual tasks sharable amongst team members
● Operators can comment on tasks
○ Seen by all members in that operation
EXTENSIBLE
● You can create/add any number of payload types across all OSes
○ JXA, Python, C#, Go, etc
○ Can be scripts or compiled
● You can create/add any number of commands for a payload
○ Command templating
● You can create/add/run any number of C2 profiles at a time
○ They run as sub-processes
○ Only bound ports need to be unique
APFELL
Enough words, let’s see Apfell
PAYLOAD TYPES
• Add / Edit Payload types
• Can be wrappers for full payloads
  • Macro
  • MSBuild
  • DyLib
COMMANDS
• View Code
• Provide operator help
• Edit code
• Add/edit/remove parameters
COMMAND TRANSFORMS / ATT&CK / ARTIFACTS
• Transform commands
• Provide ATT&CK Mappings
• Indicate host/network artifacts
COMMAND AND CONTROL PROFILES
C2 PROFILE PARAMETERS
• Specify parameters that will be stamped into an agent during creation
• “key” value is stamped out with user’s value in agent code
PAYLOAD CREATION - UI
• Pick C2 profile, payload type, and initial commands
• Stamp all pieces together
PAYLOAD CONFIGURATION
• All payloads registered in the database
• See configuration and comparison to server state at any time
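The three slides above describe one build pipeline: C2 profile parameters whose "key" names are stamped out with the operator's values, commands stamped into the agent at creation, and the resulting configuration registered so it can be compared with the server's state later. The code below is an added example of that pipeline, not Apfell's own build code; the agent template, the placeholder names, the command modules and the `sha256` field in the configuration record are all constructed for the example.

```python
"""Added example, not Apfell's own build code: stamp C2 profile parameters and
command modules into an agent template, register the resulting payload's
configuration, and compare that configuration with the server's current
profile values. Template, parameter names and modules are constructed."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed C2 profile: each parameter key is a placeholder name used in agent code.
C2_PROFILE = {
    "name": "default-http",
    "parameters": {"callback_host": "https://c2.example.test",
                   "callback_port": "443",
                   "callback_interval": "10"},
}

# Constructed agent skeleton (a stand-in for a JXA agent), with {{key}} markers
# where profile values go and a {{commands}} marker for stamped-in modules.
AGENT_TEMPLATE = """\
// management core: checks in, receives tasks, dispatches to loaded commands
var C2 = { host: "{{callback_host}}", port: {{callback_port}}, interval: {{callback_interval}} };
var commands = {};
{{commands}}
"""

# Constructed stand-alone command modules, one per registered command.
COMMAND_MODULES = {
    "shell": 'commands["shell"] = function (args) { return "shell: " + args; };',
    "ls":    'commands["ls"] = function (args) { return "ls: " + args; };',
    "exit":  'commands["exit"] = function (args) { return "bye"; };',
}

PLACEHOLDER = re.compile(r"{{(\w+)}}")


def stamp_payload(template: str, c2_params: Dict[str, str],
                  command_names: List[str], modules: Dict[str, str]) -> Tuple[str, dict]:
    """Return (agent code, configuration record) for one payload."""
    needed = set(PLACEHOLDER.findall(template)) - {"commands"}
    missing = sorted(needed - set(c2_params))
    if missing:
        # Refuse to build rather than ship an agent with a literal "{{key}}" in it.
        raise ValueError(f"template needs profile parameters not provided: {missing}")
    unknown = sorted(set(command_names) - set(modules))
    if unknown:
        raise ValueError(f"no module registered for commands: {unknown}")
    code = template
    for key, value in c2_params.items():
        code = code.replace("{{" + key + "}}", value)
    code = code.replace("{{commands}}", "\n".join(modules[c] for c in command_names))
    # Everything the server needs to reason about this payload later.
    config = {
        "c2_profile": dict(c2_params),
        "commands": list(command_names),
        "sha256": hashlib.sha256(code.encode()).hexdigest(),
    }
    return code, config


def config_drift(payload_config: dict, server_params: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each parameter whose stamped value differs from the server's to (stamped, server)."""
    stamped = payload_config["c2_profile"]
    keys = set(stamped) | set(server_params)
    return {k: (stamped.get(k), server_params.get(k)) for k in sorted(keys)
            if stamped.get(k) != server_params.get(k)}


if __name__ == "__main__":
    code, cfg = stamp_payload(AGENT_TEMPLATE, C2_PROFILE["parameters"], ["shell", "exit"], COMMAND_MODULES)
    print(code)
    print(cfg)
    # Simulate the server's profile being edited after the payload was built.
    print(config_drift(cfg, dict(C2_PROFILE["parameters"], callback_port="8443")))
```

`config_drift` is the "comparison to server state" piece: because the stamped values are recorded at build time, an operator can see that a callback was built against a port the profile no longer listens on instead of guessing from the agent's behaviour.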
CALLBACK VIEW
• Familiar table of callbacks like most tools
• Detailed task data grouped by task (not time)
• Add/track optional comments per task
SHARING SINGULAR TASKS
• Click task number on almost any page to view JUST that one task and its output
• Easy to share URL amongst team members: /tasks/task#
• Only viewable by users assigned to that operation
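A shareable `/tasks/task#` link is only safe to pass around if the server enforces the last bullet above on every request: the task number is a guessable integer, so visibility has to follow operation membership, not the URL. The handler below is an added example of that check, not Apfell's route code; the task records, operation membership and response tuple shape are constructed for the example.

```python
"""Added example (not Apfell's route handler): serve the /tasks/<number> share
link only to users assigned to the task's operation, and answer "not found"
identically for unknown and unauthorized task numbers. Data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Task:
    id: int
    operation: str
    callback: int
    command: str
    params: str
    output: str


# Constructed operation membership and tasks.
OPERATION_MEMBERS: Dict[str, Set[str]] = {
    "op-acme": {"alice", "bob"},
    "op-globex": {"carol"},
}
TASKS: Dict[int, Task] = {
    41: Task(41, "op-acme", 3, "ls", "/Users/jdoe", "Documents\nDesktop"),
    42: Task(42, "op-acme", 3, "shell", "whoami", "jdoe"),
    43: Task(43, "op-globex", 7, "shell", "id", "uid=502(mike) gid=20(staff)"),
}

TASK_URL = re.compile(r"^/tasks/(\d+)$")


def user_can_view(task: Task, user: str, members: Dict[str, Set[str]]) -> bool:
    """Task visibility follows operation assignment, not who issued the task."""
    return user in members.get(task.operation, set())


def view_task(path: str, user: str, tasks: Dict[int, Task] = TASKS,
              members: Dict[str, Set[str]] = OPERATION_MEMBERS) -> Tuple[int, Optional[dict]]:
    """Return (HTTP status, body) for a share link.

    Unknown ids and ids belonging to another operation both yield 404, so a user
    cannot learn how many tasks other operations have by walking the id space."""
    m = TASK_URL.match(path)
    if not m:
        return 400, None
    task = tasks.get(int(m.group(1)))
    if task is None or not user_can_view(task, user, members):
        return 404, None
    return 200, {"id": task.id, "operation": task.operation, "callback": task.callback,
                 "command": task.command, "params": task.params, "output": task.output}


if __name__ == "__main__":
    for who in ("alice", "carol"):
        print(who, view_task("/tasks/42", who))
```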
TASK VIEW
• View all tasks at once across all callbacks
• Click to expand and see output
SEARCH VIEW
• Search all task output or task parameters for key words/phrases
• Searches across all callbacks in an operation
• Faster and more targeted than just
ATT&CK
× Transform commands
× Provide ATT&CK Mappings
× Indicate host/network artifacts
APPLY ATT&CK WITH REGEX
• Match all tasks where the parameters fit regex: .*id
• Check matches and their current ATT&CK mappings
BASIC ARTIFACT TRACKING
• Define formats for artifacts based on commands and command parameters
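The "apply ATT&CK with regex" and "basic artifact tracking" slides above, together with the earlier "Informative: for Blue Teamers" slide, describe the same data flow: a task (command plus parameters) is matched against regexes to attach ATT&CK technique IDs, expanded through per-command formats into host/network artifacts for deconfliction, and exported as an ATT&CK Navigator layer. The block below is an added example of that flow over a constructed task list and is not Apfell's code. The rules, artifact formats and tasks are constructed; the technique IDs are illustrative choices from ATT&CK; the layer keys (`name`, `domain`, `techniques` with `techniqueID`/`color`/`comment`) are an assumption about the Navigator layer format rather than anything copied from Apfell's exporter.

```python
"""Added example, not Apfell's code: apply ATT&CK mappings to tasks by regex
over the command and its parameters, derive host artifacts from per-command
formats, and emit an ATT&CK Navigator layer. Tasks and rules are constructed;
technique IDs are illustrative and the layer keys are an assumption."""
import json
import re
from typing import Dict, List, Optional

# Constructed tasks in the shape of a task record: command name plus parameter string.
TASKS = [
    {"id": 1, "callback": 3, "command": "shell",    "params": "id"},
    {"id": 2, "callback": 3, "command": "shell",    "params": "whoami"},
    {"id": 3, "callback": 3, "command": "ls",       "params": "/Users/jdoe/Documents"},
    {"id": 4, "callback": 4, "command": "download", "params": "/Users/jdoe/Documents/notes.txt"},
    {"id": 5, "callback": 4, "command": "upload",   "params": "/tmp/helper.sh"},
]

# (command, parameter regex, technique ID, technique name); more specific rules first.
RULES = [
    ("shell",    r"^(id|whoami)\b", "T1033", "System Owner/User Discovery"),
    ("shell",    r".*",             "T1059", "Command and Scripting Interpreter"),
    ("ls",       r".*",             "T1083", "File and Directory Discovery"),
    ("download", r".*",             "T1005", "Data from Local System"),
    ("upload",   r".*",             "T1105", "Ingress Tool Transfer"),
]

# Per-command artifact formats; {params} is filled from the task record.
ARTIFACT_FORMATS = {
    "shell":    [("Process Create", "{params}")],
    "download": [("File Read", "{params}")],
    "upload":   [("File Write", "{params}")],
}


def matching_tasks(tasks: List[dict], params_regex: str, command: Optional[str] = None) -> List[int]:
    """Task ids whose parameters fit the regex (optionally for one command only)."""
    rx = re.compile(params_regex)
    return [t["id"] for t in tasks
            if (command is None or t["command"] == command) and rx.match(t["params"])]


def apply_attack(tasks: List[dict], rules) -> Dict[int, List[str]]:
    """Map each task id to the technique IDs whose rule matches it."""
    mapping = {}
    for t in tasks:
        ids = []
        for cmd, params_rx, tid, _name in rules:
            if t["command"] == cmd and re.match(params_rx, t["params"]) and tid not in ids:
                ids.append(tid)
        mapping[t["id"]] = ids
    return mapping


def track_artifacts(tasks: List[dict], formats) -> List[dict]:
    """Expand each task into the host artifacts its command leaves behind."""
    return [{"task": t["id"], "callback": t["callback"], "type": kind,
             "instance": template.format(**t)}
            for t in tasks for kind, template in formats.get(t["command"], [])]


def navigator_layer(tasks: List[dict], mapping: Dict[int, List[str]], name: str) -> dict:
    """Build a Navigator-style layer: one entry per technique, commented with its tasks."""
    comments: Dict[str, List[str]] = {}
    for t in tasks:
        for tid in mapping[t["id"]]:
            comments.setdefault(tid, []).append(f"task {t['id']}: {t['command']} {t['params']}")
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": tid, "color": "#fd8d3c", "comment": "; ".join(c)}
                       for tid, c in sorted(comments.items())],
    }


if __name__ == "__main__":
    mapping = apply_attack(TASKS, RULES)
    print("tasks whose parameters match '.*id':", matching_tasks(TASKS, r".*id"))
    print(json.dumps(navigator_layer(TASKS, mapping, "op-acme"), indent=2))
    for artifact in track_artifacts(TASKS, ARTIFACT_FORMATS):
        print(artifact)
```

Rule order matters for readability of the export: the narrow `^(id|whoami)\b` rule runs before the catch-all `shell` rule so the discovery technique is listed first, and both stay attached to the task. The artifact records carry the callback and task number, which is what a blue team needs to reconcile a flagged process or file with a specific red-team action.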
COMMAND TRANSFORMS
• Toggle transforms on/off locally
• Can optionally persist settings globally for all operators
• Test outputs of each transform:
UPLOADING / DOWNLOAD
• View all uploads/downloads and file paths across an operation
• Real-time updates for in-progress downloads
SCREEN CAPTURES
• View screen captures by callback or across an entire operation
COMMAND COMPLETION
• Auto populate available commands based on the associated payload type for the callback
• Can use L/R arrow keys to cycle through choices
COMMAND PARAMETERS
• If a command has registered parameters and you don’t type any on the command line
• Pop-up dialog to fill in parameters
APFELL AGENTS
What does an agent look like?
PAYLOAD DESIGN CONSIDERATIONS
● Modular
○ All commands are stand-alone
○ Main payload is just management engine
○ C2 is abstracted away
■ Creates plug-and-play C2 functionality
○ Stamp in commands at creation
■ And load more in later
● Inspiration
○ Malware samples: PlugX, Flame, CozyDuke, etc
PAYLOAD DESIGN CONSIDERATIONS
● OS Agnostic
○ Apfell is a framework for collaborative operations
○ Payloads can be created for any OS – scripted or compiled
● OPSEC aware
○ Ideally agents track their footprint on host and report back
○ Artifact tracking with real-time data in responses
GOING FORWARD
What’s next for Apfell?
FUTURE UPDATES – SHORT TERM
● More encryption
○ Currently just HTTPS
● More payload types across multiple operating systems
○ Python, Mach-O, C#, ELF, Go
● More built-in commands
○ Keylogging, Process Injection, Proxy Pivots
FUTURE UPDATES – MEDIUM TERM
● More customizable C2 profiles included by default
○ Control GET/POST requests
● More C2 profiles that don’t require external comms
○ SMB, SSH
● More Artifact Tracking / Defensive Guidance
○ Better tracking of operational artifacts
○ Inclusion of defensive measures for commands
FUTURE UPDATES – LONG TERM
● Create scriptable Python API for greater control
○ Registerable within the UI – no need for RESTful scripting
● Server speed improvements
○ Automated builds
● More UI Upgrades
○ Attackers think in graphs, not lists
● Community driven updates
○ Please contribute! ☺
THANKS! Any questions?
• Twitter: @its_a_feature_
• GitHub: github.com/its-a-feature/
• https://its-a-feature.github.io
• Blog series on creating Apfell
• macOS AD discovery (Orchard)
It’s not a bug, it’s a feature

Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 

Ready player 2 Multiplayer Red Teaming Against macOS

  • 1. READY PLAYER 2 MULTIPLAYER RED TEAMING AGAINST MACOS BSIDES SEATTLE 2019
  • 2. CODY THOMAS • Senior Operator at SpecterOps • Previously: • Adversary Emulation Engineer at MITRE • Mac/Linux ATT&CK • APT3 Emulation Plan • Twitter: @its_a_feature_ • GitHub: github.com/its-a-feature/ 2
  • 3. MACOS OPERATIONS What’s the current landscape? 3
  • 4. CURRENT MACOS OPERATIONS Malware seen in the wild: • WindTail • Signed macOS application • FairyTale: • Signed macOS application • Calisto • Unsigned macOS application • AppleJeus • Signed macOS application • EvilEgg and LamePyre • Utilize EggShell and Empire Red Teaming FOSS Frameworks: • Empire • Python-based agent • Single User Terminal Application • RESTful Interface • EggShell • Python-based agent • Single User Terminal Application • Evil OSX • Python-based agent • Some GUI components 4 https://objective-see.com/downloads/MacMalware_2018.pdf https://github.com/EmpireProject/Empire https://github.com/neoneggplant/EggShell https://github.com/Marten4n6/EvilOSX
  • 5. OPERATIONAL PROBLEMS ● Want to emulate adversaries, but: ○ Current FOSS capabilities don’t match up ○ More easily caught as “Red Team” ○ Signing macOS applications is not easy ● Want to operate in a team, but: ○ Need proper collaboration and sharing ○ Screen sharing isn’t scalable 5
  • 6. BRIDGING THE GAP How can we get operations closer to the real thing? 6
  • 7. JAVASCRIPT FOR AUTOMATION (JXA) ● Scriptable execution: ○ Most of the lower-level Objective C APIs exposed in a JS way ○ Kind of like if PowerShell stopped at version 1 or 2 ● According to Apple: “In OS X 10.10, JavaScript became a peer to AppleScript in OS X.” ● Still isn’t a signed macOS Application though ○ Hard to emulate as a consultant across multiple customers ● Very limited threading capabilities 7https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
○ Mainly used by Admins and power users
● How does JXA perform actions?
○ Apple Events for IPC (causes popups in 10.14)
○ Objective C API calls
● Signing?
○ Not a problem – Live off the land
○ osascript is an Apple signed binary
○ Can execute entirely in memory
DEFENSIVE CONSIDERATIONS
8
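As an added example for the defensive considerations above (this is not code from the talk or from Apfell), the Python below scores constructed process-start events so that osascript runs which look unlike routine admin use stand out: the JXA language selection, an inline `-e` script that leaves no file on disk, and a non-interactive parent process. The event field names and the set of "interactive" parents are assumptions made for this example; the `-l` and `-e` flags are osascript's own.

```python
"""Triage rule for osascript executions (added example, not from the slides).

osascript is an Apple-signed binary that admins and power users legitimately
run, so the rule orders events by how unusual they look rather than blocking
anything: JXA via "-l JavaScript", inline "-e" scripts, and parents that are
not an interactive shell or editor each add to the score.
"""
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-start event. Field names are assumed for this example."""
    parent: str    # name of the parent process
    user: str
    cmdline: str   # full command line as executed


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("Terminal", "admin", "osascript /Users/admin/scripts/backup.scpt"),
    ProcEvent("Script Editor", "alice", "osascript -e 'display dialog \"hello\"'"),
    ProcEvent("curl", "bob", "osascript -l JavaScript -e 'console.log(1)'"),
    ProcEvent("launchd", "bob", "osascript -l JavaScript /tmp/job.js"),
    ProcEvent("bash", "root", "ls -la /"),
]

# Parents under which an admin or power user would normally launch osascript
# (an assumed baseline; tune it from your own telemetry).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "Script Editor", "Automator"}


def score_event(ev: ProcEvent):
    """Score one event; returns (score, reasons). 0 means it is not osascript."""
    argv = shlex.split(ev.cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return 0, []
    score, reasons = 1, ["osascript execution"]
    # "-l JavaScript" selects JXA instead of the default AppleScript language.
    for i, arg in enumerate(argv):
        if arg == "-l" and i + 1 < len(argv) and argv[i + 1].lower() == "javascript":
            score += 2
            reasons.append("JXA language flag")
    # "-e" passes the script inline, so nothing is written to disk.
    if "-e" in argv:
        score += 1
        reasons.append("inline script, no file on disk")
    if ev.parent not in INTERACTIVE_PARENTS:
        score += 1
        reasons.append(f"non-interactive parent: {ev.parent}")
    return score, reasons


def triage(events, threshold=3):
    """Return the events whose score reaches the threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((score, ev, reasons))
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    for score, ev, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {ev.user}: {ev.cmdline}  <- {', '.join(reasons)}")
```

The scoring is deliberately coarse: because osascript does have legitimate users, the value is in the ordering and in the reasons attached to each hit, which is what an analyst needs to decide whether a given run matches the known admin baseline.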
NOW IT’S TIME TO OP
You’ve been tasked to operate against macOS, now what?
9

INTRODUCING
It’s not a bug, it’s a feature
10

WHAT IS APFELL?
● Collaborative, post-exploitation framework with a web front-end
● Apfell server runs on macOS/Linux (needs python3.6+)
● Apfell agents can be any operating system
○ JXA payload for macOS
○ @xorrior already released a Chrome extension payload
○ Payloads can be scripted or dynamically compiled
● Any number of C2 profiles running at a time
11

DEMO TIME!
Let’s operate
Demo videos:
● https://youtu.be/9yjNzYtOyHE
● https://youtu.be/FJf9oQkBG0g
● https://youtu.be/_V7PrbDHfY8
● https://youtu.be/Hgn-RUa9feo
● https://youtu.be/4mABpw20KMQ
● https://youtu.be/KypCqWSQGwE
12

A FRAMEWORK SHOULD BE:
1. Informative
• Track data, environment, operation, OPSEC concerns
• Easy to understand user interface
• Purple in nature - helping both Red and Blue teams
2. Collaborative
• Every operator has their own customized front-end
• Can share detailed information easily and quickly
3. Extensible
• Easily add/share commands, C2 profiles, payloads
• Support multiple operating systems
• You shouldn’t have to re-roll a UI for every new payload
13

INFORMATIVE: FOR RED TEAMERS
● Operators
● Commands
○ OPSEC (Artifacts, Transforms)
● Payload Types
○ Creation, loading modules, execution help
● Operational Data Model
○ Let’s use all the data we collect/generate in operations
● Task-Response grouping
○ Not just a data-dump console
● Searching tasks and responses across an operation
14

INFORMATIVE: FOR BLUE TEAMERS
● Commands mapped to MITRE ATT&CK
○ Regex matching for more granularity
○ Exports to ATT&CK Navigator
○ Auto-populates based on the command
● Host/Network artifact tracking per task
○ Helpful for deconfliction and reporting
○ Auto-populated while operating
○ Agents can report updates or new artifacts
○ Soon to include exportability of artifacts to Splunk/SIEMs
15

COLLABORATIVE
● Web-based GUI
○ No client dependencies besides a modern browser
○ Each operator has their own profile and login
● Users assigned to operations
○ Multiple operations ongoing concurrently
○ Individual tasks sharable amongst team members
● Operators can comment on tasks
○ Seen by all members in that operation
16

EXTENSIBLE
● You can create/add any number of payload types across all OSes
○ JXA, Python, C#, Go, etc.
○ Can be scripts or compiled
● You can create/add any number of commands for a payload
○ Command templating
● You can create/add/run any number of C2 profiles at a time
○ They run as sub-processes
○ Only bound ports need to be unique
17

PAYLOAD TYPES
• Add / Edit payload types
• Can be wrappers for full payloads
• Macro
• MSBuild
• DyLib
19

COMMANDS
• View code
• Provide operator help
• Edit code
• Add/edit/remove parameters
20

COMMAND TRANSFORMS / ATT&CK / ARTIFACTS
• Transform commands
• Provide ATT&CK mappings
• Indicate host/network artifacts
21

C2 PROFILE PARAMETERS
• Specify parameters that will be stamped into an agent during creation
• “key” value is stamped out with the user’s value in the agent code
23

PAYLOAD CREATION - UI
• Pick C2 profile, payload type, and initial commands
• Stamp all pieces together
24

PAYLOAD CONFIGURATION
• All payloads registered in the database
• See configuration and comparison to server state at any time
25

CALLBACK VIEW
• Familiar table of callbacks like most tools
• Detailed task data grouped by task (not time)
• Add/track optional comments per task
26

SHARING SINGULAR TASKS
• Click the task number on almost any page to view JUST that one task and its output
• Easy to share URL amongst team members: /tasks/task#
• Only viewable by users assigned to that operation
27

TASK VIEW
• View all tasks at once across all callbacks
• Click to expand and see output
28

SEARCH VIEW
• Search all task output or task parameters for key words/phrases
• Searches across all callbacks in an operation
• Faster and more targeted than just
29

ATT&CK
× Transform commands
× Provide ATT&CK mappings
× Indicate host/network artifacts
30

APPLY ATT&CK WITH REGEX
• Match all tasks where the parameters fit regex: .*id
• Check matches and their current ATT&CK mappings
31

BASIC ARTIFACT TRACKING
• Define formats for artifacts based on commands and command parameters
32
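The regex-driven ATT&CK mapping (slide 31) and the parameter-based artifact formats (slide 32), as an added Python example that is not Apfell's own code. The rules, artifact formats and tasks are constructed for illustration; T1033, T1087 and T1005 are real Enterprise ATT&CK technique IDs, but pairing them with these commands is this example's choice, not a mapping the framework ships. Where the slide shows the regex `.*id`, the example uses a word-boundary form so that `id` is matched as a whole word; the `navigator_layer` helper emits only the `name`, `techniques` and `techniqueID` fields of a Navigator layer, which is enough to show the export idea but is not the full layer format.

```python
"""Regex ATT&CK mapping and artifact formats over tasks (added example, not Apfell code)."""
import re
from dataclasses import dataclass


@dataclass
class Task:
    callback: str
    command: str
    params: str


# Constructed rules: (command, regex over the parameters, ATT&CK technique ID).
# The IDs are real Enterprise ATT&CK technique IDs; pairing them with these
# commands is this example's choice, not a mapping shipped with the framework.
ATTACK_RULES = [
    ("shell", r".*\bid\b.*", "T1033"),       # System Owner/User Discovery
    ("shell", r".*\bwhoami\b.*", "T1033"),
    ("shell", r".*\bdscl\b.*", "T1087"),     # Account Discovery
    ("download", r".*", "T1005"),            # Data from Local System
]

# Constructed artifact formats per command; {params} is stamped in at task time.
ARTIFACT_FORMATS = {
    "shell": ["Process: /bin/sh -c {params}"],
    "download": ["File Read: {params}"],
    "upload": ["File Write: {params}"],
}

# Constructed tasks from two callbacks in one operation.
SAMPLE_TASKS = [
    Task("cb1", "shell", "id"),
    Task("cb1", "shell", "whoami && dscl . list /Users"),
    Task("cb1", "shell", "ls -la"),
    Task("cb2", "download", "/etc/hosts"),
    Task("cb2", "upload", "/tmp/notes.txt"),
]


def map_attack(task):
    """All technique IDs whose rule matches this task's command and parameters."""
    return sorted({tech for cmd, rx, tech in ATTACK_RULES
                   if cmd == task.command and re.fullmatch(rx, task.params)})


def artifacts(task):
    """Host artifacts this task creates, from the format registered for its command."""
    return [fmt.format(params=task.params)
            for fmt in ARTIFACT_FORMATS.get(task.command, [])]


def enrich(tasks):
    """Annotate each task with its ATT&CK techniques and artifacts."""
    return [{"callback": t.callback,
             "task": f"{t.command} {t.params}".strip(),
             "attack": map_attack(t),
             "artifacts": artifacts(t)} for t in tasks]


def navigator_layer(tasks, name="operation"):
    """Techniques seen across the operation, as a minimal Navigator layer subset."""
    techs = sorted({tech for t in tasks for tech in map_attack(t)})
    return {"name": name, "techniques": [{"techniqueID": tid} for tid in techs]}


if __name__ == "__main__":
    for row in enrich(SAMPLE_TASKS):
        print(row)
    print(navigator_layer(SAMPLE_TASKS))
```

Keeping rules keyed by command and regex, as the slides describe, means a single task can pick up several techniques (the `whoami && dscl` task here gets both T1033 and T1087), and the same task record feeds both the per-task artifact list used for deconfliction and the operation-wide technique export.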
COMMAND TRANSFORMS
• Toggle transforms on/off locally
• Can optionally persist settings globally for all operators
• Test outputs of each transform:
33

UPLOADING / DOWNLOADING
• View all uploads/downloads and file paths across an operation
• Real-time updates for in-progress downloads
34

SCREEN CAPTURES
• View screen captures by callback or across an entire operation
35

COMMAND COMPLETION
• Auto-populate available commands based on the associated payload type for the callback
• Can use L/R arrow keys to cycle through choices
36

COMMAND PARAMETERS
• If a command has registered parameters and you don’t type any on the command line
• Pop-up dialog to fill in parameters
37

APFELL AGENTS
What does an agent look like?
38

PAYLOAD DESIGN CONSIDERATIONS
● Modular
○ All commands are stand-alone
○ Main payload is just the management engine
○ C2 is abstracted away
■ Creates plug-and-play C2 functionality
○ Stamp in commands at creation
■ And load more in later
● Inspiration
○ Malware samples: PlugX, Flame, CozyDuke, etc.
39

PAYLOAD DESIGN CONSIDERATIONS
● OS agnostic
○ Apfell is a framework for collaborative operations
○ Payloads can be created for any OS – scripted or compiled
● OPSEC aware
○ Ideally agents track their footprint on host and report back
○ Artifact tracking with real-time data in responses
40

GOING FORWARD
What’s next for Apfell?
41

FUTURE UPDATES – SHORT TERM
● More encryption
○ Currently just HTTPS
● More payload types across multiple operating systems
○ Python, Mach-O, C#, ELF, Go
● More built-in commands
○ Keylogging, Process Injection, Proxy Pivots
42

FUTURE UPDATES – MEDIUM TERM
● More customizable C2 profiles included by default
○ Control GET/POST requests
● More C2 profiles that don’t require external comms
○ SMB, SSH
● More Artifact Tracking / Defensive Guidance
○ Better tracking of operational artifacts
○ Inclusion of defensive measures for commands
43

FUTURE UPDATES – LONG TERM
● Create scriptable Python API for greater control
○ Registerable within the UI – no need for RESTful scripting
● Server speed improvements
○ Automated builds
● More UI upgrades
○ Attackers think in graphs, not lists
● Community driven updates
○ Please contribute! ☺
44

THANKS! Any questions?
• Twitter: @its_a_feature_
• GitHub: github.com/its-a-feature/
• https://its-a-feature.github.io
• Blog series on creating Apfell
• macOS AD discovery (Orchard)
It’s not a bug, it’s a feature
45