Presented at
44CON 2019,
Sept. 13, 2019, 9:30 a.m.
(149 minutes).
Sheepl is a tool designed to emulate user behaviour and has matured into a platform for supporting tradecraft development for both red and blue teams. The tool was born out of a personal need for ‘sparring’ partners without the predictability of knowing when things are going to happen.
Using a representative network I plan to give participants hands on experience of creating Sheepl that can be used to attack, execute commands and emulate real world user actions such as browsing, opening emails, interacting with command environments and creating content.
The environment will also have a monitoring solution deployed that can be used to trace commands that will be executed from the ATT&CK framework. The workshop will also cover creating Sheepl that respond to events on a system and the example used will be to create Sheepl that watch for supplied process names and kill these automatically after a period of time. This is good for operational security considerations when looking at Red Team tradecraft development and for CTF style events.
I will also show the process of creating custom tasks to extend Sheepl capabilities and how sequences of tasks can be saved as JSON profiles. The goal is that by the end of the workshop, participants will have a solid understanding of the planning and workflow for creating Sheepl that support specific learning objectives as well as generating more realistic end user behaviour within training environments.
Presenters:
-
Matt Lorentzen
Matt has 20 years IT industry experience working within government, military, finance, education and commercial sectors. He is a senior security consultant and penetration tester at SpiderLabs with a focus on red team engagements.
Before joining SpiderLabs, he worked with Hewlett Packard Enterprise as a CHECK Team Leader delivering penetration testing services to a global client list. Prior to HPE, Matt ran his own IT consultancy company for 7 years.
Links:
Similar Presentations: