Adversarial Post-Exploitation: Lessons From The Pros

Presented at BSidesDC 2016, Oct. 22, 2016, 3:30 p.m. (50 minutes).

With the recent evolution in red teaming and a shift towards adversary emulation for network assessments, the source of inspiration for offensive tactics, techniques and procedures (TTPs) must change. An offensive force looking to deliver realistic engagements can and should use analysis of adversarial toolkits to better their tradecraft. First, this talk will cover the process of deconstructing real world toolkits for practical analysis and use. To apply the process, this talk will analyze certain post-exploitation features seen in the wild and how adversaries use them to accomplish their malicious objectives. Next, similarities will be drawn between the objectives of the adversary and the objectives of the red team to demonstrate how these novel tradecraft ideas can be beneficial for training as well. Finally, PowerShell code built to emulate the adversary actions will be demoed and released for practical use in engagements.


Presenters:

  • Justin Warner - Offensive Network Services Lead at Adaptive Threat Division, Veris Group
    Justin Warner is a red-teamer and the Offensive Network Services Lead for Veris Group’s Adaptive Threat Division but dabbles in security research when he is feeling inspired. As an Air Force Academy graduate and former USAF Cyber Operations Officer, he gained experience with large scale operations at the national level. Justin has a passion for threat research, reverse engineering, and red team operations. He is a cofounder of the PowerShell Empire project, actively participates on numerous open source projects and is a participant in various red team events in the DC area.
  • Chris Ross - Penetration Tester at Adaptive Threat Division, Veris Group
    Chris Ross currently works in the Adaptive Threat Division at Veris as a penetration tester and red teamer. Chris is an offensive PowerShell advocate and loves developing offensive tools in both PowerShell and Python. He particularly enjoys the challenge of developing capabilities to emulate real world toolkits. Chris is a developer on the EmPyre Mac/Linux post-exploitation toolkit and a contributor to the community across numerous other toolsets.

Links:

Similar Presentations: