Full Report
David Fletcher & Sally Vandeven // We gave a presentation at the GrrCon hacker conference in Grand Rapids, MI on October 6, 2016. The presentation was a dialogue meant to illustrate the […] The post Red + Blue = Purple appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Main Topic
The content summarizes a presentation titled "Red + Blue = Purple" given at GrrCon 2016, which illustrated the dialogue between offensive security (Red Team) techniques for gaining access, escalating privilege, and achieving domain dominance, and defensive strategies (Blue Team) to counteract these methods.
## Key Points
- The discussion focused on prevalent techniques utilized in typical enterprise environments for initial access, privilege escalation, and lateral movement/dominance.
- Specific offensive techniques detailed include Password Spraying and AppLocker Bypass via Secondary Execution.
- Defensive measures discussed focused on preparing for penetration tests and making the attacker's job more difficult.
## Threat Actors
- Threat actors are generalized as Red Team penetration testers or adversaries leveraging common techniques against enterprise environments.
- No specific named threat groups were attributed in the context provided; the focus is on methodology demonstration.
## TTPs
### Password Spraying
- **Method:** Guessing a single, common password (e.g., "Autumn2016") across a list of user accounts harvested via Active Directory queries (using `wmic` or PowerShell) or OSINT.
- **Evasion:** Spraying must be carefully controlled based on the domain's password lockout policy ("Lockout observation window") to avoid locking accounts. One guess per observation window is the suggested rule of thumb.
- **Tools Mentioned:** `wmic`, PowerShell commands for user enumeration, Beau Bullock’s `Invoke-DomainPasswordSpray.ps1`.
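The lockout observation window cuts both ways: a spray paced at one guess per window never trips per-account lockout, so the per-account view sees nothing, while the per-source view still sees one source failing against many distinct accounts. The following is an added detection example, not code from the presentation or from Black Hills; the log format, field names and sample lines are constructed for illustration, and `parse_line()` would be adapted to the real source (for example exported Windows logon-failure events).

```python
"""Password-spray detection over authentication logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not from the presentation. The assumed layout is
# "<ISO timestamp> src=<source host> user=<target account> result=FAIL|SUCCESS".
SAMPLE_LOG = """\
2016-10-06T09:00:01 src=10.0.0.25 user=alice result=FAIL
2016-10-06T09:00:02 src=10.0.0.25 user=bob result=FAIL
2016-10-06T09:00:03 src=10.0.0.25 user=carol result=FAIL
2016-10-06T09:00:04 src=10.0.0.25 user=dave result=FAIL
2016-10-06T09:00:05 src=10.0.0.25 user=erin result=SUCCESS
2016-10-06T09:00:06 src=10.0.0.25 user=frank result=FAIL
2016-10-06T09:15:00 src=10.0.0.77 user=alice result=FAIL
2016-10-06T09:15:30 src=10.0.0.77 user=alice result=FAIL
2016-10-06T09:16:00 src=10.0.0.77 user=alice result=SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "src": fields["src"],
            "user": fields["user"], "result": fields["result"]}


def load_events(log_text):
    """All events from the log text, sorted by timestamp."""
    return sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def detect_spray(log_text, window=timedelta(minutes=30), min_users=5):
    """Return (src, distinct_users, window_start_iso) for each source whose failed
    logons touch at least `min_users` distinct accounts inside `window`.

    One account failing many times is a brute force, which lockout already
    handles. A spray keeps every account under the lockout threshold, so only
    the per-source count of distinct accounts reveals it. `window` should be no
    shorter than the domain's lockout observation window: a spray paced at one
    guess per window yields one failure per account per window, but still many
    distinct accounts from the same source.
    """
    failures = defaultdict(list)
    for e in load_events(log_text):
        if e["result"] == "FAIL":
            failures[e["src"]].append(e)

    alerts = []
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window forward until it spans at most `window` of time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                alerts.append((src, len(users), evs[start]["ts"].isoformat()))
                break  # one alert per source is enough
    return alerts


def successes_from_spray_sources(log_text, **kwargs):
    """Accounts that logged on successfully from a source flagged as spraying.

    These are the credentials the spray most likely guessed, so they are the
    first to reset and investigate.
    """
    flagged = {src for src, _, _ in detect_spray(log_text, **kwargs)}
    return sorted({e["user"] for e in load_events(log_text)
                   if e["src"] in flagged and e["result"] == "SUCCESS"})


if __name__ == "__main__":
    for src, n, start in detect_spray(SAMPLE_LOG):
        print(f"spray suspected from {src}: {n} accounts, starting {start}")
    print("successful logons from spraying sources:",
          successes_from_spray_sources(SAMPLE_LOG))
```

On the constructed data, `10.0.0.25` fails against five different accounts within seconds and is flagged, while `10.0.0.77` fails repeatedly against one account and is not; that second pattern is what lockout policy and per-account alerting already cover. `erin` is the one account that succeeded from the flagged source.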
### AppLocker Bypass (Secondary Execution)
- **Method:** Utilizing "secondary execution" where a running process starts a second process, bypassing AppLocker rules applied to the initial executable.
- **Techniques:** Achieved via `RUNDLL32.EXE` or `REGSVR32.EXE` loading a malicious DLL.
- **Example Payload Construction:** Using `msfvenom` to create a malicious DLL designed to make an outbound HTTPS connection.
## Affected Systems
- Typical enterprise Active Directory environments where users might reuse weak, seasonal passwords.
- Windows systems where AppLocker might be deployed, but execution policies are tied to the originating process rather than secondary child processes.
## Mitigations
### For Password Spraying
- Implement strong, unique passwords (though the article highlights common seasonal password pitfalls).
- Understand and monitor account lockout policies, especially concerning service accounts which may not have the same restrictions.
- Blue teams should prepare for penetration tests by hardening configurations.
### For AppLocker Bypass via Secondary Execution
- Implement technical controls to monitor and restrict execution via `RUNDLL32.EXE` and `REGSVR32.EXE` if they are attempting to load unsigned or unauthorized DLLs.
- Detection/preparation strategies should account for execution chains where the parent process is allowed but the child payload is not.
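The two mitigation points above, restricting `RUNDLL32.EXE`/`REGSVR32.EXE` to signed modules in trusted locations and looking at the whole execution chain rather than only the parent, can be expressed as a rule over process-creation telemetry. The block below is an added example, not code from the presentation or from Black Hills. The event dictionaries are constructed, and the `module_signed` field is an assumed enrichment that a real pipeline would fill from image-load or signature-verification telemetry.

```python
"""Flag rundll32/regsvr32 launches that load a module from an untrusted path
or an unsigned module (added example, constructed events)."""
import re

# Directories from which a loaded module is considered trusted (assumption:
# adjust to the AppLocker path rules actually in force).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LOLBINS = {"rundll32.exe", "regsvr32.exe"}


def tokenize(cmdline):
    """Split a command line into tokens, keeping quoted paths with spaces whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def extract_module(cmdline):
    """Return the module path a rundll32/regsvr32 command line would load, or None.

    rundll32: 'rundll32.exe <dll>,<entry> [args]'
    regsvr32: 'regsvr32.exe [/s] [/u] [/i[:x]] <dll>'
    """
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    args = tokens[1:]
    if exe == "rundll32.exe" and args:
        return args[0].split(",", 1)[0]
    if exe == "regsvr32.exe":
        positional = [a for a in args if not a.startswith("/")]
        return positional[-1] if positional else None
    return None


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def evaluate(event):
    """Return a finding dict for a suspicious secondary execution, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return None
    module = extract_module(event["command_line"])
    if module is None:
        return None
    reasons = []
    if not is_trusted_path(module):
        reasons.append("module outside trusted directories")
    if not event.get("module_signed", False):
        reasons.append("module unsigned")
    if not reasons:
        return None
    # The parent is reported so the analyst sees the whole chain: an allowed
    # parent launching an allowed host binary that loads a disallowed payload.
    return {"image": image, "module": module,
            "parent": event["parent_image"], "reasons": reasons}


def scan(events):
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed process-creation events; field names and `module_signed` are assumptions.
SAMPLE_EVENTS = [
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "module_signed": True},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.dll,Run",
     "module_signed": False},
    {"parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "regsvr32.exe /s C:\\Users\\Public\\helper.dll",
     "module_signed": False},
    {"parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": 'regsvr32.exe /s "C:\\Program Files (x86)\\Vendor\\vendor.dll"',
     "module_signed": True},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The first and last constructed events are ordinary system use of the two binaries and produce no finding; the middle two load an unsigned module from a user-writable directory and are reported with the parent process, which is the detail the mitigation text asks for when the parent itself is allowed.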
## Conclusion
The goal of the presentation was to show the interplay between offensive and defensive security practices. Adversaries frequently rely on common flaws like weak password hygiene (mitigated by strong policies and complexity) and legitimate Windows binaries used in unexpected ways (like `rundll32.exe`) to bypass application whitelisting controls. Defensive teams must anticipate these specific red team methodologies exemplified here to improve posture.
***
# Morning News Roll-up
## Overview
The context provided relates to a security presentation detailing offensive tradecraft (Red Team) versus defensive preparation (Blue Team) encountered at GrrCon 2016.
## Top Stories
### Red Team Technique: Password Spraying Mechanics
- Summary: Detail of how password spraying attacks work by testing one common password across many accounts, pacing guesses to at most one per lockout observation window so that accounts are not locked out and the lockout-driven detection that would follow is avoided. Command examples for user harvesting and testing via FOR loops are provided.
- Source: [Presentation Content on Password Spraying]
### Red Team Technique (Defense Evasion): Bypassing AppLocker via Secondary Execution
- Summary: Explanation of how attackers bypass AppLocker controls by executing disallowed binaries indirectly through inherently trusted mechanisms like `RUNDLL32.EXE` or `REGSVR32.EXE`. This is used to run malicious code, such as an outbound connection payload created by `msfvenom`.
- Source: [Presentation Content on AppLocker Bypass]
### Defensive Countermeasures: Hardening Against Attack Scenarios
- Summary: The Blue Team portion of the dialogue focused on how defenders can proactively prepare for penetration tests by understanding common attack vectors, such as strengthening password policies relevant to spraying and securing execution paths to prevent secondary execution abuses.
- Source: [Presentation Content on Blue Team Preparation]