Security Bsides Las Vegas 2024

Modifying Impacket for Better OpSec
2024-08-06, Diamond

Operational security (OpSec) is a cornerstone in red teaming, necessitating continuous refinement of tools and techniques to avoid detection. This workshop is designed for penetration testers, aspiring red teamers, and individuals seeking to enhance their offensive capabilities. It focuses on customizing the Impacket toolset to improve OpSec during engagements.

Impacket tools such as wmiexec, smbexec, and secretsdump are staples in the toolkit of any red teamer due to their versatility and flexibility in Windows environments. However, their detectability has increased as defensive measures have become more sophisticated. This session proposes modifications to these tools to avoid default IOCs and detections.

Participants will explore various customization strategies, including changing default settings, altering network signatures, and integrating stealthier execution methods. Practical exercises will guide attendees through the process of modifying the Impacket scripts, demonstrating how these changes can significantly enhance operational security in simulated environments.

Attendees will gain hands-on experience modifying the Impacket tool set to remove common IOCs. The workshop aims to foster a deeper understanding of both the tools and the underlying network protocols, enabling participants to tailor their approaches to specific operational contexts and defensive landscapes.


Detailed Description:
This workshop collects the research done to modify the Impacket suite for red team engagements. The session will give attendees hands-on experience with tool customization. Overall, attendees will take away a research and testing methodology they can apply to any tooling they use.

Target Audience:
This workshop is ideal for new red team operators, offensive security personnel, and anyone interested in advancing their skills in modifying cybersecurity tools for offensive engagements.

Workshop Benefits:
Attendees will leave the workshop with a framework for tool customization, crucial insights into operational security, and hands-on experience that can be applied in their day-to-day activities.

Objectives:
• Understand common IOCs for wmiexec and smbexec command execution.
• Review command line options to make command execution stealthier.
• Modify code to remove notable IOCs from both wmiexec and smbexec.
• Explore and understand the different credential dumping methods of secretsdump.
• Gain hands-on experience modifying and customizing open-source tools.

Outline:
1. Introduction
a. Impacket introduction
b. Offensive security usage
c. Threat actor usage
2. Understanding smbexec IOCs
a. Command execution
b. Default shares
c. Default service name
3. Modifying smbexec to remove notable IOCs
a. Enabling stealthier options
b. Changing hard-coded defaults
4. Understanding wmiexec IOCs
a. Command execution
b. Default shares
c. Unix epoch timestamp in the output file name
5. Modifying wmiexec to avoid notable IOCs
a. Enabling stealthier options
b. Command execution changes
c. Process Execution
d. Alternative versions:
i. NetExec version
ii. wmiexec2
iii. wmiexec-pro
6. Understanding secretsdump IOCs
a. DCSync (DRSUAPI) method
b. Volume Shadow Copy (VSS) method
i. smbexec
ii. wmiexec
iii. mmcexec
7. Executing secretsdump
a. Stealthy DCSync
b. Best VSS Option

The following tools will be used:
• impacket (https://github.com/fortra/impacket)
• NetExec (https://github.com/Pennyw0rth/NetExec)
• Wireshark (https://www.wireshark.org/download.html)
• SysInternals suite (https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)

Ryan O'Donnell is a Red Team Operator at Altus Consulting. Over the last 12+ years, Ryan has been performing Penetration Tests, Red Team assessments, and Incident Response investigations. Ryan has conducted workshops at Hack Space Con and Bsides Nova. Ryan has a Master's in Computer Forensics from GMU and the following certifications: OSCP, OSEP, CRTO, GREM, GCFE, GCIH.