Embrace The Red

This post is part of a series about Offensive BPF that I’m working on to learn how BPFs use will impact offensive security, malware and detection engineering. Click the “ebpf” tag to see all relevant posts. In the last post we talked about a basic bpftrace script to install a BPF program that runs commands upon connecting from a specific IP with a specific magic source port. This post will dive into this idea more by leveraging more a complex solution.

This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses, click the “ebpf” tag to see all relevant posts. I’m learning BPF to understand how its use will impact offensive security, malware, and detection engineering. One offsec idea that quickly comes to mind with BPF is to observe network traffic and act upon specific events. So, I wanted to see if/how bpftrace, a popular tool for running BPF programs, can be used to create potential backdoors, and what evidence to look for as defenders.

Over the last few years eBPF has gained a lot of traction in the Linux community and beyond. eBPF’s offensive usage is also slowly getting more attention. So, I decided to dive into the topic from a red teaming point of view to learn about it to raise awareness and share the journey. Similar to the format of my Machine Learning Attack Series, there will be a serious of posts around BPF usage in offensive settings, and also how its misuse can be detected.

In this 25 minute video I’m explaining the foundations of Web Application Security. The video covers the basic building blocks of web applications, such as HTML, HTTP, JavaScript and Cookies. Furthermore core web applications security concepts such as the Same-Origin Policy are discussed in detail. The goal is to provide foundational knowledge to help grasp security vulnerabilities, such as XSS, CSRF, SQLi, tab-nabbing, etc. later on. In the past I have trained and presented content like this to thousands of engineers at large organizations and cloud providers, hence its quite optimized for best learning and comprehension outcome.

On Unix/Linux users with a uid=0 are root. This means any security checks are bypassed for them. An adversary might go ahead and create a new account, or set an existing account’s user identifier (uid) or group identifier to zero. A simple way to do this is to update /etc/passwd of an account, or use usermod -u 0 -o mallory. Let’s create a new user named mallory: wuzzi@saturn:/$ sudo adduser mallory [.

This post is part of the machine learning attack series. It’s been a while that I did a Husky AI and offensive machine learning related post. This weekend I had some time to try out Counterfit. My goal was to understand what Counterfit is, how it works, and use it to turn Shadowbunny into a husky. Let’s get started. What is Counterfit? With Counterfit you can test your machine learning models and endpoints for specific adversarial attacks.

I like using procdump on Windows. It’s quite handy for software development when systems have memory leaks or performance issues, procdump allows to set thresholds to trigger creation of a core dump. BUT, it’s also super useful to search processes for secrets and other information. For instance, this one liner will dump the memory of all processes to hard disk and then you can search them as you see fit.

In this very short post I wanna talk mention The Silver Searcher, which I just learned about a few weeks ago. In the past I have written quite a bit about the importance of credential hunting for your organization and some cool built-in operating system indexing features that can be used as well. Of course grep and findstr are also in every red teamers toolbox. As part of a coding project I recently learned about “The Silver Searcher”, which is very fast and has some neat features built it.

Many Windows applications and services are implemented using an automation infrastructure called Component Object Model (COM). COM has been around for decades and its useful for programming, sharing of code at binary level, usage from scripting languages, and well, red teaming. Wide Usage of Component Object Model Many products are implemented as COM objects, including Microsoft Office. Using PowerShell (or other languages) COM objects can be created to fully automate applications and services.

Until the Apple Airtag came out a few months ago I hadn’t really looked into the tag tracking market. Turns out there were already quite a lot of offerings available before Apple joined the market, most notably Tile. However, I wanted to try out the Airtag and ended up ordering a few. This post will explore three things: Removing the speaker of my Airtag Using Browser APIs to scan for Airtags (if you don’t have an iPhone but someone tries to stalk you this might be handy) Explore data exfiltration via Airtags and Apple’s “Find My” network By the way, when you order your Airtags online you can customize them.

This rather lengthy post goes into reasons for having an offensive security program and in particular, on how a red team can help improve the immune system of your organization. This is the high-level outline of the post: Security breaches cannot be entirely prevented Implications of a breach Automated malware can hit your organization at any time Security investments - run as fast as you can, just to stay in place The immune system of your organization Embracing the red With regular cadence companies are compromised and suffer breaches.

Recently Google’s FLoC proposal has been making the rounds in the news. FLoC stands for “federated learning of cohorts” and is Google’s vision how to perform user profiling in Chrome going forward. Currently user tracking and profiling happens (mostly) via cookies, but many browser vendors have been supportive of protection of their users and started blocking third party and tracking cookies - or at least offer features in their browser to enable blocking.

A nifty way for adversaries to acquire passwords during post-exploitation is to spoof credential dialogs and perform a local phishing attack. This means tricking a user on a compromised computer to enter their password. Unfortunately, users are conditioned to enter their credentials frequently and therefore don’t question random passwords prompts too much. Long, long time ago… but nothing has changed The idea to spoof a credential dialog is one of the most simple ideas one might come up with.

You probably heard of NFTs (non-fungible tokens). They are receiving a lot of interest over the last several months. I did some digging and realized that there are some bigger issues with the standards and various interpretations and implementations of it, and how centralized many offerings are. What is an NFT The idea behind it is simple, use a blockchain (and cryptography) to assign and be able to proof ownership over a specific piece of digital content.

Next week (on March, 9th 2021) I will be speaking at the Hong Kong Information Security Summit 2021. 歡迎, 你好! I was invited to share my thoughts around protecting the modern (and remote) workplace. Of course, my talk is addressing this topic from a red teaming point of view. Conference details are here. The adversary will come to your house The name of the talk is “Red Team Strategies for Helping Protect the Modern Workplace” which might seem less creative, but there is some (hopefullly) good and interesting information in my talk.

The other day I read this blog post about “The Death of Manual Red Teams” and I thought I’d take a moment to comment on it to provide an alternative perspective. In my opinion the premise of the blog post is backwards, highlighting a lack of understanding of what red teaming is about. For instance the following sentence in the post seems quite incorrect: “Red teaming is the process of using existing, already known security bugs and vulnerabilities to hack a system.

The Kindle (ebook) edition of “Cybersecurity Attacks - Red Team Strategies” is currently free on Amazon. Grab your copy while it lasts and spread the word!

The other day Microsoft published a great deep dive around the second stage payloads and hands-on hacking activities of the Solarwinds/Sunburst incidents that where uncovered late 2020. One thing that is so interesting is the use of off the shelve Cobalt Strike tooling and templates for command & control. After doing all the hard work and customization to seamlessly backdoor binaries the adversaries sem to use Cobalt Strike. Intel for Red Teamers Although, they did add customizations with some interesting features, which are interesting for red teamers to be aware of.

Survivorship bias is an interesting thing that we can observe nearly daily. It is the success stories of exponentially growing startups, the motivational speaker who shares their insights on how to be successful and so forth. What is it exactly? What is survivorship bias? Wikipedia defines it as “…the logical error of concentrating on the people or things that made it past some selection process and overlooking those that did not, typically because of their lack of visibility.

Security metrics are an interesting topic. Over the years I used “scores” as a tool to identify and shine light on problematic areas or highlight lack of engineering and security quality of certain teams. A security score should not seen as an objective or absoulte measure, but it allows to compare systems with each other at a relative scale, and by sharing the score it makes people ask questions. I have seen showing management ask vivid questions when they see a chart with their service and a score next to it: