Hello 0x00sec, long time no see!
Today I decided to start a discussion around innovative Red Team TTPs we have encountered or used.
For those who are not familiar with the concept: RT and Pentest methodologies have different goals in mind. Despite using similar methods, they answer different questions.
PT Questions: Can my infrastructure be hacked? If so, how?
PT Goals: Discovery of various attack paths into a system. (The concept of “attack path” is the nuance between a PT and a Vulnerability Assessment. VA focuses on singular vulnerabilities, whereas PT focuses on exploiting vulnerabilities towards a specific impact. This act of exploitation is called an “attack path”.)
RT Questions: Am I prepared against real world attacks? Can I detect when I’m being attacked? Can I stop it before it causes any damage?
RT Goals: Emulating or simulating various types of threats and measuring the efficiency of the incident detection and response process.
I think the subject of this discussion is clearer now. When talking about Red Team TTPs we’re NOT talking about: pentesting tools, attack techniques, exploits, RATs or crypters (unless the technique is novel).
TTP 1: Using “Unquoted Service Paths” to mislead analysts
If you’re going to deploy your backdoor as a new service, leverage “unquoted service path” to confuse detection systems and the SOC.
Service path: C:\Program Files\decoymalware.exe
Real malware: C:\Program.exe
You could use decoymalware.exe as a means to deceive security operators. Maybe put a legitimate and signed binary there, so when your new service is discovered and the binary is uploaded to VT it would seem completely innocent and the alert might get disregarded as a false positive.
Or, if it’s likely that this will be further investigated, you could put a completely irrelevant malware there to mislead. A known cryptominer maybe? It is malicious but not really that important, so the alert regarding your backdoor will be quickly “resolved”.
TTP 2: Using Remote Drive Mapping to steal NTLM hashes
In several investigations I came across LNK files pointing to remote SMB paths. Their purpose was to force the client to authenticate with the attacker’s SMB server. Thus, the attacker could steal the victim’s NTLM hash. I found this usage of RDMs innovative.
TTP 3: DNS Poisoning and Injecting into Google Analytics JS
Now think about the browsing activity of a normal user. Probably more than half of the webpages he’ll visit will be requesting JS files from Google Analytics. So if you can somehow redirect these requests to your own webserver (by DNS poisoning, or MITM, or something else) and replace these JS files, you will have the perfect C2 system for your malware! Your malware won’t have to send even a single TCP packet. The browsing activity of your victim will be the carrier of your messages, and it will be frequent enough!
What are your favorite Red Team TTPs? Please write them below.
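A hunting check for the artifact described in TTP 1, added here as an example and not code from the original post: given a service's unquoted ImagePath, it enumerates the paths Windows would try before reaching the intended binary (C:\Program.exe before C:\Program Files\decoymalware.exe) and flags any that actually exist on disk. The file layout used below is constructed to mirror the post; on a real host the ImagePath strings would come from the Services registry key or `sc qc`, and the default `os.path.exists` is used instead of the constructed lookup.

```python
import os
from typing import Callable, List

def unquoted_path_candidates(image_path: str) -> List[str]:
    """Return, in order, the paths the service loader would try for this
    ImagePath. A quoted path yields only itself; an unquoted path with
    spaces yields one candidate per space, stopping at the first token
    that ends in .exe (everything after it is treated as arguments)."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end]] if end > 0 else [cmd.strip('"')]
    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        is_exe = prefix.lower().endswith(".exe")
        candidates.append(prefix if is_exe else prefix + ".exe")
        if is_exe:
            break  # reached the intended binary
    return candidates

def hijack_artifacts(image_path: str,
                     exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Every candidate that precedes the intended binary and exists on disk
    is a file sitting where the loader will find it first; report those."""
    cands = unquoted_path_candidates(image_path)
    return [c for c in cands[:-1] if exists(c)]

# Constructed file layout (hypothetical host), matching the post's example.
CONSTRUCTED_FS = {
    r"C:\Program Files\decoymalware.exe",  # the decoy the SOC would see
    r"C:\Program.exe",                      # what the loader actually runs
}

def scan(image_paths: List[str], fs: set) -> dict:
    """Map each ImagePath to the planted files found for it (empty = clean)."""
    return {p: hijack_artifacts(p, exists=lambda x: x in fs) for p in image_paths}

if __name__ == "__main__":
    for path, hits in scan([r"C:\Program Files\decoymalware.exe",
                            r'"C:\Program Files\svc.exe" -k net'],
                           CONSTRUCTED_FS).items():
        print(path, "->", hits or "clean")
```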