We’re in the Endgame Now – Analyzing Effects Tactic
Previously we established persistence inside our victims’ network. Now that we hold all the cards and have everything we need for our report, it’s time to make our presence known. As a great man once said “The hardest choices require the strongest of wills” and then he threw his daughter off a cliff. We are about to do the same to this network.
The goal of the effects phase is to implement the effects that were planned from the beginning of the assessment which we definitely remembered to get outlined in the scoping document (probably). Aggressing your adversary’s critical information IS the reason we are doing this assessment. It is what separates us from the renegade hackers and glorified vulnerability scanners. We do everything for a reason on this blog, whether it is taking their network back to the stone age to disrupt operations or leaking their customer black book to their competitors to destroy their business, figuratively speaking of course.
Status of Forces
We left off with a pivot in place on the DMZ and access to the internal network through multiple domain user accounts. Additionally, we have persistent access to multiple computers throughout the network through the command prompt we put in place of ease of access tools. We will skip over the part where we re-gain access to a domain administrator account because I want to focus on the effects phase, not the re-privilege-escalation-because-we-screwed-up phase.
Initial Tactical Engagement
We begin by implementing Air Force doctrine. We establish dominance over the cyber airspace so that we can cyber bomb them with impunity. Finally, we will implement destruction effects ￼￼and disrupt their operations to telegraph our utter dominance of their blue team.
Air superiority. That degree of dominance in the air battle of one force over another that permits the conduct of operations by the former and its related land, sea, air, and space forces at a given time and place without prohibitive interference by the opposing force (JP 1-02). Air superiority may be localized in time and space, or it may be broad and enduring. https://fas.org/irp/doddir/usaf/afdd3-01.pdf
First things first, dismantle any active defenses that could be used against us. We pull a list of domain administrators and privileged users from active directory on the network. They are easy to find because our customer, being the good CISSPs that they are, have their administrator accounts segregated from their user accounts also make sure they end in -ADM. Also, we are able to query all network computers and look at their login logs to find out which workstations are used by domain administrators. For reference the event IDs you are looking for is 4624, successful login attempts. Users get a lockout and workstations get a boot from the domain. We’ve also done our homework to find out the central server that manages the company’s anti-malware services. Just for good measure, we give that a boot from the domain as well. If we were really malicious we’d push a script to every computer on the domain uninstalling the anti-malware program, but because this is a paying customer, we don’t want to cause them too much clean up effort.
Now that we’ve dominated the metaphorical skies of the network we can move on to pillaging the network for all it is worth. A good start is to log on to the CEO’s workstation and pull a copy of everything he has in the documents/desktop folders. Make sure to find out where he has a local copy of his email stored and grab that too. After all, this is the person with the final say on whether or not you get paid and you need some blackmail. Once you are done with that you can go ahead and pull any other C-level you want just for funsies but you’ve made your point, their data is your data now. Pillaging C-levels isn’t the only source of valuable intelligence on the network either. Pulling source code for software products, CGI assets from movie developers, and customer contact lists from sales directorates are all valuable things companies may or may not know they don’t want to lose. Make sure to be HIPAA compliant when stealing medical records from a hospital, or don’t, I’m not your mother.
As the network kneels before us begging for mercy we plan to deliver the final blow. You will be thinking of all the awful things you can do to the network. There are just so many ways to burn it to the ground. Do you want to keep control of the network and play cat and mouse as they try to restore it? Just disable all user accounts and play whack a mole with anyone who manages to get themselves back online. Do you want to frustrate the users instead of outright locking them out? Go ahead and redirect every web page request to a Rick Astley video on the proxy server (https://wiki.squid-cache.org/Features/Redirectors). Want to run a ransomware file you found on the internet on all computers on the network and let them figure it out? You are a fucking psychopath, but I respect it. In the end, since we are professionals and we don’t actually want to destroy the network, we are just going to close ports 80 and 443 on the router/firewall for maximum visibility and minimum cleanup time.
In the end, we are here to prove a point and not to destroy a network. Once we’ve buried the network defenders, pillaged the network, and implemented disruption effects during a time period that we should have telegraphed to the company, we restore the network and destroy the critical information we took. After all, keeping it around is probably not the best idea given all the shady websites we go to during research and exploit development.
Adversary Counter Response
Here are some adversary counter responses to the effects phase. The most common response you will see during this phase is a network defender praying to whatever god they believe in that they will still have a job tomorrow. The next most common response you will see is obliviousness, “What do you mean the users can’t access the internet? Talk to the switch/router guy, not my problem.” Once they do get around to dealing with the all out attack you’ve just levied on them, it’s too late.
Every once and awhile you will get to see some 20-year-old policies that require people to pull the plug on the computer or network that has been infected. Once you make your presence known, some smart dude on the network defenders team may decide to cut the hard line like in transformers 1 and cut off the network from the outside world during restoration. This is not a bad idea because we kept our own access intact while we were implementing effects. Without an actual connection to the network, we cannot maintain the effects while they try to restore them. In the end though, we wanted to disrupt operations on the network, and a network that is isolated in this manner can do nothing for the company.
A last-ditch effort is not to recover the network but stand up a new one by using a recovery disk each and every computer and migrate them individually to a new domain. This will take weeks if our network maintainers know what they are doing and months in a worst-case scenario. In fact, there are multiple companies operating with known intruders on their network because they cannot afford to rebuild the network or dislodge said intruders. #LearningToLoveYourChineseOverlords
Another response is the network defenders using any remaining access left on the network to try and claw their way back to the top. They might have an old domain administrator account that wasn’t named correctly and didn’t get caught up in the account disabling we did to kick them off the network. In this case, it will turn into an active battle between them trying to dislodge you from the network and you trying to figure out what remaining access they have left.
In the end, the network defenders will be trying to undo any of the damage you’ve done and plug the holes they think you came in through. It will be a grueling task and it will all depend on how destructive you want to be. Most network defenders are trained in dislodging and removing malware not in dealing with a fully destructive cyber attack. Depending on your scoping agreement, you may be able to train the next generation of network defenders in dealing with full scale destruction, testing their continuity of operations plan, and thoroughly embarrassing their CIO.
We’ve reached the end of the assessment and implemented our effects. As we analyze everything we’ve done in the effects phase we continue to observe that removing the defenders from the network effectively negates any adversary counter response. At that point, adversaries are limited to physical control of the network to dislodge us and there isn’t much we can do about that. We’ve pillaged and plundered as much as we could and successfully implemented all the effects we came here for. Common debrief items include forgetting to scope what critical information was important to the customer in the initial customer contact, failing to notify the customer when implementing effects that disrupt the network, and accidentally implementing disruption effects against yourself as well. Nothing is worse than a customer surrendering to your superiority and asking you to give them back their network and not being able to.
This concludes our tactical overview of the hacking methodology and examining the tactics, techniques, procedures, and counter tactics that are used when aggressing a network. This was done to serve as a primer for future analysis of current events and anything else I feel like writing about in the blog. I hope you enjoyed! And knowing you did, come back soon for fresh content every week.