When the Shadow Brokers leaked nation-state level hacking tools in April of 2017, I immediately began digging into the post-exploitation capabilities and tradecraft of the supposed “APT” group. I was captivated by the tooling, tradecraft and capabilities that the leaked post-exploitation toolkit, dubbed DanderSpritz, possessed.
But those feelings quickly gave way to concern.
I began testing DanderSpritz and it’s capabilities against next-generation security products (provided by my former employer) and found that not a single security solution I tested would detect—much less prevent—attacks with these tools. I was able to implant, persist and pivot from machines with cutting edge security solutions without triggering a single alert.
That’s when I knew that I—and the security industry at large—had been thinking about security in the wrong way.
As our director of offensive security, Evan “Syn” Anderson, likes to say:
“We’ve been teaching the security industry how to protect against itself, but not how to protect from real, motivated and resourced adversaries.”
Penetration testers—and most red teams—do not have the same incentives as real “advanced” adversaries. Such as the incentive to not get caught. For sophisticated cyber criminals and nation state-level espionage groups, getting caught means potentially losing millions of dollars worth of research and development, custom tooling and attacker time.
Penetration testers do not have the time, funding or incentives to create custom tooling. It is simply not a priority. This is why the security industry has trained it’s blue teams to detect tools such as Metasploit, Mimikatz, PowerShell Empire and Cobalt Strike. They are in the public domain and easy for pentesters to employ.
But if you are a high value target—or if an adversary believes you have the capability to detect “off the shelf” tools—the real adversaries will likely be using custom tools and custom tradecraft.
These well-funded adversaries spend a lot of time and money developing custom post-exploitation tooling and tradecraft that provides them two critical things:
- Situational Awareness
- Operational Security Guarantees
Situational Awareness
One of the most interesting things about the DanderSpritz framework is just how much time and effort it spends running “survey” scripts on the target that they’ve landed on. These survey scripts provide the operator—and the toolkit—invaluable situational awareness.
The DanderSpritz survey collects, stores and displays following information about the target:
- Network interface information (IPs, mac addresses, DNS servers, etc.).
- Operating System Information (Architecture, Version, Platform, Service pack and if Terminal Services is installed).
- Currently running processes.
- List of hardware drivers.
- Installed software and packages.
- All file and folders in the “Program Files” directory.
- Running services.
- Checks for Personal Security Products (PSPs), essentially, it checks what antivirus is installed.
- If “actions” are required to continue exploitation (such as automatically adding exceptions to AV system configurations), they are automatically performed.
- Checks the security auditing configuration.
- Active Directory Domain Information.
- Network information (routing tables, ARP tables, NetBIOS data, etc.).
- Scheduled tasks.
- Performs a persistence checks (identifies other malicious actors’ implants, or commodity malware, which may be be on the computer).
- Dumps passwords.
- Memory and Disk usage information.
- Connected USB drives and other USB devices.
- Files modified recently.
For more details about the capabilities of DanderSpritz, check out my blog post or my talk at DerbyCon.
Situational awareness provides operators the capability to quickly understand the landscape of the implanted target, the network it’s on, and the security controls configured and installed. This situational awareness is critical to ensure the operator—and the tool—is well informed about the environment it is attacking.
Such situational awareness is used to allow the operator to make informed decisions on what tools are safe to use. For instance, the level of risk the attack vector represents for the group and what level of operational security is necessary. The goal, of course, is to not get caught. Because getting caught means creating new tradecraft, re-engineering and re-writing tools and re-training operators. Building tools to make sure they do not get caught is a matter of saving time and money.
Operational Security Guarantees
With the information gathered by DanderSpritz during its “survey” phase, DanderSpritz automatically enables “safety handlers” which prevent its operators and processes from performing actions which may get them discovered. An example: DanderSpritz can prevent tools from writing to the registry, injecting into processes, or dropping binaries onto disk if there are security tools installed that may generate alerts on its activity.
This means that the Equation Group, a likely nation-state adversary, has tested its tooling against most commercially available security products that they are likely to encounter. The group knows exactly what actions should be avoided to ensure no alerts are triggered.
For instance:
The example above shows a “registryadd” safety handler being enabled due to the configuration of an AV product installed on the system.
The tool also ensure that operators do not perform any actions that are “against the rules” or best practice:
Just like defender teams, operational security is extremely important to attackers like the Equation Group. Same for most nation-state adversaries and to well-resourced cyber criminals such as Fin7/Carbanak. These operational security requirements are considered and built into their custom tooling.
We need to stop training the security industry to defend against ourselves. We need to start training blue teams to defend against real, well-resourced, well-trained adversaries who have similar incentives and risks for getting caught. We need a new perspective on information security.