Vibing Your Way Through an Enterprise: How Attackers are Becoming More Sneaky, presented at GrrCon 2018

by Matthew Eidelberg

Summary: Traditional defenses are no longer adequate when faced with modern attacks – attackers will always find a way in. Once an attacker has established a foothold inside a domain, their primary objective is to compromise their target as quickly as possible without being detected. Whether that target is sensitive data stored on a file server, or the compromise of a Domain Admin account, the attacker must first formulate a plan of attack. This plan often involves strategic lateral movement throughout a network. Because of this, many organizations have begun the practice of monitoring for threats based on traffic patterns and characteristics of user activity, known as threat hunting. Threat hunting solutions can be employed to detect and prevent these types of attacks. By reviewing not only known attack signatures, but also analyzing behavioral characteristics of both user and system traffic to detect malicious activities, attackers can be stopped from moving deeper into a network. Unfortunately, these tools and appliances are not perfect, and adversaries are constantly developing new techniques to remain undetected. The two main categories that this talk will focus on are techniques attackers can perform to carry out domain enumeration, as well as hunting users and systems which can be leveraged for elevated access while remaining undetected. I will cover techniques attackers can perform, utilizing the objects integral to a domain environment, how they are effective and why they work. Finally, I will discuss and provide recommendations to help combat and mitigate these techniques. I’ve developed a framework called Vibe, which utilizes these techniques to perform lateral movement while remaining undetected. This tool uses zero PowerShell to carry out these actions. This tool is not only for red teams, but can be used by blue teams to simulate threat actors in an effort to tune their defenses.