Learning C/C++ and Assembly may be the best thing for Offensive Security

I read with interest how various Western Red Teams go through all lengths to get a single Mitre test working nicely, dumping lsass.exe.

In addition, the Blue Teams have a lot of help in this area with EDRs aka expensive Endpoint Detection and Response software hitting all alerts when you even try to get near to lsass.exe process.

Most of the red team companies do write great blogs documenting the efforts they put in their process dumpers.  Obviously they will not share their secret sauce in a free blog.

The logic is simple, why let their months of hard work go down the drain when some nice chaps will download their work to Virustotal or turn them into some machine learning generated signatures when the commercial EDR companies tow Virustotal for intelligence.

If you read their blogs carefully, how do they fool the EDRs using merely C/C++?  Yes, the mention syscall but they do not go reveal all their secrets easily.

Ok, luckily my C/C++ and x86 Assembly are largely intact despite some inactivity and I spent a few days developing software for a Mitre exercise to muck around the lsass.exe which can be extended to a larger red team exercise.


The hint is - "You do not just use C/C++, some knowledge of assembly language is required".  Not those shell code samples you read in many blogs.  

Well, the age of MASM is over, the trick is to make your malware modular modular.  Malware authors are not stupid, they do understand the basic software engineering skills and they have higher motivation than most tired and overworked Blue Team members.

Back to the topic, this is not a new idea, chaps in the 1980s-1990s era were using the same idea in memory trainers.  Well you can say that some legacy memory resident viruses were using the same idea too and somehow this idea came back to haunt modern EDRs.

In the modern era, people do Python and it is probably something better in there resume.  It is hard to find people who do C/C++ and Assembly and you probably feel out of place in the modern Cloud era but no worries, some old ideas if used properly are still valuable in a adversary simulation exercise.

A well run adversary simulation exercise is better than 5 compliance audits or 3 table top exercises.

And if you can write new or modify existing offensive tools in C/C++ or Assembly, you are on the road to interesting adversary simulation scenarios, if you have a chance to sell this idea to the management.

Comments

Post a Comment

Popular posts from this blog

Now go grab bashdb for debugging bash on Visual Studio Code

Image
Strangely by default, the bash debugger or bashdb is not part of the build, so apt installs are out. Therefore we need to spend some time to get bashdb up and and working.    We will need 3 components or the bashdb deb package will complain bitterly that libreadline6 and multiarch-support are missing and refuse to budge. To solve this problem, we need to install bashdb from the deb packages manually.  Go the following websites to download the deb install packages for the following; https://packages.debian.org/jessie/amd64/libreadline6/download https://packages.debian.org/jessie/amd64/multiarch-support/download https://ubuntu.pkgs.org/16.04/ubuntu-universe-amd64/bashdb_4.3.0.91+ds-4_amd64.deb.html To install, su to root and type dpkg -i <deb-package-name> to install the 2 required libraries before installing bashdb . Next fire up the Visual Studio Code that is pre-installed on Parrot OS, for some strange reason, Visual Studio Code is given a strange nam...
Read more

Doing Something That F5 Should Have Done Long Ago

Image
If you are a PT or Offensive chap, you will pay attention to web application parameters for cheap thrills. Generally Red Teams helps the Blue Team, we are not auditors. It is not surprising to find hundreds of parameters for a web application. Now if you are a Blue Team victim, you might want a job switch when you see this below. The next logical step is as follows ...  Question: " Mr F5, is this view exportable? " Answer: " Not until England wins the Euro or World Cup. " In offensive security, we do not take " No " for a lame answer. Parameters' exported.   Nice, now to analyse it for potholes and entry points.
Read more