Welcome to a new article series discussing Red Team concepts and tactics. In this series, dubbed the Red Team series, I will be going through Windows, Linux, and Mac red team concepts, tactics, and techniques using easy-to-understand examples and explanations. Each article will discuss a specific portion of the overall attack process and will follow the MITRE ATT&CK Atomic Tests matrices.
These articles will be quite long, as I will be grouping the sections by matrix column, rather than breaking each column down into multiple articles.
Regardless of operating system, each Red Team installation will be written in the following order:
Part 1 — Initial Access (all sections are platform agnostic)
Part 2 — Execution (Windows | Linux | Mac)
Part 3 — Persistence (Windows | Linux | Mac)
Part 4 — Privilege Escalation (Windows | Linux | Mac)
Part 5 — Defense Evasion (Windows | Linux | Mac)
Part 6 — Credential Access (Windows | Linux | Mac)
Part 7 — Discovery (Windows | Linux | Mac)
Part 8 — Lateral Movement (Windows | Linux | Mac)
Part 9 — Collection (Windows | Linux | Mac)
Part 10 — Exfiltration (Windows | Linux | Mac)
Part 11 — Command and Control (Windows | Linux | Mac)
Some notes from the author:
- While some of these sections may go into technical detail about different ways to exploit mechanisms, machines, or programs, many sections throughout this article series will focus on less technical attacks, such as phishing.
- Some concepts may apply to multiple operating systems. However, I will still include the explanation for said concept in each version of this article series. This way, regardless of which one you choose to read (though, ideally you’d read all of them for each operating system), you will get a good explanation of every applicable concept/technique.
- In the case that any additional items are added to the ATT&CK matrices, I will edit these articles to include them.
- One of my favorite ways to teach is through the use of analogies. I find that people can more easily understand concepts that they can relate to. With that said, it would be extremely difficult to think of solid analogies for each section of each portion of this article series. However, I will do my best to include as many analogies as possible throughout the entire series, and for those sections that I cannot find a good analogy for, I will simply try to explain the concept/technique well.
- Lastly, this article series will take me a long time to complete, however, I promise I’ll eventually finish the entire thing.
So, let’s get started on:
Red Team: Initial Access
0x01 — Drive-By Compromise
A Drive By attack is a browser-based attack in which the victim simply has to access a website while browsing normally for a malicious agent to gain access to a system. This can be done through the execution of malicious scripts which were injected into the website through previous compromise (this could include persistent cross-site scripting attacks, malicious ads, or other methods of web-application compromise). These attacks usually include the simple download/execution of malware, however, if a browser vulnerability is used in conjunction with a Drive By attack, the malicious agent may be able to arbitrarily execute malicious code or system commands.
While some plugins, such as adblockers and script-blockers, may be able to detect or mitigate Drive by attacks, this may not always be the case — as some attacks, such as a recent Side-Channel attack which can be executed purely through CSS3 features, are extremely difficult to block or detect.
Let’s take a look at an analogy:
Bob Badman is a gangster with an EXTREMELY short temper. One day, while shopping, Vic Temm, a traveling salesman who is new to the town, accidentally bumped into Bob and didn’t apologize. Bob, being a horrible irrational and extremely spiteful man, decided to take revenge on Vic. Bob waited in his car until Vic left the store and then drove by super fast while shooting at Vic through the window.
While this analogy is very grim, it does represent Drive By compromises fairly well. Instead of bumping into a crazy person at a store, the only thing Vic would have to do to get himself attacked would be to accidentally browse on the wrong website. That’s pretty much it. If a website or ad is compromised or is serving malicious code, an adversary could attack Vic as soon as the webpage loaded up.
0x02 — Exploit Public-Facing Application
In this section, we will be talking about exploiting public (internet) facing applications. Throughout the regular information-gathering phase of an attack on a target, adversaries will perform scans and checks that may reveal information on internet facing applications, such as application versions (i.e. Apache 2.2.34). Once application information is gathered, the adversary may try to enter the system through one or multiple applications, either through exploiting previously published vulnerabilities, or through the discovery of new vulnerabilities/exploits for said applications, known as Zero-Day vulnerabilities. The ability to exploit said vulnerabilities may lead to an attacker gaining additional information about a system, performing a Denial of Service attack, or even executing arbitrary code/system commands. For this reason, it is important to ensure all public-facing applications are properly configured, secured, and kept up-to-date.
Let’s take a look at an analogy:
Bob is a burglar. While casing a house, Bob noticed that the owners never lock the back window. Bob is able to break into the house through the window and steal all of the homeowner’s stuff without them ever hearing him.
While exploiting a vulnerability in a public-facing application may not always be as quite as Bob in the above example, it is certainly as effective. The ability to change an application’s control flow on a target system is pivotal in the initial stages of an attack.
Since this form of attack is not specific to any one operating system, as it focuses on the applications hosted rather than the host itself, it is platform agnostic, meaning it can be executed on Windows, Linux, or Mac systems.
0x03 — Hardware Additions
While gaining the ability to add hardware onto/into a target system or infrastructure may be extremely difficult, if an adversary were to gain said opportunity, he/she would effectively gain total control over the target. This is because the adversary could install any number of malicious additions, from hardware keyloggers to additional network access points, and take over the system/infrastructure with ease. Furthermore, while extremely effective, this type of attack is usually only attempted by hired red teams or extremely motivated, highly skilled, adversaries such as state actors.
0x04 — Replication Through Removable Media
Removable Media is anything you can quickly plug in and then remove (i.e. flash drives, external hard drives, etc.). As in section 0x03, while gaining the ability to physically access a system or infrastructure is a challenge of its own, once you’re able to plug something in it’s essentially game over for your target. Often, when attempting to infiltrate a target network through removable media, an adversary will simply drop a bunch of flash drives outside of the target’s office/base. The idea is, eventually someone walking in will see one, pick it up, and plug it into their computer — infecting the system with the autorun malware that was installed onto the drive.
The true benefit of removable media attacks is being able to attack air-gapped or otherwise heavily defended systems. For example, it is said that removable media played a large role in the Stuxnet virus’ propagation.
Since every operating system can handle removable media, this attack is platform agnostic, meaning it can be executed on Windows, Linux, or Mac environments.
0x05 — Spearphishing Attacks (Attachment and Link)
Please note: The MITRE ATT&CK Matrix breaks this section down into 2 sections: Spearphishing Attachment and Spearphishing Link. However, since both are 99% exactly the same, I decided to group them together into one section.
Spearphishing (also known as phishing) attacks are email-based attacks in which a malicious agent sends an email that looks like a legitimate email from the targets boss, a company, or any other trustworthy party, either to a specific person or to a large number of people. These emails may include malicious links or attachments that direct a user to a malicious webpage or infect the user’s system with malware.
Phishing attacks are by far the easiest and most widely-used means of gaining initial access into a target’s system or infrastructure. This is because of the fact that they are extremely easy to perform and can be made to look extremely legitimate.
While the malware that phishing attacks deploy may not be platform agnostic, phishing attacks themselves — as they are primarily done through email, which is platform agnostic — can be executed on any environment regardless of operating system.
0x06 — Spearphishing via Service
While normal phishing attacks are done through email, phishing can be done through any media in which an adversary can mask themselves as a legitimate user/service and gain enough of the target’s trust to have them click a link or run a program that was supplied to them by said adversary. Furthermore, while many large-scale email clients (such as gmail) now come with some phishing protections built in, many services (like the Facebook Messenger, Whatsapp, etc.) do not have any built in phishing protection. For this reason, some adversaries choose to perform their phishing attacks through different services. However, at the core, the attack is still essentially the same as the attack described in section 0x05 — An attacker will send a message to either a specific target or a large amount of potential targets. This message will look like a legitimate message from a friend, coworker, service, or other trusted party and will include either a malicious link or a malicious attachment.
Since social media platforms and other mechanisms that may be used for phishing via service attacks are not specific to any one operating system, this attack is platform agnostic — meaning it can be executed on any environment.
0x07 — Supply Chain Compromise
Supply Chain Compromise is by far the most difficult means of infiltrating a target infrastructure/system. This is because it involves manipulation of systems, programs, or tools during their production/development process. While this attack would only be feasible for large state actors or otherwise EXTREMELY motivated and EXTREMELY powerful adversaries, it is an extremely effective means of infiltration.
One solid example of supply chain compromise would be the CIA’s actions as detailed in the Vault-7 wikileaks releases. In which the CIA implanted malicious mechanisms into different products/systems by intercepting them during the production and/or delivery process.
Let’s take a look at an analogy:
Bob is an assassin who has been hired to kill Mr. Vic Temm. Bob known that Vic likes to eat the same meal at the same restaurant every Wednesday. Bob disguises himself as a waiter, take’s Vic’s order, and before delivering his food, adds some poison that will kill Vic in 10 days.
In the above example, Bob’s attack took a lot of planning and was difficult to execute in a way that would not implicate him in any way. However, once executed, Bob’s plan was extremely effective.
Since this attack is not specific to any one platform or operating system it is completely platform agnostic, meaning it can be executed on any environment.
0x08 — Trusted Relationship
While directly attacking a target can be an effective means of infiltration, sometimes it is easier for an adversary to leverage a trusted third party’s access instead. For example, in the 2013 Target hack, attackers first gained access to a third party heating and ventilation company which target used. This company had access to Target’s network and allowed the malicious agents to pivot onto the network, effectively infiltrating Target’s infrastructure without any issue.
Trusted relationship attacks can be most effective during company acquisition periods, as the merging networks may not be fully secured yet, however, in many cases, victims simply do not do enough due diligence or security analysis on the third parties who are provided access to their network.
While the third party’s network/infrastructure may not be fully platform agnostic, this attack — at its core — can be executed on any environment, since it simply leverages the trust between two parties, rather than any specific technologies.
0x09 — Valid Accounts
Stealing valid accounts from users can be done through phishing attacks (see sections 0x05 and 0x06) or through other methods of social engineering.
This attack really doesn’t require much explanation, an adversary will gain valid credentials and infiltrate a system using them.
While “Robert Hackerman, the County Password Inspector” seems pretty ridiculous, social engineering in general can be an extremely effective, and an extremely efficient, means of infiltrating a target infrastructure/system.
0x0A — Conclusion
While initial access into a target infrastructure/system is limited to a small number of methods, once in the system the adversary must navigate through platform-specific methods, numerous defenses, and other pitfalls.
I hope this article was helpful. Please subscribe to my medium account or follow me on twitter (@bcdannyboy), as I will be posting the next parts of this article series as soon as possible!
Thank’s for reading!