Foreword xxiii
Introduction xxvii
Chapter 1 Medical Records (In)security 1
An Introduction to Simulating Advanced Persistent Threat 2
Background and Mission Briefing 2
Payload Delivery Part 1: Learning How to Use the VBA Macro 5
How NOT to Stage a VBA Attack 6
Examining the VBA Code 11
Avoid Using Shellcode 11
Automatic Code Execution 13
Using a VBA/VBS Dual Stager 13
Keep Code Generic Whenever Possible 14
Code Obfuscation 15
Enticing Users 16
Command and Control Part 1: Basics and Essentials 19
The Attack 23
Bypassing Authentication 23
Summary 27
Exercises 28
Chapter 2 Stealing Research 29
Background and Mission Briefing 30
Payload Delivery Part 2: Using the Java Applet for Payload Delivery 31
Java Code Signing for Fun and Profit 32
Writing a Java Applet Stager 36
Create a Convincing Pretext 39
Signing the Stager 40
Notes on Payload Persistence 41
Microsoft Windows 41
Linux 42
OSX 45
Command and Control Part 2: Advanced Attack Management 45
Adding Stealth and Multiple System Management 45
Implementing a Command Structure 47
Building a Management Interface 48
The Attack 49
Situational Awareness 50
Using AD to Gather Intelligence 50
Analyzing AD Output 51
Attack Against Vulnerable Secondary System 52
Credential Reuse Against Primary Target System 53
Summary 54
Exercises 55
Chapter 3 Twenty-First Century Heist 57
What Might Work? 57
Nothing Is Secure 58
Organizational Politics 58
APT Modeling versus Traditional Penetration Testing 59
Background and Mission Briefing 59
Command and Control Part III: Advanced Channels and Data Exfiltration 60
Notes on Intrusion Detection and the Security Operations Center 64
The SOC Team 65
How the SOC Works 65
SOC Reaction Time and Disruption 66
IDS Evasion 67
False Positives 67
Payload Delivery Part III: Physical Media 68
A Whole New Kind of Social Engineering 68
Target Location Profiling 69
Gathering Targets 69
The Attack 72
Summary 75
Exercises 75
Chapter 4 Pharma Karma 77
Background and Mission Briefing 78
Payload Delivery Part IV: Client-Side Exploits 1 79
The Curse That Is Flash 79
At Least You Can Live Without It 81
Memory Corruption Bugs: Dos and Don’ts 81
Reeling in the Target 83
Command and Control Part IV: Metasploit Integration 86
Metasploit Integration Basics 86
Server Configuration 86
Black Hats/White Hats 87
What Have I Said About AV? 88
Pivoting 89
The Attack 89
The Hard Disk Firewall Fail 90
Metasploit Demonstration 90
Under the Hood 91
The Benefits of Admin 92
Typical Subnet Cloning 96
Recovering Passwords 96
Making a Shopping List 99
Summary 101
Exercises 101
Chapter 5 Guns and Ammo 103
Background and Mission Briefing 104
Payload Delivery Part V: Simulating a Ransomware Attack 106
What Is Ransomware? 106
Why Simulate a Ransomware Attack? 107
A Model for Ransomware Simulation 107
Asymmetric Cryptography 108
Remote Key Generation 109
Targeting Files 110
Requesting the Ransom 111
Maintaining C2 111
Final Thoughts 112
Command and Control Part V: Creating a Covert C2 Solution 112
Introducing the Onion Router 112
The Torrc File 113
Configuring a C2 Agent to Use the Tor Network 115
Bridges 115
New Strategies in Stealth and Deployment 116
VBA Redux: Alternative Command-Line Attack Vectors 116
PowerShell 117
FTP 117
Windows Scripting Host (WSH) 118
BITSadmin 118
Simple Payload Obfuscation 119
Alternative Strategies in Antivirus Evasion 121
The Attack 125
Gun Design Engineer Answers Your Questions 126
Identifying the Players 127
Smart(er) VBA Document Deployment 128
Email and Saved Passwords 131
Keyloggers and Cookies 132
Bringing It All Together 133
Summary 134
Exercises 135
Chapter 6 Criminal Intelligence 137
Payload Delivery Part VI: Deploying with HTA 138
Malware Detection 140
Privilege Escalation in Microsoft Windows 141
Escalating Privileges with Local Exploits 143
Exploiting Automated OS Installations 147
Exploiting the Task Scheduler 147
Exploiting Vulnerable Services 149
Hijacking DLLs 151
Mining the Windows Registry 154
Command and Control Part VI: The Creeper Box 155
Creeper Box Specification 155
Introducing the Raspberry Pi and Its Components 156
GPIO 157
Choosing an OS 157
Configuring Full-Disk Encryption 158
A Word on Stealth 163
Configuring Out-of-Band Command and Control Using 3G/4G 164
Creating a Transparent Bridge 168
Using a Pi as a Wireless AP to Provision Access by Remote Keyloggers 169
The Attack 171
Spoofing Caller ID and SMS Messages 172
Summary 174
Exercises 174
Chapter 7 War Games 175
Background and Mission Briefing 176
Payload Delivery Part VII: USB Shotgun Attack 178
USB Media 178
A Little Social Engineering 179
Command and Control Part VII: Advanced Autonomous Data Exfiltration 180
What We Mean When We Talk About “Autonomy” 180
Means of Egress 181
The Attack 185
Constructing a Payload to Attack a Classified Network 187
Stealthy 3G/4G Software Install 188
Attacking the Target and Deploying the Payload 189
Efficient “Burst-Rate” Data Exfiltration 190
Summary 191
Exercises 191
Chapter 8 Hack Journalists 193
Briefing 193
Advanced Concepts in Social Engineering 194
Cold Reading 194
C2 Part VIII: Experimental Concepts in Command and Control 199
Scenario 1: C2 Server Guided Agent Management 199
Scenario 2: Semi-Autonomous C2 Agent Management 202
Payload Delivery Part VIII: Miscellaneous Rich Web Content 205
Java Web Start 205
Adobe AIR 206
A Word on HTML5 207
The Attack 207
Summary 211
Exercises 211
Chapter 9 Northern Exposure 213
Overview 214
Operating Systems 214
Red Star Desktop 3.0 215
Red Star Server 3.0 219
North Korean Public IP Space 221
The North Korean Telephone System 224
Approved Mobile Devices 228
The “Walled Garden”: The Kwangmyong Intranet 230
Audio and Video Eavesdropping 231
Summary 233
Exercises 234
Index 235