Choose Your Own Red Team Adventure: What’s Running?
This is a continuation of a Choose Your Own Red Team Adventure series. If you don’t know how you got here, start at the beginning. Otherwise, continue reading …
You didn’t stop to figure out where your phish payload landed. Instead, you prioritized discovering what is running on the host first. After all, that is how you determine what you can safely run.
Your implant has a built-in way of collecting the running processes and all of the auto-run hooks in the operating system, printing them to your screen in an easy-to-read format. Everything looks good — looks great, actually. You see an outdated anti-virus product and nothing else running. The operating system is old, lacking many of the newer security controls. The more you look, the more excited you become. You dig in and start looking at more and more. You find a privilege escalation that gets you full administrative control of the host. Before long, you've forgotten that you were only trying to figure out what's running, and you've really started pillaging this system. You dump credentials, upload files, set up persistence, and start moving laterally. The next host is also easy to knock over. You weren't really going for it, but you've got Domain Admin — you're king of the enterprise network. "This is going to be an excellent report," you say to yourself. "I'm going to get promoted."
You find their accounts payable system, give yourself access and take screenshots. You even put it straight into the report, because you draft as you work to save time. You hand off the draft to the technical lead from your team and begin preparations for your next client engagement.
A few weeks later, you get visited at home by the FBI. They flash a warrant, come into your home, and take all of your computers — including your work computers. They ask you questions, but you recall learning from a Law and Order episode that you should not talk and request a lawyer. Your employer hires their own counsel, who throws you under the bus. They’re a small firm, their goal isn’t to protect you. You need your own lawyer. You wonder if you’ll ever work in this field again. What happened???
GAME OVER
Post Analysis
After a couple of days of traipsing through a rather weak environment, you finally trip an alert to the Security Operations Center, unbeknownst to you. They quickly realize they don't have the expertise internally to properly respond to the indicators they see coming from your actions, so they tap their contract partner, whom they have on retainer for incident response assistance. The situation escalates quickly; they eventually get attribution back to both you and your employer. How? They escalated to the FBI, who performed a forensic image capture of the affected hosts and subpoenaed the hosting provider to discover who paid for the virtual private server receiving the malware callbacks — it was you, well, your corporate credit card anyway.
Now, you didn't violate the spirit of the Computer Fraud and Abuse Act when you sent that phish to Spaceley's Sprockets, and it isn't your fault that one employee was so excited by your lure that he forwarded it to three friends, one of whom works for a minor federal agency. But you never stopped to check which network your payload had actually landed in, so everything you did after that first callback happened on systems nobody had authorized you to touch. Your lawyer will get the opportunity to explain all of this in front of a judge who announces that he hates computers and still carries an old-school flip phone to stay in touch with loved ones. Hopefully it turns out OK for you.
THE END