FLIBBERTIGIBBET


Most used techniques to compromise your organizations in 2023

Throughout 2023, 23p worked with organizations using methods sourced from various threat actors to help find gaps in their detection and response capabilities. We are often tasked with targeting hardened organizations that have multiple layers of security controls that an attacker would need to evade in order to accomplish their goals. These often include mail gateway filters which inspect suspicious links and attachments and Endpoint Detection and Response (EDR) platforms which can identify the execution of malicious code on workstations. These defensive controls are often manned and controlled by blue teams who work to isolate and mitigate detected attackers.

In 2023 we saw major advances in our own capabilities via Large Language Models (LLMs) which we see reflected in the expanding capabilities of malicious threat actors. We also saw over-reliance on Multi-Factor Authentication (MFA) as a security control which allowed us to access various cloud platforms with compromised session tokens. For targets with mature conditional access policies, endpoint compromise was required in which multi-stage implants were deployed to successfully evade EDR for extended periods of time.

Generative AI for Red Team Operations

Because Large Language Models are purpose-built to generate text, they shine at creating phishing email templates, fake documents, and even code.

LLMs are sophisticated artificial intelligence models that are specifically designed to generate text. These models are trained on vast amounts of data, which allows them to learn patterns, grammar, and context from the input text. LLMs use this learned knowledge to generate coherent and contextually relevant text based on given prompts or instructions. While the hosted platforms place some restrictions on the content they will produce, those restrictions can be talked around, and by self-hosting an LLM an attacker can run a configuration that has no restrictions at all.

The following image shows some sample output:

Phishing template created using ChatGPT

One of the most important parts of a phishing campaign is creating a believable phishing email. With the explosion of LLMs, phishing templates of high quality can be generated easily.

Offensive Tool Development

Another compelling application we have identified for LLMs is assisting with offensive tool development. Many software developers have discussed in depth how this technology has enhanced their capabilities. As offensive tool developers, we have been able to greatly speed up our process by leveraging LLM code generation during engagements. For example, we can quickly upgrade or fix broken code, create fully custom post-exploitation tools, and create custom implants within a few hours or less. The following example is a C# application we quickly put together in order to search through image files on a Windows target.

ChatGPT used for offensive tool development

Scenario Planning

We can also leverage LLMs to generate realistic attack scenarios that can be used for threat modeling exercises, planning red team engagements, and overall assisting in the process of selecting the most realistic Tactics, Techniques, and Procedures (TTPs) based on the known capabilities of threat actors as well as the industry of the target organization:

ChatGPT used for scenario planning

3rd Party Sending Platforms

In order to get an email past traditional filters such as Proofpoint or Mimecast, some additional work must be done. These platforms work by analyzing sender reputation and suspicious links within email bodies to filter out phishing emails via common indicators. Threat actors are aware of these detections and abuse trusted 3rd party services which provide a trusted sender. DocuSign is a platform utilized by many businesses to sign documents and likely needs no introduction due to its ubiquity in the corporate world. DocuSign is easily abusable by threat actors and provides a free trial that does not even require a credit card. This platform provides a trusted sender as well as the ability to store our phishing URL within a DocuSign document instead of the email body. Using this method we can avoid triggering most email filters and blend in with common communications.

Discover why DocuSign is the most widely used electronic phishing platform

Plenty of alternative 3rd party platforms can be abused in a similar manner. The key things we look for are a trusted sender and the ability to host phishing links on the platform, keeping them out of the email body where they would be analyzed. Throughout 2023, 23p has observed DocuSign phishing campaigns successfully bypassing mail filters on some of the most hardened mail gateway configurations.

Session Cookie Capture

A common method we saw widely abused this year was the use of session cookie capture to bypass MFA. One of the main tools used to accomplish this task is Evilginx. Evilginx is a man-in-the-middle (MitM) reverse proxy that is commonly used by both security professionals and attackers. It intercepts network traffic between a user's device and the target server, allowing the attacker to capture sensitive information like session cookies.

When a user clicks on a phishing link and lands on a malicious website controlled by the attacker, Evilginx acts as a proxy between the user's device and the legitimate website. Once the user enters their credentials, Evilginx captures the submitted form data, including the username and password. It also intercepts the session cookie that is generated when the user successfully authenticates with the website. The session cookie contains information that identifies the user's session with the website. Once a cookie has been captured, the attacker can impersonate the user and gain unauthorized access to their account without needing to know the user's password. The stolen session cookie can be used to bypass multi-factor authentication (MFA) and gain access to various cloud services associated with the compromised account.

If an organization has well-implemented conditional access policies, then even with compromised session tokens we may not be able to access external services. Microsoft platforms can utilize multiple points of validation such as checking device compliance or certificate-based authentication. The following resources are helpful for understanding the attack as well as offering remediation strategies.

Defending against the EvilGinx 2 MFA Bypass - https://techcommunity.microsoft.com/t5/microsoft-entra/defending-against-the-evilginx2-mfa-bypass/m-p/501719

Evilginx MitM Attack Framework - https://github.com/kgretzky/evilginx2

Steal Web Session Cookie - https://attack.mitre.org/techniques/T1539/

Another technique worth mentioning is the use of WebView2 for phishing session tokens from an endpoint. There were instances in 2023 where WebView2 techniques had a higher success rate than Evilginx.

Modified version of Microsoft’s WebView2 code - https://github.com/mrd0x/WebView2-Cookie-Stealer
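The defensive side of the cookie-capture scenario above is spotting the replay: the same session identifier suddenly active from a different network location and browser than the sign-in that created it. The following heuristic is an added example, not code from the original post or from any vendor, and it assumes a constructed, simplified line-delimited JSON sign-in log rather than any real platform's log schema.

```python
# Heuristic for spotting replay of a captured session cookie in sign-in
# activity. Added example, not the post's code or any vendor's; it assumes a
# constructed, simplified log: one JSON object per line with sessionId, user,
# ip, userAgent and an ISO 8601 UTC timestamp. A session whose later activity
# comes from BOTH a new IP and a new user agent shortly after creation is
# flagged; an IP change alone (roaming, VPN) is deliberately not enough.
import json
from datetime import datetime, timedelta

# Constructed sample. sess-A1's third event reuses the cookie from a different
# address and browser; sess-B2 only changes address and should stay quiet.
SAMPLE_LOG = """\
{"sessionId": "sess-A1", "user": "alice", "ip": "203.0.113.10", "userAgent": "Edge/120", "timestamp": "2023-11-02T09:00:00Z", "event": "login"}
{"sessionId": "sess-A1", "user": "alice", "ip": "203.0.113.10", "userAgent": "Edge/120", "timestamp": "2023-11-02T09:05:00Z", "event": "mail.read"}
{"sessionId": "sess-A1", "user": "alice", "ip": "198.51.100.7", "userAgent": "Chrome/119", "timestamp": "2023-11-02T09:12:00Z", "event": "mail.read"}
{"sessionId": "sess-B2", "user": "bob", "ip": "203.0.113.20", "userAgent": "Edge/120", "timestamp": "2023-11-02T09:01:00Z", "event": "login"}
{"sessionId": "sess-B2", "user": "bob", "ip": "203.0.113.21", "userAgent": "Edge/120", "timestamp": "2023-11-02T09:30:00Z", "event": "mail.read"}
"""

def parse_log(text):
    """Parse the line-delimited JSON log and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return {sessionId: (user, origin_ip, replay_ip)} for flagged sessions."""
    origin = {}  # sessionId -> first event seen for that session
    alerts = {}
    for e in events:
        sid = e["sessionId"]
        if sid not in origin:
            origin[sid] = e
            continue
        o = origin[sid]
        ip_changed = e["ip"] != o["ip"]
        ua_changed = e["userAgent"] != o["userAgent"]
        if ip_changed and ua_changed and e["ts"] - o["ts"] <= window:
            alerts[sid] = (e["user"], o["ip"], e["ip"])
    return alerts

def scan(text=SAMPLE_LOG):
    return find_replayed_sessions(parse_log(text))

if __name__ == "__main__":
    for sid, (user, src, dst) in scan().items():
        print(f"{sid} ({user}): created from {src}, reused from {dst} with a new user agent")
```

In a real environment the same logic belongs on the identity provider's sign-in and non-interactive activity logs, where device compliance state gives a far stronger signal than user agent strings.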

Help Desk Account Takeover

Another common method we have seen abused with a high success rate is social engineering of an organization’s help desk. These teams are usually overworked and understaffed, and they commonly handle credential resets, login issues, and other technical assistance for the organization. While this method is non-technical, it can lead to high-impact compromises. For example, the Lapsus$ threat actor group has been known to use social engineering of help desks to compromise major companies. The general methodology we follow is to find as much information about target users as possible. This often includes job title, length of time at the company, likely coworkers, usernames, leaked credentials, and more.

Armed with this information we can often call an organization’s help desk and simply ask for a password reset. We then make a secondary call to a later help desk shift and request that a new phone be added to the user's account due to an issue with the existing phone. Help desks generally ask for name, number, and username and rarely perform more validation than this. With this low-tech vector, we can quickly take over an employee's account and gather any sensitive data they have access to.

Microsoft Security Blog - https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Multi-stage software implants

HTML smuggling is a technique used by attackers to deliver malicious files to a target system while disguising them as harmless content. It takes advantage of the way web browsers handle certain file types such as HTML and JavaScript.

Multi-stage implant chain

In order to break apart the infection chain and avoid detection by EDR, threat actors like to create multiple files with specific tasks that ultimately execute code on an endpoint device. An attack chain we commonly utilized this year was an HTML smuggling page which forces the download of a .VBS file; the script displays a “PDF” to the user while downloading a malicious dynamic-link library (.DLL) to the target system.

HTML smuggling technique

Visual Basic Scripting (VBS) is a scripting language developed by Microsoft that is based on Visual Basic. Crafted VBS files contain code that can be executed by the Windows Script Host (WSH). VBS is often used for automation tasks, system administration, and scripting within Windows environments. It allows users to write scripts that perform actions such as file manipulation, system configuration, and interacting with other applications. Using VBS we can quickly create loaders which have low detection rates and can automate various tasks on a Windows system.

DLL hijacking is a technique used by attackers to exploit the way Windows operating systems search for and load DLLs when executing a program; some of the DLLs a program requests may no longer exist in the location it expects. By analyzing this behavior, we can find applications which look for .DLL files in a path where the file is no longer present.

Chaining together HTML smuggling, Visual Basic Scripting, and .DLL hijacking, we can create an evasive attack chain with a minimal detection level: the .HTML simply downloads a file, the .VBS does the same, and the code that finally runs executes within the context of OneDrive. These techniques have been utilized by multiple threat actors to compromise organizations throughout recent years. The following links provide more information about these technologies and techniques.

Obfuscated Files or Information: HTML Smuggling - https://attack.mitre.org/techniques/T1027/006/

Command and Scripting Interpreter: Visual Basic - https://attack.mitre.org/techniques/T1059/005/

Hijack Execution Flow: DLL Side-Loading - https://attack.mitre.org/techniques/T1574/002/
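Because the first link in the chain above is a browser-assembled download, the HTML page itself carries the indicators a web filter or mail sandbox can score on. The scanner below is an added example, not the post's or any product's code; the indicator set and thresholds are assumptions for illustration, and the constructed "suspicious" sample only carries the indicator tokens with filler data, it is not a working payload.

```python
# Heuristic scanner for HTML smuggling indicators. Added example, not code from
# the original post. It scores a page on the combination of traits smuggled
# downloads rely on: a large base64 string embedded in script, client-side
# decoding (atob), Blob/object-URL construction and a forced download link
# whose name suggests a document. Thresholds are assumptions for illustration.
import re

INDICATORS = {
    "decode": re.compile(r"\batob\s*\(|\bcharCodeAt\b"),
    "blob": re.compile(r"new\s+Blob\s*\(|msSaveOrOpenBlob"),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# A long run of base64 characters inside a <script> body, well beyond what
# ordinary inline scripts contain (assumed threshold: 2000 characters).
BIG_BASE64 = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")
DOC_NAME = re.compile(r"\.(pdf|doc[x]?|xls[x]?|zip|iso|img|vbs|js)['\"]", re.I)

def score_html(html):
    """Return (score, matched indicator names) for a page's source text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    scripts = "".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I))
    if BIG_BASE64.search(scripts):
        hits.append("large_base64_in_script")
    if DOC_NAME.search(html):
        hits.append("document_filename")
    return len(hits), hits

def is_suspicious(html, threshold=4):
    return score_html(html)[0] >= threshold

# Constructed samples. The "suspicious" one only carries the indicator tokens
# and a filler base64 string ("QUJD" repeated); it is not a working payload.
BENIGN = "<html><body><script>document.title = 'Quarterly report';</script></body></html>"
SUSPICIOUS = (
    "<html><body><p>Loading your document...</p><script>"
    "var data = '" + ("QUJD" * 600) + "';"
    "var bytes = atob(data); var blob = new Blob([bytes]);"
    "a.href = URL.createObjectURL(blob);"
    "a.download = 'invoice.pdf'; a.click();"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, score_html(page))
```

Any single indicator is common in legitimate web apps (file export features use the same Blob APIs), which is why the score requires several to coincide before a page is flagged.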

Best Practices to minimize the impact of these attacks

The following recommendations should be considered to reduce risk related to these attacks. First, implement conditional access policies on logins wherever possible to mitigate the risk from captured session tokens. Second, ensure you and your organization are aware of 3rd party service abuse involving platforms such as DocuSign. Third, implement validation and alerting for suspicious password reset requests. This is especially necessary for accounts with elevated privileges. Fourth, implement protections such as web filtering and endpoint security solutions to help mitigate the risk of HTML smuggling attacks. Finally, it cannot be overstated that user awareness and education are a critical component of your overall strategy. In the context of this post, user awareness should address the dangers of downloading files from untrusted sources.

Conclusion

As cyber threats continue to evolve, red teams play a vital role in helping organizations identify vulnerabilities and enhance their security posture. These tactics are based on those of threat actors who successfully target organizations. The 23p red team will continue to study these techniques and apply them in engagements with our customers in order to test their capabilities against evolving threats.

Is your organization using these defense techniques to raise the bar for a would-be adversary? Let’s talk, we’re friendly.

About 23p

23p is an international cybersecurity services provider that specializes in advanced threat emulation. 23p offers a range of services including advanced threat modeling, various flavors of red team assessments, and individualized purple team assessments that help your teams be better prepared to defend your critical business systems and data. 23p is distinguished by its unique methodologies that incorporate 23p’s Live Fire Replay™ and Rigor Rating™.

International reach, combined with expertise and specialized methodologies, makes 23p a valuable partner for organizations around the world seeking to enhance their cybersecurity posture in a dynamic threat landscape.
