This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at the 9th NCCDC competition. It was actually my 2nd year on the Red Team and 4th year to attend in total (I judged in 2010 and 2011). McAfee is actually a perpetual sponsor of this event. That being said, I have my own selfish agenda when I attend.
Joining in as part of the Red Team is, by far, one of the most educational experiences I could possibly put myself in. Not only are you tossed into a room with folks like Mubix, Vyrus, Raphael Mudge, and others – but also you are on a limited schedule, and from the time the competition starts it’s heated and non-stop.
The general strategy this year was to lay down all our toys and persistence (backdoors, beacons, RATs and other tools) on Day 1. We made very little noise, hoping that the competing teams would gain a false sense of confidence and not notice our presence on their systems. This way, on Day 2 when the chaos commences and the teams choose to just ‘restore from backup’ or ‘revert snapshots’ and the like, they end up restoring all our persistent tools and we retain access and ownership.
And . . . it worked!
Different individuals on the Red Team had their own unique tools and methods to gain and retain access and upset the teams’ activities. As the McAfee guy, I chose to rely on some old, tried and true (and very accessible) RATs. Most of my activities centered on the use of DarkComet and, to a far lesser degree, DNA.
My philosophy was driven by two primary goals. First, I know these things work realllllllllly well. And with these RATs on the box, I can control and own everything. Second, and possibly more interesting, is that if these tools work, I know that the teams are not putting any effort into installing/deploying even the most basic endpoint/host-based AV solutions. This is especially intriguing because, as a sponsor, McAfee provided the competition with our software. I purposely did NOT do any crypting/packing/obfuscation on the RATs I generated. I know that McAfee (and just about all other vendors) DID detect these things. Yet, I still managed to install and persist on most of the hosts that I deployed to (deployed via Cobalt Strike, btw).
When the competition was over, I chatted with a few competitors, and mentioned this fact. I immediately saw the gears start turning. I could tell they had a real “Ahhhh we should have done that” moment. Not to mention, that McAfee (and others) detect meterpreter/MSF listeners and Trojans as malware/PUPs. Those could have been curtailed as well.
Each year, the teams have to set up, maintain, and safeguard an environment for a faux company/entity. This year the teams were tasked with the environment of a Correctional Institute. This includes databases for tracking the whereabouts of prisoners, an e-commerce site for a prisoner commissary, and more. From the Red Team perspective, this gives us some of our big bets for getting points deducted from the teams. For example, if you kill/mangle/destroy the database for tracking prisoners and personnel, that’s one of the high point items. After all, they don’t want an IT issue to allow prisoners to go unaccounted for or escape, etc. Other hot items include public web site defacement and acquisition of PII (personally identifiable information). For added fun, many of us defaced the web sites by posting the company’s PII for all to see.
All in all it was a fantastic experience. I look forward to future activities with this competition.
UTSA shot a documentary this year. I’ll post details on that once it’s released. However, if you’d like to get some really detailed info, Hak5 released a documentary filmed at the 2012 event. It features great interviews and ‘behind the scenes’ Red Team action. I’m not interviewed, but you can see the top of my head in a couple shots!!
Additional Blogs on NCCDC 2013
- David Cowen - http://mcaf.ee/wid10
- Raphael Mudge - http://mcaf.ee/ageor
- Alex Levinson - http://mcaf.ee/limh1
NCCDC 2013 Red Team Brief - http://mcaf.ee/uodvk
Bonus: We recently did our 2nd AudioParasitics episode with the great Raphael Mudge. This time we have a full and glorious video demo of Cobalt Strike in action. We actually walk through scenarios and give you details on how some of these Red Team activities actually occur.
AudioParasitics Episode 141 (video) - http://mcaf.ee/gep69