It has often been said that if history doesn’t repeat itself, it sure as heck rhymes. Nowhere is this truer than in cyber security. And one of the most common “rhymes” is the trouble that blue teams have in detecting red team tools and activity in a network. Now the reasons for this can be numerous, especially because the blue teams need to get it right every time, whereas red teams only need to get it right once. But one of the more common experiences I’ve observed is that blue teams often have a hard time hunting or detecting the tools that red teams are known to use. That is why I sat down with some of our hunt team to look at some of the most common tools that red teams use – such as Cobalt Strike, Brute Ratel, Meterpreter, and PowerShell Empire – and how blue teams and hunt teams can hunt for them.
Red Team Tools: Cobalt Strike
Probably one of the most common red team tools employed by red teams (and a lot of adversaries, too!) today is Cobalt Strike. Cobalt Strike is a fully featured and commercially available penetration testing tool offered by Washington, DC-based Strategic Cyber LLC. The tool is advertised for “Adversary Simulations and Red Team Operations” however its significant customization and capabilities have led to its use by a wide variety of threat actors for a variety of motivations. Cobalt Strike also incorporates a variety of other post-exploitation tools, such as Mimikatz, in order to expand its functionality.
Once a red team (or adversary) has established a foothold, one of the most common tactics they are likely to focus on is execution. Execution is what enables adversaries to detonate their tools on a system, often with the goal of remaining undetected by security controls and teams. One of the most common methods for this is to use a scripting interpreter – which in the case of Windows is often PowerShell. As a result, a lot of security controls are keeping a watchful eye on PowerShell and the processes it spawns. However, Cobalt Strike (amongst many others) have found a clever method to bypass this by loading PowerShell directly into memory, often using something like unmanagedpowershell which can run PowerShell in memory without spawning powershell.exe.
One of the easiest methods to hunt for this activity is to look for DLLs being loaded associated with a PowerShell runtime environment that is not the default PowerShell executable. This can help identify possible malicious activity.
Red Team Tools: Brute Ratel
Another of the most popular red team tools used by adversaries and red teams alike is a tool referred to as Brute Ratel. Brute Ratel is an attack simulation and post-exploitation toolkit created by Chetan Nayak (a former red teamer for Mandiant and Crowdstrike), and released in 2020. The post-exploitation toolkit is a customizable command and control framework that gives users capabilities such as (but not limited to): injecting shellcode into processes, executing script execution and writing C2 channels (like Slack, Microsoft teams).
One of the first techniques many red teams and adversaries use once they establish themselves is downloading additional tools. Many modern security tools are able to easily detect an attacker using tools such as a headless browser or similar methods. However, a method that can sometimes be overlooked is leveraging existing binaries that exist on the system already (often referred to a living off the land, or LOLBins). One of the most popular tools for this purpose is certutil which is a command-line program on Windows Operating Systems, and that is used as a part of Certificate Services. It can be used to configure Certificate Services, verify certificates, and more certificate related activities. One command parameter within CertUtil, urlcache, can be used to perform URL cache management actions – adversaries have realized they can use this to download malicious files. But how does one detect this activity?
A simple method to detect this activity is to look for files that are initiating a download via CertUtil.exe’s “urlcache” parameter. CertUtil is typically not utilized to download executables or files in general from the web, as such its usage to download files from the Internet should be considered suspicious.
Red Team Tools: Metasploit
One of the go-to red team tools that red teams and adversaries alike are known to use widely is Metasploit. Metasploit is a very common attack framework used to aid in penetration testing and malicious activity.
While Metasploit has a wide array of capabilities, one of the most common functions adversaries, and red teams, alike use it for is to achieve lateral movement and performing actions on remote systems. One of the most common techniques for accomplishing this is by abusing PsExec for service installation.
A great way to detect Metasploit’s activity is to look for service installations containing names that are consistent with the schema used by Metasploit’s PsExec tool while simultaneously looking for a binary bearing the same name in the “Windows” directory. Attackers and red teams can change this naming convention, but many are unaware of this. It offers a great start to hunt for Metasploit activity.
Hunt Teams and Blue Teams can have difficulty with hunting for red team activity – often because they struggle to detect even common red team tools. Cyborg Security’s hunt team has put together a FREE collection of the most common behaviors that organizations and teams can hunt for today to detect common red team tools in action. Get your FREE Community account today using promocode “REDTEAM“!