[Smart] Practical Example

Bret Jordan <jordan.ietf@gmail.com> Sun, 03 March 2019 17:48 UTC

Return-Path: <jordan.ietf@gmail.com>
X-Original-To: smart@ietfa.amsl.com
Delivered-To: smart@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6D56130E25 for <smart@ietfa.amsl.com>; Sun, 3 Mar 2019 09:48:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ul2m6-9J7bHz for <smart@ietfa.amsl.com>; Sun, 3 Mar 2019 09:48:21 -0800 (PST)
Received: from mail-it1-x12b.google.com (mail-it1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02552130E1C for <smart@irtf.org>; Sun, 3 Mar 2019 09:48:21 -0800 (PST)
Received: by mail-it1-x12b.google.com with SMTP id g17so4117927ita.2 for <smart@irtf.org>; Sun, 03 Mar 2019 09:48:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:message-id:date:to; bh=TUIca4Fg2fG1hwIdyJCeAzD2Vag0RUZxcc9EitpJCMQ=; b=mgcdoL2CeMLe/sbFr4tbVSGLHVtOpDnedhdmW9JiFLq6bC+4fLKSrViLmR4KVOSDgn FZvWGIgncypszLofrqeiE1nJSs4H0O1UvH4vf+hDUzfy9lUbTdfOJgzC29WF7LFpPaRT kNNwZ2/+tQvIxnEnJ5pKNDPht0MMVgZwklG2KfMBW0hG7EEwMC/izb1DpAJRSBERLiPf Ly/Zxgt157SKiL7v+GJkH+VPqQRWL64GdtXb81RD4uDuEt68Xo2dFe6icBnbw47j4RI0 eMx7mhiY6e8nIkSj+NSfBjA5X6mFpvF68Gql3USjjBnkS/hzdZTVP+BZIFw8NOYibGi9 c8fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=TUIca4Fg2fG1hwIdyJCeAzD2Vag0RUZxcc9EitpJCMQ=; b=ENgia37Mn1MkzovJtxXYm0r4JWW3tXQrT4h4UobdHDsu3ZU8J0VRXgEADxKle3NaDh ItUHpZhwlK6zIFkgUa/THEV6lI7YbWPukYZbgdU4SGKus7IXSJ1RlnHefYYd5XMYes0q M8uGiOCzLnu/IACyLEDKOtFrGz+7veShQQc0aQ+U710BLi/4hOSBJjtvsdMvWbGrSTnW yV5Vh7RGYPC1+ks1s0UPfXDyRr7WFQ1ADHgSOa1KjAVrqDOoWZUSj4hmhF7QDwSe/Enx 67M3lBknYxW5GGrqJIez+1pH5Lfzna8USjIc1ba1GY9Xv4WTr82bjGayhDQ2HJMU64Mp IJYA==
X-Gm-Message-State: AHQUAuZrbSI6+ajKP8fXlLpZVAU4YuuKQpl5lmL8C98TzgfTJbYRnXnr JtUCxRLFbqrzLDgVMimCGda5zL+U
X-Google-Smtp-Source: APXvYqxfJbDTKSS3TfLgb/N7GmTqDHByevJUlSJbWQmNIltz1HT2gXv4+Psfbt1g/rlnBmcMOjqTlA==
X-Received: by 2002:a24:5010:: with SMTP id m16mr8127425itb.132.1551635299101; Sun, 03 Mar 2019 09:48:19 -0800 (PST)
Received: from [10.1.111.224] (65-126-127-202.dia.static.qwest.net. [65.126.127.202]) by smtp.gmail.com with ESMTPSA id p141sm2028793itb.39.2019.03.03.09.48.17 for <smart@irtf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 03 Mar 2019 09:48:18 -0800 (PST)
From: Bret Jordan <jordan.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_24358CC2-CD9F-41B6-AB6F-8F4A64BD4371"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Message-Id: <487EFB0F-83D8-49CF-BF6A-DFB3A023A641@gmail.com>
Date: Sun, 03 Mar 2019 10:48:15 -0700
To: smart@irtf.org
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/smart/oduKPEdwUezN4FtAH3aBkOEVwdM>
Subject: [Smart] Practical Example
X-BeenThere: smart@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Stopping Malware And Researching Threats <smart.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/smart>, <mailto:smart-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smart/>
List-Post: <mailto:smart@irtf.org>
List-Help: <mailto:smart-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/smart>, <mailto:smart-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Mar 2019 17:48:24 -0000

All,

For the past month in my free time I have been “walking the packet” through various combinations of these new technologies looking for problems, issues, and potential complications for operational security in the enterprise and critical infrastructure.  I have also started working on some proof-of-concept code that can exploit these configurations.  Specifically, I have been focused on stage 1 and stage 2 delivery of an intrusion set, since if you can prove stage 2 delivery then the data exfiltration is easy.

1) I have not yet seen anything use this in the wild, but that is probably because most of these technologies are not yet broadly enabled.

2) No, I am not going to release my toolkits or frameworks publicly.

3) No, I will not discuss these attacks and exploits over public archived channels. Yes, threat actors do monitor lists like this one.

I would encourage others here to enable these new technologies in your sandbox and then start walking the packet through the entire configuration.  Once you do that, I would love to talk with you in person and see if your conclusions are similar to mine.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."