Threat Research Blog August 23, 2017

A Deception Researcher’s Take-Aways from the 2017 Black Hat Arsenal

By Dolev Ben Shushan

Most people in cybersecurity are familiar with the Black Hat conference. But whether you know about Black Hat Arsenal depends on how involved you are in the bits and bytes of information security. Some regard Arsenal as one of the best features of the conference. According to the web site, Arsenal allows “independent researchers and the open source community [to] showcase their latest open-source tools and products” in a relaxed, demo-style setting.

Excellent deception design starts with in-depth understanding of the tools and methods attackers use. So Arsenal is one of our favorite places to spend time when we’re out in Las Vegas. This year, more than 100 tools were presented. To provide a glimpse into how deceptions are designed, below we highlight a few of the Arsenal submissions and talk about their implications for cyber deception strategy.

MailSniper, an email harvesting attack tool

MailSniper was presented by Beau Bullock. This is a penetration testing tool that enables attackers to search through Microsoft Exchange mailboxes for specific terms. Attackers will try to identify such things as passwords, intellectual property, and network architecture information within the contents of email. MailSniper is one of the most commonly used tools to automate harvesting of data or to facilitate the hacker’s ability to operate in the network.


Once Phineas Fisher compromised Exchange server data in the Hacking Team breach, he stated, “I have access to the email, the heart of the company”—his acknowledgment of how valuable email data can be. In addition to the Hacking Team breach, mining email was critical in the 2016 US Presidential campaign hack. During the campaign, WikiLeaks released 80,000 emails, including damaging material that suggested the Democratic National Committee was favoring Hillary Clinton rather than remaining neutral.

Knowing how tools like MailSniper work and what attackers are looking for enables illusive to create deceptions that undermine the functioning of these tools. Email deceptions—data-level deceptions—are real mail items containing false information to lure attackers, and are planted in the mailboxes of the organization’s users.

CrackMapExec, a post-exploitation tool

CrackMapExec (CME) was presented in the Arsenal by Marcello Salvati. CME is a post-exploitation tool written in Python that enables an automated security assessment of large Active Directory (AD) networks. CME abuses built-in AD features and protocols. Though meant primarily for offensive purposes, CME can also be used by blue teams to assess account privileges, find possible misconfigurations and simulate attack scenarios. CME has multiple embedded capabilities that support well-known methods used in several attacks, including:

  • RUAG: credential dumping and share enumeration. Security analysts discovered an APT at RUAG, a Swiss government-owned defense technology company. An analysis report notes that the attackers moved laterally through the RUAG network with credentials collected using various tools, including Mimikatz and ShareEnum, both of which are contained in CME’s capabilities.
  • Operation Cobalt Kitty: credential dumping and post-exploitation tools. Operation Cobalt Kitty was an APT that targeted a global corporation based in Asia to steal proprietary business information. The attackers’ arsenal contained modified, publicly available tools including Cobalt Strike, PowerSploit, Nishang, Mimikatz and others, which CME provides as sub-components or built-in functionality.


Let’s review three of CME’s capabilities:

1. Scanning for network shares using CME: 

"Python IP_RANGE_TO_SCAN -u Username -p Pass --shares"

This command generates a list of all the open shares and their permissions in the given IP range. Executing this scan with illusive in the network will create a false reality for the attacker; the list of shares will include deceptive ones that will lure attackers into the trap.

2. Listing logged-in users using CME: 

"Python IP_RANGE_TO_SCAN -u Username -p Pass --lusers"

This command extracts a list of all users that are logged in to the machines in the given IP range. With deceptions in place, an attacker could be led to believe that additional users are logged into the machine.

3. Dumping credentials for multiple machines using CME: 

"Python IP_RANGE_TO_SCAN -u Username -p Pass -M mimikatz"

This command extracts all available credentials from memory and from the credential managers of the machines in the IP range, including both cleartext passwords and NTLM hashes of logged-on users. When illusive is deployed in the network, CME will also extract deceptive credentials and hashes.

Deception techniques in illusive’s Shares and Windows Deception Families cover many of CME’s capabilities. An attacker who tries to map the network and its available shares will encounter fake shares from the illusive Shares Deception Family. An attacker who tries to dump credentials will encounter our Windows family deceptions.


GoFetch, for automation of lateral movement

GoFetch, presented by Tal Maor, is a tool that automatically executes a lateral movement plan generated by the BloodHound application. With BloodHound, any regular domain user can map an entire network and extract the precise path of lateral movement needed to obtain domain admin credentials. To reach the attack destination, GoFetch advances step by step along the attack path prepared by BloodHound, using Mimikatz and remote code execution techniques to carry out the plan.

Currently there are no publicly known attacks that have used BloodHound or GoFetch, but given the importance of lateral movement in conducting advanced attacks, these are critical tools to be aware of; they shift the advantage toward attackers unless new, proactive defensive approaches are taken.

In his talk at DEF CON 25, illusive’s Head of Security Research, Tom Sela, discussed illusive’s approach, which is to manipulate BloodHound’s data sources so that the graph it generates includes deceptions. In other words, illusive ensures that the paths to Domain Admins generated by BloodHound are tainted with deceptive information, such as fictitious high-privilege credentials or hosts. To shift the advantage back to the defenders, the same BloodHound graphs generated by attackers can be used to determine where and how to place bait with maximum effectiveness, so that any path to a high-value asset includes at least one deceptive set of credentials or host.
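As an added illustration of that placement idea (example code written for this post, not illusive’s or BloodHound’s own): a constructed BloodHound-style graph, enumeration of every path from a regular user to Domain Admins, and a greedy choice of the hosts on which to plant deceptive credentials so that no path avoids the bait. The relation names follow BloodHound’s edge types; the users and hosts are made up.

```python
from collections import Counter, defaultdict

# Constructed BloodHound-style edges (not real data): (source, relation, target),
# i.e. user -MemberOf-> group, user/group -AdminTo-> computer, computer -HasSession-> user.
EDGES = [
    ("alice@corp", "MemberOf", "HELPDESK@corp"),
    ("HELPDESK@corp", "AdminTo", "WS01"),
    ("HELPDESK@corp", "AdminTo", "WS02"),
    ("HELPDESK@corp", "AdminTo", "WS03"),
    ("WS01", "HasSession", "bob@corp"),
    ("WS02", "HasSession", "carol@corp"),
    ("WS03", "HasSession", "dave@corp"),
    ("bob@corp", "AdminTo", "SRV01"),
    ("carol@corp", "AdminTo", "SRV01"),
    ("dave@corp", "AdminTo", "SRV02"),
    ("SRV01", "HasSession", "da_admin@corp"),
    ("SRV02", "HasSession", "da_admin@corp"),
    ("da_admin@corp", "MemberOf", "DOMAIN ADMINS@corp"),
]

def computers(edges):
    """Computers are AdminTo targets or HasSession sources."""
    return ({dst for _, rel, dst in edges if rel == "AdminTo"} |
            {src for src, rel, _ in edges if rel == "HasSession"})

def attack_paths(edges, start, target):
    """Enumerate every simple path from start to target (iterative DFS)."""
    adj = defaultdict(list)
    for src, _, dst in edges:
        adj[src].append(dst)
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        stack.extend((n, path + [n]) for n in adj[node] if n not in path)
    return paths

def plan_bait(paths, hosts):
    """Greedy set cover: choose hosts to plant deceptive credentials on
    until every attack path crosses a baited host (ties break by name)."""
    uncovered = [set(p) & hosts for p in paths]
    chosen = []
    while any(uncovered):
        counts = Counter(h for hs in uncovered for h in hs)
        best = sorted(counts, key=lambda h: (-counts[h], h))[0]
        chosen.append(best)
        uncovered = [hs for hs in uncovered if best not in hs]
    return chosen
```

On this graph three paths lead from alice@corp to Domain Admins, and bait on just SRV01 and SRV02 intersects all of them, so any attacker following BloodHound’s route dumps a decoy before reaching the real target.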

illusive continually researches attack tools to create tailored deceptions that counter their functions. An important distinction of the illusive networks solution is the quality, breadth, and effectiveness of the deceptions we create. We maintain 15 “families” of deceptions, which are planted across all elements of the infrastructure—endpoints, servers, networks, data and applications. If you’re interested in hearing more about illusive and our approach to deceptions, register for our upcoming webinar.