The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#9 Red Teaming & Malware Development ft. Nathan Rice
In this conversation, Kyser Clark interviews Nathan Rice, a senior penetration tester, about his background and experience in cybersecurity. They discuss the differences between penetration testing and red team operations, the importance of starting with penetration testing before moving to red teaming, and the challenges and rewards of obtaining certifications. They also touch on the skills required for malware development and the importance of staying up to date with evolving techniques. Nathan shares advice for aspiring red team operators and emphasizes the need to be proactive and not be afraid to ask questions.
Connect with Nathan Rice: https://www.linkedin.com/in/nathan-rice-b52209123/
Takeaways
- Penetration testing and red team operations have distinct differences, with red teaming requiring more patience, stealth, and intent to emulate real-world threat adversaries.
- Starting with penetration testing before transitioning to red team operations is recommended, as the skills learned in penetration testing translate well to red teaming.
- Obtaining certifications in cybersecurity, such as OSCP and OSEP, can be challenging and may require multiple attempts, but they provide valuable knowledge and recognition in the field.
- Malware development skills are important for red team operators, as having the ability to create custom tools and bypass EDRs is crucial for success.
- Aspiring red team operators should not be afraid to ask questions, be proactive, and not get caught up in analysis paralysis. Getting caught is part of the learning process and should be used as an opportunity to improve.
- Moving with intent and being able to think creatively are essential skills for red team operators, as they need to constantly adapt and find new ways to bypass defenses.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
[Kyser Clark] (0:00 - 0:06) When you're doing a red team engagement compared to a penetration test, do you feel more like a threat actor at that point?
[Nathan Rice] (0:06 - 0:21) Oh absolutely, that is the real, the best cure to imposter syndrome I think I've ever had was if this were a real phish and this were real everything, like if I was actually a bad guy, I'd be like a millionaire right now. The company was thrilled with us too, they loved it, and I was like, okay, I did some good.
[Kyser Clark] (0:21 - 0:27) How much malware development does a red teamer have to know? Can you get by by not knowing how to develop malware?
[Nathan Rice] (0:27 - 0:31) I would say you can get by, but you're going to have a really uphill battle with it.
[Kyser Clark] (0:31 - 2:07) Hi I'm Kyser Clark and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Hello, hello, welcome to The Hacker's Cache. My name is Kyser Clark, the host of the show. I have six years of experience in the field.
I currently work full-time as a penetration tester. I have 12 certifications, a bachelor's degree in cybersecurity, and I'm currently working on a master's degree in cybersecurity. Today I have Nathan Rice, who started out as a SOC analyst and did that for almost two years, then migrated to full-time penetration tester and did that for just over a year, and in the current position he is a senior penetration tester and he's been in that position for almost two years.
For education, he has a bachelor's degree in information systems and technology, and for certifications Nathan has the Zero-Point Security Red Team Operator, so that's the CRTO, Zero-Point Security Red Team Lead, which is the CRTL, OffSec Exploit Developer, that's the OSED, OffSec Experienced Penetration Tester, that's the OSEP, OffSec Certified Professional, that's the OSCP, OffSec Wireless Professional, OSWP, and the INE Security Junior Penetration Tester, that is the eJPT.
So Nathan, go ahead and walk through your background, unpack some of that experience, and introduce yourself to the audience.
[Nathan Rice] (2:07 - 3:32) Hey thank you for having me on. I'm Nate Rice. Yeah got my bachelor's degree back in 2018 I believe, late 2018, on information system security. Then I started out as a SOC analyst from there as my first job, mostly just for tuning EDR, going through, you know, phishing emails, the whole nine yards there, pretty standard SOC stuff from there.
While I was in college, actually, the head for the cybersecurity program there and I bonded. I had just some stuff going on in my personal life and he just kind of happened to be like, you know, like he helped like the youth groups and did a lot of good work for the community so he and I kind of, he helped kind of get me through some stuff. So it still led me into cybersecurity from there because at first I just wanted to be IT didn't really have a whole lot of pathing from there. So he introduced me into the world of offensive security where he showed me Offensive Security's certified professional and a few of the other certs for hacking, so to speak.
So I got super involved in those while I was a security analyst, got through a few of them, and pivoted into penetration testing from there. From there on I started focusing mostly in malware development just because that's really what my team needed at the time as we were getting gobbled up by EDR. A good chunk of the time I took the initiative to start learning that in malware development. From there on I just kind of kept going with it and I also began focusing on Android mobile apps from there.
It's kind of a little side mission when learning things from there. Currently, I'm a senior penetration tester at Verizon with the Threat Research Advisory Center there where I do a combination of penetration testing and red team operations.
[Kyser Clark] (3:33 - 3:36) So what does red team operations look like compared to penetration testing?
[Nathan Rice] (3:37 - 4:33) So penetration testing is kind of kicking the door down and we're just finding as many bugs as possible. We don't care about our noise, how loud we are, if we're triggering like security alerts from like Defender or like EDR. Whereas red team operations, we have to take our time, be slow, we're really doing our best to emulate a real-world threat adversary, and from there we actually have to, if we get caught, the blue team can kick us out of the network, they're actively hunting for us.
A lot of the time security analysts and blue teams don't even know we're doing a red team. To them we're just real adversaries. So we have, there's an element of stealth and moving with intent that goes on with a red team operation that you just don't get with the penetration test.
Usually we're moving towards objectives, so that's compromising PII, ransomware in the domain, getting access to like secret files or like sensitive information. It kind of varies day to day or op to op of what we're going for. We move a lot more intently with the red team.
[Kyser Clark] (4:33 - 4:59) That's a very important clarification to make. A lot of people don't understand penetration testing and red teaming and what the difference is between the two, so that's why I wanted you to talk about that for people that didn't know. When it comes to like penetration testing and red team operations do you think one has to be a pen tester before they can become a red team operator or do you think someone can go straight to red team operations if that's where they wanted to go?
[Nathan Rice] (4:59 - 5:46) You should definitely start with penetration testing before you go into red team operations, if we're ignoring all the physical penetration testing and just sticking strictly to the network-based. Red teaming is just penetration testing with moving more intently, so the skills translate very well. It's just a lot more patience and just being very careful and just knowing what we call saturation level whenever we're working. So, oh, this command might trigger an EDR alert or some kind of alert somewhere on like a SIEM, and just knowing how to work through those, past those. Whereas penetration testing, you know, you're not concerned with that, you can just run the command. It's just moving it, you're running the same commands and doing the same steps, just more in a stealthy manner, just knowing what you're doing to kind of sidestep things.
So yeah, penetration testing is a good start. Red teaming is just the same thing, but it's moving more, like I said, more intently, so to speak.
[Kyser Clark] (5:47 - 5:58) Right, and what would you say to people who are currently a penetration tester and they're looking to become like a red team operator? How does one acquire the skills to go from pen tester to red teamer?
[Nathan Rice] (5:59 - 7:02) Certifications are a big step there. If you're already a penetration tester and you're wanting to red team, you're already 80% of the way there. You probably know what to do in a penetration test. Say your objective in the red team is to get domain admin, you probably already know how to get domain admin if you're a penetration tester and you've looked at Active Directory. It's just kind of knowing what to, like, how to operate one within a command and control server, because usually we're more focused in command and control that way and persistence, and it's just knowing how to do things where, like, things like Defender for Identity or like EDR wouldn't pick up on. There's courses for it as well. Like I did, I'm sure this will come up later, but I did the Zero-Point Security's red team ops and the other red team ops too for the lead, and it does a good job about showing you the differences, so to speak, versus like doing like the penetration testing with Kali course, for example, where you're just moving more intently and knowing, oh, this creates a, this creates an event log for Defender here if I run it this way, but if I go another route something might not create that alert, so a blue team might not be as clued in to activity.
[Kyser Clark] (7:02 - 7:23) Speaking of certs, so you have like a bunch of them, and you have some of like the higher, higher level ones. So I was looking at yours, and like, like my highest certification is OSCP, and that's like in the middle of your stack, so you have like tons above that. And I'm just curious, you know, did you pass all your certs on your first try? How many times, how many times have you failed certs, and what was the hardest challenge to overcome?
[Nathan Rice] (7:23 - 11:11) Yeah, absolutely not the first time, no. That's just the nature of the beast with OffSec stuff, they're a beast to tackle. I think my OSCP took me four or five times if I'm remembering right, and this was all during the pandemic at the time. I believe I passed it in 2019, the OSCP. I passed the OSWP, I meant to test at 3 p.m. and I tested 3 a.m. because I misclicked the portal, so I was just dead tired taking it. It was not, that was not a fun experience. Fun course, not a fun experience. Both the red team ops courses were pretty straightforward, I passed them first try, they were excellent experiences, can't recommend them enough, they're fantastic. OSEP took me two times as well, thankfully not five times like the OSCP. I got really stuck early on some of the more initial access techniques with OSEP, I didn't understand very well the first time I went through it, so I got stuck pretty early, and then I had some just family stuff going on, so my head wasn't in it the first attempt.
Second attempt OSEP, you need 10 flags effectively to pass, or a special secret.txt one, unless they've updated it since I've taken it, but I believe I got the first nine flags in about eight hours on my second attempt. Got stuck on the last flag, could not figure it out for the life of me, went to bed, wrote the entire report minus that flag. As I was eating dinner the next night, to the 48-hour practical exam, it hits me like, oh wait, maybe it's this, and it was. So then it was just like add three screenshots to my report, send it into OffSec, I was done for the day, and I was two days on that. So OSED was absolutely the hardest one of the ones I have so far. That's Offensive Security's Exploit Developer, which is the old OSCP buffer overflows but just on steroids. They start throwing data execution prevention, which prevents you from doing, you know, jumping to the stack and executing, ASLR for example, which randomizes addresses in memory, and it's just getting around a ton of 32-bit Windows mitigation techniques to understand buffer overflows and, you know, in-memory attacks for 32-bit apps. That course was insane, good knowledge, good course, really hard exam. Without getting too specific with it, it's a 48-hour practical exam. It took me, I believe, the entirety of a day to get through the first, I would say the first good chunk of it. I tried to take some melatonin to sleep later that night, it just made me loopy, like I was so out of it because I was so stressed out just thinking about the course. I don't think, I don't even think, I think I slept maybe three hours the entire time. Got back up, got a quick shower, got back at it for the next little bit of it. Accidentally deleted like half my work about three quarters of the way through, for that, for the second part of it, had to start from scratch again. Lost power because of a storm for about three hours, I thought for sure the proctors would kick me out. Power comes back on after about 30 minutes of it being out, like, like three hours through the second half of doing it and figuring it out for the most part, part of my VM corrupts. Luckily I've been taking, you know, cloud backups, but I'm out about 10 minutes worth of work. I do it again. At this point it's like four in the morning from day two, I've not slept at all, I'm just jerking around just horribly, like barely, I'm like dizzy. Get everything I need, write the report. At like four, I start the report at four in the morning, my test terminates in five hours, so I hurry up, get that done. I think I submitted, like my test ended like 9:30, I think I submitted my report like 9:20, and then I couldn't sleep because of all the nerves, like, oh, what if I forgot something, what if I forgot a screenshot, what if I didn't do something right. And I think I got the pass email two hours later. I mean, I don't care what anyone says, I tried harder on the OffSec ethos on that one. That was the most painful certification experience I've ever had. I told myself, if I didn't, I told myself it just wasn't meant to be if I failed that one, because I was not doing that a second time. Well, it took a year off my life.
[Kyser Clark] (11:11 - 12:44) What an incredible story, that's so many challenges. Like that's like, you know, all the extra, like it's hard enough without all the problems, and you had all the problems, and you really did try hard. That is incredible. Yeah, OffSec certs are definitely no joke, and that's why I asked that question, because there's a lot of people in our field that pursue the OffSec certs, and you know, you don't, you don't pass them all on your first try, and I think it's important for people to understand. So you're talking about the OSEP, I went through that course twice, and I didn't even go to the challenge list because I didn't feel confident in my ability to, to start that. So, and then there was a need for me to learn web hacking, so I went to the OSWA, that's the OffSec Web Assessor. I failed that one twice. The first time I actually started that course, or the exam, and I didn't really feel like 100% confident, but I was like, you know what, I got OffSec Unlimited, which really helps because I got unlimited retries, so like if I fail, it's, it's whatever. Because I heard someone in the Discord was like, the best preparation for the exam is the exam itself, because unfortunately that exam, or sorry, that course only has eight challenge labs, challenge machines, and that's what made it hard in my opinion compared to like an OSCP where there's like, you know, right now there's like 54, 50-something challenge boxes. And I passed my OSCP on the first try because there was 54 challenge boxes, but then OSWA there's only eight practices, and, and then I failed twice. But that's why I asked that question, because they are extremely difficult, and I, you know, I want to get some higher, more OffSec certs under my belt, and I fully expect to fail, and there's no shame in failing OffSec.
[Nathan Rice] (12:44 - 13:08) Yeah, absolutely, nothing wrong with that. It's expected, if they're, everyone thinks they're hard. I mean, I know seasoned professionals who think they're hard. I mean, I question if I can even pass the OSCP again if I take it, and I've been doing this for years. So yeah, absolutely zero shame in failing the OffSec stuff, just as long as you pick yourself up and keep going. That's really, that's all there is to it.
[Kyser Clark] (13:08 - 13:44) That's great advice, and that's why I asked that question, because that's, you know, so someone who's aspiring to, you know, I got the OSCP on my first try, but you know, I don't expect to get the other ones on the first try. Like I said, I've already failed OSWA twice now. So let's go ahead and, let's do a rapid fire round. Are you ready?
[Nathan Rice] (13:45 - 13:53) Yep, ready for the rapid fire questions.
[Kyser Clark] (13:53 - 14:02) Alright, for new listeners slash viewers, Nathan will have 30 seconds to answer five questions. If he answers five questions in 30 seconds, he will get a bonus sixth question that's unrelated to cybersecurity. The time will start after I finish asking the first question. Here we go. Okay, what is your favorite place to get cybersecurity news?
[Nathan Rice] (13:45 - 13:53) Uh InfoSec Institute or just Twitter.
[Kyser Clark] (13:53 - 14:02) Best hacker alive today?
[Nathan Rice] (14:03 - 14:13) Uh Tiberius is up there but Morten is Schneck as well.
[Kyser Clark] (14:13 - 14:41) Ethical hacking art or science?
[Nathan Rice] (14:03 - 14:13) Science.
[Kyser Clark] (14:03 - 14:13) Most overrated cybersecurity threat?
[Nathan Rice] (14:03 - 14:13) Shoot that's a good one AI.
[Kyser Clark] (14:13 - 14:41) Most memorable hacking experience?
[Nathan Rice] (14:03 - 14:13) The first time I ever got RCE was on a chili cook-off form.
[Kyser Clark] (14:13 - 14:41) I think that was about 32 seconds, that was just, that was just past the 30 second mark. That was close. I think if you would have just, if you wouldn't explain on that last one, I think you would have got it. But good responses though, man. I think my most, my favorite response you gave me was most overrated cybersecurity threat being AI. I want you to talk about that. Why do you think it's overrated?
[Nathan Rice] (14:41 - 15:36) I think a lot of people really overanalyze what AI is capable of at the moment right now. AI has kind of been, explicitly how I explained it to people who aren't in the field at all is, it's kind of like we were able to program an idiot to respond to things, and for some reason every company so far has just been like, let's put that in everything, even when sometimes it doesn't belong. And I don't think there's necessarily severe issues with your security and AI right now, because I know AI security is a big thing and topic right now, and I think it's just really just making sure, you know, it's just prompt security and just not being able to massage things. It's more, there's a fine line between quality assurance and security, and I think AI is a little too new to really have a strong distinction yet. I don't think AI is quite there where everyone thinks it is yet. Like the prompts and responses for a lot of the models are good, but I don't think it's just going to print its own private key, or we're not getting into like WarGames or Terminator with it anytime soon like some people think.
[Kyser Clark] (15:36 - 15:55) Yeah, I don't think, like you said, like WarGames and Terminator, I don't think that's going to happen soon. However, I don't know if you heard about it, but like Samsung developers, that, you know, they placed some source code in ChatGPT, and then like the whole world knew about it. Do you not think that's like a high cybersecurity risk?
[Nathan Rice] (15:55 - 16:13) I mean, it is, but it's not like, how is it anything different than like uploading stuff to like GitHub at the end of the day? It's more so just knowing data privacy for your developers and they're not uploading things that, I knowingly share data, you know, I mean, if I, if I put code at a GitHub repo and leave it public on accident because I didn't read, like, is it, who's a, is it AI's fault, or is it the developer's fault for leaking it?
[Kyser Clark] (16:13 - 16:58) That's a good point, yeah. So, so you're saying that we should, you know, it's not really a security risk, it's more of like an end user responsibility to not put your personal information and secure information in a bot. Yeah, it's not reading the terms of service at the end of the day at that point. Okay, yeah, I see what you're saying. Yeah, you're, you're absolutely right, you know, because at the end of the day we are responsible, because we don't have the AI, you know, ChatGPT signed a non-disclosure agreement. Like, we, you know, if we could do that somehow, then, then that would be interesting. But yeah, definitely, it is important to know, like anything you put in a chatbot, like just assume the world's gonna know that about you, so don't put anything too personal in there, or like don't put like proprietary data on there, right? They tell
[Nathan Rice] (16:58 - 17:02) you in the terms of service and you know what they're gonna do you just gotta read it.
[Kyser Clark] (17:02 - 17:12) Yeah, I'm not gonna lie, I haven't read any of that stuff. I just, I just hear the, the security vulnerabilities, like on the news, like, oh, Samsung developers put source code in ChatGPT, now we have the source code.
[Nathan Rice] (17:12 - 17:17) I'm like, whoa. Oh, I didn't, like, oh, I didn't read it either, I had ChatGPT summarize it for me.
[Kyser Clark] (17:21 - 17:40) That's great. I want to get back on the topic of red teaming and pentesting, because you do both, and it's really nice to know like the differences between the two, and especially me as a pentester who doesn't do red teaming. You know, my, my goal is eventually do some more red team operations, because I think it's more fun. Do you, would you agree with that?
[Nathan Rice] (17:40 - 18:47) It's more stressful, but it's more rewarding at the same time. It's just, to get domain admin on a pentest, I have got a little numb to anymore, but getting domain admin on a red team is something special, to know you went the extra mile, you're undetected, you beat EDR, you beat all the SIEM traffic, none of the analysts saw you. It's so much more rewarding, and the tradecraft for it's just evolving every single day. A lot of the pentesting hasn't, I don't want to say it hasn't come very far, because it absolutely has, but it's a lot of the same old, same old of, okay, they left LLMNR on, I relayed, I got on, there's DA running as a service, you know, just some stuff like that. A lot of those look the same, but like red teams are pretty different every single time. It's like, oh, okay, they're running, you know, best EDR on the market. Okay, I just wrote this, uh, this loader two weeks ago, let's see what happens. Okay, cool, beacon checked in, we're in, holy crap, that never happens. Or, oh, they gobbled us up the first time, and the SOC locked our account like within 30 seconds. Okay, it's gonna be one of these tests. It's, it's so rewarding when we actually do get through.
[Kyser Clark] (18:47 - 18:51) So when you're doing a red team engagement compared to a penetration test, do you feel more like a threat actor at that point?
[Nathan Rice] (18:51 - 19:37) Oh, absolutely, yeah. There's, if you ever, like getting my first red team win. I'd say with my team we get more wins than losses at this point, I wouldn't have exact metrics, but we win pretty often. But it's like, that is the real, the best cure to imposter syndrome I think I've ever had was, okay, if this were a real phish and this were a real everything, like, okay, if I was actually a bad guy, like I'd be like a millionaire right now, if we were, if we were actually moving with intent. And that, like, I, that was the best cure, honestly, just to, not to repeat myself, best cure for imposter syndrome I ever have. Like, like, okay, cool, we actually did it, all the training and stuff paid off. Well, I actually, like the company was like thrilled with us too, like they were, they loved it, and I was like, okay, I did some good. I got to, you know, I made it, this is, this is great.
[Kyser Clark] (19:37 - 19:43) Essentially, as you bring up how the company reacted to your success, how did the blue team react to your success?
[Nathan Rice] (19:43 - 20:53) We always make sure to include some like good things they did at the same time. So there's a few times that they definitely like probably cued into it, because we had, our persistence was really good on a few of the tests, so they got a couple of us, but they didn't smack them all the way. But we, you know, we walked them through, we did, we showed them the techniques. The EDR, we have another team that kind of helped tune the EDRs to get certain alerts and make sure they're actually getting everything. And we found out at the end of the suite, ransomware, and like their ransomware prevention was so just messed up that if this would happen for, for real, they would have been down for like days. So we, you know, decrypted all the test stuff, and you know, that could have saved, that could have really saved them someday in the future, not having all that set up right, and to find that was a huge value for them. And that was like a real cement, it was like, okay, I'm where I'm supposed to be right now. Just, you know, you're getting all the, like hearing the praise from the team, of the client and the rest of the team, for all of that. Like, you're there to break stuff, that's kind of what you're supposed to do. So like, you know, we, don't be shy when you're talking to the client, because like you're there to find things. If you just tell them, nope, you're good, that can be valuable at times when they truly are good, but you're also, you know, don't be afraid to tell them, oh yeah, we're domain admin, because that's literally what you're there for.
[Kyser Clark] (20:53 - 20:58) So you do, so you have multiple clients? Is that how you're kind of set up in your organization right now?
[Nathan Rice] (20:58 - 21:13) Pretty much, yeah. We have a new one probably every two weeks, month, two months. The operations kind of vary in length, but they go kind of all over the place, but it's very rarely, is it the same client twice or more than two or three times.
[Kyser Clark] (21:13 - 21:40) Okay, that's actually one of the things I was going to ask, was like if you had a repeat client, and you have a successful red team engagement, and you, you know, like you said, like a huge one where you get domain admin, you went through the SIEM, you went through all their incident response, all that stuff, and you have to tell them, you have to tell them exactly what you did so they get better. Is that like, going in for the next round, like if you have a repeat client, is it, I'm assuming it's a lot harder, because you basically just told them all your techniques, right?
[Nathan Rice] (21:40 - 22:12) Not all this, not always. Sometimes we find another route, sometimes, you know, they didn't fix it, but more times than not they did, and it's, it's always really nice to see when they did. It's always a test of skill from our team as well, whenever we go in, we run them over, they are a lot better the second time around, thanks, you know, thankfully to our recommendations. And then it's like, okay, it's game on now. Okay, now we're, we're back to square one, not square one, but okay, it's okay, game on, let's see where it goes. It's always, it's just nice to see, wherever, seeing, you know, clients improve, plus, as you know, I said, nice test of skill for us at the same time.
[Kyser Clark] (22:12 - 22:49) Yeah, that sounds fun. I'd really, that's one of my goals, is to get into more red team engagement stuff. Like you said, it's nice to see the clients, you know, fix the stuff, because as a pentester, like I would get on a test, and you know, I would see the last year report, and the same findings are still there. You're like, why did you not fix any of these stuff? And then I have to put the same findings on the next year report, and that's, that's frustrating as a pentester. You're like, like, yeah, I have findings here, but at the same time it's like, I, you know, you should be, you know, fixing these.
[Nathan Rice] (22:49 - 23:01) Yeah, I was just like, finding new stuff too, because whenever I find the repeat stuff, I feel like I'm just copying someone else's homework, right? It's like, oh, someone else found this, I'm just repeating it, I'm just going, yeah, it drives me nuts. It's nice to find new stuff.
[Kyser Clark] (23:01 - 23:19) Yeah it doesn't feel good when you're just like copying pasting from the last report and then you're putting it in this report it makes you feel like you didn't do anything.
[Nathan Rice] (23:01 - 23:19) Yeah I just feel like I wasted everyone's time at that point.
[Kyser Clark] (23:01 - 23:19) Yep. So blue teamers, if you're listening, if you get a, if you get a report, pentest report, red team report, fix your stuff. Blue teamers, you can turn on SMB signing, it is possible, I promise. It's probably, it's possible, not easy, but possible.
[Kyser Clark] (23:26 - 23:36) So, you talked about malware development. How much malware development does a red teamer have to know? Can you get by without knowing how to develop malware?
[Nathan Rice] (23:36 - 26:00) I would say you can get by, but you're going to have a really uphill battle with it. Occasionally, a new loader will come up on GitHub, but usually within a couple days, EDRs are starting to signature it. Having your own tooling off the shelf that you can use just to pull out of your back pocket to get command and control is critical in today's red team world. I started off getting all my malware development skills with the OSEP from OffSec, and I just fell in love with the malware sections of that course. It was just so fun trying to get around Windows Defender and just get different techniques to load and just getting that Meterpreter checked in, whatever it says, like this, I get it in Cobalt Strike mixed up with that checked in, but they're just so interchangeable anymore to me. Just to see it check in, Defender's on, everything's on, but just like addicting to me. So, I just got super into it and just learning new techniques. Once you have that base, you kind of know where to go from there. The EDR evading payloads and the ones that are taught in OSEP are not that different. There's just a few little tweaks to it. Just for an example, OSEP teaches a little bit about it and it's using pretty traditional Windows API calls where there's just to get around EDR, if you just change to like syscall, like indirect syscalls and just use the same calls, just skip a few steps and just do everything straight from ntdll.dll and do syscalls from there and just not call it directly from kernel where it's signatured in an EDR, for example, then you're through. The principle is the same, it's just how you actually go about it is just mildly different. It's a good test of just being able to think on your feet as well when you're writing malware because you're doing the same action, you're just having to do it differently and get creative with it. Sometimes you win, sometimes you lose. 
That's just the cat and mouse game of malware development between the blue and red team as is. That's okay if they catch it. Nothing's bulletproof, and the EDRs are getting better every day and they should, they're keeping us safe at the end of the day. I just recently got into a MalDev Academy subscription. I saw it on Twitter, a few big-name guys run that, and that's been amazing for malware development. For any of the listeners, MalDev Academy subscriptions are fantastic. I would absolutely recommend them if you're looking to go that route with it or start experimenting around with it. Even for the blue team, just to be able to write some malware and look at it with your EDR and start signaturing techniques, that's a godsend to your organization overall, just to have more eyes on the processes and what they're doing.
[Kyser Clark] (26:00 - 26:40) The main takeaway I got from that was, because like I said, I was going through the OSEP course and like you say, you would learn how to bypass Windows Defender and some of the off-the-shelf antivirus products out there and you'll bypass them, and that is, you're like, oh my gosh, this bypassed Windows Defender and this bypassed the AV that I was running on my host machine. I was like, this beat my AV, I'm like, oh my gosh, this is dangerous. I guess I was under the impression that course was, it's not going to be EDR, the payloads, the techniques they teach you, but you're saying those techniques, if you take those and tweak them, then you can bypass them.
[Nathan Rice] (26:40 - 27:34) Absolutely, yeah. Most of the malware is basically open a chunk of memory, stick some instructions in it, and execute it. That's kind of an oversimplification, but that's what you're doing. You just got to get creative on how you open the chunk of memory, how you copy instructions to it, and how you execute them. Just doing stuff like syscalls or trying to obstruct the memory page, whether it's a local process or remote process, you can play with different techniques of that and it's going to run eventually. It was such an eye-opening experience for me when I was a SOC analyst going through OSEP at the time because it's like, oh, our EDR will catch it, our EDR catches everything. Oh, our EDR does not catch everything. Oh no. Oh, we got to tune this. Oh no. That was such an eye-opening, I think that was really like when I went from junior to senior, it was that moment of realization of, oh, this is not bulletproof and just having that real eye-opening experience of, oh, we have to tune this, we got to really proactively keep an eye on this.
[Kyser Clark] (27:34 - 27:40) I want you to talk about uploading your malware to VirusTotal and some of those.
[Nathan Rice] (27:40 - 28:48) Never do that. Yeah, never do that. You're tattling on yourself. Never do that. They're going to be on there eventually. If you're running a payload against EDR, it's just going to cloud upload that, just the name of the game with it. I mean, it happens, but yeah, don't tattle on yourself at that point. The other original course I think taught using like AntiScan, but that's behind a paywall now, which is a shame because I used to use AntiScan a lot, but nowadays it's just better off just testing live. Just have a box that doesn't have internet access to detonate your payload and just have it go straight to you. Don't have any redirectors or jump through things, just straight, just team server or an interpreter server and box on the same network, just have it go straight to you. Make sure cloud uploads are disabled, make sure it doesn't have internet access so telemetry doesn't get through to the actual EDR provider. Then that's effectively how we're testing from there and just update it every now and again. The signatures period, just give it internet access or just revert, give it internet access from a snapshot, give it access, update the EDR, turn the internet back off. The cloud solutions or the website scanning solutions are just not worth running at this point.
[Kyser Clark] (28:48 - 29:00) When it comes to malware development, programming and coding is a skill that you have to have. What languages should someone really understand to create malware that's going to bypass EDR and stuff?
[Nathan Rice] (29:00 - 30:28) I'm a bit biased just because I do a lot of Nim work, but I think Nim has been a great malware language so far. It writes like Python, compiles like C, and it compiles ugly. It's really hard to get a good analysis on Nim payloads. Assembly is pretty handy to know as well because a lot of the malware techniques use, especially when you start getting really messy with jump calls and doing things like Heaven's Gate, for example, you need some assembly knowledge to know what's going on with that. Plus it's just good to be able to look at some of the assembly anyway and know what this is doing. I started out with C# and Python with my programming. They're both pretty simple, they have a pretty good learning curve from there, and then moving on to some more niche ones like Nim, Go, and some assembly are generally useful. Those are what I generally recommend because the goal of malware is you want it to be not picked up by signature checks. For Defender to signature you right out the gate, it needs to be portable. If the client's not running Java on their computer, you wouldn't want to write Java malware and drop it because it's not going to run. The same with Python. It has to be somewhat easy to write. You don't want to sit there and struggle with syntax while writing the malware instead of actually detonating it. You need portability, ease of writing, and some level of obfuscation when it's dropped. If they compile kind of ugly, then that's generally pretty desirable as well. Nim and Go are great examples of those two.
[Kyser Clark] (30:28 - 30:43) Okay, yeah, thanks for that. I never even really thought about Nim, so that's good to know. Someone like me who wants to eventually get the OSED and the OSEP, do you think there's an order of importance with if you want to get both of those, do you think one should come before the other or does it not matter?
[Nathan Rice] (30:43 - 31:14) If your goal is red teaming and penetration testing, EP is infinitely more useful. ED is a great course on its own, but I don't use the knowledge in that very often in my day-to-day. I'm just really wanting for the OSCE3, just kind of a rite of passage. I think I wasn't really in the space when the OSCE was around, so I just feel like it's got a bit of a rite of passage to get that. I had a little bit of a malware analysis background anyway just through some internships and such, so a lot of those skills in OSED were familiar. It was just putting the exploit twist on it.
[Kyser Clark] (31:14 - 31:25) You said you're not using your OffSec Exploit Developer skills day-to-day too much. Explain what that course is and what you actually learned and who it would be applicable to.
[Nathan Rice] (31:25 - 33:04) Yeah, so the Offensive Security's Exploit Developer is 32-bit Windows application exploitation. You're taking a compiled 32-bit app and you're just kind of getting a buffer overflow on it. You're running analysis on it, and you're also going to be bypassing a lot of Windows mitigations built into your memory stacks. If you do the OSCP, at least when you used to, there was a buffer overflow section where it would walk you through essentially attacking its application's memory and being able to get remote code execution on it. It's just that times a hundred because now you have to get around all of the common Windows mitigations for that as well as being able to identify them without any kind of source code whatsoever. That course is focused more on exploit research and exploit development. It's kind of a stepping stone between nothing and their Offensive Security's Exploitation Expert course where you're just looking at compiled applications, digging in the weeds of its assembly instructions and finding vulnerabilities. As a penetration tester and red team operator, very seldom do I hunt for zero days unless it's an application-specific test. If I'm on an internal network and it's a thousand hosts on an Active Directory network, I don't have time to sit there and reverse engineer an app. I gotta find as much as possible and that's just a lot of the time off-the-shelf exploits and vulnerabilities. It can't be helped for the sake of time. Not that there isn't a place for that course because it absolutely was a great course and exploit research is a growing field. As a penetration tester and red team operator, we don't use that skill day-to-day very much.
[Kyser Clark] (33:05 - 33:18) Okay, that's really good to know and that's something I didn't know, so thanks for answering that. Unfortunately, we're out of time, so I want to ask you the final question. Do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share?
[Nathan Rice] (33:18 - 34:15) I think the best thing I can give, just some generic advice for someone who's wanting to aspire to be red team, don't be afraid to jump in. It's red team, not red person. Don't be afraid to actually do things and ask your team, "Hey, what if we do this exploit here?" because your insight might be pretty valuable. One of the best penetration testers I know just started red teaming with us. He shifted from just doing senior penetration testing work to beginning red team. His knowledge wasn't impeccable, it's just knowing how to spin it to move intently and how to get a very stealthy manner with it. Don't be afraid to ask questions and don't get analysis paralysis. Don't be afraid to get caught because we're just going to get caught sometimes. It's just the nature of the beast. It's cat and mouse. You can't win every single time with that, so don't get analysis paralysis. Don't not be careful with the assumption of, "Well, if I get caught it doesn't matter," because that's not what I'm saying. I'm just saying don't be afraid to try things because sometimes it might just stick.
[Kyser Clark] (34:15 - 34:43) Yeah, you said moving with intent. That is definitely a skill that in itself, you can have a bunch of knowledge but if you don't know how to apply it then it doesn't really matter. So, moving with intent, that is a good way of putting it. Alright Nathan, well thank you so much for your time. Thanks for doing this session with me. I learned a lot here and I'm sure the audience did as well. Where can the audience find you if they want to get a hold of you, if they want to connect with you?
[Nathan Rice] (34:43 - 34:48) I would say the best places to get a hold of me are the InfoSec Prep Discord servers. That's discord.gg/infosecprep. Just ask for possum, I'll be around.
[Kyser Clark] (34:48 - 35:05) Perfect. Audience, best place to get a hold of me is on my website kyserclark.com. If you enjoyed the episode, check out another episode and drop a review if you haven't already. Thank you so much for watching, thanks for your attention. This is Kyser signing off.