Event RPE-001: The Chameleon and the Snake

THIS EVENT IS COMPLETE. THANK YOU FOR YOUR PARTICIPATION AND SUPPORT!

Date: September 17-20, 2018 | Location: UMBC Training Center in Columbia MD

See updated scores here!

Check out photos from the RPE-001 Social here!


Overview

This RPE specifically targets malware signature diversity and signature measurement for Microsoft Windows (x86 and amd64) in a simulated operational environment at a realistic pace. We want to challenge participants to:

  1. As an 'attacker', create (through integration, enhancement or from scratch) a single tool for altering the signature of an operational tool for Microsoft Windows without changing functionality
  2. As a defender, create (through integration, enhancement or from scratch) a single tool for the fully automated classification of an unknown Windows Executable as malware/benign, variant of known sample, attributed to known group (based on previously established knowledge)

This RPE will be treated as a force on force exercise where each side has a specific goal:

  • DEFENSE – The Good Guys are a team of 3-5 computer network defenders, malware analysts and live forensics experts who specialize in Microsoft Windows. They are no strangers to programming and understand C#, C/C++ and Python/Ruby. They know the traditional malware analysis tools such as Cuckoo Sandbox, Wireshark, ssdeep and the Capstone Disassembler.
  • OFFENSE – A fictitious hacker collective, a team of 3-5 individuals who specialize in malware, the Microsoft Portable Executable format, the Windows API, malware techniques and malware communication.

Each side should select a leader, but we explicitly leave this decision up to the participants. DreamPort personnel will act as exercise control (EXCON), operating in a manner that ensures each side gets the information and inputs it needs and evaluating the outcome without unduly influencing either side. We suggest that this RPE exclude commercial products, but we welcome commercial participants so long as they do not violate company NDAs or Acceptable Use Policies by using trade secrets or patented technologies.

Details

DEFENSE is under constant cyber-attack from its enemies, including OFFENSE. It is bombarded with threats 24x7, some of which result in successful intrusions into the DEFENSE network, known as HQ. HQ is a sensitive environment consisting of virtual and bare-metal machines (no more than 20 endpoints) that is supposed to be disconnected from the Internet but unfortunately is not. Because there are illicit and undocumented Internet connections, these threats may leave behind remote access trojans and other malware samples, on disk and in memory, on multiple mission-critical Microsoft Windows 7, Windows 10 and Windows Server 2012 stations within HQ. These trojans are sophisticated enough to call out for command and control (C2) instructions when DEFENSE is not expecting it. DEFENSE employs a team of experts who have access to any open source tools they need for malware and intrusion analysis, but there are too many hosts, too many threats and not enough time.

In this challenge, we will pit DEFENSE against OFFENSE. OFFENSE will be given a series of Windows malware samples sourced from across the Internet to work with. DEFENSE will be given a small subset of Windows malware sample files that were previously attributed to OFFENSE. The job of OFFENSE in this RPE is to build upon existing known packer tools and libraries (or start from scratch) and create a single tool capable of modifying any Portable Executable file (not .NET at this time) so that it is mis-attributed and mistakenly labeled as benign. The job of DEFENSE is to use existing open source technology (or technology you bring with legal permission) to create a single tool capable of classifying a Portable Executable file as:

  • Benign or Threat
  • If Threat:
    • What group can it be attributed to (given the pre-classified samples you will have access to)?
    • Is it a variant of a known sample? If so, which?

We require that each tool (OFFENSE and DEFENSE) provide some type of additional output beyond the classification, so that an operator can directly explain, or look up and then explain, why a sample was classified the way it was. There are no expectations on the format of this output so long as a team member can interpret it. This point is referenced again later when we discuss scoring.

It should be noted that it is acceptable for both OFFENSE and DEFENSE to use freely available tools or websites to check any sample they are working with (or against). We deliberately do not mention any tool names in this description; this is left up to the challenger(s). It is insufficient to rely on these services alone, as they are disjoint, prone to false positives and in many cases will not explain their answer. This challenge is planned to last for 4 days. This is the 'window of opportunity' for OFFENSE to attack with increased chances of success.

HQ will be a simulated entity, as it does not need to physically exist for this content to work. Exercise Control (EXCON, who are representatives of DreamPort) will periodically issue security alerts to DEFENSE that include multiple files named by fictitious security systems as being part of suspected intrusion(s). A security alert will be a USB disk with a collection of files (benign and malicious) that have been named in the alert. One hour prior to the delivery of this USB disk to DEFENSE, EXCON will notify OFFENSE that they must deliver their next sample(s) on USB disk (and will provide disks to OFFENSE at that time). Provided the disks are returned to EXCON within the hour, EXCON will then add additional files for randomization purposes. DEFENSE must take these files and provide an answer on the status of each file in the alert within 60 minutes. The answers can be written on a piece of paper and handed to EXCON, but DEFENSE must be prepared to show their work. As we discuss in scoring below, DEFENSE must be able to explain their tool's conclusions to a third party (e.g. EXCON), but given the real-world tempo of this RPE we can address this later if an EXCON participant is not available. For this reason, both DEFENSE and OFFENSE must take care to ensure their work is repeatable.

Before the RPE even begins, DEFENSE and OFFENSE will have access to past incident report intelligence that names a small number of malware samples previously attributed to OFFENSE. They should use this data wisely. When processing a security alert, DEFENSE should analyze the files named in the alert and determine which files are malware, which are only suspected to be malware and which are not, which files can be attributed to OFFENSE, and whether any alerts warrant further investigation. If they choose to attribute a sample to OFFENSE, they must provide an explanation as to why.

Both DEFENSE and OFFENSE must bring their own stations and they may bring any unclassified tools or techniques they wish provided they agree that:

  • United States Cyber Command reserves the right to release the tool/technique as open source at some point in the future.
  • They are not violating company agreements or NDA by using the tools outside of work.

DEFENSE cannot predict how often the security alerts will 'pop' within HQ. For planning purposes, EXCON will inject malware into the simulated HQ at least once per day including the first day of the conference.

Who should sign up?

We will accept both teams (of no more than 5) and individuals. We need offense and defense here, people, not just one side!

What should I bring?

You need to be prepared to bring your own machine(s). Internet access will be provided. There are a limited number of outlets, so do not bring more than two machines per person (no one said you can't run a Pi cluster if you have enough USB ports), and nobody had better be rolling a half-rack into our facility!

Other Details

  • This RPE is entirely unclassified. All tools and techniques used must be unclassified.
  • Further engagement details, including teaming, equipment, scoring and success criteria, will be provided upon registration for the event.

FAQs

Yes, we could, but while there are some good (and some older) tools available, they don't fit within the bounds of what we want, especially that 'one' tool that can rapidly analyze in addition to that 'one' tool that can alter. To be effective on either side (offense or defense), you must know and understand the other. We want the participants to consider what's available now (with or without a credit card) as the 'art of the possible'. We want to go further, and we want to get there fast.
No, it's not, but this number was chosen deliberately, as there is a heavy burden on DEFENSE 24x7. In the past, many times we have been forced to analyze malware in 72 hours or less, and we want this engagement to have a real-world urgent feel. We may revisit this in the future!
Sure, but you must agree to the stipulations we described previously.
We would love to, BUT DreamPort is a non-profit! We are not overflowing with money! Use the free version, buy your own, or build something better. In the future we hope to provide tools, but this engagement is about breaking new ground.
Yes, you can, provided you describe the exact version you used.
We are excluding .NET, .SYS, .CPL, .FON, COM and ActiveX. These are specialized examples of PE and we don't want to deal with them 'yet'. We are not distinguishing between 32-bit and 64-bit; BOTH are considered in scope.
No, you can use any OS you wish, provided we could buy it in the future.
Yes, you can, but you will be randomly assigned to a team and you must choose either OFFENSE or DEFENSE.
Yes, we encourage this.
We anticipate a maximum of 5 teams on each side or 50 participants, whichever is reached first.
We have several options we are considering ranging from:
  • Collapsing teams together
  • Evaluating OFFENSE offline if no DEFENSE participates
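As an added example (not part of the original page or of ALPHA), here is the kind of scope pre-filter a DEFENSE classifier could run on each file from an alert before any deeper analysis, following the FAQ rules above: accept PE32/PE32+ images for x86 or amd64, reject .NET assemblies (CLR data directory present) and kernel drivers (native subsystem), and return the reasons so the verdict can be explained to EXCON. Treating .SYS as "native subsystem" is a heuristic assumed here; .CPL, .FON, COM and ActiveX are not distinguishable from the header alone and are not handled. The `build_header` helper fabricates header-only PE images purely so the example runs offline.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1                     # subsystem used by kernel drivers (.SYS)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14                       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

def triage_pe(data):
    """Return (in_scope, reasons); reasons is the operator-readable explanation."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, ["no MZ header: not a PE file"]
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False, ["no PE signature at e_lfanew"]
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)  # IMAGE_FILE_HEADER
    opt = pe_off + 24                                            # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return False, ["unknown optional header magic 0x%x" % magic]
    subsystem, = struct.unpack_from("<H", data, opt + 68)       # same offset in PE32 and PE32+
    dir_base = opt + (96 if magic == PE32_MAGIC else 112)       # DataDirectory[0]
    ndirs, = struct.unpack_from("<I", data, dir_base - 4)       # NumberOfRvaAndSizes
    clr_size = 0
    if ndirs > CLR_DIRECTORY_INDEX:
        _, clr_size = struct.unpack_from("<II", data, dir_base + 8 * CLR_DIRECTORY_INDEX)
    reasons = ["%s %s" % ("PE32+" if magic == PE32PLUS_MAGIC else "PE32",
                          "DLL" if chars & IMAGE_FILE_DLL else "EXE")]
    if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        return False, reasons + ["machine 0x%x is neither x86 nor amd64" % machine]
    if clr_size:
        return False, reasons + ["CLR header present: .NET assembly, out of scope"]
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return False, reasons + ["native subsystem: kernel driver (.SYS), out of scope"]
    return True, reasons + ["machine 0x%x, subsystem %d, no CLR header" % (machine, subsystem)]

def build_header(machine, magic, subsystem=2, clr_size=0, dll=False):
    """Constructed header-only PE image for offline testing (not a real sample)."""
    plus = magic == PE32PLUS_MAGIC
    opt = bytearray(240 if plus else 224)                       # room for 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    dir_base = 112 if plus else 96
    struct.pack_into("<I", opt, dir_base - 4, 16)
    struct.pack_into("<II", opt, dir_base + 8 * CLR_DIRECTORY_INDEX, 0x2008 if clr_size else 0, clr_size)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x2 | (IMAGE_FILE_DLL if dll else 0))
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> right after DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Against real alert files, call `triage_pe` on the raw bytes read from the USB disk and record the returned reasons alongside the classifier's verdict.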

How can I participate?

Want to participate? Registration is closed.

Questions?

For any RPE-001 questions or concerns, please contact us.

Thank You

A special thanks goes out to Brian and Dorian whose good ideas serve as an influence for this RPE.

Sample Malware Family ALPHA

DreamPort has created a sample malware family ALPHA that participants can use as an offense sample. Source for ALPHA will be released on GitHub as soon as possible. Each ALPHA sample is a statically compiled 32-bit binary designed to work with the CyberPoint C2 platform Keystone (also soon to be released on GitHub). While it looks, smells and acts like malware, we wrote it, it's safe! There is no better way to get close to reality than using a live sample for testing signature diversity and signature measurement.

Introduction

This project is our inaugural release of technology from DreamPort! ALPHA is a sample program written to mimic a low-tech, basic remote access trojan for Microsoft Windows. It was created as a 'fire starter' for the DreamPort RPE described on this page.

ALPHA also serves a number of other purposes:

  1. It is a refresher (for me) in Windows tool development
  2. It demonstrates the power of leveraging open source for faster turn-around
  3. It is the first sample that can be controlled from my (formerly theoretical) C2 system called KeyStone (link coming soon)

Warning

I will be featuring this warning everywhere. Don't download this with malicious intent. If you know what you are doing you wouldn't be using ALPHA to carry out some offensive action. This isn't the last tool I plan on releasing from DreamPort (hence the name) and the warning applies everywhere.

Building ALPHA

There are three interface projects in the ALPHA solution: an EXE, a simple EXE and a DLL. In actuality, most of the functionality in ALPHA comes from libALPHA. This is an old tactic of a lazy person: don't write code twice unless you have to or are told to. All of my testing took place on Windows 7 Ultimate running Visual Studio 2017. From what I see here, you can get a trial version of Visual Studio 2017 if you want to dip your toes in this water:

https://visualstudio.microsoft.com/downloads/

You need the following projects at the same directory level as Alpha:

  • APR
  • CURL
  • Expat
  • Jansson
  • libsodium
  • libssh2
  • OpenSSL

It's not easy to get these to build but it is possible.

This is technically the complete source for ALPHA:

alpha.7z

Malware Training Samples

All files are encrypted with a password. The password will be emailed to registered participants.

known_group_1.zip (70 Mb .zip)

known_group_2.zip (18 Mb .zip)

known_group_3.zip (83 Mb .zip)

offense_samples.zip (22 Mb .zip)

UPDATED 9.14.18: offense_samples_2.zip (3.62 Mb .zip)

A few notes:

  1. We have noticed that the Archive Manager on Ubuntu Linux 16.04.5 is unable to decompress the original offense_samples_2.zip, presumably because the archive was prepared with 7-Zip. Please use 7-Zip on Ubuntu from the gnome-terminal to decompress the archive.
  2. The password for offense_samples_2.zip now matches the other sample archives 'dreamportfindsanswers!'
  3. All three (3) ALPHA example variants are now provided in this archive instead of just the DLL.

PowerPoint Presentation

Download the PowerPoint presentation from 9.14.18 below:

DreamPort-RPE-001-Introduction-09-091418.pdf (2.81 Mb .PDF)