Event RPE: The Capulets and the Montagues
Date: TBD, 2019 | Location: DreamPort Facility in Columbia MD
Romeo and Juliet (the play, not the movie) is believed to have been written between 1591 and 1595. In the play, the House of Capulet is the sworn enemy of the House of Montague. In Act 1 Scene 1, taunts between the two opposing families end in an armed confrontation between Benvolio and Tybalt, while in Act 3 Scene 1, Tybalt and Mercutio fight to an unfortunate end. For those of you whose job it is to defend networks, you know that there aren't just two major events between you and your opponents; there are, unfortunately, hundreds or thousands.
For those of you who conduct operations designed to gain access to a customer's or opponent's network (e.g. penetration test, capture the flag, etc.), you know that sometimes only one victory is necessary. Do you plan your approach to a target? What is involved in a cyber operation like a penetration test? OK, most people don't consider a penetration test an offensive cyber operation, but DreamPort does. We aren't talking about a tabletop exercise where people theorize about what vulnerabilities exist, but actual developers and operators using offensive cyber operations (OCO) tools to gain remote access to a target (with permission, of course). In this RPE, we want to bring multiple teams together to help answer questions such as: What are the steps required to plan and execute a campaign of operations to gain access to a network or target? What tools should be used? Can you repurpose a previously used or harvested sample? In what order should you use your tools? How do you ensure persistence on your target when your opposition has more than two decades of experience in both attacking and defending networks?
In this RPE, DreamPort will be looking for teams to:
- Select, customize, or develop commercial and open source offensive software for planning offensive cyber operations to gain unauthorized remote access to the fictitious RodinCorp network we built for RPE-003. (TL;DR: don't just 'capture a flag', take persistent control of the servers.)
- Repurpose previously harvested malware and OCO tools for re-use.
- Use these tools including repurposed samples in live operations (Capulets) where DreamPort personnel will defend this network (Montagues) with active response techniques.
The winner(s) of this competition will be the group(s) that can successfully gain access to our operational network. Unlike in the play, the defense and the offense are not sworn enemies.
There are details about this fictitious RodinCorp network that we will release in advance of this RPE and that should be suitable for targeting purposes. Yes, someone might accidentally click on something; yes, IT will have made a mistake or two. Keep in mind that you will only be granted permission to engage targets specified by DreamPort and must respect email addresses and computers defined as 'hands-off'.
Please note that participants may NOT exploit or run operations against each other. You may only focus on targets defined by DreamPort as in-scope. Any detection of offensive actions taken against another team will result in immediate action, which may include barring from this and future RPEs.
Participants may utilize cloud-hosted resources (e.g. VPC, custom DNS) for this event, but they are responsible for all costs associated with these resources. For planning purposes, you can assume resources will not be required for more than one week, but you may want to reserve them for one month. Participants should also plan on bringing their own devices for launching operations.
Participants should remember that they must not plagiarize or steal the copyrighted or licensed work of another person or company. They are free to bring to bear in this RPE any tools for which they have paid the appropriate license fees.
DreamPort is an unclassified facility, and the fictitious RodinCorp network will have vulnerabilities that can be exploited using tools found in the 'usual locations' such as GitHub, VulnDB, etc. We want to identify candidates who can use open source and commonly known tools to identify vulnerabilities or vulnerable employees and then plan follow-on offensive operations focusing on those targets. We are also interested in teams who can modify open source offensive tools built on open source technology (e.g. Metasploit, RouterSploit, PowerShell Empire, Veil Framework, Scapy, Pupy, libpcap, Python Requests, PhantomJS, and more). But what do you do if you have no tool to 'git clone' and throw?
In this RPE, we are most interested in teams or individuals who can repurpose previously known malicious samples recovered in the wild for use in their OCO against RodinCorp. Have you ever considered what is involved in the re-use of a piece of malware? We are looking for the teams who can repurpose a sample and use it for operational effectiveness while minimizing the risks posed by that tool. For this reason, we will provide a small selection of tools which we have deemed safe for use in OCO against the RodinCorp network, provided proper safeguards have been met. As an offensive team, you are free to use these tools if you validate your repurposing efforts with DreamPort first.
We won't tell you everything in advance about the samples in this set; that would take all of the fun out of it. We will tell you the following:
- There will be both 32-bit and 64-bit samples in this set
- There will be Portable Executable (PE), Executable and Linkable Format (ELF), and Java samples
- There might be some scripted sample(s)
- There might be a sample with source code
Rules of Engagement
Each participating team will be required to submit a signed Rules of Engagement (RoE) before seeing any details about potential targets in advance of the RPE. Exploits or attacks which are successful but detected will result in a box being reimaged or in defensive response actions (e.g. firewall updates, process termination), so if you want credit for any transient success you will need to capture some proof to present (e.g. a process listing, a file you created, a screenshot you took). We strongly encourage teams to partner up and work together on this RPE.
The winning team(s) will be required to demonstrate proof of persistent access, but additional points will be granted in the following order:
- Undetected, sustained and persistent system level remote access to RodinCorp
Additional point opportunities (detected attacks):
- Usage of repurposed samples for obtaining and maintaining access.
- Sustained and persistent system level remote access to at least 1 endpoint within RodinCorp network
- Transient system level remote access to at least 1 endpoint within RodinCorp
- Sustained and persistent user level remote access to at least 1 endpoint within RodinCorp
- Proof of user interaction but no successful remote access (e.g. phishing email)
As a point of clarification, it's one thing to trick an unsuspecting user into clicking on a hyperlink in a phishing message, but it's another to steal or guess their credentials (from phishing) and then reuse them in a remote access operation (e.g. Remote Desktop), and worse still to trick a user into opening a macro-laced document and spawning a PowerShell Empire remote session.
If attacks are detected and stopped during play in this RPE, participants will receive partial credit compared to those whose attacks go undiscovered. Participants will be interviewed to provide a play-by-play of their campaign against the RodinCorp target.
There will be no points awarded for denial of service attacks against the RodinCorp network. Please do not plan on any DoS attacks.
This RPE requires participants to have at least intermediate skills in the following:
- CobaltStrike/Armitage/Veil Framework
- Social Engineering Toolkit/BeEF
- Pupy/PowerShell Empire
- Malware Analysis
- Binary Ninja
- Sandbox Execution
- Software Debugging
While there are several products (open source and commercial) which assist in this OCO process, we believe no product alone can provide this level of functionality (e.g. malware repurposing). This is a human-intensive problem and requires some advanced training to be successful. We want to identify the team of players and the complete set of tools they use to gain remote access to a network. We are especially interested in teams who can:
- Repurpose a previously known malware sample
- Gain remote access without detection in a compressed timeframe
- Alter an approach in real time (if an attack is detected)
- Modify or alter known products to escape detection
- Construct a tool on-demand for a specific purpose