
Capture the Flag for Hackers at Black Hat

Symantec runs this annual game to learn from some of the best minds in the cyber security industry

The rules of the game are simple: there are no rules other than don’t attack certain management systems. Otherwise, the proverbial gloves are encouraged to come off. Files labeled as flags are hidden in systems that are running Symantec Endpoint Protection (SEP). This year at Black Hat, twenty participants from five organizations did all they could to capture a flag and win the five thousand dollar grand prize. The great reward, though, is learning from these contestants who attack with their true-to-the-real-world exploits and file-less attacks meant to subvert SEP in ways the engineers of Symantec may not expect.

2018 is the eighth year Symantec has run Capture the Flag at Black Hat. Most of the contestants have participated before, so they do all they can to up their game when they reenlist. To make things interesting, Colin Gibbens, the Symantec man behind the curtain for Capture the Flag, upped the stakes this year by employing deceptors, known as canaries, on the systems. “Canaries are placed on systems as honeypots waiting for someone to access them. They give the hackers false information like bogus usernames and passwords or fake IPs that are then monitored to see if someone tries to use the information,” explained Colin.

Colin had fifteen systems running this year, a mixture of Linux and Windows. Some of the Windows systems were protected with SEP 14 with Endpoint App Isolation and Deception enabled, and the others had no endpoint protection installed. Symantec's EDR solution monitored what the hackers were doing. One of the hackers used Eternal Blue (an NSA-developed exploit that was part of the worldwide WannaCry ransomware attack) to compromise one of the unprotected systems. Another analyst initiated an Eternal Blue attack on a SEP-protected system and was consistently blocked.


While on an unprotected system, one hacker ran Mimikatz to dump credentials that he found were common to the systems run in the game. From the EDR console, Colin was able to detect the use of this dual-use tool. With the credentials in hand, the hacker started to log in to the accounts. Some of the accounts were active and some Colin had disabled. Once the hacker was on the unprotected system, he started using the credentials to try to move laterally in the environment using a combination of Remote Desktop and Server Message Block protocols. Colin was able to detect this using Symantec EDR. The hacker got on one of the systems that had the deception files on it. He accessed the files on the system, and Colin was able to see that he had obtained them using Symantec EDR. When the attacker dumped memory, he got Colin’s Domain Admin account and was able to get on one of the systems that held some of the prize flags. Colin had the prize flags locked down with Hardening. He and the other participants were trying everything in their arsenal to get to the prize files but were not able to access them.

Another participant was using Kali Linux and exploiting the unprotected systems to initiate a reverse shell. He was not able to do this with any of the SEP-protected systems. He started rooting through the system trying to find anything and everything. Colin had created some deceptors on that system, and the analyst deleted them. The analyst discovered these baits and started using the fake user accounts that Colin had placed in them to log in to the other systems. Colin was able to detect the lateral attempts with EDR once again. On the only SEP-protected system accessed, the analyst tried to dump the credentials again but was blocked. With Symantec EDR, Colin could see the attacker moving around on the endpoint and launching commands. Colin ended up isolating the system from the network, which ended his attempts to compromise the system further.
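The canary mechanism described earlier (bogus usernames planted on systems and monitored for use) and the EDR detection of lateral movement over Remote Desktop and SMB in the two paragraphs above, as an added example that is not Symantec's code or the game's tooling: it assumes constructed canary usernames and constructed, simplified logon records, and maps Windows logon types 3 and 10 to SMB and RDP.

```python
import re
from collections import defaultdict

# Constructed canary (honeytoken) usernames, standing in for the fake accounts
# planted in the deceptor files: no legitimate process ever logs in with them.
CANARY_USERS = {"svc_backup_old", "admin_legacy", "db_migrate"}

# Constructed logon records in a simplified key=value form, standing in for
# what an EDR console or Windows Security log (events 4624/4625) would show.
SAMPLE_LOGONS = """\
event=4624 user=cgibbens src=10.0.1.10 dst=WS-01 logon_type=2
event=4625 user=svc_backup_old src=10.0.1.23 dst=FS-02 logon_type=3
event=4624 user=svc_backup_old src=10.0.1.23 dst=FS-03 logon_type=10
event=4624 user=admin_legacy src=10.0.1.23 dst=DC-01 logon_type=3
event=4624 user=jdoe src=10.0.1.40 dst=WS-05 logon_type=2
"""

LINE_RE = re.compile(
    r"event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) logon_type=(?P<ltype>\d+)"
)
# Windows logon type 3 is a network logon (SMB), 10 is RemoteInteractive (RDP).
LOGON_CHANNEL = {"2": "console", "3": "SMB", "10": "RDP"}

def parse_logons(text):
    """Parse the key=value lines into dicts, skipping anything malformed."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def canary_alerts(records, canary_users=CANARY_USERS):
    """Any logon with a canary username, successful or failed, is an alert."""
    return [
        {"src": r["src"], "dst": r["dst"], "user": r["user"],
         "channel": LOGON_CHANNEL.get(r["ltype"], "other"),
         "success": r["event"] == "4624"}
        for r in records if r["user"] in canary_users
    ]

def lateral_movement_sources(alerts):
    """Group alerts by source host; one host reaching several targets is a pivot."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) > 1}

if __name__ == "__main__":
    alerts = canary_alerts(parse_logons(SAMPLE_LOGONS))
    for a in alerts:
        print(f"CANARY {a['user']} from {a['src']} -> {a['dst']} via {a['channel']}")
    print("pivot hosts:", lateral_movement_sources(alerts))
```

A failed logon with a canary account is as much an alert as a successful one, which is why the filter keys on the username rather than on event 4624 alone.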

In the end, all of the participants go home with a number of prizes for discovering other secondary flags that Colin plants for sport and fun. The incentive to bring their A game is taken seriously by those who enlist to capture the flag in a SEP system, so Colin and Symantec make sure their efforts are rewarded. Though no one has won the grand prize in eight years, the competition inspires great feats in coding exploits that give Symantec the kind of engagement and learning from white hat hackers that it can use against the black hat hackers out in the world – a unique feat of learning from the good guys while having fun.


About the Author

Rebecca Donaldson

Symantec Cyber Security Staff Writer

Rebecca Donaldson is a writer and community manager for Symantec. For over ten years, she has had the privilege of publishing content that captures the guidance and information of Symantec experts, customers, and partners.
