3. Weaponization

This module will look at weaponization, or how hacking exploits can be created and disguised. The software simulations will cover the creation of mobile and desktop payloads.  

  • Weaponization 
  • Obfuscation 
  • Encryption 
  • Ciphers 
  • Desktop Malware 
  • Mobile Malware  
  • Windows App Malware Creation  
  • Mobile Malware Creation  

Please note: this content was produced in the UK and may include the use of British English. 

Intended Audience  

Although perceived as an IT issue, cyber security is, in fact, a subject relevant to all business units. Cyber Primer is aimed at anyone with an interest in cyber security, whether they are looking to pursue a career as a penetration tester, or just want to get a feel for the world of cyber security.  


Prerequisites of the Certifications 

There are no prerequisites for this course, however, participants are expected to have a basic understanding of computers and the internet. 



We welcome all feedback and suggestions - please contact us at to let us know what you think. 


Now that the attack surface has been mapped, a malicious payload can be created to exploit any weaknesses found. The kinds of payloads used here will be dictated by the technology discovered during the recon stage. Particular systems may have been found through Shodan, by studying the background of key employees, or by looking at information found in Google Docs. This module will cover how simple it can be for a threat actor to create malicious payloads for different operating systems. You'll start by looking at some encryption methods. Once you finish this video, make sure you check out the simulation videos and have a go yourself.

First, let's take a look at encryption. Once the attack surface has been mapped and a weakness found, a payload will need to be chosen and configured. However, the attacker will also need to consider disguising it. This process is known as obfuscation, and it is a key step in the cyber kill chain. Put simply, obfuscation is a term for hiding your tracks. To obfuscate a payload, the attacker may rely upon several encoding and encryption techniques. Malware analysts must understand the different methods of obfuscating payloads in order to prevent and detect a breach. If malware samples are captured, they will typically have been obfuscated to prevent analysts from understanding their true purpose and where their server is.

Obfuscation of payloads is commonly done via encryption. Put simply, encryption is a way of converting a message (encoding it) into something that only the receiver can understand. The message can then be decoded by someone who knows how it was encoded. One way that messages can be encoded is with numbering systems such as binary, hexadecimal or Base64.

Binary is a base two numbering system. With decimal we count from zero to nine, and once we exceed that value we carry a one into the next most significant column.
We do exactly the same with binary, except we only count from zero to one, and once we exceed this value we carry a one into the next column. The columns are read from right to left, starting with a value of one and doubling at each step (the powers of two). Essentially, a one means that the column's value is being used and a zero means it is not. As seen on the slide, the number five can be read in binary as 0101, with the decimal values one and four being used, giving a decimal value of five. Understanding this numbering system is of fundamental importance to any work you will do within cyber security, no matter the area.

Hexadecimal is a base 16 numbering system; it is the most sensible way for humans to represent one byte using only two characters. Rather than as a number between zero and 255, we can express the value as anywhere from 00 to FF. As with decimal, we count from zero to nine; with base 16 we keep counting in the units column after we have surpassed nine, continuing from A to F. This allows us to express 16 values in each position.

Base64 is, as the name suggests, a base 64 numbering system, with each column able to express a value between zero and 63. It is commonly used as a way of encoding data for a system that only accepts text. It is also a very common method of obfuscating payloads in order to avoid signature-based detection by either an IDS or antivirus. While binary, hexadecimal and Base64 encoding can circumvent a poorly tuned intrusion detection system (IDS), they can easily be reversed by an operator who recognizes them. As such, they are not a sophisticated form of protection. Encoding is useful for avoiding systems that do not take the time to investigate unusual traffic or files. However, if a threat actor pits themselves against a developed cyber security capability, such as an information security operations team, they will seek to encrypt the data in transit across the network and the data at rest on disk.
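As an added example that is not part of the course material, the following Python applies the three encodings described above to a constructed sample string and includes a small recogniser that reverses them, the kind of check an analyst or a detection rule performs on suspicious strings. The function names and regular expressions are my own.

```python
import base64
import binascii
import re

# Constructed sample; the encodings below are reversible and are not encryption.
SAMPLE = b"the quick brown fox"


def to_binary(data: bytes) -> str:
    """Each byte as eight bits, space separated (5 -> 00000101)."""
    return " ".join(f"{b:08b}" for b in data)


def to_hex(data: bytes) -> str:
    """Each byte as two hex digits, 00..FF."""
    return data.hex()


def to_base64(data: bytes) -> str:
    """Six bits (0..63) per output character, padded with '='."""
    return base64.b64encode(data).decode("ascii")


# Alphabets, most restrictive first: a binary string is also valid hex and a
# hex string is also valid Base64, so the order of the checks matters.
_BIN_RE = re.compile(r"^(?:[01]{8}\s*)+$")
_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def identify_and_decode(text: str):
    """Recognise binary, hex or Base64 text and reverse it.

    Returns (encoding, decoded_bytes), or (None, None) if nothing matched.
    """
    s = text.strip()
    if _BIN_RE.match(s):
        bits = "".join(s.split())
        return "binary", bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    if _HEX_RE.match(s):
        return "hex", bytes.fromhex(s)
    if _B64_RE.match(s) and len(s) % 4 == 0:
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            pass
    return None, None


if __name__ == "__main__":
    for encoded in (to_binary(SAMPLE), to_hex(SAMPLE), to_base64(SAMPLE)):
        print(encoded, "->", identify_and_decode(encoded))
```

Short plain words made only of Base64 characters will also decode, so in practice such a rule is combined with length and entropy thresholds before it raises an alert.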
Encryption, however, is not reversed by an IDS: encryption hides information using an algorithm. This algorithm is known as the cipher, and only those with the key to the cipher can view the intended message. Being able to recognize some simple ciphers will allow you to understand the mechanics behind encryption. We will now look at two classical ciphers, as well as how the XOR operation can be used to encrypt using a binary stream as the key.

A substitution cipher simply exchanges one character for another. The letter A may be exchanged for an F, for example, which means the letter F will occur in the encrypted message as regularly as A did in the plain text. Despite being encrypted, the message will have the same format as the plain text. If we take the phrase "the quick brown fox jumps over the lazy dog" and use a simple shift of one letter across the alphabet, the message appears to be simple gibberish. However, it can be broken with statistical analysis. As can be seen, the sentence structure remains the same and repeated letters are still repeated.

A transposition cipher reorders the text while maintaining the character values: where a substitution cipher exchanges characters in place, a transposition cipher moves characters around. This helps it resist cryptanalysis by hiding the structure of words. The intended message is placed into a grid with any punctuation removed; the message is inserted horizontally and the encrypted message is read out vertically. The transmitted message is sent as fixed-length words, which can be indicative of the size of the grid used. In the example shown, the text has been broken into a grid of eight by five, and spaces are used after each five letters. While a square grid is the most common, other shapes can be used, such as the Spartan scytale, which dates back to 2000 BC. In this case, the message can only be deciphered with the correct scytale.
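The two classical ciphers just described, as an added Python example that is not from the course: a one-letter shift applied to the module's pangram, the statistical attack that recovers the shift by comparing letter counts with English frequencies, and the eight-column grid transposition that yields five-letter groups. The function names and the frequency table are my own.

```python
import math
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Approximate relative frequency (%) of each letter in English text.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0, "h": 6.1,
    "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7, "o": 7.5, "p": 1.9,
    "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8, "v": 0.98, "w": 2.4,
    "x": 0.15, "y": 2.0, "z": 0.074,
}


def shift_cipher(text: str, shift: int) -> str:
    """Substitution by a fixed alphabet shift (a negative shift decrypts). Non-letters
    pass through, so word lengths and repeated letters survive in the ciphertext."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in text.lower())


def break_shift(ciphertext: str) -> int:
    """Statistical attack: try all 26 shifts and keep the one whose letter counts
    are most likely under English letter frequencies (log-likelihood score)."""
    letters = "".join(c for c in ciphertext.lower() if c in ALPHABET)

    def score(s: int) -> float:
        counts = Counter(shift_cipher(letters, -s))
        return sum(n * math.log(ENGLISH_FREQ[c] / 100) for c, n in counts.items())

    return max(range(26), key=score)


def transposition_encrypt(text: str, columns: int) -> str:
    """Write the letters row by row into a grid `columns` wide, pad the last row
    with 'x', then read column by column; each column is sent as one fixed-length
    group (8 columns of 5 letters for the module's 35-letter pangram)."""
    letters = [c for c in text.lower() if c in ALPHABET]
    letters += ["x"] * (-len(letters) % columns)
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    return " ".join("".join(row[col] for row in rows) for col in range(columns))


def transposition_decrypt(ciphertext: str) -> str:
    """Rebuild the grid from the groups and read it row by row (padding included)."""
    groups = ciphertext.split()
    return "".join(groups[col][r] for r in range(len(groups[0])) for col in range(len(groups)))
```

Note that the transposition output leaks the grid size through its group length and keeps the plain text letter counts intact, which is why the module pairs it with other techniques rather than relying on it alone.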
A transposition cipher thus eliminates the main weakness of substitution ciphers, in which the construction of plain text words can be seen and studied. With a transposition cipher, words are of a uniform length, and plain text word construction or letter repetition cannot be studied.

XOR encryption is a means of combining two binary streams to create one new stream that contains hidden information, which cannot be retrieved without the other stream used to create it. The XOR operation is at the core of many more advanced ciphers. One stream is the message and the other is a secret stream shared by both parties. The message and key must both be reduced to binary. When using a key that is shorter than the message, the key is repeated and combined with the message. If the key is as long as the message, is totally random, shared securely, stored securely, and no part of it is ever reused, the encryption becomes totally unbreakable. This is known as a one-time pad. When combining the two streams, the XOR function will output a one if the inputs are different and a zero if they're the same. Quite simple, really, but from the attacker's perspective they cannot know from which stream the difference came, nor, for an output of zero, whether the inputs that produced it were two zeros or two ones.

Now that we've looked at how an attacker can obfuscate a payload, let's take a look at some forms of weaponised payloads. While the taxonomy of malware spans many different families, they will all breach the system in one of two ways: through some vulnerability in the target's operating system, or via an application that is installed on it. Some payloads will abuse a vulnerability in the OS or an application on the target machine, while others will simply make use of functionality that is already permitted to a user. For example, using the InstallUtil binary within Windows will bypass the AppLocker restriction on Windows.
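XOR with a repeating key and with a one-time pad, as an added Python example that is not from the course; it also shows what an eavesdropper learns when a pad is reused, which is why the passage above insists that no part of it ever is. Function names and the messages are my own constructions.

```python
import secrets


def to_bits(data: bytes) -> str:
    """Render bytes as the binary streams the module describes (5 -> 00000101)."""
    return " ".join(f"{b:08b}" for b in data)


def xor_bytes(message: bytes, key: bytes) -> bytes:
    """XOR each message byte with the key, repeating the key when it is shorter.
    An output bit is 1 only where the two input bits differ, so the same call
    decrypts: (m ^ k) ^ k == m."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(m ^ key[i % len(key)] for i, m in enumerate(message))


def make_pad(length: int) -> bytes:
    """A one-time pad must come from a cryptographically secure random source."""
    return secrets.token_bytes(length)


def one_time_pad(message: bytes, pad: bytes) -> bytes:
    """Unbreakable only if the pad is random, at least as long as the message,
    shared and stored securely, and never reused."""
    if len(pad) < len(message):
        raise ValueError("a one-time pad must be at least as long as the message")
    return xor_bytes(message, pad[:len(message)])


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper gets when two messages share one pad: c1 ^ c2 equals
    m1 ^ m2, because the pad cancels out; the result depends on the plain
    texts alone, which is the reason a pad may never be reused."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    message, key = b"meet at noon", b"k3y"       # constructed plaintext and short key
    ct = xor_bytes(message, key)
    print(to_bits(message))
    print(to_bits(ct))
    print(xor_bytes(ct, key))                    # same key recovers the message
    pad = make_pad(len(message))
    c1, c2 = one_time_pad(message, pad), one_time_pad(b"meet at dusk", pad)
    print(pad_reuse_leak(c1, c2) == xor_bytes(message, b"meet at dusk"))
```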
This is because of the call it makes to an uninstall entry point within a compiled binary. Others might make use of access to PowerShell, or the ability to run active content within Microsoft Office documents. Being familiar with how these tools can be used will allow you to understand the signatures of these payloads. Analyzing and studying these malicious files is part of malware analysis. Being able to create and deploy the same kinds of payloads that a threat actor would use will allow you to better craft defences to prevent a breach occurring in the first place, detect it should it succeed, and respond to it with a quarantine. After this is done, it is potentially possible to recover from the attack and feed lessons learned into the organization's future security operations.

Desktop devices are ubiquitous and are often the primary target of attacks, both against organizations and individuals. Windows devices are the most common in large enterprises and can offer a huge attack surface. Whilst administrative systems such as Azure Active Directory, Group Policy and AppLocker offer very granular control over Windows endpoints, there can be oversights. Combining this with unnecessary services being left enabled or unconfigured, an attacker can enumerate vulnerable users, brute force access to accounts, or exploit a buffer overflow, a particularly dangerous form of attack. Whilst Group Policy and AppLocker have done a great deal to empower administrators and system architects with the tools to tailor account privileges, there are still lots of holes in those systems. Once an attacker is able to execute anything from a Windows domain client, it's only ever a matter of time until that attacker is able to gain root access on the domain controller. BloodHound is an excellent tool that allows an attacker to map out the path between their account and the domain controller.
BloodHound will provide a route of machines and accounts that will need to be breached in order to leverage delegated privileges and gain domain admin. Another useful tool to deploy within Windows machines is the PowerUp PowerShell script. This script allows you to identify opportunities for privilege escalation within that Windows system.

There are two types of Windows payloads. The first is operating system payloads. These can take the form of an executable file that the attacker must convince the victim to download and run. They can be disguised using the obfuscation techniques we learned about earlier to evade antivirus, HIDS and NIDS. The second is application payloads. This type of payload is executed on the host system, but it must be executed by a specific program. Common targets are Microsoft Office and web browsers. Application payloads might require the victim to pull the content from some remote location. This could be done by retrieving emails or loading a web page. Both operating system and application payloads can harbour malicious content designed to provide an attacker with control over the compromised machine. Payloads may also be delivered via a listening port open on the target's device. This was the case with the EternalBlue exploit, which was behind the WannaCry ransomware attack that crippled the NHS in 2017.

The same process applied to create payloads for the Windows operating system can also be applied to Linux. Command and control can be established over a Linux machine by creating and delivering a weaponised payload. Just as with Windows, the command and control channel used could be disguised to appear as permitted encrypted traffic such as HTTPS, SSH, or even DNS.

The rise of smartphones has made them increasingly subject to attacks. Mobile devices represent a unique prize to attackers due to the access to information on the device itself, and the information it has access to on attached networks.
Mobile devices can blur an organization's security perimeter, meaning devices that have trusted access to certain networks and information may physically leave the premises. Users may then connect the device to an untrustworthy network, such as an unsecured public network in a hotel or coffee shop. These devices may also bring infections in with them from outside the network, where the malware may then be loaded onto the organization's network. Mobile devices have access to a range of information that is incredibly valuable to an attacker. This includes conversations in voice and text, login credentials, video and audio capture, contacts, GPS coordinates, and access to an organization's associated networks.

This module has covered obfuscation, the method by which threat actors hide their intent; three common encoding methods, binary, hexadecimal and Base64; encryption and decryption using substitution, transposition and XOR ciphers; and three types of operating system payloads, including Windows weaponised payloads, mobile operating system payloads and Linux payloads. You'll now have the opportunity to use a system known as the Metasploit framework, which can assist in weaponisation. Watch the simulation videos and then have a go at them yourself.

About the Author

Originating from a systems administration/network architecture career, he spent a solid part of his career building networks for educational institutes. With security being a mainstay of his implementations, he grew a strong passion for everything cyber orientated, especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder, and was elected for the CCNP Cyber Ops program.