---
breaks: true
---
# Generating Cyber-Injects for Army Systems
Written for the current and future members of the Army Cyber Defence branch of HQSIGS&COMDSYS as a guide to generating cyber injects within Army air-gapped systems.
## Background
Planning cyber injects for army facilities can be extremely challenging, and depending on the objective and restrictions, it may be completely impossible. With no internet access and several layers of security restrictions, any tooling must typically already be present on the systems or be re-created from scratch. This documentation covers the complete architecture and process of generating a cyber inject, specifically for Exercise Tiger Balm 2022 (ExTiB22).
## ExTiB22
ExTiB22 was held in Pasir Laba camp, which hosts a typical centralised, air-gapped, ultra-minimal Windows 10 Local Area Network (LAN) server.
### Scenario
The attacker(s) have compromised a device with enough privileges to host a server on the secured LAN. The attacker(s) can then send a phishing email to all users containing a Uniform Resource Identifier (URI) to a website. On page load, the website exfiltrates user-tagged credentials back to the compromised server. With the exfiltrated credentials, the attacker(s) have the potential to study the victims' presence and habits.
## Hosting a Web Server
With the layers of restrictions present, the technically-inclined generalist may at first glance conclude this to be impossible. This is because contemporary software engineers will typically install several pieces of third-party software and boilerplate before attempting to host a web server. Instead, we can use the built-in Internet Information Services (IIS), which has shipped with Windows systems since 1995. See [**Annex A**](#Annex-A) for more information.
## Serving a Web Application
To serve a web application with IIS, we must use `ASP.NET Web Forms`. `ASP.NET Web Forms` is a widely-supported, built-in web application framework for Windows systems, first released in 2002. Applications in this framework are written in C# and/or JavaScript^1^. See [**Annex B**](#Annex-B) for more information.
<sup>^1^In most military systems, JavaScript is actively blocked.</sup>
## Exfiltrating User-Tagged Credentials
User-tagged credentials are credentials that contain identifying information about the user. In ExTiB22, we store the user's local Internet Protocol (IP) address to keep track of our victims during the exercise. There are a few reasons to use IP addresses instead of other types of credentials.
- IP address retrieval generates less noise for antivirus software
- IP addresses will never contain forbidden ASCII characters for Windows systems
- Army systems typically keep a record of every IP address and the device it belongs to
See [**Annex C**](#Annex-C) for more information.
## Scaling Up
With the ability to host a web server in the military LAN, the possibilities for cyber-injects are greatly broadened. See [**Annex D**](#Annex-D) for more information.
## Conclusion
## Annexes
### Annex A
Very technical explanation here
### Annex B
Code here
### Annex C
In ExTiB22, the attacker(s) retrieve the victim's timestamp and IP address on page load. This information is then stored on the compromised server.
```csharp=
using System;
using System.IO;

// ASP.NET Web Forms wires this handler up automatically (AutoEventWireup) when it is named Page_Load.
void Page_Load(object sender, EventArgs e) {
    string userIP = this.GetIP();
    // One log file per client under the application's physical root. A local variable is used
    // rather than a static property, which would be shared (and overwritten) between concurrent requests.
    string logFilePath = Path.Combine(Request.PhysicalApplicationPath, userIP + ".txt");
    // StreamWriter in append mode creates the file if it does not exist yet, so no File.Create is needed.
    using (TextWriter textWriter = new StreamWriter(logFilePath, true)) {
        textWriter.WriteLine("Time: {0}", DateTime.Now.ToString("HH:mm:ss"));
    }
}
```
The IP address can be retrieved through the `Request.UserHostAddress` property.
```csharp=
string GetIP() {
    string userIP = Request.UserHostAddress;
    // A request made from the server itself over IPv6 loopback reports "::1".
    return userIP == "::1"
        ? "localhost"
        : userIP;
}
```
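From the defender's side, the handler above leaves a characteristic trace in IIS's own W3C request log (`%SystemDrive%\inetpub\logs\LogFiles` by default): a burst of successful loads of one page from many distinct internal clients right after the phishing email goes out. The following Python script is an added example, not part of this document or the exercise tooling; the log excerpt, IP addresses, page path and thresholds are constructed, and column names follow the W3C extended log format's `#Fields:` directive.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt (sample data, not from the page).
# The "#Fields:" directive defines the column order; IIS logs times in UTC by default.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-08-15 08:00:30 10.10.5.20 GET /favicon.ico - 80 10.10.7.11 Mozilla/5.0 404
2022-08-15 08:01:02 10.10.5.20 GET /Default.aspx - 80 10.10.7.11 Mozilla/5.0 200
2022-08-15 08:01:05 10.10.5.20 GET /Default.aspx - 80 10.10.7.12 Mozilla/5.0 200
2022-08-15 08:01:09 10.10.5.20 GET /Default.aspx - 80 10.10.7.13 Mozilla/5.0 200
2022-08-15 08:01:40 10.10.5.20 GET /Default.aspx - 80 10.10.7.14 Mozilla/5.0 200
2022-08-15 08:02:10 10.10.5.20 GET /Default.aspx - 80 10.10.7.15 Mozilla/5.0 200
2022-08-15 09:30:00 10.10.5.20 GET /Default.aspx - 80 10.10.7.11 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # a log may restate #Fields after a service restart
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):    # skip malformed lines instead of misaligning columns
                yield dict(zip(fields, values))

def find_beacon_pages(text, window=timedelta(minutes=5), min_clients=4):
    """Return {(server_ip, uri): sorted client IPs} for every page that was loaded
    successfully by at least min_clients distinct clients within one window."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["cs-method"] != "GET" or rec["sc-status"] != "200":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        hits[(rec["s-ip"], rec["cs-uri-stem"])].append((ts, rec["c-ip"]))
    flagged = {}
    for key, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over each start time
            clients = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(clients) >= min_clients:
                flagged[key] = sorted(clients)
                break
    return flagged

if __name__ == "__main__":
    for (server, uri), clients in find_beacon_pages(SAMPLE_LOG).items():
        print(f"{server}{uri} loaded by {len(clients)} clients: {', '.join(clients)}")
```

Each flagged client IP can then be matched against the device inventory mentioned above to confirm which hosts opened the link.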
### Annex D
More code here