Announcing Our Formal Partnership with Palantir
Apr 5 2018
By: David McGuire

When we founded SpecterOps, one of the core principles we pursued was to assemble a team who would constantly innovate and push the industry forward with research, tooling, and a commitment to benefit the entire security community. We are proud of the achievements of our team, but our innovation doesn’t occur in a vacuum; rather, it is fueled by amazing customers who work with us to continually improve their security posture. It is their steadfast commitment to securing their respective environments that inspires us to improve. Among all our customers, Palantir has, by far, pushed us the hardest and inspired some of our best contributions to the community.
Over time, SpecterOps and the Palantir InfoSec team have grown a strong, mutual respect based on our regular collaboration, engagement with the broader community, and commitment to transparency in the security community. We are also strong supporters of the core missions of Palantir whose platform helps combat global terrorism and child abuse, among other critical mission sets. As such, I am extremely excited to announce an expansion of the great relationship we already have to a formal partnership with Palantir. A formal partnership seemed only natural considering our extensive work history, alignment of business objectives, and mutual commitment to our community. More than anything else, our partnership will demonstrate our deep, mutual commitment to improving security practices in our community. I’d like to highlight that shared commitment in a little more detail:
Commitment to Open-Source and Transparency
Transparency to our customers and the community is a founding and deeply held principle of all aspects of what we do at SpecterOps, and we certainly appreciate it when others share a similar commitment. As such, Palantir has gained our respect for their public contributions. As the maintainers of many open-source projects, we were very pleased to see Palantir’s commitment to maintaining open-source projects, which include DetectionLab, DARKSURGEON, and their Alerting and Detection Strategies Framework (ADS).
Commitment to Improving Security for Customers and the Community
We were extremely impressed when Palantir released their Alerting and Detection Strategy Framework (ADS) — a framework for creating robust detections and incident response plans in a collaborative fashion. Not long after it was released, our team adopted the framework and methodology internally, building out a suite of ADSs that can be quickly translated and deployed for our diverse set of customers. It is our hope that as the ADS framework gains industry visibility, more organizations will adopt what Palantir has generously shared with the community.
Additionally, much of the innovation coming from our team (Empire, BloodHound, our transition to C# tooling, etc.) was formed partially out of necessity through the Palantir InfoSec team’s vigilance and commitment to improvement in detecting our actions during red team operations. In so many cases when you hear people state, “yeah, but who actually implements that control” (e.g. application whitelisting, SACL auditing, etc.), Palantir implements those controls, and does so in a fashion where they always put people and process ahead of product. To this day, our team members approach our red team operations with a healthy fear of what their CIRT team will do to them.
Examples of Innovation Through Collaboration
To demonstrate how we have worked together and how Palantir has already forced our team to innovate, I’ll present two recent use cases. In both cases, our red team was detected, ultimately forcing us to develop new tooling and tradecraft. In return, our red team tradecraft helped the Palantir InfoSec team improve their defensive tradecraft. Use cases like these highlight our belief that collaborative red/blue innovation is the best way we can, as a community, push forward meaningful security improvements.
Kerberoasting
Kerberoasting, developed by Tim Medin, is an attack technique used heavily by our team. It permits an attacker who is in possession of a Kerberos service ticket (TGS ticket) to, under certain circumstances, brute-force the plaintext credentials of the user account backing the service. Not long after Sean Metcalf released his fantastic post on detecting Kerberoasting, the Palantir CIRT team turned his post into a production detection, which subsequently caused the actions of our red team to be caught. Not only was the technique detected, but all the other extensive telemetry they captured supplied them with the investigative context they needed to quickly build a timeline and expose the extent of our operations.
In Sean’s post, he mentions establishing honey accounts as an attractive target for Kerberoasting. In response to the Palantir CIRT’s detections, we improved our red team tradecraft to conduct more thorough reconnaissance against potential Kerberoasting targets, ensuring that they are unlikely to be decoy accounts. In our Red Team Operations course, we also teach students to conduct Kerberoasting with a greater understanding of the detectable indicators they may generate.
Additionally, Sean mentions in his post that Kerberoasting, as currently weaponized, involves requesting an RC4 TGS ticket. Under this assumption, a high-fidelity detection can be built. At the time of this writing, there is no publicly known tooling that enables you to request a TGS ticket using AES. A next logical step in improving red team tradecraft would be building a capability that could circumvent the core of the heuristic described in Sean’s post, but as the Palantir CIRT team knows well, detection engineering is a journey, not an end-state.
Many organizations have yet to implement Kerberoasting detections, which is a shame. As such, red teams will likely fly under the radar for some time without having to improve their tradecraft and tooling. However, in this case, Palantir forced us to rethink how we conduct this particular attack and look at ways we could circumvent this detection strategy. Not only were we impressed with their level of detection capability, but our hope is that this is an example of red/blue interactions that increase innovation and allow us to release capabilities that push boundaries in the security industry.
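As an added illustration that is not from this post, Sean Metcalf’s write-up, or Palantir’s ADS content, the following Python applies the heuristic described above to constructed Windows Security Event ID 4769 records: RC4 (ticket encryption type 0x17) service ticket requests for user-backed (non-computer, non-krbtgt) service accounts, a burst of distinct services requested by one principal, and any request at all for a decoy account. The record field names are an assumed, simplified flattening of the event’s XML, and the sample data and honey account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Event ID 4769 ("A Kerberos service ticket was requested")
# records, flattened to a few fields; not real telemetry.
SAMPLE_4769 = [
    {"time": "2018-04-05T10:00:01", "user": "jdoe@CORP.LOCAL", "service": "krbtgt", "etype": "0x12", "status": "0x0"},
    {"time": "2018-04-05T10:00:02", "user": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": "0x17", "status": "0x0"},
    {"time": "2018-04-05T10:00:03", "user": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"time": "2018-04-05T10:00:04", "user": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2018-04-05T10:00:05", "user": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2018-04-05T10:00:06", "user": "jdoe@CORP.LOCAL", "service": "honey_sqladmin", "etype": "0x17", "status": "0x0"},
    {"time": "2018-04-05T11:30:00", "user": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "status": "0x0"},
]

# Constructed decoy (honey) account names; a real deployment pulls these from inventory.
HONEY_ACCOUNTS = {"honey_sqladmin"}


def is_rc4_roast_candidate(ev):
    """Successful RC4 (0x17) TGS request for a user-backed service: the classic Kerberoasting shape.
    AES requests (0x11/0x12) deliberately do not match; that is the blind spot the post anticipates."""
    svc = ev["service"]
    return (ev["etype"] == "0x17" and ev["status"] == "0x0"
            and svc.lower() != "krbtgt" and not svc.endswith("$"))


def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Return (kind, requester, detail) alerts; kind is 'honey_account' or 'rc4_burst'."""
    alerts = []
    history = defaultdict(list)   # requester -> [(timestamp, service)] seen inside the window
    burst_reported = set()        # alert once per requester, not once per ticket
    for ev in sorted(events, key=lambda e: e["time"]):
        # Any ticket request for a decoy account is an alert, whatever the encryption type.
        if ev["service"].lower() in HONEY_ACCOUNTS:
            alerts.append(("honey_account", ev["user"], ev["service"]))
        if not is_rc4_roast_candidate(ev):
            continue
        ts = datetime.fromisoformat(ev["time"])
        hist = history[ev["user"]]
        hist.append((ts, ev["service"].lower()))
        hist[:] = [(t, s) for t, s in hist if ts - t <= window]   # slide the window forward
        distinct = {s for _, s in hist}
        if len(distinct) >= threshold and ev["user"] not in burst_reported:
            burst_reported.add(ev["user"])
            alerts.append(("rc4_burst", ev["user"], sorted(distinct)))
    return alerts
```

The burst threshold and window are tuning knobs; the decoy-account rule fires on a single event because a honey account should never be requested legitimately.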
macOS Keylogging
Among the security tooling present on Palantir’s large fleet of macOS systems is an extensive osquery deployment. We’ve used macOS keyloggers previously on engagements with success. However, when osquery introduced the event_taps table (event taps being a component used in many macOS keyloggers), Palantir quickly turned around an ADS to alert on any such suspicious usage in a manner that was specific and resistant to false positives in their environment. Their production detection quickly caught our red team keylogging activity and gave their CIRT a wealth of additional investigative context for nearly all of the TTPs and tools in use during the operation.
Keylogging will almost always be a crucial component in achieving red team objectives, so we couldn’t just give up on this macOS tradecraft and were forced to innovate. Doing some digging, Chris Ross found that HID devices can be polled directly, avoiding the need to utilize event taps. Chris quickly turned around a new macOS keylogger and validated that osquery event_taps events were not being generated. The specific technique used was turned over to Palantir for the purposes of building improved keylogger detections.
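The following is an added example, not Palantir’s ADS or osquery’s own code, of the kind of false-positive-resistant triage described above: it reads osquery differential result lines for event taps and alerts only on newly created taps whose owning binary is not on a per-environment allowlist. It assumes a scheduled query named event_taps_monitor that joins event_taps to processes so each row carries the tapping binary’s path; the result lines, host name, PIDs, paths and allowlist are all constructed.

```python
import json

# Constructed osquery differential result lines (one JSON object per line); not real
# telemetry. The assumed scheduled query "event_taps_monitor" joins event_taps to
# processes (ON processes.pid = event_taps.tapping_process) to add the "path" column.
SAMPLE_RESULTS = """\
{"name": "event_taps_monitor", "hostIdentifier": "mac-0421", "action": "added", "columns": {"event_tap_id": "1", "enabled": "1", "tapping_process": "412", "process_being_tapped": "0", "path": "/Applications/ApprovedHotkeys.app/Contents/MacOS/ApprovedHotkeys"}}
{"name": "event_taps_monitor", "hostIdentifier": "mac-0421", "action": "added", "columns": {"event_tap_id": "2", "enabled": "1", "tapping_process": "5531", "process_being_tapped": "0", "path": "/private/tmp/.cache/helper"}}
{"name": "event_taps_monitor", "hostIdentifier": "mac-0421", "action": "removed", "columns": {"event_tap_id": "2", "enabled": "1", "tapping_process": "5531", "process_being_tapped": "0", "path": "/private/tmp/.cache/helper"}}
{"name": "other_query", "hostIdentifier": "mac-0421", "action": "added", "columns": {"pid": "7"}}
"""

# Constructed allowlist of binaries known to create event taps legitimately in this
# environment (accessibility and hotkey tools); this is what keeps the alert specific.
ALLOWED_TAPPERS = {"/Applications/ApprovedHotkeys.app/Contents/MacOS/ApprovedHotkeys"}


def triage_event_taps(log_text, allowlist=ALLOWED_TAPPERS):
    """Return (host, tapping pid, path) for each newly added event tap not owned by an allowlisted binary.
    Note the known blind spot from the text: a keylogger that polls HID devices directly
    never creates an event tap, so it produces no event_taps rows for this logic to see."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Only new taps from our query; "removed" rows describe a tap going away, not appearing.
        if rec.get("name") != "event_taps_monitor" or rec.get("action") != "added":
            continue
        cols = rec["columns"]
        if cols.get("path") in allowlist:
            continue
        alerts.append((rec["hostIdentifier"], int(cols["tapping_process"]), cols.get("path")))
    return alerts
```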
Conclusion
We welcome this “rinse and repeat” cycle of constant red vs. blue innovation and the Palantir InfoSec team has supplied a steady source of motivation to our red team for improving tradecraft. In return, Palantir benefits from building robust detections for all the techniques we employ for offensive operations. The community benefits as well, through our shared commitment to publicly release the red and blue tradecraft we develop.
We’re extremely excited to more formally define our partnership with Palantir and solidify our long-term relationship. Our teams will continue to push each other forward in new offensive tradecraft and defensive methodology. While the circumstances of how we developed new tradecraft won’t always be known, stay tuned for the inevitable releases our collaboration will produce! On a related note, if you happen to be looking to work for a world-class detection team tackling complex defensive problems, Palantir’s InfoSec team is hiring!