SadCamper: Doubling Down On Recursive File Location Randomization (RFLR)

May 21, 2024 | Categories: Research

Enter SadCamper, a formal demonstration of the concept of "Recursive File Location Randomization - RFLR" for cyber defense.

SadCamper is a tool which coins the term "Recursive File Location Randomization - RFLR" and formally demonstrates a particular aspect of "moving target defense" by empowering administrators to obscure the location of business-critical data targeted by attackers, effectively stopping threat actor exfiltration in its path.

The Example Of Address Space Layout Randomization - ASLR

Before the implementation of Address Space Layout Randomization (ASLR), attackers frequently exploited the predictable fixed locations of system libraries, such as Kernel32.dll on Windows, to execute malicious shellcode on vulnerable systems. Kernel32.dll, being a core Windows library that provides access to vital system functionality, was a prime target because its APIs facilitated operations crucial for the execution of arbitrary code, such as creating processes or manipulating memory. The static memory address locations of these libraries and their exported functions enabled attackers to craft exploits with hardcoded addresses pointing directly to useful functions within these libraries. This method was particularly effective in buffer overflow attacks, where attackers could overflow a buffer with malicious input, achieve execution, and locate system APIs to conduct operations with ease. The predictability of library locations drastically simplified the development of reliable exploits that could be reused across many systems.

The introduction of ASLR was a widespread mitigation technique which significantly increased the difficulty of such attacks by randomizing the addresses of loaded libraries and executables on each system, making the exploitation of such vulnerabilities considerably more challenging and requiring attackers to employ more sophisticated techniques to achieve reliable exploitation.

The principle here, summarized, was to randomize the location of system libraries and tell 'authorized code', but not 'unauthorized code', where they ended up.

The concept of filesystems

Filesystems represent a significant challenge in the field of cybersecurity, as they turn the very same files designed for system operation into targets of exfiltration by attackers.

Enter RFLR - Randomizing Location of sensitive files to defend against threat actor exfiltration

Continuing from the foundation set by ASLR, SadCamper introduces the concept of Recursive File Location Randomization (RFLR), which extends the principle of unpredictability to the filesystem level.

How RFLR Works

RFLR works by utilizing various state-of-the-art techniques to prevent the identification and exfiltration of sensitive files. This means that even if attackers can get past a system's defenses and execute code, identifying files for exfiltration can bring them to a halt.

For example, by relocating all the files on a Windows filesystem to the Recycle Bin, data exfiltration scripts that rely on files being in certain directories (C:\Users, C:\Windows) will be stopped in their tracks. This approach, while simple, adds a significant hurdle for attackers, especially those relying on automated tools and scripts that expect these files to reside at known locations.
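The ASLR analogy the post draws (randomize the location, then tell authorized code but not unauthorized code where things went) can be shown in a few lines. The following is an added illustration, not SadCamper's own code: it moves a set of constructed sample files to random nested paths under a root directory, records the new locations in an index that stands in for "authorized code", and shows that a reader with a hardcoded path comes up empty while an index-based reader still succeeds. The file names, contents and function names are all assumptions made for the example.

```python
import secrets
import tempfile
from pathlib import Path

# Constructed sample "business-critical" files; contents are placeholders.
SAMPLE_FILES = {
    "payroll.csv": b"employee,salary\nalice,1\n",
    "customers.db": b"SQLite format 3\x00",
}


def randomize_layout(root: Path, logical_names, depth: int = 3) -> dict:
    """Move each file to a random nested directory under root.

    Returns the index {logical_name: randomized_path}. This index plays the
    role of the loader that knows where ASLR placed a library: authorized
    code consults it, anything with a hardcoded path does not.
    """
    index = {}
    for name in logical_names:
        src = root / name
        # Random path components (from the OS CSPRNG) cannot be guessed
        # without the index.
        parts = [secrets.token_hex(8) for _ in range(depth)]
        dst = root.joinpath(*parts) / secrets.token_hex(8)
        dst.parent.mkdir(parents=True, exist_ok=True)
        src.rename(dst)
        index[name] = dst
    return index


def read_authorized(index: dict, name: str) -> bytes:
    """Authorized access: resolve the logical name through the index."""
    return index[name].read_bytes()


def read_hardcoded(root: Path, name: str):
    """Simulates a script with a hardcoded path; returns None if the file is gone."""
    p = root / name
    return p.read_bytes() if p.exists() else None


def demo() -> dict:
    """Run the relocation in a temporary directory and report both access styles."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in SAMPLE_FILES.items():
            (root / name).write_bytes(data)
        index = randomize_layout(root, SAMPLE_FILES)
        return {
            "hardcoded": {n: read_hardcoded(root, n) for n in SAMPLE_FILES},
            "authorized": {n: read_authorized(index, n) for n in SAMPLE_FILES},
            "index_under_root": all(root in p.parents for p in index.values()),
        }


if __name__ == "__main__":
    for kind, found in demo().items():
        print(kind, found)
```

The caveat a practitioner will spot immediately is the same one that applies to the Recycle Bin trick in the post: the index (or the Recycle Bin metadata) becomes the single thing worth finding, and any tooling that enumerates the filesystem rather than trusting a fixed path is unaffected. That is why the post files RFLR under "security through obscurity" alongside "moving target defense".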

Conclusion - The Beginning Of Sad Camping With SadCamper

SadCamper emerges as a beacon of innovative defense, heralding the era of Sad Camping for system administrators and security teams. By introducing the concept of Recursive File Location Randomization (RFLR), SadCamper not only amplifies the security posture of organizations through the concepts of "moving target defense" and "security through obscurity", but also sets a precedent for the dynamic and adaptive defense mechanisms necessary in today's digital battleground. The tool's ability to obfuscate the paths to business-sensitive data (a technique underscored by the glaring prevalence of hardcoded paths in both offensive and defensive tools on GitHub) serves as a critical countermeasure against attackers' reliance on predictability. SadCamper exemplifies the kind of inventive strategies that will be paramount in thwarting attackers' efforts, ensuring that organizations can indeed look forward to many happy camping experiences in their security endeavors. This is not the end but rather the beginning, where SadCamper leads the way in setting a new paradigm of defense.

SadCamper is available on GitHub, is free and open source software, and will be extended and improved over time. Any and all feedback or input is appreciated!

Additionally, SpacialSec offers its customers a version slightly ahead of the community version which adds additional protections to maintain an advantage. We’ll be adding optional registry modification in the next few days.

Easy Install

It's literally an office fan on a default setting.

Integration Ready

You have an AC outlet, right?

Reduce Risk

Whether adversary nation or criminal actors, SpatialSec™ will be sure to blow papers everywhere.

Updated Regularly

Our proprietary office fans™ will be updated over the air for god knows what reason.