SlideShare a Scribd company logo

BSIDES-PR Keynote Hunting for Bad Guys

Download as PPTX, PDF
J
Joff Thyer

This document discusses techniques for hunting bad guys on networks, including identifying client-side attacks, malware command and control channels, post-exploitation activities, and hunting artifacts. It provides examples of using DNS logs, firewall logs, HTTP logs, registry keys, installed software inventories, and the AMCache registry hive to look for anomalous behaviors that could indicate security compromises. The goal is to actively hunt for threats rather than just detecting known bad behaviors.

Internet
1 of 46
Hunting for Bad Guys Author: Joff Thyer © 2016
About me • Joff Thyer • Senior Consultant, Pen Tester and Security Researcher • Black Hills Information Security • Security Weekly Co-Host • SANS Instructor, SEC-573 Python for Pen Tester • Twitter: @joff_thyer
Client Side Attacks • Humans are more vulnerable than anything else • Social Engineering opportunities abound • Spear Phishing • Phone Calls • USB Drops • People download and click, and run things all the time…
Client Side Approaches • Exploit vulnerable software • Operating Systems and Apps. • Thank you Adobe… • Browsers and mobile
Exploitation challenges • Accuracy of recon • What versions of software are people running? • Defense software watching for exploitation behaviors • Endpoint defense software signatures • Address Space Layout Randomization (ASLR) • Data Execution Prevention (DEP) • The Enhanced Mitigation Experience Toolkit (EMET)
Client Side Approaches • Just create the malware anyway… • Why exploit vulnerable software when people will run stuff for you? • Attractive Apps in Google Play Store • Awesome spreadsheets – people love running macros! • Java droppers • Pretty websites
Malware C2 Channel • Lots of possibilities for creating a C2 channel • PowerShell Empire MS-Office Macro • Metasploit Meterpreter MS-Office Macro • Standalone Visual Basic (wscript / cscript) • EXE’s and DLL content • PowerShell Empire Script Stager • DNSCAT2 covert DNS channel
Metasploit EXE’s still work… • Msfvenom within Metasploit is still very useful if you: • Generate a 64-bit binary • Use a legitimate windows binary as template • Use the “exe-only” option rather than “exe”.
Msfvenom - write.exe w/ payload • Windows x64 write.exe used as template • PE/COFF file “.text” section gets modified with payload (space permitting) • Section header characteristics gets modified to also be writeable. • Endpoint detection solutions don’t seem to be detecting 64-bit often.
C2 established, now what? • Lets assume your spear phishing campaign has worked, and you have an established beach head. • Lets assume your goal is to ex-filtrate sensitive intellectual property • Next steps? • Further recon. • Escalation • Pivot / Lateral movement
Recon / Post Exploitation • PowerShell Empire, Powerview, and Metasploit all have a rich collection of post exploitation methods. • Metasploit examples • Winenum, enum_ad_users, enum_ad_groups, enum_ad_computers • Metasploit’s ”extapi”. (thanks Carlos) • adsi_computer_enum, adsi_dc_enum, adsi_group_enum • PowerShell Empire / PowerView • Invoke-ShareFinder • Invoke-FileFinder • Get-NetUser • Get-NetComputer • Invoke-UserHunter
Recon: BloodHound • “BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.” https://github.com/adaptivethreat/BloodHound • Gathers all the data in one single PowerShell applet • Computers, Users, Groups, Sessions, Local Admins • Download resulting “CSV” files, import into database, and visualize. PS C:> Get-BloodHoundData | Export-BloodHoundCSV
Recon • Even if you only have a simple backdoor shell C:> NET USERS /DOMAIN C:> NET GROUP “Domain Admins” /DOMAIN C:> NET GROUP “Enterprise Admins” /DOMAIN C:> NET GROUP “Domain Controllers” /DOMAIN C:> NET LOCALGROUP Administrators C:> NET VIEW /DOMAIN:CORP
Escalation Opportunities • PowerShell Empire / PowerUp.ps1 / PowerSploit • Group Policy Preferences (Get-GPPPassword) • Invoke-AllChecks • Unattended installation XML files with creds • Files with sensitive credential data on shares • Over-privileged users / medium integrity process / Bypass UAC • Misconfigured services • Misconfigured ACLs • Unquoted Service Paths • Improper permissions of service EXE files • The Always Install Elevated registry key for MSI files. • Path DLL hijacking • Password Spraying!!
Pivoting / Lateral Movement • Assuming we have a domain admin or widespread locally administrative credential. • Either with standalone commands, binaries, Metasploit, or Empire, we can pivot… • PSExec / Invoke-PSExec • Invoke-WMI • Invoke-PSRemoting
Hunt Teaming • Actively looking for advanced attackers • Advanced persistent pen-testers / attackers will bypass defenses • Actively hunt for initial C2, and Post Compromise activity • Must have close coordination with security and operations teams • Must analyze lots of data and accelerate decision making
Hunt Teaming • Assumes that defenses will be broken and a compromise will or has already occurred • A more data analytical approach to hunt for threats: • Initial focus on a macro level rather than individual endpoints • Examine patterns and behavior of live network activity • Look for deviations from baseline behavior • Examine artifacts of potential compromise • Compare endpoint data in a larger group context • How does endpoint citizen A deviate from citizen B?
Hunt Teaming: Baselines • 20 Critical Security Controls • https://www.cisecurity.org/critical-controls.cfm • TOP 5: • CSC#1: Inventory of Authorized and Unauthorized Devices • CSC#2: Inventory of Authorized and Unauthorized Software • CSC#3: Secure Configurations of Hardware and Software • CSC#4: Continuous Vulnerability Assessment and Remediation • CSC#5: Controlled Use Of Administrative Privileges
Hunting for C2: DNS Logs • Log queries and count them • Compare peer group endpoints • They should all behave similarly • Vast majority of queries will be “A”, ”CNAME” records • What if one endpoint is: • Receiving many NXDOMAIN responses • Producing lots of lesser used query types (TXT, SOA, MX) • Querying at a high frequency • Count them all, produce mean, median and standard deviation
Hunting for C2: Proxy Logs • Malware reliably depends on TCP port 80 (HTTP), and TCP port 443 (HTTPS). • Malware often uses unusual HTTP User-Agent strings • Count the frequencies of all user-agent strings over time • Look very closely at the low frequency counts • Examine the user-agent strings for legitimacy • Look closely at the devices using unusual user-agent strings
Hunting for C2: Firewall Logs • Obtain firewall logs with session setup and tear-down • 48 hours or more of logging is preferred • Create a script that parses the log and shows TCP session length for all sessions in the log • Sort the output in descending order of session length • Specifically note any sessions that remain open • Are long duration TCP sessions normal?
Hunting for C2: Beacons • Use a sampling method across TCP/UDP connection tuples to analyze frequency • A Discrete Fast Fourier Transform (DFFT) can be used to convert from the original “time” domain to a “frequency” domain. • DFFT application can be used to highlight regular beaconing. • In other words, beacons will show up with a high correlation on specific frequencies • K-Means distance from nearest neighbor clustering algorithms can be used also.
Hunting for C2: HTTP User-Agent • Either from proxy, firewall logs, or from live traffic • Obtain frequency count of all HTTP User-Agent headers over time. • Ensure that the data being assessed are similar client side devices • Sort the final count by frequency • Analyze the least frequently seen User-Agent strings • Compare with baseline software installation on devices. • Squid proxy quick one liner… # cat access.log.1 | cut -d']' -f2 | cut -d'"' -f6 | sort | uniq -c | sort -k 1,9 –rn
Hunting C2: HTTP URL Length • RFC2616 does not explicitly limit URL length • General recommendation that web servers should not rely on URLs > 255 chars • Malware agents will often use long, and complex URLs • Environment information encoded within URL • Data content encoded with base64 within URL
Hunting for Credential Use • We can use a ”Honey Tokens” technique to stage fake credentials in memory? (Credential Canaries) • C:> runas /user:CORPservicetech /netonly cmd.exe • Make the credential look juicy… • Like “servicetech” or ”localadmin” or similar • So if attacker uses Mimikatz and/or dumps hashes from memory it is attractive! • If ANYONE attempts to use these account names, they are not your friend. LOOK for logon events using this fake cred!!!! • https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311
Hunting for Pivoting • Might initiate with an SMB scan to determine neighboring systems that can be logged into • Remote login will be attempted with one of: • PSExec • WMI • Windows Remoting / PSRemote
Hunting for Pivot: PSExec • PSExec does the following: • Logs into remote system • Creates a new service to start a process • Removes service once process has executed • Noisy in event logs – System Event 7045 • Empire tells you: “not opsec safe”
PSExec Service Creation • System Log Event 7045: Service Creation
Hunting for Pivot: WMI • Very quiet in event logs – pretty much nothing… • You can enable WMI event tracing but details are sparse • Audit of “Process Creation” events provides limited info.
Hunting for Pivot: WMI/PsExec SysInternals Sysmon
Hunting: Useful Windows Event IDs • Must collect events from workstations also! • Security, and Application Event Logs • 1102: Audit Log Cleared • 4624 / 4625: Logon Success and Failure • 4688: Process Creation • 4720 / 4722: User Account Created / Enabled • 4732: Member added to security enabled localgroup • 7045: New service installed
Hunting: Who are you talking to?
Hunting Artifacts • What software is installed across the domain? • Do all workstations adhere to a single baseline? • If not, why? • What are the “Run”, and “RunOnce” registry keys across the domain? • Count strings by frequency and sort • Look for low frequency counts
Hunting Artifacts: Domain Wide • Use ADSI/LDAP to query for list of workstations $DirSearcher = New-Object ` System.DirectoryServices.DirectorySearcher([adsi]’’) $DirSearcher.Filter = ‘(objectClass=Computer)’ $DirSearcher.FindAll().GetEnumerator() ` | ForEach-Object { $_.Properties.name } •OR, if you have RSAT then, Get-ADComputer -Filter ‘ObjectClass -eq “Computer”’ | select -expand DNSHostName
Hunting Artifacts: Run/RunOnce Keys $cred = Get-Credential Invoke-Command -Credential $cred -ComputerName myhostname -ScriptBlock {Get-Item HKLM:SoftwareMicrosoftWindowsCurrentVersion Run} Invoke-Command -Credential $cred -ComputerName myhostname -ScriptBlock {Get-Item HKLM:SoftwareMicrosoftWindowsCurrentVersion RunOnce}
Hunting: Run/RunOnce (WMI) $HKLM = 2147483650 $reg_run = "SoftwareMicrosoftWindowsCurrentVersionRun" $registry = Get-WmiObject StdRegProv ` -Namespace Root/Default ` -Credential $cred ` -ComputerName $Target –List $enum = $registry.EnumValues($HKLM, $reg_run) ForEach ($key in $enum.sNames) { $value = ($registry.GetStringValue($HKLM, $reg_run, $key)).sValue Write-Output " [+] $reg_run : $key = $value” }
Hunting: Installed Software Invoke-Command -Credential $cred ` -ComputerName myhostname ` -ScriptBlock ` {Get-ItemProperty ` HKLM:SoftwareMicrosoftWindowsUninstall* ` | Select displayname, publisher, installdate}
Hunting Artifacts: WMIC • WMI/WBEM is a really powerful way of getting information across the domain C:> wmic product get name,version C:>wmic /node:@systems.txt product get description,name,vendor /format:csv > SoftwareInventory.txt • The /node:@systems.txt allows you to run the same command on multiple systems. You do not need to do this here. We are simply telling you how the file was created.
Hunting Artifacts: more WMIC You can pull the .exe You can also pull the registry keys
Hunting Artifacts: AMCache • In Windows 8 and up, the AMCache registry hive is a part of the application experience and compatibility features • Formally known as “RecentFileCache.bcf” but some patched versions of Windows 7 use “AMCache.hve” also. • Its all part of the Microsoft compatibility SHIM infrastructure. • Sweet! Microsoft Windows has its own rootkit! • Google: “amcache goldmine” (Yogesh Katri) • http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
Hunting Artifacts: AMCache • The Application Experience toolkit stores a lot of interesting information into the AMCache registry hive. • This becomes a really good place to perform forensic activities.
Hunting Artifacts: AMCache • Information that is stored in this hive includes: • Full executable path • Created and modified timestamps • SHA1 hash of the file • PE linker timestamp • PE header data and some file version info
Hunting Artifacts: AMCache • Using PowerShell we can perform some recursion through the AMCache hive • Local administrator access required. • You will probably find that the registry hive file is locked by the application experience service processes • Volume Shadow Copies are your friend • Create or use existing volume shadow copy • Mount the registry hive in PowerShell and explore…
Hunting Artifacts: AMCache
Hunting Artifacts: AMCache • you can visit my BitBucket repo, and fetch a script to do similar things… • https://bitbucket.org/jsthyer/getamcache
Conclusion • Move from detecting known bad, to seeking out probable threats. • Leverage the design of your networks, and/or consider new design elements to help show you probable threats! • Move beyond what outside security vendors consider is a threat to what YOU consider to be a threat. • There are never silver bullets, only hard work. • Happy Hunting!

Recommended

External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Addios!
Addios!Addios!
Addios!Chong-Kuan Chen
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 

Recommended

External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Addios!
Addios!Addios!
Addios!Chong-Kuan Chen
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
1000 to 0
1000 to 01000 to 0
1000 to 0Sunny Neo
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest ApocalypseBeau Bullock
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014Chong-Kuan Chen
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceSam Bowne
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceSam Bowne
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the GapWill Schroeder
 

More Related Content

What's hot

Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest ApocalypseBeau Bullock
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceSam Bowne
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceSam Bowne
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 

What's hot (20)

Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest Apocalypse
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network Evidence
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
 

Viewers also liked

PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 

Viewers also liked (6)

PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 

Similar to BSIDES-PR Keynote Hunting for Bad Guys

H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityOliver Hader
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesSam Bowne
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesSam Bowne
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Brandon Arvanaghi
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...EC-Council
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptxTckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptxAlfredObia1
 
Powering up on PowerShell - BSides Charleston - Nov 2018
Powering up on PowerShell - BSides Charleston - Nov 2018Powering up on PowerShell - BSides Charleston - Nov 2018
Powering up on PowerShell - BSides Charleston - Nov 2018Fernando Tomlinson, CISSP, MBA
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEChris Gates
 

Similar to BSIDES-PR Keynote Hunting for Bad Guys (20)

H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise Services
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating Applications
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptxTckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
 
Powering up on PowerShell - BSides Charleston - Nov 2018
Powering up on PowerShell - BSides Charleston - Nov 2018Powering up on PowerShell - BSides Charleston - Nov 2018
Powering up on PowerShell - BSides Charleston - Nov 2018
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 

Recently uploaded

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 

Recently uploaded (20)

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 

BSIDES-PR Keynote Hunting for Bad Guys

  • 1. Hunting for Bad Guys Author: Joff Thyer © 2016
  • 2. About me • Joff Thyer • Senior Consultant, Pen Tester and Security Researcher • Black Hills Information Security • Security Weekly Co-Host • SANS Instructor, SEC-573 Python for Pen Tester • Twitter: @joff_thyer
  • 3. Client Side Attacks • Humans are more vulnerable than anything else • Social Engineering opportunities abound • Spear Phishing • Phone Calls • USB Drops • People download and click, and run things all the time…
  • 4. Client Side Approaches • Exploit vulnerable software • Operating Systems and Apps. • Thank you Adobe… • Browsers and mobile
  • 5. Exploitation challenges • Accuracy of recon • What versions of software are people running? • Defense software watching for exploitation behaviors • Endpoint defense software signatures • Address Space Layout Randomization (ASLR) • Data Execution Prevention (DEP) • The Enhanced Mitigation Experience Toolkit (EMET)
  • 6. Client Side Approaches • Just create the malware anyway… • Why exploit vulnerable software when people will run stuff for you? • Attractive Apps in Google Play Store • Awesome spreadsheets – people love running macros! • Java droppers • Pretty websites
  • 7. Malware C2 Channel • Lots of possibilities for creating a C2 channel • PowerShell Empire MS-Office Macro • Metasploit Meterpreter MS-Office Macro • Standalone Visual Basic (wscript / cscript) • EXE’s and DLL content • PowerShell Empire Script Stager • DNSCAT2 covert DNS channel
  • 8. Metasploit EXE’s still work… • Msfvenom within Metasploit is still very useful if you: • Generate a 64-bit binary • Use a legitimate windows binary as template • Use the “exe-only” option rather than “exe”.
  • 9. Msfvenom - write.exe w/ payload • Windows x64 write.exe used as template • PE/COFF file “.text” section gets modified with payload (space permitting) • Section header characteristics gets modified to also be writeable. • Endpoint detection solutions don’t seem to be detecting 64-bit often.
  • 10. C2 established, now what? • Lets assume your spear phishing campaign has worked, and you have an established beach head. • Lets assume your goal is to ex-filtrate sensitive intellectual property • Next steps? • Further recon. • Escalation • Pivot / Lateral movement
  • 11. Recon / Post Exploitation • PowerShell Empire, Powerview, and Metasploit all have a rich collection of post exploitation methods. • Metasploit examples • Winenum, enum_ad_users, enum_ad_groups, enum_ad_computers • Metasploit’s ”extapi”. (thanks Carlos) • adsi_computer_enum, adsi_dc_enum, adsi_group_enum • PowerShell Empire / PowerView • Invoke-ShareFinder • Invoke-FileFinder • Get-NetUser • Get-NetComputer • Invoke-UserHunter
  • 12. Recon: BloodHound • “BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.” https://github.com/adaptivethreat/BloodHound • Gathers all the data in one single PowerShell applet • Computers, Users, Groups, Sessions, Local Admins • Download resulting “CSV” files, import into database, and visualize. PS C:> Get-BloodHoundData | Export-BloodHoundCSV
  • 13. Recon • Even if you only have a simple backdoor shell C:> NET USERS /DOMAIN C:> NET GROUP “Domain Admins” /DOMAIN C:> NET GROUP “Enterprise Admins” /DOMAIN C:> NET GROUP “Domain Controllers” /DOMAIN C:> NET LOCALGROUP Administrators C:> NET VIEW /DOMAIN:CORP
  • 14. Escalation Opportunities • PowerShell Empire / PowerUp.ps1 / PowerSploit • Group Policy Preferences (Get-GPPPassword) • Invoke-AllChecks • Unattended installation XML files with creds • Files with sensitive credential data on shares • Over-privileged users / medium integrity process / Bypass UAC • Misconfigured services • Misconfigured ACLs • Unquoted Service Paths • Improper permissions of service EXE files • The Always Install Elevated registry key for MSI files. • Path DLL hijacking • Password Spraying!!
  • 15. Pivoting / Lateral Movement • Assuming we have a domain admin or widespread locally administrative credential. • Either with standalone commands, binaries, Metasploit, or Empire, we can pivot… • PSExec / Invoke-PSExec • Invoke-WMI • Invoke-PSRemoting
  • 16. Hunt Teaming • Actively looking for advanced attackers • Advanced persistent pen-testers / attackers will bypass defenses • Actively hunt for initial C2, and Post Compromise activity • Must have close coordination with security and operations teams • Must analyze lots of data and accelerate decision making
  • 17. Hunt Teaming • Assumes that defenses will be broken and a compromise will or has already occurred • A more data analytical approach to hunt for threats: • Initial focus on a macro level rather than individual endpoints • Examine patterns and behavior of live network activity • Look for deviations from baseline behavior • Examine artifacts of potential compromise • Compare endpoint data in a larger group context • How does endpoint citizen A deviate from citizen B?
  • 18. Hunt Teaming: Baselines • 20 Critical Security Controls • https://www.cisecurity.org/critical-controls.cfm • TOP 5: • CSC#1: Inventory of Authorized and Unauthorized Devices • CSC#2: Inventory of Authorized and Unauthorized Software • CSC#3: Secure Configurations of Hardware and Software • CSC#4: Continuous Vulnerability Assessment and Remediation • CSC#5: Controlled Use Of Administrative Privileges
  • 19. Hunting for C2: DNS Logs • Log queries and count them • Compare peer group endpoints • They should all behave similarly • Vast majority of queries will be “A”, ”CNAME” records • What if one endpoint is: • Receiving many NXDOMAIN responses • Producing lots of lesser used query types (TXT, SOA, MX) • Querying at a high frequency • Count them all, produce mean, median and standard deviation
  • 20. Hunting for C2: Proxy Logs • Malware reliably depends on TCP port 80 (HTTP), and TCP port 443 (HTTPS). • Malware often uses unusual HTTP User-Agent strings • Count the frequencies of all user-agent strings over time • Look very closely at the low frequency counts • Examine the user-agent strings for legitimacy • Look closely at the devices using unusual user-agent strings
  • 21. Hunting for C2: Firewall Logs • Obtain firewall logs with session setup and tear-down • 48 hours or more of logging is preferred • Create a script that parses the log and shows TCP session length for all sessions in the log • Sort the output in descending order of session length • Specifically note any sessions that remain open • Are long duration TCP sessions normal?
  • 22. Hunting for C2: Beacons • Use a sampling method across TCP/UDP connection tuples to analyze frequency • A Discrete Fast Fourier Transform (DFFT) can be used to convert from the original “time” domain to a “frequency” domain. • DFFT application can be used to highlight regular beaconing. • In other words, beacons will show up with a high correlation on specific frequencies • K-Means distance from nearest neighbor clustering algorithms can be used also.
  • 23. Hunting for C2: HTTP User-Agent • Either from proxy, firewall logs, or from live traffic • Obtain frequency count of all HTTP User-Agent headers over time. • Ensure that the data being assessed are similar client side devices • Sort the final count by frequency • Analyze the least frequently seen User-Agent strings • Compare with baseline software installation on devices. • Squid proxy quick one liner… # cat access.log.1 | cut -d']' -f2 | cut -d'"' -f6 | sort | uniq -c | sort -k 1,9 –rn
  • 24. Hunting C2: HTTP URL Length • RFC2616 does not explicitly limit URL length • General recommendation that web servers should not rely on URLs > 255 chars • Malware agents will often use long, and complex URLs • Environment information encoded within URL • Data content encoded with base64 within URL
  • 25. Hunting for Credential Use • We can use a ”Honey Tokens” technique to stage fake credentials in memory? (Credential Canaries) • C:> runas /user:CORPservicetech /netonly cmd.exe • Make the credential look juicy… • Like “servicetech” or ”localadmin” or similar • So if attacker uses Mimikatz and/or dumps hashes from memory it is attractive! • If ANYONE attempts to use these account names, they are not your friend. LOOK for logon events using this fake cred!!!! • https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311
  • 26. Hunting for Pivoting • Might initiate with an SMB scan to determine neighboring systems that can be logged into • Remote login will be attempted with one of: • PSExec • WMI • Windows Remoting / PSRemote
  • 27. Hunting for Pivot: PSExec • PSExec does the following: • Logs into remote system • Creates a new service to start a process • Removes service once process has executed • Noisy in event logs – System Event 7045 • Empire tells you: “not opsec safe”
  • 28. PSExec Service Creation • System Log Event 7045: Service Creation
  • 29. Hunting for Pivot: WMI • Very quiet in event logs – pretty much nothing… • You can enable WMI event tracing but details are sparse • Audit of “Process Creation” events provides limited info.
  • 30. Hunting for Pivot: WMI/PsExec SysInternals Sysmon
  • 31. Hunting: Useful Windows Event IDs • Must collect events from workstations also! • Security, and Application Event Logs • 1102: Audit Log Cleared • 4624 / 4625: Logon Success and Failure • 4688: Process Creation • 4720 / 4722: User Account Created / Enabled • 4732: Member added to security enabled localgroup • 7045: New service installed
  • 32. Hunting: Who are you talking to?
  • 33. Hunting Artifacts • What software is installed across the domain? • Do all workstations adhere to a single baseline? • If not, why? • What are the “Run”, and “RunOnce” registry keys across the domain? • Count strings by frequency and sort • Look for low frequency counts
  • 34. Hunting Artifacts: Domain Wide • Use ADSI/LDAP to query for list of workstations $DirSearcher = New-Object ` System.DirectoryServices.DirectorySearcher([adsi]’’) $DirSearcher.Filter = ‘(objectClass=Computer)’ $DirSearcher.FindAll().GetEnumerator() ` | ForEach-Object { $_.Properties.name } •OR, if you have RSAT then, Get-ADComputer -Filter ‘ObjectClass -eq “Computer”’ | select -expand DNSHostName
  • 35. Hunting Artifacts: Run/RunOnce Keys $cred = Get-Credential Invoke-Command -Credential $cred -ComputerName myhostname -ScriptBlock {Get-Item HKLM:SoftwareMicrosoftWindowsCurrentVersion Run} Invoke-Command -Credential $cred -ComputerName myhostname -ScriptBlock {Get-Item HKLM:SoftwareMicrosoftWindowsCurrentVersion RunOnce}
  • 36. Hunting: Run/RunOnce (WMI) $HKLM = 2147483650 $reg_run = "SoftwareMicrosoftWindowsCurrentVersionRun" $registry = Get-WmiObject StdRegProv ` -Namespace Root/Default ` -Credential $cred ` -ComputerName $Target –List $enum = $registry.EnumValues($HKLM, $reg_run) ForEach ($key in $enum.sNames) { $value = ($registry.GetStringValue($HKLM, $reg_run, $key)).sValue Write-Output " [+] $reg_run : $key = $value” }
  • 37. Hunting: Installed Software Invoke-Command -Credential $cred ` -ComputerName myhostname ` -ScriptBlock ` {Get-ItemProperty ` HKLM:SoftwareMicrosoftWindowsUninstall* ` | Select displayname, publisher, installdate}
  • 38. Hunting Artifacts: WMIC • WMI/WBEM is a really powerful way of getting information across the domain C:> wmic product get name,version C:>wmic /node:@systems.txt product get description,name,vendor /format:csv > SoftwareInventory.txt • The /node:@systems.txt allows you to run the same command on multiple systems. You do not need to do this here. We are simply telling you how the file was created.
  • 39. Hunting Artifacts: more WMIC You can pull the .exe You can also pull the registry keys
  • 40. Hunting Artifacts: AMCache • In Windows 8 and up, the AMCache registry hive is a part of the application experience and compatibility features • Formally known as “RecentFileCache.bcf” but some patched versions of Windows 7 use “AMCache.hve” also. • Its all part of the Microsoft compatibility SHIM infrastructure. • Sweet! Microsoft Windows has its own rootkit! • Google: “amcache goldmine” (Yogesh Katri) • http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
  • 41. Hunting Artifacts: AMCache • The Application Experience toolkit stores a lot of interesting information into the AMCache registry hive. • This becomes a really good place to perform forensic activities.
  • 42. Hunting Artifacts: AMCache • Information that is stored in this hive includes: • Full executable path • Created and modified timestamps • SHA1 hash of the file • PE linker timestamp • PE header data and some file version info
  • 43. Hunting Artifacts: AMCache • Using PowerShell we can perform some recursion through the AMCache hive • Local administrator access required. • You will probably find that the registry hive file is locked by the application experience service processes • Volume Shadow Copies are your friend • Create or use existing volume shadow copy • Mount the registry hive in PowerShell and explore…
  • 45. Hunting Artifacts: AMCache • you can visit my BitBucket repo, and fetch a script to do similar things… • https://bitbucket.org/jsthyer/getamcache
  • 46. Conclusion • Move from detecting known bad, to seeking out probable threats. • Leverage the design of your networks, and/or consider new design elements to help show you probable threats! • Move beyond what outside security vendors consider is a threat to what YOU consider to be a threat. • There are never silver bullets, only hard work. • Happy Hunting!