
Wrangle Your Defense Using Offensive Tactics BSides CT 2019


The key to a good defense is understanding the offense. Grab your lasso and hop in the saddle because this talk will cover attack techniques that are regularly used to compromise networks and how they can be leveraged by the blue team to build a stronger defense. Forget vulnerability scanners, in this talk we cover issues they rarely catch, which include: Discovering unknown weaknesses externally and internally, weak passwords, in-memory credential theft and privilege abuse.

Learn how to discover, exploit and defend against those weaknesses using a number of free and/or open-source tools, as well as defense tips and the IOCs needed to tune your SIEM. Lastly, the MITRE ATT&CK framework will be introduced, so that you can utilize the same tactics on the entire gamut of known attack vectors.


  1. Wrangle Your Defense Using Offensive Tactics
     By: Matt Dunn
  2. Who Am I
     W R A N G L E  Y O U R  D E F E N S E  U S I N G  O F F E N S I V E  T A C T I C S (running footer on every slide)
     • Hacker
     • Pentester
     • Consultant
     • Build Hackers
     • Love Open-Source
  3. Bad News
  4–11. Overview (incremental build)
     Make your network more secure by understanding common attack paths and how to defend against them.
     • This Talk Is Mostly High Level
     • GET PERMISSION FIRST!
     • Network Discovery
     • Attacking And Defending Against Password Issues
     • Stealing Credentials From Memory
     • Analyzing Active Directory Environments
     • Using The MITRE ATT&CK Framework To Go Further
  12–16. Dealing With The Unknown: Locating Weakness (incremental build)
     What To Look For
     • Items That Do Not Belong On The Internet
       • Citrix management consoles with default creds
     • Default Or Non-Existent Passwords
       • No one should be able to log in to all your cameras or printers with admin:admin
     • Items On Incorrect Network Segments
       • Can you see the SQL ports for backend databases from the workstation network?
     • Anything That Looks Really Old
       • Sometimes the IT graveyard is the corporate network
  17. Dealing With The Unknown: Discovery
     How To Find Things
  18. Dealing With The Unknown: Discovery
     Nmap
     • Port Scanner
     • Support for Windows, Linux, OSX and Unix
  19. Dealing With The Unknown: Discovery
     Simple Nmap Scan
  20. Dealing With The Unknown: Discovery
     Nmap Documentation
     • Too Many Options To Cover In This Talk
     • https://nmap.org/book/
     • YouTube, Google, Blogs To Find More
  21. Dealing With The Unknown: Discovery
     EyeWitness
     • Linux Tool (Officially Supported On Kali And Debian)
     • Screenshots HTTP/HTTPS
     • Quickly Visualize Web Interfaces On A Network
       • Security cameras
       • Portal logins
       • VPN logins
  22. Dealing With The Unknown: Discovery
     EyeWitness – Report
  23. Dealing With The Unknown: Defense
     Utilizing What Is Discovered
     • Regularly Perform Discovery To Find Gaps
     • Fix The Gaps
  24. Weak Passwords: Intro
     Weak Passwords: passwords that are default, easily guessed or easily cracked.
  25–27. Weak Passwords: Intro (incremental build)
     Common Types of Weak Passwords
     • Default Passwords
       • admin:admin
       • root:toor
     • Easy To Guess Passwords
       • Fall2019!
       • Companyname1
     • Password Reuse
       • Local admin passwords
       • Same password used across service accounts
       • Etc.
  28–30. Weak Passwords: Why They Matter (incremental build)
     Why Should We Care About Weak Passwords?
     • "So what? Michael is stupid and has the password Bsides2019; he is just a basic user."
     • Attackers only need one weak link to move into a network
     • It often isn’t difficult to move from a basic user up the ladder
  31–32. Weak Passwords: Attacking Weak Passwords (incremental build)
     Password Guessing/Spraying
     • Testing commonly used passwords against a user, or list of users, at a slow rate (avoid lockouts)
     • Standard password complexity settings do not prevent the use of easy-to-guess passwords
  33–35. Weak Passwords: Attacking Weak Passwords (incremental build)
     Password Guessing – Tools
     • BurpSuite (free version has speed limitations)
     • Spraycharles (open-source, web-based logins)
       • https://github.com/Tw1sm/spraycharles
     • DomainPasswordSpray (open-source, Windows networks)
       • https://github.com/dafthack/DomainPasswordSpray
  36–37. Weak Passwords: Attacking Weak Passwords (incremental build)
     What To Do With The Passwords?
     • Log Into Things
       • Email
       • Helpdesk Ticketing System
         • Create ticket, attach Excel file with malware in it
       • VPN
     • CrackMapExec
       • Utilize passwords and hashes to authenticate to systems and perform actions
  38–41. Weak Passwords: Attacking Weak Passwords (incremental build)
     CrackMapExec Example – Checking For Local Admin Access
     Callouts:
     • Valid Password Found
     • Valid Password, Local Admin Account Disabled
     • Invalid Password
  42. Weak Passwords: Blue Team
     Defending Against Weak Passwords
  43. Weak Passwords: Blue Team
     Evaluate Your Passwords First
     • DSInternals – https://github.com/MichaelGrafnetter/DSInternals
       • Open-source PowerShell module
       • Contains a password auditing feature that does not require cracking passwords
         • Test-PasswordQuality
         • https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Test-PasswordQuality.md#test-passwordquality
  44. Weak Passwords: Blue Team
     DSInternals Example:
  45. Weak Passwords: Blue Team
     Block Bad Passwords
     • Password Filters
       • CredDefense (open-source)
         • https://github.com/CredDefense/CredDefense
       • Anixis (paid)
         • https://anixis.com/products/ppe/
       • nFront (paid)
         • https://nfrontsecurity.com/products/nfront-password-filter/
  46. Weak Passwords: Blue Team
     Stop The Reuse Of Local Admin Passwords
     • Microsoft LAPS – https://www.microsoft.com/en-us/download/details.aspx?id=46899
       • Microsoft’s free solution for deploying and managing unique local admin passwords
  47. Weak Passwords: IOCs
     Detection
  48–52. Weak Passwords: IOCs (incremental build)
     What To Watch For
     • Windows Event ID 4625 “Logon failure”
       • Monitor for high numbers of these (threshold will vary from org to org)
     • Windows Event ID 4771 “Kerberos pre-authentication failed”
       • ID 4625 only covers SMB logins
       • If we guess passwords using the LDAP service on a Domain Controller, that triggers event ID 4771
     • Consider Also Watching Successes
       • Have the ability to track whether any successful guesses were obtained
     • Make Sure You Have All The Logs You Need
       • Often some systems may not be forwarding all the logs needed to determine the source of an attack
       • For instance, if the attacker is hitting the VPN, the Domain Controller logs won’t necessarily tell you what IP the attacker is coming from
     • Failed Login Attempts On Service Accounts Or Honey Accounts
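The detection logic the IOC slides describe, written out as an added example (not code from the talk): it counts 4625 and 4771 failures per source address in a sliding window, flags the spray pattern of many distinct accounts from one source, then checks for a 4624 success from a flagged source and for any attempt against a honey account. The event records are constructed samples in the shape of the fields a SIEM normally keeps; the window, thresholds and honey-account name are assumptions to be tuned per organization, as the slides say.

```python
"""Password-spray detection over Windows logon events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_IDS = {4625, 4771}       # logon failure (NTLM/SMB) and Kerberos pre-auth failure
SUCCESS_ID = 4624
WINDOW = timedelta(minutes=10)   # assumption: sliding window per source address
FAIL_THRESHOLD = 8               # assumption: failures in one window before alerting
DISTINCT_ACCOUNTS = 5            # assumption: a spray hits many accounts, few guesses each
HONEY_ACCOUNTS = {"svc_legacy_backup"}  # constructed honey/service account name

# Constructed sample events: (ISO timestamp, event id, account, source address).
# 10.0.5.23 sprays nine accounts (the honey account among them) and then logs in
# as mjones; 10.0.7.40 is one user mistyping their own password.
SAMPLE_EVENTS = [
    ("2019-10-05T09:00:01", 4625, "jsmith", "10.0.5.23"),
    ("2019-10-05T09:00:03", 4625, "mjones", "10.0.5.23"),
    ("2019-10-05T09:00:05", 4625, "akhan", "10.0.5.23"),
    ("2019-10-05T09:00:07", 4625, "bwang", "10.0.5.23"),
    ("2019-10-05T09:00:09", 4625, "clopez", "10.0.5.23"),
    ("2019-10-05T09:00:11", 4625, "dgreen", "10.0.5.23"),
    ("2019-10-05T09:00:13", 4771, "svc_legacy_backup", "10.0.5.23"),
    ("2019-10-05T09:00:15", 4771, "epatel", "10.0.5.23"),
    ("2019-10-05T09:00:17", 4771, "fnguyen", "10.0.5.23"),
    ("2019-10-05T09:01:40", 4624, "mjones", "10.0.5.23"),
    ("2019-10-05T09:02:10", 4625, "jsmith", "10.0.7.40"),
    ("2019-10-05T09:02:12", 4625, "jsmith", "10.0.7.40"),
    ("2019-10-05T09:02:14", 4625, "jsmith", "10.0.7.40"),
    ("2019-10-05T09:03:00", 4624, "jsmith", "10.0.7.40"),
]


def detect_spray(events):
    """Return {source: summary} for sources whose failures inside one WINDOW reach
    FAIL_THRESHOLD across at least DISTINCT_ACCOUNTS different accounts."""
    failures = defaultdict(list)
    for ts, eid, account, source in sorted(events):
        if eid in FAILURE_IDS:
            failures[source].append((datetime.fromisoformat(ts), account, eid))

    alerts = {}
    for source, items in failures.items():
        window = deque()
        for when, account, eid in items:
            window.append((when, account, eid))
            while when - window[0][0] > WINDOW:   # drop events older than WINDOW
                window.popleft()
            accounts = {a for _, a, _ in window}
            if len(window) >= FAIL_THRESHOLD and len(accounts) >= DISTINCT_ACCOUNTS:
                alerts[source] = {
                    "failures": len(window),
                    "accounts": sorted(accounts),
                    "event_ids": sorted({e for _, _, e in window}),
                    "last_seen": when.isoformat(),
                }
    return alerts


def successes_from_flagged_sources(events, alerts):
    """A 4624 from a source already flagged for spraying means a guess landed."""
    return [(account, source, ts) for ts, eid, account, source in sorted(events)
            if eid == SUCCESS_ID and source in alerts]


def honey_account_activity(events):
    """Any attempt, failed or successful, against a honey account is a hit."""
    return [e for e in sorted(events) if e[2] in HONEY_ACCOUNTS]


if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    for source, summary in found.items():
        print(f"possible spray from {source}: {summary}")
    print("successes after spray:", successes_from_flagged_sources(SAMPLE_EVENTS, found))
    print("honey account hits:", honey_account_activity(SAMPLE_EVENTS))
```

The source address is whatever the log carries, so the slide's VPN caveat still applies: if the only logs are the Domain Controller's, the flagged "source" may be the VPN concentrator rather than the real origin, and the VPN logs are needed to go further.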
  53. In-Memory Credential Theft: Intro
     Getting Deeper Access
  54–55. In-Memory Credential Theft: Intro (incremental build)
     Stealing Credentials From Memory
     • Systems often hold passwords and/or hashes in memory
     • Credentials in memory can be stolen using tools such as Mimikatz
  56. In-Memory Credential Theft: Examples
     Stealing Credentials From Memory – Examples
     Windows 7
     • WDigest enabled by default
     • Stores clear-text credentials
  57. In-Memory Credential Theft: Examples
     Stealing Credentials From Memory – Examples
     Windows 10
     • WDigest disabled by default
     • Hashes
  58–61. In-Memory Credential Theft: Defense (incremental build)
     Defending Against Mimikatz
     • Disable The SeDebugPrivilege Via Group Policy
       • Mimikatz requires SeDebugPrivilege for many actions
       • Configure and push a policy that contains no users or groups
     • Disable WDigest In The Registry
       • PowerShell example:
         Set-ItemProperty -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 0 -Type DWord
     • Use Credential Guard
       • Protects the LSA process
       • Will cause problems for NTLMv1, MS-CHAPv2, Digest and CredSSP authentication
       • Check for the usage of these protocols in any Single Sign-On (SSO) solutions to avoid problems
     • Protect LSASS.exe Using An EDR Solution
       • Many EDR solutions have the ability to block processes from accessing LSASS.exe
  62. In-Memory Credential Theft: Detection
     Detecting Mimikatz
     • Security Event ID 4688
       • Often attackers do not customize Mimikatz fully, leaving common commands behind
       • Be on the lookout for things like Mimikatz.exe, sekurlsa, sekurlsa::logonpasswords, lsass.exe, etc. in this event ID
     • Sysmon Event ID 1
       • The same items listed above can also be found in Sysmon Event ID 1
     • Yara Rules
       • Included in the code repo
       • https://github.com/gentilkiwi/mimikatz
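The slide's indicator list applied to process-creation events, as an added example (not code from the talk): it matches the listed strings case-insensitively against the image path and command line of Security 4688 and Sysmon 1 records, and suppresses the one routine record that would otherwise trip the "lsass.exe" indicator, the boot-time start of lsass.exe by wininit.exe. The records are constructed samples; the field names are assumptions about how a SIEM has parsed the events, and the benign-lsass rule is an added tuning step, not something the slide states.

```python
"""Mimikatz command-line indicators in 4688 / Sysmon 1 records (added example)."""

# Indicator strings from the slide; matched case-insensitively.
INDICATORS = ("mimikatz.exe", "sekurlsa", "sekurlsa::logonpasswords", "lsass.exe")

# Constructed sample records (field names are assumptions).
SAMPLE_RECORDS = [
    {"event_id": 4688, "provider": "Security",
     "new_process_name": r"C:\Users\mdunn\Downloads\mimikatz.exe",
     "parent_process_name": r"C:\Windows\System32\cmd.exe",
     "command_line": r'mimikatz.exe "sekurlsa::logonpasswords" exit'},
    {"event_id": 1, "provider": "Microsoft-Windows-Sysmon",
     "image": r"C:\Windows\Temp\svc.exe",                 # renamed binary, same command
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'svc.exe "sekurlsa::logonpasswords"'},
    {"event_id": 4688, "provider": "Security",
     "new_process_name": r"C:\Windows\System32\lsass.exe",   # normal boot-time start
     "parent_process_name": r"C:\Windows\System32\wininit.exe",
     "command_line": r"C:\Windows\system32\lsass.exe"},
    {"event_id": 4688, "provider": "Security",
     "new_process_name": r"C:\Windows\System32\notepad.exe",
     "parent_process_name": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]


def fields_of(rec):
    """Return (image, parent) for a Security 4688 or Sysmon 1 record, else None."""
    if rec["event_id"] == 4688 and rec.get("provider") == "Security":
        return rec.get("new_process_name", ""), rec.get("parent_process_name", "")
    if rec["event_id"] == 1 and rec.get("provider") == "Microsoft-Windows-Sysmon":
        return rec.get("image", ""), rec.get("parent_image", "")
    return None


def is_benign_lsass_start(image, parent):
    """Tuning rule (assumption): lsass.exe launched from System32 by wininit.exe
    is Windows starting its own LSA process, not a tool touching it."""
    return (image.lower() == r"c:\windows\system32\lsass.exe"
            and parent.lower() == r"c:\windows\system32\wininit.exe")


def scan(records):
    """Return [(index, event_id, [matched indicators])] for records that match."""
    hits = []
    for idx, rec in enumerate(records):
        picked = fields_of(rec)
        if picked is None:
            continue
        image, parent = picked
        if is_benign_lsass_start(image, parent):
            continue
        haystack = (image + " " + rec.get("command_line", "")).lower()
        found = [ind for ind in INDICATORS if ind in haystack]
        if found:
            hits.append((idx, rec["event_id"], found))
    return hits


if __name__ == "__main__":
    for idx, eid, found in scan(SAMPLE_RECORDS):
        print(f"record {idx} (event {eid}) matched: {', '.join(found)}")
```

The second record is the point of the slide: renaming the binary defeats the "mimikatz.exe" indicator, but the uncustomized module command still appears in the command line, so both 4688 and Sysmon 1 catch it.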
  63. Privilege Abuse: Intro
     Get Credentials > Understand What You Have
  64–68. Privilege Abuse: BloodHound (incremental build)
     BloodHound
     • One of the best ways for attackers and defenders to understand an Active Directory environment
     • Windows and Linux support
     • Run collector as any domain user
     • Points out possible privilege escalation paths
     • Helps identify gaps in least privilege
  69. Privilege Abuse: BloodHound
     BloodHound – Example:
  70–74. Privilege Abuse: Defense (incremental build)
     Defending Against BloodHound And AD Enumeration:
     • Provide User Permissions On A Least Privilege Model
       • The helpdesk doesn’t need domain admin to troubleshoot laptops
     • Use BloodHound To Find And Break Weak Links
     • Detect BloodHound By Creating Honey Tokens
       • http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
     • Break BloodHound Using ADSecurity.org Tips
       • https://adsecurity.org/wp-content/uploads/2019/09/2019-DerbyCon-ActiveDirectorySecurity-BeyondTheEasyButton-Metcalf.pdf
     • PingCastle
       • AD security tool
       • https://www.pingcastle.com/
  75–78. Go Further (incremental build)
     • I’ve only covered a small number of security concerns
     • Be proactive and go beyond blinky boxes
     • Use MITRE ATT&CK to evaluate and measure your defense
  79–83. Go Further: MITRE ATT&CK (incremental build)
     Using MITRE ATT&CK:
     • Focus on common attacks for your industry segment first
     • Can you?
       • Prevent a technique
       • Detect a technique
     • Fix prevention and detection where lacking
     • Consider purple teaming
  84. Thank You For Listening!
  85. Keep In Touch
     How To Contact Me
     • Email: mdunn@schneiderdowns.com
     • Twitter: @MattThePlanet
  86. References
     • https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
     • https://adsecurity.org/?page_id=1821
     • https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works
     • https://adsecurity.org/wp-content/uploads/2019/09/2019-DerbyCon-ActiveDirectorySecurity-BeyondTheEasyButton-Metcalf.pdf
