Embrace the Red: Enhancing detection
capabilities with adversary simulation
Bsides Baltimore 2019
Mauricio Velazco
@mvelazco
$whoami
✘Peruvian
✘Blue team lead (ex-pentester)
✘@mvelazco
✘Derbycon, Bsides, SANS
Offensive Approach
• Vulnerability Scanning
• Penetration Testing
• Red teaming
• …
Adversary simulation / Purple Team
Goal: Identify gaps in visibility & detection
capabilities
✘Collaborative exercise / knowledge transfer
✘Allows blue to identify and understand TTPs
✘Allows red to identify evasion paths
Adversary Simulation / Purple Team Process
Simulation Scenarios
Simulating the same TTP under different scenarios will test
detection resilience
✘Example: Kerberoasting
Simulation 1: Invoke-Kerberoast -Domain domain.com
Simulation 2: GetUserSPNs.py -dc-ip X.X.X.X domain.com/user
vs
Simulation 3: PowerView / SharpView recon to identify target
Rubeus.exe kerberoast /user:secureservice
Password Spraying
✘Iterate through a list of users, trying one commonly used password (e.g. Winter2019) against each
✘Used to obtain initial access, situational awareness or privilege escalation
✘ https://attack.mitre.org/techniques/T1110/
Password Spray Purple Team #1
✘ Scenario:
Adversary has physical access and connects a rogue device to the network
Tools: ldapsearch, medusa.
✘ Validate one password on all domain users against a Domain Controller (NTLM)
ldapsearch -x -h host -b "dc=d,dc=com" -D "u" -W -s sub '(&(objectCategory=Computer)(userAccountControl:XX))'
ldapsearch -x -h host -b "dc=d,dc=com" -D "u" -W -s sub '(&(objectClass=user))' | grep sAMAccountName
medusa -U users.txt -p Winter2019 -M smbnt -h [Dc_ip] -m GROUP:DOMAIN
✘ Assessment:
Domain controller is properly logging failed account logon events (Event ID 4625).
✘ Detection
Event=4625 AND LogonType=3 group by (ClientAddress) where unique(AccountName) > [Threshold]
Password Spray Purple Team #2
✘Scenario
Adversary controls a compromised host in the environment
Tools: cmd.exe and PowerShell
✘ Validate one password on 50 domain users against a domain computer ( Kerberos )
net user /domain
net group "Domain Computers" /domain
Invoke-SMBLogin -Username users.txt -Computer Server01 -Password Winter2019
✘ Assessment
Domain controllers are not logging Kerberos events.
Enable "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations"
Password Spray Purple Team #3
✘ Scenario
Adversary controls a compromised host on the environment
Tools: cmd.exe & PowerShell
✘ Validate one password on 20 domain users against 20 domain computers (NTLM). Sleep 5 seconds between authentication attempts.
net user /domain
net group "Domain Computers" /domain
Invoke-SMBLogin -Username users.txt -Computer hosts.txt -Password Winter2019 -Sleep 5
✘ Assessment:
Domain member endpoint events are not centralized.
Existing detection analytics do not account for a sleep time between attempts.
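The analytic from Purple Team #1 (4625, LogonType 3, grouped by client address, distinct accounts above a threshold) run against the gaps found in #2 and #3, as an added Python example that is not part of the original deck or of PurpleSpray. Events are constructed dicts carrying the fields of Windows 4625 and of Kerberos 4771 (Status 0x18 is a bad password, which is what the audit policies recommended in #2 produce on the DC); the threshold, IPs, account and host names are assumptions, and the slow spray uses the 30-second sleep from iteration #4 so the effect of the window size is visible.

```python
"""Password-spray analytic over Windows Security events (constructed sample data).

Normalises NTLM network logon failures (4625, LogonType 3) and Kerberos
pre-authentication failures (4771, Status 0x18 = bad password) to
(time, source, account) and alerts when one source fails against more than
THRESHOLD distinct accounts inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10  # assumed: distinct accounts per source before alerting


def normalise(event):
    """Return (time, source_ip, account) for a relevant failure, else None."""
    eid = event["EventID"]
    ntlm_fail = eid == 4625 and event.get("LogonType") == 3
    kerb_fail = eid == 4771 and event.get("Status") == "0x18"
    if not (ntlm_fail or kerb_fail):
        return None
    src = event["IpAddress"]
    if src.startswith("::ffff:"):      # DCs log IPv4 clients as IPv4-mapped IPv6
        src = src[len("::ffff:"):]
    return event["TimeCreated"], src, event["TargetUserName"].lower()


def detect_spray(events, window, threshold=THRESHOLD):
    """{source_ip: accounts} for every source that failed against more than
    `threshold` distinct accounts within some interval of length `window`."""
    per_source = defaultdict(list)
    for ev in events:
        n = normalise(ev)
        if n:
            per_source[n[1]].append((n[0], n[2]))
    hits = {}
    for src, attempts in per_source.items():
        attempts.sort()
        best, lo = set(), 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1                  # slide the window's left edge forward
            accounts = {acct for _, acct in attempts[lo:hi + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) > threshold:
            hits[src] = best
    return hits


# --- constructed sample events (not real logs) -------------------------------
def make_spray(start, source, accounts, gap, event_id=4625, computers=("DC01",)):
    """One failure per account, `gap` apart, logged on the given computer(s)."""
    out = []
    for i, acct in enumerate(accounts):
        ev = {"EventID": event_id, "TimeCreated": start + i * gap, "IpAddress": source,
              "TargetUserName": acct, "Computer": computers[i % len(computers)]}
        if event_id == 4625:
            ev["LogonType"] = 3
        else:
            ev["Status"] = "0x18"
        out.append(ev)
    return out


T0 = datetime(2019, 4, 20, 9, 0, 0)
USERS = [f"user{i:02d}" for i in range(20)]
HOSTS = [f"WS{i:02d}" for i in range(20)]

# #1: medusa from a rogue device, NTLM against the DC, no delay
FAST = make_spray(T0, "10.0.0.50", USERS, timedelta(milliseconds=200))
# #2: Kerberos pre-auth failures on the DC from a compromised host
KERB = make_spray(T0, "::ffff:10.0.1.20", USERS, timedelta(seconds=1), event_id=4771)
# #3/#4: NTLM against 20 different member hosts, 30 s sleep between attempts
SLOW = make_spray(T0, "10.0.1.21", USERS, timedelta(seconds=30), computers=HOSTS)
# benign: one user mistyping their password a few times
NOISE = make_spray(T0, "10.0.2.5", ["jdoe"] * 5, timedelta(seconds=5))
ALL = FAST + KERB + SLOW + NOISE


def naive_hits():
    """The #1 analytic with a one-minute window: misses the slow spray."""
    return detect_spray(ALL, window=timedelta(minutes=1))


def windowed_hits():
    """Same analytic, 30-minute window: the 30 s sleep no longer evades it."""
    return detect_spray(ALL, window=timedelta(minutes=30))


def per_host_hits(computer, window=timedelta(minutes=30)):
    """What an analytic run against a single endpoint's local log would see."""
    return detect_spray([e for e in ALL if e["Computer"] == computer], window)


if __name__ == "__main__":
    print("1 min window :", sorted(naive_hits()))
    print("30 min window:", sorted(windowed_hits()))
    print("WS03 only    :", per_host_hits("WS03"))
```

Two things fall out of running it: the one-minute window catches the medusa spray and the Kerberos spray but not the host that sleeps 30 seconds, and a 30-minute window catches all three; and even with the wide window, a single endpoint's log holds one failure per host, so grouping by source address only works once endpoint events are collected centrally. Widening the window raises false positives from shared NAT or proxy addresses, so the threshold and window should be tuned together against your own baseline.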
Password Spray Purple Team #n
#4: Iteration of #1 ( target a DC )
wait 30 seconds between each authentication attempt
use local accounts
target random DCs, including DCs abroad
#5: Iteration of #2 ( target a domain computer )
use NTLM
use local accounts
target random computers
#6:
#7:
........................
PurpleSpray
https://github.com/mvelazc0/PurpleSpray
PurpleSpray
✘ Executes password spray behavior under
different scenarios and conditions within
Windows enterprise environment
✘ Helps identify gaps in visibility as well as test,
improve and build new detection analytics for
spraying attacks
✘ Version 1: two modules, targeting SMB
PurpleSpray Supported Scenarios
✘ Simulate a rogue device or a compromised host
✘ Target random users (badPwdCount <= 3)
✘ Target different roles and random hosts (lastLogon <= 1 day)
✘ Spraying domain or local accounts
✘ Using Kerberos or NTLM
✘ Sleep between authentication attempts
✘ Think of more? -> @mvelazco
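The target-selection rules listed on this slide (random users with badPwdCount <= 3, random hosts with lastLogon <= 1 day), as an added Python example that is not PurpleSpray's own code. The directory records are constructed dicts standing in for LDAP query results; the attribute names are the real Active Directory ones, while the lockout threshold, account and host names are assumptions. Two caveats a practitioner needs here: badPwdCount is kept per DC and is not replicated, but every DC forwards bad-password attempts to the PDC emulator, so read it from the DC you will spray or from the PDC; and lastLogon is also per DC and is a Windows FILETIME, whereas the replicated lastLogonTimestamp is only refreshed every 9 to 14 days and is too coarse for a "logged on today" filter.

```python
"""Lockout-safe target selection for a spray exercise (constructed LDAP records).

lastLogon is a FILETIME: 100 ns ticks since 1601-01-01 UTC, 0 = never.
A spray attempt adds one to badPwdCount; the account locks when it reaches
the domain's lockoutThreshold (0 = no lockout policy), so every selected user
must be able to absorb one more failure.
"""
import random
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002                 # userAccountControl flag


def filetime_to_datetime(ft):
    """FILETIME (int, 100 ns ticks) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware UTC datetime -> FILETIME, computed with integers to stay exact."""
    d = dt - EPOCH_1601
    micros = (d.days * 86400 + d.seconds) * 10**6 + d.microseconds
    return micros * 10


def select_users(users, lockout_threshold, max_bad=3):
    """sAMAccountNames that are enabled, have badPwdCount <= max_bad and will
    not reach lockout_threshold after one more failure."""
    chosen = []
    for u in users:
        if u["userAccountControl"] & ACCOUNTDISABLE:
            continue
        if u["badPwdCount"] > max_bad:
            continue
        if lockout_threshold and u["badPwdCount"] + 1 >= lockout_threshold:
            continue
        chosen.append(u["sAMAccountName"])
    return chosen


def select_hosts(computers, now, max_age=timedelta(days=1)):
    """dNSHostNames of enabled computers whose lastLogon is within max_age."""
    chosen = []
    for c in computers:
        if c["userAccountControl"] & ACCOUNTDISABLE or c["lastLogon"] == 0:
            continue
        if now - filetime_to_datetime(c["lastLogon"]) <= max_age:
            chosen.append(c["dNSHostName"])
    return chosen


def plan_spray(users, computers, now, lockout_threshold, seed=None):
    """(user, host) pairs: each eligible user tried once against a random
    recently active host, as in scenario #3. Sleeping between attempts and
    the authentication itself are left to the caller."""
    rng = random.Random(seed)
    hosts = select_hosts(computers, now)
    return [(u, rng.choice(hosts)) for u in select_users(users, lockout_threshold)]


# --- constructed directory snapshot (not real data) --------------------------
NOW = datetime(2019, 4, 20, 12, 0, tzinfo=timezone.utc)


def _user(name, bad, uac=0x200):
    return {"sAMAccountName": name, "badPwdCount": bad, "userAccountControl": uac}


def _computer(name, last_logon_age, uac=0x1000):
    ft = 0 if last_logon_age is None else datetime_to_filetime(NOW - last_logon_age)
    return {"dNSHostName": f"{name}.d.com", "lastLogon": ft, "userAccountControl": uac}


USERS = [
    _user("alice", 0),
    _user("bob", 4),                       # too many recent failures, skip
    _user("carol", 0, uac=0x200 | ACCOUNTDISABLE),
    _user("dave", 3),                      # safe at threshold 5, not at 4
    _user("erin", 2),
]
COMPUTERS = [
    _computer("SRV01", timedelta(hours=2)),
    _computer("WS02", timedelta(days=3)),      # stale
    _computer("WS03", None),                   # never logged on
    _computer("FS01", timedelta(hours=23)),
    _computer("OLD01", timedelta(hours=1), uac=0x1000 | ACCOUNTDISABLE),
]

if __name__ == "__main__":
    for user, host in plan_spray(USERS, COMPUTERS, NOW, lockout_threshold=5, seed=1):
        print(f"{user:8} -> {host}")
```

In a real run the records come from an LDAP query such as the ldapsearch lines on the #1 slide, and lockout_threshold from the domain's lockoutThreshold attribute; the max_bad margin matters because another source (a stale mapped drive, a service with an old password) may be burning failures on the same account while you spray.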
Demo 1
impacket_spray
Simulates an adversary leveraging a
rogue device in the network
Demo 2
empire_spray
Simulates an adversary with control
of a compromised domain host
TODO
✘Support other protocols
Exchange Web Service ( EWS )
Office 365 / Azure AD
HTTP ( Citrix, Vpn portal )
HTTP / NTLM ( ADFS, Lync, Skype )
✘Reporting
✘Ideas ? -> @mvelazco !
Acknowledgements
✘Impacket ( https://github.com/SecureAuthCorp/impacket )
✘Empire ( https://github.com/EmpireProject/Empire )
✘Death Star ( https://github.com/byt3bl33d3r/DeathStar )
✘Pentesters Framework ( https://github.com/trustedsec/ptf )
Happy Purple
Teaming
PurpleSpray
https://github.com/mvelazc0/PurpleSpray
Embrace the Red: Enhancing detection
capabilities with adversary simulation
Bsides Baltimore 2019
Mauricio Velazco
@mvelazco

More Related Content

What's hot

Defending Your Network
Defending Your NetworkDefending Your Network
Defending Your NetworkAdam Getchell
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysisChong-Kuan Chen
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
Veil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeilFramework
 
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue TeamBlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue TeamMauricio Velazco
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]RootedCON
 
An IDS for browser hijacking
An IDS for browser hijackingAn IDS for browser hijacking
An IDS for browser hijackingDiogo Mónica
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session iMalachi Jones
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Ivan Piskunov
 

What's hot (20)

Defending Your Network
Defending Your NetworkDefending Your Network
Defending Your Network
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sight
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
A Cyberwarfare Weapon: Slowreq
A Cyberwarfare Weapon: SlowreqA Cyberwarfare Weapon: Slowreq
A Cyberwarfare Weapon: Slowreq
 
Veil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeil-PowerView - NovaHackers
Veil-PowerView - NovaHackers
 
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue TeamBlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
 
An IDS for browser hijacking
An IDS for browser hijackingAn IDS for browser hijacking
An IDS for browser hijacking
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session i
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
 

Similar to Enhancing detection with adversary simulation

SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception saconPriyanka Aash
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainErik Van Buggenhout
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerForAllSecure
 
Enterprise Linux Exploit Mapper (ELEM) Demo
Enterprise Linux Exploit Mapper (ELEM) DemoEnterprise Linux Exploit Mapper (ELEM) Demo
Enterprise Linux Exploit Mapper (ELEM) Demojasoncallaway
 
74 Methods for Privilege Escalation Part 2
74 Methods for Privilege Escalation Part 274 Methods for Privilege Escalation Part 2
74 Methods for Privilege Escalation Part 2Hadess
 
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por "Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por SegInfo
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemBikrant Gautam
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsDr. Ramchandra Mangrulkar
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 

Similar to Enhancing detection with adversary simulation (20)

SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
 
Backtrack Manual Part5
Backtrack Manual Part5Backtrack Manual Part5
Backtrack Manual Part5
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a Hacker
 
Enterprise Linux Exploit Mapper (ELEM) Demo
Enterprise Linux Exploit Mapper (ELEM) DemoEnterprise Linux Exploit Mapper (ELEM) Demo
Enterprise Linux Exploit Mapper (ELEM) Demo
 
74 Methods for Privilege Escalation Part 2
74 Methods for Privilege Escalation Part 274 Methods for Privilege Escalation Part 2
74 Methods for Privilege Escalation Part 2
 
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por "Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Security War Games
Security War GamesSecurity War Games
Security War Games
 
6620handout4o
6620handout4o6620handout4o
6620handout4o
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection System
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 

More from Mauricio Velazco

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaMauricio Velazco
 
Detection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdfDetection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdfMauricio Velazco
 
LimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuroLimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuroMauricio Velazco
 
Peruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de NacionesPeruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de NacionesMauricio Velazco
 
PeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos WindowsPeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos WindowsMauricio Velazco
 
Limahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/LinuxLimahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/LinuxMauricio Velazco
 
Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?Mauricio Velazco
 
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...Mauricio Velazco
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
 
LinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side AttacksLinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side AttacksMauricio Velazco
 

More from Mauricio Velazco (12)

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
 
Detection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdfDetection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdf
 
BSides Panama 2022
BSides Panama 2022BSides Panama 2022
BSides Panama 2022
 
LimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuroLimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuro
 
Peruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de NacionesPeruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de Naciones
 
PeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos WindowsPeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos Windows
 
Limahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/LinuxLimahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/Linux
 
Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?
 
Bsides Latam 2019
Bsides Latam 2019Bsides Latam 2019
Bsides Latam 2019
 
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
 
LinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side AttacksLinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side Attacks
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack

Enhancing detection with adversary simulation

  • 1. Embrace the Red: Enhancing detection capabilities with adversary simulation. Bsides Baltimore 2019. Mauricio Velazco, @mvelazco
  • 2. $whoami
    ✘ Peruvian
    ✘ Blue team lead (ex pentester)
    ✘ @mvelazco
    ✘ Derbycon, Bsides, SANS
  • 3. Offensive Approach
    • Vulnerability Scanning
    • Penetration Testing
    • Red teaming
    • …
  • 4. Adversary simulation / Purple Team
    Goal: Identify gaps in visibility & detection capabilities
    ✘ Collaborative exercise / knowledge transfer
    ✘ Allows blue to identify and understand TTPs
    ✘ Allows red to identify evasion paths
  • 6. Simulation Scenarios
    Simulating the same TTP under different scenarios will test detection resilience
    ✘ Example: Kerberoasting
      Simulation 1: Invoke-Kerberoast -Domain domain.com
      Simulation 2: GetUserSPNs.py -dc-ip X.X.X.X domain.com/user
      vs
      Simulation 3: PowerView / SharpView recon to identify the target, then Rubeus.exe kerberoast /user:secureservice
  • 7. Password Spraying
    ✘ Iterate through a list of users with a commonly used password (Winter2019)
    ✘ Used to obtain initial access / situational awareness / privilege escalation
    ✘ https://attack.mitre.org/techniques/T1110/
  • 8. Password Spray Purple Team #1
    ✘ Scenario: Adversary has physical access and connects a rogue device to the network. Tools: ldapsearch, medusa.
    ✘ Validate one password on all domain users against a Domain Controller (NTLM)
      ldapsearch -x -h host -b "dc=d,dc=com" -D "u" -W -s sub '(&(objectCategory=Computer)(userAccountControl:XX))'
      ldapsearch -x -h host -b "dc=d,dc=com" -D "u" -W -s sub '(objectClass=user)' | grep sAMAccountName
      medusa -U users.txt -p Winter2019 -M smbnt -h [Dc_ip] -m GROUP:DOMAIN
    ✘ Assessment: Domain controller properly logging Failed Account Logon Events (4625)
    ✘ Detection: Event=4625 AND LogonType=3 group by (Client Address) where unique(Account_Name) > [Threshold]
  • 9. Password Spray Purple Team #2
    ✘ Scenario: Adversary controls a compromised host in the environment. Tools: cmd.exe and PowerShell
    ✘ Validate one password on 50 domain users against a domain computer (Kerberos)
      net user /domain
      net group "Domain Computers" /domain
      Invoke-SMBLogin -Username users.txt -Computer Server01 -Password Winter2019
    ✘ Assessment: Domain controllers not logging Kerberos events. Enable "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations"
  • 10. Password Spray Purple Team #3
    ✘ Scenario: Adversary controls a compromised host in the environment. Tools: cmd.exe & PowerShell
    ✘ Validate one password on 20 domain users against 20 domain computers (NTLM). Sleep 5 seconds between authentication attempts.
      net user /domain
      net group "Domain Computers" /domain
      Invoke-SMBLogin -Username users.txt -Computer hosts.txt -Password Winter2019 -Sleep 5
    ✘ Assessment: Domain member endpoint events are not centralized. The existing detection analytic does not account for a sleep time between attempts
  • 11. Password Spray Purple Team #n
    #4: Iteration of #1 (target a DC): wait 30 seconds between each authentication attempt, use local accounts, target a broad set of DCs (random)
    #5: Iteration of #2 (target a domain computer): use NTLM, use local accounts, target random computers
    #6: ...
    #7: ...
  • 13. PurpleSpray
    ✘ Executes password spray behavior under different scenarios and conditions within a Windows enterprise environment
    ✘ Helps identify gaps in visibility as well as test, improve and build new detection analytics for spraying attacks
    ✘ Version 1: two modules, targeting SMB
  • 14. PurpleSpray Supported Scenarios
    ✘ Simulate a rogue device or a compromised host
    ✘ Target random users (badPwdCount <= 3)
    ✘ Target different roles and random hosts (lastLogon <= 1 day)
    ✘ Spraying domain or local accounts
    ✘ Using Kerberos or NTLM
    ✘ Sleep between authentication attempts
    ✘ Think of more? -> @mvelazco
  • 15. Demo 1: impacket_spray. Simulates an adversary leveraging a rogue device in the network
  • 16. Demo 2: empire_spray. Simulates an adversary with control of a compromised domain host
  • 17. TODO
    ✘ Support other protocols: Exchange Web Service (EWS), Office 365 / Azure AD, HTTP (Citrix, VPN portal), HTTP / NTLM (ADFS, Lync, Skype)
    ✘ Reporting
    ✘ Ideas? -> @mvelazco !
  • 18. Acknowledgements
    ✘ Impacket (https://github.com/SecureAuthCorp/impacket)
    ✘ Empire (https://github.com/EmpireProject/Empire)
    ✘ Death Star (https://github.com/byt3bl33d3r/DeathStar)
    ✘ Pentesters Framework (https://github.com/trustedsec/ptf)
  • 21. Embrace the Red: Enhancing detection capabilities with adversary simulation. Bsides Baltimore 2019. Mauricio Velazco, @mvelazco
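The detection analytic on slide 8 (failed network logons grouped by client address, counting distinct accounts) and the gap found on slide 10 (an analytic that ignores a sleep between attempts) can be exercised against sample events. The block below is an added example written for this page; it is not PurpleSpray code or the author's analytic. It constructs its own flat log lines using the field names of the Windows Security event XML (EventID, LogonType, IpAddress, TargetUserName) for 4625 failed logons and 4771 Kerberos pre-authentication failures, and evaluates a sliding time window per source so that a slow, spaced-out spray is still counted. The window length and threshold values are assumptions chosen for the sample data.

```python
"""Sliding-window password-spray detection over constructed 4625/4771 events."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample events in a flat 'timestamp key=value ...' form.

    Field names follow the Security event XML (EventID, LogonType, IpAddress,
    TargetUserName); every value here is invented for this example.
    """
    base = datetime(2019, 4, 20, 10, 0, 0)
    lines = []
    # Fast NTLM spray from a rogue device (slide 8): 12 users in 12 seconds.
    for i in range(12):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} EventID=4625 LogonType=3 "
                     f"IpAddress=10.0.0.50 TargetUserName=user{i:02d}")
    # Slow Kerberos spray from a compromised host (slide 10): 8 users, 30 s apart.
    for i in range(8):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} EventID=4771 "
                     f"IpAddress=10.0.0.60 TargetUserName=svc{i:02d}")
    # Benign noise: one user mistyping their own password four times.
    for i in range(4):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} EventID=4625 LogonType=3 "
                     f"IpAddress=10.0.0.70 TargetUserName=alice")
    # Interactive failures (LogonType 2) fall outside the slide's analytic.
    for i in range(6):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} EventID=4625 LogonType=2 "
                     f"IpAddress=10.0.0.80 TargetUserName=local{i}")
    return lines


def parse_event(line):
    """Turn one constructed line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_spray_candidate(event):
    """Failed network logon (4625 / LogonType 3) or Kerberos pre-auth failure (4771)."""
    if event.get("EventID") == "4625":
        return event.get("LogonType") == "3"
    return event.get("EventID") == "4771"


def detect_spray(lines, window_seconds, threshold):
    """Return {source_ip: sorted accounts} for every source that failed against
    at least `threshold` distinct accounts inside some window of `window_seconds`.

    The window is what makes the analytic resilient to a sleep between attempts:
    a one-minute window misses a 30 s cadence, a five-minute window does not.
    """
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for event in map(parse_event, lines):
        if is_spray_candidate(event):
            by_source[event["IpAddress"]].append((event["ts"], event["TargetUserName"]))

    alerts = {}
    for source, attempts in by_source.items():
        attempts.sort()
        widest = set()
        # Each attempt opens a window; collect the distinct accounts inside it.
        for i, (start, _) in enumerate(attempts):
            accounts = {name for ts, name in attempts[i:] if ts - start <= window}
            if len(accounts) > len(widest):
                widest = accounts
        if len(widest) >= threshold:
            alerts[source] = sorted(widest)
    return alerts


if __name__ == "__main__":
    log = constructed_log()
    for window in (60, 300):
        hits = detect_spray(log, window_seconds=window, threshold=5)
        print(f"window={window}s threshold=5 ->", {s: len(a) for s, a in hits.items()})
```

Run stand-alone, the 60 s window flags only the rogue device at 10.0.0.50, while the 300 s window also flags the slow Kerberos spray from 10.0.0.60; the single user retrying her own password and the interactive (LogonType 2) failures never trip the threshold. The 4771 events only exist on a domain controller once the "Audit Kerberos Authentication Service" subcategory from slide 9 is enabled, and the per-endpoint 4625 events from slide 10 only reach such a query once member-server logs are forwarded centrally.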