BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
•
1 like•253 views
This document discusses PurpleSharp, an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments following the ATT&CK MITRE Framework. PurpleSharp allows detection teams to build and test detection analytics, validate detection resiliency, identify gaps in visibility, verify prevention controls, and more. The document provides information on what PurpleSharp is, why it is useful, and how to access it from GitHub or its documentation site. It also previews two demos of PurpleSharp techniques for execution/persistence and discovery/defense evasion.
Report
Share
Report
Share
Download to read offline
Recommended
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
Attack2jira is a tool that leverages JIRA's API and the ATTACK-Python-Client library to automate the process of setting up a JIRA project for tracking and measuring coverage of ATT&CK techniques. It creates a JIRA project with custom fields for URLs, tactics, and maturity levels. Then it creates a JIRA issue for each ATT&CK technique to interface collaboration on work logging, documentation, and comments while providing basic reporting.
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
This document discusses techniques for hunting lateral movement using Windows event logs. It describes how attackers often need to move laterally within a network and the common methods they use. It then outlines specific Windows events and logon events that can help identify lateral movement, such as Kerberos authentication events, NTLM events, logon/logoff events, and events related to services, tasks, WMI, and WinRM. It presents examples of hunting queries to detect this suspicious activity. Finally, it introduces Oriana, a threat hunting tool the author created that leverages these event types to identify outliers and suspicious user and computer behavior that could indicate lateral movement.
Bsides NYC 2018 - Hunting for Lateral Movement
This document discusses techniques for lateral movement that adversaries use to access and control remote systems on a network. It outlines various methods like exploiting vulnerabilities, abusing legitimate Windows features like Windows services, scheduled tasks, WMI, WinRM and DCOM. The document also discusses how blue teams can detect these techniques by monitoring authentication events, system events, object access logs, WMI activity and Windows remote management logs. It describes using tools like Oriana and frequency analysis to hunt for lateral movement indicators in Windows event logs collected via Windows Event Forwarding.
MITRE ATTACKcon Power Hour - October
Red Canary's lessons learned from remapping their detection analytics to the MITRE ATT&CK framework include figuring out where analytics are currently mapped, letting code do the work of remapping, reviewing mappings for consistency, finding and fixing legacy mapping issues, and considering conditional mapping approaches. The speaker also emphasizes giving back to the ATT&CK community and having fun with the remapping process.
MITRE ATTACKCon Power Hour - December
This document discusses how the MITRE ATT&CK framework can help sharpen a threat hunting program. It begins with distinguishing threat hunting from threat detection, noting that threat hunting is a proactive manual process of searching through systems to identify signs of adversary activity. The document then provides an overview of the MITRE ATT&CK framework and how its tactics and techniques can be used to structure threat hunting searches. It concludes by explaining how the ATT&CK framework helps focus hunting efforts on the specific techniques adversaries are likely using and improves the ability to communicate findings across security teams.
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
Using commercially available attack tools like OpenBullet, Snipr MBA and BlackBullet has dramatically simplified the act of committing fraud through account takeovers, fake account creation or other automated attack. With thousands of configs available on the web, bad actors can find a pre-defined attacks for the retail, financial services, streaming media or other web application they want to target. If a predefined attack config for your company is discovered, how should you react?
In this session, Will Glazier, head of security research at Cequence Security will provide tips and techniques to help you uncover the existence of an attack config, then demonstrate how it is used in OpenBullet, providing pointers on how to use OpenBullet to your mitigation advantage. A demonstration of Cequence Bot Defense will wrap up the session. Discussion topics for the talk will include:
Researching Attack Configurations
- Forums
- Attack tools
- Using the power of Google
Turning the Tables: OpenBullet Deep Dive
- How it works
- Use it to your advantage: stop the attacks
Using OpenBullet Findings to Prevent Attacks
- Brief demo of Cequence Bot Defense
Secure development in .NET with EPiServer Solita
The document discusses secure development practices for .NET applications. It covers topics like threat modeling, hosting perspectives, and continuous integration tools. The presenter recommends that developers take on security testing roles and provides an "onion model" to conceptualize defense in depth strategies with tools mapped at different layers. Continuous security is emphasized through the development lifecycle.
Recommended
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
Attack2jira is a tool that leverages JIRA's API and the ATTACK-Python-Client library to automate the process of setting up a JIRA project for tracking and measuring coverage of ATT&CK techniques. It creates a JIRA project with custom fields for URLs, tactics, and maturity levels. Then it creates a JIRA issue for each ATT&CK technique to interface collaboration on work logging, documentation, and comments while providing basic reporting.
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
This document discusses techniques for hunting lateral movement using Windows event logs. It describes how attackers often need to move laterally within a network and the common methods they use. It then outlines specific Windows events and logon events that can help identify lateral movement, such as Kerberos authentication events, NTLM events, logon/logoff events, and events related to services, tasks, WMI, and WinRM. It presents examples of hunting queries to detect this suspicious activity. Finally, it introduces Oriana, a threat hunting tool the author created that leverages these event types to identify outliers and suspicious user and computer behavior that could indicate lateral movement.
Bsides NYC 2018 - Hunting for Lateral Movement
This document discusses techniques for lateral movement that adversaries use to access and control remote systems on a network. It outlines various methods like exploiting vulnerabilities, abusing legitimate Windows features like Windows services, scheduled tasks, WMI, WinRM and DCOM. The document also discusses how blue teams can detect these techniques by monitoring authentication events, system events, object access logs, WMI activity and Windows remote management logs. It describes using tools like Oriana and frequency analysis to hunt for lateral movement indicators in Windows event logs collected via Windows Event Forwarding.
MITRE ATTACKcon Power Hour - October
Red Canary's lessons learned from remapping their detection analytics to the MITRE ATT&CK framework include figuring out where analytics are currently mapped, letting code do the work of remapping, reviewing mappings for consistency, finding and fixing legacy mapping issues, and considering conditional mapping approaches. The speaker also emphasizes giving back to the ATT&CK community and having fun with the remapping process.
MITRE ATTACKCon Power Hour - December
This document discusses how the MITRE ATT&CK framework can help sharpen a threat hunting program. It begins with distinguishing threat hunting from threat detection, noting that threat hunting is a proactive manual process of searching through systems to identify signs of adversary activity. The document then provides an overview of the MITRE ATT&CK framework and how its tactics and techniques can be used to structure threat hunting searches. It concludes by explaining how the ATT&CK framework helps focus hunting efforts on the specific techniques adversaries are likely using and improves the ability to communicate findings across security teams.
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
Using commercially available attack tools like OpenBullet, Snipr MBA and BlackBullet has dramatically simplified the act of committing fraud through account takeovers, fake account creation or other automated attack. With thousands of configs available on the web, bad actors can find a pre-defined attacks for the retail, financial services, streaming media or other web application they want to target. If a predefined attack config for your company is discovered, how should you react?
In this session, Will Glazier, head of security research at Cequence Security will provide tips and techniques to help you uncover the existence of an attack config, then demonstrate how it is used in OpenBullet, providing pointers on how to use OpenBullet to your mitigation advantage. A demonstration of Cequence Bot Defense will wrap up the session. Discussion topics for the talk will include:
Researching Attack Configurations
- Forums
- Attack tools
- Using the power of Google
Turning the Tables: OpenBullet Deep Dive
- How it works
- Use it to your advantage: stop the attacks
Using OpenBullet Findings to Prevent Attacks
- Brief demo of Cequence Bot Defense
Secure development in .NET with EPiServer Solita
The document discusses secure development practices for .NET applications. It covers topics like threat modeling, hosting perspectives, and continuous integration tools. The presenter recommends that developers take on security testing roles and provides an "onion model" to conceptualize defense in depth strategies with tools mapped at different layers. Continuous security is emphasized through the development lifecycle.
Detection and Response Roles
The document defines and provides an overview of different roles involved in detection and response, including threat intelligence analysts, threat researchers, detection engineers, investigators, and incident handlers. It describes the key activities and responsibilities of each role, as well as the typical inputs and outputs. It also provides examples of how these roles may be organized and staffed in a financial company's security operations center.
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
This document discusses integrating MITRE ATT&CK intelligence into Logstash plugins to provide security analysts with more context about threats. It covers writing plugins to extract relevant data from logs and map detections to MITRE tactics and techniques. When data is missing, the plugin uses other intelligence sources to infer classifications. The document demonstrates connecting Logstash pipelines to leverage parsing and enrichment, and shows tools for viewing and debugging pipeline configurations.
Hacking Web Apps by Brent White
Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, We’ll go over the different stages of a web application pen test, from start to finish. We’ll start with tools used during the discovery phase to utilize OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of targets “footprint”, automated scanners and their use, all the way to manual testing and tools used for fuzzing parameters to find potential SQL injection vulnerabilities. We’ll also discuss pro-tips and tricks that we use while conducting a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps.
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
Unit 42 researches threat activity and publishes detailed reports on attack campaigns launched by these adversaries. One of these adversaries, known as Sofacy, has been carrying out attack campaigns on high profile targets for many years and has continued into 2018.
To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents, "Adversary Playbooks" as they contain our best approximation of how the adversary launches their attacks.
This talk describes the concept of Adversary Playbooks, as well as provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.
Creating Your Own Threat Intel Through Hunting & Visualization
The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments.
In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence:
http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?
Malware for Red Team
Designing Malware for Modern Red Team and Adversary Tradecraft.
Why using python for building malware?
Lesson learn and consideration.
as presented in PyCon ID 2021 (05/12/2021)
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
This session is a practical guide for a rapid prototyping of ATT&CK-based analytics – from technique to detection.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Every time you look around some company or government organization is spouting out some huge number of “cyber-attacks” to their network every day. By no means is it easy, but could it be that there is a little exaggeration of the actuality of the encounters? There is surely a misconception in reporting and the understanding of the attack itself and how organizations account for them. There are “attacks” like port scanning and brute force attempting all across the internet and all hours of the day. Spreading awareness about them will inform the public on just how “intense” these attacks are. To demonstrate this, I bought a nice attractive domain and coupled it with a honey-pot and let the fun begin.
Billions & Billions of Logs
This talk was intended for the 2017 Sans ThreatHunting Summit and 2017 x33fcon. Unfortunately I was unable to attend either.
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Philippe Langlois, Verizon and Joshua Franklin, CIS
Red Team Methodology - A Naked Look
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privileges escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Bsides Long Island 2019
Threat hunting is an approach to security that assumes compromise and actively searches a network for signs of attackers without relying on alerts. It involves defining hypotheses about potential attacker behaviors, collecting relevant log and process data from systems, and analyzing that data through rules, signatures, and frequency analysis to identify anomalous activity. Several example hunts were described, including searching for unusual processes, persistence mechanisms, and lateral movement using event logs. Frequency analysis and heuristics can be used to analyze the data and detect outliers.
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Executing adversary simulations in properly monitored environments allows defenders to test and enhance their detection capabilities. Unfortunately, red & purple team engagements cannot be executed too often. This talk will describe the benefits of blue team led simulations by dissecting common red team techniques, show how they can be detected and release a new tool to simulate them.
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
Windows Threat Hunting
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
Python-Assisted Red-Teaming Operation
Slide yang kupresentasikan di PyCon 2019 (Surabaya, 23/11/2019)
Red-Teaming is a simulation of real world hacking against organization. It has little to no limit of time, location, and method to attack. Only results matter. This talk gives insight about how “hacker” works and how python can be used for sophisticated series of attack.
Security by Weston Hecker
There has been a Ransomware explosion the last 6 years and there have been very little done to stop infections aside from deprecated signature scans and classic malware scanner. Weston will go over a couple proof of concepts that work on even the most current versions of the malware stop from fully infecting the machines that would otherwise be infected with malware that demands 1000s of dollars in some instances. Weston will go over several methods of making your system immune to attacks from ransomware many of them were discovered from actually reverse engineering the malware early this year. Weston will also go over several open source tools to test your environments impact from malware such as Cryptowall and several tools both software and hardware that can protect your systems from malware infecting even methods of abusing the payment gateway system to allow you to get more than one file unlocked for free and Weston will also go into the research about breaking the encryption based on the outputted encrypted files.
Client-Side Penetration Testing Presentation
Full Scope Security
Client-Side Penetration Testing presentation from SOURCE Boston/NotACon/ChicagoCon
Avalanche Disclosure
The document discusses the results of analyzing over 15,000 iOS finance apps. Several common security issues were found, including hardcoded credentials in 4% of apps that could give access to user data and backend systems. Tests revealed unencrypted private keys, authentication secrets, and development environment details. Many apps also contained SMS gateway configurations and open VPN profiles.
PurpleSharp BlackHat Arsenal Asia
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
ArcherySec is an opensource vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. ArcherySec uses popular opensource tools to perform comprehensive scanning for web applications and networks. It also supports multiple continuous integrations and continuous delivery software. The developers could utilize this tool for the implementation of vulnerability management in the DevOps CI/CD environment.
- Perform Web and Network Vulnerability Scanning using opensource tools.
- Correlates and Collaborate all raw scans data, shows them in a consolidated manner.
- Perform authenticated web scanning.
- Vulnerability Management.
- Enable REST API's for developers to perform scanning and Vulnerability Management.
- JIRA Ticketing System.
- Sub domain discovery and scanning.
- Periodic scans.
- Concurrent scans.
- Integrate with CI/CD software.
More Related Content
What's hot
Detection and Response Roles
The document defines and provides an overview of different roles involved in detection and response, including threat intelligence analysts, threat researchers, detection engineers, investigators, and incident handlers. It describes the key activities and responsibilities of each role, as well as the typical inputs and outputs. It also provides examples of how these roles may be organized and staffed in a financial company's security operations center.
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
This document discusses integrating MITRE ATT&CK intelligence into Logstash plugins to provide security analysts with more context about threats. It covers writing plugins to extract relevant data from logs and map detections to MITRE tactics and techniques. When data is missing, the plugin uses other intelligence sources to infer classifications. The document demonstrates connecting Logstash pipelines to leverage parsing and enrichment, and shows tools for viewing and debugging pipeline configurations.
Hacking Web Apps by Brent White
Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, We’ll go over the different stages of a web application pen test, from start to finish. We’ll start with tools used during the discovery phase to utilize OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of targets “footprint”, automated scanners and their use, all the way to manual testing and tools used for fuzzing parameters to find potential SQL injection vulnerabilities. We’ll also discuss pro-tips and tricks that we use while conducting a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps.
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
Unit 42 researches threat activity and publishes detailed reports on attack campaigns launched by these adversaries. One of these adversaries, known as Sofacy, has been carrying out attack campaigns on high profile targets for many years and has continued into 2018.
To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents, "Adversary Playbooks" as they contain our best approximation of how the adversary launches their attacks.
This talk describes the concept of Adversary Playbooks, as well as provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.
Creating Your Own Threat Intel Through Hunting & Visualization
The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments.
In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence:
http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?
Malware for Red Team
Designing Malware for Modern Red Team and Adversary Tradecraft.
Why using python for building malware?
Lesson learn and consideration.
as presented in PyCon ID 2021 (05/12/2021)
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
This session is a practical guide for a rapid prototyping of ATT&CK-based analytics – from technique to detection.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Every time you look around some company or government organization is spouting out some huge number of “cyber-attacks” to their network every day. By no means is it easy, but could it be that there is a little exaggeration of the actuality of the encounters? There is surely a misconception in reporting and the understanding of the attack itself and how organizations account for them. There are “attacks” like port scanning and brute force attempting all across the internet and all hours of the day. Spreading awareness about them will inform the public on just how “intense” these attacks are. To demonstrate this, I bought a nice attractive domain and coupled it with a honey-pot and let the fun begin.
Billions & Billions of Logs
This talk was intended for the 2017 Sans ThreatHunting Summit and 2017 x33fcon. Unfortunately I was unable to attend either.
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Philippe Langlois, Verizon and Joshua Franklin, CIS
Red Team Methodology - A Naked Look
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privileges escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Bsides Long Island 2019
Threat hunting is an approach to security that assumes compromise and actively searches a network for signs of attackers without relying on alerts. It involves defining hypotheses about potential attacker behaviors, collecting relevant log and process data from systems, and analyzing that data through rules, signatures, and frequency analysis to identify anomalous activity. Several example hunts were described, including searching for unusual processes, persistence mechanisms, and lateral movement using event logs. Frequency analysis and heuristics can be used to analyze the data and detect outliers.
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Executing adversary simulations in properly monitored environments allows defenders to test and enhance their detection capabilities. Unfortunately, red & purple team engagements cannot be executed too often. This talk will describe the benefits of blue team led simulations by dissecting common red team techniques, show how they can be detected and release a new tool to simulate them.
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
Windows Threat Hunting
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
Python-Assisted Red-Teaming Operation
Slide yang kupresentasikan di PyCon 2019 (Surabaya, 23/11/2019)
Red-Teaming is a simulation of real world hacking against organization. It has little to no limit of time, location, and method to attack. Only results matter. This talk gives insight about how “hacker” works and how python can be used for sophisticated series of attack.
Security by Weston Hecker
There has been a Ransomware explosion the last 6 years and there have been very little done to stop infections aside from deprecated signature scans and classic malware scanner. Weston will go over a couple proof of concepts that work on even the most current versions of the malware stop from fully infecting the machines that would otherwise be infected with malware that demands 1000s of dollars in some instances. Weston will go over several methods of making your system immune to attacks from ransomware many of them were discovered from actually reverse engineering the malware early this year. Weston will also go over several open source tools to test your environments impact from malware such as Cryptowall and several tools both software and hardware that can protect your systems from malware infecting even methods of abusing the payment gateway system to allow you to get more than one file unlocked for free and Weston will also go into the research about breaking the encryption based on the outputted encrypted files.
Client-Side Penetration Testing Presentation
Full Scope Security
Client-Side Penetration Testing presentation from SOURCE Boston/NotACon/ChicagoCon
Avalanche Disclosure
The document discusses the results of analyzing over 15,000 iOS finance apps. Several common security issues were found, including hardcoded credentials in 4% of apps that could give access to user data and backend systems. Tests revealed unencrypted private keys, authentication secrets, and development environment details. Many apps also contained SMS gateway configurations and open VPN profiles.
What's hot (20)
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Similar to BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
PurpleSharp BlackHat Arsenal Asia
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
ArcherySec is an opensource vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. ArcherySec uses popular opensource tools to perform comprehensive scanning for web applications and networks. It also supports multiple continuous integrations and continuous delivery software. The developers could utilize this tool for the implementation of vulnerability management in the DevOps CI/CD environment.
- Perform Web and Network Vulnerability Scanning using opensource tools.
- Correlates and Collaborate all raw scans data, shows them in a consolidated manner.
- Perform authenticated web scanning.
- Vulnerability Management.
- Enable REST API's for developers to perform scanning and Vulnerability Management.
- JIRA Ticketing System.
- Sub domain discovery and scanning.
- Periodic scans.
- Concurrent scans.
- Integrate with CI/CD software.
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
This document discusses improving the communication of malware analysis by providing reproducible analyses using the malware itself. It proposes supplementing written analyses with demonstrations that instrument the malware. As a case study, it analyzes a piece of POS malware called JackPOS. The document describes setting up the malware's command and control infrastructure and memory scraping functionality. It concludes by demonstrating how to instrument the malware using Python scripts to trace its network communication and track data collection in a reproducible way.
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
This document discusses PurpleSharp, a tool for simulating cyber attacks within Active Directory environments. PurpleSharp executes adversary techniques listed in MITRE ATT&CK and generates telemetry to help detection teams build, test, and improve detection controls. The document outlines how PurpleSharp can be deployed remotely, impersonate users, vary techniques, and focus on Active Directory. It also advertises a library of pre-made JSON playbooks that simulate AD discovery, lateral movement, and purple teaming with PurpleSharp.
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
This document discusses improving the communication of malware analysis by supplementing written reports with demonstrations of the malware's capabilities. It presents a case study of instrumenting and demonstrating point-of-sale (POS) malware called JackPOS. Key points covered include setting up the malware's command and control infrastructure, instrumenting the malware's code to monitor its behavior, and demonstrating how it searches process memory for stolen credit card data. The goal is to make malware analysis more reproducible and educational for other analysts.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
On June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims Facebook and Google Drive accounts. After puzzling the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explaining how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.
Building Your Application Security Data Hub - OWASP AppSecUSA
One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers, Integrated Development Environments (IDEs), WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams is often strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually.
In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty Hunting
Presentation Given by Muhammad Khizer Javed at Qarshi university Lahore, Pakistan.
https;//whoami.securitybreached.org/
@KHIZER_JAEVD47
Real World NLP, ML, and Big Data
The document discusses various natural language processing and machine learning techniques including sentiment analysis, automated essay scoring, content summarization, chatbots, information retrieval, cluster analysis, language neural networks, and language translation. It provides examples and links to resources on topics like word embeddings, one-hot encoding, the curse of dimensionality, neural networks, and building chatbots. Key points discussed are ensuring applications allow for imperfect accuracy from models and that without data, no machine learning is possible.
Malware analysis _ Threat Intelligence Morocco
The document discusses two cyber threats that existed in Morocco:
1. A password info stealer malware that was responsible for 90% of attacks. Intelligence tracking detected around 180GB of leaked data related to Moroccan domains and personal information, and over 320 spammers were identified from the data with connections to Morocco.
2. An ATM dispense malware that was gathered from Moroccan internet service providers. Technical details about the ATM malware were presented, but not summarized.
The document ends by stating that preparations are being made for the "next war", but does not clarify the purpose of the two threats.
Best Ethical Hacking Training By Bhavesh Dewasi
This document discusses ethical hacking and penetration testing. It begins with an introduction to ethical hacking, which involves using the same tools as criminal hackers but legally and ethically to test an organization's security. It describes different types of hackers (white hat, black hat, grey hat) and their motivations. The document outlines the hacking process and skills needed to become an ethical hacker. It discusses advantages like improving security and disadvantages like cost. Finally, it stresses the importance of security awareness and keeping systems updated to protect against criminal hackers.
Adversary Emulation - DerpCon
Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations are covered. Adversary Emulations are end-to-end attacks against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
CansecWest2019: Infosec Frameworks for Misinformation
Talk given by Sara-Jayne Terp, Pablo Breuer at CanSecWest 2019 on information security frameworks for disinformation
Terp breuer misinfosecframeworks_cansecwest2019
The document discusses frameworks for analyzing misinformation from an information security perspective. It begins by describing the problem of misinformation and how it has evolved, then introduces a misinformation-focused version of the ATT&CK framework for mapping misinformation techniques. The framework is populated with historical misinformation examples and analytical approaches. The goal is to establish common languages and methods to better understand, track, and respond to misinformation operations.
Misinfosec frameworks Cansecwest 2019
The document discusses frameworks for analyzing misinformation from an information security perspective. It begins by describing the problem of misinformation and how it has evolved, then introduces a misinformation-focused version of the ATT&CK framework for mapping misinformation techniques. The framework is populated with real-world examples and analytical approaches. The goal is to establish common languages and methods for understanding, tracking, and responding to misinformation across different communities.
Shift Left Security
In the agile, lean, devops communities people talk about improving security by "shifting left". Patterns and tools are emerging, or re-emerging, that make security less of a pain in the development process while also making applications more secure.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
https://www.youtube.com/watch?v=7TVp4g4hkpg
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building new and testing existing detection capabilities will be constrained. Executing adversary simulations in monitored environments produces the telemetry that allows blue teams to identify gaps in visibility as well as build, test and enhance detection analytics.This presentation will describe a methodology to incorporate adversary simulation into detection programs as well as release a tool blue teams can use to test the resilience of detection controls
Sandbox vs manual malware analysis v1.1
The document discusses the differences between sandbox analysis and manual analysis of malware. Sandbox analysis uses virtual machines and cloud-based solutions to analyze malware, but may miss artifacts since malware can detect virtual environments. The author argues that manual analysis on bare-metal systems provides more complete artifacts and indicators. Manual analysis allows evaluating malware as it was intended by detonating it directly on hardware.
Blue team reboot - HackFest
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
Similar to BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team (20)
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
CansecWest2019: Infosec Frameworks for Misinformation
CansecWest2019: Infosec Frameworks for Misinformation
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
More from Mauricio Velazco
Detection-as-Code: Test Driven Detection Development.pdf
The document discusses detection-as-code and test driven development for threat detection. It introduces challenges in threat detection and the need for continuous improvement through detection engineering. It advocates applying principles from DevOps like test-driven development, version control systems, and automated workflows to improve security posture. Test driven development for detections requires the capability to replicate attacks to test detections.
BSides Panama 2022
Este documento presenta PurpleSharp, una herramienta en C# que simula técnicas de ataque para generar telemetría y mejorar los programas de detección de seguridad. PurpleSharp puede ejecutar técnicas de forma remota y flexible, variando parámetros y formas de ejecución. Esto permite probar la resiliencia de las detecciones existentes y crear nuevas. El documento también incluye demostraciones de cómo PurpleSharp puede simular el descubrimiento de dominio y movimiento lateral en una red de Active Directory.
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building new and testing existing detection capabilities will be constrained. PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility & detection strategies for AD-based attacks and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools.
LimaHack 2011 - Stuxnet : El arma del futuro
Stuxnet fue un gusano informático descubierto en 2010 que apuntaba a sistemas industriales de control Siemens S7 y era capaz de modificar la velocidad y presión de las centrífugas de enriquecimiento de uranio en Irán a través de la explotación de vulnerabilidades de Windows y Siemens. El gusano se propagaba a través de USB y redes compartidas e infectaba sistemas que tuvieran instalados software específico de Siemens. Su objetivo era sabotear el programa nuclear iraní mediante el daño f
Peruhack 2015 - Cyberespionaje de Naciones
Este documento describe varios grupos de ciberespionaje y sus tácticas, técnicas y procedimientos. Incluye detalles sobre operaciones de espionaje digital llevadas a cabo por gobiernos como Stuxnet, APT1 y ataques a OPM y Hacking Team. Explica cómo grupos como Dark Hotel, Codoso y Calc Team utilizan spear phishing, waterholing y exploits de día cero para infectar objetivos y exfiltrar información. Concluye que el ciberespionaje continuará implementando nuevas técnicas a medida que se
PeruHack 2014 - Post Explotacion en Entornos Windows
Este documento presenta técnicas de post explotación en entornos Windows. Explica cómo enumerar dominios activos, obtener hashes de contraseñas locales y de dominio, moverse lateralmente entre sistemas usando técnicas como Pass the Hash, y cómo escalar privilegios a administrador de dominio accediendo a la base de datos NTDS.DIT. El objetivo es proporcionar una introducción a las herramientas y técnicas disponibles para un atacante después de haber obtenido acceso inicial a una red Windows.
Limahack 2010 - Creando exploits para GNU/Linux
Este documento presenta una introducción a Mauricio Velazco, un consultor de seguridad y hacker ético. Explica vulnerabilidades comunes en Linux como desbordamientos de búfer y pila, e introduce conceptos como fuzzing y shellcode. Muestra ejemplos de cómo explotar fallos mediante el control del registro EIP y la inyección de código malicioso.
Limahack 2009 - SSL no esta roto ... o si ?
Este documento describe varios ataques contra el protocolo SSL, incluyendo SSLstrip y ataques de certificados falsos. Explica cómo SSLstrip funciona mediante el envenenamiento de tablas ARP para interceptar tráfico HTTPS y cómo los ataques de certificados falsos pueden aprovechar vulnerabilidades en la validación de nombres comunes en certificados.
Bsides Latam 2019
Este documento presenta sobre el estado actual del Blue Team, la ingeniería de detección y la cacería de amenazas. Resume que el Blue Team asume la violación y que la detección es más importante que la prevención. También resume herramientas como ATT&CK, PurpleSharp y Oriana que ayudan a simular adversarios y mejorar la detección mediante el análisis de frecuencia y la cacería de amenazas.
Defcon 27 - Writing custom backdoor payloads with C#
This workshop aims to provide attendees hands-on experience on writing custom backdoor payloads using C# for the most common command and control frameworks including Metasploit, Powershell Empire and Cobalt Strike. The workshop consists in 7 lab exercises; each of the exercises goes over a different technique that leverages C# and .NET capabilities to obtain a reverse shell on a victim Windows host. The covered techniques include raw shellcode injection, process injection, process hollowing, runtime compilation, parent pid spoofing, antivirus bypassing, etc. At the end of this workshop attendees will have a clear understanding of these techniques both from an attack and defense perspective.
https://www.defcon.org/html/defcon-27/dc-27-workshops.html
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
After obtaining an initial foothold on an environment, attackers are forced to embark in lateral movement techniques in order to be successful in identifying and exfiltrating sensitive information. To stay ahead of the bad guys, the Blue team needs to have a clear understanding of these techniques as well as the forensic artifacts these techniques leave behind on the victim hosts. Armed with this knowledge, we can proactively hunt for lateral movement in the environment before exfiltration can occur. This presentation will analyze Lateral Movement from both a Red and Blue team perspective and introduce Oriana, a lateral movement hunting tool that can assist the Blue team in catching the adversary.
LinuxWeek 2010 - Client Side Attacks
Este documento presenta información sobre ataques de lado del cliente y cómo los hackers pueden aprovechar vulnerabilidades en los clientes de red para acceder a redes internas. Explica que los ataques de ingeniería social dirigidos a usuarios son una forma efectiva de penetrar las defensas perimetrales ya que los usuarios a menudo tienen acceso a recursos valiosos en la red. También describe varias técnicas comunes como el phishing y el pharming que explotan vulnerabilidades en clientes para propagar malware y robar información.
More from Mauricio Velazco (13)
Detection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdf
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
PeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos Windows
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Recently uploaded
TrustArc Webinar - 2024 Global Privacy Survey
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
20240607 QFM018 Elixir Reading List May 2024
Everything I found interesting about the Elixir programming ecosystem in May 2024
Pushing the limits of ePRTC: 100ns holdover for 100 days
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Artificial Intelligence for XMLDevelopment
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Mind map of terminologies used in context of Generative AI
Mind map of common terms used in context of Generative AI.
20240605 QFM017 Machine Intelligence Reading List May 2024
Everything I found interesting about machines behaving intelligently during May 2024
Presentation of the OECD Artificial Intelligence Review of Germany
Consult the full report at https://www.oecd.org/digital/oecd-artificial-intelligence-review-of-germany-609808d6-en.htm
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications.
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Securing your Kubernetes cluster_ a step-by-step guide to success !
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Building RAG with self-deployed Milvus vector database and Snowpark Container...
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
ここ3000字までしか入らないけどタイトルの方がたくさん文字入ると思います。
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...Edge AI and Vision Alliance
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Recently uploaded (20)
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
- 1. Information Classification: General #BHUSA @BLACKHATEVENTS PurpleSharp: Adversary Simulation for the Blue Team Mauricio Velazco @mvelazco
- 2. Information Classification: General #BHUSA @BLACKHATEVENTS #whoami ▪ Arequipa, Peru ▪ Threat Management team lead @ Fortune500 ▪ @mvelazco ▪ Bsides (NY, Charm, LI) , Defcon, Derbycon ▪ https://github.com/mvelazc0
- 3. Information Classification: General #BHUSA @BLACKHATEVENTS The challenge
- 4. Information Classification: General #BHUSA @BLACKHATEVENTS The approach
- 5. Information Classification: General #BHUSA @BLACKHATEVENTS PurpleSharp ▪ Open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments following the ATT&CK MITRE Framework. ▪ Allows detection teams: • Build new detection analytics • Test existing detection analytics • Validate detection resiliency • Identify gaps in visibility • Identify issues with the event pipeline • Verify prevention controls
- 6. Information Classification: General #BHUSA @BLACKHATEVENTS Why PurpleSharp ? ▪ Simplicity ▪ Deploy remote simulations ▪ Credible simulations ▪ Randomness ▪ Attack variations
- 7. Information Classification: General #BHUSA @BLACKHATEVENTS PurpleSharp https://purplesharp.readthedocs.io
- 8. Information Classification: General #BHUSA @BLACKHATEVENTS Demos
- 9. Information Classification: General #BHUSA @BLACKHATEVENTS Demo 1: Execution & Persistence Execution (https://attack.mitre.org/tactics/TA0002/) ▪ Command and Scripting Interpreter: PowerShell (T1059.001) ▪ Command and Scripting Interpreter: Visual Basic (T1059.005) ▪ Scheduled Task/Job: Scheduled Task (T1053.005) Persistence (https://attack.mitre.org/tactics/TA0003/) ▪ Create or Modify System Process: Windows Service (T1543.003) ▪ Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
- 10. Information Classification: General #BHUSA @BLACKHATEVENTS Demo 1
- 11. Information Classification: General #BHUSA @BLACKHATEVENTS Demo 2: Discovery & Defense Evasion Discovery (https://attack.mitre.org/tactics/TA0007/) ▪ Network Share Discovery (T1135) ▪ Network Service Scanning (T1046) ▪ Account Discovery: Domain Account (T1087.002) Defense Evasion (https://attack.mitre.org/tactics/TA0005/) ▪ Process Injection: Portable Executable Injection (T1543.003) ▪ Indicator Removal on Host: Clear Windows Event Logs (T1070.001)
- 12. Information Classification: General #BHUSA @BLACKHATEVENTS Demo 2
- 13. Information Classification: General #BHUSA @BLACKHATEVENTS https://github.com/mvelazc0/PurpleSharp https://purplesharp.readthedocs.io/
- 14. Information Classification: General #BHUSA @BLACKHATEVENTS PurpleSharp: Adversary Simulation for the Blue Team Mauricio Velazco @mvelazco