BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations

•

0 likes•223 views

This document discusses PurpleSharp, a tool for simulating cyber attacks within Active Directory environments. PurpleSharp executes adversary techniques listed in MITRE ATT&CK and generates telemetry to help detection teams build, test, and improve detection controls. The document outlines how PurpleSharp can be deployed remotely, impersonate users, vary techniques, and focus on Active Directory. It also advertises a library of pre-made JSON playbooks that simulate AD discovery, lateral movement, and purple teaming with PurpleSharp.

Technology

PurpleSharp 2.0: Active Directory
Attack Simulations
Mauricio Velazco
@mvelazco
#BHUSA @BLACKHATEVENTS

#BHUSA @BLACKHATEVENTS
Agenda
■ Introduction
■ Enter PurpleSharp
■ Active Directory Attack Simulation Playbooks

#BHUSA @BLACKHATEVENTS
#whoami
■ Threat Research @ Splunk
■ @mvelazco
■ https://github.com/mvelazc0
Arequipa, Peru

#BHUSA @BLACKHATEVENTS
Detection engineers need the capability to
generate attack telemetry.

#BHUSA @BLACKHATEVENTS
Adversary Simulation
■ A requirement to write detection analytics
■ Unit and functional testing for detection engineering
■ End-to-end validation of detection posture

#BHUSA @BLACKHATEVENTS
■ Executes adversary techniques
within Windows AD environments
■ Follows MITRE ATT&CK (50+
supported)
■ C# -> NET, Win32 Api
Goal:
Generate attack telemetry that
enables detection teams to build, test
and enhance detection controls.
github.com/mvelazc0/PurpleSharp
www.purplesharp.com

#BHUSA @BLACKHATEVENTS
Enter PurpleSharp
■ Flexible
■ Remote simulation deployment
■ User impersonation
■ Technique variations
■ Active Directory focus

#BHUSA @BLACKHATEVENTS
Flexible
■ A single C# assembly
■ JSON simulation playbooks
■ Customizable technique parameters

#BHUSA @BLACKHATEVENTS
Remote Simulation Deployment
■ Leverages Windows native features
WMI, SMB & Named pipes.
■ Requirements
Network connectivity
Administrative credentials

#BHUSA @BLACKHATEVENTS
Remote Simulation Deployment
■ 3 modules instrument the
simulation: Orchestrator, Scout &
Simulator
■ They synchronize on simulation
details over named pipes using
serialized objects.
■ Similar to PsExec but using
Win32_process WMI class

#BHUSA @BLACKHATEVENTS
User impersonation
First approach:
DuplicateTokenEx
CreateProcessWithTokenW
ImpersonateLoggedOnUser

#BHUSA @BLACKHATEVENTS
User impersonation
■ Scout starts the Simulator as a child
process of explorer.exe using PPID
spooﬁng (T1134.004)
■ Simulation behavior runs under the
context of the logged user
■ Breaks process relationship between
the Scout and Simulator

#BHUSA @BLACKHATEVENTS
User impersonation

#BHUSA @BLACKHATEVENTS
Technique variations
■ Execute the same technique in
different variations
■ Attempt to bypass detection
■ Helps validate detection resilience
CreateRemoteServiceCmdline
T1059.001 - PowerShell

#BHUSA @BLACKHATEVENTS
Technique variations
CreateRemoteServiceCmdline
T1021.002 - Remote Services
#1: sc.exe to create a remote service
#2: CreateService to a create remote
service
#3: ChangeServiceConﬁg to modify an
existing service*
*Initial idea: github.com/Mr-Un1k0d3r/SCShell

#BHUSA @BLACKHATEVENTS
Technique variations
CreateRemoteServiceCmdline
T1110.003 - Password Spraying

#BHUSA @BLACKHATEVENTS
Active Directory focus
■ Techniques targeting AD are the
priority
■ Simulator is able to interact with AD
and domain members in the
context of the logged user
■ LDAP support for random target
selection ( no passwords required )
host_target_type & user_target_type

#BHUSA @BLACKHATEVENTS
Active Directory Attack Simulation
Playbooks

#BHUSA @BLACKHATEVENTS
Active Directory Discovery
■ Playbook #1: AD Discovery with
native tools
■ Playbook #2: AD Discovery with
PowerShell.exe
■ Playbook #3: AD Discovery with LDAP
queries
T1033 - System User Discovery
T1018 - Remote System Discovery
T1482 - Domain Trust Discovery
T1087.001 - Local Account Discovery
T1069.002 - Domain Group Discovery
T1087.001 - Local Account Discovery
T1087.002 - Domain Account Discovery
T1201 - Password Policy Discovery

#BHUSA @BLACKHATEVENTS
Lateral Movement
■ Playbook #1: Remote Service (T1021.002) & Scheduled Task (T1053)
Using Win32 Api CreateService and native binaries
■ Playbook #2: WMI (T1047) and WinRM (T1021.006)
Using the .NET libraries
■ Playbook #3: Remote Service (T1021.002)
Using Win32 Api ChangeServiceConﬁg

#BHUSA @BLACKHATEVENTS
Active Directory Purple Team Playbook
■ Library of ready-to-use JSON
playbooks for PurpleSharp
■ github.com/mvelazc0/PurpleAD/

#BHUSA @BLACKHATEVENTS
https://github.com/mvelazc0/PurpleSharp
www.purplesharp.com

Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building new and testing existing detection capabilities will be constrained. PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc

Defcon 27 - Writing custom backdoor payloads with C#

Mauricio Velazco

This workshop aims to provide attendees hands-on experience on writing custom backdoor payloads using C# for the most common command and control frameworks including Metasploit, Powershell Empire and Cobalt Strike. The workshop consists in 7 lab exercises; each of the exercises goes over a different technique that leverages C# and .NET capabilities to obtain a reverse shell on a victim Windows host. The covered techniques include raw shellcode injection, process injection, process hollowing, runtime compilation, parent pid spoofing, antivirus bypassing, etc. At the end of this workshop attendees will have a clear understanding of these techniques both from an attack and defense perspective. https://www.defcon.org/html/defcon-27/dc-27-workshops.html

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...

Mauricio Velazco

This document discusses techniques for hunting lateral movement using Windows event logs. It describes how attackers often need to move laterally within a network and the common methods they use. It then outlines specific Windows events and logon events that can help identify lateral movement, such as Kerberos authentication events, NTLM events, logon/logoff events, and events related to services, tasks, WMI, and WinRM. It presents examples of hunting queries to detect this suspicious activity. Finally, it introduces Oriana, a threat hunting tool the author created that leverages these event types to identify outliers and suspicious user and computer behavior that could indicate lateral movement.

Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...

Mauricio Velazco

https://www.youtube.com/watch?v=7TVp4g4hkpg Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building new and testing existing detection capabilities will be constrained. Executing adversary simulations in monitored environments produces the telemetry that allows blue teams to identify gaps in visibility as well as build, test and enhance detection analytics.This presentation will describe a methodology to incorporate adversary simulation into detection programs as well as release a tool blue teams can use to test the resilience of detection controls

Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...

Mauricio Velazco

Bsides Long Island 2019

Mauricio Velazco

Threat hunting is an approach to security that assumes compromise and actively searches a network for signs of attackers without relying on alerts. It involves defining hypotheses about potential attacker behaviors, collecting relevant log and process data from systems, and analyzing that data through rules, signatures, and frequency analysis to identify anomalous activity. Several example hunts were described, including searching for unusual processes, persistence mechanisms, and lateral movement using event logs. Frequency analysis and heuristics can be used to analyze the data and detect outliers.

SELinux Kernel Internals and Architecture - FOSS.IN/2005

James Morris

SELinux is a Linux security module that provides mandatory access controls. It labels important system objects like processes, files, and network packets. These labels contain security context information used by SELinux policies to enforce access rules between subjects and objects. The SELinux policy is compiled and loaded into the kernel, where Linux Security Modules hooks mediate critical operations according to the policy.

Bsides NYC 2018 - Hunting for Lateral Movement

Mauricio Velazco

This document discusses techniques for lateral movement that adversaries use to access and control remote systems on a network. It outlines various methods like exploiting vulnerabilities, abusing legitimate Windows features like Windows services, scheduled tasks, WMI, WinRM and DCOM. The document also discusses how blue teams can detect these techniques by monitoring authentication events, system events, object access logs, WMI activity and Windows remote management logs. It describes using tools like Oriana and frequency analysis to hunt for lateral movement indicators in Windows event logs collected via Windows Event Forwarding.

After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility & detection strategies for AD-based attacks and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools.

Defending Your Network

Adam Getchell

This document provides an overview of various tools for network defense and monitoring including OpenBSD, honeypots, intrusion detection systems, and email filtering. It discusses the goals of setting up a working honeypot using HOACD and IDS using OpenIDS. Details are provided on configuring and using OpenBSD, Honeyd, EtherApe, HOACD, OpenIDS, Snort, and MailDroid. Troubleshooting tips and additional resources for further exploration are also included.

Assume Compromise

Zach Grace

This document discusses moving beyond just prevention of cyber attacks and instead assuming that networks will be breached. It argues that protective technologies will inevitably fail and the focus should shift to detection of breaches. Red team assessments are suggested to shift from just finding vulnerabilities to acting as training partners for blue teams by providing indicators of compromise, attack signatures, and use cases to help improve detection capabilities. A pyramid of pain model is presented to show moving up from just tools to full tactics, techniques and procedures used by attackers.

BlueHat v18 || Linear time shellcode detection using state machines and opera...

BlueHat Security Conference

Aditya Joshi, Microsoft Abhishek Singh, Microsoft Shellcode detection is critical in the identification of persistent threats. Attackers employ them in exploitation, post-exploitation toolkits and macro-based malware routinely to evade detection. Our research also shows that shellcode in the wild are evolving to defeat many of the static analysis techniques employed to detect them. We will present a fast, platform agnostic approach (Windows/Linux) that been successful in detecting many real world shellcode compromises as part of the ASC Fileless attack feature (Process Investigator). Our approach employs state machines, virtual stack/register representation and operand expression heuristics to identify suspicious machine code patterns in milliseconds. We identify the basic heuristics that are commonly employed in shellcode. This allows us to be more robust against attackers that constantly evolve to thwart pure signature or byte stream sequence based approaches. Each instruction is passed to a series of activation functions that look for platform specific patterns generally needed in Stage 1 shellcode. As we process the stream of instructions we scan for hashing loops, in-segment/out-segment calls/jumps, current instruction pointer determination, system calls, locating system data structures, anti-debugging and anti-hooking behaviors in the machine code. We then correlate these findings to give a maliciousness score. We will deep dive into the concepts and demo obfuscated shellcodes.

Defcon 22-colby-moore-patrick-wardle-synack-drop cam

Priyanka Aash

This document describes how an implant could be developed for a Dropcam camera device. It begins by providing background on Dropcam and its capabilities. It then details steps taken to gain root access to the device, including exploiting vulnerabilities in Busybox and OpenSSL. Methods are proposed for persisting access, communicating with a C&C server, determining the device's location, and infecting hosts that view video from the Dropcam. The document concludes by conceptualizing how audio/video capture and injection of hooks could be implemented on the device and connected systems.

How Safe is your Link ?

Peter Hlavaty

As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old school heap specific exploiting is dying. And with each windows SP or new version, is harder to attack heap itself. Heap management adapt quickly and include new mittigation techniques. But sometimes is better to rethink the idea of mittigation and do this technique properly even half version of it will cover all known heap exploit techniques…

'Malware Analysis' by PP Singh

Bipin Upadhyay

Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...

Ivan Piskunov

Алексей Старов - Как проводить киберраследования?

HackIT Ukraine

«Cybercrime» является особым направлением в области компьютерной безопасности и приватности. Это направление объединяет научные работы, которые исследуют различные сценарии атак или мошенничества, анализируют вредоносные экосистемы, обнаруживают злоумышленников и изучает их методы с целью разработки эффективных мер противодействия. В текущем докладе будут предоставлены рекомендации о том, как проводить киберрасследования, основываясь на примерах из наших работ и статей. Например, я расскажу о нашем масштабном исследовании вредоносных веб-оболочек и как мы смогли обнаружить жертв и нападающих по всему земному шару, а так же о том, как мы использовали навыки социальной инженерии, чтобы исследовать экосистему мошеннической технической поддержки, и многое другое. Моя цель состоит в том, чтобы заинтересовать научных исследователей и других представителей области ИБ в работе по направлению “Cybercrime”, в поиске различных путей предотвращения и расследования киберпреступлений. А также, показать, что подобные полезные исследования не всегда требует огромных ресурсов и сотрудничеств. Формат доклада: разговор в виде легкого семинара с элементами коллективного мозгового штурма (ноутбук не требуется). Мы рассмотрим 3 урока, из каждого выделяя полезные методы, инструменты и навыки. Язык: русский (с элементами английского).

AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay

INCIDE

SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...

EC-Council

In todays IT security world, we accept and embrace that the technology is constantly changing, we are very often still amazed at the rapid growth of the technology evolution and how it has far superseded beyond expectations, whilst thinking about the potential uses of this new technology we get excited and then it hits us! What about the security implications for our organization?? Holy Crap what did you say about SS7? In this presentation, Wayne will take you through some real live demonstrations of Network Crypto Hacking and Exploitation using the latest custom built, SWAT (Special Weapons and Technology) cyber-warfare hacking tools. To help us defend against the latest threats, that sends our risk rating scores off the chart? We do as we have always done! Research the threat viability, learn and deploy defense and mitigation options. For this very reason its imperative for us to stay up-to date with new emerging threats tactics.

Veil-PowerView - NovaHackers

VeilFramework

Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...

RootedCON

The document discusses various techniques for achieving persistence on a Windows system without administrator privileges. These include hijacking shell extensions and COM objects by modifying registry keys, taking advantage of globally unique identifiers (GUIDs) and paths stored in the registry. The document recommends hijacking extension handlers and using PowerShell to bypass restrictions when writing to the registry for stealthier persistence.

BlueHat v18 || The matrix has you - protecting linux using deception

BlueHat Security Conference

Ross Bevington, Microsoft In ‘The Matrix’ sentient machines subdue the population by developing a highly sophisticated simulation. High interaction honeypots are a lot like The Matrix, designed to convince an attacker to execute an attack so we can monitor them. But these honeypots are flawed! Attackers are continually adapting in order to evade our defenses - meaning that it’s often not enough to just set up a honeypot and watch the results roll in. Is a new approach better? Did you know that 40% of IaaS VMs in Azure are Linux? For Microsoft to protect itself and its customers Linux is a priority. At MSTIC we’ve developed a new type of Linux honeypot that allows us to deceive and control the behavior of an attacker. We are using this to understand the person behind the attack, examining them as they examine us. Using these techniques, we are able to better track the person behind the threat, build better protections and ultimately protect more Linux users - whether they are using Azure or not. In this presentation I’ll show some of the successes of running a Matrix like environment, failures where a glitch was spotted as well as deception approaches that could be applied to other domains. Finally I’ll show how easy it is to leverage Azure’s big data capabilities to build and ultimately query all this data at scale as well as how you can immediately reap the benefits of this work by connecting your Linux box to Azure Security Center.

A Distributed Malware Analysis System Cuckoo Sandbox

Andy Lee

This document describes a distributed malware analysis system using Cuckoo Sandbox. It discusses: 1) Cuckoo Sandbox is an open source automated malware analysis system that runs binary files in virtual machines to record behaviors like API calls, files created, registry access, and network traffic. 2) The motivation for a distributed system is that the computing power of a single machine is limited, causing performance bottlenecks for analyzing large numbers of samples. 3) The distributed Cuckoo system uses a master-worker architecture to assign analysis tasks to multiple worker nodes in parallel, reducing total analysis time and allowing the system to scale to more samples as hardware resources increase.

Advanced Weapons Training for the Empire

Jeremy Johnson

Csw2016 wang docker_escapetechnology

CanSecWest

This document summarizes Docker escape techniques. It begins with an overview of Docker and how it uses namespaces and control groups (cgroups) for isolation. It then discusses vulnerabilities in Docker from untrusted images and escaping namespaces to access the host or other containers. The main part describes the Docker escape technology, which involves getting a task structure handle, resetting its namespaces proxy to the initial namespace, and gaining root access on the host system by exploiting vulnerabilities or setting credentials. Example code is provided to switch the filesystem structure and namespace proxy to escape the container.

Internal Pentest: from z3r0 to h3r0

marcioalma

1000 to 0

Sunny Neo

The document discusses various techniques for Linux and Windows privilege escalation, including exploiting SUID/SGID files, sudo misconfigurations, weak folder permissions, PATH variables, symbolic links, unquoted service paths, DLL hijacking, and the "Hot Potato" technique combining NBNS spoofing, WPAD MITM, and HTTP-SMB relaying. It provides examples and references for further reading on exploiting common misconfigurations to gain elevated privileges on Linux and Windows systems. The presenter's goal is to raise awareness of typical issues rather than enable harm.

Di shen pacsec_final

PacSecJP

- The document discusses exploiting unconventional use-after-free (UAF) bugs in the Android kernel perf system to gain root privileges on Android devices. - It describes two UAF bugs, CVE-2016-6787 and CVE-2017-0403, that are difficult to exploit due to lack of control over freed objects and inability to achieve code execution. - Novel exploitation techniques are proposed, such as freezing threads to gain time to refill freed objects for CVE-2016-6787 and compromising the pipe subsystem to achieve arbitrary kernel writes for CVE-2017-0403.

Wielding a cortana

Will Schroeder

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

Gabriel Mathenge

What's hot

SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks

Mauricio Velazco

Defending Your Network

Adam Getchell

Assume Compromise

Zach Grace

BlueHat v18 || Linear time shellcode detection using state machines and opera...

BlueHat Security Conference

Defcon 22-colby-moore-patrick-wardle-synack-drop cam

Priyanka Aash

How Safe is your Link ?

Peter Hlavaty

'Malware Analysis' by PP Singh

Bipin Upadhyay

Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...

Ivan Piskunov

Алексей Старов - Как проводить киберраследования?

HackIT Ukraine

AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay

INCIDE

SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...

EC-Council

Veil-PowerView - NovaHackers

VeilFramework

Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...

RootedCON

BlueHat v18 || The matrix has you - protecting linux using deception

BlueHat Security Conference

A Distributed Malware Analysis System Cuckoo Sandbox

Andy Lee

Advanced Weapons Training for the Empire

Jeremy Johnson

Csw2016 wang docker_escapetechnology

CanSecWest

Internal Pentest: from z3r0 to h3r0

marcioalma

1000 to 0

Sunny Neo

Di shen pacsec_final

PacSecJP

What's hot (20)

SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks

Defending Your Network

Assume Compromise

BlueHat v18 || Linear time shellcode detection using state machines and opera...

Defcon 22-colby-moore-patrick-wardle-synack-drop cam

How Safe is your Link ?

'Malware Analysis' by PP Singh

Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...

Алексей Старов - Как проводить киберраследования?

AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay

SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...

Veil-PowerView - NovaHackers

Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...

BlueHat v18 || The matrix has you - protecting linux using deception

A Distributed Malware Analysis System Cuckoo Sandbox

Advanced Weapons Training for the Empire

Csw2016 wang docker_escapetechnology

Internal Pentest: from z3r0 to h3r0

1000 to 0

Di shen pacsec_final

Similar to BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations

Wielding a cortana

Will Schroeder

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

Gabriel Mathenge

Penetration Testing and Intrusion Detection System

Bikrant Gautam

This document provides an overview of penetration testing techniques, including forms of cyber attacks like buffer overflows and SQL injection. It discusses using Metasploit and other commercial tools like Canvas to conduct network penetration testing. It also covers post-exploitation techniques such as password cracking, privilege escalation, and data exfiltration. The goal of a penetration test is to simulate a real attack to evaluate system defenses and identify vulnerabilities.

EMBA - Firmware analysis - Black Hat Arsenal USA 2022

MichaelM85042

IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is the open-source firmware scanner, created by penetration testers for penetration testers. Project page: https://github.com/e-m-b-a/emba Conference page: https://www.blackhat.com/us-22/arsenal/schedule/index.html#emba--open-source-firmware-security-testing-26596

How to measure your security response readiness?

Tomasz Jakubowski

This presentation will introduce the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks. By working through 4 different practical scenarios in a fictional company https://sensenet-library.com, the attendees will learn how they can use those frameworks to measure their security response in today's diverse security threat landscape. We'll go through categorising security controls, responding to a vulnerability report, assessing a threat intel report and decide on future of the company's toolset where you will be able to answer a question if you should continue investing in a tool or should you buy a new one.

Applied machine learning defeating modern malicious documents

Priyanka Aash

A common tactic adopted by attackers for initial exploitation is the use of malicious code embedded in Microsoft Office documents. This attack vector is not new, but attackers are still having success. This session will dive into the details of these techniques, introduce some machine learning approaches to analyze and detect these attempts, and explore the output in Elasticsearch and Kibana. (Source : RSA Conference USA 2017)

From P0W3R to SH3LL

Arthur Paixão

This document provides an overview of using PowerShell for offensive security purposes. It discusses PowerShell syntax, common commands, and various open source tools and frameworks like PowerSploit, Empire, BloodHound, and Nishang that can be used for tasks like reconnaissance, gaining access, maintaining access, and privilege escalation on Windows systems. The document also provides examples of using PowerShell to bypass execution policies and obfuscate scripts to avoid detection.

Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits

Harsh Bothra

The process of penetration testing starts with the "Reconnaissance Phase". This phase, if performed carefully, always provides a winning situation. However, Often in the application security and bug bounty hunting, recon is mapped to finding some assets and uncovering hidden endpoints only & is somewhat under-utilized. Recon is the most crucial thing in application security and bug bounties which always keeps you separated from a competing crowd and gives easy wins. In "Weaponizing Recon - Weaponizing Recon - Shamshing Applications for Security Vulnerabilities & Profit", will cover the deepest and most interesting recon methodologies to be one step ahead of your competition and how to utilize the tools and publicly available information to map your attack surface & maximize the profit. During the talk, we will cover: 1. Introduction to Recon 2. Basic Recon 101 3. Mapping Attack Surface with Basic Recon 4. Weaponizing Recon to Hit Attack Surface 5. Recon Hacks 101 6. Practical Offensive Recon 7. Automating Recon for Profit 8. Finding Vulnerabilities with Recon 9. Creating your own Recon Map 10. Practical Examples & Demonstrations

I hunt sys admins 2.0

Will Schroeder

This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.

Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon

Sanjiv Kawa

C#Web Sec Oct27 2010 Final

Rich Helton

This document summarizes a C# web security class presentation from October 2010. It introduces various types of web attacks like SQL injection and cross-site scripting. It provides examples of vulnerable practice websites like Hackme Bank and Hackme Books to demonstrate SQL injection. It also lists resources for web security checklists, tools for scanning websites, and anonymization techniques. Common fixes for SQL injection like using stored procedures and parameterized queries are also discussed.

Intrusion Techniques

Festival Software Livre

Adversary Emulation and Cracking The Bridge – Overview EMERSON EDUARDO RODRIGUES

EMERSON EDUARDO RODRIGUES

This document provides an overview of adversary emulation and the Cracking The Bridge framework. It includes definitions and concepts related to adversary emulation, links to resources on the topic, and descriptions of tools that can be used for tasks involved in adversary emulation like reconnaissance, exploitation, and lateral movement. The document is intended as an introduction and guide to implementing adversary emulation programs and exercises.

PurpleSharp BlackHat Arsenal Asia

Mauricio Velazco

Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task. PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.

SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx

JasonOstrom1

The document discusses Purple Teaming and infrastructure as code (IaC) tools for security simulation labs. It introduces BlueCloud and PurpleCloud simulation labs, with BlueCloud being a single Windows host lab for adversary simulation and PurpleCloud being an open-source tool that automates the creation of labs in Azure, including labs with Azure Active Directory and a detection engineering focus. Purple Teaming is described as Red and Blue teams collaborating to improve defenses through adversary emulations. IaC tools like Terraform and Pulumi are discussed for provisioning lab infrastructure.

Owning computers without shell access dark

Royce Davis

Reverse Engineering Malware - A Practical Guide

intertelinvestigations

The document discusses challenges in malware analysis and describes a system for automated static malware analysis. It outlines techniques for capturing malware, disassembling malware binaries, resolving obfuscated API calls, and handling obfuscation techniques used by malware authors to evade analysis. The system aims to unpack malware, recover the original program structure, and produce a higher-level representation to facilitate understanding the malware's purpose and functionality.

ADVERSARY EMULATION MATRIX by Joas EMERSON EDUARDO RODRIGUES

EMERSON EDUARDO RODRIGUES

The Veil-Framework

VeilFramework

Mapping Detection Coverage

Jared Atkinson

In this presentation, Jared Atkinson and Jonathan Johnson discuss the problem that many security professionals are facing today. How exactly do I know if my detection will actually detect the thing I want to detect? We discuss the importance of testing telemetry coverage and using abstraction to build a representative sample set of Atomic tests to validate detection coverage. Scripts used in presentation can be found below: Process Access: https://gist.github.com/jaredcatkinson/9c7a1af2261a752432230a4148ecfe02 Process Read: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1

Similar to BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations (20)

Wielding a cortana

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

Penetration Testing and Intrusion Detection System

EMBA - Firmware analysis - Black Hat Arsenal USA 2022

How to measure your security response readiness?

Applied machine learning defeating modern malicious documents

From P0W3R to SH3LL

Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits

I hunt sys admins 2.0

Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon

C#Web Sec Oct27 2010 Final

Intrusion Techniques

Adversary Emulation and Cracking The Bridge – Overview EMERSON EDUARDO RODRIGUES

PurpleSharp BlackHat Arsenal Asia

SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx

Owning computers without shell access dark

Reverse Engineering Malware - A Practical Guide

ADVERSARY EMULATION MATRIX by Joas EMERSON EDUARDO RODRIGUES

The Veil-Framework

Mapping Detection Coverage

More from Mauricio Velazco

Detection-as-Code: Test Driven Detection Development.pdf

Mauricio Velazco

The document discusses detection-as-code and test driven development for threat detection. It introduces challenges in threat detection and the need for continuous improvement through detection engineering. It advocates applying principles from DevOps like test-driven development, version control systems, and automated workflows to improve security posture. Test driven development for detections requires the capability to replicate attacks to test detections.

BSides Panama 2022

Mauricio Velazco

Este documento presenta PurpleSharp, una herramienta en C# que simula técnicas de ataque para generar telemetría y mejorar los programas de detección de seguridad. PurpleSharp puede ejecutar técnicas de forma remota y flexible, variando parámetros y formas de ejecución. Esto permite probar la resiliencia de las detecciones existentes y crear nuevas. El documento también incluye demostraciones de cómo PurpleSharp puede simular el descubrimiento de dominio y movimiento lateral en una red de Active Directory.

Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...

Mauricio Velazco

Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308 Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4 Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.

BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team

Mauricio Velazco

This document discusses PurpleSharp, an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments following the ATT&CK MITRE Framework. PurpleSharp allows detection teams to build and test detection analytics, validate detection resiliency, identify gaps in visibility, verify prevention controls, and more. The document provides information on what PurpleSharp is, why it is useful, and how to access it from GitHub or its documentation site. It also previews two demos of PurpleSharp techniques for execution/persistence and discovery/defense evasion.

LimaHack 2011 - Stuxnet : El arma del futuro

Mauricio Velazco

Stuxnet fue un gusano informático descubierto en 2010 que apuntaba a sistemas industriales de control Siemens S7 y era capaz de modificar la velocidad y presión de las centrífugas de enriquecimiento de uranio en Irán a través de la explotación de vulnerabilidades de Windows y Siemens. El gusano se propagaba a través de USB y redes compartidas e infectaba sistemas que tuvieran instalados software específico de Siemens. Su objetivo era sabotear el programa nuclear iraní mediante el daño f

Peruhack 2015 - Cyberespionaje de Naciones

Mauricio Velazco

Este documento describe varios grupos de ciberespionaje y sus tácticas, técnicas y procedimientos. Incluye detalles sobre operaciones de espionaje digital llevadas a cabo por gobiernos como Stuxnet, APT1 y ataques a OPM y Hacking Team. Explica cómo grupos como Dark Hotel, Codoso y Calc Team utilizan spear phishing, waterholing y exploits de día cero para infectar objetivos y exfiltrar información. Concluye que el ciberespionaje continuará implementando nuevas técnicas a medida que se

PeruHack 2014 - Post Explotacion en Entornos Windows

Mauricio Velazco

Este documento presenta técnicas de post explotación en entornos Windows. Explica cómo enumerar dominios activos, obtener hashes de contraseñas locales y de dominio, moverse lateralmente entre sistemas usando técnicas como Pass the Hash, y cómo escalar privilegios a administrador de dominio accediendo a la base de datos NTDS.DIT. El objetivo es proporcionar una introducción a las herramientas y técnicas disponibles para un atacante después de haber obtenido acceso inicial a una red Windows.

Limahack 2010 - Creando exploits para GNU/Linux

Mauricio Velazco

Limahack 2009 - SSL no esta roto ... o si ?

Mauricio Velazco

Bsides Latam 2019

Mauricio Velazco

Este documento presenta sobre el estado actual del Blue Team, la ingeniería de detección y la cacería de amenazas. Resume que el Blue Team asume la violación y que la detección es más importante que la prevención. También resume herramientas como ATT&CK, PurpleSharp y Oriana que ayudan a simular adversarios y mejorar la detección mediante el análisis de frecuencia y la cacería de amenazas.

ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...

Mauricio Velazco

Attack2jira is a tool that leverages JIRA's API and the ATTACK-Python-Client library to automate the process of setting up a JIRA project for tracking and measuring coverage of ATT&CK techniques. It creates a JIRA project with custom fields for URLs, tactics, and maturity levels. Then it creates a JIRA issue for each ATT&CK technique to interface collaboration on work logging, documentation, and comments while providing basic reporting.

Derbycon 2017: Hunting Lateral Movement For Fun & Profit

Mauricio Velazco

After obtaining an initial foothold on an environment, attackers are forced to embark in lateral movement techniques in order to be successful in identifying and exfiltrating sensitive information. To stay ahead of the bad guys, the Blue team needs to have a clear understanding of these techniques as well as the forensic artifacts these techniques leave behind on the victim hosts. Armed with this knowledge, we can proactively hunt for lateral movement in the environment before exfiltration can occur. This presentation will analyze Lateral Movement from both a Red and Blue team perspective and introduce Oriana, a lateral movement hunting tool that can assist the Blue team in catching the adversary.

LinuxWeek 2010 - Client Side Attacks

Mauricio Velazco

Este documento presenta información sobre ataques de lado del cliente y cómo los hackers pueden aprovechar vulnerabilidades en los clientes de red para acceder a redes internas. Explica que los ataques de ingeniería social dirigidos a usuarios son una forma efectiva de penetrar las defensas perimetrales ya que los usuarios a menudo tienen acceso a recursos valiosos en la red. También describe varias técnicas comunes como el phishing y el pharming que explotan vulnerabilidades en clientes para propagar malware y robar información.

More from Mauricio Velazco (13)

Detection-as-Code: Test Driven Detection Development.pdf

BSides Panama 2022

Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...

BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team

LimaHack 2011 - Stuxnet : El arma del futuro

Peruhack 2015 - Cyberespionaje de Naciones

PeruHack 2014 - Post Explotacion en Entornos Windows

Limahack 2010 - Creando exploits para GNU/Linux

Limahack 2009 - SSL no esta roto ... o si ?

Bsides Latam 2019

ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...

Derbycon 2017: Hunting Lateral Movement For Fun & Profit

LinuxWeek 2010 - Client Side Attacks

Recently uploaded

Data structures and Algorithms in Python.pdf

TIPNGVN2

DevOps and Testing slides at DASA Connect

Kari Kakkonen

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Large Language Model (LLM) and it’s Geospatial Applications

Rohit Gautam

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

RESUME BUILDER APPLICATION Project for students

KAMESHS29

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Full-RAG: A modern architecture for hyper-personalization

Zilliz

Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Malak Abu Hammad

Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers: * What is Vector Search? * Importance and benefits of vector search * Practical use cases across various industries * Step-by-step implementation guide * Live demos with code snippets * Enhancing LLM capabilities with vector search * Best practices and optimization strategies Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications. #MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

Recently uploaded (20)

Data structures and Algorithms in Python.pdf

DevOps and Testing slides at DASA Connect

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Essentials of Automations: The Art of Triggers and Actions in FME

Large Language Model (LLM) and it’s Geospatial Applications

Securing your Kubernetes cluster_ a step-by-step guide to success !

RESUME BUILDER APPLICATION Project for students

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

Video Streaming: Then, Now, and in the Future

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Artificial Intelligence for XMLDevelopment

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Full-RAG: A modern architecture for hyper-personalization

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Monitoring Java Application Security with JDK Tools and JFR Events

20240609 QFM020 Irresponsible AI Reading List May 2024

How to Get CNIC Information System with Paksim Ga.pptx

BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations

1. PurpleSharp 2.0: Active Directory Attack Simulations Mauricio Velazco @mvelazco #BHUSA @BLACKHATEVENTS

2. #BHUSA @BLACKHATEVENTS Agenda ■ Introduction ■ Enter PurpleSharp ■ Active Directory Attack Simulation Playbooks

3. #BHUSA @BLACKHATEVENTS Introduction

4. #BHUSA @BLACKHATEVENTS #whoami ■ Threat Research @ Splunk ■ @mvelazco ■ https://github.com/mvelazc0 Arequipa, Peru

5. #BHUSA @BLACKHATEVENTS Detection engineers need the capability to generate attack telemetry.

6. #BHUSA @BLACKHATEVENTS Adversary Simulation ■ A requirement to write detection analytics ■ Unit and functional testing for detection engineering ■ End-to-end validation of detection posture

7. #BHUSA @BLACKHATEVENTS PurpleSharp

8. #BHUSA @BLACKHATEVENTS ■ Executes adversary techniques within Windows AD environments ■ Follows MITRE ATT&CK (50+ supported) ■ C# -> NET, Win32 Api Goal: Generate attack telemetry that enables detection teams to build, test and enhance detection controls. github.com/mvelazc0/PurpleSharp www.purplesharp.com

9. #BHUSA @BLACKHATEVENTS Enter PurpleSharp ■ Flexible ■ Remote simulation deployment ■ User impersonation ■ Technique variations ■ Active Directory focus

10. #BHUSA @BLACKHATEVENTS Flexible ■ A single C# assembly ■ JSON simulation playbooks ■ Customizable technique parameters

11. #BHUSA @BLACKHATEVENTS Flexible

12. #BHUSA @BLACKHATEVENTS Remote Simulation Deployment ■ Leverages Windows native features WMI, SMB & Named pipes. ■ Requirements Network connectivity Administrative credentials

13. #BHUSA @BLACKHATEVENTS Remote Simulation Deployment ■ 3 modules instrument the simulation: Orchestrator, Scout & Simulator ■ They synchronize on simulation details over named pipes using serialized objects. ■ Similar to PsExec but using Win32_process WMI class

14. #BHUSA @BLACKHATEVENTS User impersonation First approach: DuplicateTokenEx CreateProcessWithTokenW ImpersonateLoggedOnUser

15. #BHUSA @BLACKHATEVENTS User impersonation ■ Scout starts the Simulator as a child process of explorer.exe using PPID spooﬁng (T1134.004) ■ Simulation behavior runs under the context of the logged user ■ Breaks process relationship between the Scout and Simulator

16. #BHUSA @BLACKHATEVENTS User impersonation

17. #BHUSA @BLACKHATEVENTS Technique variations ■ Execute the same technique in different variations ■ Attempt to bypass detection ■ Helps validate detection resilience CreateRemoteServiceCmdline T1059.001 - PowerShell

18. #BHUSA @BLACKHATEVENTS Technique variations CreateRemoteServiceCmdline T1021.002 - Remote Services #1: sc.exe to create a remote service #2: CreateService to a create remote service #3: ChangeServiceConﬁg to modify an existing service* *Initial idea: github.com/Mr-Un1k0d3r/SCShell

19. #BHUSA @BLACKHATEVENTS Technique variations CreateRemoteServiceCmdline T1110.003 - Password Spraying

20. #BHUSA @BLACKHATEVENTS Active Directory focus ■ Techniques targeting AD are the priority ■ Simulator is able to interact with AD and domain members in the context of the logged user ■ LDAP support for random target selection ( no passwords required ) host_target_type & user_target_type

21. #BHUSA @BLACKHATEVENTS Active Directory Attack Simulation Playbooks

22. #BHUSA @BLACKHATEVENTS Lab

23. #BHUSA @BLACKHATEVENTS Active Directory Discovery ■ Playbook #1: AD Discovery with native tools ■ Playbook #2: AD Discovery with PowerShell.exe ■ Playbook #3: AD Discovery with LDAP queries T1033 - System User Discovery T1018 - Remote System Discovery T1482 - Domain Trust Discovery T1087.001 - Local Account Discovery T1069.002 - Domain Group Discovery T1087.001 - Local Account Discovery T1087.002 - Domain Account Discovery T1201 - Password Policy Discovery

24. #BHUSA @BLACKHATEVENTS Lateral Movement ■ Playbook #1: Remote Service (T1021.002) & Scheduled Task (T1053) Using Win32 Api CreateService and native binaries ■ Playbook #2: WMI (T1047) and WinRM (T1021.006) Using the .NET libraries ■ Playbook #3: Remote Service (T1021.002) Using Win32 Api ChangeServiceConﬁg

25. #BHUSA @BLACKHATEVENTS Lateral Movement

26. #BHUSA @BLACKHATEVENTS Active Directory Purple Team Playbook ■ Library of ready-to-use JSON playbooks for PurpleSharp ■ github.com/mvelazc0/PurpleAD/

27. #BHUSA @BLACKHATEVENTS https://github.com/mvelazc0/PurpleSharp www.purplesharp.com

28. PurpleSharp 2.0: Active Directory Attack Simulations Mauricio Velazco @mvelazco #BHUSA @BLACKHATEVENTS

BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations

Similar to BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations (20)

More from Mauricio Velazco

More from Mauricio Velazco (13)

Recently uploaded

Recently uploaded (20)

BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations