BSides Rochester 2018: Lee Kagan: Red and Blue Ping Pong

•Download as PPTX, PDF•

0 likes•89 views

This document summarizes a talk about attacking and defending Windows systems. The talk covers how attackers can weaponize legitimate Windows tools like PowerShell, WMI, and Active Directory to conduct reconnaissance and execute malicious actions. It then discusses defensive techniques like Sysmon, Device Guard, and Group Policy Objects that can be used to detect and prevent such attacks. The talk includes a demo of red team techniques for lateral movement and privilege escalation, and how a blue team can detect those activities using defensive tools and logs. It concludes by mentioning additional Windows defenses that were not covered in detail.

Technology

IN THIS TALK
About us
1
Windows
for
attacking
2
Windows
for
defending
3
Demo
4
Worthwhile
Mentions
5

About Us
▶ Lee Kagan
▶ RedBlack Security
▶ @InvokeThreatGuy
▶ Adversary systems, Windows things,
▶ C2 design and tradecraft
▶ C3X co-creator
▶ Blog = invokethreat.actor
▶ Anton Ovrutsky
▶ Equitable Life Insurance
▶ @Antonlovesdnb
▶ Security generalist - defensive focus

Windows for
attacking
▶ Microsoft provides a lot
of options to weaponize
stuff
▶ Living off the land
▶ PowerShell, WMI, CIM,
WinRM, ActiveDirectory
▶ .NET & C#
▶ Trusted things!!!
▶ Mitre ATT&CK

▶ AD info via .NET
inside PowerShell
▶ AD OUs via ADSI
inside
PowerShell

▶ AD user info via
ADSI in
PowerShell to get
username,
display name,
UPN and CN

▶ PowerShell
remoting
▶ WMI remote
execution

▶ Show AV via WMI
in PowerShell
▶ Show OS info via
WMI in
PowerShell
▶ Show software
info via
PowerShell
▶ Show processor
info via WMI in
PowerShell

▶ Create registry run key via PowerShell

▶ Generating a self-signed code signing certificate (that we’ll steal and
then stamp our evil thing with)

▶ Sign our evil
file with the
stolen code
signing cert

Windows for
defending
▶ Sysmon
▶ Device Guard
▶ GPOs
▶ Windows 10 / Server 2016
▶ Advanced Threat
Analytics (ATA) /
Advanced Threat
Protection (ATP)
▶ You

LSASS Access – DotNetToJScript
@subTee
@tiraniddo
@gentilkiwi
@JohnLaTw

LSASS Access - Invoke-Mimikatz
@gentilkiwi @JosephBialek @JohnLaTw

Lateral Movement GPO
@jepayneMSFT @PyroTek3 @byt3bl33d3r

Demo Time
SETUP
• Domain joined
Windows 10 Desktop
• Local admin user
• Assumed breach /
post-exploitation
scenario
RED
• Start with PoSh web
download payload
• Process inject into
OneDrive and run
cmd.exe
• Inject into LSASS and
run mimikatz
• Encoded PoSh
• Reg key persistence
• Sign malware with
stolen signing info
• CScript to run
mimikatz as JS
• Beacon traffic
BLUE
• Injected threads
• Parent child relationships
• Suspect command line
• Authenticode mismatches
• Encoded posh
• Command line file content
• LSASS access
• Unmanaged posh
• Registry modifications
• Process network connections

Other Mentions
▶ Module and Transcript
Logging
▶ Script Block Logging
▶ Command Line Auditing
▶ Local Administrator
Password Solution (LAPS)
▶ Just Enough Admin (JEA)
▶ Privileged Access
Workstations (PAW)
▶ AppLocker
▶ Windows 10 / Server 2016
Logging Additions
▶ Credential Guard
▶ Application Guard
▶ Desired State Configuration
(DSC)
▶ Constrained Language Mode
(CLM)
▶ Windows Event Forwarding
(WEF)
▶ AMSI
▶ EMET
▶ ...so much more

Socket.io is a JavaScript library for real-time web applications. It enables real-time and bi-directional communication between web clients and servers. It transparently uses various transports like WebSocket, polling, and flash socket depending on client capabilities. It has features for authorization, timeouts, heartbeats, reconnection, and multiple sockets on the same connection. Socket.io can be used to build real-time applications involving websockets, like chat applications.

Browser Security by pratimesh Pathak ( Buldhana)

Pratimesh Pathak

Offensive Security with Metasploit

egypt

This document discusses Metasploit and modern cybersecurity attacks. It provides a brief history of exploitation from the Golden Era to the Modern Era. It then demonstrates how modern attacks use credentials obtained through tools like Mimikatz to conduct SMB relay attacks and achieve remote code execution. The document also discusses post-exploitation techniques like maintaining presence, achieving persistence, and pivoting. It concludes by offering some mitigation strategies like disabling WPAD, blocking SMB outbound traffic, requiring SMB signing, and implementing proper access controls and monitoring.

Post Metasploitation

egypt

This document discusses techniques for post-exploitation using Metasploit. It covers maintaining presence on a compromised system by examining users and processes. It also discusses achieving persistence through techniques like dropping executable files and modifying autoruns. Pivoting is covered as moving laterally such as relaying NTLM authentication or abusing trust relationships. Specific demonstrations are provided like exploiting an suid misconfiguration on Nmap or using a LNK file drop combined with SMB relay. The document emphasizes developing reliable and readable Metasploit modules to automate post-exploitation tasks.

OneID Garage Door

Jim Fenton

Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...

Security Bootcamp

The document discusses various approaches to mitigate DDoS attacks in 3 sentences or less: The document outlines different types of DDoS attacks and discusses implementing defense in depth across multiple network layers, including hardening operating systems, implementing firewalls and web application firewalls, caching, and using cloud-based mitigation services. Effective mitigation requires identifying vulnerable systems, monitoring logs, testing defenses, and having sufficient resources to handle large-scale attacks. While no single technique prevents all DDoS attacks, implementing layered defenses along with outsourcing to specialized services can help reduce vulnerabilities.

MongoDB Security Introduction - Presentation

Habilelabs

This document discusses 10 different ways to execute code remotely on Windows systems, including native Windows tools like Sysinternals PSExec, methods in Metasploit like PSExec and PSExec-MOF, and other techniques like WMI, PowerShell, and RemCom. Each method is briefly outlined with its positives and negatives. For example, PSExec leaves the PSEXESVC service running but never needs updating, while Metasploit PSExec supports pass-the-hash but some antiviruses may flag the service binary. The document provides an overview of common remote code execution options for pentesters and their relative tradeoffs.

Endpoint is not enough

Sumedt Jitpukdebodin

2023-May.pptx

mnaeemuetcs

This document summarizes an OWASP meeting that included discussion of phishing techniques. The meeting started at 7:05PM and included discussion of the Evilginx phishing framework. Evilginx is an open source man-in-the-middle attack framework that can bypass multifactor authentication by capturing session cookies. The document provided details on how Evilginx works, examples of its usage, and information on creating custom phishing templates ("phishlets") for targeting specific websites and applications.

ZKorum: Building the Next Generation eAgora powered by SSI

SSIMeetup

The immense potential unlocked by SSI in content-centric social networks (forums) is largely unaddressed by the recent wave of decentralized social networks. Enter ZKorum - a network of verifiable communities where members create anonymous polls and discussions. In this episode, Nicolas Gimenez, the Co-Founder and CTO of ZKorum, unveils the Alpha version and delves into its architecture, drawing inspiration from SSI, DWeb, and Password Managers.

Security Vulnerabilities: How to Defend Against Them

Martin Vigo

In recent years it became the norm to wake up to news about hackers, cyber attacks, ransom campaigns and NSA. Since 2003 the Open Web Application Security Project (OWASP) is the go-to reference to learn more about security vulnerabilities. OWASP published a list of the Top 10 most common security issues for Web. In this talk, we will review the list to learn the details and discuss how to harden and defend our Web applications from those vulnerabilities. If you care about your product and customer's data, want to become a better developer or are simply interested in the kind of cyber attacks delinquents use to compromise websites, this talk is for you.

Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure

MongoDB

Breaking the cyber kill chain!

Nahidul Kibria

apidays LIVE Australia 2021 - Levelling up database security by thinking in A...

apidays

Kealy OWASP interactive_artifacts

Frank Victory

Malware on workstations is annoying enough, but when an attacker accesses your systems using remote desktop or other interactive software, you feel down right violated. The presentation includes a technical dive into forensic artifacts generated during interactive logon sessions with multiple examples from real-life investigations. The presentation covers well known artifacts including MuiCache, UserAssist, and Windows Recycler, but also explores lesser known artifacts including the RDP Bitmap Cache, the Windows 10 Timeline, and Jumplists. Speaker Bio: Phillip Kealy is the Senior Manager for Incident Response for the Mandiant Denver and Phoenix offices and provides emergency services to clients when a security breach occurs. With over 15 years of experience in both private and public sector environments, Mr. Kealy has a background in incident response, security architecture, and networking

DrupalCamp London 2017 - Web site insecurity

George Boobyer

Common threats to web security with real world case studies of compromised sites, - A 'dissection' of a typical common exploit tool and how it operates, - Simple approaches to mitigating common threats/vulnerabilities, - Defence in depth – an overview of the various components of web security, - Drupal specific measures that standard penetration testing often does not account for. An overview of how to benefit from: - Security monitoring and log analysis - Intrusion Detection Systems & Firewalls - Security headers and Content Security Policies (CSP). see Drupal Camp London for full details: http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it

Secure Software: Action, Comedy or Drama? (2017 edition)

Peter Sabev

Gartner Security & Risk Management Summit 2018

Paula Januszkiewicz

Percona Live 2021 - MongoDB Security Features

Jean Da Silva

When we speak about security, the actual reality is that companies need to comply with multiples frameworks and regulations, and assessing which rules apply to each organization is no easy feat. Over the talk, we will revisit the security feature we can implement in the #MongoDB environment. The aim is to provide further information on what you can use to help your company with future security implementations. The topics presented will be: * Authentication * Authorization * TLS/SSL * External Authentication * Auditing * Log Redaction * Encryption – Data at Rest and Client Field Encryption. Speaker: Jean da Silva – Percona

Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...

Beau Bullock

Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk. Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment. What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools? This lecture will address these questions and more, including a showcase of attacker methodologies.

Achieving compliance With MongoDB Security

Mydbops

The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht

Asaf Hecht

In The Middle of Printers –The (In)Security of Pull Printing Solutions

SecuRing

Big corporations and financial institutions need secure pull printing services which guarantee a proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering - similar vulnerabilities have been found in multiple solutions which are exposed to breaking the encryption, collecting any prints from the server and printing at others' expense.

In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...

Jakub Kałużny

The document discusses security issues with pull printing solutions. It provides three examples of security assessments conducted on different vendor products. In the first example, the proprietary protocol was reverse engineered and vulnerabilities like weak encryption were found. The second vendor took security seriously and responded quickly to reported issues. The third example showed vulnerabilities like a lack of encryption that could allow print job tampering. The document emphasizes that pull printing solutions require thorough security testing.

BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...

JosephTesta9

BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...

JosephTesta9

This document discusses the history and modern state of HTTP cookies as a mechanism for web session persistence. It covers the evolution of cookie standards from the original Netscape specification to current RFCs. Key topics covered include cookie flows, same-origin policy implications for cookies, security issues like cross-site request forgery and cookie tampering, and alternative session management approaches like HTTP/2, local storage, and IndexedDB. The presenter is an expert in web security and standards with experience in consulting, research, and teaching.

Similar to BSides Rochester 2018: Lee Kagan: Red and Blue Ping Pong

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Chris Gates

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Rob Fuller

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Chris Gates

Endpoint is not enough

Sumedt Jitpukdebodin

2023-May.pptx

mnaeemuetcs

ZKorum: Building the Next Generation eAgora powered by SSI

SSIMeetup

Security Vulnerabilities: How to Defend Against Them

Martin Vigo

Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure

MongoDB

Breaking the cyber kill chain!

Nahidul Kibria

apidays LIVE Australia 2021 - Levelling up database security by thinking in A...

apidays

Kealy OWASP interactive_artifacts

Frank Victory

DrupalCamp London 2017 - Web site insecurity

George Boobyer

Secure Software: Action, Comedy or Drama? (2017 edition)

Peter Sabev

Gartner Security & Risk Management Summit 2018

Paula Januszkiewicz

Percona Live 2021 - MongoDB Security Features

Jean Da Silva

Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...

Beau Bullock

Achieving compliance With MongoDB Security

Mydbops

The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht

Asaf Hecht

In The Middle of Printers –The (In)Security of Pull Printing Solutions

SecuRing

In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...

Jakub Kałużny

Similar to BSides Rochester 2018: Lee Kagan: Red and Blue Ping Pong (20)

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Endpoint is not enough

2023-May.pptx

ZKorum: Building the Next Generation eAgora powered by SSI

Security Vulnerabilities: How to Defend Against Them

Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure

Breaking the cyber kill chain!

apidays LIVE Australia 2021 - Levelling up database security by thinking in A...

Kealy OWASP interactive_artifacts

DrupalCamp London 2017 - Web site insecurity

Secure Software: Action, Comedy or Drama? (2017 edition)

Gartner Security & Risk Management Summit 2018

Percona Live 2021 - MongoDB Security Features

Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...

Achieving compliance With MongoDB Security

The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht

In The Middle of Printers –The (In)Security of Pull Printing Solutions

In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...

More from JosephTesta9

BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...

JosephTesta9

BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...

JosephTesta9

BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...

JosephTesta9

This document summarizes Justin Moore's presentation on the AutoRepeater Burp Suite plugin. AutoRepeater automates authorization testing in Burp Suite by duplicating requests, modifying values like cookies and parameters, and resending the modified requests. It improves on existing authorization testing plugins by allowing multiple simultaneous modifications to requests and flexible conditional replacements. The demo shows how AutoRepeater can test every request as different users and without authentication parameters to help test authorization mistakes that could lead to vulnerabilities.

BSides Rochester 2018: Dave Kukfa: BinDbg: Easy Windows Debugging for Binary ...

JosephTesta9

BinDbg is a Binary Ninja plugin that allows users to debug Windows binaries by syncing a running Windows debugger (WinDbg) with the Binary Ninja disassembler. This provides dynamic analysis capabilities within Binary Ninja like highlighting branch decisions on the disassembly graph and resolving virtual function calls. The plugin launches and controls debugging sessions directly in Binary Ninja. It addresses a lack of good Windows support in existing debugger integrations for Binary Ninja. Developing the plugin involved challenges like wrestling with the Python debugger interface and determining object types from virtual tables.

BSides Rochester 2018: Timothy Duffy: Civic and Humanitarian Open Source

JosephTesta9

Timothy Duffy gave a presentation on civic and humanitarian open source projects. He began by defining key terms like hacker, open source, and civic hacking. He then discussed several civic hacking projects he has worked on or is involved with, including Motor City Mapping, RHoK The Hood, RocReport, Traffairious, YellR, and MonroeMinutes. He acknowledged organizations that do civic hacking work and provided ideas for future civic projects.

BSides Rochester 2018: Michael West: Sentry, Or: How I Learned To Stop Worryi...

JosephTesta9

Michael created a program called Sentry that automatically deletes or locks down a user's social media accounts and online presence if certain triggering events occur, such as a tweet going viral or containing a specific phrase. Sentry is designed to prevent doxing and unwanted attention on the internet by allowing users to quickly wipe their digital trails. It can integrate with services like Twitter, Cloudflare, and Pushover to change account settings or delete information according to rules defined in a configurable JSON file. The open source tool aims to offer alternatives to total social media abstinence or inaction when online safety is a concern.

BSides Rochester 2018: Jonathan Myers: IoT Malware Detection with Machine Lea...

JosephTesta9

This document summarizes a research project using machine learning to detect malware on IoT devices. The research team includes students and researchers from RIT departments. The goals are to protect consumer IoT devices from attacks like Mirai botnets. The proposed solution involves collecting IoT traffic, extracting features, analyzing the traffic with machine learning models, and generating firewall rules. Both supervised and unsupervised learning are discussed. The overall goal is to create an effective IDS/IPS system for IoT without needing frequent signature updates.

BSides Rochester 2018: Issa Hafiri & Christian Halbert: IOT Devices (And Why ...

JosephTesta9

- Many Internet of Things (IoT) devices have poor security which allows them to be easily hacked and taken over. This was demonstrated by the massive Mirai botnet which took advantage of insecure cameras and DVRs. - A cheap wall-mounted surveillance camera was analyzed and found to have cleartext credentials, communication with unauthenticated servers in China, and no protection against replay attacks or default credential abuse, making it trivial to hack. - A baby monitor camera was also found to have numerous open ports, a web interface that could be accessed without authentication, and exposed controls that could be manipulated without authentication, posing risks for privacy and device integrity. Many IoT devices have similar security flaws.

BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...

JosephTesta9

This document summarizes Esteban Rodriguez's talk on injecting keystrokes into plaintext protocols. It discusses how protocols like VNC, HippoRemote, and early versions of Synergy sent keystrokes in plaintext, allowing them to be intercepted using tools like Wireshark. It then demonstrates how intercepted keystrokes could be cracked, monitored, or injected using tools like Metasploit, custom Python scripts, and rogue Synergy servers implemented with Dissonance. Mitigations discussed include encrypting protocols with SSL and verifying server fingerprints. The overall message is that encryption is important and security research helps improve protocols.

BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...

JosephTesta9

This document discusses two open source tools for web application penetration testing: OWASP Code Pulse and Attack Surface Detector. OWASP Code Pulse provides real-time code coverage monitoring of black box testing by instrumenting server bytecode. It helps testers associate endpoints with application methods. Attack Surface Detector performs static code analysis to detect application endpoints, parameters, and parameter types, and imports this data into tools like Burp Suite. Both tools aim to improve test coverage, tuning, and communication by supplementing traditional black box testing.

BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...

JosephTesta9

This document summarizes Chris Partridge's work on scraping and analyzing DNS data to generate threat intelligence. It discusses scraping domain and DNS data at scale, analyzing it for anomalies, integrating threat intelligence, and limitations. The goal is to develop proactive threat intelligence by identifying relationships between domains, IPs, and known bad actors from DNS data and intelligence. Future work includes scaling up data collection, distributed analysis, and integrating findings into security tools.

BSides Rochester 2018: Anthony DiDonato: Virtualization Based Security

JosephTesta9

This document discusses virtualization based security (VBS) and its strengths and weaknesses. It begins with an introduction of the presenter and their experience. The presentation then covers malware attacks with and without VBS protection. It discusses how VBS uses hardware isolation through virtualization to contain threats in isolated environments. Examples of VBS solutions from Microsoft and Bromium are provided and demonstrated. The pros and cons of VBS are reviewed, noting that while it provides strong isolation of threats, knowledge gaps and existing infections can still allow some threats to persist.

More from JosephTesta9 (12)