Operational Security (OPSEC) is one of the most important aspects to consider in Adversary Simulations (usually called "Red Teaming"). When talking about OPSEC, it is common to think around matters like AV/EDR evasion, avoiding "noises" or using builtin/legitimate tools whenever is possible. In fact, the scope of the term OPSEC is usually wider than that.
OPSEC usually refers to the identification and protection of data that could be useful for an adversary. In Adversary Simulations, the adversary is the organisation's security team (Blue Team) and the goal is to improve their detection capabilities. This is why the maturity of an organisation should dictate the complexity required to carry out these operations, so that the objectives are met with the minimum effort, as it would do an attacker in real life.
For example, for experienced Blue Teams, the mere fact of using legitimate tools such as net.exe (e.g. “net users /domain”) or powershell.exe could be a reason for the whole operation to be discovered, whereas in other organisations or situations these same actions could remain completely unnoticed.
In this presentation we will discuss how you should review and understand your own toolset and procedures in order to gain OPSEC. We will comprehend how to deal with trade-offs, and why understanding your adversary is key in that matter. In addition, sources of detection (disk, memory, network...) and resources commonly employed by defenders (events, hooks, callbacks...) will be explained visually and practically to help you building and improving your operations.
Understanding and Hiding your Operations’ goal is to be a resource for comprehending the meaning of OPSEC and creating awareness in your operations, so as you can successfully face – and improve – experienced security teams and their detection capabilities.
PowerShell for Practical Purple TeamingNikhil Mittal
The document discusses purple teaming, which involves red and blue teams working together to improve security. It provides two examples using PowerShell to simulate insider threats and client-side attacks. The first story involves escalating privileges from a normal user to domain admin and creating a golden ticket. The second starts as a non-admin user using a client-side attack like an HTA when PowerShell is blocked. Detection methods like logs, Applocker, and network monitoring are also outlined. The document concludes purple teaming aims to maximize threat simulation benefits by bringing red and blue teams together.
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privileges escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
Nikhil Mittal presented methods for evading detection by Microsoft Advanced Threat Analytics (ATA). ATA detects attacks by monitoring traffic to domain controllers, but can be bypassed by avoiding direct queries to the DC. Reconnaissance techniques like SPN scanning and hunting domain admin tokens on other machines go undetected. Overpass-the-hash and golden tickets can bypass ATA if the encryption type matches normal traffic. False events can also be generated by triggering unusual detections for fake users.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
This document summarizes information about three individuals - Andy, Rohan, and Will - who work at Specter Ops creating security tools like BloodHound. It provides details on their jobs, tool development experience, conference presentations, training experience, and Twitter accounts. It then outlines abuse primitives that can be exploited through misconfigurations in Active Directory object ACLs. Finally, it demonstrates how to use tools like PowerView, SharpHound, and BloodHound to find misconfigurations and attack paths in Active Directory.
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
1. The document discusses breaking trusts between Active Directory forests by leveraging compromised unconstrained delegation and the "printer bug" to coerce authentication across forest boundaries.
2. It explains how a compromised server with unconstrained delegation in one forest can be used to extract ticket granting tickets (TGTs) that can then be reused to access resources in a separate, trusting forest.
3. The "printer bug" allows remotely forcing authentication and is used to extract TGTs from the separate forest to circumvent typical cross-forest security restrictions. This bypasses the assumption that forests provide a security boundary when two-way trusts exist between them.
PowerShell for Practical Purple TeamingNikhil Mittal
The document discusses purple teaming, which involves red and blue teams working together to improve security. It provides two examples using PowerShell to simulate insider threats and client-side attacks. The first story involves escalating privileges from a normal user to domain admin and creating a golden ticket. The second starts as a non-admin user using a client-side attack like an HTA when PowerShell is blocked. Detection methods like logs, Applocker, and network monitoring are also outlined. The document concludes purple teaming aims to maximize threat simulation benefits by bringing red and blue teams together.
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privileges escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
Nikhil Mittal presented methods for evading detection by Microsoft Advanced Threat Analytics (ATA). ATA detects attacks by monitoring traffic to domain controllers, but can be bypassed by avoiding direct queries to the DC. Reconnaissance techniques like SPN scanning and hunting domain admin tokens on other machines go undetected. Overpass-the-hash and golden tickets can bypass ATA if the encryption type matches normal traffic. False events can also be generated by triggering unusual detections for fake users.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
This document summarizes information about three individuals - Andy, Rohan, and Will - who work at Specter Ops creating security tools like BloodHound. It provides details on their jobs, tool development experience, conference presentations, training experience, and Twitter accounts. It then outlines abuse primitives that can be exploited through misconfigurations in Active Directory object ACLs. Finally, it demonstrates how to use tools like PowerView, SharpHound, and BloodHound to find misconfigurations and attack paths in Active Directory.
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
1. The document discusses breaking trusts between Active Directory forests by leveraging compromised unconstrained delegation and the "printer bug" to coerce authentication across forest boundaries.
2. It explains how a compromised server with unconstrained delegation in one forest can be used to extract ticket granting tickets (TGTs) that can then be reused to access resources in a separate, trusting forest.
3. The "printer bug" allows remotely forcing authentication and is used to extract TGTs from the separate forest to circumvent typical cross-forest security restrictions. This bypasses the assumption that forests provide a security boundary when two-way trusts exist between them.
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
How to Hunt for Lateral Movement on Your NetworkSqrrl
The document discusses threat hunting for lateral movement. It begins with an overview of lateral movement, describing it as techniques attackers use to access and control systems within a network. It then covers the lateral movement process, including initial compromise, reconnaissance, credential theft, and lateral movement events. The document demonstrates Sqrrl's lateral movement detectors, which use data science techniques like graph analysis and machine learning to detect lateral movement in network data. It discusses building a lateral movement detector by aligning it with TTPs, using classifiers to rank events, and implementing it at scale in Spark.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
This document provides information on detecting WMI exploitation. It discusses how WMI can be used by adversaries to remotely execute payloads, persist, query systems, and more. It outlines various ways WMI is exploited, including installing malicious MOF files and DLLs. The document recommends enabling specific Windows event logs and logging options to detect WMI activity, such as Process Creation, Authentication, and PowerShell logs. It also discusses tools that can help hunt for WMI exploitation like LOG-MD, Sysinternals AutoRuns, and WMI Explorer.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.
The document provides biographies and background information for two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
The document provides biographies and background information on two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
This document summarizes a presentation on designing Active Directory DACL backdoors for persistence after gaining initial domain elevation. It discusses how DACL misconfigurations can provide stealthy, long-term access. Specific techniques covered include hiding DACLs and principals from easy enumeration, as well as case studies on backdoors involving DCSync rights, AdminSDHolder, LAPS passwords, Exchange objects, and abusing GPOs. Defenses discussed include proper event log collection and SACL auditing. The document provides an overview of how DACLs can be stealthily misconfigured to maintain access without immediate detection.
Web 2.0 Performance and Reliability: How to Run Large Web Appsadunne
The document discusses operations engineering and monitoring systems. Some key points:
- Operations is often overlooked compared to product development and engineering, but it is a form of engineering and critical for ensuring systems run reliably.
- Effective monitoring involves collecting data, alerting on issues, and trend analysis to aid capacity planning. Tools mentioned include Nagios, Ganglia, Cricket, and custom Ganglia metrics.
- When debugging issues, follow best practices like understanding the system, methodically testing changes, keeping an audit trail, and ensuring the root cause is actually fixed.
- Automation is important for managing systems at scale. Tools like Puppet, Cobbler, Koan, and EC2 automation are recommended to
Red Teaming is hot right now. Many people want to get into it just because it sounds cool. While I tend to agree, there are many things to consider. There is way more to red teaming than just "getting in" to organizations. Join us for this one hour webcast where we cover what red team is, why you may want to be a red teamer, and how to become a red teamer.
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
How to Hunt for Lateral Movement on Your NetworkSqrrl
The document discusses threat hunting for lateral movement. It begins with an overview of lateral movement, describing it as techniques attackers use to access and control systems within a network. It then covers the lateral movement process, including initial compromise, reconnaissance, credential theft, and lateral movement events. The document demonstrates Sqrrl's lateral movement detectors, which use data science techniques like graph analysis and machine learning to detect lateral movement in network data. It discusses building a lateral movement detector by aligning it with TTPs, using classifiers to rank events, and implementing it at scale in Spark.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
This document provides information on detecting WMI exploitation. It discusses how WMI can be used by adversaries to remotely execute payloads, persist, query systems, and more. It outlines various ways WMI is exploited, including installing malicious MOF files and DLLs. The document recommends enabling specific Windows event logs and logging options to detect WMI activity, such as Process Creation, Authentication, and PowerShell logs. It also discusses tools that can help hunt for WMI exploitation like LOG-MD, Sysinternals AutoRuns, and WMI Explorer.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.
The document provides biographies and background information for two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
The document provides biographies and background information on two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
This document summarizes a presentation on designing Active Directory DACL backdoors for persistence after gaining initial domain elevation. It discusses how DACL misconfigurations can provide stealthy, long-term access. Specific techniques covered include hiding DACLs and principals from easy enumeration, as well as case studies on backdoors involving DCSync rights, AdminSDHolder, LAPS passwords, Exchange objects, and abusing GPOs. Defenses discussed include proper event log collection and SACL auditing. The document provides an overview of how DACLs can be stealthily misconfigured to maintain access without immediate detection.
Web 2.0 Performance and Reliability: How to Run Large Web Appsadunne
The document discusses operations engineering and monitoring systems. Some key points:
- Operations is often overlooked compared to product development and engineering, but it is a form of engineering and critical for ensuring systems run reliably.
- Effective monitoring involves collecting data, alerting on issues, and trend analysis to aid capacity planning. Tools mentioned include Nagios, Ganglia, Cricket, and custom Ganglia metrics.
- When debugging issues, follow best practices like understanding the system, methodically testing changes, keeping an audit trail, and ensuring the root cause is actually fixed.
- Automation is important for managing systems at scale. Tools like Puppet, Cobbler, Koan, and EC2 automation are recommended to
Red Teaming is hot right now. Many people want to get into it just because it sounds cool. While I tend to agree, there are many things to consider. There is way more to red teaming than just "getting in" to organizations. Join us for this one hour webcast where we cover what red team is, why you may want to be a red teamer, and how to become a red teamer.
The document provides information about a Drupal training session on fixing a broken Drupal site. It includes an agenda for the lab session which involves fixing issues related to site building, security, performance, and content architecture through exercises. Participants will be split into teams and each given a broken Drupal site to work on fixing. Automated tools and techniques for profiling site performance will be demonstrated.
This document provides a security checklist for TYPO3 with recommendations around secure passwords, disabling directory listings, backing up data, restricting backend and FTP user access, and protections against iframe and link manipulation attacks. Regular security checks, updates, backups, and access restrictions are emphasized to maintain the safety of a TYPO3 installation. Additional resources for further information on TYPO3 security are also provided.
Drupal Camp Atlanta 2011 - Drupal SecurityMediacurrent
Introduction to security on Drupal and introduces some testing tools, common problems and solutions.
We also introduce the concept of a response team and best practices to get you started.
When your security tools fail you, and what you can do about it. This discusses actual tool fail backgrounds, what failed and what you can do to detect and/or mitigate the issues(s) another way
HackerHurricane
MalwareArchaeology
Malware Archaeology
LOG-MD
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
https://www.youtube.com/watch?v=7TVp4g4hkpg
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building new and testing existing detection capabilities will be constrained. Executing adversary simulations in monitored environments produces the telemetry that allows blue teams to identify gaps in visibility as well as build, test and enhance detection analytics.This presentation will describe a methodology to incorporate adversary simulation into detection programs as well as release a tool blue teams can use to test the resilience of detection controls
Basic presentation of cryptography mechanismsMarian Marinov
This document summarizes Marian Marinov's presentation on cryptography. It discusses password cracking using John the Ripper, analyzing languages using frequency analysis to crack codes like the Enigma machine. It also covers chosen plaintext/ciphertext attacks, known plaintext attacks, and how these were used to crack protocols like SSL. Common attacks on SSL like BEAST, CRIME, and POODLE are outlined. Finally, cracking WiFi passwords using tools like Aircrack-ng is briefly discussed.
Windows logging workshop - BSides Austin 2014Michael Gough
This document provides an overview of a workshop on Windows logging. The workshop aims to teach attendees how to use Windows logging to detect attacks like the Target data breach. It discusses enabling and configuring Windows logging, collecting logs using commands, and analyzing logs with Splunk. The presentation covers malware behavior, Windows logging components, enabling auditing of important events in security and system logs, and installing the Splunk Universal Forwarder to send logs to Splunk Storm for analysis.
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
This document discusses penetration testing approaches from the past compared to today. It notes that in the past, penetration testing was easier because networks had fewer security controls like firewalls and patches. The document then provides tips and techniques for identifying security controls like load balancers, intrusion prevention systems, and web application firewalls that may be in place on modern networks. It also discusses ways to potentially bypass these controls like using encryption, proxies, or virtual private networks.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
The document is a presentation on security analytics and finding malicious activities by looking for anomalies in large amounts of data. It discusses challenges such as the increasing spending on cybersecurity while breaches continue to rise. It advocates collecting the right data from the right devices for long enough to enable detection. The presentation outlines techniques for analyzing endpoint, DNS, web proxy, network traffic, and DHCP logs to detect tactics used by adversaries. It emphasizes the importance of profiling normal behavior to identify deviations that could indicate security incidents.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
DrupalCamp London 2017 - Web site insecurity George Boobyer
Common threats to web security with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for.
An overview of how to benefit from:
- Security monitoring and log analysis
- Intrusion Detection Systems & Firewalls
- Security headers and Content Security Policies (CSP).
see Drupal Camp London for full details:
http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it
Public facing web sites are constantly under attack and keeping websites protected is an arms race, yet security rarely gets a look-in at specification and budget allocation stages of delivering a web site - or at best is an afterthought. Yet everyone has an expectation of security and QOS that implies it is central to every project.
Security considerations should pervade all stages of a project from initial specification, throughout development and testing and on to ongoing hosting and maintenance.
In this session I will cover:
* Common threats to web security with real world case studies of compromised sites,
* Simple approaches to mitigating common threats/vulnerabilities,
* Defence in depth – an overview of the various components of web security,
* Drupal specific measures that standard penetration testing often does not account for.
* An overview of how to benefit from:
* Security monitoring and log analysis
* Intrusion Detection Systems & Firewalls
* Security headers and Content Security Policies (CSP).
Comments: https://joind.in/talk/8bbea
This was a presentation I gave back in 2000 on Linux Security. Even though some of it is definitely dated there's still some relevant stuff in it since security is mainly common sense stuff.
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
This document discusses fileless or memory-based malware that exists only in memory and provides recommendations for detecting and responding to it. It recommends:
1. Developing a process to monitor running processes and modules for signs of injection or unauthorized code. Tools like Log-MD-Premium can help detect these memory-only infections.
2. Enabling detailed process logging, especially of command lines, to provide visibility. Detections and hunting can then focus on suspicious process activity.
3. Extracting and analyzing files from memory dumps or live systems to identify malware artifacts and indicators through static file evaluation and string analysis.
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
Presented by: Julien Voisin and Thibault Koechlin
Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.
The document discusses improving security user interfaces (UIs) on web browsers. It proposes replacing the ubiquitous padlock icon with an identity indicator called "Larry" that clearly shows website identity using extended validation certificates. Larry is evaluated against five rules for good security UI ("MRRAB"): meaningful, relevant, robust, available, and brave. The document also considers other aspects of security UI and explores ideas like using social connections and past browsing history to help users identify legitimate websites. It aims to spark discussion on making security indicators more understandable and effective for users.
Similar to Understanding and hiding your operations (20)
The importance of sustainable and efficient computational practices in artificial intelligence (AI) and deep learning has become increasingly critical. This webinar focuses on the intersection of sustainability and AI, highlighting the significance of energy-efficient deep learning, innovative randomization techniques in neural networks, the potential of reservoir computing, and the cutting-edge realm of neuromorphic computing. This webinar aims to connect theoretical knowledge with practical applications and provide insights into how these innovative approaches can lead to more robust, efficient, and environmentally conscious AI systems.
Webinar Speaker: Prof. Claudio Gallicchio, Assistant Professor, University of Pisa
Claudio Gallicchio is an Assistant Professor at the Department of Computer Science of the University of Pisa, Italy. His research involves merging concepts from Deep Learning, Dynamical Systems, and Randomized Neural Systems, and he has co-authored over 100 scientific publications on the subject. He is the founder of the IEEE CIS Task Force on Reservoir Computing, and the co-founder and chair of the IEEE Task Force on Randomization-based Neural Networks and Learning Systems. He is an associate editor of IEEE Transactions on Neural Networks and Learning Systems (TNNLS).
This presentation by OECD, OECD Secretariat, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Professor Alex Robson, Deputy Chair of Australia’s Productivity Commission, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
This presentation by Tim Capel, Director of the UK Information Commissioner’s Office Legal Service, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Katharine Kemp, Associate Professor at the Faculty of Law & Justice at UNSW Sydney, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Nathaniel Lane, Associate Professor in Economics at Oxford University, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
Carrer goals.pptx and their importance in real lifeartemacademy2
Career goals serve as a roadmap for individuals, guiding them toward achieving long-term professional aspirations and personal fulfillment. Establishing clear career goals enables professionals to focus their efforts on developing specific skills, gaining relevant experience, and making strategic decisions that align with their desired career trajectory. By setting both short-term and long-term objectives, individuals can systematically track their progress, make necessary adjustments, and stay motivated. Short-term goals often include acquiring new qualifications, mastering particular competencies, or securing a specific role, while long-term goals might encompass reaching executive positions, becoming industry experts, or launching entrepreneurial ventures.
Moreover, having well-defined career goals fosters a sense of purpose and direction, enhancing job satisfaction and overall productivity. It encourages continuous learning and adaptation, as professionals remain attuned to industry trends and evolving job market demands. Career goals also facilitate better time management and resource allocation, as individuals prioritize tasks and opportunities that advance their professional growth. In addition, articulating career goals can aid in networking and mentorship, as it allows individuals to communicate their aspirations clearly to potential mentors, colleagues, and employers, thereby opening doors to valuable guidance and support. Ultimately, career goals are integral to personal and professional development, driving individuals toward sustained success and fulfillment in their chosen fields.
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfBen Linders
Psychological safety in teams is important; team members must feel safe and able to communicate and collaborate effectively to deliver value. It’s also necessary to build long-lasting teams since things will happen and relationships will be strained.
But, how safe is a team? How can we determine if there are any factors that make the team unsafe or have an impact on the team’s culture?
In this mini-workshop, we’ll play games for psychological safety and team culture utilizing a deck of coaching cards, The Psychological Safety Cards. We will learn how to use gamification to gain a better understanding of what’s going on in teams. Individuals share what they have learned from working in teams, what has impacted the team’s safety and culture, and what has led to positive change.
Different game formats will be played in groups in parallel. Examples are an ice-breaker to get people talking about psychological safety, a constellation where people take positions about aspects of psychological safety in their team or organization, and collaborative card games where people work together to create an environment that fosters psychological safety.
This presentation by OECD, OECD Secretariat, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation by Juraj Čorba, Chair of OECD Working Party on Artificial Intelligence Governance (AIGO), was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
XP 2024 presentation: A New Look to Leadershipsamililja
Presentation slides from XP2024 conference, Bolzano IT. The slides describe a new view to leadership and combines it with anthro-complexity (aka cynefin).
2. www.crummie5.club
# ATTL4S
• Daniel López Jiménez (a.k.a. ATTL4S)
• Twitter: @DaniLJ94
• GitHub: @ATTL4S
• Youtube: ATTL4S
• Loves Windows and Active Directory security
• Security Consultant at NCC Group
• Associate Teacher at Universidad Castilla-La Mancha (MCSI)
Public Speaking: NavajaNegra, No cON Name, h-c0n, Hack&Beers
Posts: Crummie5, NCC Group’s blog, Hackplayers
Certs: CRTO, PACES, OSCP, CRTE
3. www.crummie5.club
# ElephantSe4l
• Godlike Programmer and Elephant Seal
• Twitter: @ElephantSe4l
• GitHub: @ElephantSe4l
• Very curious, he enjoys understanding complex and weird things
• Mind behind all the low-level contents of my talks
This has been written by ATTL4S
5. www.crummie5.club
The goal of this talk is being a resource for comprehending the meaning of OPSEC
and creating awareness in your operations, so as you can successfully face – and
improve – experienced security teams and their detection capabilities
6. www.crummie5.club
Disclaimer
• This talk aims to offer a general overview of the Operational Security subject for
those who are interested in studying it in depth
• There is quite a lot of information here for just a 45” talk, expect me not giving
tons of details
• We do really hope you enjoy this talk and learn something!!
8. www.crummie5.club
Adversary Simulation
• You probably heard of Red Team assessments
“Emulation of adversarial behaviours and techniques used by
real-world threat actors”
• The goal of these assessments is improving the organisation’s security team
• One of the most important things a threat actor will take care of is not getting
caught!
18. www.crummie5.club
Operational Security (OPSEC)
You may be thinking
• Avoiding too much “noise”
• AV / EDR evasion
• Using legitimate / built-in tools instead of malware
• In fact, when we talk about OPSEC the scope is usually wider
Identification and protection of data that could be useful for an adversary
20. www.crummie5.club
Robbing a Bank (Easy & Fast)
Do not get detected Do not raise suspicions Do not leave forensic traces
1 2 3
Understand your tools
Understand your procedures
Understand your adversary
22. www.crummie5.club
• Does this tool depend on executing other binaries? (cmd.exe, wmic.exe,
powershell.exe…)
• Can I implement the same behaviour without executing them?
• Well-known signatures or patterns?
• Can I configure or modify them easily?
• Obfuscation? encryption?
• Do I really need THIS tool for THIS purpose?
• Do I really need Mimikatz to dump LSASS?
• Do I really need SharpHound to check if this user has DCSync rights?
• Do I really need to create a new service to move laterally to that system?
24. www.crummie5.club
• There is no perfect solution for every-single situation
• E.g. Sometimes working in memory is the safest place. Other times might be better writing a
file to disk
• Obsessing with OPSEC can be a double-edged sword
• There must be a balance between effort and efficiency
• Please do not forget we are here to improve Blue Team’s detection capabilities!
• How mature your adversary is will mark the minimum security you’ll need in the
operation
26. www.crummie5.club
The Adversary
• The organization’s security team A.K.A Blue Team
• Blue Team tasks often include:
• Hardening the environment (patching, logging…)
• Monitoring unusual behaviour (IOCs, suspicious activity…)
• Responding to incidents (system isolation, account lockouts…)
• Investigating the origin of those incidents (forensic traces, artifacts…)
• Understanding these as an attacker will help us in terms of OPSEC
27. www.crummie5.club
Data is Key
• The lowest common denominator of most Blue Team activities is
data
• Defenders depend on the data belonging to the assets they want to
protect
• How do you protect something if you don’t know what’s happening there?
https://threathunterplaybook.com/pre-hunt/data_management.html
28. www.crummie5.club
• This data should be relevant for its purposes (data quality)
“Nowadays, while most organizations are great at collecting data, they usually do not
manage it well to make sense of it” – Roberto Rodriguez (@Cyb3rWard0g)
• It is used to create defensive capabilities
• Creating timelines and data correlations
• Configuring alerts for suspicious patterns and behaviours
• Blocking well-known patterns and behaviours
• …
• This applies to how AVs / EDRs work
https://threathunterplaybook.com/pre-hunt/data_management.html
33. www.crummie5.club
How is this Data Obtained?
• Defenders need mechanisms to gather the appropriate data for those
systems they want to protect
• Sysmon
• EDR agents
• Logs
• …
• These mechanisms often leverage features and techniques such as:
• Event Tracing for Windows (ETW)
• Callback objects
• Hooking techniques
36. www.crummie5.club
ETW, Callbacks n Hooks
• Not an in-depth explanation. We are going to see a brief overview of
how these work
• The intend is showing the amount of information available to
defenders for threat hunting and other activities
• Getting in touch with these will naturally create a feeling of security
awareness on us
47. www.crummie5.club
Kernel Callbacks
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/callback-objects
• Windows has a callback mechanism in the Kernel
• One of the Microsoft’s responses to prevent Kernel hooking
• This mechanism provides a way for drivers to receive notifications when certain
conditions are satisfied
• Drivers can define callback objects with a name and a set of attributes
• Drivers can register callback routines for those callback objects
• When conditions are met for a callback, the System calls all the routines registered in it
• Pre-operation callbacks
• Post-operation callbacks
• User-mode callbacks not as heavily used as kernel ones
48. www.crummie5.club
• Callbacks can be used to obtain knowledge or carry out actions when certain
conditions are met
• Object Callbacks: associated to objects such as processes, threads or desktops (e.g. process
creations or deletions)
• Registry Callbacks: associated to the registry (e.g. modifying or creating hives / keys)
• Filesystem Callbacks (Mini-Filters): associated to interactions with the NTFS filesystem (e.g.
creating or deleting a file)
• …
50. www.crummie5.club
Hooking
• Technique used to alter a process’ execution flow and behaviour
• Kernel hooking is restricted in 64-bit thanks to Kernel Patch Protection (KPP)
• Anti-Rootkit Measurement
• Microsoft implemented the Kernel callback mechanism along with ETW modifications as
alternatives
• For user-mode hookings, there are a lot of approaches
• Inline hooks
• IAT/EAT hooks
• ...
• EDR/AV agents are widely-known for performing user-mode hookings
52. www.crummie5.club
Sum Up
• Defenders need different mechanisms to achieve wider visibility
• These mechanisms are likely leveraging things like ETW, kernel callbacks and user-land hooks
• They can therefore provide huge visibility of what is happening in a system
• As an attacker, it is important to be aware of these mechanisms so as to adapt
our operations properly
• Remember
“How mature your adversary is will mark the minimum security you’ll need in the operation”
54. www.crummie5.club
Facing a Mature Adversary
• The following slides will show different things a mature Blue Team will be looking
nowadays
• The idea is understanding the impact a mature Blue Team can have through
different examples
• Areas that will be covered
• Disk indicators
• Memory indicators
• Process indicators
• Network indicators
56. www.crummie5.club
Common indicators they will be looking in those files
• Are there any public signatures associated to malware?
• Offensive-related strings within the file? (e.g. common patterns or names)
• Offensive-related API functions in the import table? (e.g. VirtualAlloc,
VirtualProtect…)
• Valid signature from a trusted entity?
• Location where those files were dropped?
59. www.crummie5.club
OPSEC
• Your file drops should appear legit!
• Drop location
• Filename
• Import Table
• Description
• Company
• …
• Want to avoid signatures and suspicious strings?
• Modify your code or use some kind of obfuscation / encryption
60. www.crummie5.club
Interesting Links
• Hashing vs. Encryption vs. Encoding vs. Obfuscation
• https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/
• Engineering antivirus evasion
• https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/
• HELK - SIGMA rules
• https://github.com/Cyb3rWard0g/HELK/tree/46f3f984466bec09380cc4cb65dbfec8af567a3a/docker/helk-jupyter/notebooks/sigma
• Tracking Malware with Import Hashing
• https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
• Using Custom Covenant Listener Profiles & Grunt Templates to Elude AV
• https://offensivedefence.co.uk/posts/covenant-profiles-templates/
• Cobalt Strike - The Artifact Kit
• https://www.youtube.com/watch?v=yWVzTooJGTo
61. www.crummie5.club
Process Indicators
Defensive mechanisms (and defenders) are often actively looking for
new processes and their behaviour
• Kernel Callbacks
• PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine…
• ETW
• Microsoft-Windows-Kernel-Process, EventLog-Microsoft-Windows-Sysmon-Operational,
Microsoft-Windows-Threat-Intelligence…
• User-land hooks
62. www.crummie5.club
Common indicators they will be looking in processes
• Parent / child relationships
• Word -> PowerShell
• Processes never seen in the system
• Legitimate tools used by malware (LOLBAS)
• Suspicious command-line arguments
• wmic process call create “powershell.exe -enc …”
• Suspicious API usage
• Process injection, .NET CLR reflections…
• Processes accessing other key processes
• LSASS
67. www.crummie5.club
OPSEC
• Avoid creating new processes as much as possible
• Can you execute your capability within your process? Local injections might help
• PPID spoofing might help for parent/child relationships
• Try to blend in – avoid weird behaviours as possible
• Your process needs Internet? Try working in the context of a process that does this
• Avoid common offensive patterns
• Avoid remote code injections as possible
• Command-line arguments?
• Command-line spoofing might help
68. www.crummie5.club
Interesting Links
• Will Burgess - Red Teaming in the EDR age
• https://www.youtube.com/watch?v=l8nkXCOYQC4
• Securi-Tay 2017 - Advanced Attack Detection
• https://www.youtube.com/watch?v=ihElrBBJQo8
• Raphael Mudge - Session Prepping and Session Passing
• https://www.youtube.com/watch?v=4xnBn5ZVkKE
• Adam Chester – How to Argue like Cobalt Strike
• https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
• ired.team - Parent Process ID (PPID) Spoofing
• https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
70. www.crummie5.clubIn-memory Evasion (2018) – Raphael Mudge
Common indicators they will be looking in memory:
• PE files in memory not associated with a module on disk
• MZ header, “This program cannot be run…”
• Module-less threads (A.K.A injected threads)
• The start address of the thread points to a location with no module associated
• Suspicious memory permissions such as RWX
• Malware-associated strings
• In-memory vs on-disk comparisons
• Process hollowings, dll hollowings…
72. www.crummie5.club
OPSEC
Raphael Mudge - In-memory Evasion (3 of 4) - Evasion
• Your thread’s start address points to a location with no module associated?
• Update the address to a more convenient location (e.g. using SetThreadContext)
• Memory injected PE files with no module associated?
• Module stomping might help
• Avoid stagers!
• Stagers require several requirements that will reduce your OPSEC. Use stageless payloads
• Avoid RWX memory permissions
• Watchout your memory contents
• PE headers, sneaky strings…
• Obfuscate memory when it is not in use
73. www.crummie5.club
Interesting Links
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
• Taking Hunting to the Next Level: Hunting in Memory - SANS Threat Hunting Summit 2017
• https://www.youtube.com/watch?v=EVBCoV8lpWc
• Adam Chester - Understanding and Evading Get-InjectedThread
• https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
• Raphael Mudge - In-memory Evasion
• https://www.youtube.com/playlist?list=PL9HO6M_MU2nc5Q31qd2CwpZ8J4KFMhgnK
• Cobalt Strike – Malleable PE, Process Injection, and Post Exploitation
• https://www.cobaltstrike.com/help-malleable-postex
• Elastic - Hunting In Memory
• https://www.elastic.co/es/blog/hunting-memory
• Bypassing Memory Scanners with Cobalt Strike and Gargoyle
• https://labs.f-secure.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/
74. www.crummie5.club
Network Indicators
Defensive mechanisms (and defenders) are often actively looking for
suspicious network activity within systems
• ETW
• Microsoft-Windows-Winsock-AFD, Microsoft-Windows-TCPIP…
• Callbacks
• WskAcceptEvent, WskReceiveEvent…
• IDS/IPS solutions, WAFs, corporate proxies…
75. www.crummie5.club
• Common indicators they will be looking and doing
• Traffic inspection
• SSL/TLS inspection
• Domains and IPs accessed
• Domain categorization? Cert information? Weird names?
• Amount of traffic
• Processes beaconing
• Fixed times
78. www.crummie5.club
OPSEC
• Your traffic should look legit!
• Try to impersonate common services that are reaching the Internet
• C2’s like Covenant or Cobalt Strike have configurable network profiles
• Cook your domains over low heat
• Domain categorization, domain age, domain names…
• Route your traffic through high-trust domains
• Domain fronting
• Take care of your C2 infra
• Use redirectors between your backend and your targets
• Agent beaconing?
• Configure proper delay and jitter percentages!
79. www.crummie5.club
Interesting Links
• SSL/TLS Interception Challenge from the Shadow to the Light
• https://www.sans.org/reading-room/whitepapers/covert/ssl-tls-interception-challenge-shadow-light-38870
• Being a Good Domain Shepherd
• https://posts.specterops.io/being-a-good-domain-shepherd-57754edd955f
• https://posts.specterops.io/being-a-good-domain-shepherd-part-2-5e8597c3fe63
• Tom Steele - Escape and Evasion Egressing Restricted Networks
• https://www.optiv.com/explore-optiv-insights/blog/escape-and-evasion-egressing-restricted-networks
• Cobalt Strike – Malleable Command and Control
• https://www.cobaltstrike.com/help-malleable-c2
• https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b
• https://github.com/rsmudge/Malleable-C2-Profiles
• Covenant – Listener Profiles
• https://github.com/cobbr/Covenant/wiki/Listener-Profiles
• Red-Team-Infrastructure-Wiki
• https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
81. www.crummie5.club
• Defensive actions are not usually consequence of a single heuristic, as it would
lead to a good amount of false positives
• Defenders and defensive products often require a combination of different
heuristics for alerts and actions
• A good detection will try to cover an attack capability as a “whole”, instead of
just focusing on specific tools or signatures
82. www.crummie5.club
• Defensive actions are not usually consequence of a single heuristic, as it would
lead to a good amount of false positives
• Defenders and defensive products often require a combination of different
heuristics for alerts and actions
• A good detection will try to cover an attack capability as a “whole”, instead of
just focusing on specific tools or signatures
83. www.crummie5.club
Capability Abstraction
Jared Atkinson’s Capability Abstraction is a good example of what a good detection
approach may look like:
“The idea is that an attacker’s tools are merely an abstraction of their
attack capabilities, and detection engineers must understand how to
evaluate abstraction while building detection logic” – Jared Atkinson
https://posts.specterops.io/capability-abstraction-fbeaeeb26384
86. www.crummie5.club
Paths of Execution
• When you execute a tool (e.g. Mimikatz), different things are
executed under the hood
• Capability Abstraction decomposes tools into different layers of
execution
• Each layer holds key functionality related to the tool and its main purpose
(technique)
• Each layer also represents each context where the execution flow passes
through (unmanaged, managed, userland, kernel, RPC, network...)
87. www.crummie5.club
• You can think of these as Paths of Execution
• As an attacker, you should be aware of your Paths of Execution:
• Is there any step in my path that might not be essential?
• Would it be interesting to avoid certain steps by starting the execution from a
lower level?
• Lower level of execution means smaller detection surface?
91. www.crummie5.club
• Studying Paths of Execution is something like performing a threat modelling of
your tools (where the risk is being detected)
• We want to identify all the obvious weaknesses associated to our paths
• Useless process executions
• Useless usage of arguments
• Unnecessary calls
• …
• But as we may be thinking… weaknesses will not always be obvious
• It might depend on the context or situation we are operating
92. www.crummie5.club
We will use syscalls as an example of something that can be extremely useful in
some cases, but not so much in others
93. www.crummie5.club
System Calls
• Commonly called syscalls, they are the lowest level of execution available from user-
mode
• They switch the execution from user-mode to kernel-mode
• They offer considerable advantages to offensive tooling
• Avoiding userland hooks, avoiding certain signatures and heuristics detections…
• We are essentially avoiding multiple steps from our Path of Execution
• As with everything, they also entail certain OPSEC considerations
97. www.crummie5.club
System Calls - OPSEC
• If you are doing a dynamic extraction of service numbers, watchout how you do
it!
• Freshycalls’ way of extracting these numbers might be of interest for you
• Manual Syscall executions can be detected using ETW
• Masked Syscalls might help
• Virtualization can be used to hook Syscalls, be aware of that!
https://www.crummie5.club/freshycalls/
99. www.crummie5.club
Why Should I Use a C2
• You probably have noticed we’ve been talking about Cobalt Strike, Metasploit and
even Covenant
• Adversary Simulations require:
• Operators to simulate real-world theat actors
• Reliable tools that offer the necessary functionality in a customizable way
• That’s why we want to use a C2!
100. www.crummie5.clubhttps://www.metasploit.com/
• Working with agents allows us to centralize all the functionality and
customizations in one single place
• We don’t want millions of tools, and new processes are expensive!
• Including everything within a custom-made agent or framework requires a
lot of time though
• Mature tools such as Metasploit or Cobalt Strike offer reliability and years
of work on their shoulders, give some love to them
101. Is anybody still awake?
45min talk haha yeah
MANY THANKS!
Any Question?