In this presentation, Erik Van Buggenhout (NVISO founder & SANS Instructor) zooms in on Windows 10 CredentialGuard and how it can be used to protect against LSASS hash dumping (e.g. using Mimikatz). Want to learn more? Join us at SANS SEC599!
The document discusses Windows credential attacks and defenses. It describes common credential theft techniques like dumping credentials from LSASS memory using Mimikatz. It then covers various Windows credential hardening defenses over time like Protected Processes, Restricted Admin, and CredentialGuard. It demonstrates CredentialGuard's effectiveness at preventing credential theft compared to normal and older Windows configurations through a lab demo. The presentation aims to educate on real-world credential attacks while showing that effective defense is possible.
Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls.
The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decision making when called upon to emulate an adversary's TTPs.
It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls.
The C2 Matrix currently has 35 command and control frameworks documented in a Google Sheet, web site, and questionnaire format.
https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0
https://www.thec2matrix.com/matrix
https://ask.thec2matrix.com/
Learn how Red Teams and Blue Teams work together in virtual Purple Teams
Leverage Cyber Threat Intelligence to understand adversary tactics, techniques, and procedures
Perform adversary emulations in Red or Purple Team Exercises
Choose which command and control to use for the assessment to provide the most value
Measure and improve people, process, and technology
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™ by Katie Nickels
Katie Nickels and Adam Pennington presented "Turning intelligence into action with MITRE ATT&CK™" at the FIRST CTI Symposium in London on 20 March 2019.
From ATT&CKcon 3.0
By Fred Frey and Jonathan Mulholland, SnapAttack
Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage.
This project aims to:
- Bring a measurable testing rigor to community analytics to improve adoption
- Test every analytic against every attack, validating the true positive detection
- Understand the log sources required to detect specific attack techniques
- Apply data science to identify analytic similarity (reduce community duplication)
- Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc
- Automate the process so insights can stay up to date with new attack/analytic contributions over time
- Share our analysis back to the community to improve these projects
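The scoring the abstract describes, as an added example in Python (not SnapAttack's code or data): an analytic is credited only for techniques whose atomic test actually fired, label problems and undetected techniques are listed, near-duplicate analytics are found by Jaccard similarity over the tests they fired on, the log sources needed for a technique are derived from its validated analytics, and a greedy pass picks the analytics that add the most new coverage. The analytic names, atomic tests, log sources and firing results are constructed for illustration.

```python
"""Validate community analytics against atomic tests and pick a coverage set.

Added example, not SnapAttack's code. ATOMICS, ANALYTICS and FIRED are
constructed sample data standing in for Atomic Red Team tests, Sigma rules
and the result of running every analytic against every test.
"""
from itertools import combinations

# Each atomic test exercises one ATT&CK (sub-)technique.
ATOMICS = {
    "atomic-1": "T1003.001",  # OS Credential Dumping: LSASS Memory
    "atomic-2": "T1003.001",
    "atomic-3": "T1053.005",  # Scheduled Task
    "atomic-4": "T1059.001",  # PowerShell
    "atomic-5": "T1547.001",  # Registry Run Keys / Startup Folder
}

# What each analytic claims to cover and the log source it needs.
ANALYTICS = {
    "lsass-access": {"claims": {"T1003.001"}, "logsource": "sysmon:10"},
    "procdump-cli": {"claims": {"T1003.001"}, "logsource": "sysmon:1"},
    "schtasks-cli": {"claims": {"T1053.005"}, "logsource": "sysmon:1"},
    "susp-cmdline": {"claims": {"T1059.001"}, "logsource": "sysmon:1"},
    "runkey-write": {"claims": {"T1547.001"}, "logsource": "sysmon:13"},
    "wmi-persist": {"claims": {"T1546.003"}, "logsource": "sysmon:20"},
}

# Which atomic tests each analytic fired on (constructed results).
FIRED = {
    "lsass-access": {"atomic-1", "atomic-2"},
    "procdump-cli": {"atomic-2"},
    "schtasks-cli": {"atomic-3"},
    "susp-cmdline": {"atomic-3"},  # fires on schtasks, not on what it claims
    "runkey-write": {"atomic-5"},
    "wmi-persist": set(),          # no atomic exercises its technique
}


def validated(analytic):
    """Techniques the analytic is proven to detect: a test of them fired."""
    return {ATOMICS[test] for test in FIRED[analytic]}


def label_report(analytic):
    """Compare an analytic's ATT&CK labels with what the tests showed."""
    claims = ANALYTICS[analytic]["claims"]
    proven = validated(analytic)
    tested = set(ATOMICS.values())
    return {
        "untested": claims - tested,                # no atomic for the claim
        "unvalidated": (claims & tested) - proven,  # tested, never fired
        "missing_label": proven - claims,           # fired, but not labelled
    }


def undetected_techniques():
    """Techniques with an atomic test that no analytic ever caught."""
    proven = set().union(*(validated(a) for a in ANALYTICS))
    return set(ATOMICS.values()) - proven


def similarity(a, b):
    """Jaccard similarity of the test sets two analytics fired on."""
    fired_a, fired_b = FIRED[a], FIRED[b]
    if not fired_a and not fired_b:
        return 0.0
    return len(fired_a & fired_b) / len(fired_a | fired_b)


def near_duplicates(threshold=0.5):
    """Analytic pairs whose behaviour overlaps enough to review for merging."""
    return sorted(
        (a, b, similarity(a, b))
        for a, b in combinations(sorted(ANALYTICS), 2)
        if similarity(a, b) >= threshold
    )


def logsources_for(technique):
    """Log sources that a validated detection of the technique relies on."""
    return {ANALYTICS[a]["logsource"] for a in ANALYTICS if technique in validated(a)}


def greedy_select(budget):
    """Pick up to `budget` analytics, each adding the most new validated coverage."""
    chosen, covered = [], set()
    for _ in range(budget):
        best, best_gain = None, 0
        for name in sorted(ANALYTICS):
            if name in chosen:
                continue
            gain = len(validated(name) - covered)
            if gain > best_gain:
                best, best_gain = name, gain
        if best is None:  # nothing left adds coverage
            break
        chosen.append(best)
        covered |= validated(best)
    return chosen, covered
```

With this sample, `label_report("susp-cmdline")` reports the rule as unvalidated for T1059.001 and missing a T1053.005 label, `near_duplicates()` pairs it with `schtasks-cli` at similarity 1.0, `undetected_techniques()` returns the PowerShell technique nobody caught, and `greedy_select(3)` stops once every validated technique is covered. Credit for coverage comes from what fired, not from the labels, which is the point of running every analytic against every test.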
Caldera is an automated adversary emulation tool developed by MITRE and tied to the MITRE ATT&CK framework. It emulates adversary techniques by deploying custom backdoors on target systems, and its graphical interface is used to define groups, abilities, adversaries, and operations. Abilities are suites of actions that achieve goals, while adversaries are malicious actors equipped with abilities. Multiple abilities can be grouped into phases, and phases describe the progression of an adversary. Because each deployed backdoor is linked to ATT&CK techniques, Caldera actively attacks the targets it is pointed at rather than merely simulating the traffic.
Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations are covered. Adversary Emulations are end-to-end attacks against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
Putting MITRE ATT&CK into Action with What You Have, Where You Are by Katie Nickels
This document provides an overview of Katie Nickels' presentation on putting MITRE ATT&CK into action using available resources. Some key points include:
- MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.
- It can be used for detection, assessment, threat intelligence, and adversary emulation.
- For detection, ATT&CK can help improve focus on post-exploit activity and track gaps/improvements in coverage over time. Existing data sources can be leveraged to detect techniques.
- For assessment and engineering, ATT&CK can guide decisions around tool selection and help identify visibility and risk acceptance gaps.
Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ... by MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
Presentation introducing the MITRE ATT&CK Framework, its different use cases, and pitfalls to watch out for. The talk was delivered at the Null Bangalore and OWASP Bangalore chapter meeting on 15th February 2019.
Lex Crumpton leads MITRE's defensive ATT&CK efforts. In 2021 the team added data sources and detections for monitoring processes that interact with LSASS.exe and for detecting credential dumping tools. In 2022 they plan to add more detections and develop the Cyber Analytics Repository (CAR) to share analytic knowledge. Crumpton invites attendees to learn more about defensive ATT&CK on the team's website and to contact them directly with any other questions.
The Windows Logging Cheat Sheet is the definitive guide on learning where to start with Windows Logging. How to Enable, Configure, Gather and Harvest events so you can catch a hacker in the act.
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans by Christopher Korban
Talk about the evolution of security posture assessments, solving red team problems with ATT&CK-based Adversary Emulation Plans.
Conference: Art into Science - A Conference on Defense 2018
Red Teaming is hot right now. Many people want to get into it just because it sounds cool. While I tend to agree, there are many things to consider. There is way more to red teaming than just "getting in" to organizations. Join us for this one hour webcast where we cover what red team is, why you may want to be a red teamer, and how to become a red teamer.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe... by MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
PowerShell for Practical Purple Teaming by Nikhil Mittal
The document discusses purple teaming, in which red and blue teams work together to improve security. It provides two examples using PowerShell to simulate insider threats and client-side attacks. The first story involves escalating privileges from a normal user to domain admin and creating a golden ticket. The second starts as a non-admin user and uses a client-side attack such as an HTA when PowerShell is blocked. Detection methods such as logs, AppLocker, and network monitoring are also outlined. The document concludes that purple teaming aims to maximize the benefit of threat simulation by bringing red and blue teams together.
This document discusses adversary emulation and the MITRE Caldera tool. It begins with defining adversary emulation and distinguishing it from penetration testing. Various tools for adversary emulation are presented, including METTA, Atomic Red Team, Infection Monkey, and Covenant. The document then focuses on MITRE Caldera, describing what it is, how to set it up, develop custom abilities and plugins for it. It demonstrates running a quick Caldera operation and concludes by discussing how Caldera can be highly customized and help blue teams test techniques to improve security.
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE by MITRE - ATT&CKcon
This document provides an overview and update on the MITRE ATT&CK framework. It discusses the growth and updates made to ATT&CK in 2019, including the addition of 43 new techniques and 1 new tactic. It also previews upcoming work on implementing sub-techniques to provide more granular detail within techniques, and expanding ATT&CK to new domains like cloud computing and industrial control systems. The large community contribution to ATT&CK is also acknowledged.
The document provides biographies and background information for two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ... by JamieWilliams130
This document discusses operationalizing cyber threat intelligence by emulating adversary behaviors. It explains how to take cyber threat intelligence and map behaviors to the MITRE ATT&CK framework. Specific focus is given to the "Process Doppelgänging" technique, including understanding the behavior, potential detections, and emulating the behavior. The importance of fully emulating operations and expanding emulations through tools like Caldera is also covered.
Mapping ATT&CK Techniques to ENGAGE Activities by MITRE ATT&CK
From ATT&CKcon 3.0
By David Barroso, CounterCraft
When an adversary engages in a specific behavior, they risk exposing an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses it reveals and identify one or more engagement activities that exploit them.
During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Effective Threat Hunting with Tactical Threat Intelligence by Dhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo by Katie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
The document discusses credential extraction techniques on Windows systems. It explains that NTLM hashes are stored in the local SAM database and, for domain accounts, in the Domain Controller's NTDS.dit database, while the LSASS process handles authentication and holds credential material in memory. Mimikatz is introduced as a tool to extract plaintext passwords, hashes, and tickets from that memory. The document provides steps to use Mimikatz to dump the LSASS process and extract credentials from the dump file.
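The access pattern these decks describe (Mimikatz or a minidump tool opening a handle to lsass.exe with read rights, or code injected into LSASS as in the threat-hunting case above) is exactly what Sysmon Event ID 10 (ProcessAccess) records, and it is what the LSASS-access detections Lex Crumpton mentions are built on. Credential Guard does not stop the handle from being opened; it removes the secrets a read would find, because they live in the isolated LSA process, so prevention and detection complement each other. The following added example (not code from any of the listed presentations) runs that detection logic over a few constructed NDJSON records: it checks the Win32 access-right bits in GrantedAccess, the MiniDumpWriteDump modules in CallTrace, and unbacked (UNKNOWN) stack frames. The allowlist and the sample records are assumptions.

```python
"""Flag suspicious handle opens against lsass.exe in Sysmon Event ID 10 data.

Added example, not code from any of the presentations on this page. The NDJSON
records below are constructed to mirror the fields Sysmon writes for
ProcessAccess events; the allowlist is an assumption to tune per environment.
"""
import json

# Win32 PROCESS_* access-right bits that matter here.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
# Reading credentials out of LSASS needs VM_READ; injecting into it needs
# to write memory and start a thread.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed: images that legitimately open lsass with read rights on this build.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
# MiniDumpWriteDump lives in these; a CallTrace through them means a dump.
DUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")

# Constructed sample events, one JSON object per line as a SIEM would export.
SAMPLE_EVENTS = r"""
{"SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d3e4|C:\\Windows\\System32\\csrsrv.dll+5a1c"}
{"SourceImage": "C:\\Users\\bob\\Downloads\\mk.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d3e4|C:\\Windows\\System32\\KERNELBASE.dll+2e5d8|C:\\Users\\bob\\Downloads\\mk.exe+4f2a1"}
{"SourceImage": "C:\\Tools\\procdump64.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d3e4|C:\\Windows\\System32\\dbgcore.dll+1c2d4|C:\\Tools\\procdump64.exe+8b10"}
{"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d3e4|UNKNOWN(000001C2A0B00000)"}
{"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d3e4"}
"""


def lsass_access_reasons(event):
    """Reasons one Event ID 10 record looks like LSASS tampering ([] if none)."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return []
    source = event.get("SourceImage", "").lower()
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    trace = event.get("CallTrace", "").lower()
    reasons = []
    if source not in ALLOWED_SOURCES:
        if granted & PROCESS_VM_READ:
            reasons.append("vm_read")        # enough for Mimikatz sekurlsa
        if granted & INJECT_MASK:
            reasons.append("inject_rights")  # write + thread: code injection
    # CallTrace checks apply even to allowlisted images: a trusted process
    # can itself be the victim of injected code.
    if any(dll in trace for dll in DUMP_DLLS):
        reasons.append("dump_dll")
    if "unknown(" in trace:
        reasons.append("unbacked_code")      # frame not backed by a module
    return reasons


def scan(ndjson_text):
    """Return (SourceImage, GrantedAccess, reasons) for every flagged record."""
    hits = []
    for line in ndjson_text.strip().splitlines():
        event = json.loads(line)
        reasons = lsass_access_reasons(event)
        if reasons:
            hits.append((event["SourceImage"], event["GrantedAccess"], reasons))
    return hits


if __name__ == "__main__":
    for source, access, reasons in scan(SAMPLE_EVENTS):
        print(f"{source} opened lsass with {access}: {', '.join(reasons)}")
```

On the sample data csrss.exe with 0x1410 passes, the unknown binary with 0x1010 (QUERY_LIMITED_INFORMATION plus VM_READ, the mask Mimikatz asks for) is flagged for the read right alone, the procdump run is flagged on rights and on the dbgcore.dll frame, and the allowlisted svchost.exe is still flagged because its call stack runs through unbacked memory. Matching on the access mask rather than on a list of known-bad masks keeps the rule working when a tool requests a slightly different combination of rights.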
Reducing risks through access controls, privilege management and a... by Bruno Caseiro
This document discusses reducing risks through access controls, privilege management, and auditing. It begins with an agenda covering BeyondTrust, security concepts that are rarely implemented properly, high profile breaches in 2013-2014, and ways to reduce the attack surface. The document then discusses least privilege, need to know principles, and summarizes some high profile breaches. It concludes with recommendations for reducing the attack surface such as enforcing least privilege, controlling privileged access, auditing user activity, and patching vulnerabilities.
CyberArk Interview Questions and Answers for 2022.pdf by Infosec Train
The CyberArk Certification is for Cybersecurity experts who want to enhance their learning skills in the critical identity and access management layer of security. CyberArk is a privileged access management company that provides the most comprehensive security solution for any identity, human or machine, across business apps, remote workforces, hybrid cloud workloads, and the DevOps lifecycle.
CyberArk Interview Questions and Answers for 2023.pdf by infosec train
The CyberArk training develops your skills and provides the expertise needed to build, deploy, and configure the Privileged Account Security Solution. CyberArk course provides a variety of options to choose from.
https://www.infosectrain.com/courses/cyberark-training/
CyberArk Interview Questions and Answers for 2022.pdf by infosec train
CyberArk offers several training options to help individuals gain the knowledge and skills required to implement and administer CyberArk's privileged access security solutions. The CyberArk training develops your skills and provides the expertise needed to build, deploy, and configure the Privileged Account Security Solution. CyberArk course provides a variety of options to choose from.
https://www.infosectrain.com/courses/cyberark-training/
Webinar Mastering Microsoft Security von BaggenstosJenniferMete1
Microsoft 365 Security und Azure Security, Einhaltung von Compliance-Anforderungen unter Berücksichtigung des neuen Schweizer Datenschutzgesetze, Best Practices bei der Einführung und dem Betrieb von Sicherheitslösungen
IBM Share Conference 2010, Boston, Ulf MattssonUlf Mattsson
This document discusses approaches to data protection beyond basic PCI compliance. It presents case studies of organizations using encryption to protect credit card data across various systems. It evaluates options like encryption, tokenization, and monitoring and argues a risk-adjusted approach is best. Centralized key management and policy can provide control while balancing security, performance and transparency across different data types and environments like cloud.
Jesse V. Burke presents on adversarial RDP tactics, techniques, and procedures (TTPs). The presentation reviews the RDP attack cycle from initial reconnaissance using tools like Shodan to identify open RDP ports, through exploitation of vulnerabilities like MS12-020 and EsteemAudit, lateral movement using session hijacking, and potential mitigations. It provides details on common RDP attacks like brute forcing passwords, downgrading encryption, and using tools like Cain & Abel or Seth to perform man-in-the-middle attacks to decrypt credentials. The presentation emphasizes that proper patching, firewalls, and securing RDP connections can help prevent many external and internal RDP attacks.
This document discusses how Thales can help organizations securely adopt cloud applications and manage access. It notes that single sign-on alone in a hybrid IT environment poses security risks if credentials are compromised. Thales' SafeNet Trusted Access allows validating identities, determining trust levels, and applying access controls for cloud services. It can leverage Windows authentication and PKI to enhance convenience without additional authentication. The document also outlines Thales' key management and encryption solutions for data at rest, applications, big data, and the cloud.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
1. The document discusses an advanced retail breach where an attacker was able to access a third party contractor's system after phishing their credentials, use that to access the retailer's internal file server, infect POS systems with malware to scrape credit card data from RAM, send the data to an internal server, and then exfiltrate it to external FTP servers in Russia.
2. The IBM X-Force monitors threats and educates customers on security challenges. It analyzed this attack to understand how the attacker was able to compromise systems and extract card data without detection.
3. The document provides recommendations to prevent similar attacks, such as endpoint protection, network segmentation, monitoring and detection of anomalies, and incident response planning.
Presentation by Ismael Valenzuela from Intel Security about ransomware and how enterprises can design their IR responses to mitigate ransomware threats.
This document outlines the process of threat modeling for computer security. It discusses assessing security risks from an adversary's perspective to understand threats during requirements, design, and testing. The threat modeling process involves understanding the adversary's view, characterizing the system security, and evaluating threats. Techniques include attack trees, data flow diagrams, STRIDE categorization, and DREAD risk evaluation.
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...MohamedOmerMusa
This document contains 31 multiple choice questions about information security concepts from the CompTIA Security+ exam. The questions cover topics like security controls, threat actors, reconnaissance tools, vulnerability scanning, and supply chain risks. Example questions ask about the properties of secure systems, non-repudiation, security operations centers, DevSecOps teams, and more.
Security by Design: An Introduction to Drupal SecurityTara Arnold
This document provides an introduction to Drupal security. It discusses security by design principles in Drupal, including keeping the core and modules updated, using the Drupal API, and securing custom modules. It also covers encrypting sensitive data, the importance of key management for encryption and APIs, performing site audits and security best practices, and resources to improve security such as encryption and key management modules.
Security by design: An Introduction to Drupal SecurityMediacurrent
Security experts from Mediacurrent, Townsend Security and Lockr uncover how you can protect your site from the growing cybercrime business by starting off on the right foot. This interactive webinar will get you the foundation you need to protect your site and your organization when using Drupal.
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024Michael Noel
The document discusses various modern cyberattack threats faced by organizations. It covers spear phishing attacks targeting executives to gain credentials for lateral attacks. It also discusses state-sponsored hacking organizations seeking to steal trade secrets. Ransomware attacks encrypting data and demanding payment are also covered. The document provides tips for defending against these threats, including implementing multi-factor authentication, privileged access management, and using Microsoft security tools.
Similar to Windows 10 CredentialGuard vs Mimikatz - SEC599 (20)
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
2. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz
Who am I?
• Co-founder (NVISO)
• Incident Response & Threat Hunting
• Lead Author & Instructor SEC599
• Instructor SEC560, 561, 562, 542
3. What I’d like to discuss today
• Quick Introduction
• Refresher: Windows credentials attacks
• Let’s talk defenses: what defense mechanisms were introduced before?
• CredentialGuard: what is this CredentialGuard you speak of?
• Demo: the proof is in the pudding! CredentialGuard vs Mimikatz
4. What I’d like to discuss today (agenda slide repeated)
5. Stealing Windows credentials – where in the Cyber Kill Chain?
Cyber Kill Chain phases: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives
Windows credentials are typically a target for adversaries in the later stages of the compromise. After obtaining an initial foothold, credentials are stolen to further escalate privileges / move laterally in the environment!
6. Windows credentials attacks
Aside from generic attacks such as phishing or keylogging, the table on this slide (not reproduced in this transcript) lists some of the most common ways used by adversaries to obtain Windows credentials.
SANS Senior Instructor Chad Tilbury has an excellent presentation on Windows Credentials Attacks, Mitigations & Defence:
https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
7. Introducing some of these tools – Capturing NTLMv2
For various reasons Kerberos may not be available (no line of sight to a domain controller, a target addressed by IP address instead of by name, a host that is not domain-joined), in which case Windows falls back to NTLMv2 challenge / response authentication. The exchange between the client workstation, the service (here a database server) and the domain controller:
1. The client workstation requests authentication from the service (database server)
2. The server sends a challenge
3. The client sends its response: the authenticating system uses the hashed credential (the NT hash, never the password itself) to calculate a response based on the challenge sent by the server
4. In a Windows domain environment, the server forwards the challenge and the response to the domain controller for validation of the credentials
5. The domain controller validates them
6. The server sends the result to the client
8. Introducing some of these tools – Responder – Capturing NTLMv2
Responder is (amongst other things) an LLMNR, NBT-NS and mDNS poisoner: it answers the name-resolution broadcasts Windows sends when DNS cannot resolve a name (a mistyped share name is enough), so the victim connects and authenticates to the system Responder is running on. Responder then records the NTLMv2 challenge / response pair, which can be cracked offline with a password-cracking tool (e.g. hashcat).
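The exchange of slides 7 and 8 in code, as an added example that is not part of the talk: the client derives the NTLMv2 response from its NT hash, the server forwards challenge and response, and the domain controller verifies them with nothing but the same NT hash. That is the whole reason a dumped hash is as good as the password (slide 9) and why Responder's capture can be cracked offline. The identities, the NT hash (the well-known hash of the empty password) and the target-info bytes are constructed for the demo; only .NET's HMACMD5, which ships with Windows PowerShell 5.1 and PowerShell 7, is used.

```powershell
# Added example, not from the slides: NTLMv2 challenge/response with the three parties of slide 7.
function ConvertFrom-Hex { param([string]$Hex)
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) }) }
function ConvertTo-Hex { param([byte[]]$Bytes) ([System.BitConverter]::ToString($Bytes) -replace '-', '').ToLower() }
function New-RandomBytes { param([int]$Count)
    $b = [byte[]]::new($Count); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b); ,$b }
function Get-HmacMd5 { param([byte[]]$Key, [byte[]]$Data)
    $h = [System.Security.Cryptography.HMACMD5]::new($Key); ,$h.ComputeHash($Data) }

# Client side key: NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)). Note the input: the NT hash,
# i.e. exactly what lsass.exe keeps in memory and what Mimikatz dumps.
function Get-NtlmV2Key { param([byte[]]$NtHash, [string]$User, [string]$Domain)
    ,(Get-HmacMd5 -Key $NtHash -Data ([System.Text.Encoding]::Unicode.GetBytes($User.ToUpperInvariant() + $Domain))) }

# The "blob" the client appends (MS-NLMP NTLMv2_CLIENT_CHALLENGE): type bytes, FILETIME timestamp,
# client nonce, and the target info (AV pairs) copied from the server's CHALLENGE message.
function New-NtlmV2Blob { param([byte[]]$ClientNonce, [byte[]]$TargetInfo)
    $ts = [System.BitConverter]::GetBytes([DateTime]::UtcNow.ToFileTimeUtc())
    $blob = [byte[]]([byte[]](1, 1, 0, 0, 0, 0, 0, 0) + $ts + $ClientNonce + [byte[]](0, 0, 0, 0) + $TargetInfo + [byte[]](0, 0, 0, 0))
    ,$blob }

# Step 3 (client): NTProofStr = HMAC-MD5(NTLMv2 key, server challenge || blob). This 16-byte value is what crosses the wire.
function Get-NtProofStr { param([byte[]]$NtlmV2Key, [byte[]]$ServerChallenge, [byte[]]$Blob)
    ,(Get-HmacMd5 -Key $NtlmV2Key -Data ([byte[]]($ServerChallenge + $Blob))) }

# Steps 4-5 (server forwards to the DC): the DC recomputes the proof from the NT hash it stores for the user and
# compares in constant time. It never sees, and never needs, the password: hash possession equals authentication.
function Test-NtlmV2Response { param([byte[]]$NtHash, [string]$User, [string]$Domain, [byte[]]$ServerChallenge, [byte[]]$Blob, [byte[]]$NtProofStr)
    $expected = Get-NtProofStr -NtlmV2Key (Get-NtlmV2Key -NtHash $NtHash -User $User -Domain $Domain) -ServerChallenge $ServerChallenge -Blob $Blob
    if ($expected.Length -ne $NtProofStr.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $NtProofStr[$i]) }
    return ($diff -eq 0) }

# What a poisoner on the wire gets to keep: the NetNTLMv2 line (hashcat mode 5600 format).
function Format-NetNtlmV2Capture { param([string]$User, [string]$Domain, [byte[]]$ServerChallenge, [byte[]]$NtProofStr, [byte[]]$Blob)
    '{0}::{1}:{2}:{3}:{4}' -f $User, $Domain, (ConvertTo-Hex $ServerChallenge), (ConvertTo-Hex $NtProofStr), (ConvertTo-Hex $Blob) }

# --- Walk through the exchange with constructed data ---
$user = 'erik'; $domain = 'LAB'                                    # constructed identities
$ntHash = ConvertFrom-Hex '31d6cfe0d16ae931b73c59d7e0c089c0'        # NT hash of the empty password (known test vector)
$serverChallenge = New-RandomBytes 8                               # step 2: 8-byte server nonce
$targetInfo = [byte[]]([byte[]](2, 0, 6, 0) + [System.Text.Encoding]::Unicode.GetBytes('LAB') + [byte[]](0, 0, 0, 0))  # MsvAvNbDomainName 'LAB' + MsvAvEOL (constructed)
$blob  = New-NtlmV2Blob -ClientNonce (New-RandomBytes 8) -TargetInfo $targetInfo
$key   = Get-NtlmV2Key -NtHash $ntHash -User $user -Domain $domain
$proof = Get-NtProofStr -NtlmV2Key $key -ServerChallenge $serverChallenge -Blob $blob              # step 3
$accepted = Test-NtlmV2Response -NtHash $ntHash -User $user -Domain $domain -ServerChallenge $serverChallenge -Blob $blob -NtProofStr $proof
$wrongHash = ConvertFrom-Hex '00000000000000000000000000000000'
$rejected  = Test-NtlmV2Response -NtHash $wrongHash -User $user -Domain $domain -ServerChallenge $serverChallenge -Blob $blob -NtProofStr $proof
"DC accepts the genuine response: $accepted; accepts a response checked against the wrong hash: $rejected"
"Responder-style capture line: " + (Format-NetNtlmV2Capture -User $user -Domain $domain -ServerChallenge $serverChallenge -NtProofStr $proof -Blob $blob)
```

Two things to take from the walk-through: the client never needs the password once it holds the NT hash (the same fact Pass-the-Hash exploits on slide 9), and the capture line contains everything an offline cracker needs, because for each candidate password it only has to compute MD4 of the UTF-16LE password and repeat the two HMACs above. Responder captures; the cracking is done elsewhere, at the attacker's pace.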
9. Dumping credentials from LSASS memory
Once an initial entry point in the network has been obtained, dumping credentials from LSASS memory in particular has become extremely popular:
• It opens up an attack vector against accounts that are not configured locally (domain users). Furthermore, the stolen credentials come out as clear-text passwords (Windows 7, via WDigest) or NT hashes (Windows 10), so they can immediately be reused in Pass-the-Hash attacks
• Common attack flow:
1. Obtain local admin access to one system in the domain
2. Lure a domain admin to that machine (e.g. call the helpdesk)
3. Dump credentials from memory
4. Own the domain (“Domain dominance”)
5. Persist domain ownership (Golden Ticket, DCSync, Skeleton Key, …)
• Tools like BloodHound build entire attack graphs that reveal the relationships between accounts and systems to facilitate this
10. Dumping credentials from LSASS memory – Common technique
Due to its size & complexity, it’s often difficult for administrators to retain a good overview of how privileges are assigned across the environment. Adversaries can leverage this to spot excessive privileges which can be used in lateral movement…
AD structure diagrams: the diagram on this slide (generated by the attacking tool BloodHoundAD) reveals an interesting way of how adversaries could laterally move through the target environment. In a few steps, Erik could easily steal the hashes of Stephen, thereby obtaining Domain Admin privileges.
The path the diagram shows: user Erik is a member of the group Workstation admins, which administers the PC Workstation1; user Stephen, a member of the group Domain admins, has a logon session on Workstation1 (the HasSession edge). Whoever is admin on Workstation1 can dump Stephen’s credentials from its LSASS.
11. Dumping credentials from LSASS memory – Mimikatz
Mimikatz is a free, open-source Windows tool built by Benjamin Delpy (@gentilkiwi) to extract credentials from Windows computers. Its second version is often referred to as “Kiwi”.
Due to its high reliability & flexibility, it is used by adversaries and penetration testers alike. Several variations have been created and it has been included as a module in the Metasploit Meterpreter attacking tool.
“Mimikatz is a tool I've made to learn C and make some experiments with Windows security. It's now well known to extract plaintext passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.”
12. Dumping credentials from LSASS memory – The primacy of Mimikatz
Executing the command privilege::debug enables the debug privilege (SeDebugPrivilege), which lets the tool open the memory of processes it does not own. Executing the command lsadump::lsa /inject will then dump the hashes from the LSA process (lsass.exe).
13. Dumping credentials from LSASS memory – Mimikatz in the news
The popularity of Mimikatz has sky-rocketed over the last few years:
• In 2017, the NotPetya ransomware used various components of Mimikatz to support its lateral movement
• In several APT investigations, Mimikatz is part of the standard toolkit used by advanced adversaries (amongst others, OilRig, Cobalt Kitty & APT28 have been observed to use (variants of) Mimikatz)
• Penetration testing & red teaming frameworks include (variants of) Mimikatz:
  • Metasploit Meterpreter has a built-in Mimikatz (Kiwi) module
  • PowerShell Empire has a built-in version of Mimikatz (Invoke-Mimikatz)
14. Dumping credentials from LSASS memory – Some advanced Mimikatz features
• To evade AV detection, Mimikatz supports an offline mode in which a memory dump of the LSASS process is fed to Mimikatz on another machine. The dump file can be created with built-in Windows tools (e.g. Task Manager’s “Create dump file”) or the Sysinternals toolkit (ProcDump). This removes the need to run a “hacking tool” like Mimikatz on the target system… Whatever tool writes the dump still has to open lsass.exe with read access, which is the one action a defender can watch for regardless of the tool name.
• Mimikatz can impersonate a Domain Controller and replicate all password hashes using MS-DRSR (Directory Replication Service Remote Protocol), labelled “DCSync” in Mimikatz. This needs the directory replication rights that Domain Admins hold by default, so no code runs on the DC itself.
• Mimikatz can create AD persistence by generating Golden Tickets or by installing a backdoor in the memory of a Domain Controller’s LSASS (“Skeleton Key” attack)
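A detection that follows from slides 12 and 14, as an added example that is not part of the talk: every LSASS dumper, whether Mimikatz itself, Task Manager or ProcDump, must open a handle to lsass.exe with memory-read rights, and Sysmon Event ID 10 (ProcessAccess) records exactly that handle request. Sysmon is not mentioned in the slides; it is an assumed, free Microsoft tool that must be installed with a rule logging ProcessAccess on lsass.exe. The allow-list of benign source images, the access-mask heuristic and the sample field values are this example's own choices.

```powershell
# Added example, not from the slides: hunt for handles opened on lsass.exe via Sysmon Event ID 10.
# Rights a dumper needs on lsass: read its memory (PROCESS_VM_READ = 0x0010), usually with
# PROCESS_QUERY_INFORMATION (0x0400). Masks commonly seen: 0x1010 / 0x1438 from Mimikatz,
# 0x1FFFFF (PROCESS_ALL_ACCESS) from Task Manager and ProcDump.
$script:VmRead     = 0x0010
$script:LsassAllow = @(                         # benign openers, adjust for your fleet (assumption)
    'C:\Windows\System32\svchost.exe', 'C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\lsass.exe', 'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe')

function ConvertFrom-SysmonEvent { param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <Data Name="..."> elements of the event XML into a hashtable
    $xml = [xml]$Event.ToXml(); $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $d['TimeCreated'] = $Event.TimeCreated
    $d }

function Test-SuspiciousLsassAccess { param([string]$SourceImage, [string]$GrantedAccess, [string]$CallTrace,
                                            [string[]]$AllowList = $script:LsassAllow)
    $mask = [Convert]::ToInt32($GrantedAccess, 16)          # GrantedAccess is logged as "0x1010"
    $wantsRead = (($mask -band $script:VmRead) -ne 0)
    $trusted = $false
    foreach ($p in $AllowList) { if ($SourceImage -like $p) { $trusted = $true; break } }
    # UNKNOWN frames in the call trace mean the caller ran from memory not backed by a file on disk,
    # typical of injected code or reflectively loaded Mimikatz (Invoke-Mimikatz, Meterpreter's kiwi).
    $unbacked = ($CallTrace -match 'UNKNOWN')
    return (($wantsRead -and -not $trusted) -or $unbacked) }

function Get-LsassAccessEvent { param([int]$MaxEvents = 1000, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $_.TargetImage -like '*\lsass.exe' } |
        ForEach-Object {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $_.SourceImage
                SourcePid     = $_.SourceProcessId
                SourceUser    = $_.SourceUser          # present on Sysmon 13+, empty on older versions
                GrantedAccess = $_.GrantedAccess
                CallTrace     = $_.CallTrace
                Suspicious    = (Test-SuspiciousLsassAccess -SourceImage $_.SourceImage -GrantedAccess $_.GrantedAccess -CallTrace $_.CallTrace)
            } } }

# Usage on a host with Sysmon: list the openers worth a look
# Get-LsassAccessEvent | Where-Object Suspicious | Format-Table Time, SourceImage, SourcePid, GrantedAccess -AutoSize

# Self-check of the heuristic with constructed field values (no Sysmon needed)
Test-SuspiciousLsassAccess -SourceImage 'C:\Users\erik\Desktop\mimikatz.exe' -GrantedAccess '0x1010' `
    -CallTrace 'C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2a3c6'
Test-SuspiciousLsassAccess -SourceImage 'C:\Windows\System32\svchost.exe' -GrantedAccess '0x1000' `
    -CallTrace 'C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2a3c6'
```

The first self-check returns True (an unknown binary asking for memory read), the second False (a system process asking only for PROCESS_QUERY_LIMITED_INFORMATION). Renaming mimikatz.exe or dumping with Task Manager does not change the handle request, which is why the rule keys on the access mask and the caller rather than on the file name.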
15. What I’d like to discuss today (agenda slide repeated)
16. What’s left behind?
(Table on the slide: which credential material remains on a system per logon type; see the Microsoft reference material below.)
http://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material
17. What’s left behind? – Mimikatz point of view
18. Generic recommendations – Isolate Domain Controllers
Put domain controllers in a different network than other servers and workstations. Use at least firewalls to separate the networks.
(Diagram: “Domain controllers network” separated from the “Inner network”.)
21. Focused improvements - Windows 8 / 2012 – Restricted Admin
The idea of “Restricted Admin” mode is that the user’s credentials are not sent to the remote host when the RDP session is established, so the chances of capturing them with Mimikatz on that host are lower! The trade-off to keep in mind: because no password is needed to open the session, it can also be opened with nothing more than an NT hash (pass-the-hash over RDP), and outbound connections from the session authenticate as the remote computer rather than as the user. Restricted Admin protects the admin’s secret; it does not harden the target.
Source: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
22. Focused improvements - Windows 8 / 2012 – Restricted Admin
In a bit more detail:
Normal RDP
• Erik enters his password in the RDP client.
• The RDP client performs a network logon to the target server to authorize Erik.
• Erik is authorized & the RDP client relays the credentials to the target machine over a secure channel.
• The target server uses these credentials to perform an interactive logon on behalf of Erik, which is why they end up in that server’s LSASS.
Restricted Admin
• The RDP client performs a network logon to the remote machine without sending the credentials themselves
• The actual credentials are not required in order to set up the connectivity, so nothing reusable is left behind in the remote LSASS
24. Focused improvements - Windows 8 / 2012 – Protected Processes
In order to prevent hash-dumping attacks aimed at the LSA process, Microsoft introduced “Protected Process Light” (PPL) for LSASS as of Windows 8.1 & Windows Server 2012 R2; it is opt-in, through the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
• Protected processes were first introduced in Windows Vista for DRM (Digital Rights Management) purposes, but were adapted for “security purposes” in Windows 8.1
• The screenshot on the slide provides an example of the lsass.exe process running as a “protected process”: only other protected processes may open it with read/write access, so a user-mode Mimikatz gets “access denied”
• Protected processes are enforced by the kernel alone, so anyone who can load a (signed) kernel driver can switch the protection off; Mimikatz ships its own driver (mimidrv.sys) for exactly that…
27. Focused improvements - Windows 8 / 2012 – Domain Protected Users
“Protected Users” (a domain group available once the PDC emulator runs Windows Server 2012 R2) enforces a number of restrictions on its members, which counter several of the attack strategies previously mentioned:
Disables authentication using NTLM (as well as Digest and CredSSP)
=> Protects against Responder-style attacks: the account never produces an NTLM response that could be captured
WDigest & CredSSP clear-text credentials are no longer stored in LSASS
=> Fewer results when dumping LSASS memory
On a device running Windows 8.1 (or later), the credentials are not cached
=> Protects against dumping of cached domain credentials (Windows default: the last 10 users, CachedLogonsCount)
Kerberos will not use DES or RC4 during pre-authentication
=> The NT hash, which doubles as the RC4 Kerberos key, can no longer be used for overpass-the-hash. Note that Kerberoasting attacks the service account’s key, not the user’s, so Protected Users does not stop it; AES-only service accounts with long random passwords do
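Putting the Protected Users slide into practice, as an added example that is not part of the talk: the group only helps for the accounts that matter (Tier-0 admins) and breaks the accounts that must not be in it (anything that authenticates with NTLM, is delegated, or has no AES keys), so the script checks before it adds. It assumes the RSAT ActiveDirectory module and rights to modify the group; “Domain Admins” as the candidate set and the 2014-01-01 password cut-off are this example's assumptions.

```powershell
# Added example, not from the slides: move Tier-0 admins into Protected Users with sanity checks.
function Get-ProtectedUsersCandidate { [CmdletBinding()] param([string]$SourceGroup = 'Domain Admins')
    Import-Module ActiveDirectory -ErrorAction Stop
    $already = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName)
    foreach ($m in Get-ADGroupMember -Identity $SourceGroup -Recursive) {
        $reasons = [System.Collections.Generic.List[string]]::new()
        # Only user objects belong in the group: computers, gMSAs and service accounts lose NTLM and
        # delegation, which breaks them. An SPN marks an account that services authenticate to.
        if ($m.objectClass -ne 'user') { $reasons.Add("objectClass $($m.objectClass)") }
        else {
            $u = Get-ADUser -Identity $m.SamAccountName -Properties ServicePrincipalName, PasswordLastSet, Enabled
            if ($u.ServicePrincipalName.Count -gt 0) { $reasons.Add('has SPN(s), likely a service account') }
            if (-not $u.Enabled) { $reasons.Add('disabled') }
            # AES keys only exist for passwords set after the domain reached the 2008 functional level;
            # a Protected User without them cannot log on at all. The cut-off date is an assumption.
            if ($u.PasswordLastSet -lt [datetime]'2014-01-01') { $reasons.Add('password predates AES keys, reset it first') }
        }
        [pscustomobject]@{
            SamAccountName = $m.SamAccountName
            AlreadyMember  = ($already -contains $m.SamAccountName)
            Eligible       = ($reasons.Count -eq 0)
            Reason         = ($reasons -join '; ')
        } } }

function Add-ProtectedUsersMember { [CmdletBinding(SupportsShouldProcess)] param([string]$SourceGroup = 'Domain Admins')
    foreach ($c in Get-ProtectedUsersCandidate -SourceGroup $SourceGroup) {
        if ($c.AlreadyMember) { continue }
        if (-not $c.Eligible) { Write-Warning "Skipping $($c.SamAccountName): $($c.Reason)"; continue }
        if ($PSCmdlet.ShouldProcess($c.SamAccountName, 'Add to Protected Users')) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $c.SamAccountName } } }

# Dry run first. Members can no longer authenticate with NTLM and their TGTs cannot be delegated,
# so test with one account you can afford to lock out before rolling the change to the whole group.
Add-ProtectedUsersMember -WhatIf
```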
28. What I’d like to discuss today (agenda slide repeated)
30. Windows high-level architecture – Without CredentialGuard
31. Having a look at the processes – Without CredentialGuard
32. Windows high-level architecture – With CredentialGuard
When Credential Guard is enabled, the LSA process (lsass.exe) still runs in userland, but it no longer holds the secrets. The actual credentials are stored in the isolated LSA process (LsaIso.exe). This process does not run under the normal Windows kernel but in Virtual Secure Mode (VSM), a separate environment that the Hyper-V hypervisor keeps isolated from Windows, so even kernel-mode code (a Mimikatz with its driver loaded, for instance) cannot read its memory. lsass.exe talks to LsaIso.exe over an RPC channel and only receives the results of operations (an NTLM response, a Kerberos ticket request), never the NT hash or the user’s long-term Kerberos keys themselves.
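An added example that is not part of the talk, covering the controls of slides 21 to 32 in one place: read back from a host whether Credential Guard is actually running (not just configured), whether LSA runs as a protected process, whether WDigest clear-text storage, Restricted Admin, NTLMv2-only, cached logons, LLMNR and NetBIOS name service are set the way the slides recommend, and switch Credential Guard on. Registry paths, value names and the Win32_DeviceGuard class are Microsoft's; what counts as “OK” (for instance at most 2 cached logons) is this example's own choice. Run in an elevated PowerShell on the host being assessed.

```powershell
# Added example, not from the slides: audit the credential-hardening controls on this host.
function Get-RegValue { param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }

function Get-CredentialHardeningState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $runAsPpl   = Get-RegValue $lsa 'RunAsPPL'
    $lsaCfg     = Get-RegValue $lsa 'LsaCfgFlags'
    $wdigest    = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $noRestrAdm = Get-RegValue $lsa 'DisableRestrictedAdmin'
    $lmLevel    = Get-RegValue $lsa 'LmCompatibilityLevel'
    $cached     = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $llmnr      = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $nbtOn      = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' -ErrorAction SilentlyContinue |
                    Where-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 }).Count
    $os81plus   = ([Environment]::OSVersion.Version -ge [version]'6.3')
    # Win32_DeviceGuard: SecurityServicesRunning contains 1 when Credential Guard is up (2 = HVCI);
    # VirtualizationBasedSecurityStatus 2 means VBS itself is running. Configured-but-not-running is the usual gap.
    $cgRunning = (($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1))

    [pscustomobject]@{ Control = 'Credential Guard running (LsaIso.exe in VSM)';                    Value = "VBS=$($dg.VirtualizationBasedSecurityStatus) services=$(@($dg.SecurityServicesRunning) -join ',')"; Ok = $cgRunning }
    [pscustomobject]@{ Control = 'Credential Guard configured (Lsa\LsaCfgFlags 1=UEFI lock, 2=no lock)'; Value = $lsaCfg;     Ok = ($lsaCfg -in 1, 2) }
    [pscustomobject]@{ Control = 'LSA runs as protected process (Lsa\RunAsPPL)';                    Value = $runAsPpl;   Ok = ($runAsPpl -in 1, 2) }
    [pscustomobject]@{ Control = 'WDigest clear-text off (UseLogonCredential=0; absent is off only on 8.1/2012 R2+)'; Value = $wdigest; Ok = (($wdigest -eq 0) -or ($null -eq $wdigest -and $os81plus)) }
    [pscustomobject]@{ Control = 'Restricted Admin RDP accepted here (Lsa\DisableRestrictedAdmin=0)'; Value = $noRestrAdm; Ok = ($noRestrAdm -eq 0) }
    [pscustomobject]@{ Control = 'NTLMv2 only, refuse LM/NTLMv1 (LmCompatibilityLevel=5)';          Value = $lmLevel;    Ok = ($lmLevel -eq 5) }
    [pscustomobject]@{ Control = 'Cached domain logons limited (CachedLogonsCount, default 10)';     Value = $cached;     Ok = (($null -ne $cached) -and ([int]$cached -le 2)) }
    [pscustomobject]@{ Control = 'LLMNR disabled (DNSClient\EnableMulticast=0)';                     Value = $llmnr;      Ok = ($llmnr -eq 0) }
    [pscustomobject]@{ Control = 'NetBIOS name service off on all interfaces (NetbiosOptions=2)';    Value = "$nbtOn interface(s) still enabled"; Ok = ($nbtOn -eq 0) }
}

# Turn Credential Guard on. Needs Windows 10 / Server 2016 Enterprise, UEFI with Secure Boot and a CPU with
# virtualization extensions; takes effect after a reboot. LsaCfgFlags=2 skips the UEFI lock so the change can
# be rolled back remotely; use 1 once you are sure. RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection.
function Enable-CredentialGuard { [CmdletBinding(SupportsShouldProcess)] param([ValidateSet(1, 2)][int]$LsaCfgFlags = 2)
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Enable VBS + Credential Guard (LsaCfgFlags=$LsaCfgFlags)")) {
        New-Item -Path $dgKey -Force | Out-Null
        Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value $LsaCfgFlags -Type DWord
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 1 -Type DWord   # protect the user-land LSA too
    } }

Get-CredentialHardeningState | Format-Table Control, Value, Ok -AutoSize
# Enable-CredentialGuard -WhatIf   # then without -WhatIf, and reboot
```

Re-run the audit after the reboot: the check that matters is the first line (the service actually running), because a host without UEFI, Secure Boot or virtualization support silently keeps LsaCfgFlags set and Credential Guard off. Keep the other rows green as well: Credential Guard isolates the domain secrets held by LSA, it does nothing for local SAM accounts, for credentials captured as they are typed, or for an attacker who simply uses the live session of the logged-on admin.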
33. Windows high-level architecture – With CredentialGuard
34. Some caveats
35. Some caveats – Another interesting attack strategy!
36. What I’d like to discuss today (agenda slide repeated)
37. Demo time
39. Want to learn more?
Want support?
Get in touch with NVISO’s experts, we’d be happy to discuss how we can help further!
Want to learn more?
Join SEC599 – Defeating Advanced Adversaries!
• London – April 2018
• Amsterdam – September 2018
• Brussels – October 2018
More locations available at https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses
Editor's Notes
Welcome to SANS Security SEC599: Defeating Advanced Adversaries.
In this course, you will build the essential skills required to fend off today’s advanced cyber attacks. The course is highly hands-on, as we help you develop skills by exercising them in realistic lab settings. Although this is not a penetration testing course, we will pay sufficient attention to the offensive side of the spectrum. We will provide you with a deep technical understanding of how advanced adversaries work, as this will help us be more efficient defenders. Likewise, we will inform you on how to respond to cyber security attacks, but will primarily focus on how to prevent and detect them.
Our goal is to keep the course as interactive as possible. If you have a question, please let the instructor know. Discussions about relevant topics are incredibly important in a class like this, as we have numerous attendees with various levels of skill coming into the class. Share your insights and ask questions. The instructor does reserve the right, however, to take a conversation offline during a break or outside of class in the interest of time and applicability of the topic.
As course authors, we welcome any comments, questions, or suggestions pertaining to the course material. We would also like to extend our thanks to Didier Stevens (a SANS ISC handler), whose contributions greatly helped improve the course.
Erik Van Buggenhout
erik.van.buggenhout@gmail.com
www.nviso.be
Stephen Sims
ssims@sans.org
www.sans.org
Update: C01
The Cyber Kill Chain ®
As we are the defenders of digital assets of our company or organization, we face adversaries using digital methods to attack our digital assets. It would be useful to have a digital equivalent of the military kill chain so that we can structure our defenses accordingly.
Different groups and organizations have worked on documenting adversaries' methods in a digital kill chain. Lockheed Martin developed the trademarked “Cyber Kill Chain ®”, which has risen in popularity to become one of the most used frameworks to describe cyber attacks. An alternative, slightly adapted variant is Dell SecureWorks’ “Cyber Kill Chain”. Both chains have more steps than the military kill chain.
Lockheed Martin: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions On Objectives.
Dell SecureWorks: Target Defined, Recon, Development, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives, Objective Met
For the purpose of our course, we will follow a similar structure, as most online publications related to cyber attacks do the same.
References:
http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html
https://www.secureworks.com/resources/wp-breaking-the-kill-chain