SlideShare a Scribd company logo

Red Team P2 Adversary Emulation

S
soheil hashemi

https://sindadsec.ir/

Internet
1 of 49
Download to read offline
Red Team P2 Adversary Emulation ‫سینداد‬ ‫ارتباط‬ ‫امن‬ ‫مهندسی‬ ‫شرکت‬ s i n d a d s e c . i r
Whoami Soheil Hashemi Ms.c Network Computers Penetration Testing | Red Teaming | Purple Teaming Security Course Instructor Twitter | Telegram 1 sindadsec.ir
MITRE ATTACK • TACTIC, TECHNIQUE, PROCEDURES [TTP] — APT GROUPs • Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact 3
Adversary Emulation • After Purple Teaming with Threat Intelligence Report of Organization Start Emulating Specific APT attack • Breach and Attack Simulation vs Adversary Emulation Platform 4
Reconnaissance (10) • Attack Surface Management => Framework find Assets and Vulnerabilities • Techniques (OSINT) • Active Scanning • Gather Victim Host Information • Gather Victim Identity Information • Gather Victim Network Information • Gather Victim Org Information • Phishing for Information • Search Closed Sources • Search Open Technical Databases • Search Open Websites/Domains • Search Victim-Owned Websites 5
Reconnaissance-Tools • Maltego-CE • Ammas • Sn1per • SET • Nikto • Recon-ng • Shodan • Spiderfoot 6
Reconnaissance-APT Groups • APT28-> Phishing for Information • Lazarus-> Gather Victim Org Information -> pretexting Spearphishing 7
Resource Development(7) • Acquire Infrastructure • Compromise Accounts • Compromise Infrastructure • Develop capabilities • Establish Accounts • Obtain capabilities • Stage capabilities • => Privilege Escalation and client Execution 8
Resource Development-APT Groups • APT28 => Domains, Web Services, Email Accounts,Tool • Lazarus => Domains, Server,Web Services, Malware, Email Accounts, Social Media Accounts, Code Signing Certificates, Digital Certificates,Tool • APT41 => Tool 9
Initial Access(9) • Drive-by compromise • Exploit Public-Facing Application • External Remote Service • Hardware Additions • Phishing • Replication Through Removable Media • Supply Chain Compromise • Trusted Relationship • Valid Accounts 1 0
Initial Access-Tools • Aircrack-ng • Lunckystrike • Wifi-pumpkin • GoPhish • SQLmap • King Phisher • Bash Bunny 1 1
Initial Access-APT Groups • APT28- Drive-by Compromise, Exploit Public-Facing Application, External Remote Services, Replication Through removal Media, Trusted Relationship, Valid Accounts, Spearphishing Attachment, Spearphishing Link, cloud Accounts • Lazarus- Drive-by Compromise, Valid Accounts, Spearphishing Attachment, Spearphishing Link, Spearphishing Via services • APT41- Spearphishing Attachment, compromise software supply chain 1 2
Execution (12) • Command and Scripting Interpreter • Container Administration Command • Deploy Container • Exploitation for Client Execution • Native API • Scheduled Task/Job • Shared Modules • Software Deployment Tools • System Services • User Execution • Windows Management Instrumentation 1 3
Execution-Tools • Macro • Donut 1 4
Execution-APT Groups • APT28=> Powershell, Windows Command Shell, Dynamic Data Exchange, Malicious File, Malicious Link • Lazarus=> Powershell, VisualBasic, Windows Command shell, Schedule Task,Malicious File, Malicious Link • APT41=> Powershell, Unix Shell, Windows command Shell, Schedule Task, Service Execution 1 5
Persistence (19) • Account Manipulation • BITS Jobs • Boot or Logon Autostart Execution • Boot or Logon Initialization Scripts • Browser Extensions • Compromise Client Software Binary • Create Account • Create or Modify System Process • Event Triggered Execution • External Remote Services • Hijack Execution Flow • Implant InternalImage • Modify AuthenticationProcess • Office Application Startup • Pre-OS Boot • Scheduled Task/Job • Server Software Component • Traffic Signaling • Valid Accounts 1 6
Persistence-Tools • Empire • Impact • Pwncat 1 7
Persistence-APT Groups • APT28=>Additional Email Delegated Permissions, Registry Run keys/Startup Folder, Logon Script(windows), Component Object model Hijacking, Office Test, Bootkit, WebShell, Cloud Accounts,Exploiting Privilege Escalation, Valid Accounts • Lazarus=> Registry Run keys/Startup Folder, Shortcut Modification, Windows Service, DLL Side-Loading, KernelCallbackTable, Bootkit, Scheduled Task, Valid Accounts • Registry Run keys/Startup Folder, Windows Service, Accessibility Features,DLL Search Order Hijacking, DLL Side-Loading, Dynamic Linker Hijacking, Bootkit, Schedule Task, Process Injection, Valid Accounts 1 8
Privilege Escalation (13) • Abuse Elevation Control Mechanism • Access Token Manipulation • Boot or Logon Autostart Execution • Boot or Logon Initialization Scripts • Create or Modify System Process • Domain Policy Modification • Escape to Host • Event Triggered Execution • Exploitation for Privilege Escalation • Hijack Execution Flow • Process Injection • Scheduled Task/Job • Valid Accounts 1 9
Privilege Escalation-Tools • Rubeus • UACme • SharpUP 2 0
Privilege Escalation-APT Groups • APT28=> Token Impersonation Theft, Registry Run keys/folder, Logon Scripts, Component Object model Hacking, Cloud Accounts, Deobfuscation/Decode Files and information, Exploitation for Defense Evasion • Lazarus=> Create Process with Token, Registry Run Keys/ Startup Folder, Shortcut Modification, Windows Service, DLL Side-loading, Kernel Callback Table, DLL Injection, Schedule Task • APT41=>Registry Run Keys/ Startup Folder, Windows Service, Accessibility Features, DLL Search Order Hijacking,DLL Side- Loading,Bits Jobs, Modify Registry, Process Injection, Rootkit 2 1
Defense Evasion(42) • Abuse Elevation Control Mechanism • Access Token Manipulation • BITS Jobs • Build Image on Host • Debugger Evasion • Deobfuscate/Decode Files or Information • Deploy Container • Direct Volume Access • Domain Policy Modification • Execution Guardrails • Exploitation for Defense Evasion • File and Directory Permissions Modification • Hide Artifacts • Hijack Execution Flow • Impair Defenses • Indicator Removal on Host • Indirect Command Execution • Masquerading • Modify Authentication Process • Modify Cloud Compute Infrastructure 2 2
Defense Evasion(42) • Modify Registry • Modify System Image • Network Boundary Bridging • Obfuscated Files or Information • Plist File Modification • Pre-OS Boot • Process Injection • Reflective Code Loading • Rogue Domain Controller • Rootkit • Subvert Trust Controls • System Binary Proxy Execution • System Script Proxy Execution • Template Injection • Traffic Signaling • Trusted Developer Utilities Proxy Execution • Unused/Unsupported Cloud Regions • Use Alternate Authentication Material • Valid Accounts • Virtualization/Sandbox Evasion , Weaken Encryption , XSL Script Processing 2 3
Defense Evasion-Tools •Meterpreter •Proxychains •Invoke-obfuscation •Veil 2 4
Defense Evasion-APT Groups •APT28=> •Lazarus=> •APT41=> 2 5
Credential Access(16) • Adversary-in-the-Middle • Brute Force • Credentials from Password Stores • Exploitation for Credential Access • Forced Authentication • Forge Web Credentials • Input Capture • Modify Authentication Process • Multi-Factor Authentication Interception • Multi-Factor Authentication Request Generation • Network Sniffing • OS Credential Dumping • Steal Application Access Token • Steal or Forge Kerberos Tickets • Steal Web Session Cookie • Unsecured Credentials 2 6
Credential Access-Tools • Mimikatz • Hashcat • Responder • Cain & Able • John the Ripper • THC Hydra • LaZagne 2 7
Credential Access-APT Groups • APT28=> • Lazarus=> • APT41=> 2 8
Discovery(30) • Account Discovery • Application Window Discovery • Browser Bookmark Discovery • Cloud Infrastructure Discovery • Cloud Service Dashboard • Cloud Service Discovery • Cloud Storage Object Discovery • Container and Resource Discovery • Debugger Evasion • Domain Trust Discovery • File and Directory Discovery • Group Policy Discovery • Network Service Discovery • Network Share Discovery • Network Sniffing • Password Policy Discovery • Peripheral Device Discovery • Permission Groups Discovery • Process Discovery • Query Registry 2 9
Discovery(30) • Remote System Discovery • Software Discovery • System Information Discovery • System Location Discovery • System Network Configuration Discovery • System Network Connections Discovery • System Owner/User Discovery • System Service Discovery • System Time Discovery • Virtualization/Sandbox Evasion 3 0
Discovery-Tools • BloodHound • SeatBelt • Kismet • ADRecon 3 1
Discovery-APT Groups • APT28=> • Lazarus=> • APT41=> 3 2
Lateral Movement(9) • Exploitation of Remote Services • Internal Spearphishing • Lateral Tool Transfer • Remote Service Session Hijacking • Remote Services • Replication Through Removable Media • Software Deployment Tools • Taint Shared Content • Use Alternate Authentication Material 3 3
Lateral Movement-TOOLS • Mimikatz • PSexec • WMIOPS • CrackMapEXEC • Infection Monkey 3 4
Lateral Movement-APT Groups • APT28=> • Lazarus=> • APT41=> 3 5
Collection(17) • Adversary-in-the-Middle • Archive Collected Data • Audio Capture • Automated Collection • Browser Session Hijacking • Clipboard Data • Data from Cloud Storage Object • Data from Configuration Repository • Data from Information Repositories • Data from Local System • Data from Network Shared Drive • Data from Removable Media • Data Staged • Email Collection • Input Capture • Screen Capture • Video Capture 3 6
Collection-TOOLS • PowerSploit • POwerUPSQL 3 7
Collection-APT Groups • APT28=> • Lazarus=> • APT41=> 3 8
C2(16) • Application Layer Protocol • Communication Through Removable Media • Data Encoding • Data Obfuscation • Dynamic Resolution • Encrypted Channel • Fallback Channels • Ingress Tool Transfer • Multi-Stage Channels • Non-Application Layer Protocol • Non-Standard Port • Protocol Tunneling • Proxy • Remote Access Software • Traffic Signaling • Web Service 3 9
C2-TOOLS • Covenant • Pupy • Empire • Merlin • POshC2 4 0
C2-APT Groups • APT28=> • Lazarus=> • APT41=> 4 1
Exfiltration(9) • Automated Exfiltration • Data Transfer Size Limits • Exfiltration Over Alternative Protocol • Exfiltration Over C2 Channel • Exfiltration Over Other Network Medium • Exfiltration Over Physical Medium • Exfiltration Over Web Service • Scheduled Transfer • Transfer Data to Cloud Account 4 2
Exfiltration-Tools • DNScat2 • ClockifyFactory • Powershell-RAT 4 3
Exfiltration-APT Groups • APT28=> • Lazarus=> • APT41=> 4 4
Impacts(13) • Account Access Removal • Data Destruction • Data Encrypted for Impact • Data Manipulation • Defacement • Disk Wipe • Endpoint Denial of Service • Firmware Corruption • Inhibit System Recovery • Network Denial of Service • Resource Hijacking • Service Stop • System Shutdown/Reboot 4 5
Impacts-TOOLS • Slows • Low Orbit Lon Cannon(LOIC) • Ransomware 4 6
Impacts-APT Groups • APT28=> • Lazarus=> • APT41=> 4 7
Result • Security Breach • Damage Ransomware • Damage Data Leak • Damage Ics Network • Damage Denial Of Service 4 8
4 9

Recommended

2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHostway|HOSTING
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Web Application Security Session for Web Developers
Web Application Security Session for Web DevelopersWeb Application Security Session for Web Developers
Web Application Security Session for Web DevelopersKrishna Srikanth Manda
 

Recommended

2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHostway|HOSTING
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Web Application Security Session for Web Developers
Web Application Security Session for Web DevelopersWeb Application Security Session for Web Developers
Web Application Security Session for Web DevelopersKrishna Srikanth Manda
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptxTckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptxAlfredObia1
 
122 naver-deview2013-tizen-universal-device-platform-r20131014
122 naver-deview2013-tizen-universal-device-platform-r20131014122 naver-deview2013-tizen-universal-device-platform-r20131014
122 naver-deview2013-tizen-universal-device-platform-r20131014NAVER D2
 
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkSplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkGeorg Knon
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Cyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmCyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmMuhammadJalalShah1
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...Priyanka Aash
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksYossi Sassi
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfAdvanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfInfosec train
 
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentAdvanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentpriyanshamadhwal2
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessToni de la Fuente
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingRishabha Garg
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web AttacksAlert Logic
 
Cyber Security # Lec 4
Cyber Security # Lec 4 Cyber Security # Lec 4
Cyber Security # Lec 4 Kabul Education University
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceCall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 

More Related Content

Similar to Red Team P2 Adversary Emulation

Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptxTckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptxAlfredObia1
 
122 naver-deview2013-tizen-universal-device-platform-r20131014
122 naver-deview2013-tizen-universal-device-platform-r20131014122 naver-deview2013-tizen-universal-device-platform-r20131014
122 naver-deview2013-tizen-universal-device-platform-r20131014NAVER D2
 
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkSplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkGeorg Knon
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Cyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmCyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmMuhammadJalalShah1
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...Priyanka Aash
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksYossi Sassi
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfAdvanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfInfosec train
 
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentAdvanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentpriyanshamadhwal2
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessToni de la Fuente
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web AttacksAlert Logic
 

Similar to Red Team P2 Adversary Emulation (20)

Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptxTckhjhhjbbggujvg Day13-Post-Exploitation.pptx
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
 
122 naver-deview2013-tizen-universal-device-platform-r20131014
122 naver-deview2013-tizen-universal-device-platform-r20131014122 naver-deview2013-tizen-universal-device-platform-r20131014
122 naver-deview2013-tizen-universal-device-platform-r20131014
 
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkSplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Cyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmCyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pm
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker kno...
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfAdvanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
 
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentAdvanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_content
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
Cyber Security # Lec 4
Cyber Security # Lec 4 Cyber Security # Lec 4
Cyber Security # Lec 4
 

Recently uploaded

Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 

Recently uploaded (20)

Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 

Red Team P2 Adversary Emulation

  • 1. Red Team P2 Adversary Emulation ‫سینداد‬ ‫ارتباط‬ ‫امن‬ ‫مهندسی‬ ‫شرکت‬ s i n d a d s e c . i r
  • 2. Whoami Soheil Hashemi Ms.c Network Computers Penetration Testing | Red Teaming | Purple Teaming Security Course Instructor Twitter | Telegram 1 sindadsec.ir
  • 3. MITRE ATTACK • TACTIC, TECHNIQUE, PROCEDURES [TTP] — APT GROUPs • Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact 3
  • 4. Adversary Emulation • After Purple Teaming with Threat Intelligence Report of Organization Start Emulating Specific APT attack • Breach and Attack Simulation vs Adversary Emulation Platform 4
  • 5. Reconnaissance (10) • Attack Surface Management => Framework find Assets and Vulnerabilities • Techniques (OSINT) • Active Scanning • Gather Victim Host Information • Gather Victim Identity Information • Gather Victim Network Information • Gather Victim Org Information • Phishing for Information • Search Closed Sources • Search Open Technical Databases • Search Open Websites/Domains • Search Victim-Owned Websites 5
  • 6. Reconnaissance-Tools • Maltego-CE • Ammas • Sn1per • SET • Nikto • Recon-ng • Shodan • Spiderfoot 6
  • 7. Reconnaissance-APT Groups • APT28-> Phishing for Information • Lazarus-> Gather Victim Org Information -> pretexting Spearphishing 7
  • 8. Resource Development(7) • Acquire Infrastructure • Compromise Accounts • Compromise Infrastructure • Develop capabilities • Establish Accounts • Obtain capabilities • Stage capabilities • => Privilege Escalation and client Execution 8
  • 9. Resource Development-APT Groups • APT28 => Domains, Web Services, Email Accounts,Tool • Lazarus => Domains, Server,Web Services, Malware, Email Accounts, Social Media Accounts, Code Signing Certificates, Digital Certificates,Tool • APT41 => Tool 9
  • 10. Initial Access(9) • Drive-by compromise • Exploit Public-Facing Application • External Remote Service • Hardware Additions • Phishing • Replication Through Removable Media • Supply Chain Compromise • Trusted Relationship • Valid Accounts 1 0
  • 11. Initial Access-Tools • Aircrack-ng • Lunckystrike • Wifi-pumpkin • GoPhish • SQLmap • King Phisher • Bash Bunny 1 1
  • 12. Initial Access-APT Groups • APT28- Drive-by Compromise, Exploit Public-Facing Application, External Remote Services, Replication Through removal Media, Trusted Relationship, Valid Accounts, Spearphishing Attachment, Spearphishing Link, cloud Accounts • Lazarus- Drive-by Compromise, Valid Accounts, Spearphishing Attachment, Spearphishing Link, Spearphishing Via services • APT41- Spearphishing Attachment, compromise software supply chain 1 2
  • 13. Execution (12) • Command and Scripting Interpreter • Container Administration Command • Deploy Container • Exploitation for Client Execution • Native API • Scheduled Task/Job • Shared Modules • Software Deployment Tools • System Services • User Execution • Windows Management Instrumentation 1 3
  • 15. Execution-APT Groups • APT28=> Powershell, Windows Command Shell, Dynamic Data Exchange, Malicious File, Malicious Link • Lazarus=> Powershell, VisualBasic, Windows Command shell, Schedule Task,Malicious File, Malicious Link • APT41=> Powershell, Unix Shell, Windows command Shell, Schedule Task, Service Execution 1 5
  • 16. Persistence (19) • Account Manipulation • BITS Jobs • Boot or Logon Autostart Execution • Boot or Logon Initialization Scripts • Browser Extensions • Compromise Client Software Binary • Create Account • Create or Modify System Process • Event Triggered Execution • External Remote Services • Hijack Execution Flow • Implant InternalImage • Modify AuthenticationProcess • Office Application Startup • Pre-OS Boot • Scheduled Task/Job • Server Software Component • Traffic Signaling • Valid Accounts 1 6
  • 18. Persistence-APT Groups • APT28=>Additional Email Delegated Permissions, Registry Run keys/Startup Folder, Logon Script(windows), Component Object model Hijacking, Office Test, Bootkit, WebShell, Cloud Accounts,Exploiting Privilege Escalation, Valid Accounts • Lazarus=> Registry Run keys/Startup Folder, Shortcut Modification, Windows Service, DLL Side-Loading, KernelCallbackTable, Bootkit, Scheduled Task, Valid Accounts • Registry Run keys/Startup Folder, Windows Service, Accessibility Features,DLL Search Order Hijacking, DLL Side-Loading, Dynamic Linker Hijacking, Bootkit, Schedule Task, Process Injection, Valid Accounts 1 8
  • 19. Privilege Escalation (13) • Abuse Elevation Control Mechanism • Access Token Manipulation • Boot or Logon Autostart Execution • Boot or Logon Initialization Scripts • Create or Modify System Process • Domain Policy Modification • Escape to Host • Event Triggered Execution • Exploitation for Privilege Escalation • Hijack Execution Flow • Process Injection • Scheduled Task/Job • Valid Accounts 1 9
  • 21. Privilege Escalation-APT Groups • APT28=> Token Impersonation Theft, Registry Run keys/folder, Logon Scripts, Component Object model Hacking, Cloud Accounts, Deobfuscation/Decode Files and information, Exploitation for Defense Evasion • Lazarus=> Create Process with Token, Registry Run Keys/ Startup Folder, Shortcut Modification, Windows Service, DLL Side-loading, Kernel Callback Table, DLL Injection, Schedule Task • APT41=>Registry Run Keys/ Startup Folder, Windows Service, Accessibility Features, DLL Search Order Hijacking,DLL Side- Loading,Bits Jobs, Modify Registry, Process Injection, Rootkit 2 1
  • 22. Defense Evasion(42) • Abuse Elevation Control Mechanism • Access Token Manipulation • BITS Jobs • Build Image on Host • Debugger Evasion • Deobfuscate/Decode Files or Information • Deploy Container • Direct Volume Access • Domain Policy Modification • Execution Guardrails • Exploitation for Defense Evasion • File and Directory Permissions Modification • Hide Artifacts • Hijack Execution Flow • Impair Defenses • Indicator Removal on Host • Indirect Command Execution • Masquerading • Modify Authentication Process • Modify Cloud Compute Infrastructure 2 2
  • 23. Defense Evasion(42) • Modify Registry • Modify System Image • Network Boundary Bridging • Obfuscated Files or Information • Plist File Modification • Pre-OS Boot • Process Injection • Reflective Code Loading • Rogue Domain Controller • Rootkit • Subvert Trust Controls • System Binary Proxy Execution • System Script Proxy Execution • Template Injection • Traffic Signaling • Trusted Developer Utilities Proxy Execution • Unused/Unsupported Cloud Regions • Use Alternate Authentication Material • Valid Accounts • Virtualization/Sandbox Evasion , Weaken Encryption , XSL Script Processing 2 3
  • 26. Credential Access(16) • Adversary-in-the-Middle • Brute Force • Credentials from Password Stores • Exploitation for Credential Access • Forced Authentication • Forge Web Credentials • Input Capture • Modify Authentication Process • Multi-Factor Authentication Interception • Multi-Factor Authentication Request Generation • Network Sniffing • OS Credential Dumping • Steal Application Access Token • Steal or Forge Kerberos Tickets • Steal Web Session Cookie • Unsecured Credentials 2 6
  • 27. Credential Access-Tools • Mimikatz • Hashcat • Responder • Cain & Able • John the Ripper • THC Hydra • LaZagne 2 7
  • 28. Credential Access-APT Groups • APT28=> • Lazarus=> • APT41=> 2 8
  • 29. Discovery(30) • Account Discovery • Application Window Discovery • Browser Bookmark Discovery • Cloud Infrastructure Discovery • Cloud Service Dashboard • Cloud Service Discovery • Cloud Storage Object Discovery • Container and Resource Discovery • Debugger Evasion • Domain Trust Discovery • File and Directory Discovery • Group Policy Discovery • Network Service Discovery • Network Share Discovery • Network Sniffing • Password Policy Discovery • Peripheral Device Discovery • Permission Groups Discovery • Process Discovery • Query Registry 2 9
  • 30. Discovery(30) • Remote System Discovery • Software Discovery • System Information Discovery • System Location Discovery • System Network Configuration Discovery • System Network Connections Discovery • System Owner/User Discovery • System Service Discovery • System Time Discovery • Virtualization/Sandbox Evasion 3 0
  • 32. Discovery-APT Groups • APT28=> • Lazarus=> • APT41=> 3 2
  • 33. Lateral Movement(9) • Exploitation of Remote Services • Internal Spearphishing • Lateral Tool Transfer • Remote Service Session Hijacking • Remote Services • Replication Through Removable Media • Software Deployment Tools • Taint Shared Content • Use Alternate Authentication Material 3 3
  • 34. Lateral Movement-TOOLS • Mimikatz • PSexec • WMIOPS • CrackMapEXEC • Infection Monkey 3 4
  • 35. Lateral Movement-APT Groups • APT28=> • Lazarus=> • APT41=> 3 5
  • 36. Collection(17) • Adversary-in-the-Middle • Archive Collected Data • Audio Capture • Automated Collection • Browser Session Hijacking • Clipboard Data • Data from Cloud Storage Object • Data from Configuration Repository • Data from Information Repositories • Data from Local System • Data from Network Shared Drive • Data from Removable Media • Data Staged • Email Collection • Input Capture • Screen Capture • Video Capture 3 6
  • 38. Collection-APT Groups • APT28=> • Lazarus=> • APT41=> 3 8
  • 39. C2(16) • Application Layer Protocol • Communication Through Removable Media • Data Encoding • Data Obfuscation • Dynamic Resolution • Encrypted Channel • Fallback Channels • Ingress Tool Transfer • Multi-Stage Channels • Non-Application Layer Protocol • Non-Standard Port • Protocol Tunneling • Proxy • Remote Access Software • Traffic Signaling • Web Service 3 9
  • 40. C2-TOOLS • Covenant • Pupy • Empire • Merlin • POshC2 4 0
  • 41. C2-APT Groups • APT28=> • Lazarus=> • APT41=> 4 1
  • 42. Exfiltration(9) • Automated Exfiltration • Data Transfer Size Limits • Exfiltration Over Alternative Protocol • Exfiltration Over C2 Channel • Exfiltration Over Other Network Medium • Exfiltration Over Physical Medium • Exfiltration Over Web Service • Scheduled Transfer • Transfer Data to Cloud Account 4 2
  • 44. Exfiltration-APT Groups • APT28=> • Lazarus=> • APT41=> 4 4
  • 45. Impacts(13) • Account Access Removal • Data Destruction • Data Encrypted for Impact • Data Manipulation • Defacement • Disk Wipe • Endpoint Denial of Service • Firmware Corruption • Inhibit System Recovery • Network Denial of Service • Resource Hijacking • Service Stop • System Shutdown/Reboot 4 5
  • 46. Impacts-TOOLS • Slows • Low Orbit Lon Cannon(LOIC) • Ransomware 4 6
  • 47. Impacts-APT Groups • APT28=> • Lazarus=> • APT41=> 4 7
  • 48. Result • Security Breach • Damage Ransomware • Damage Data Leak • Damage Ics Network • Damage Denial Of Service 4 8
  • 49. 4 9