a b a bett etter mod er model f el for or pen t en test
play

A B A Bett etter Mod er Model f el for or Pen T en Test esting - PowerPoint PPT Presentation

Jan 25, 2024 •101 likes •395 views

Assu Assumed med Br Breac each: h: A B A Bett etter Mod er Model f el for or Pen T en Test esting ing Mike Saunders mike@redsiege.com @hardwaterhacker slides: redsiege.com/abm ABOUT ABOUT Mik Mike Principal Consultant - Red

  1. Assu Assumed med Br Breac each: h: A B A Bett etter Mod er Model f el for or Pen T en Test esting ing Mike Saunders mike@redsiege.com @hardwaterhacker slides: redsiege.com/abm

  2. ABOUT ABOUT Mik Mike Principal Consultant - Red Siege > 20 years IT > 12 years security kayaking / fishing / music / photography 2

  3. Pen T en Testing esting is is BR BROKEN OKEN Internal pen tests don't represent how attackers operate Starting inside the network (kali or otherwise) Noisy scans Lobbing exploits everywhere redsiege.com 3

  4. "I "I WANT WANT A A RED T RED TEAM" EAM" Most customers don't need a true red team Require a lot of time = expensive Requires maturity in IT org. Low return on investment compared to other test options redsiege.com 4

  5. ASS ASSUMED UMED WHA WHAT? T? Based on assumption endpoint is already compromised / org is breached What can an attacker do with this access redsiege.com 5

  6. AB AB - TW TWO( O(ish ish) ) MODELS MODELS Malicious User Compromised User Both use standard workstation image with representative users Preferably a recently terminated user DA is a tool, not a destination! redsiege.com 6

  7. Compr Compromised omised USE USER R - PATH TH A Simulate a user who clicked on a payload Execute a custom payload All ops take place over C2 framework Pivot to remote access with creds redsiege.com 7

  8. Compr Compromised omised USE USER R - PATH TH B Demonstrate impact of compromised user Operate on workstation Shipped laptop / VPN + RDP / on site Work with tools available on desktop or what can be loaded Initiate C2 if needed redsiege.com 8

  9. AV/EDR V/EDR - DISABLED? DISABLED? AV/EDR can be bypassed given time Is it worth client $$$ to spend time to bypass? Discuss goals with client @HackingLZ - Start with AV/EDR enabled, verify bypass or visibility of actions, then disable if needed redsiege.com 9

  10. MALICIOUS MALICIOUS USER USER Simulates employee who wants to steal / cause harm Shipped laptop / VPN + RDP / on site Testing starts on standard workstation Whatever tooling is available on workstation Standard AV/EDR config redsiege.com 10

  12. REAL REAL WORLD ORLD TACTICS CTICS https://www.fireeye.com/blog/threat-research/2019/04/finding-weaknesses- before-the-attackers-do.html Blog lays out likely real-world attack scenario Phishing Pivot to internal through remote access Targeted Kerberoasting => elevation of privilege Access high-value targets redsiege.com 12

  13. ASS ASSUMED UMED BREA BREACH CH TACTICS CTICS Simulate payload sent via email / SE Search out high value targets / data Kerberoasting => elevation of privilege Gather credentials Pivot to data Access high-value targets DA is a tool, not a destination! redsiege.com 13

  14. DOMAIN DOMAIN FR FRONTING ONTING Vendors are breaking traditional fronting model Some CDNs still work *.cloudfront.net / *.azureedge.net still works Build custom C2 profile https://github.com/bluescreenofjeff/ Malleable-C2-Randomizer redsiege.com 14

  15. INIT INITIAL IAL ACCESS CCESS Simulating phishing HTA is still effective https://github.com/trustedsec/unicorn https://github.com/danielbohannon/Invoke-Obfuscation https://github.com/samratashok/nishang/blob/master/Client/Out- HTA.ps1 https://github.com/nccgroup/demiguise redsiege.com 15

  16. INIT INITIAL IAL ACCESS CCESS Macros ClickOnce Executables https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ So many more… redsiege.com 16

  17. FINDING FINDING ACCOUNTS CCOUNTS Password spraying (Internal or External) OWA / O365 https://github.com/dafthack/MailSniper Domain accounts https://github.com/dafthack/DomainPasswordSpray redsiege.com 17

  18. KERB KERBER EROAST ASTING ING Traditional tools PowerView Invoke-Kerberoast https://raw.githubusercontent.com/fullmetalcache/tools/master/autokerb eroast_nomimi_stripped.ps1 Invoke-AutoKerberoast -Format hashcat redsiege.com 18

  19. KERB KERBER EROAST ASTING ING Ideally low & slow Target users in specific groups (PowerView) https://www.harmj0y.net/blog/powershell/kerberoasting-without- mimikatz/ Get-DomainUser -SPN & Get-DomainSPNTicket -SPN Random Delay https://adsecurity.org/?p=230 redsiege.com 19

  20. MINING MINING AD AD SharpHound via execute-assembly Research stealth options --NoSaveCache is your friend Hunt for creds in AD schema ADExplorer.exe -snapshot "" ad.snap -noconnectprompt https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad- explorer/ redsiege.com 20

  21. HUNT HUNTING ING GPP GPP CREDS CREDS GPP = XML config files stored in SYSVOL Store credentials for workstation local admin, mapping drives, etc. https://adsecurity.org/?p=2288 PowerSploit Get-GPPPassword PowerSploit PowerUp Get-CachedGPPPassword redsiege.com 21

  22. LA LATE TERAL RAL MO MOVEMENT VEMENT Find lateral movement to admin access with PowerView Test-AdminAccess -ComputerName Get-DomainComputer | Test-AdminAccess psexec wmic redsiege.com 22

  23. TRA TRAWLING WLING FILES/SHARES FILES/SHARES Elevated account creds (DA / sa / etc.) frequently found in files PowerShell PSReadLine Logs (ConsoleHost_history.txt) Source code & sensitive data PowerView Invoke-ShareFinder -CheckAccess Find-InterestingDomainShareFile Find-InterestingFile redsiege.com 23

  24. HUNT HUNTING ING SES SESSIONS SIONS Find files that can be used for lateral movement SSH private keys, RDP files, FileZilla / WinSCP saved passwords, etc. https://github.com/Arvanaghi/SessionGopher Invoke-SessionGopher -Thorough (local system) Invoke-SessionGopher -Target hostxyz -Thorough Invoke-SessionGopher -AllDomain -Thorough redsiege.com 24

  25. BY BYO O PO POWERSHE WERSHELL LL Code can be executed in ISE even if PS script execution is disabled Build custom PS environment https://github.com/fullmetalcache/PowerLine redsiege.com 25

  26. PR PROS OS & & CONS CONS Pro Better understanding of strengths & weaknesses Ability to model real-world TTPs Cons Limited time means we have to be noisier Not focused on vulns Non-representative accounts/workstations can negatively impact test redsiege.com 26

  27. SUMMAR SUMMARY Better way to prepare clients for attacks they're likely to face Requires maturity in client processes VA & pen test cycles before client is ready Work with client to get good accounts and workstations PowerShell & Cobalt Strike aren't the only way - these were just examples redsiege.com 27

  28. QUES QUESTION TIONS? Mike Saunders Principal Consultant mike@ redsiege .com @hardwaterhacker @RedSiegeInfoSec Slides: redsiege.com/abm redsiege.com 28

Recommend

BETTER BART BETTER BAY AREA BETT BETTER ER BAR ART T / / BETT BETTER ER BAY Y AREA AREA

BETTER BART BETTER BAY AREA BETT BETTER ER BAR ART T / / BETT BETTER ER BAY Y AREA AREA

BETTER BART BETTER BAY AREA BETT BETTER ER BAR ART T / / BETT BETTER ER BAY Y AREA AREA 2 2 BAR ART T SY SYSTE STEM THE THEN A N AND NO ND NOW The decision of the people to build a 3 -county Bay Area rapid transit system

472 views • 26 slides
Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang,

Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang,

Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang, ng, CD CD-adapco pco LES: : Scaled d Combust ustor Bet etter er flow and mixing ng accurac racy Results lts in bett etter er predic

864 views • 60 slides
Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang,

Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang,

Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang, ng, CD-adapco pco LES: : Scaled d Combust ustor Bet etter er flow and mixing ng accurac racy Results lts in bett etter er predic

604 views • 33 slides
Ann Marie Sullivan, MD Commissioner NY State OMH } BET ETTER ER HEA EATLH OF THE E

Ann Marie Sullivan, MD Commissioner NY State OMH } BET ETTER ER HEA EATLH OF THE E

Ann Marie Sullivan, MD Commissioner NY State OMH } BET ETTER ER HEA EATLH OF THE E POPULATION: Prevention and Maximizing Wellness } BET ETTER ER CARE E FOR EA EACH PATIEN ENT: Quality Care focused on patient choice, engagement,

305 views • 9 slides
DEMONSTRATIONS: AN UPDATE NOVEMBER 12, 2013 PRESENTATION D E N N I S B E C K E R , M P C A / E

DEMONSTRATIONS: AN UPDATE NOVEMBER 12, 2013 PRESENTATION D E N N I S B E C K E R , M P C A / E

EQUIVALENT OR BETTER DISPERSION DEMONSTRATIONS: AN UPDATE NOVEMBER 12, 2013 PRESENTATION D E N N I S B E C K E R , M P C A / E A O D / R E A M EQUIVALENT OR BETTER DISPERSION What is is Equiv uivalen alent t or r Bett etter er Disp

329 views • 20 slides
EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT CE TEST REPORT Report Number : ETLE080619.495 Report issue date : July 21, 2008 Model / Serial No. : HWC-640 / NONE Multiple Model Name : HWC-630, HWC-650, HWC-660, HWC-680 Product Type : Hot & Cold Water Purifier

522 views • 35 slides
EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT CE TEST REPORT Report Number : ETLE070516.328 Report issue date : June 27, 2007 Model / Serial No. : ROMEO III / NONE Multiple Model Name : W2-360H, W2-340H, W2-300H, W2-310H Product Type : POU Water Cooler Applicant

612 views • 36 slides
Wednesday, July 2, 2014 4:15pm-5:15pm EDT Agenda Model Test Project Narrative Reminders:

Wednesday, July 2, 2014 4:15pm-5:15pm EDT Agenda Model Test Project Narrative Reminders:

State Innovation Models Initiative Round 2 Webinar: Model Test Proposal Format Requirements, the Population Health Plan Portion of the Model Test Proposal, and the Population Health Plan Deliverable of the Model Test Project Period

494 views • 20 slides
Water Hub @ NEST Bastian Etter, Anita Wittmer, Barbara J. Ward, Kai M. Udert, Linda Strande, Tove

Water Hub @ NEST Bastian Etter, Anita Wittmer, Barbara J. Ward, Kai M. Udert, Linda Strande, Tove

A living lab to test innovative wastewater treatment Water Hub @ NEST Bastian Etter, Anita Wittmer, Barbara J. Ward, Kai M. Udert, Linda Strande, Tove A. Larsen, Eberhard Morgenroth Image: Roman Keller Image: Gramazio Kohler Architects Image:

425 views • 15 slides
Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts

Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts

Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts Test Basis 4.1.2: Test Analysis 4.1.4: Test Implementation Test Selected Test Cases Test Conditions Conditions 4.1.3: Test Design 2 Test

1.18k views • 38 slides
TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of the

TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of the

TEST REPORT TEST REPORT Report Number : ETLE090324.03 Report issue date: May 26, 2009 Model / Serial No. : W2-360 / NONE Multiple Model Name : W2-340, W2-360H, W2-310H Product Type : Hot & Cold Water Purifier System Brand Name :

641 views • 37 slides
Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from SysML Models Jrg Brauer and Jan Peleska Verified Systems International GmbH support@verified.de Space Tech Expo Europe 2015-11-19 Motivation

499 views • 26 slides
THE HUMAN CAPITAL WILL WILL A ACC CCEL ELERA ERATE TE MO MORE AND RE AND BETT BETTER

THE HUMAN CAPITAL WILL WILL A ACC CCEL ELERA ERATE TE MO MORE AND RE AND BETT BETTER

THE HUMAN CAPITAL WILL WILL A ACC CCEL ELERA ERATE TE MO MORE AND RE AND BETT BETTER ER INVEST INVESTMENT MENTS S IN IN P PEOPL EOPLE E GL GLOB OBALL ALLY 1. Human 1. an Capital tal Index dex (HCI) I): Make the case

268 views • 16 slides
Bett Correa IT Manager at Verizon Twitter: @betterworkinc Podcast: Architecturecast.net

Bett Correa IT Manager at Verizon Twitter: @betterworkinc Podcast: Architecturecast.net

Software Architecture Decision Making Techniques Bett Correa IT Manager at Verizon Twitter: @betterworkinc Podcast: Architecturecast.net Overview Context Philosophies Actions Psychologies Summary Course Objectives

581 views • 33 slides
Engineering Best Practices Test, test, test, and test some more; test as you go Start from a

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a known working state, take small steps Make things visible (gdb, printf, logic analyzer) Methodical, systematic approach. Form hypotheses and perform

755 views • 38 slides
Code4Thought How F.A.T. (or F.Acc.T) is your ML Model? Quality in the era of Software 2.0 Test

Code4Thought How F.A.T. (or F.Acc.T) is your ML Model? Quality in the era of Software 2.0 Test

Code4Thought How F.A.T. (or F.Acc.T) is your ML Model? Quality in the era of Software 2.0 Test 18/06/2020 Yiannis Kanellopoulos Technology as part of history Test What keeps us at night Our team has spent the better part of two decades

676 views • 25 slides
Review:$$ Model$Selec5on$ Training$vs.$Test$errors$ Polynomial$regression$

Review:$$ Model$Selec5on$ Training$vs.$Test$errors$ Polynomial$regression$

Review:$$ Model$Selec5on$ Training$vs.$Test$errors$ Polynomial$regression$ Model$complexity:$Degree$of$polynomial$ Is$larger$always$be^er?$ Test$ Error$ Train$ Model$complexity$ Model$Selec5on$Criterion$

404 views • 14 slides
Researc arch h For or A Be Bett tter r Life fe NAFCs Approach to Urban Indigenous

Researc arch h For or A Be Bett tter r Life fe NAFCs Approach to Urban Indigenous

Researc arch h For or A Be Bett tter r Life fe NAFCs Approach to Urban Indigenous Research Prese senters: nters: Jennifer Rankin, UPIP Program Manager Shady Hafez, Research Advisor 1 According to the 2016 Census, more then

194 views • 16 slides
The profile or vapers and how e-cigarettes should be regulated Jean-Franois ETTER,

The profile or vapers and how e-cigarettes should be regulated Jean-Franois ETTER,

The profile or vapers and how e-cigarettes should be regulated Jean-Franois ETTER, PhD Associate Professor Faculty of Medicine University of Geneva Switzerland University of California Webcast October 3, 2013

507 views • 35 slides
Township of Upper Providence A R A ROAD OAD MAP AP T TO O BET ETTER ER COM COMMUNI NITY

Township of Upper Providence A R A ROAD OAD MAP AP T TO O BET ETTER ER COM COMMUNI NITY

Township of Upper Providence A R A ROAD OAD MAP AP T TO O BET ETTER ER COM COMMUNI NITY PROT OTECT ECTION ON Section 607. Duties of Supervisors. -The board of supervisors shall: (1) Be charged with the general governance of the

579 views • 18 slides
Use the present ntation on planni nning ng tem emplate e to make e bet etter er present

Use the present ntation on planni nning ng tem emplate e to make e bet etter er present

Use the present ntation on planni nning ng tem emplate e to make e bet etter er present ntations ons Quinten Edward Williams Five Ws and How: Questions to answer when designing a presentation Who is being presented to? What are

443 views • 9 slides
H OW C AN G OAL -B ASED A SSESSMENT L EAD TO B ETTER E DUCATIONAL P RACTICES ?: F OCUSING ON

H OW C AN G OAL -B ASED A SSESSMENT L EAD TO B ETTER E DUCATIONAL P RACTICES ?: F OCUSING ON

A SIA -P ACIFIC E DUCATION A SSESSMENT C ONFERENCE 2013 H OW C AN G OAL -B ASED A SSESSMENT L EAD TO B ETTER E DUCATIONAL P RACTICES ?: F OCUSING ON P ERFORMANCE A SSESSMENT IN J APAN 12-13 S EPTEMBER , 2013 K ANAE NISHIOKA, P H .D., A

855 views • 62 slides
Applied Statistics Lecturer: Serena Arima Introduction Binary model Example Fit Test

Applied Statistics Lecturer: Serena Arima Introduction Binary model Example Fit Test

Introduction Binary model Example Fit Test Applied Statistics Lecturer: Serena Arima Introduction Binary model Example Fit Test Introduction Until now: 1 Linear regression model; 2 Analysis of Variance model (ANOVA); 3 Analysis of

831 views • 55 slides
T7 5/16/2002 11:30:00 AM W RITING B ETTER D EFECT R EPORTS Kelly Whitmill IBM International

T7 5/16/2002 11:30:00 AM W RITING B ETTER D EFECT R EPORTS Kelly Whitmill IBM International

P R E S E N T A T I O N BIO PRESENTATION SUPPLEMENTAL MATERIALS T7 5/16/2002 11:30:00 AM W RITING B ETTER D EFECT R EPORTS Kelly Whitmill IBM International Conference On Software Testing Analysis & Review May 13- May 17, 2002 Orlando,

708 views • 40 slides

More recommend