DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!)

Agenda:
  Ways to make malware not work
  Security by obscurity (because sucker punches work, even though nobody wants to admit it)
  "Hack Back" tricks - *TRY AT YOUR OWN RISK*
  Why buy the cow when you can have the milk for free?
Ways to make malware not work

Usually the purpose of a 0day is to execute malware. If you stop that malware from executing, you essentially mitigate the 0day.

0day (and its often attached malware) tends to fail in the wild, like A LOT. When it does, it makes errors. If you can catch those errors in context, sometimes you get to keep / analyse the malware AND THE 0DAY!

tl;dr, make your environment unpredictable so that you spend less time threat hunting and more time seeing stuff actually being thrown at you! (aka: NOT GETTING PWNED)
Methods:

Reorder all the syscalls

"Remove" your shell
  Use unix noshell on every user and then point ssh to a binary that downloads a shell and runs it upon login
  Actually remove bash from the box
Backdoor your own utilities...

  SSH "dupe" setup... (SSH and HTTPS muxed on one port): https://github.com/stealth/sshttp
    Diagram: connections arrive on Port 22; sshttp splits SSH / HTTPS; the actual SSH server listens on Port 8443

  GCC shouldn't be on boxes in prod anyway...
    replace GCC with a binary that never actually outputs the file to disk but DOES run it through virus total and give you alerts

  Tripwire apps that modify the filesystem
    ln = cp
    If <arg1> == "core lib" { mv wtf_are_you_doing() }
  Make uname "lie"

  Modprobe
    Check that the module contains this supper sekret squirl token that is in all my modules
    "decrypt" binaries before loading
    Rename modprobe to something else and make modprobe send a security alert
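The "tripwire" utility wrapper and the "rename modprobe and make the old name alert" trick above share one mechanism: the original binary is renamed, and a wrapper that inspects its arguments takes its place. The script below is an added example (not from the deck): it assumes the real utility has been moved to `/bin/mv.real` (assumed name) and that legit admins alias the tool to that name in their own shell profiles; `TRIPWIRE_MODE=always` turns it into the always-alerting decoy for the modprobe case.

```shell
#!/bin/sh
# Added example: tripwire wrapper installed under the name of a renamed system utility.
#   TRIPWIRE_MODE=corelib (default): block + alert when an argument points into core lib paths
#   TRIPWIRE_MODE=always           : block + alert on every call (the renamed-modprobe decoy)
# Assumed install: mv /bin/mv /bin/mv.real; cp this script to /bin/mv (names are assumptions).
REAL_BIN="${REAL_BIN:-/bin/mv.real}"   # assumed name of the renamed original
PROTECTED_PREFIXES="/lib /lib64 /usr/lib /usr/lib64 /etc/ld.so.conf.d /lib/modules"

# Return 0 when any non-option argument points at a protected ("core lib") path.
touches_core_lib() {
    for arg in "$@"; do
        case "$arg" in -*) continue ;; esac          # skip option flags such as -f
        for p in $PROTECTED_PREFIXES; do
            case "$arg" in "$p"|"$p"/*) return 0 ;; esac
        done
    done
    return 1
}

# Decide what to do with an invocation: prints "block" or "pass".
decide() {
    case "${TRIPWIRE_MODE:-corelib}" in
        always) echo block ;;
        *) if touches_core_lib "$@"; then echo block; else echo pass; fi ;;
    esac
}

# Raise the alert: syslog at auth.alert so a collector picks it up;
# fall back to stderr when logger is unavailable (minimal containers).
alert() {
    msg="TRIPWIRE user=$(id -un) tty=$(tty 2>/dev/null) wrapper=$0 args=[$*]"
    logger -p auth.alert -t tripwire "$msg" 2>/dev/null || echo "$msg" >&2
}

main() {
    case "$(decide "$@")" in
        block) alert "$@"; exit 77 ;;        # the slide's wtf_are_you_doing()
        pass)  exec "$REAL_BIN" "$@" ;;      # hand off to the real utility
    esac
}

# A call with no arguments has nothing to inspect, so do nothing; this also
# lets the file be sourced for testing without exec'ing the real binary.
[ "$#" -eq 0 ] || main "$@"
```

The wrapper only sees arguments, so a move done via a relative path from inside /lib is not caught; pair it with the filesystem auditing the deck mentions rather than relying on it alone.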
  Break all the things!
    ... and then alias all the things in the user prefs of legit admins

  One app to rule them all! aka: "the initramfs trick"
Get full crash dumps
  https://support.microsoft.com/en-us/help/927069/how-to-generate-a-complete-crash-dump-file-or-a-kernel-crash-dump-file

Rename the Powershell exe (just like the bash trick but for windows)

Over-the-shoulder transcription
  https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/

Hook OpenProcess() to look for well targeted applications
  Notepad, Calc, Explorer

Backdoor reg edit
  Who's using it and why? What is being edited? (key on specific reg keys like appinitdll, etc)

Auto PE-sieve dll
  @hasherezade

Fake SMB

Little Snitch / Micro Snitch (or lulu if ya have to)
  https://github.com/kai5263499/osx-security-awesome#hardening

... misc