taking security a step further
play

Taking security a step further Red Team operations ME 2 Geek 20 - PowerPoint PPT Presentation

Nov 28, 2022 •218 likes •827 views

Taking security a step further Red Team operations ME 2 Geek 20 year of experience doing hacking Authored tools / articles / books / etc Speaker at conferences around the world Volunteer at OWASP Still getting the same thrill when

  1. Taking security a step further Red Team operations

  2. ME 2 Geek 20 year of experience doing hacking Authored tools / articles / books / etc Speaker at conferences around the world Volunteer at OWASP Still getting the same thrill when compromising a host CEO at SECFORCE

  3. SECFORCE 3 IT Security Consultancy – penetration testing Highly specialised in offensive security Teams located in London (UK) and Malta Penetration Testing Incident Response Red Team Testing Blockchain security

  4. 0 Agenda

  5. Agenda 5 1 Introduction 2 Why Red Teaming 3 How is a Red Team operation conducted 4 Questions and answers

  6. 1 Introduction

  7. 7

  8. Taking security a step further Red Team operations

  9. DEFENSIVE OFFENSIVE 9

  10. DEFENSIVE OFFENSIVE 10 AV and Firewall vendors Penetration Testing Blue Team, sysadmins, etc Red Team SIEM, IDS, IPS, etc. A lot more fun! :-)

  11. PENETRATION TESTING RED TEAM 11

  12. PENETRATION TESTING RED TEAM 12 Specific target – narrow scope Wider scope Aiming for full coverage of issues Stealth attack Stealth is not important Assess controls such as incident response, Assess the security controls such as patch monitoring, network sensors, user security management, password policies, access awareness, etc. control, etc Sophisticated attacks Longer engagements

  13. WHAT IS A RED TEAM OPERATION? 13 Assessment to identify the resilience of an organisation to highly sophisticated targeted attacks A team of attackers performs an attack to help the target organisation to identify weaknesses in their defensive mechanisms Some of these exercise may replicate attacks such as: Hacktivists Ransomware attacks State sponsored threat actors

  14. 2 Why Red Teaming?

  15. Why performing a Red Team assessment? 15

  16. Why performing a Red Team assessment? 16 How else would an organisation know their resilience? Regulatory compliance Assess security holistically, instead of in isolation Assess user security awareness Train a blue team

  17. 3 How is a Red Team conducted?

  18. 18

  19. 19

  20. INFRASTRUCTURE STAFF 20

  21. INFRASTRUCTURE STAFF 21 Identification of security holes Spear phishing attacks Critical issues affecting the perimeter Development systems? UAT? Etc. Misconfigurations, etc.

  22. OUTSIDE INSIDE 22

  23. OUTSIDE INSIDE 23 External reconnaissance Network awareness Assessment of the perimeter Persistence Identify target users for phishing Understanding the current security controls Identification of misconfigurations Goal: Network foothold Privilege escalation

  24. Tools 24 Cobalt Strike Empire Powershell (Microsoft’s Post -Exploitation Language ;-) ) PowerView, PowerUp, PowerSploit Custom scripts Living off the land WMI WinRM GPO Nmap and Nessus (only for external testing)

  25. Methodology 25 Detective work Design an attack Deliver the attack

  26. User Reconnaissance 26 Look for: emails, departments, files (metadata), user/domain names, password dumps, ex-employees.. Google-fu Social media The harvester Maltego FOCA Threat Intelligence

  27. Infrastructure Reconnaissance 27 Goal: Get a list of IP addresses / domain to target Google-fu Whois DNS bruteforce SSL certificates review Web crawling, etc.

  28. Infrastructure Assessment 28 Goal: Identification of RCE issues such as misconfigured Tomcat, SQLi, SMTP relays, shellshock, hearbleed, etc Nmap (common ports) Nessus Standard penetration testing tools Commonly conducted over VPN

  29. Phishing 29 Recon gave us emails, departments and ideas Profiling Prepare pretexts (domains, mail server, sites, etc) Delivery: Macros or Java usually but others exist (hta, js, sct files) Password protected zip files Payload: Cobalt Strike Beacon Spoofing? SPF + DKIM + mail relays Mail filters? MX records and NDR help!

  30. Phishing 30

  31. Phishing - profiling 31

  32. Phishing - profiling 32

  33. Phishing payload creation 33 We have a good understanding of the target Choose the angle of attack AV bypass Communication channels to C2 server

  34. AV evasion 34

  35. Delivery – office macro 35

  36. Delivery – Java Applet 36

  37. Command & Control 37 HTTP(S) Beacon is proxy aware but some proxies inflict pain :( DNS Beware of command output! Totally legit domains: static-jquery.com, msn-cdn.com, onedrive-live.co.uk Web filtering checks domain reputation based on age, etc Cobalt Strike Malleable C2

  38. Malleable C2 profile 38

  39. Gaining a network foothold! 39

  40. Gaining a network foothold! 40

  41. OUTSIDE INSIDE 41

  42. We are in! Now what? 42 Situational awareness whoami /groups process list + steal_token (explorer.exe) powershell $PSVersionTable.PSVersion net start | findstr -i "protect vir “ systeminfo | find "Boot Time“ echo %temp% & time /t Watch out for network monitoring Only be interactive when you need to sleep 10

  43. Wait! Let’s be safe! 43

  44. Persistence 44 We need to survive reboot Don’t want to phish again Persist on workstations, not servers Typical methods: Registry Scheduled tasks WMI (requires admin) VPN (requires creds)

  45. Persistence - Registry 45

  46. Persistence – Scheduled tasks 46

  47. Persistence – WMI 47

  48. Privilege escalation + lateral movement 48 They go hand in hand Priv esc goals Local Admin -> Domain Admin (of course) Domain User -> Domain User with access to target system Lateral movement goals Our box -> key workstation -> target system Our box -> box that leads to compromise of higher priv user Our box - > box that leads to box that leads to box… General goal: remain undetected

  49. Privilege escalation tactics 49 PowerUp GPP files Clear text passwords in files/scripts/shares Monitor users Inveigh / Responder General misconfigurations Abuse of common practices Users often have a low + high priv account

  50. Capturing password hashes 50

  51. Lateral movement tactics 51 User hunting Find more interesting users Find out where they are logged in Can we log in there? Steal their token/creds Repeat Tools for this include PowerView’s UserHunter Bloodhound

  52. Bloodhound 52

  53. Lateral movement tactics (continued) 53 SMB comms for pivoting Not psexec, use wmic/winrm dir c:\ is often enough to check privs runas /user:domain\user cmd Don’t portscan, query the domain - SPN scanning

  54. Lateral movement tactics (continued) 54 setspn -Q */* (query all SPNs) setspn -L <server/user> (query specific SPN) setspn – L MSSQLSvc

  55. Summary 55

  56. 56

  58. 4 Questions?

  59. Thank you! rodrigo.marcos@secforce.com

Recommend

WELCOME AND THANK YOU FOR TAKING THE FIRST STEP INTO THE WORLD OF SUPREMA COLOR BY FARMAVITA WE

WELCOME AND THANK YOU FOR TAKING THE FIRST STEP INTO THE WORLD OF SUPREMA COLOR BY FARMAVITA WE

WELCOME AND THANK YOU FOR TAKING THE FIRST STEP INTO THE WORLD OF SUPREMA COLOR BY FARMAVITA WE ARE REALLY EXCITED TO BRING TO YOU THIS PRODUCT WHICH IS ALREADY TAKING THE GLOBAL HAIR INDUSTRY BY STORM, TRENDING AS ONE OF THE MOST USED

256 views • 15 slides
0 Taking a macro-step r L T ( w t ) is the same as taking the N micro-steps N r

0 Taking a macro-step r L T ( w t ) is the same as taking the N micro-steps N r

Stochastic Gradient Descent Batch Gradient Descent Cook'T I encio P N r L T ( w ) = 1 n = 1 r ` n ( w ) . N 0 Taking a macro-step r L T ( w t ) is the same as taking the N micro-steps N r ` 1 ( w t ) , . . . , N r `

465 views • 12 slides
INTRODUCING THE NEXT STEP TO A BETTER QUALITY OF LIFE LIFEPHARM IS TAKING THE NEXT STEP

INTRODUCING THE NEXT STEP TO A BETTER QUALITY OF LIFE LIFEPHARM IS TAKING THE NEXT STEP

LAMININE OMEGA +++ DETAILS AND DYNAMICS ACCORDING TO THE CENTERS FOR DISEASE CONTROL AND PREVENTION (CDC ) About 21 million people in the 1 in 4 deaths in the About one-third of U.S. suffer from diabetes - U.S. are attributed to adults are

229 views • 20 slides
The acquisition of Grieg Newfoundland AS February 7, 2020 Grieg Seafood ASA Summary - taking the

The acquisition of Grieg Newfoundland AS February 7, 2020 Grieg Seafood ASA Summary - taking the

The acquisition of Grieg Newfoundland AS February 7, 2020 Grieg Seafood ASA Summary - taking the next step on our growth journey 1. In line with 2025 strategy: A significant step towards GSF stated ambitions of 150 000 tonnes of harvest and

407 views • 13 slides
Quick guide Step 1: Purchasing a RSFirewall! membership Step 2: Download RSFirewall! Step 3:

Quick guide Step 1: Purchasing a RSFirewall! membership Step 2: Download RSFirewall! Step 3:

Quick guide Step 1: Purchasing a RSFirewall! membership Step 2: Download RSFirewall! Step 3: Installing RSFirewall! Step 4: Scan the Joomla! installation 4.1 Run the System Check 4.2 Fix the security vulnerabilities 4.2.1 Joomla! And

279 views • 17 slides
Setting up an Security Operations Center (SOC) A step by step approach Abdul Rahman Mohamed

Setting up an Security Operations Center (SOC) A step by step approach Abdul Rahman Mohamed

Ministry of Science, People First, Performance Now Technology and Innovation Setting up an Security Operations Center (SOC) A step by step approach Abdul Rahman Mohamed Abdul Rahman Mohamed VP, IT Strategy, Risk &amp; Delivery Group IT,

906 views • 34 slides
Orchestrating Security Tooling With AWS Step Functions 1 Background Jules Denardou Justin

Orchestrating Security Tooling With AWS Step Functions 1 Background Jules Denardou Justin

Orchestrating Security Tooling With AWS Step Functions 1 Background Jules Denardou Justin Massey @Pod_Sec @jmassey09 @JulesDT @th3r3p0 Security Engineers at Datadog Product Security team Improve security of product without

1.2k views • 84 slides
min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A

min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A

a i a j a i , a j a j , a i min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A parallel compare-exchange operation. Processes P i and P j send their elements to each other. Process P i keeps min { a i ,

372 views • 22 slides
Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all

Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all

Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all customary information forms to Preparation and adoption of Convening and submission Submission of Application Ste land owned by ILG obtain

1.23k views • 4 slides
Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by

Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by

Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by step procedures Webster Groves School District 2009 Response to Intervention (RtI) is a comprehensive early detection and prevention strategy

688 views • 23 slides
Taking Taking Taking Taking Aspiration and Aspiration and Aspiration and Aspiration and

Taking Taking Taking Taking Aspiration and Aspiration and Aspiration and Aspiration and

Michael B Arthur Taking Taking Taking Taking Aspiration and Aspiration and Aspiration and Aspiration and Possibility into Possibility into Possibility into Possibility into Emeritus Professor, Suffolk University, Boston, USA Career

921 views • 30 slides
f able : Estimation of marginal effects with transformed covariates Taking Margins a step further

f able : Estimation of marginal effects with transformed covariates Taking Margins a step further

f able : Estimation of marginal effects with transformed covariates Taking Margins a step further Rios-Avila, Fernando 1 1 friosavi@levy.org Levy Economics Institute Stata Conference, July 2020 Rios-Avila (Levy) f able Stata 2020 1 / 24

264 views • 24 slides
f able : Estimation of marginal effects with transformed covariates Taking Margins a step further

f able : Estimation of marginal effects with transformed covariates Taking Margins a step further

f able : Estimation of marginal effects with transformed covariates Taking Margins a step further Rios-Avila, Fernando 1 1 friosavi@levy.org Levy Economics Institute UK Stata Conference, September 2020 Rios-Avila (Levy) f able Stata 2020 1 /

884 views • 23 slides
Taking Silhouettes one step further iPods+iTunes Here are just a few versions

Taking Silhouettes one step further iPods+iTunes Here are just a few versions

Taking Silhouettes one step further iPods+iTunes Here are just a few versions https://www.youtube.com/watch?v=NlHUz99l-eo https://www.youtube.com/watch?v=iNQ5pEK-P0w https://www.youtube.com/watch?v=B6fbrjCX_5k

635 views • 9 slides
o o o o Step 1:

o o o o Step 1:

o o o o Step 1: Bachelor of Laws (Western Sydney School of Law) Step 2: Professional Legal Training (College of Law et ors) Step 3: Admission to the Supreme

366 views • 14 slides
Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD., DTM&amp;H., MCTM. Surveillance and Investigation Section Bureau of Epidemiology, Department of Disease Control Ministry of Public Health, Thailand

1.27k views • 83 slides
Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3: Installing RSBlog! 3.1 Installing the component 3.2 Installing a new language file Step 4: Import plugins (optional) 4.1 Import Joomla! articles

889 views • 67 slides
Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3:

Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3:

Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3: Installing RSEvents! Step 4: Configure RSEvents! Step 5: Add user permissions Step 6: Create event categories Step 7: Create event locations Step 8:

627 views • 35 slides
Social Security Retirement Planning 2019 Presented by: Charo Boyd Public Affairs Specialist

Social Security Retirement Planning 2019 Presented by: Charo Boyd Public Affairs Specialist

Social Security Retirement Planning 2019 Presented by: Charo Boyd Public Affairs Specialist Social Security my Social Security Registration Step 1: Visit socialsecurity.gov and select my Social Security Step 2: Select Create An

524 views • 13 slides
FROM XML TO RDF STEP BY STEP: APPROACHES FOR LEVERAGING

FROM XML TO RDF STEP BY STEP: APPROACHES FOR LEVERAGING

Co-funded by the Horizon 2020 Framework Programme of the European Union Grant Agreement Number 644771 FROM XML TO RDF STEP BY STEP: APPROACHES

613 views • 26 slides
FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH

FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH

FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH GRADE AUGUST 10,2020 IS A MINIMUM DAY STUDENTS WILL LOG 7:45AM - ONTO THEIR 12:27PM CLASSES AND ENGAGE WITH THEIR TEACHERS AND PEERS STEP 1:

276 views • 6 slides
Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big

Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big

Type Theory and Coq Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big step specify how a given expression can be evaluated to its final value. The style is simple and natural for many purposes and is

196 views • 19 slides
THE SOCIAL SECURITY (SCOTLAND ) BILL 2017 The Bill represents the next step in building a new

THE SOCIAL SECURITY (SCOTLAND ) BILL 2017 The Bill represents the next step in building a new

THE SOCIAL SECURITY (SCOTLAND ) BILL 2017 The Bill represents the next step in building a new Scottish social security system. It will be delivered alongside work to set up a new Scottish social security agency. THE BILL The Bill will

327 views • 21 slides
Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading

Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading

Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading RSTickets!Pro 2.1 Downloading the component 2.2 Downloading the plugins/modules 2.3 Downloading additional language packs Step 3: Installing RSTickets!Pro

548 views • 44 slides

More recommend