tm blue team defenses - netspi blog · 2020-04-10 · common red team detective and preventative...
TRANSCRIPT
Create Phishing Payloads & Sites
Maintain Remote Access Without a C2 using common interfaces
Prepare Phishing A�acks from public resources
Send Phishing Emails to employee addresses
Deliver the Payloads to employee systems
Run the Payload Commands on employee systems
Escalate Local Privileges on employee systems
Exfiltrate Sensi�ve Data using common channels
Perform Lateral Movement between systems/networks
Maintain Local Persistence on employee systems
Obtain Command & Control Channel from employee systems
Perform Local Recon / Discovery on employee systems
Escalate Domain Privileges via common vectors
Perform Network Recon / Discovery on internal networks
Find and Access Sensi�ve Data in common data stores
Files
Malicious Links
Find Emails & Users Verify Emails & Users
LinkedIn.comData.com
Google.comBing.com
SMTPServerCmds
Malicious Links
Mass Mailing
Targeted Mailing
Spoofed InternalDomain
HackedAccount
Common Variations
DomainSimilar toCompany
Common Payload Command Types
Common Protocols TCP/UDP, v4/6 Data Handling
StolenAuthen�ca�on Tokens
Common Local Persistence Methods
PW / Pvt KeyPW Hash
Kerb Ticket
WindowsService
ScheduledTask
WMI Event
Trigger
File, Registry,& Applica�on
Autoruns
Code / FileModifica�on
DriverBIOS
Common ProtocolsEgress Ports
Steal AdminAuthen�ca�on Tokens Escalate to Root Domain
Delegated Privs Nested Groups
Exploits Kerberoast
GPO
Ac�ve DiscoveryPassiveRecon
SniffingPing &
PortScanning
Common local Targets
Cache & Logs
Users & Groups
OS, Domain,& NetworkInforma�on
Files &Registry
Locate Domain, Ent. & Forest Admins
Common Internet Facing Interfaces
Common Data TargetsCommon Data Stores
TraceRoute
SharedPassword
Share &Logon
Scanning
PasswordHash(PTH)
DB, SP & Mail SvrScanning
TwoFactor
CompressionEncoding
Encryp�on
PhysicalMedia
LAN &Wireless
USB & SD
CDDVD
Common &Uncommon
Ports
Standard &Custom
Protocols
Standard Code
C, C++, C#
Installed Apps
Services &Processes
C2 and Alterna�veChannels
Staged& not
Staged
Large & Small
Files
Common Methods
DB, App & VM
Servers
MaliciousFiles &
Embedding
Spoofed ExternalDomain
Website Components
PretextScenario
NA
E ndpoint� Deny / log VRY requests� Deny / log EXPN requests� Log RCPT commands executed
sequen�ally� Large numbers of HTTP NTLM
requests
Network� User awareness training� Track company’s point of
presence and employee exposure.
� Monitor domain expira�ons
Process
NA
� Email filters, thresholds, and spam rules
� Email source verifica�on� Blacklist checks� SPF record checks� Logs / SEIM / Alerts
� User awareness training� Incident response procedures
� Asset / config / patch mgmt.� An�-virus / HIDs / HIPs� Secure group policy� Mail client configura�ons� MS Office Security Se�ngs� Web browser configura�ons� Logs / SEIM / Alerts
� Email filters, thresholds, and spam rules
� Deny / log relay requests� Secure caching provider� Web filtering / white lis�ng� Authen�cated HTTP proxies� Logs / SEIM / Alerts
� User awareness training� Incident response procedures
� Asset / config / patch mgmt.� An�-virus / HIDs / HIPs� Secure group policy se�ngs� Applica�on white lis�ng� Least privilege enforcement� Logs / SEIM / Alerts
NA � User awareness training� Incident response procedures
� An�-virus / HIDs / HIPs� Secure group policy se�ngs� Applica�on white lis�ng� Least privilege enforcement� Logs / SEIM / Alerts� DEP / ASLR / SEH� Micro virtualizing / sandboxes
� Logs / SEIM / Alerts � Admin awareness training� Incident response procedures
� HIDs / HIPs� Host DLP� Large file upload detec�on � Mail client/server se�ngs� Logs / SEIM / Alerts
� Firewall Rules / Segmenta�on� Email Server Configura�on� Network DLP� Fix Up Protocols� Web Filtering / Auth Proxy� Canary Data Samples� Logs / SEIM / Alerts
� User awareness training� Incident response procedures
� Asset / config / patch mgmt.� An�-virus / HIDs / HIPs� Secure group policy se�ngs� Applica�on white lis�ng� Least privilege enforcement� Logs / SEIM / Alerts� Host-based Firewall
� Firewall Rules / Segmenta�on� NIDs / NIPs� Honey Pots� Tarpits� Canary networks, systems, & accounts� Logs / SEIM / Alerts
� Don’t use shared local accounts� Use a separate domain user and
server admin accounts� Maintain secure configs� Incident response procedures
� Asset / config / patch mgmt.� An�-virus / HIDs / HIPs� Secure group policy se�ngs� Applica�on white lis�ng� Least privilege enforcement� Logs / SEIM / Alerts� FIM / WMI event triggers
NA � User awareness training� Incident response procedures
� Asset / config / patch mgmt.� An�-virus / HIDs / HIPs� Secure group policy se�ngs� Applica�on white lis�ng� Least privilege enforcement� Logs / SEIM / Alerts
� Firewall Rules / Segmenta�on� NIDs / NIPs� Fix Up Protocols� Web Filtering / White Lis�ng� Authen�cated HTTP Proxies� Logs / SEIM / Alerts
� User awareness training� Incident response procedures
� Asset / config / patch mgmt.� An�-virus / HIDs / HIPs� Secure group policy se�ngs� Applica�on white lis�ng� Least privilege enforcement� Logs / SEIM / Alerts
� Logs / SEIM / Alerts � Admin awareness training� Incident response procedures
� Asset / config / patch mgmt.� An�-virus / HIDs / HIPs� Secure group policy se�ngs� Applica�on white lis�ng� Least privilege enforcement� Logs / SEIM / Alerts� Host-based Firewall
� Firewall Rules / Segmenta�on� NIDs / NIPs� Honey Pots� Tarpits� Canary networks, systems, & accounts� Logs / SEIM / Alerts
� Don’t use shared local accounts� Use a separate domain user and
server admin accounts� Maintain secure configs� Incident response procedures
� HIDs / HIPs� Logs / SEIM / Alerts� Canaries - Local & Domain User Accounts - Domain Computer Accounts - Local and Network Files � File Audi�ng
� Firewall rules / segmenta�on� NIDs / NIPs� Honey pots� Tarpits� Canary networks, systems, & accounts� Logs / SEIM / Alerts
� Admin awareness training� Incident response procedures
� Enforce Two-factor authen�ca�on on all external interfaces
� Limit Terminal Service, Citrix, and VDE access to specific groups during specific hours
� Geo / IP limi�ng
� Firewall rules / segmenta�on� NIDs / NIPs� Canary networks, systems,
applica�ons, and accounts� Logged events / SEIM / alerts
� Admin awareness training� Incident response procedures� Enforce strong account policies
� Least Privilege Enforcement� Two-Factor Authen�ca�on� Data Encryp�on and Secure Key
Management� File, Applica�on, and Database
Audi�ng� Host DLP / Logs / SEIM / Alerts
� Firewall Rules / Segmenta�on� NIDs / NIPs� Honey Pots� Tarpits� Canary networks, systems, & accounts� Logs / SEIM / Alerts
� User awareness training� Incident response procedures� Manage keys securely� Consolidate and isolate sensi�ve
data stores
Attack Vectors and T echniquesCommon Red Team
Detective and P reventative C ontrolsCommon Blue Team
Brought to you by
R ed Team AttacksIntroduc�on to common
Email ContentEmail Sources Email Targets
CustomProviders
IPv4IPv6
TCP UDP
HTTPHTTPS
DNS ICMPNTP
FTPNFSSMB
SSHTelnetRlogin
TorrentIM
SMTP
Common Types
Bind ShellReverse Shell
Web ShellBeacon
BinariesExecutable,
Installer, Library
ScriptsPS, VB, VBS,
JS, Bat
Commandscmd, wmi, wrm, �p, net, etc
Weak Configura�ons
InsecureService
InsecureGPO
Weak Password or Password
Storage Method
ExcessivePrivilege
GeoLocate
PhishWebSite
PortScan
Creden�alCollec�on
Form
Java Applet ClickOnce
HTA
Brower Exploit
BrowserAdd-On Exploit
Commonexec file formats
OfficeDocs +Macros
DNS &ADS
Queries
Domain GPOs & SPN
Remote Sessions
& Processes
WindowsService
SchedTask
MGMTServices
FileShare
KerberosTicket(PTT)
Password /Private Key
GPO, SCCM
Financial Data
IP & Research
FileServers
DatabaseServers
MailServers
Code Repositories
InsiderTrading
Info
Web BasedCitrix & TS
RDPSSHVDE
Office365Azure AWS
VPNPrivate KeyToken SeedSkeleton Key
PIIPHICHD
SendTest
Emails
Office365OWA
MS APIs
InsecureSchtask
Local Exploits
InsecureProtocol
Attack K ill C hainCommon
PasswordHash(PTH)
KerberosTicket(PTT)
Password /Private Key
Domain Trusts &
SID History
StolenAuthen�ca�on Tokens
PasswordHash(PTH)
KerberosTicket(PTT)
Password /Private Key
StealAuthen�ca�on Tokens
PasswordHash(PTH)
KerberosTicket(PTT)
Password /Private Key
AssemblyCode
shellcode
Byte Code
Java, .Net
APPOS
RemoteExploit,Physical
@
A�ackDCs
Exploits, Kerberoast
& GPP
Author: Sco� Sutherland, NetSPI 2016 Version: 3.2
BLUE TEAM
RED TEAM
B lue T eam Defens es&
HTTP with
NTLM
Create Content-Filter
Excep�ons
Buy Expired
Domains
WebShells
TM