This training class has been designed to present students with modern and emerging tools and techniques for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. The highly technical content, combined with an exclusively hands-on, practical approach, guarantees that applying the transferred knowledge and technologies in real production environments will be easy, smooth and repeatable.
Using the available set of tools, the student will work one by one through well-prepared exfiltration, pivoting and tunneling use-cases to generate the true network symptoms of a modern attacker’s behavior. Great content for SIEM / SOC team validation.
Hack In The Box 2018 - Dubai - Training Intro - Defensive Security / Leszek Mis
1. In & Out - Network Data Exfiltration Techniques
2. About me
● Principal Cyber Security Architect / Founder @ Defensive Security
● Offensive Security Certified Professional (OSCP)
● Red Hat Certified Architect/RHCSS/RHCX/Sec+
● Trainer / Speaker at BruCON, OWASP Appsec US, Flocon US, Confidence PL
● Area of interest:
○ Adversary Simulations and Post-Exploitation Red/Blue Actions
○ Threat Hunting and Incident Response
○ Behavioral / statistical / ML network analysis → feature extraction
○ Hardening of Linux / Web Application / Infrastructure
○ Penetration testing / OSINT / Security audits
○ Open Source Security Software
3. Training intro
● Purpose of the training:
○ Focus on specific adversary’s behaviors and artifacts instead of simple IOCs
○ Verification that security products and service providers are able to detect what they claim to detect and what they write in the "Security Feature List"
○ Network security validation *in your environment* for:
■ Data Leakage Protection (DLP)
■ IDS/IPS
■ (Web) Firewall(-NG)
■ ML/DL/AI Sensors
■ Whitelist / blacklist rules
■ Forward Security Proxies
■ Log and netflow visibility
● General assumption of compromise → Adversary is already inside your network:
○ We (almost) don’t care about the exploitation or recon process during the course
4. Training intro
● The training path is easy:
○ Run as many exfiltration and post-exploitation scenarios as possible
○ Learn, understand and map TTPs to your network collectors
○ Chain adversary actions and combine offensive tools together
○ While running an arsenal of offensive tactics and tools, we keep thinking in blue!
5. Training intro
● ~340 slides
● ~50 dedicated hands-on lab exercises
● Random lab examples:
○ Bypassing whitelists and obfuscation tricks for Linux, cmd.exe and PowerShell
○ Port forwarding over DNS tunnelling and transport layer customization
○ Generating custom staged and stageless payloads in different formats
○ LDAP attribute exfiltration and an unreleased remote DoS for FreeIPA
○ Generating HTTP traffic anomalies
○ SMB/WMI/*exec through popular cloud services
○ Punching holes in your NAT
○ Domain fronting and categorization bypassing
○ Browser pivoting and network scanning through client-side attacks
○ ATT&CK Framework mapping and simulation automation
○ Generating custom network traffic directly from Python