Adventures in Adversarial Emulation
Common Approaches and Trends
Q1 Meet Up
The Speaker Overview
Name: Scott Sutherland
Job: Network & Application Pentester @ NetSPI
Twitter: @_nullbind
Slides: http://slideshare.net/nullbind
        http://slideshare.net/netspi
Blogs: https://blog.netspi.com/author/scott-sutherland/
Code: https://github.com/netspi/PowerUpSQL
      https://github.com/nullbind
The Presentation Overview
• The Problem
• The Goal
• The Approach
• The Difference
• The Hunt
• The Trends
The Problem
Companies spend millions on detective controls, but don't know if they can detect common:
• Indicators of active attack
• Indicators of compromise
• Indicators of data exfiltration
The Goal
• Understand the company's ability to identify and respond to common real-world threats
• Understand how to improve detective and preventative control capabilities
• Verify that third party service providers and products are detecting what they say they can
The Approach: Summary
1. Inventory known controls
2. Emulate attacks
3. Monitor security events and alerts
4. Identify gaps in controls
5. Provide actionable feedback and recommendations
6. Provide Mitre style heat map
The Approach: Inventory Known Controls
Interview key members of the security and incident response teams to inventory existing preventative controls, detective controls and detective control boundaries. Common control placement and boundaries include:
• External network zones
• Internal network zones
• Wireless network zones
• Email gateways, servers, and clients
• Workstations and servers
• Network devices
• Applications
• Databases
The Approach: Emulate Attacks
Emulate attacks using common tools, techniques, and tactics used by real-world attackers, in multiple variations of common attack kill chains, across the identified detective control boundaries.
• Threat agnostic
• Many kill chain variations
• Common tools
• Common techniques
• Common procedures
• Mitre ATT&CK covers post exploitation pretty well
The Approach: Monitor Security Events
Monitor security events and alerts in real-time with security teams across:
• External network zones
• Internal network zones
• Wireless network zones
• Email gateways, servers, and clients
• Workstations and servers
• Network devices
• Applications
• Databases
The Approach: Identify Gaps
Identify major gaps in detective and preventative controls by working with security teams in real-time during the test to determine which security events:
• Go completely undetected
• Are logged
• Trigger correlation rules
• Trigger alerts
• Trigger incident response
The Approach: Actionable Feedback
Provide actionable feedback that includes the information below so internal security teams can build better defensive capabilities:
• Log sources
• Generic indicators of attack and compromise
• Generic SIEM correlation rules
• Preventative control options
• Mitigation options
• Existing controls
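As an added example (not from the deck or from NetSPI), here is one way to turn the outcomes from the "Identify Gaps" step into the Mitre style heat map the approach summary promises. Each emulated technique is recorded with the control boundary it was run across and the deepest stage of the detection pipeline it reached (undetected, logged, correlated, alerted, incident response), and the script rolls that up into a per-technique gap list and an ATT&CK Navigator-style layer file. The ATT&CK technique IDs are real, but their mapping to the deck's attacks, the sample results, the scoring thresholds and the output file name are constructed for this example; check the layer fields against the Navigator version you use.

```powershell
# Added example: roll emulation results up into a gap list and a heat map layer.
# Not from the original deck; the sample results below are constructed.

# Stage of the detection pipeline each event reached, in the deck's order.
$Stages = @('Undetected', 'Logged', 'Correlated', 'Alerted', 'Responded')

# One row per emulated technique per control boundary (constructed sample data).
$Results = @(
    [pscustomobject]@{ Technique='T1046';     Name='Port scan (nmap -T2)';         Boundary='Internal network'; Outcome='Undetected' }
    [pscustomobject]@{ Technique='T1557.001'; Name='LLMNR/NBNS poisoning';         Boundary='Internal network'; Outcome='Undetected' }
    [pscustomobject]@{ Technique='T1558.003'; Name='Kerberoasting';                Boundary='Windows domain';   Outcome='Logged' }
    [pscustomobject]@{ Technique='T1003.006'; Name='DCSync';                       Boundary='Windows domain';   Outcome='Logged' }
    [pscustomobject]@{ Technique='T1098';     Name='Domain Admin added';           Boundary='Windows domain';   Outcome='Responded' }
    [pscustomobject]@{ Technique='T1053.005'; Name='Scheduled task persistence';   Boundary='Windows endpoint'; Outcome='Correlated' }
    [pscustomobject]@{ Technique='T1543.003'; Name='Service with unsigned binary'; Boundary='Windows endpoint'; Outcome='Alerted' }
    [pscustomobject]@{ Technique='T1071.004'; Name='DNS tunnel (C2)';              Boundary='External network'; Outcome='Undetected' }
)

function Get-StageScore([string]$Outcome) {
    # 0 = undetected ... 4 = incident response triggered (-1 if the outcome is unknown)
    return [array]::IndexOf($Stages, $Outcome)
}

function Get-CoverageSummary($Rows) {
    # For each technique keep the weakest result across boundaries: a technique is
    # only as covered as the boundary where nobody saw it.
    $Rows | Group-Object Technique | ForEach-Object {
        $worst = $_.Group | Sort-Object { Get-StageScore $_.Outcome } | Select-Object -First 1
        [pscustomobject]@{
            Technique = $_.Name
            Name      = $worst.Name
            Boundary  = $worst.Boundary
            Outcome   = $worst.Outcome
            Score     = Get-StageScore $worst.Outcome
            Gap       = (Get-StageScore $worst.Outcome) -lt 3   # anything short of an alert is a gap (assumed threshold)
        }
    }
}

function New-NavigatorLayer($Summary, [string]$Name = 'Defense assessment coverage') {
    # Minimal Navigator-style layer: score 0-4 drives the red-to-green gradient.
    [ordered]@{
        name       = $Name
        domain     = 'enterprise-attack'
        gradient   = [ordered]@{ colors = @('#ff6666', '#ffe766', '#8ec843'); minValue = 0; maxValue = 4 }
        techniques = @($Summary | ForEach-Object {
            [ordered]@{ techniqueID = $_.Technique; score = $_.Score; comment = "$($_.Outcome) at $($_.Boundary)" }
        })
    } | ConvertTo-Json -Depth 5
}

$summary = Get-CoverageSummary $Results
$summary | Sort-Object Score | Format-Table Technique, Name, Boundary, Outcome, Score, Gap -AutoSize
"{0} of {1} techniques never reached an alert" -f ($summary | Where-Object Gap).Count, $summary.Count
New-NavigatorLayer $summary | Set-Content -Path '.\coverage-layer.json'
```

Scoring the weakest boundary rather than the average is deliberate: a technique that alerts in the user VLAN but goes unseen in the server zone still represents an open path, and the heat map should show it as one.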
The Approach: Notes from BruCON
Below are some notes from the Chris Gates + Chris Nickerson presentation at BruCON. Great notes for internal teams!
Source: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
• Create a charter
• Provide metrics - readiness/resistance to TTPs + pretty charts
• Build an attack simulation lab with all preventative and detective controls
• Work through the Mitre ATT&CK techniques in the lab
• Continuously validate prod controls
• Work closely with the internal team
• Establish rules of engagement, procedures, workflows with internal team
• Estimate resources: people, servers, crack box, VMs, access to defensive tools
• Document sharing to store and share info
From the same deck:
1. Gather threat intelligence and threat attributes
2. Compare to capabilities map (preventative and detective)
3. Predict likelihood of successful attacks before they happen
The Differences

The Differences: Service Goals

Network Vulnerability Assessment
• Identify known and common configuration, patch, and code related vulnerabilities at the server and web application layers.
• Meet compliance requirements.

Network Penetration Test
• Help companies determine if identified vulnerabilities can be used to gain unauthorized access to protected networks, systems, application functionality, and sensitive data.
• Identify known and common configuration, patch, and code related vulnerabilities at the network, server, and web application layers.
• Meet compliance requirements.

Network Red Team Testing
• Attempt to gain unauthorized access to an environment using paths of least resistance without detection and maintain that access for a pre-determined period of time in order to test the Incident Response Team's ability to identify and respond to threats. This often includes non-standard scoping with very specific system, application, and data targets.

Threat Emulation
• Emulate a specific threat and determine the ability to prevent, detect, and respond to it within a specific environment.

Defense Assessment
• Help companies obtain a more comprehensive understanding of their ability to identify and respond to real world threats and potential breach scenarios by executing multiple variations of common attack workflows across detective control boundaries while working with internal security teams to identify detective control gaps and misconfigurations.
• Blue team and red team members test a company's environment together to build an understanding of the company's ability to prevent, detect, and respond to real world threats at all layers of the organization. This requires much more collaboration and is broader in scope than a red team engagement. It is intended to test for the most common tools, techniques, and procedures used by attackers and malware.
• Test capabilities of 3rd party service providers.
The Differences: Service Objectives

| Service Type | Identify Server Issues | Identify Network Issues | Identify Application Issues | Determine Impact of Vulnerabilities | Determine Ability to Detect Attacks | Identify Missing Detective Controls | Determine Incident Response Ability |
|---|---|---|---|---|---|---|---|
| Vulnerability Assessment | Yes | No | Partially | No | Partially | No | No |
| Penetration Test | Yes | Yes | Yes | Yes | Partially | No | No |
| Red Team Test (Limited to Specific Scenarios) | Partially | Partially | Partially | Partially | Partially | Partially | Partially |
| Threat Emulation (Limited to Specific Threat) | Partially | Partially | Partially | Partially | Partially | Partially | Partially |
| Defense Assessments | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
The Hunt

The Hunt: Threat Hunting Overview
• Search for known common indicators of compromise at scale
• Typically does not include EPP, HIDS, NIDS
• PowerShell comes in handy for automation
• Identify sample systems based on information stored in DNS and Active Directory
• Gather information via WMI, PS Remoting, scheduled tasks, and psexec (no agent)

The Hunt: Don't forget…
• Get approval
• Some tasks require local and domain administrator privileges
• Just like scanning, be aware of network boundaries and controls that may block access to the sample of systems

The Hunt: Common Targets
• Common hunting activities include targeting:
- Files with known malware signatures
- Windows services running unsigned binaries
- Potentially malicious scheduled tasks
- Potentially malicious file and folder autoruns
- Potentially malicious registry autoruns
- Potentially malicious SQL Server autoruns
- Potentially malicious WMI providers and triggers
- Web shells in internet facing web root folders
- VPN or internet logins from strange geographic locations or during off hours
- Suspicious domain level events
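An added example (not from the deck or NetSPI) of the agentless, PowerShell-driven hunt described above, covering three of the common targets: Windows services running unsigned binaries, non-Microsoft scheduled tasks, and Run/RunOnce registry autoruns. It fans out over PS Remoting to the sample of hosts and writes one CSV. It assumes WinRM is reachable and that the caller holds local administrator rights on the targets (the deck's "get approval" and "some tasks require admin" notes apply); the argument heuristics and the output file name are my choices, not anything from the deck.

```powershell
# Added example (not from the original deck): hunt a sample of hosts for
# unsigned service binaries, suspicious scheduled tasks and registry autoruns
# over PowerShell Remoting. Assumes WinRM is enabled and local admin rights.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),            # sample of hosts, e.g. pulled from AD
    [string]$OutFile = ".\hunt-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
)

$HuntBlock = {
    # Resolve the executable out of a command line such as
    #   "C:\Program Files\App\svc.exe" -run   or   %SystemRoot%\system32\svchost.exe -k netsvcs
    function Resolve-ExePath([string]$CommandLine) {
        if (-not $CommandLine) { return $null }
        $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim()) -replace '^\\\?\?\\', ''
        if ($cmd -match '^"?([^"]+?\.(exe|dll|sys|cmd|bat|ps1|vbs|js))"?(\s|$)') { return $Matches[1] }
        return ($cmd -split '\s+')[0]
    }

    function Get-SignatureStatus([string]$Path) {
        if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FileNotFound' }
        return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()   # Valid, NotSigned, HashMismatch, ...
    }

    function New-Finding($Category, $Name, $Path, $Detail) {
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Category = $Category; Name = $Name; Path = $Path; Detail = $Detail }
    }

    # 1. Windows services whose binary is not validly signed
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path   = Resolve-ExePath $svc.PathName
        $status = Get-SignatureStatus $path
        if ($status -ne 'Valid') {
            New-Finding 'Service' $svc.Name $path "Signature=$status StartMode=$($svc.StartMode) State=$($svc.State)"
        }
    }

    # 2. Enabled scheduled tasks outside \Microsoft\ that run an unsigned binary or carry
    #    arguments that look like an encoded command or a download stager (heuristic)
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' }) {
        foreach ($action in $task.Actions | Where-Object Execute) {
            $path   = Resolve-ExePath $action.Execute
            $status = Get-SignatureStatus $path
            $suspiciousArgs = $action.Arguments -match '-enc|http|frombase64|downloadstring'
            if ($status -ne 'Valid' -or $suspiciousArgs) {
                New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $path "Signature=$status Author=$($task.Author) Args=$($action.Arguments)"
            }
        }
    }

    # 3. Run / RunOnce autoruns (HKCU here is the remoting user's hive)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
            $path   = Resolve-ExePath ([string]$p.Value)
            $status = Get-SignatureStatus $path
            if ($status -ne 'Valid') {
                New-Finding 'RegistryAutorun' "$key\$($p.Name)" $path "Signature=$status Command=$($p.Value)"
            }
        }
    }
}

# Fan out to the sample of systems and collect everything into one CSV.
$findings = Invoke-Command -ComputerName $ComputerName -ScriptBlock $HuntBlock -ErrorAction Continue
$findings | Select-Object Host, Category, Name, Path, Detail | Export-Csv -Path $OutFile -NoTypeInformation
$findings | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
"Findings written to $OutFile"
```

Expect noise on the first run: plenty of legitimate third-party software ships unsigned service binaries. The useful workflow is to run the same block against the gold build first, diff the result against each sampled host, and investigate only what the gold build does not explain.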
The Trends

The Trends: General Trends
• Companies don't know what controls they have and don't have
• Companies are missing major controls in critical network zones
• Companies don't configure controls correctly
o No internal resources capable of configuring the control
o No vendor was paid to configure the control
• Managed service providers are not catching real attack TTPs
• Controls implemented with vendor defaults that don't detect most real attacks
• No internal network logging
• Logging, but no correlation
• Alerting, but no response
• No tracking of metrics over time
• Disconnects between systems, like AV agents and their controllers
o Completely unmanaged or don't sync fast enough
The Trends: Control Boundaries
• Wireless network zones
• External network zones
• Internal network zones
• Email gateways, servers, and clients
• Windows endpoints
• Linux endpoints
• Web applications
• Databases
The Trends: Wireless Networks
• No wireless attack detection (wireless or LAN)
o Detection features not enabled
o Detection features not available
• WEP still used in manufacturing in warehouses and assembly lines
• WPA2 PSK still used about 25% of the time
• WEP and WPA2 PSK cracking
o No detection
• Evil twin attacks (attacking wireless endpoints)
o No detection
The Trends: External Networks
• Minimal ability to detect scanning and attacks
• WAFs are missing or misconfigured
• OWASP top 10 vulnerabilities allow remote access
• User and email enumeration via public resources
• Lots of internet facing interfaces that support single factor authentication that can be used for pivoting and dictionary attacks
o VPN, Citrix, Terminal Services, VDI, web applications
The Trends: Internal Networks
• Port scan detection can be avoided in almost all networks using Nmap -T2 or below
• Port / vulnerability scan detection occurs more via endpoint protection than via network IDS/IPS controls
• Null sessions still yield user and computer lists
The Trends: Internal Networks
• Almost no one detects network attacks:
o NBNS MITM, LLMNR MITM, ARP MITM, VLAN tag spoofing, switch trunking, rogue DHCP, rogue PXE servers, unauthorized PXE downloads, etc.
• ARP spoofing is never going to die
o Vendors are still creating devices that don't support ARP spoof detection
o Most companies don't enable the detection or prevention features when they do exist
• PXE downloads have become more common
o Download to VM + mount HD + backdoor for access
o Domain deployment account password in sysprep files
o Domain deployment account password parsed from VM memory file
o Domain credentials can then be used to start domain escalation
The Trends: Internal Networks
Network Isolation Bypasses
• Direct access to services in the isolated environment, directly or through trusted hosts
o Identify trusted hosts via logon events
• Use management systems to execute commands
o Group Policy, patch, and configuration management systems
• Jump hosts are on the user domain and have accessible non-two-factor management ports open
• VLAN hopping
• Switch trunking
The Trends: Email Attacks – General
• Companies seem to have three goals
- Test click rates / user awareness over time
- Test technical controls
- Inject FUD for budget procurement
The Trends: Email Attacks – General
• Service providers – missing some known evil attachments, doing some test execution of links and HTML
• Servers – not blocking evil attachments
• Clients – allowing execution of untrusted ClickOnce and Java apps
• Office – people like to allow macros, and those who don't often let users change the setting in the security center
The Trends: Email Attacks – Payloads
Payloads – Links
• Direct links to executable files
• Links to uncategorized and untrusted sites/IPs
Payloads – Phishing Sites
• Untrusted ClickOnce allowed
• Untrusted Java applets allowed
• Capturing passwords is handy when there are so many single factor interfaces exposed to the internet
• Considering looking into XSRF to execute commands on web apps already open in insecure browsers - anyone done that?
The Trends: Email Attacks – Payloads
Payloads – Images in HTML emails
• Determine physical location of individuals
• Determine firewall egress rules
• Determine allowed file attachments – works about 60% of the time
Payloads – Executable File Attachments
• Only a handful typically get through, but Office macros still work a lot
• Users often have rights to disable Office security features
• Interesting that .application ClickOnce apps seem to make it through
• Shortcut files + UNC path injection – not tested yet
• Working on a basic toolkit for testing links and executable file types…
The Trends: Email Attacks – Payloads
Payloads – Executable Files
Note: This is purple teamy…
1. Send hundreds of executable file types as attachments
2. Parse the inbox on the client to determine which ones make it through the service provider, server, and client
3. Cross reference extensions with application file extension associations on their gold build
4. Create proof of concept payloads to illustrate risk
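Steps 2 and 3 of that procedure, as an added example that is not from the deck or NetSPI: given a folder holding whatever attachments survived the service provider, server and client (here a constructed export of the test mailbox), the script records which of the sent extensions were delivered, looks each one up in HKCR to see what the gold build would open it with, and marks the intersection as the gap list for the findings. The folder path, the extension list and the report shape are my assumptions; run it on the gold build itself so the associations are the ones users actually have.

```powershell
# Added example (not from the original deck): cross-reference delivered attachment
# extensions against the gold build's file associations. Paths are assumptions.
param(
    [string]$InboxDump = '.\attachments-received',   # export of the test mailbox (assumed location)
    [string[]]$SentExtensions = @('.exe', '.js', '.vbs', '.hta', '.application', '.lnk', '.docm', '.xlsm', '.ps1', '.scr')
)

# Resolve an extension to the command the shell would run: HKCR\.ext -> ProgID -> shell\open\command
function Get-ShellHandler([string]$Extension) {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $cmd }
}

function Get-AttachmentGapReport([string]$Folder, [string[]]$Sent) {
    # Which extensions actually arrived in the mailbox export
    $received = @{}
    if (Test-Path $Folder) {
        Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object { $received[$_.Extension.ToLower()] = $true }
    }
    foreach ($ext in $Sent) {
        $handler   = Get-ShellHandler $ext
        $delivered = $received.ContainsKey($ext.ToLower())
        $opens     = [bool]$handler.Command
        [pscustomobject]@{
            Extension  = $ext
            Delivered  = $delivered
            HasHandler = $opens
            Handler    = $handler.Command
            Gap        = $delivered -and $opens    # made it through AND the build will execute it
        }
    }
}

Get-AttachmentGapReport -Folder $InboxDump -Sent $SentExtensions |
    Sort-Object -Property Gap -Descending |
    Format-Table Extension, Delivered, HasHandler, Handler -AutoSize
```

The Gap column is the part that goes into the report: an extension that was delivered but has no handler on the gold build is a gateway finding with low immediate risk, while a delivered extension with a handler (the deck's .application example) needs both a mail-filter rule and an association or policy change on the endpoint.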
The Trends: Windows Endpoints
- Missing and broken two-factor
- Missing hard drive encryption
- Missing and disabled endpoint protection on servers
- Missing ability to detect common persistence methods
o File, Registry, Application, and Database autoruns
o Windows Services
o Windows Tasks
o WMI triggers and providers
o Logins from unexpected countries
o Logins during unexpected times
The Trends: Windows Domains
• 80% of companies can detect a Domain Admin being added
• Most companies are blind to almost everything else
• SPNs are very useful for server and user targeting
• Active session scanning can be useful for user targeting (DC, file, Citrix, and Exchange servers yield the best immediate results)
• Bloodhound can be very useful if you have enough time to map escalation paths
• Kerberoasting and ASREPRoast are very useful for domain escalation
• Password dumping, DCSync, ntds.dit via Invoke-NinjaCopy.ps1, NTDSUTIL, VSSADMIN
• Group Policy modifications
• Net logon script modifications
• Sysvol DACL modifications
• User and computer object DACL modifications
• Delegation of privileges – password reset, replication, etc.
• Group policy passwords are disabled in most environments, but some companies forget to clean up the XML files and the passwords are still valid
• SID history works in most environments to escalate from child to parent domain
• Lots of user and domain admin password sharing
• Lots of domain admins sharing passwords between domains
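The deck's point is that the one thing most teams do catch is the Domain Admin add, while Kerberoasting and DCSync go unnoticed even though the domain controller already logs them. As an added example (not from the deck or NetSPI), this script pulls the relevant Security events from a DC and applies the standard correlation for each: a member added to a privileged group (4728/4756), a directory access that requests the replication extended rights used by DCSync (4662 with the DS-Replication-Get-Changes GUIDs), and RC4 service tickets for non-computer accounts (4769), which is the classic Kerberoasting signal. It assumes Get-WinEvent access to the DC, that audit policy is producing these event IDs (4662 needs Directory Service Access auditing with a SACL on the domain root), and the privileged group list and lookback window are my choices; the GUIDs are the well-known replication extended-rights GUIDs.

```powershell
# Added example (not from the original deck): three correlations over a DC's
# Security log. Assumes Get-WinEvent access to the DC and that the audit policy
# emits 4728/4756, 4662 and 4769.
param(
    [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', ''),   # defaults to the logon DC
    [int]$Hours = 24
)

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
# Extended rights a DCSync needs: DS-Replication-Get-Changes and -Get-Changes-All
$ReplicationGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

# Flatten the EventData section of an event into a hashtable keyed by field name.
function ConvertTo-EventData($Event) {
    $x = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-DomainFindings([string]$Server, [int]$LookbackHours) {
    $filter = @{ LogName = 'Security'; Id = 4728, 4756, 4662, 4769; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertTo-EventData $e
        switch ($e.Id) {
            # Member added to a security-enabled global (4728) or universal (4756) group
            { $_ -in 4728, 4756 } {
                if ($d.TargetUserName -in $PrivilegedGroups) {
                    [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'PrivilegedGroupAdd'; Subject = $d.SubjectUserName
                                       Detail = "$($d.MemberName) added to $($d.TargetUserName)" }
                }
            }
            # Directory access requesting replication rights from something that is not a computer account
            4662 {
                $hasReplRight = $ReplicationGuids | Where-Object { $d.Properties -like "*$_*" }
                if ($hasReplRight -and $d.SubjectUserName -notlike '*$') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'DCSyncCandidate'; Subject = $d.SubjectUserName
                                       Detail = "Replication right requested on $($d.ObjectName)" }
                }
            }
            # Successful RC4 (0x17) service ticket for a non-computer, non-krbtgt service account
            4769 {
                $svc = ($d.ServiceName -split '/')[0]
                if ($d.TicketEncryptionType -eq '0x17' -and $d.Status -eq '0x0' -and
                    $svc -notlike '*$' -and $svc -ne 'krbtgt') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'KerberoastCandidate'; Subject = $d.TargetUserName
                                       Detail = "RC4 TGS for $svc from $($d.IpAddress)" }
                }
            }
        }
    }
}

$findings = Get-DomainFindings -Server $DomainController -LookbackHours $Hours
$findings | Sort-Object Time | Format-Table Time, Rule, Subject, Detail -AutoSize
$findings | Group-Object Rule | Select-Object Name, Count | Format-Table -AutoSize
```

Two tuning notes before this goes into a SIEM rule: the DCSync rule needs an allow list for legitimate replication accounts (directory sync services such as Azure AD Connect request the same rights), and the RC4 filter only catches roasting of accounts that still allow RC4; for accounts restricted to AES the better signal is a single client requesting tickets for many distinct service accounts in a short window.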
The Trends: Linux Endpoints
- No centralized detection capabilities
- Sudo configuration issues
- World readable/writable daemons and cron scripts
- Common issues like Heartbleed and Shellshock
- Excessive share privileges
- NFS mountable as root: grab keys and authenticate
- SMB writable to everyone
- FTP writable by anonymous (web roots are the best)
- Shared NAS between servers for lateral movement via home directories
The Trends: Web Applications
• SQL injection
• XML entity injection
• Upload functionality
• Application publishing platforms like Tomcat, JBoss, etc.
• Database and domain credentials are stored everywhere
o In code
o In web.config
o In application.config
o Connection string cheat sheet: https://gist.github.com/nullbind/91c573b0e27682733f97d4e6eebe36f8
• Code repository auditing can usually be bypassed once you have SYSTEM on the box and can run as the service account
The Trends: Databases
• Common platforms include SQL Server, Oracle, MySQL and Db2
• Almost no companies audit beyond failed login attempts
• Database teams seem to identify failed login attempts more than AD or response teams on average
• Excessive privileges allow normal domain users rights to login
• Lots of vendor defaults and unsupported versions
• Escalation via weak passwords, UNC path injection, shared service accounts, and database links
The Trends: Data Exfiltration & C2
• Servers and DCs with direct access to the internet!
• Tons of options in most environments without detection:
o TCP ports 100%: authenticated outbound on 80/443, reflection through trusted sites, and unauthenticated outbound on various ports (21, 22, 23, 25, 53, 110)
o UDP ports 50%
o ICMP tunnel 50%
o DNS tunnel 80%
o SMTP tunnel 100%
o Skype tunnel 100%
Questions?

Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation

  • 1. Adventures in Adversarial Emulation
    Common Approaches and Trends
    Q1 Meet Up
  • 2. The Speaker Overview
    Name: Scott Sutherland
    Job: Network & Application Pentester @ NetSPI
    Twitter: @_nullbind
    Slides: http://slideshare.net/nullbind and http://slideshare.net/netspi
    Blogs: https://blog.netspi.com/author/scott-sutherland/
    Code: https://github.com/netspi/PowerUpSQL and https://github.com/nullbind
  • 3. The Presentation Overview
    • The Problem
    • The Goal
    • The Approach
    • The Difference
    • The Hunt
    • The Trends
  • 5. The Problem
    Companies spend millions on detective controls, but don't know if they can detect common:
    • Indicators of active attack
    • Indicators of compromise
    • Indicators of data exfiltration
  • 7. The Goal
    • Understand the company's ability to identify and respond to common real-world threats
    • Understand how to improve detective and preventative control capabilities
    • Verify that third-party service providers and products are detecting what they say they can
  • 9. The Approach: Summary
    1. Inventory known controls
    2. Emulate attacks
    3. Monitor security events and alerts
    4. Identify gaps in controls
    5. Provide actionable feedback and recommendations
    6. Provide a MITRE-style heat map
  • 10. The Approach: Inventory Known Controls
    Interview key members of the security and incident response teams to inventory existing preventative controls, detective controls, and detective control boundaries. Common control placements and boundaries include:
    • External network zones
    • Internal network zones
    • Wireless network zones
    • Email gateways, servers, and clients
    • Workstations and servers
    • Network devices
    • Applications
    • Databases
  • 11. The Approach: Emulate Attacks
    Emulate attacks using the common tools, techniques, and tactics used by real-world attackers, in multiple variations of common attack kill chains, across the identified detection control boundaries:
    • Threat agnostic
    • Many kill chain variations
    • Common tools
    • Common techniques
    • Common procedures
    • MITRE ATT&CK covers post-exploitation pretty well
  • 12. The Approach: Monitor Security Events
    Monitor security events and alerts in real time with the security teams across:
    • External network zones
    • Internal network zones
    • Wireless network zones
    • Email gateways, servers, and clients
    • Workstations and servers
    • Network devices
    • Applications
    • Databases
  • 13. The Approach: Identify Gaps
    Identify major gaps in detective and preventative controls by working with security teams in real time during the test to determine which security events:
    • Go completely undetected
    • Are logged
    • Trigger correlation rules
    • Trigger alerts
    • Trigger incident response
  • 14. The Approach: Actionable Feedback
    Provide actionable feedback that includes the information below so internal security teams can build better defensive capabilities:
    • Log sources
    • Generic indicators of attack and compromise
    • Generic SIEM correlation rules
    • Preventative control options
    • Mitigation options
    • Existing controls
  • 15. The Approach: Notes from BruCON
    Below are some notes from the Chris Gates + Chris Nickerson presentation at BruCON. Great notes for internal teams!
    http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
    • Create a charter
    • Provide metrics (readiness/resistance to TTPs) plus pretty charts
    • Build an attack simulation lab with all preventative and detective controls
    • Work through the MITRE ATT&CK techniques in the lab
    • Continuously validate prod controls
    • Work closely with the internal team
    • Establish rules of engagement, procedures, and workflows with the internal team
    • Estimate resources: people, servers, crack box, VMs, access to defensive tools
    • Document sharing to store and share info
  • 16. The Approach: Notes from BruCON
    Source: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
  • 17. The Approach: Notes from BruCON
    1. Gather threat intelligence and threat attributes
    2. Compare to the capabilities map (preventative and detective)
    3. Predict the likelihood of successful attacks before they happen
    Source: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
  • 18. The Approach: Notes from BruCON
    Source: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
  • 19. The Approach: Notes from BruCON
    Source: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
  • 21. The Differences
  • 22. The Differences: Service Goals
    Network Vulnerability Assessment
    • Identify known and common configuration, patch, and code-related vulnerabilities at the server and web application layers.
    • Meet compliance requirements.
    Network Penetration Test
    • Help companies determine if identified vulnerabilities can be used to gain unauthorized access to protected networks, systems, application functionality, and sensitive data.
    • Identify known and common configuration, patch, and code-related vulnerabilities at the network, server, and web application layers.
    • Meet compliance requirements.
    Network Red Team Testing
    • Attempt to gain unauthorized access to an environment using paths of least resistance without detection, and maintain that access for a pre-determined period of time in order to test the Incident Response Team's ability to identify and respond to threats. This often includes non-standard scoping with very specific system, application, and data targets.
    Threat Emulation
    • Emulate a specific threat and determine the ability to prevent, detect, and respond to it within a specific environment.
    Defense Assessment
    • Help companies obtain a more comprehensive understanding of their ability to identify and respond to real-world threats and potential breach scenarios, by executing multiple variations of common attack workflows across detective control boundaries while working with internal security teams to identify detective control gaps and misconfigurations.
    • Blue team and red team members test a company's environment together to build an understanding of the company's ability to prevent, detect, and respond to real-world threats at all layers of the organization. This requires much more collaboration and is broader in scope than a red team engagement. It is intended to test for the most common tools, techniques, and procedures used by attackers and malware.
    • Test the capabilities of third-party service providers.
  • 23. The Differences: Service Objectives
    Service Type                                  | Server issues | Network issues | Application issues | Impact of vulnerabilities | Ability to detect attacks | Missing detective controls | Incident response ability
    Vulnerability Assessment                      | Yes           | No             | Partially          | No                        | Partially                 | No                         | No
    Penetration Test                              | Yes           | Yes            | Yes                | Yes                       | Partially                 | No                         | No
    Red Team Test (limited to specific scenarios) | Partially     | Partially      | Partially          | Partially                 | Partially                 | Partially                  | Partially
    Threat Emulation (limited to specific threat) | Partially     | Partially      | Partially          | Partially                 | Partially                 | Partially                  | Partially
    Defense Assessment                            | Yes           | Yes            | Yes                | Yes                       | Yes                       | Yes                        | Yes
  • 24. BREAK TIME
  • 26. The Hunt: Threat Hunting Overview
    • Search for known common indicators of compromise at scale
    • Typically does not include EPP, HIDS, or NIDS
    • PowerShell comes in handy for automation
    • Identify sample systems based on information stored in DNS and Active Directory
    • Gather information via WMI, PS Remoting, scheduled tasks, and psexec (no agent)
  • 27. The Hunt: Don't forget…
    • Get approval
    • Some tasks require local and domain administrator privileges
    • Just like scanning, be aware of network boundaries and controls that may block access to the sample of systems
  • 28. The Hunt: Common Targets
    • Common hunting activities include targeting:
      - Files with known malware signatures
      - Windows services running unsigned binaries
      - Potentially malicious scheduled tasks
      - Potentially malicious file and folder autoruns
      - Potentially malicious registry autoruns
      - Potentially malicious SQL Server autoruns
      - Potentially malicious WMI providers and triggers
      - Web shells in internet-facing web root folders
      - VPN or internet logins from strange geographic locations or during off hours
      - Suspicious domain-level events
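The "Windows services running unsigned binaries" hunt above needs each service's real executable before any signature check can run, and the PathName field of Win32_Service mixes the path with quotes and arguments. The block below is an added example, not code from the slides or from NetSPI: it parses constructed records shaped like the Name/PathName/State fields that the WMI or PowerShell collection the slides mention would return, reduces each PathName to the executable, and returns the services whose executable lives outside an assumed list of trusted directories, which are the first candidates to hand to a signature check. The sample services, the trusted-directory list and the "cut at the first .exe" heuristic are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records (assumption: same field names as Win32_Service
# Name, PathName and State). These are not real hosts or services.
SAMPLE_SERVICES = [
    {"Name": "Dnscache", "State": "Running",
     "PathName": r"C:\Windows\system32\svchost.exe -k NetworkService -p"},
    {"Name": "VendorAgent", "State": "Running",
     "PathName": r'"C:\Program Files\Vendor\agent.exe" --service'},
    {"Name": "Updater", "State": "Running",
     "PathName": r"C:\Users\Public\update.exe -s"},
    {"Name": "HelperSvc", "State": "Stopped",
     "PathName": r"C:\ProgramData\Tmp Dir\helper.exe /svc"},
    {"Name": "StaleSvc", "State": "Stopped",
     "PathName": r"C:\Temp\old.exe"},
]

# Assumed trusted locations; tune to the environment's gold build.
TRUSTED_DIRS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]

_QUOTED = re.compile(r'^\s*"([^"]+)"')
_UNQUOTED_EXE = re.compile(r"^\s*(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_from_pathname(pathname):
    """Reduce a service PathName to the executable that runs.

    Handles quoted paths followed by arguments, unquoted paths followed by
    arguments, and unquoted paths that contain spaces. For the last case the
    heuristic cuts at the first ".exe"; such paths are ambiguous by nature
    and are worth reporting on their own as unquoted service paths."""
    m = _QUOTED.match(pathname)
    if m:
        return m.group(1)
    m = _UNQUOTED_EXE.match(pathname)
    if m:
        return m.group(1)
    # No .exe at all (e.g. a driver image): fall back to the first token.
    return pathname.strip().split(" ", 1)[0]


def is_under(path, directory):
    """Case-insensitive check that `path` sits below `directory`."""
    p = str(PureWindowsPath(path)).lower()
    d = str(PureWindowsPath(directory)).lower().rstrip("\\") + "\\"
    return p.startswith(d)


def triage_services(records, trusted_dirs=TRUSTED_DIRS, running_only=False):
    """Return (service name, executable) pairs whose executable lives outside
    the trusted directories. These are the first candidates for a signature
    check; a trusted location is not proof of a signed binary."""
    candidates = []
    for rec in records:
        if running_only and rec.get("State") != "Running":
            continue
        exe = executable_from_pathname(rec["PathName"])
        if not any(is_under(exe, d) for d in trusted_dirs):
            candidates.append((rec["Name"], exe))
    return candidates


if __name__ == "__main__":
    for name, exe in triage_services(SAMPLE_SERVICES):
        print(f"{name:12} {exe}")
```

The triage is deliberately two-stage: the path normalization is what makes the later signature check meaningful, because checking the signature of "svchost.exe -k NetworkService -p" as a file name silently fails, and services whose executable is outside the trusted directories are reviewed first.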
  • 30. The Trends: General Trends
    • Companies don't know what controls they have and don't have
    • Companies are missing major controls in critical network zones
    • Companies don't configure controls correctly
      o No internal resources capable of configuring the control
      o No vendor was paid to configure the control
    • Managed service providers are not catching real attack TTPs
    • Controls implemented with vendor defaults that don't detect most real attacks
    • No internal network logging
    • Logging, but no correlation
    • Alerting, but no response
    • No tracking of metrics over time
    • Disconnects between systems, like AV agents and their controllers
      o Completely unmanaged or don't sync fast enough
  • 31. The Trends: Control Boundaries
    • Wireless network zones
    • External network zones
    • Internal network zones
    • Email gateways, servers, and clients
    • Windows endpoints
    • Linux endpoints
    • Web applications
    • Databases
  • 32. The Trends: Wireless Networks
    • No wireless attack detection (wireless or LAN)
      o Detection features not enabled
      o Detection features not available
    • WEP still used in manufacturing, in warehouses and assembly lines
    • WPA2 PSK still used about 25% of the time
    • WEP and WPA2 PSK cracking
      o No detection
    • Evil twin attacks (attacking wireless endpoints)
      o No detection
  • 33. The Trends: External Networks
    • Minimal ability to detect scanning and attacks
    • WAFs are missing or misconfigured
    • OWASP Top 10 vulnerabilities allow remote access
    • User and email enumeration via public resources
    • Lots of internet-facing interfaces that support single-factor authentication and can be used for pivoting and dictionary attacks
      o VPN, Citrix, Terminal Services, VDI, web applications
  • 34. The Trends: Internal Networks
    • Port scan detection can be avoided in almost all networks using Nmap -T2 or below
    • Port and vulnerability scan detection occurs more via endpoint protection than via network IDS/IPS controls
    • Null sessions still yield user and computer lists
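To make the port scan point above concrete from the detection side, here is an added example that is not from the slides or from NetSPI: a sliding-window detector run over a constructed connection log. It flags any source that touches more than a threshold of distinct destination:port pairs inside a window, and the two runs at the bottom show why the window length matters: a probe every 15 seconds (the scan delay of Nmap's -T1 template) never exceeds a per-minute threshold and is only caught when the window is long enough to see the whole sweep. The log format, hosts, timings and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a product's format):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, action), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["port"]), m["action"])


def make_sample_log():
    """Constructed traffic: a fast scanner, a slow scanner probing one port
    every 15 s (Nmap -T1 pace), and a normal client talking to two services."""
    t0 = datetime(2017, 3, 1, 9, 0, 0)
    lines = []
    for i in range(25):  # fast: 25 ports in 5 seconds
        ts = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> 10.0.1.20:{1000 + i} DENY")
    for i in range(24):  # slow: 24 ports spread over 6 minutes
        ts = t0 + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 -> 10.0.1.20:{2000 + i} DENY")
    for i in range(10):  # benign: alternating HTTPS/HTTP every 30 s
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> 10.0.1.20:{443 if i % 2 else 80} ALLOW")
    return lines


def detect_scanners(lines, window_seconds, distinct_target_threshold):
    """Return the set of source IPs that contacted more than
    `distinct_target_threshold` distinct dst:port pairs within any sliding
    window of `window_seconds`. Allowed and denied connections both count;
    a sweep of open ports is still a sweep."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, src, dst, port, _action = rec
            by_src[src].append((ts, (dst, port)))
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (start, _target) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) > distinct_target_threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    log = make_sample_log()
    print("60 s window, >20 targets :", detect_scanners(log, 60, 20))
    print("600 s window, >20 targets:", detect_scanners(log, 600, 20))
```

The trade-off the example exposes is the usual one: a longer window catches slower scans but has to retain more state per source, which is why counting distinct targets per source over hours in a SIEM tends to work better than the per-minute thresholds that network IDS signatures default to.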
  • 35. The Trends: Internal Networks
    • Almost no one detects network attacks:
      o NBNS MITM, LLMNR MITM, ARP MITM, VLAN tag spoofing, switch trunking, rogue DHCP, rogue PXE servers, unauthorized PXE downloads, etc.
    • ARP spoofing is never going to die
      o Vendors are still creating devices that don't support ARP spoof detection
      o Most companies don't enable the detection or prevention features when they do exist
    • PXE downloads have become more common
      o Download to a VM + mount the HD + backdoor for access
      o Domain deployment account password in sysprep files
      o Domain deployment account password parsed from the VM memory file
      o Domain credentials can then be used to start domain escalation
  • 36. The Trends: Internal Networks
    Network Isolation Bypasses
    • Direct access to services in the isolated environment, directly or through trusted hosts
      o Identify trusted hosts via logon events
    • Use management systems to execute commands
      o Group Policy, patch, and configuration management systems
    • Jump hosts are on the user domain and have accessible management ports open without two-factor authentication
    • VLAN hopping
    • Switch trunking
  • 37. The Trends: Email Attacks – General
    • Companies seem to have three goals
      - Test click rates / user awareness over time
      - Test technical controls
      - Inject FUD for budget procurement
  • 38. The Trends: Email Attacks – General
    • Service providers: missing some known evil attachments, doing some test execution of links and HTML
    • Servers: not blocking evil attachments
    • Clients: allowing execution of untrusted ClickOnce and Java apps
    • Office: people like to allow macros, and those who don't often let users change the setting in the security center
  • 39. The Trends: Email Attacks – Payloads
    Payloads – Links
    • Direct links to executable files
    • Links to uncategorized and untrusted sites/IPs
    Payloads – Phishing Sites
    • Untrusted ClickOnce allowed
    • Untrusted Java applets allowed
    • Capturing passwords is handy when there are so many single-factor interfaces exposed to the internet
    • Considering looking into XSRF to execute commands on web apps already open in insecure browsers; anyone done that?
  • 40. The Trends: Email Attacks – Payloads
    Payloads – Images in HTML emails
    • Determine physical location of individuals
    • Determine firewall egress rules
    • Determine allowed file attachments (works about 60% of the time)
    Payloads – Executable File Attachments
    • Only a handful typically get through, but Office macros still work a lot
    • Users often have rights to disable Office security features
    • Interesting that .application ClickOnce apps seem to make it through
    • Shortcut files + UNC path injection: not tested yet
    • Working on a basic toolkit for testing links and executable file types…
  • 41. The Trends: Email Attacks – Payloads
    Payloads – Executable Files
    Note: This is purple teamy…
    1. Send hundreds of executable file types as attachments
    2. Parse the inbox on the client to determine which ones make it through the service provider, server, and client
    3. Cross-reference extensions with application file extension associations on the gold build
    4. Create proof-of-concept payloads to illustrate risk
  • 42. The Trends: Email Attacks
  • 43. The Trends: Windows Endpoints
    - Missing and broken two-factor
    - Missing hard drive encryption
    - Missing and disabled endpoint protection on servers
    - Missing ability to detect common persistence methods
      o File, registry, application, and database autoruns
      o Windows services
      o Windows tasks
      o WMI triggers and providers
      o Login from an unexpected country
      o Login during an unexpected time
  • 44. The Trends: Windows Domains
    • 80% of companies can detect a Domain Admin being added
    • Most companies are blind to almost everything else
    • SPNs are very useful for server and user targeting
    • Active session scanning can be useful for user targeting (DC, file, Citrix, and Exchange servers yield the best immediate results)
    • BloodHound can be very useful if you have enough time to map escalation paths
    • Kerberoasting and ASREPRoast are very useful for domain escalation
    • Password dumping, DCSync, ntds.dit via Invoke-NinjaCopy.ps1, NTDSUTIL, VSSADMIN
    • Group Policy modifications
    • Netlogon script modifications
    • SYSVOL DACL modifications
    • User and computer object DACL modifications
    • Delegation of privileges (password reset, replication, etc.)
    • Group Policy passwords are disabled in most environments, but some companies forget to clean up the XML files and the passwords are still valid
    • SID history works in most environments to escalate from child to parent domain
    • Lots of user and domain admin password sharing
    • Lots of domain admins sharing passwords between domains
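The one domain event most companies do catch, per the slide above, is a Domain Admin being added. The block below is an added example, not from the slides or from NetSPI, showing that detection over constructed Security log events. It keys on the group's well-known RID (512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins) and on the built-in Administrators SID S-1-5-32-544 rather than on the group's display name, so a renamed privileged group is still caught, and it only considers event IDs 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group). The field names follow those events; the domain SID, account names and timestamps are constructed.

```python
# Well-known RIDs of the privileged domain groups and the SID of the local
# Administrators group. Matching on these survives a renamed group.
PRIVILEGED_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins",
                          519: "Enterprise Admins"}
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Security log "a member was added to a security-enabled ... group" events.
MEMBER_ADDED_EVENT_IDS = {4728: "global", 4732: "local", 4756: "universal"}

# Constructed domain SID and sample events (field names follow the event
# schema; the domain, accounts and times are made up for this example).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    {"TimeCreated": "2017-03-01T09:01:00", "EventID": 4728,
     "SubjectUserName": "svc_deploy",
     "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Admins", "TargetSid": DOMAIN_SID + "-512"},
    {"TimeCreated": "2017-03-01T09:02:00", "EventID": 4728,
     "SubjectUserName": "hr_admin",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Users", "TargetSid": DOMAIN_SID + "-513"},
    {"TimeCreated": "2017-03-01T09:03:00", "EventID": 4756,
     "SubjectUserName": "svc_deploy",
     "MemberName": "CN=carol,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Enterprise Admins", "TargetSid": DOMAIN_SID + "-519"},
    {"TimeCreated": "2017-03-01T09:04:00", "EventID": 4729,  # removal, ignored
     "SubjectUserName": "svc_deploy",
     "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Admins", "TargetSid": DOMAIN_SID + "-512"},
    {"TimeCreated": "2017-03-01T09:05:00", "EventID": 4728,
     "SubjectUserName": "svc_deploy",
     "MemberName": "CN=dave,CN=Users,DC=corp,DC=example",
     # Domain Admins renamed in this constructed domain; the RID gives it away.
     "TargetUserName": "Helpdesk Operators", "TargetSid": DOMAIN_SID + "-512"},
    {"TimeCreated": "2017-03-01T09:06:00", "EventID": 4732,
     "SubjectUserName": "localadmin",
     "MemberName": "CN=eve,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Administrators", "TargetSid": BUILTIN_ADMINISTRATORS_SID},
]


def privileged_group_label(group_sid):
    """Return a label when the SID is a privileged group, otherwise None."""
    if group_sid == BUILTIN_ADMINISTRATORS_SID:
        return "Administrators"
    rid = group_sid.rsplit("-", 1)[-1]
    if rid.isdigit() and int(rid) in PRIVILEGED_DOMAIN_RIDS:
        return PRIVILEGED_DOMAIN_RIDS[int(rid)]
    return None


def find_privileged_group_additions(events):
    """Return one alert dict per member added to a privileged group."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENT_IDS:
            continue
        label = privileged_group_label(ev.get("TargetSid", ""))
        if label is None:
            continue
        alerts.append({
            "time": ev["TimeCreated"],
            "group": label,
            "group_name_in_event": ev.get("TargetUserName"),
            "member": ev.get("MemberName"),
            "added_by": ev.get("SubjectUserName"),
            "scope": MEMBER_ADDED_EVENT_IDS[ev["EventID"]],
        })
    return alerts


if __name__ == "__main__":
    for a in find_privileged_group_additions(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["added_by"]} added {a["member"]} to '
              f'{a["group"]} (shown as "{a["group_name_in_event"]}")')
```

Two details are worth carrying into a real rule: the removal event 4729 is not an add, so it is skipped rather than matched on the group alone, and the member's DN is reported because a group being added to a privileged group (nesting) looks identical to a user being added and deserves the same alert.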
  • 45. The Trends: Linux Endpoints
    - No centralized detection capabilities
    - sudo configuration issues
    - World readable/writable daemons and cron scripts
    - Common issues like Heartbleed and Shellshock
    - Excessive share privileges
    - NFS mountable as root: grab keys and authenticate
    - SMB writable by everyone
    - FTP writable by anonymous (web roots are the best)
    - Shared NAS between servers for lateral movement via home directories
  • 46. The Trends: Web Applications
    • SQL injection
    • XML entity injection
    • Upload functionality
    • Application publishing platforms like Tomcat, JBoss, etc.
    • Database and domain credentials are stored everywhere
      o In code
      o In web.config
      o In application.config
      o Connection string cheat sheet: https://gist.github.com/nullbind/91c573b0e27682733f97d4e6eebe36f8
    • Code repository auditing can usually be bypassed once you have SYSTEM on the box and can run as the service account
  • 47. The Trends: Databases
    • Common platforms include SQL Server, Oracle, MySQL, and Db2
    • Almost no companies audit beyond failed login attempts
    • Database teams seem to identify failed login attempts more often than AD or response teams on average
    • Excessive privileges allow normal domain users rights to log in
    • Lots of vendor defaults and unsupported versions
    • Escalation via weak passwords, UNC path injection, shared service accounts, and database links
  • 48. The Trends: Data Exfiltration & C2
    • Servers and DCs with direct access to the internet!
    • Tons of options in most environments without detection:
      o TCP ports: 100% (authenticated outbound on 80/443, reflection through trusted sites, and unauthenticated outbound on various ports: 21, 22, 23, 25, 53, 110)
      o UDP ports: 50%
      o ICMP tunnel: 50%
      o DNS tunnel: 80%
      o SMTP tunnel: 100%
      o Skype tunnel: 100%
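DNS tunnelling goes undetected in 80% of environments according to the slide above. As an added example, not from the slides or from NetSPI, the following computes the per-domain heuristics a defender can run over resolver logs: unique subdomain count, average subdomain length, character entropy of the subdomain labels and the share of TXT/NULL queries, and flags domains that exceed all of the thresholds. The "last two labels" rule for the registered domain, the thresholds and the query log are assumptions made for this example; a real deployment would use the Public Suffix List for the domain split and tune the thresholds against its own baseline.

```python
import hashlib
import math
from collections import defaultdict


def _hex_label(seed, n):
    """Deterministic pseudo-random label standing in for encoded tunnel data."""
    return hashlib.sha256(f"{seed}:{n}".encode()).hexdigest()[:32]


def make_sample_queries():
    """Constructed DNS query log as (client, qname, qtype). Not real traffic."""
    queries = []
    for name in ["www", "mail", "api", "cdn", "www", "mail"]:
        queries.append(("10.0.0.7", f"{name}.example.com", "A"))
    for n in range(40):  # 40 never-repeated, high-entropy names under one zone
        qname = f"{_hex_label('a', n)}.{_hex_label('b', n)}.t.example.net"
        queries.append(("10.0.0.9", qname, "TXT"))
    return queries


def registered_domain(qname):
    """Assumption for the sample: the registered domain is the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character of `text`; about 4.0 for uniform hex, lower for words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_stats(queries):
    """Aggregate the tunnelling indicators per registered domain."""
    by_domain = defaultdict(list)
    for _client, qname, qtype in queries:
        by_domain[registered_domain(qname)].append((qname, qtype))
    stats = {}
    for domain, items in by_domain.items():
        subs = {qname[: -len(domain) - 1] for qname, _ in items
                if qname.endswith("." + domain)}
        blob = "".join(s.replace(".", "") for s in subs)
        stats[domain] = {
            "queries": len(items),
            "unique_subdomains": len(subs),
            "avg_subdomain_len": sum(len(s) for s in subs) / max(len(subs), 1),
            "entropy": shannon_entropy(blob),
            "txt_fraction": sum(1 for _, t in items if t in ("TXT", "NULL")) / len(items),
        }
    return stats


def suspected_tunnels(queries, min_unique=20, min_len=30, min_entropy=3.5):
    """Domains whose subdomains are numerous, long and high-entropy at once.
    Requiring all three keeps CDNs with a few long hostnames out of the list."""
    return {d for d, s in domain_stats(queries).items()
            if s["unique_subdomains"] >= min_unique
            and s["avg_subdomain_len"] >= min_len
            and s["entropy"] >= min_entropy}


if __name__ == "__main__":
    for domain, s in domain_stats(make_sample_queries()).items():
        print(f"{domain:12} unique={s['unique_subdomains']:3} "
              f"len={s['avg_subdomain_len']:5.1f} H={s['entropy']:.2f} "
              f"txt={s['txt_fraction']:.2f}")
    print("suspected:", suspected_tunnels(make_sample_queries()))
```

The query-type share is computed but not used in the verdict on purpose: TXT-heavy lookups are a strong hint for some tunnelling tools but legitimate mail (SPF, DKIM) and service-discovery traffic is also TXT-heavy, so it is better surfaced as context for the analyst than used as a hard gate.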