Red Teaming for Blue Teamers: a Practical Approach Using Open Source Tools
Total Page:16
File Type:pdf, Size:1020Kb
SESSION ID: LAB4-W10 Red Teaming for Blue Teamers: A Practical Approach Using Open Source Tools Travis Smith Manager, Security Content and Research Tripwire, Inc @MrTrav #RSAC #RSAC Agenda 14:00-14:10 – Access Learning Lab Virtual Environment 14:10-15:00 – Run Through Red Team Activities 15:00-16:00 – Run Through Blue Team Activities #RSAC Accessing the Lab https://tripwire.me/vhX X will be you’re specific student number on your desk Password: rsalearninglab OS Credentials: rsa/learninglab OS Hostname: host-X OS IP Address: 10.0.0.X 3 #RSAC Log Into SkyTap https://tripwire.me/vh1 rsalearninglab #RSAC Launch Victim Host Console Username: rsa Password: learninglab #RSAC #RSAC Today’s Red Team Toolset #RSAC Today’s Blue Team Toolset Elastic Stack Windows Sysmon Kibana Beats Elasticsearch @SwiftOnSecurity #RSAC Disable Windows Defender* Start Menu > Settings > Update & Security Click Windows Security on left side menu Click Virus & threat protection Click Manage settings Turn Off: – Real-time protection – Cloud-delivered protection #RSAC Red Team Exercise #1 https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md #RSAC Red Team Exercise #1 Launch Event Viewer, confirm it launches #RSAC Red Team Exercise #1 Run atomic command – reg add hkcu\software\classes\mscfile\shell\open\command /ve /d ”C:\Windows\System32\cmd.exe” /f #RSAC Red Team Exercise #1 Launch Event Viewer, confirm CMD.exe launches Launch other executables from here: • notepad • calc • whoami • ping #RSAC Red Team Exercise #2 https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1015/T1015.md #RSAC Red Team Exercise #2 Launch Sticky Keys (Hit Shift key 5+ times) Click No #RSAC Red Team Exercise #2 – Easier Procedure Launch CMD.EXE as administrator reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f #RSAC Red Team Exercise #2 Launch Sticky Keys (Hit Shift key 5+ times) Launch other executables from here: • notepad • calc • whoami • ping Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command And Exfiltration Impact Drive-by Compromise AppleScript .bash_profile and .bashrc Access Token ManipulationAccess Token ManipulationAccount Manipulation Account Discovery AppleScript Audio Capture CommonlyControl Used Port Automated Exfiltration Account Access Removal Exploit Public-Facing Application Window Application Deployment Communication Through Application CMSTP Accessibility Features Accessibility Features Binary Padding Bash History Discovery Software Automated Collection Removable Media Data Compressed Data Destruction #RSAC Browser Bookmark Component Object Model External Remote Services Command-Line Interface Account Manipulation AppCert DLLs BITS Jobs Brute Force Discovery and Distributed COM Clipboard Data Connection Proxy Data Encrypted Data Encrypted for Impact Bypass User Account Exploitation of Remote Data from Information Custom Command and Hardware Additions Compiled HTML File AppCert DLLs AppInit DLLs Control Credential Dumping Domain Trust Discovery Services Repositories Control Protocol Data Transfer Size Limits Defacement Replication Through Component Object Model Credentials from Web File and Directory Custom Cryptographic Exfiltration Over Alternative Removable Media and Distributed COM AppInit DLLs Application Shimming Clear Command History Browsers Discovery Internal Spearphishing Data from Local System Protocol Protocol Disk Content Wipe Bypass User Account Data from Network Shared Exfiltration Over Command Spearphishing Attachment Control Panel Items Application Shimming Control CMSTP Credentials in Files Network Service Scanning Logon Scripts Drive Data Encoding and Control Channel Disk Structure Wipe DLL Search Order Data from Removable Exfiltration Over Other Spearphishing Link Dynamic Data Exchange Authentication Package Hijacking Code Signing Credentials in Registry Network Share Discovery Pass the Hash Media Data Obfuscation Network Medium Endpoint Denial of Service Exploitation for Credential Exfiltration Over Physical Spearphishing via Service Execution through API BITS Jobs Dylib Hijacking Compile After Delivery Access Network Sniffing Pass the Ticket Data Staged Domain Fronting Medium Firmware Corruption Execution through Module Elevated Execution with Domain Generation Supply Chain CompromiseLoad Bootkit Prompt Compiled HTML File Forced Authentication Password Policy DiscoveryRemote Desktop Protocol Email Collection Algorithms Scheduled Transfer Inhibit System Recovery Exploitation for Client Peripheral Device Trusted Relationship Execution Browser Extensions Emond Component Firmware Hooking Discovery Remote File Copy Input Capture Fallback Channels Network Denial of Service Change Default File Exploitation for Privilege Component Object Model Permission Groups Valid Accounts Graphical User Interface Association Escalation Hijacking Input Capture Discovery Remote Services Man in the Browser Multi-hop Proxy Resource Hijacking Extra Window Memory Replication Through InstallUtil Component Firmware Injection Connection Proxy Input Prompt Process Discovery Removable Media Screen Capture Multi-Stage Channels Runtime Data Manipulation Component Object Model File System Permissions Launchctl Hijacking Weakness Control Panel Items Kerberoasting Query Registry Shared Webroot Video Capture Multiband Communication Service Stop Local Job Scheduling Create Account Hooking DCShadow Keychain Remote System DiscoverySSH Hijacking Multilayer Encryption Stored Data Manipulation DLL Search Order Image File Execution Deobfuscate/Decode Files LLMNR/NBT-NS PoisoningSecurity Software LSASS Driver Hijacking Options Injection or Information and Relay Discovery Taint Shared Content Port Knocking System Shutdown/Reboot Transmitted Data Mshta Dylib Hijacking Launch Daemon Disabling Security Tools Network Sniffing Software Discovery Third-party Software Remote Access Tools Manipulation DLL Search Order System Information PowerShell Emond New Service Hijacking Password Filter DLL Discovery Windows Admin Shares Remote File Copy System Network Windows Remote Standard Application Layer Regsvcs/Regasm External Remote Services Parent PID Spoofing DLL Side-Loading Private Keys Configuration Discovery Management Protocol File System Permissions System Network Standard Cryptographic Regsvr32 Weakness Path Interception Execution Guardrails Securityd Memory Connections Discovery Protocol Hidden Files and Exploitation for Defense System Owner/User Standard Non-Application Rundll32 Directories Plist Modification Evasion Steal Web Session CookieDiscovery Layer Protocol Extra Window Memory Two-Factor Authentication Scheduled Task Hooking Port Monitors Injection Interception System Service Discovery Uncommonly Used Port File and Directory Scripting Hypervisor PowerShell Profile Permissions Modification System Time Discovery Web Service Image File Execution Virtualization/Sandbox Service Execution Options Injection Process Injection File Deletion Evasion Signed Binary Proxy Kernel Modules and Execution Extensions Scheduled Task File System Logical Offsets Signed Script Proxy Service Registry Execution Launch Agent Permissions Weakness Gatekeeper Bypass Source Launch Daemon Setuid and Setgid Group Policy Modification Hidden Files and Space after Filename Launchctl SID-History Injection Directories Third-party Software LC_LOAD_DYLIB Addition Startup Items Hidden Users Trap Local Job Scheduling Sudo Hidden Window Trusted Developer Utilities Login Item Sudo Caching HISTCONTROL Image File Execution User Execution Logon Scripts Valid Accounts Options Injection Windows Management Instrumentation LSASS Driver Web Shell Indicator Blocking Windows Remote Indicator Removal from Management Modify Existing Service Tools XSL Script Processing Netsh Helper DLL Indicator Removal on Host Indirect Command New Service Execution Office Application Startup Install Root Certificate Path Interception InstallUtil Available Atomics Plist Modification Launchctl Port Knocking LC_MAIN Hijacking Port Monitors Masquerading PowerShell Profile Modify Registry Rc.common Mshta Network Share Connection Re-opened Applications Removal Redundant Access NTFS File Attributes Registry Run Keys / Obfuscated Files or Startup Folder Information Scheduled Task Parent PID Spoofing Screensaver Plist Modification Security Support Provider Port Knocking Server Software Component Process Doppelgänging Service Registry Permissions Weakness Process Hollowing Setuid and Setgid Process Injection Shortcut Modification Redundant Access SIP and Trust Provider Hijacking Regsvcs/Regasm Startup Items Regsvr32 System Firmware Rootkit Systemd Service Rundll32 Time Providers Scripting Signed Binary Proxy Trap Execution Signed Script Proxy Valid Accounts Execution SIP and Trust Provider Web Shell Hijacking Windows Management SubscriptionInstrumentation Event Software Packing Winlogon Helper DLL Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing #RSAC Red Team Exercise #3 #RSAC Red Team Exercise #3 #RSAC Red Team Exercise #3 #RSAC Red Team Exercise #3 TACTIC | TECHNIQUE #RSAC Red Team Exercise #3 #RSAC Red Team Exercise #3 http://10.0.0.222:8888 admin/admin #RSAC Red Team Exercise #3 Plugins > sandcat Windows (PowerShell) #RSAC Red Team Exercise #3 Plugins > sandcat Windows (Powershell) #RSAC Red Team Exercise #3