Agenda. Red Team Difference to a Pen Test Common RT Techniques Blue Team

Similar documents
Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection

Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection

Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store

Red vs. Blue: Modern Active Directory Attacks, Detection, and Protection Whitepaper

Microsoft. Jump Start. M11: Implementing Active Directory Domain Services

Michael Mayer-Gishyan NSA IT Consulting From Zero to Hero. Domain Admin in einem Tag

Pass-the-Hash II: Admin s Revenge. Skip Duckwall & Chris Campbell

Defcon 20 Owning One To Rule Them All. Dave DeSimone Manager, Information Security Fortune 1000

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

PowerShell for Penetration Testers

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Network Architecture & Active Directory Considerations for the PI System. Bryan Owen - OSIsoft Joel Langill - SCADAhacker

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes

WHY ATTACKER TOOLSETS DO WHAT THEY DO

TAKING SECURITY TESTING TO THE NEXT LEVEL 5 MAY 2014 STAN HEGT

Managing Local Administrator Passwords with LAPS 10/14/2015 PENN STATE SECURITY CONFERENCE

Penetration Testing Report Client: Business Solutions June 15 th 2015

Windows Server 2008/2012 Server Hardening

Investigating the Use of Virtual Servers to Improve the Restoration Process of an Active Directory Forest

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Backup and Restore of CONFIGURATION Object on Windows 2008

5 Steps to Advanced Threat Protection

Penetration Test Report

Internal Penetration Test

Post-Access Cyber Defense

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

All Information is derived from Mandiant consulting in a non-classified environment.

6425C - Windows Server 2008 R2 Active Directory Domain Services

CRYPTUS DIPLOMA IN IT SECURITY

RSA Security Anatomy of an Attack Lessons learned

Learn Ethical Hacking, Become a Pentester

Why You Need to Detect More Than PtH. Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

Active Directory backup and restore with Acronis Backup & Recovery 11. Technical white paper. o o. Applies to the following editions: Advanced Server

Windows Server 2012 / Windows 8 Audit Fundamentals

Securing Active Directory Presented by Michael Ivy

NASA Consolidated Active Directory Overview ( August 20, 2012 ) Les Chafin Infrastructure Engineering HPES

Defending Against Data Beaches: Internal Controls for Cybersecurity

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

Active Directory backup and restore with Acronis Backup & Recovery 10

Protecting Your Organisation from Targeted Cyber Intrusion

Exam : Installing and Configuring Windows Server 2012

Topics. ADSIEDIT in ADUC

PowerShell. It s time to own. David Kennedy (ReL1K) Josh Kelley (Winfang) Twitter: dave_rel1k

GFI White Paper PCI-DSS compliance and GFI Software products

Best Practices. Understanding BeyondTrust Patch Management

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Symantec NetBackup Blueprints

Computer Security: Principles and Practice

MS-6425C - Configuring Windows Server 2008 Active Directory Domain Services

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

R4: Configuring Windows Server 2008 Active Directory

Configuring Windows Server 2008 Active Directory

Quick Start Guide for VMware and Windows 7

Exploiting Transparent User Identification Systems

SQL Server Hardening

Directory Backup and Restore

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS

Integrating LANGuardian with Active Directory

A brief Guide to checking your Group Policy Health

70-417: Upgrading Your Skills to MCSA Windows Server 2012

Hunting for Indicators of Compromise

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

Fifty Critical Alerts for Monitoring Windows Servers Best practices

Windows Server 2003 Service Pack 1 (SP1) or later service packs Enhanced version of Ntdsutil.exe

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

Targeted attacks: Tools and techniques

Virtual Dashboard for VMware and Hyper-V

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

LockoutGuard v1.2 Documentation

What s New Guide. Active Administrator 6.0

qliqdirect Active Directory Guide

Best Practices for Auditing Changes in Active Directory WHITE PAPER

Industrial Security for Process Automation

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Thick Client Application Security

With Great Power comes Great Responsibility: Managing Privileged Users

User Guide. Version R91. English

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Pass-the-Hash. Solution Brief

Penetration Testing with Kali Linux

Course Duration: 80Hrs. Course Fee: INR (Certification Lab Exam Cost 2 Attempts)

Dell Spotlight on Active Directory Deployment Guide

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Kautilya: Teensy beyond shells

Malwarebytes Enterprise Edition Best Practices Guide Version March 2014

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Virtualization System Security

Guidance Regarding Skype and Other P2P VoIP Solutions

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

NovaBACKUP Virtual Dashboard

Transcription:

Red Teaming

Agenda Red Team Difference to a Pen Test Common RT Techniques Blue Team

Disclaimer Red Teaming is a contentious term with no set definition Conceptions vary and can be situated on a scale from those who employ the term interchangeably with pentesting to those who view it as a type of No holds barred /Carte Blanche security engagement

What is a Red Team test An extensive, goal orientated, crossdomain security assessment conducted on behalf of an organisation by a team of diverse security professionals who, for the duration of the engagement, seek to emulate the motivation, capability and visibility of an advanced adversary.

Goal Orientated Typical Red Team Objectives: Access an internal network Obtain Intellectual Property Harvest Customer Contact Lists Compromise Customer Payment Information Take down a distributed service to directly impact uptime, violate SLAs with customers, and revenue stream

Cross Domain

Team Based Generalist All rounder Computer Security Specialists Exploit Development, Reverse Engineering, Bug Hunting Social Engineer Skilled manipulator, quick thinker. Confident face-to-face as well as on the phone Physical Security Specialist Lock Picking, RFID, tailgating, social engineering, physically fit, calm under pressure Researcher OSINT

Adversary Emulation Threat intelligence Threat actors Nation state Organised Crime Syndicate Hacktivists Insiders

Extensive Length of the engagement Attack surface

Pen Test Vs Red Team Test Penetration Test Conducted by individuals and small teams Vulnerability Enumeration Narrow Attack Surface Threat Actor Neutral Red Team Test Collaborative, team-based engagements Goal Based/Asset Orientated Wide Attack Surface Adversary Modelling Limited use of Threat Intelligence Utilises Threat Intelligence Assignment length (<=3 weeks) Testing occurs over extended periods (<=12 months)

How does it works? Scope & Proposal Information Gathering Initial Breach Persistence Access Later Movement Report

What is Blue Team A proactive defending team who aim to protect the logical and physical perimeter, the corporate asset and promptly respond to attacks conducted by external or internal enemies. Detection Reaction

Common RT Techniques AV Evasion SPN scanning Group Policy Preferences Volume Shadow Copy Golden Ticket

Antivirus Evasion Veil-Evasion Shellter The Backdoor Factory Sidestep

PowerShell Dave Kennedy: Bash for Windows Available by default in supported Windows versions v2: Win 7 / Win 2k8R2 v3: Win 8 / Win 2012 v4: Win 8.1 / Win 2012R2 Provides access to WMI & COM Leverages.Net Framework Microsoft binary = whitelisted Download & run code in memory Download & run code in memory

PowerShell PowerSploit PowerUp PowerShell-AD-Recon Nishang Empire

SPN Scanning Nmap -> noisy, easy to detect Active Directory Service Principal Name Description A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. LDAP queries to DCs -> stealthy, difficult to detect Format: SPN = serviceclass / hostname [ : port] [ / servicename] serviceclass = alphanum servicename = alphanum

SPN Scanning SQL servers, instances, ports, etc. MSSQLSvc/adsmsSQLAP01:1433 Exchange exchangemdb/adsmsexcas01 RDP TERMSERV/adsmsEXCAS01 WSMan/WinRM/PS Remoting WSMAN/adsmsEXCAS01 Hyper-V Host Microsoft Virtual Console Service/adsmsHV01 VMWare VCenter STS/adsmsVC01 SPN Directory: http://social.technet.microsoft.com/wiki/contents/articles/717.serviceprincipal-names-spns-setspn-syntax-setspn-exe.aspx

Group Policy Preferences The private key is publicly available on MSDN

Group Policy Preferences \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ Search for Groups.xml

Dump Domain Admin Cain Able Metasploit smart_hashdump domain_hashdump Active Directory Replication Volume Shadow Copy

Volume Shadow Copy Locate ntds.dit reg.exe query hklm\system\currentcontrolset\services\ntds\parameters Check the space dir C:\Windows\NTDS\ntds.dit fsutil volume diskfree c: Check if VSS is running sc.exe query VSS sc.exe start VSS Create a copy with ntdsutil ntdsutil is not in Windows 2003, use vssadmin instead

Volume Shadow Copy List snapshots ntdsutil snapshot "activate instance NTDS" "list all" quit quit Create snapshot ntdsutil snapshot "activate instance NTDS" create "list all" quit quit Mount snaposhot ntdsutil snapshot "list all" "mount 2" quit quit Download ntds.dit Copy SYSTEM registry hive reg.exe save HKLM\SYSTEM c:\system.save

Volume Shadow Copy Clean up ntdsutil snapshot "list all" "unmount 2" "delete 1" "list all" quit quit Stop VSS sc.exe stop VSS Profit python /usr/share/doc/pythonimpacket/examples/secretsdump.py -system system.save -ntds ntds.dit LOCAL

Golden Ticket Requires KRBTGT pw hash / service account pw hash. Forged TGT (Golden Ticket) bypasses all user restrictions. Create anywhere & use on any computer on the network. No elevated rights required to create/use. Impersonate existing user. Invent a fictional user with elevated rights. Spoof access without changing group membership User password changes have no impact on forged ticket!

KRBTGT KRBTGT account: disabled and not visible. Sign/encrypt AD Kerberos tickets Pwd set when domain created & (almost) never changes Password changes when DFL -> 2008 (or newer). Current & Previous Password valid for Kerberos tickets KRBTGT password exposed? Requires changing twice!

Blue Team: PSN Scanning Detection Difficult Mitigation Limit Service Account rights/permissions Use complex password Use (Group) Managed Service Accounts

Blue Team: GPP Detection XML Permission Denied Checks Place xml file in SYSVOL & set Everyone:Deny Audit Access Denied errors GPO doesn t exist, no legit reason for access Mitigation Use LAPS for automatic local admin password change Install KB2962486 on every computer used to manage GPOs Delete existing GPP xml files in SYSVOL containing passwords

Blue Team: Credential Theft Detection Difficult Golden events may have one of these issues: The Account Domain field is blank when it should contain DOMAIN. The Account Domain field is DOMAIN FQDN when it should contain DOMAIN. Mitigation Use complex password Protect DC backups & storage Admins only logon to specific systems

Blue Team: MS14-068 Detection IDS Signature for Kerberos AS-REQ & TGS-REQ both containing Include PAC: False Mitigation Patch servers with KB3011780 before running DCPromo patch the server build. Check patch status before running DCPromo

Blue Team: Recommendation Disable PowerShell Regular patching Install Honey Pot Network Segregation Use jump hosts Monitor Event Logs Use complex password

Thank You

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information