Professional Documents
Culture Documents
NetSPI Scott Sutherland RedvsBlue v3.2
NetSPI Scott Sutherland RedvsBlue v3.2
LinkedIn.com Google.com
SMTP Send HTTP Office365 Create Buy A�acks NA sequen�ally
Large numbers of HTTP NTLM
exposure.
Monitor domain expira�ons
Server Test with OWA Content-Filter Expired
Data.com Bing.com
Cmds Emails NTLM MS APIs Excep�ons Domains from public resources requests
Send Phishing
Email filters, thresholds, and spam User awareness training
Email Sources Email Targets Email Content rules Incident response procedures
Email source verifica�on
Spoofed Spoofed Domain
Hacked Mass Targeted Pretext Malicious
Malicious Emails NA Blacklist checks
SPF record checks
Internal External Similar to Files &
Domain Domain Company
Account Mailing Mailing Scenario Links
Embedding to employee addresses Logs / SEIM / Alerts
Deliver the
Asset / config / patch mgmt. Email filters, thresholds, and spam User awareness training
Malicious Links Website Components Files An�-virus / HIDs / HIPs rules Incident response procedures
@ Secure group policy Deny / log relay requests
Port Geo
Phish Creden�al Java Applet
Brower
Browser Common Office Payloads Mail client configura�ons
MS Office Security Se�ngs
Secure caching provider
Web filtering / white lis�ng
Web Collec�on ClickOnce Add-On exec file Docs + Web browser configura�ons Authen�cated HTTP proxies
Scan Locate Exploit
Site Form HTA Exploit formats Macros to employee systems Logs / SEIM / Alerts Logs / SEIM / Alerts
Common Payload Command Types Run the Payload Asset / config / patch mgmt.
An�-virus / HIDs / HIPs
Commands
Secure group policy se�ngs User awareness training
NA
Commands Binaries Scripts Standard Assembly Byte Applica�on white lis�ng Incident response procedures
Code Least privilege enforcement
cmd, wmi, wrm, Executable, PS, VB, VBS, Code Code
�p, net, etc Installer, Library JS, Bat C, C++, C# shellcode Java, .Net on employee systems Logs / SEIM / Alerts
Persistence
User awareness training
Applica�on white lis�ng NA
PW / Pvt Key File, Registry, WMI Incident response procedures
Custom Windows Scheduled Code / File Driver Least privilege enforcement
PW Hash & Applica�on Event Logs / SEIM / Alerts
Providers Service Task Modifica�on BIOS
Kerb Ticket Autoruns Trigger on employee systems FIM / WMI event triggers
Egress Ports Common Protocols Common Types Obtain Command & Asset / config / patch mgmt.
An�-virus / HIDs / HIPs
Firewall Rules / Segmenta�on
NIDs / NIPs
Control Channel
Secure group policy se�ngs Fix Up Protocols User awareness training
DNS SSH FTP Torrent Bind Shell Applica�on white lis�ng Web Filtering / White Lis�ng Incident response procedures
TCP IPv4 HTTP Least privilege enforcement Authen�cated HTTP Proxies
ICMP Telnet NFS IM Beacon Reverse Shell
UDP IPv6 HTTPS Logs / SEIM / Alerts Logs / SEIM / Alerts
NTP Rlogin SMB SMTP Web Shell from employee systems
Privileges
Admin awareness training
Least privilege enforcement Logs / SEIM / Alerts
Weak Password Incident response procedures
Insecure Insecure Insecure Insecure Excessive Logs / SEIM / Alerts
or Password OS APP DEP / ASLR / SEH
Service Schtask GPO Protocol Privilege
Storage Method on employee systems Micro virtualizing / sandboxes
Steal
Common local Targets Perform Local Asset / config / patch mgmt.
An�-virus / HIDs / HIPs
Authen�ca�on Tokens
Password /
Password Kerberos OS, Domain,
Users & Cache Services & Installed Files &
Recon / Discovery Secure group policy se�ngs
Applica�on white lis�ng
Least privilege enforcement
Logs / SEIM / Alerts
Admin awareness training
Incident response procedures
Hash Ticket & Network
Private Key
(PTH) (PTT) Informa�on
Groups & Logs Processes Apps Registry on employee systems Logs / SEIM / Alerts
Authen�ca�on Tokens
Common Methods Perform Lateral An�-virus / HIDs / HIPs
Secure group policy se�ngs
Firewall Rules / Segmenta�on
NIDs / NIPs
Don’t use shared local accounts
Use a separate domain user and
Movement
Honey Pots
Applica�on white lis�ng server admin accounts
Password Kerberos DB, App Remote Tarpits
Password / MGMT Windows Sched File GPO, Least privilege enforcement Maintain secure configs
Canary networks, systems, & accounts
Hash Ticket & VM Exploit, Logs / SEIM / Alerts Incident response procedures
Private Key Services Service Task Share SCCM
(PTH) (PTT) Servers Physical between systems/networks Host-based Firewall
Logs / SEIM / Alerts
Sensi�ve Data
User awareness training
Large file upload detec�on Fix Up Protocols
Common & Standard & C2 and Staged Large Compression Incident response procedures
LAN & USB CD Mail client/server se�ngs Web Filtering / Auth Proxy
Wireless Uncommon Custom Alterna�ve & not & Small Encoding Logs / SEIM / Alerts Canary Data Samples
& SD DVD using common channels
Ports Protocols Channels Staged Files Encryp�on Logs / SEIM / Alerts
Without a C2
Limit Terminal Service, Citrix, and
Canary networks, systems, Incident response procedures
Password Kerberos Private Key RDP Office365 VDE access to specific groups during
Password / Web Web Based applica�ons, and accounts Enforce strong account policies
specific hours
Hash Ticket Token Seed VPN SSH Azure Logged events / SEIM / alerts
Private Key Shells Citrix & TS using common interfaces Geo / IP limi�ng
(PTH) (PTT) Skeleton Key VDE AWS