Scribd Logo
Upload

Welcome to Scribd!

  • NetSPI Scott Sutherland RedvsBlue v3.2

    Uploaded by

    Rodrigues Ricardo
    8 views1 page

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    8 views1 page

    NetSPI Scott Sutherland RedvsBlue v3.2

    Uploaded by

    Rodrigues Ricardo

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 1

    Introduc�on to common Brought to you by

    R ed T eam Attacks & TM

    B lue T eam Defens es


    Common Red Team Common Common Blue Team
    Attack Vectors and T echniques Attack K ill C hain Detective and P reventative C ontrols
    C ommon Variations RED BLUE E ndpoint Network Process
    Create Phishing TEAM TEAM
    Prepare Phishing
    Deny / log VRY requests User awareness training
    Find Emails & Users Verify Emails & Users Deny / log EXPN requests Track company’s point of
    Payloads & Sites Log RCPT commands executed presence and employee

    LinkedIn.com Google.com
    SMTP Send HTTP Office365 Create Buy A�acks NA sequen�ally
    Large numbers of HTTP NTLM
    exposure.
    Monitor domain expira�ons
    Server Test with OWA Content-Filter Expired
    Data.com Bing.com
    Cmds Emails NTLM MS APIs Excep�ons Domains from public resources requests

    Send Phishing
    Email filters, thresholds, and spam User awareness training
    Email Sources Email Targets Email Content rules Incident response procedures
    Email source verifica�on
    Spoofed Spoofed Domain
    Hacked Mass Targeted Pretext Malicious
    Malicious Emails NA Blacklist checks
    SPF record checks
    Internal External Similar to Files &
    Domain Domain Company
    Account Mailing Mailing Scenario Links
    Embedding to employee addresses Logs / SEIM / Alerts

    Deliver the
    Asset / config / patch mgmt. Email filters, thresholds, and spam User awareness training
    Malicious Links Website Components Files An�-virus / HIDs / HIPs rules Incident response procedures
    @ Secure group policy Deny / log relay requests

    Port Geo
    Phish Creden�al Java Applet
    Brower
    Browser Common Office Payloads Mail client configura�ons
    MS Office Security Se�ngs
    Secure caching provider
    Web filtering / white lis�ng
    Web Collec�on ClickOnce Add-On exec file Docs + Web browser configura�ons Authen�cated HTTP proxies
    Scan Locate Exploit
    Site Form HTA Exploit formats Macros to employee systems Logs / SEIM / Alerts Logs / SEIM / Alerts

    Common Payload Command Types Run the Payload Asset / config / patch mgmt.
    An�-virus / HIDs / HIPs

    Commands
    Secure group policy se�ngs User awareness training
    NA
    Commands Binaries Scripts Standard Assembly Byte Applica�on white lis�ng Incident response procedures
    Code Least privilege enforcement
    cmd, wmi, wrm, Executable, PS, VB, VBS, Code Code
    �p, net, etc Installer, Library JS, Bat C, C++, C# shellcode Java, .Net on employee systems Logs / SEIM / Alerts

    Asset / config / patch mgmt.


    Common Local Persistence Methods Maintain Local An�-virus / HIDs / HIPs
    Secure group policy se�ngs

    Persistence
    User awareness training
    Applica�on white lis�ng NA
    PW / Pvt Key File, Registry, WMI Incident response procedures
    Custom Windows Scheduled Code / File Driver Least privilege enforcement
    PW Hash & Applica�on Event Logs / SEIM / Alerts
    Providers Service Task Modifica�on BIOS
    Kerb Ticket Autoruns Trigger on employee systems FIM / WMI event triggers

    Egress Ports Common Protocols Common Types Obtain Command & Asset / config / patch mgmt.
    An�-virus / HIDs / HIPs
    Firewall Rules / Segmenta�on
    NIDs / NIPs

    Control Channel
    Secure group policy se�ngs Fix Up Protocols User awareness training
    DNS SSH FTP Torrent Bind Shell Applica�on white lis�ng Web Filtering / White Lis�ng Incident response procedures
    TCP IPv4 HTTP Least privilege enforcement Authen�cated HTTP Proxies
    ICMP Telnet NFS IM Beacon Reverse Shell
    UDP IPv6 HTTPS Logs / SEIM / Alerts Logs / SEIM / Alerts
    NTP Rlogin SMB SMTP Web Shell from employee systems

    An�-virus / HIDs / HIPs


    Weak Configura�ons Local Exploits Escalate Local Secure group policy se�ngs
    Applica�on white lis�ng

    Privileges
    Admin awareness training
    Least privilege enforcement Logs / SEIM / Alerts
    Weak Password Incident response procedures
    Insecure Insecure Insecure Insecure Excessive Logs / SEIM / Alerts
    or Password OS APP DEP / ASLR / SEH
    Service Schtask GPO Protocol Privilege
    Storage Method on employee systems Micro virtualizing / sandboxes

    Steal
    Common local Targets Perform Local Asset / config / patch mgmt.
    An�-virus / HIDs / HIPs
    Authen�ca�on Tokens
    Password /
    Password Kerberos OS, Domain,
    Users & Cache Services & Installed Files &
    Recon / Discovery Secure group policy se�ngs
    Applica�on white lis�ng
    Least privilege enforcement
    Logs / SEIM / Alerts
    Admin awareness training
    Incident response procedures
    Hash Ticket & Network
    Private Key
    (PTH) (PTT) Informa�on
    Groups & Logs Processes Apps Registry on employee systems Logs / SEIM / Alerts

    Passive Locate Domain, Ent.


    Perform Network
    HIDs / HIPs
    Firewall rules / segmenta�on
    Ac�ve Discovery Logs / SEIM / Alerts
    NIDs / NIPs
    Recon & Forest Admins Canaries
    Recon / Discovery
    Honey pots Admin awareness training
    - Local & Domain User Accounts
    Ping & DNS & Share & DB, SP & Remote Tarpits Incident response procedures
    Trace Domain - Domain Computer Accounts
    Port ADS Logon Sessions Canary networks, systems, & accounts
    Sniffing Mail Svr - Local and Network Files
    Route
    Scanning Queries Scanning Scanning
    GPOs & SPN
    & Processes on internal networks File Audi�ng
    Logs / SEIM / Alerts

    Stolen Asset / config / patch mgmt.

    Authen�ca�on Tokens
    Common Methods Perform Lateral An�-virus / HIDs / HIPs
    Secure group policy se�ngs
    Firewall Rules / Segmenta�on
    NIDs / NIPs
    Don’t use shared local accounts
    Use a separate domain user and

    Movement
    Honey Pots
    Applica�on white lis�ng server admin accounts
    Password Kerberos DB, App Remote Tarpits
    Password / MGMT Windows Sched File GPO, Least privilege enforcement Maintain secure configs
    Canary networks, systems, & accounts
    Hash Ticket & VM Exploit, Logs / SEIM / Alerts Incident response procedures
    Private Key Services Service Task Share SCCM
    (PTH) (PTT) Servers Physical between systems/networks Host-based Firewall
    Logs / SEIM / Alerts

    Steal Admin A�ack


    Escalate Domain
    Asset / config / patch mgmt.
    Firewall Rules / Segmenta�on
    Escalate to Root Domain An�-virus / HIDs / HIPs
    NIDs / NIPs
    Don’t use shared local accounts
    Authen�ca�on Tokens DCs Secure group policy se�ngs Use a separate domain user and
    Privileges
    Honey Pots
    Applica�on white lis�ng server admin accounts
    Password Kerberos Exploits, Domain Exploits Tarpits
    Password / Shared Delegated Privs Least privilege enforcement Maintain secure configs
    Hash Ticket Kerberoast Trusts & Kerberoast Canary networks, systems, & accounts
    Logs / SEIM / Alerts Incident response procedures
    Private Key
    (PTH) (PTT) & GPP
    Password Nested Groups
    SID History GPO via common vectors Host-based Firewall
    Logs / SEIM / Alerts

    Least Privilege Enforcement


    Common Data Stores Common Data Targets Find and Access Two-Factor Authen�ca�on
    Data Encryp�on and Secure Key
    Firewall Rules / Segmenta�on
    NIDs / NIPs
    User awareness training
    Incident response procedures
    Honey Pots

    Mail File Database Code


    PII
    IP & Financial
    Insider Sensi�ve Data Management
    File, Applica�on, and Database
    Tarpits
    Canary networks, systems, & accounts
    Manage keys securely
    Consolidate and isolate sensi�ve
    PHI Trading Audi�ng data stores
    Servers Servers Servers Repositories Research Data
    CHD Info in common data stores Host DLP / Logs / SEIM / Alerts
    Logs / SEIM / Alerts

    Common Protocols Physical


    Exfiltrate
    Firewall Rules / Segmenta�on
    Data Handling HIDs / HIPs Email Server Configura�on
    TCP/UDP, v4/6 Media Host DLP Network DLP

    Sensi�ve Data
    User awareness training
    Large file upload detec�on Fix Up Protocols
    Common & Standard & C2 and Staged Large Compression Incident response procedures
    LAN & USB CD Mail client/server se�ngs Web Filtering / Auth Proxy
    Wireless Uncommon Custom Alterna�ve & not & Small Encoding Logs / SEIM / Alerts Canary Data Samples
    & SD DVD using common channels
    Ports Protocols Channels Staged Files Encryp�on Logs / SEIM / Alerts

    Stolen Two Common Internet Facing


    Authen�ca�on Tokens Factor Interfaces
    Maintain Remote Access Enforce Two-factor authen�ca�on on
    all external interfaces
    Firewall rules / segmenta�on
    NIDs / NIPs Admin awareness training

    Without a C2
    Limit Terminal Service, Citrix, and
    Canary networks, systems, Incident response procedures
    Password Kerberos Private Key RDP Office365 VDE access to specific groups during
    Password / Web Web Based applica�ons, and accounts Enforce strong account policies
    specific hours
    Hash Ticket Token Seed VPN SSH Azure Logged events / SEIM / alerts
    Private Key Shells Citrix & TS using common interfaces Geo / IP limi�ng
    (PTH) (PTT) Skeleton Key VDE AWS

    Author: Sco� Sutherland, NetSPI 2016


    Version: 3.2

    You might also like