Scribd Logo
Upload

Welcome to Scribd!

  • Attacks Defence PDF 1662563695

    Uploaded by

    Alexandre OS
    25 views1 page
    The document outlines common red team attack vectors such as phishing emails with malicious payloads designed to gain access to employee systems, and blue team defensive controls like user awareness training, email filters, and monitoring of suspicious activity on endpoints and networks to detect and prevent such attacks. It also describes common techniques used at various stages of an attack kill chain from conducting reconnaissance to establishing long-term persistence on compromised systems.

    Original Description:

    Original Title

    Attacks_Defence_pdf_1662563695

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document outlines common red team attack vectors such as phishing emails with malicious payloads designed to gain access to employee systems, and blue team defensive controls like user awareness training, email filters, and monitoring of suspicious activity on endpoints and networks to detect and prevent such attacks. It also describes common techniques used at various stages of an attack kill chain from conducting reconnaissance to establishing long-term persistence on compromised systems.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    25 views1 page

    Attacks Defence PDF 1662563695

    Uploaded by

    Alexandre OS
    The document outlines common red team attack vectors such as phishing emails with malicious payloads designed to gain access to employee systems, and blue team defensive controls like user awareness training, email filters, and monitoring of suspicious activity on endpoints and networks to detect and prevent such attacks. It also describes common techniques used at various stages of an attack kill chain from conducting reconnaissance to establishing long-term persistence on compromised systems.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 1

    Introduc�on to common

    R ed T eam Attacks &


    B lue T eam Defens es
    Common Red Team Common Common Blue Team
    Attack Vectors and T echniques Attack K ill C hain Detective and P reventative C ontrols
    C ommon Variations E ndpoint Network Process
    Create Phishing
    Prepare Phishing
    Deny / log VRY requests User awareness training
    Find Emails & Users Verify Emails & Users Deny / log EXPN requests Track company’s point of
    Payloads & Sites Log RCPT commands executed presence and employee

    LinkedIn.com Google.com
    SMTP Send Office365 A�acks NA sequen�ally
    Large numbers of HTTP NTLM
    exposure.
    Monitor domain expira�ons
    Server Test OWA
    Data.com Bing.com
    Cmds Emails MS APIs from public resources requests

    Send Phishing
    Email filters, thresholds, and spam User awareness training
    Email Sources Email Targets Email Content rules Incident response procedures
    Email source verifica�on
    Spoofed Spoofed Domain
    Hacked Mass Targeted Pretext Malicious
    Malicious Emails NA Blacklist checks
    SPF record checks
    Internal External Similar to Files &
    Domain Domain Company
    Account Mailing Mailing Scenario Links
    Embedding to employee addresses Logs / SEIM / Alerts

    Deliver the
    Asset / config / patch mgmt. Email filters, thresholds, and spam User awareness training
    Malicious Links Website Components Files An�-virus / HIDs / HIPs rules Incident response procedures
    @ Secure group policy Deny / log relay requests

    Port Geo
    Phish Creden�al Java Applet
    Brower
    Browser Common Office Payloads Mail client configura�ons
    MS Office Security Se�ngs
    Secure caching provider
    Web filtering / white lis�ng
    Web Collec�on ClickOnce Add-On exec file Docs + Web browser configura�ons Authen�cated HTTP proxies
    Scan Locate Exploit
    Site Form HTA Exploit formats Macros to employee systems Logs / SEIM / Alerts Logs / SEIM / Alerts

    Common Payload Command Types Run the Payload Asset / config / patch mgmt.
    An�-virus / HIDs / HIPs

    Commands
    Secure group policy se�ngs User awareness training
    NA
    Commands Binaries Scripts Standard Assembly Byte Applica�on white lis�ng Incident response procedures
    Code Least privilege enforcement
    cmd, wmi, wrm, Executable, PS, VB, VBS, Code Code
    �p, net, etc Installer, Library JS, Bat C, C++, C# shellcode Java, .Net on employee systems Logs / SEIM / Alerts

    Asset / config / patch mgmt.


    Common Local Persistence Methods Maintain Local An�-virus / HIDs / HIPs
    Secure group policy se�ngs

    Persistence
    User awareness training
    Applica�on white lis�ng NA
    PW / Pvt Key File, Registry, WMI Incident response procedures
    Custom Windows Scheduled Code / File Driver Least privilege enforcement
    PW Hash & Applica�on Event Logs / SEIM / Alerts
    Providers Service Task Modifica�on BIOS
    Kerb Ticket Autoruns Trigger on employee systems FIM / WMI event triggers

    Egress Ports Common Protocols Common Types Obtain Command & Asset / config / patch mgmt.
    An�-virus / HIDs / HIPs
    Firewall Rules / Segmenta�on
    NIDs / NIPs

    Control Channel
    Secure group policy se�ngs Fix Up Protocols User awareness training
    DNS SSH FTP Torrent Bind Shell Applica�on white lis�ng Web Filtering / White Lis�ng Incident response procedures
    TCP IPv4 HTTP Least privilege enforcement Authen�cated HTTP Proxies
    ICMP Telnet NFS IM Beacon Reverse Shell
    UDP IPv6 HTTPS Logs / SEIM / Alerts Logs / SEIM / Alerts
    NTP Rlogin SMB SMTP Web Shell from employee systems

    An�-virus / HIDs / HIPs


    Weak Configura�ons Local Exploits Escalate Local Secure group policy se�ngs
    Applica�on white lis�ng

    Privileges
    Admin awareness training
    Least privilege enforcement Logs / SEIM / Alerts
    Weak Password Incident response procedures
    Insecure Insecure Insecure Insecure Excessive Logs / SEIM / Alerts
    or Password OS APP DEP / ASLR / SEH
    Service Schtask GPO Protocol Privilege
    Storage Method on employee systems Micro virtualizing / sandboxes

    Steal
    Common local Targets Perform Local Asset / config / patch mgmt.
    An�-virus / HIDs / HIPs
    Authen�ca�on Tokens
    Password /
    Password Kerberos OS, Domain,
    Users & Cache Services & Installed Files &
    Recon / Discovery Secure group policy se�ngs
    Applica�on white lis�ng
    Least privilege enforcement
    Logs / SEIM / Alerts
    Admin awareness training
    Incident response procedures
    Hash Ticket & Network
    Private Key
    (PTH) (PTT) Informa�on
    Groups & Logs Processes Apps Registry on employee systems Logs / SEIM / Alerts

    Passive Locate Domain, Ent.


    Perform Network
    HIDs / HIPs
    Firewall rules / segmenta�on
    Ac�ve Discovery Logs / SEIM / Alerts
    NIDs / NIPs
    Recon & Forest Admins Canaries
    Recon / Discovery
    Honey pots Admin awareness training
    - Local & Domain User Accounts
    Ping & DNS & Share & DB, SP & Remote Tarpits Incident response procedures
    Trace Domain - Domain Computer Accounts
    Port ADS Logon Sessions Canary networks, systems, & accounts
    Sniffing Mail Svr - Local and Network Files
    Route
    Scanning Queries Scanning Scanning
    GPOs & SPN
    & Processes on internal networks File Audi�ng
    Logs / SEIM / Alerts

    Stolen Asset / config / patch mgmt.

    Authen�ca�on Tokens
    Common Methods Perform Lateral An�-virus / HIDs / HIPs
    Secure group policy se�ngs
    Firewall Rules / Segmenta�on
    NIDs / NIPs
    Don’t use shared local accounts
    Use a separate domain user and
    Web
    Movement
    Honey Pots
    Applica�on white lis�ng server admin accounts
    Password Kerberos ShellsDB, App Remote Tarpits
    Password / MGMT Windows Sched File GPO, Least privilege enforcement Maintain secure configs
    Canary networks, systems, & accounts
    Hash Ticket & VM Exploit, Logs / SEIM / Alerts Incident response procedures
    Private Key Services Service Task Share SCCM
    (PTH) (PTT) Servers Physical between systems/networks Host-based Firewall
    Logs / SEIM / Alerts

    Steal Admin A�ack


    Escalate Domain
    Asset / config / patch mgmt.
    Firewall Rules / Segmenta�on
    Escalate to Root Domain An�-virus / HIDs / HIPs
    NIDs / NIPs
    Don’t use shared local accounts
    Authen�ca�on Tokens DCs Secure group policy se�ngs Use a separate domain user and
    Privileges
    Honey Pots
    Applica�on white lis�ng server admin accounts
    Password Kerberos Exploits, Domain Exploits Tarpits
    Password / Shared Delegated Privs Least privilege enforcement Maintain secure configs
    Hash Ticket Kerberoast Trusts & Kerberoast Canary networks, systems, & accounts
    Logs / SEIM / Alerts Incident response procedures
    Private Key
    (PTH) (PTT) & GPP
    Password Nested Groups
    SID History GPO via common vectors Host-based Firewall
    Logs / SEIM / Alerts

    Least Privilege Enforcement


    Common Data Stores Common Data Targets Find and Access Two-Factor Authen�ca�on
    Data Encryp�on and Secure Key
    Firewall Rules / Segmenta�on
    NIDs / NIPs
    User awareness training
    Incident response procedures
    Honey Pots

    Mail File Database Code


    PII
    IP & Financial
    Insider Sensi�ve Data Management
    File, Applica�on, and Database
    Tarpits
    Canary networks, systems, & accounts
    Manage keys securely
    Consolidate and isolate sensi�ve
    PHI Trading Audi�ng data stores
    Servers Servers Servers Repositories Research Data
    CHD Info in common data stores Host DLP / Logs / SEIM / Alerts
    Logs / SEIM / Alerts

    Common Protocols Physical


    Exfiltrate
    Firewall Rules / Segmenta�on
    Data Handling HIDs / HIPs Email Server Configura�on
    TCP/UDP, v4/6 Media Host DLP Network DLP

    Sensi�ve Data
    User awareness training
    Large file upload detec�on Fix Up Protocols
    Common & Standard & C2 and Staged Large Compression Incident response procedures
    LAN & USB CD Mail client/server se�ngs Web Filtering / Auth Proxy
    Wireless Uncommon Custom Alterna�ve & not & Small Encoding Logs / SEIM / Alerts Canary Data Samples
    & SD DVD using common channels
    Ports Protocols Channels Staged Files Encryp�on Logs / SEIM / Alerts

    Stolen Two Common Internet Facing


    Authen�ca�on Tokens Factor Interfaces
    Maintain Remote Access Enforce Two-factor authen�ca�on on
    all external interfaces
    Firewall rules / segmenta�on
    NIDs / NIPs Admin awareness training

    Without a C2
    Limit Terminal Service, Citrix, and
    Canary networks, systems, Incident response procedures
    Password Kerberos Private Key RDP Office365 VDE access to specific groups during
    Password / Web Based applica�ons, and accounts Enforce strong account policies
    specific hours
    Hash Ticket Token Seed VPN SSH Azure Logged events / SEIM / alerts
    Private Key Citrix & TS using common interfaces Geo / IP limi�ng
    (PTH) (PTT) Skeleton Key VDE AWS

    You might also like