a b a bett etter mod er model f el for or pen t en test
play

A B A Bett etter Mod er Model f el for or Pen T en Test esting - PowerPoint PPT Presentation

Jan 25, 2024 •101 likes •395 views

Assu Assumed med Br Breac each: h: A B A Bett etter Mod er Model f el for or Pen T en Test esting ing Mike Saunders mike@redsiege.com @hardwaterhacker slides: redsiege.com/abm ABOUT ABOUT Mik Mike Principal Consultant - Red

  1. Assu Assumed med Br Breac each: h: A B A Bett etter Mod er Model f el for or Pen T en Test esting ing Mike Saunders mike@redsiege.com @hardwaterhacker slides: redsiege.com/abm

  2. ABOUT ABOUT Mik Mike Principal Consultant - Red Siege > 20 years IT > 12 years security kayaking / fishing / music / photography 2

  3. Pen T en Testing esting is is BR BROKEN OKEN Internal pen tests don't represent how attackers operate Starting inside the network (kali or otherwise) Noisy scans Lobbing exploits everywhere redsiege.com 3

  4. "I "I WANT WANT A A RED T RED TEAM" EAM" Most customers don't need a true red team Require a lot of time = expensive Requires maturity in IT org. Low return on investment compared to other test options redsiege.com 4

  5. ASS ASSUMED UMED WHA WHAT? T? Based on assumption endpoint is already compromised / org is breached What can an attacker do with this access redsiege.com 5

  6. AB AB - TW TWO( O(ish ish) ) MODELS MODELS Malicious User Compromised User Both use standard workstation image with representative users Preferably a recently terminated user DA is a tool, not a destination! redsiege.com 6

  7. Compr Compromised omised USE USER R - PATH TH A Simulate a user who clicked on a payload Execute a custom payload All ops take place over C2 framework Pivot to remote access with creds redsiege.com 7

  8. Compr Compromised omised USE USER R - PATH TH B Demonstrate impact of compromised user Operate on workstation Shipped laptop / VPN + RDP / on site Work with tools available on desktop or what can be loaded Initiate C2 if needed redsiege.com 8

  9. AV/EDR V/EDR - DISABLED? DISABLED? AV/EDR can be bypassed given time Is it worth client $$$ to spend time to bypass? Discuss goals with client @HackingLZ - Start with AV/EDR enabled, verify bypass or visibility of actions, then disable if needed redsiege.com 9

  10. MALICIOUS MALICIOUS USER USER Simulates employee who wants to steal / cause harm Shipped laptop / VPN + RDP / on site Testing starts on standard workstation Whatever tooling is available on workstation Standard AV/EDR config redsiege.com 10

  12. REAL REAL WORLD ORLD TACTICS CTICS https://www.fireeye.com/blog/threat-research/2019/04/finding-weaknesses- before-the-attackers-do.html Blog lays out likely real-world attack scenario Phishing Pivot to internal through remote access Targeted Kerberoasting => elevation of privilege Access high-value targets redsiege.com 12

  13. ASS ASSUMED UMED BREA BREACH CH TACTICS CTICS Simulate payload sent via email / SE Search out high value targets / data Kerberoasting => elevation of privilege Gather credentials Pivot to data Access high-value targets DA is a tool, not a destination! redsiege.com 13

  14. DOMAIN DOMAIN FR FRONTING ONTING Vendors are breaking traditional fronting model Some CDNs still work *.cloudfront.net / *.azureedge.net still works Build custom C2 profile https://github.com/bluescreenofjeff/ Malleable-C2-Randomizer redsiege.com 14

  15. INIT INITIAL IAL ACCESS CCESS Simulating phishing HTA is still effective https://github.com/trustedsec/unicorn https://github.com/danielbohannon/Invoke-Obfuscation https://github.com/samratashok/nishang/blob/master/Client/Out- HTA.ps1 https://github.com/nccgroup/demiguise redsiege.com 15

  16. INIT INITIAL IAL ACCESS CCESS Macros ClickOnce Executables https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ So many more… redsiege.com 16

  17. FINDING FINDING ACCOUNTS CCOUNTS Password spraying (Internal or External) OWA / O365 https://github.com/dafthack/MailSniper Domain accounts https://github.com/dafthack/DomainPasswordSpray redsiege.com 17

  18. KERB KERBER EROAST ASTING ING Traditional tools PowerView Invoke-Kerberoast https://raw.githubusercontent.com/fullmetalcache/tools/master/autokerb eroast_nomimi_stripped.ps1 Invoke-AutoKerberoast -Format hashcat redsiege.com 18

  19. KERB KERBER EROAST ASTING ING Ideally low & slow Target users in specific groups (PowerView) https://www.harmj0y.net/blog/powershell/kerberoasting-without- mimikatz/ Get-DomainUser -SPN & Get-DomainSPNTicket -SPN Random Delay https://adsecurity.org/?p=230 redsiege.com 19

  20. MINING MINING AD AD SharpHound via execute-assembly Research stealth options --NoSaveCache is your friend Hunt for creds in AD schema ADExplorer.exe -snapshot "" ad.snap -noconnectprompt https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad- explorer/ redsiege.com 20

  21. HUNT HUNTING ING GPP GPP CREDS CREDS GPP = XML config files stored in SYSVOL Store credentials for workstation local admin, mapping drives, etc. https://adsecurity.org/?p=2288 PowerSploit Get-GPPPassword PowerSploit PowerUp Get-CachedGPPPassword redsiege.com 21

  22. LA LATE TERAL RAL MO MOVEMENT VEMENT Find lateral movement to admin access with PowerView Test-AdminAccess -ComputerName Get-DomainComputer | Test-AdminAccess psexec wmic redsiege.com 22

  23. TRA TRAWLING WLING FILES/SHARES FILES/SHARES Elevated account creds (DA / sa / etc.) frequently found in files PowerShell PSReadLine Logs (ConsoleHost_history.txt) Source code & sensitive data PowerView Invoke-ShareFinder -CheckAccess Find-InterestingDomainShareFile Find-InterestingFile redsiege.com 23

  24. HUNT HUNTING ING SES SESSIONS SIONS Find files that can be used for lateral movement SSH private keys, RDP files, FileZilla / WinSCP saved passwords, etc. https://github.com/Arvanaghi/SessionGopher Invoke-SessionGopher -Thorough (local system) Invoke-SessionGopher -Target hostxyz -Thorough Invoke-SessionGopher -AllDomain -Thorough redsiege.com 24

  25. BY BYO O PO POWERSHE WERSHELL LL Code can be executed in ISE even if PS script execution is disabled Build custom PS environment https://github.com/fullmetalcache/PowerLine redsiege.com 25

  26. PR PROS OS & & CONS CONS Pro Better understanding of strengths & weaknesses Ability to model real-world TTPs Cons Limited time means we have to be noisier Not focused on vulns Non-representative accounts/workstations can negatively impact test redsiege.com 26

  27. SUMMAR SUMMARY Better way to prepare clients for attacks they're likely to face Requires maturity in client processes VA & pen test cycles before client is ready Work with client to get good accounts and workstations PowerShell & Cobalt Strike aren't the only way - these were just examples redsiege.com 27

  28. QUES QUESTION TIONS? Mike Saunders Principal Consultant mike@ redsiege .com @hardwaterhacker @RedSiegeInfoSec Slides: redsiege.com/abm redsiege.com 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BETTER BART BETTER BAY AREA BETT BETTER ER BAR ART T / / BETT BETTER ER BAY Y AREA AREA

BETTER BART BETTER BAY AREA BETT BETTER ER BAR ART T / / BETT BETTER ER BAY Y AREA AREA

BETTER BART BETTER BAY AREA BETT BETTER ER BAR ART T / / BETT BETTER ER BAY Y AREA AREA 2 2 BAR ART T SY SYSTE STEM THE THEN A N AND NO ND NOW The decision of the people to build a 3 -county Bay Area rapid transit system

471 views • 26 slides
Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang,

Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang,

Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang, ng, CD CD-adapco pco LES: : Scaled d Combust ustor Bet etter er flow and mixing ng accurac racy Results lts in bett etter er predic

864 views • 60 slides
Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang,

Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang,

Reacti ting ng flow modeling ng and applica cati tions ns in STAR-CCM+ Yongzhe gzhe Zhang, ng, CD-adapco pco LES: : Scaled d Combust ustor Bet etter er flow and mixing ng accurac racy Results lts in bett etter er predic

604 views • 33 slides
Ann Marie Sullivan, MD Commissioner NY State OMH } BET ETTER ER HEA EATLH OF THE E

Ann Marie Sullivan, MD Commissioner NY State OMH } BET ETTER ER HEA EATLH OF THE E

Ann Marie Sullivan, MD Commissioner NY State OMH } BET ETTER ER HEA EATLH OF THE E POPULATION: Prevention and Maximizing Wellness } BET ETTER ER CARE E FOR EA EACH PATIEN ENT: Quality Care focused on patient choice, engagement,

305 views • 9 slides
DEMONSTRATIONS: AN UPDATE NOVEMBER 12, 2013 PRESENTATION D E N N I S B E C K E R , M P C A / E

DEMONSTRATIONS: AN UPDATE NOVEMBER 12, 2013 PRESENTATION D E N N I S B E C K E R , M P C A / E

EQUIVALENT OR BETTER DISPERSION DEMONSTRATIONS: AN UPDATE NOVEMBER 12, 2013 PRESENTATION D E N N I S B E C K E R , M P C A / E A O D / R E A M EQUIVALENT OR BETTER DISPERSION What is is Equiv uivalen alent t or r Bett etter er Disp

329 views • 20 slides
EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT CE TEST REPORT Report Number : ETLE080619.495 Report issue date : July 21, 2008 Model / Serial No. : HWC-640 / NONE Multiple Model Name : HWC-630, HWC-650, HWC-660, HWC-680 Product Type : Hot & Cold Water Purifier

522 views • 35 slides
EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT CE TEST REPORT Report Number : ETLE070516.328 Report issue date : June 27, 2007 Model / Serial No. : ROMEO III / NONE Multiple Model Name : W2-360H, W2-340H, W2-300H, W2-310H Product Type : POU Water Cooler Applicant

612 views • 36 slides
Wednesday, July 2, 2014 4:15pm-5:15pm EDT Agenda Model Test Project Narrative Reminders:

Wednesday, July 2, 2014 4:15pm-5:15pm EDT Agenda Model Test Project Narrative Reminders:

State Innovation Models Initiative Round 2 Webinar: Model Test Proposal Format Requirements, the Population Health Plan Portion of the Model Test Proposal, and the Population Health Plan Deliverable of the Model Test Project Period

494 views • 20 slides
Water Hub @ NEST Bastian Etter, Anita Wittmer, Barbara J. Ward, Kai M. Udert, Linda Strande, Tove

Water Hub @ NEST Bastian Etter, Anita Wittmer, Barbara J. Ward, Kai M. Udert, Linda Strande, Tove

A living lab to test innovative wastewater treatment Water Hub @ NEST Bastian Etter, Anita Wittmer, Barbara J. Ward, Kai M. Udert, Linda Strande, Tove A. Larsen, Eberhard Morgenroth Image: Roman Keller Image: Gramazio Kohler Architects Image:

425 views • 15 slides
Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts

Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts

Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts Test Basis 4.1.2: Test Analysis 4.1.4: Test Implementation Test Selected Test Cases Test Conditions Conditions 4.1.3: Test Design 2 Test

1.18k views • 38 slides
TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of the

TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of the

TEST REPORT TEST REPORT Report Number : ETLE090324.03 Report issue date: May 26, 2009 Model / Serial No. : W2-360 / NONE Multiple Model Name : W2-340, W2-360H, W2-310H Product Type : Hot & Cold Water Purifier System Brand Name :

641 views • 37 slides
Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from SysML Models Jrg Brauer and Jan Peleska Verified Systems International GmbH support@verified.de Space Tech Expo Europe 2015-11-19 Motivation

499 views • 26 slides
THE HUMAN CAPITAL WILL WILL A ACC CCEL ELERA ERATE TE MO MORE AND RE AND BETT BETTER

THE HUMAN CAPITAL WILL WILL A ACC CCEL ELERA ERATE TE MO MORE AND RE AND BETT BETTER

THE HUMAN CAPITAL WILL WILL A ACC CCEL ELERA ERATE TE MO MORE AND RE AND BETT BETTER ER INVEST INVESTMENT MENTS S IN IN P PEOPL EOPLE E GL GLOB OBALL ALLY 1. Human 1. an Capital tal Index dex (HCI) I): Make the case

268 views • 16 slides
Bett Correa IT Manager at Verizon Twitter: @betterworkinc Podcast: Architecturecast.net

Bett Correa IT Manager at Verizon Twitter: @betterworkinc Podcast: Architecturecast.net

Software Architecture Decision Making Techniques Bett Correa IT Manager at Verizon Twitter: @betterworkinc Podcast: Architecturecast.net Overview Context Philosophies Actions Psychologies Summary Course Objectives

581 views • 33 slides
Engineering Best Practices Test, test, test, and test some more; test as you go Start from a

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a known working state, take small steps Make things visible (gdb, printf, logic analyzer) Methodical, systematic approach. Form hypotheses and perform

755 views • 38 slides
Code4Thought How F.A.T. (or F.Acc.T) is your ML Model? Quality in the era of Software 2.0 Test

Code4Thought How F.A.T. (or F.Acc.T) is your ML Model? Quality in the era of Software 2.0 Test

Code4Thought How F.A.T. (or F.Acc.T) is your ML Model? Quality in the era of Software 2.0 Test 18/06/2020 Yiannis Kanellopoulos Technology as part of history Test What keeps us at night Our team has spent the better part of two decades

676 views • 25 slides
ADVANCED DATABASE SYSTEMS Server-side Logic Execution @ Andy_Pavlo // 15- 721 // Spring 2019

ADVANCED DATABASE SYSTEMS Server-side Logic Execution @ Andy_Pavlo // 15- 721 // Spring 2019

Lect ure # 16 ADVANCED DATABASE SYSTEMS Server-side Logic Execution @ Andy_Pavlo // 15- 721 // Spring 2019 CMU 15-721 (Spring 2019) 2 Background UDF In-lining Working on Large Software Projects CMU 15-721 (Spring 2019) 3 O BSERVATIO N

936 views • 60 slides
Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang Frank Li Arvind Narayanan

Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang Frank Li Arvind Narayanan

Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang Frank Li Arvind Narayanan Nick Feamster 1 2 3 How to reach local IoT devices? Public devices (e.g., port forwarding) Local malware Web attacks ( this paper ) 4 How to

894 views • 51 slides
More Than a Query Language: SQL in the 21 st Century @MarkusWinand @ModernSQL

More Than a Query Language: SQL in the 21 st Century @MarkusWinand @ModernSQL

More Than a Query Language: SQL in the 21 st Century @MarkusWinand @ModernSQL http://www.almaden.ibm.com/cs/people/chamberlin/sequel-1974.pdf More Than a Query Language: SQL in the 21 st Century @MarkusWinand @ModernSQL

1.46k views • 145 slides
Unsupervised Discovery of Object Landmarks as Structural Representations Yuting Zhang 1 , Yijie

Unsupervised Discovery of Object Landmarks as Structural Representations Yuting Zhang 1 , Yijie

Unsupervised Discovery of Object Landmarks as Structural Representations Yuting Zhang 1 , Yijie Guo 1 , Yixin Jin 1 , Yijun Luo 1 , Zhiyuan He 1 , Honglak Lee 1,2 1 University of Michigan, Ann Arbor 2 Google Brain Structural representations of

1k views • 71 slides
List Decoding of Universal Polar Codes Boaz Shuval and Ido Tal 1/15 Overview Universal

List Decoding of Universal Polar Codes Boaz Shuval and Ido Tal 1/15 Overview Universal

List Decoding of Universal Polar Codes Boaz Shuval and Ido Tal 1/15 Overview Universal polarization: memoryless setting: o S as glu & Wang, ISIT 2011 settings with memory: Shuval & Tal, ISIT 2019 Error

689 views • 53 slides
Assessments Streets Reconstruction Unit Assessment 50% of the Actual Project Cost or 2019

Assessments Streets Reconstruction Unit Assessment 50% of the Actual Project Cost or 2019

Assessments Streets Reconstruction Unit Assessment 50% of the Actual Project Cost or 2019 Typical Lot Fee Schedule $5,350.00 per unit Curb and Gutter Replace Unit Assessment 50% of Actual Project Cost or 2019 Typical Lot Fee

294 views • 14 slides
Vegetation Lateral Selection Methodology Comparison (1) Lateral selection vs. (2) Substation

Vegetation Lateral Selection Methodology Comparison (1) Lateral selection vs. (2) Substation

Vegetation Lateral Selection Methodology Comparison (1) Lateral selection vs. (2) Substation holistic selection Both methodologies leverage sigma level (z-Score) performance of laterals (weighted function) Accounts for last-trim date to

106 views • 9 slides
Similarity is crucial to cognition General (often implicit) hypothesis: similar stimulus in

Similarity is crucial to cognition General (often implicit) hypothesis: similar stimulus in

Similarity is crucial to cognition General (often implicit) hypothesis: similar stimulus in similar context similar response Similarity is crucial to cognition General (often implicit) hypothesis: similar stimulus in similar context similar

1.03k views • 64 slides

More recommend