DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct - - PowerPoint PPT Presentation

DIY Blue Teaming DIY Blue Teaming

(Keeping attackers out, with duct tape and chewing gum!)

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work Security by obscurity (because sucker punches work, even though nobody wants to admit it. "Hack Back" tricks - *TRY AT YOUR OWN RISK* Why buy the cow when you can have the milk for free?

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Usually the purpose of 0day is to execute

• malware. If you stop that malware from

executing you essentially mitigate the 0day.

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

0day (and it's often attached malware) tends to fail in the wild, like A LOT. When it does, it makes errors. If you can catch those errors in context, sometimes, you get to keep / analyse the malware AND THE 0DAY!

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

tl;dr, make your environment unpredictable so that you spend less time threat hunting and more time seeing stuff actually being thrown at you! (aka: NOT GETTING PWNED)

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods:

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods:

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Re order all the syscalls Re order all the syscalls

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods:

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: "Remove" your shell "Remove" your shell

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: "Remove" your shell "Remove" your shell

Use unix noshell on every user and then point ssh to a binary that downloads a shell and runs it upon login

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: "Remove" your shell "Remove" your shell

Actually remove bash from the box Use unix noshell on every user and then point ssh to a binary that downloads a shell and runs it upon login

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities...

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... SSH "dupe" setup... SSH "dupe" setup...

https://github.com/stealth/sshttp SSH HTTPS

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... SSH "dupe" setup... SSH "dupe" setup...

https://github.com/stealth/sshttp Port 22 SSH HTTPS

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... SSH "dupe" setup... SSH "dupe" setup...

https://github.com/stealth/sshttp Port 22 Port 8443 Actual SSH Server SSH HTTPS

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... GCC shouldn't be on boxes in prod GCC shouldn't be on boxes in prod anyway... anyway...

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... GCC shouldn't be on boxes in prod GCC shouldn't be on boxes in prod anyway... anyway...

replace GCC with a binary that never actually outputs the file to disk but DOES run it through virus total and give you alerts

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Tripwire apps that modify the Tripwire apps that modify the filesystem filesystem

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Tripwire apps that modify the Tripwire apps that modify the filesystem filesystem

cp mv ln = If <arg1> == "core lib" { wtf_are_you_doing() }

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Make uname "lie" Make uname "lie"

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Modprobe Modprobe

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Modprobe Modprobe

Check that module contains this supper sekret squirl token that is in all my modules

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Modprobe Modprobe

"decrypt" binaries before loading

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Modprobe Modprobe

Rename modprobe to something else and make modprobe send a security alert

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Break all the things! Break all the things!

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... Break all the things! Break all the things!

... and then alias all the things in the user prefs of legit admins

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor your own utilities... Backdoor your own utilities... One app to rule them all! One app to rule them all!

aka: "the initramfs trick"

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods:

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Get full crash dumps Get full crash dumps

https://support.microsoft.com/en-us/help/927069/how-to-generate-a- complete-crash-dump-file-or-a-kernel-crash-dump-file

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Rename the Powershell exe (just like the bash trick but Rename the Powershell exe (just like the bash trick but for windows) for windows)

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Over-the-shoulder transcription Over-the-shoulder transcription

https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell- the-blue-team/

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Over-the-shoulder transcription Over-the-shoulder transcription

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Over-the-shoulder transcription Over-the-shoulder transcription

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Hook OpenProcess() to look for well targeted Hook OpenProcess() to look for well targeted applications applications

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Hook OpenProcess() to look for well targeted Hook OpenProcess() to look for well targeted applications applications

Notepad Calc Explorer

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor reg edit Backdoor reg edit

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Backdoor reg edit Backdoor reg edit

Who’s using it and why? What is being edited? (key on specific reg keys like appinitdll, etc)

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Auto pe-sive dll Auto pe-sive dll

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Auto pe-sive dll Auto pe-sive dll

@hasherezade

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Auto pe-sive dll Auto pe-sive dll

@hasherezade

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods:

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Fake SMB Fake SMB

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods: Little Snitch / Micro Snitch (or lulu Little Snitch / Micro Snitch (or lulu if ya have to) if ya have to)

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: Methods:

https://github.com/kai5263499/osx-security-awesome#hardening

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Methods: ... misc Methods: ... misc

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Open SMB share that nobody has a reason to access Open SMB share that nobody has a reason to access

(hint, Metasploit SMB link :))

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

Canary users Canary users

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

“Honey tokens” “Honey tokens”

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

“Honey tokens” “Honey tokens”

Fake AWS tokens

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

“Honey tokens” “Honey tokens”

Fake AWS tokens Fake github accounts with poisoned source and or credz

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

“Honey tokens” “Honey tokens”

Fake AWS tokens Browser automated phishing "clickers" (bonus points for fake 2fa) Fake github accounts with poisoned source and or credz

DIY Blue Teaming DIY Blue Teaming

Ways to make malware not work

“Honey tokens” “Honey tokens”

Fake AWS tokens Browser automated phishing "clickers" (bonus points for fake 2fa) Browser automated phishing "clickers" (bonus points for fake 2fa) Fake github accounts with poisoned source and or credz

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Randomly generate "deny" messages in robots.txt Randomly generate "deny" messages in robots.txt

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Randomly generate "deny" messages in robots.txt Randomly generate "deny" messages in robots.txt

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

TCP/redirect + stuff you actually use + mandatory time delay TCP/redirect + stuff you actually use + mandatory time delay = VERY frustrated attackers VERY frustrated attackers

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Make bad actors think you're hunting them! Make bad actors think you're hunting them!

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Make bad actors think you're hunting them! Make bad actors think you're hunting them!

Step 1: Go get some "Blacklists"

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Make bad actors think you're hunting them! Make bad actors think you're hunting them!

Step 2: Write some "software" that gathers information about a host....

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Make bad actors think you're hunting them! Make bad actors think you're hunting them!

Step 3: Build some honey hosts on 1 or 2 DMZs in your IP space that look like the systems you "found"

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Make bad actors think you're hunting them! Make bad actors think you're hunting them!

Step 4: Go back to the "bad person" forum and say "Hay! I found some more, add these blocks!"

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Make bad actors think you're hunting them! Make bad actors think you're hunting them!

• 1. Register (fbi|cia|fsb|nsa).<yourOrgName>.com
• 2. Skin it with a web based honey pot that looks

like a lawful interception portal

DIY Blue Teaming DIY Blue Teaming

Security by obscurity Security by obscurity

Make bad actors think you're hunting them! Make bad actors think you're hunting them!

• 1. Register (fbi|cia|fsb|nsa).<yourOrgName>.com
• 2. Skin it with a web based honey pot that looks

like a lawful interception portal

DIY Blue Teaming DIY Blue Teaming

"Hack – back" tricks "Hack – back" tricks

DIY Blue Teaming DIY Blue Teaming

"Hack – back" tricks "Hack – back" tricks

PasswordBackup.autoexec.zip PasswordBackup.autoexec.zip

DIY Blue Teaming DIY Blue Teaming

"Hack – back" tricks "Hack – back" tricks

BeEF hooks in "honey" web app accounts BeEF hooks in "honey" web app accounts

DIY Blue Teaming DIY Blue Teaming

"Hack – back" tricks "Hack – back" tricks

Solicit shells in your own org... Solicit shells in your own org...

DIY Blue Teaming DIY Blue Teaming

"Hack – back" tricks "Hack – back" tricks

Distribute disinformation about your org.. Distribute disinformation about your org..

DIY Blue Teaming DIY Blue Teaming

Why buy the cow when you can have the Why buy the cow when you can have the milk for free? milk for free?

DIY Blue Teaming DIY Blue Teaming

Why buy the cow when you can have the milk for free? Why buy the cow when you can have the milk for free?

VirtualBox + VirusTotal + https://github.com/elazarl/goproxy

• DIY FireEye :)

DIY Blue Teaming DIY Blue Teaming

Why buy the cow when you can have the milk for free? Why buy the cow when you can have the milk for free?

VirtualBox + VirusTotal + https://github.com/elazarl/goproxy

• DIY FireEye :)

DIY Blue Teaming DIY Blue Teaming

Why buy the cow when you can have the milk for free? Why buy the cow when you can have the milk for free?

ELK + (LVM * Dropbox) = FTW!!!

DIY Blue Teaming DIY Blue Teaming

Why buy the cow when you can have the milk for free? Why buy the cow when you can have the milk for free?

https://www.reddit.com/r/Splunk/commen ts/2jwiso/10g_free_splunk_dev_license/

DIY Blue Teaming DIY Blue Teaming

Why buy the cow when you can have the milk for free? Why buy the cow when you can have the milk for free?

Appscan is written in .NET .... :)

DIY Blue Teaming DIY Blue Teaming

DIY Blue Teaming DIY Blue Teaming