diy blue teaming diy blue teaming
play

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct - PowerPoint PPT Presentation

Apr 19, 2023 •317 likes •1.11k views

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Security by obscurity (because sucker punches work, even though nobody wants to admit

  1. DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!)

  2. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Security by obscurity (because sucker punches work, even though nobody wants to admit it. "Hack Back" tricks - *TRY AT YOUR OWN RISK* Why buy the cow when you can have the milk for free?

  3. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work

  4. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Usually the purpose of 0day is to execute malware. If you stop that malware from executing you essentially mitigate the 0day.

  5. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work 0day (and it's often attached malware) tends to fail in the wild, like A LOT. When it does, it makes errors. If you can catch those errors in context, sometimes, you get to keep / analyse the malware AND THE 0DAY!

  6. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work tl;dr, make your environment unpredictable so that you spend less time threat hunting and more time seeing stuff actually being thrown at you! (aka: NOT GETTING PWNED)

  7. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Methods: Methods:

  8. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Methods: Methods:

  9. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Re order all the syscalls Re order all the syscalls Methods: Methods:

  10. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Methods: Methods:

  11. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work "Remove" your shell "Remove" your shell Methods: Methods:

  12. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Use unix noshell on every user and then point ssh to a binary that downloads a shell and runs it upon login "Remove" your shell "Remove" your shell Methods: Methods:

  13. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Use unix noshell on every user and then point ssh to a binary that downloads a shell and runs it upon login "Remove" your shell "Remove" your shell Actually remove bash from the box Methods: Methods:

  14. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Backdoor your own utilities... Backdoor your own utilities... Methods: Methods:

  15. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work SSH "dupe" setup... SSH "dupe" setup... Backdoor your own utilities... Backdoor your own utilities... SSH HTTPS Methods: Methods: https://github.com/stealth/sshttp

  16. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work SSH "dupe" setup... SSH "dupe" setup... Port 22 Backdoor your own utilities... Backdoor your own utilities... SSH HTTPS Methods: Methods: https://github.com/stealth/sshttp

  17. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work SSH "dupe" setup... SSH "dupe" setup... Port 22 Backdoor your own utilities... Backdoor your own utilities... Actual SSH Port 8443 Server SSH HTTPS Methods: Methods: https://github.com/stealth/sshttp

  18. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work GCC shouldn't be on boxes in prod GCC shouldn't be on boxes in prod anyway... anyway... Backdoor your own utilities... Backdoor your own utilities... Methods: Methods:

  19. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work GCC shouldn't be on boxes in prod GCC shouldn't be on boxes in prod anyway... anyway... replace GCC with a binary that never Backdoor your own utilities... Backdoor your own utilities... actually outputs the file to disk but DOES run it through virus total and give you alerts Methods: Methods:

  20. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Tripwire apps that modify the Tripwire apps that modify the filesystem filesystem Backdoor your own utilities... Backdoor your own utilities... Methods: Methods:

  21. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Tripwire apps that modify the Tripwire apps that modify the filesystem filesystem ln = cp If <arg1> == "core lib" { Backdoor your own utilities... Backdoor your own utilities... mv wtf_are_you_doing() } Methods: Methods:

  22. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Backdoor your own utilities... Backdoor your own utilities... Make uname "lie" Make uname "lie" Methods: Methods:

  23. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Modprobe Modprobe Backdoor your own utilities... Backdoor your own utilities... Methods: Methods:

  24. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Modprobe Modprobe Check that module contains this supper sekret squirl Backdoor your own utilities... Backdoor your own utilities... token that is in all my modules Methods: Methods:

  25. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Modprobe Modprobe Backdoor your own utilities... Backdoor your own utilities... "decrypt" binaries before loading Methods: Methods:

  26. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Modprobe Modprobe Rename modprobe to something else and Backdoor your own utilities... Backdoor your own utilities... make modprobe send a security alert Methods: Methods:

  27. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Break all the things! Break all the things! Backdoor your own utilities... Backdoor your own utilities... Methods: Methods:

  28. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Break all the things! Break all the things! Backdoor your own utilities... Backdoor your own utilities... ... and then alias all the things in the user prefs of legit admins Methods: Methods:

  29. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work One app to rule them all! One app to rule them all! Backdoor your own utilities... Backdoor your own utilities... aka: "the initramfs trick" Methods: Methods:

  30. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Methods: Methods:

  31. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Get full crash dumps Get full crash dumps https://support.microsoft.com/en-us/help/927069/how-to-generate-a- complete-crash-dump-file-or-a-kernel-crash-dump-file Methods: Methods:

  32. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Rename the Powershell exe (just like the bash trick but Rename the Powershell exe (just like the bash trick but for windows) for windows) Methods: Methods:

  33. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Over-the-shoulder transcription Over-the-shoulder transcription https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell- the-blue-team/ Methods: Methods:

  34. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Over-the-shoulder transcription Over-the-shoulder transcription Methods: Methods:

  35. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Over-the-shoulder transcription Over-the-shoulder transcription Methods: Methods:

  36. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Hook OpenProcess() to look for well targeted Hook OpenProcess() to look for well targeted applications applications Methods: Methods:

  37. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Hook OpenProcess() to look for well targeted Hook OpenProcess() to look for well targeted applications applications Notepad Calc Explorer Methods: Methods:

  38. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Backdoor reg edit Backdoor reg edit Methods: Methods:

  39. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Backdoor reg edit Backdoor reg edit Who’s using it and why? What is being edited? (key on specific reg keys like appinitdll, etc) Methods: Methods:

  40. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Auto pe-sive dll Auto pe-sive dll Methods: Methods:

  41. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Auto pe-sive dll Auto pe-sive dll @hasherezade Methods: Methods:

  42. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Auto pe-sive dll Auto pe-sive dll @hasherezade Methods: Methods:

  43. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Methods: Methods:

  44. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Fake SMB Fake SMB Methods: Methods:

  45. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Little Snitch / Micro Snitch (or lulu Little Snitch / Micro Snitch (or lulu if ya have to) if ya have to) Methods: Methods:

  46. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work https://github.com/kai5263499/osx-security-awesome#hardening Methods: Methods:

  47. DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Methods: ... misc Methods: ... misc

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Welcome Parents! Forest Lake Area Middle School Benefits of Teaming Small Learning

Welcome Parents! Forest Lake Area Middle School Benefits of Teaming Small Learning

Welcome Parents! Forest Lake Area Middle School Benefits of Teaming Small Learning Environments Close Personal Relationships Team-Based Activities New Concept This Year...Teams! Blue Team Counselor: Brooke Johnson Green Team

468 views • 20 slides
Small Business Teaming Arrangements Devon E. Hewitt Partner, Protorae Law PLLC 8075 Leesburg

Small Business Teaming Arrangements Devon E. Hewitt Partner, Protorae Law PLLC 8075 Leesburg

Small Business Teaming Arrangements Devon E. Hewitt Partner, Protorae Law PLLC 8075 Leesburg Pike, Suite 760 Tysons, VA 22182 703.942.6746 dhewitt@protoraelaw.com Types of (Federal) Teaming Arrangements Prime/Sub Teaming Joint

95 views • 6 slides
Teaming: ing: Two or more companies coming together to pursue and fulfill a government

Teaming: ing: Two or more companies coming together to pursue and fulfill a government

Teaming: ing: Two or more companies coming together to pursue and fulfill a government project Each company keeps their separate identity The companies enter into a formal teaming agreement (a form a partnership agreement

556 views • 55 slides
Teaming of Conventional Submarines and XLUUV W. H. Wehner 1 , Dr. C. Fruehling 2 , Dr. B. Lehmann 3

Teaming of Conventional Submarines and XLUUV W. H. Wehner 1 , Dr. C. Fruehling 2 , Dr. B. Lehmann 3

UDT 2020 Teaming of Conventional Submarines and XLUUV / Extra-Large Unmanned Platforms UDT Extended Abstract Teaming of Conventional Submarines and XLUUV W. H. Wehner 1 , Dr. C. Fruehling 2 , Dr. B. Lehmann 3 , Dr. T. Wiegang 4 , N. Paul 5 1 Head

218 views • 5 slides
Slide Handouts: Teaming Take Action Welcome to Module 4: Lesson 3. S trategies for S

Slide Handouts: Teaming Take Action Welcome to Module 4: Lesson 3. S trategies for S

RPMs | Module 4 Teaming and Collaboration Take Action Slide Notes Slide Handouts: Teaming Take Action Welcome to Module 4: Lesson 3. S trategies for S uccessful Partnerships Page 1 of 21 RPMs | Module 4 Teaming and Collaboration

395 views • 21 slides
Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A

Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A

Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A SMOOTH TALKER Blue A !!!! Users 515,000 children in America with ASD who communicate verbally Design Blue A Fastening

246 views • 10 slides
Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do

Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do

Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do Minho Engenharia de Aplicaes Lus Soares Teaming Up for Software Development Introduction Agenda In the end of the session the attendee

416 views • 28 slides
Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant

Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant

Web-pages Email Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant messages Digitized books, articles Lucas Rizoli CPSC 533C, November 2006 2 3 4 Fast Text can be a dense representation New York

576 views • 3 slides
Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton

Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton

Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton Ferrer Research Manager (AI Red Team @ Facebook) Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world ...with Manipulated

983 views • 79 slides
2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield

2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield

2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield of Kansas to the 2020 Blue's Tour! We are glad you could all join us virtually today! I am Jessica Moore, Education and Communication Coordinator

290 views • 26 slides
Interven'ons for Idea'on Impact of framing, teaming, and tools

Interven'ons for Idea'on Impact of framing, teaming, and tools

Interven'ons for Idea'on Impact of framing, teaming, and tools on high school students design fixa'on Eli M. Silk &amp; Shanna R. Daly University

197 views • 16 slides
RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue

RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue

RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue Shield of Michigan and Blue Care Network are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association. RC Claim

423 views • 7 slides
MITREATT&amp;CK FOR RED TEAMING ABOUT ME Niklas Srkaari @ukk1sec Red Teamer

MITREATT&amp;CK FOR RED TEAMING ABOUT ME Niklas Srkaari @ukk1sec Red Teamer

MITREATT&amp;CK FOR RED TEAMING ABOUT ME Niklas Srkaari @ukk1sec Red Teamer (Senior Security Consultant) @ F-Secure MITREATT&amp;CK Knowledge base of adversary tactics, techniques and procedures (TTPs) Develop skills for

778 views • 33 slides
Overview ew Overview of Corporate Philanthropy Overview of Florida Blue Corporate and Foundation

Overview ew Overview of Corporate Philanthropy Overview of Florida Blue Corporate and Foundation

L ESSONS L EARNED FROM A C ORPORATE D ONOR Susan B. Towler Florida Blue October 21, 2015 Orange Park, FL Blue Cross and Blue Shield of Florida Foundation is an Independent Licensee of the Blue Cross and Blue Shield Association. Overview ew

422 views • 16 slides
The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+

The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+

The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+ cooling unit series the ultimate in efficiency. 2 The new Cooling Unit Generation Blue e+ Enclosure Climate Control Sensitive electronic

319 views • 27 slides
BLUE COMMUNITIES What is a Blue Community? The Blue Communities Project encourages municipalities

BLUE COMMUNITIES What is a Blue Community? The Blue Communities Project encourages municipalities

BLUE COMMUNITIES What is a Blue Community? The Blue Communities Project encourages municipalities and Indigenous communities to adopt a water commons framework by: 1. recognizing water and sanitation as human rights 2. banning bottled water in

183 views • 15 slides
FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB

FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB

FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB courses intro DB course graduate FDM course FDM book educate &amp; attract FDM in non-DB course TCS: from reg exps to RPQs DBs

452 views • 9 slides
Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities psychological operations (psyop) cyber war/net war In wartime the term is Command, Control, Communications, Intelligence, Sensors Warfare(C3ISW)

287 views • 13 slides
Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial

Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial

Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial for synchronized data-structures - Up to 32 cores in PA4 LL/SC Syntax LL a, off(b): loads M[b + off] into register a SC c, off(d):

289 views • 18 slides
Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon 12 Ramin Sadre 1 SIGCOMM-WTMC, 20th August 2018 1 Institute of Information and Communication Technologies, Electronics and Applied Mathematics

561 views • 17 slides
Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr

Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr

Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr LIP6 (CNRS - UPMC) Complex Networks team http://complexnetworks.fr The team http://complexnetworks.fr : plots &amp; videos 4 permanent

899 views • 44 slides
Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to

Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to

Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to Cybersecurity Empirical studies are needed to add science to cybersecurity Challenges: Security metrics are lacking Security data are not

661 views • 37 slides
Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge

Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge

Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge University Computer Laboratory Networks &amp; Operating Systems SRG, Computer Laboratory Outline Part I Part II We are all data subjects,

1.25k views • 46 slides
1 Models for Translucent Objects Models for Translucent Objects Models for Translucent Objects

1 Models for Translucent Objects Models for Translucent Objects Models for Translucent Objects

Translucent Objects Translucent Objects Realistic Materials Realistic Materials Translucent Materials light is scattered through the object incident illumination smoothed due to diffuse scattering inside media Inhomogeneous

524 views • 5 slides

More recommend