TM Blue Team Defenses - NetSPI Blog · 2020-04-10 · Common Red Team Detective and Preventative...


Transcript of the poster "Introduction to common Red Team Attacks & Blue Team Defenses" (brought to you by NetSPI), regrouped by kill-chain phase. For each phase the poster pairs the common red team attack vectors and techniques with the common blue team detective and preventative controls; the controls are split into Endpoint, Network and Process columns, and "NA" marks a column the poster leaves empty.

Common Attack Kill Chain

1. Prepare Phishing Attacks from public resources
2. Create Phishing Payloads & Sites
3. Send Phishing Emails to employee addresses
4. Deliver the Payloads to employee systems
5. Run the Payload Commands on employee systems
6. Obtain Command & Control Channel from employee systems
7. Perform Local Recon / Discovery on employee systems
8. Escalate Local Privileges on employee systems
9. Maintain Local Persistence on employee systems
10. Perform Network Recon / Discovery on internal networks
11. Perform Lateral Movement between systems/networks
12. Escalate Domain Privileges via common vectors
13. Find and Access Sensitive Data in common data stores
14. Exfiltrate Sensitive Data using common channels
15. Maintain Remote Access Without a C2 using common interfaces

Phase 1: Prepare Phishing Attacks from public resources

Red team attack vectors and techniques:
- Find Emails & Users: LinkedIn.com, Data.com, Google.com, Bing.com, Custom Providers
- Verify Emails & Users: SMTP Server Cmds (VRFY, EXPN, sequential RCPT TO), HTTP with NTLM, Office365 / OWA, MS APIs, Send Test Emails
- Buy Expired Domains; Create Content-Filter Exceptions

Blue team detective and preventative controls:
- Endpoint: NA
- Network: Deny / log VRFY requests; Deny / log EXPN requests; Log RCPT commands executed sequentially; Log / alert on large numbers of HTTP NTLM requests
- Process: User awareness training; Track the company's point of presence and employee exposure; Monitor domain expirations

Phase 2: Create Phishing Payloads & Sites

Red team attack vectors and techniques:
- Malicious Files & Embedding: Common exec file formats; Office Docs + Macros
- Website Components: Geo Locate; Phish Web Site; Port Scan; Credential Collection Form; Java Applet; ClickOnce; HTA; Browser Exploit; Browser Add-On Exploit

Blue team detective and preventative controls: none listed on the poster for this phase.

Phase 3: Send Phishing Emails to employee addresses

Red team attack vectors and techniques (Common Variations):
- Email Content: Files; Malicious Links; Pretext Scenario
- Email Sources: Spoofed Internal Domain; Spoofed External Domain; Domain Similar to Company; Hacked Account
- Email Targets: Mass Mailing; Targeted Mailing

Blue team detective and preventative controls:
- Endpoint: NA
- Network: Email filters, thresholds, and spam rules; Email source verification; Blacklist checks; SPF record checks; Logs / SIEM / Alerts
- Process: User awareness training; Incident response procedures

Phase 4: Deliver the Payloads to employee systems

Red team attack vectors and techniques (Common Methods): Files; Malicious Links

Blue team detective and preventative controls:
- Endpoint: Asset / config / patch mgmt.; Anti-virus / HIDS / HIPS; Secure group policy; Mail client configurations; MS Office Security Settings; Web browser configurations; Logs / SIEM / Alerts
- Network: Email filters, thresholds, and spam rules; Deny / log relay requests; Secure caching provider; Web filtering / white listing; Authenticated HTTP proxies; Logs / SIEM / Alerts
- Process: User awareness training; Incident response procedures

Phase 5: Run the Payload Commands on employee systems

Red team attack vectors and techniques (Common Payload Command Types):
- Binaries: Executable, Installer, Library
- Scripts: PS, VB, VBS, JS, Bat
- Commands: cmd, wmi, wrm, ftp, net, etc.
- Standard Code: C, C++, C#
- Assembly Code: shellcode
- Byte Code: Java, .Net

Blue team detective and preventative controls:
- Endpoint: Asset / config / patch mgmt.; Anti-virus / HIDS / HIPS; Secure group policy settings; Application white listing; Least privilege enforcement; Logs / SIEM / Alerts
- Network: NA
- Process: User awareness training; Incident response procedures

Phase 6: Obtain Command & Control Channel from employee systems

Red team attack vectors and techniques:
- Common Types: Bind Shell; Reverse Shell; Web Shell; Beacon; Staged & not Staged
- Common Protocols (TCP/UDP, v4/6): IPv4, IPv6; TCP, UDP; HTTP, HTTPS, DNS, ICMP, NTP, FTP, NFS, SMB, SSH, Telnet, Rlogin, Torrent, IM, SMTP; Egress Ports
- Data Handling: Compression; Encoding; Encryption

Blue team detective and preventative controls:
- Endpoint: Asset / config / patch mgmt.; Anti-virus / HIDS / HIPS; Secure group policy settings; Application white listing; Least privilege enforcement; Logs / SIEM / Alerts
- Network: Firewall Rules / Segmentation; NIDS / NIPS; Fix Up Protocols; Web Filtering / White Listing; Authenticated HTTP Proxies; Logs / SIEM / Alerts
- Process: User awareness training; Incident response procedures

Phase 7: Perform Local Recon / Discovery on employee systems

Red team attack vectors and techniques (Common local Targets): Cache & Logs; Users & Groups; OS, Domain, & Network Information; Files & Registry; Installed Apps; Services & Processes

Blue team detective and preventative controls:
- Endpoint: Asset / config / patch mgmt.; Anti-virus / HIDS / HIPS; Secure group policy settings; Application white listing; Least privilege enforcement; Logs / SIEM / Alerts
- Network: Logs / SIEM / Alerts
- Process: Admin awareness training; Incident response procedures
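The network controls the poster lists for the phishing preparation phase (deny or log VRFY and EXPN, log RCPT commands executed sequentially) are easy to state and easy to get wrong as a SIEM rule: a single VRFY is worth an alert, but RCPT TO is normal mail traffic and only becomes enumeration when one client issues many of them quickly and most come back 550. The following detector is an added example written for this page, not code from the poster or from NetSPI. The log format is constructed for the example (one line per SMTP command: time, client IP, command, argument, reply code); the thresholds are assumptions to be tuned against the real server's load.

```python
"""Detect SMTP user enumeration: VRFY, EXPN and sequential RCPT TO probing.

Added example, not from the NetSPI poster. The log format is constructed for
the example: one line per SMTP command, "<iso-time> <client-ip> <cmd> <arg> <reply>".
A real MTA (Postfix, Exchange) needs its own line parser, but the rule is the same.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<cmd>VRFY|EXPN|RCPT)\s+(?P<arg>\S+)\s+(?P<code>\d{3})\b"
)

# Tuning values are assumptions for the example; set them from the server's normal load.
RCPT_WINDOW = timedelta(seconds=60)  # look-back window per client
RCPT_THRESHOLD = 5                   # RCPT commands from one client inside the window
UNKNOWN_RATIO = 0.5                  # share of those answered 550 (user unknown)


def parse(line):
    """Return a dict for a recognised command line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "cmd": m["cmd"],
        "arg": m["arg"],
        "code": int(m["code"]),
    }


def detect(lines):
    """Return alerts as (client_ip, kind, detail). Each (ip, kind) fires once."""
    alerts = []
    fired = set()
    rcpt_windows = defaultdict(deque)  # ip -> deque of (ts, was_unknown)

    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue

        if ev["cmd"] in ("VRFY", "EXPN"):
            # Any external VRFY/EXPN is enumeration; a 2xx reply means the server
            # actually confirmed the address, so the reply code goes into the detail.
            key = (ev["ip"], ev["cmd"])
            if key not in fired:
                fired.add(key)
                alerts.append((ev["ip"], ev["cmd"], f"reply {ev['code']}"))
            continue

        # RCPT TO: slide the window, then test volume and the unknown-user ratio.
        window = rcpt_windows[ev["ip"]]
        window.append((ev["ts"], ev["code"] == 550))
        while window and ev["ts"] - window[0][0] > RCPT_WINDOW:
            window.popleft()
        if len(window) < RCPT_THRESHOLD or (ev["ip"], "RCPT") in fired:
            continue
        unknown = sum(1 for _, was_unknown in window if was_unknown)
        if unknown / len(window) >= UNKNOWN_RATIO:
            fired.add((ev["ip"], "RCPT"))
            alerts.append((
                ev["ip"], "RCPT",
                f"{len(window)} RCPT with {unknown} unknown users in {RCPT_WINDOW.seconds}s",
            ))
    return alerts


# Constructed sample: a legitimate sender, then one client probing with VRFY and
# a burst of RCPT TO against guessed first-initial+surname addresses.
SAMPLE_LOG = [
    "2016-05-02T10:00:00 198.51.100.20 RCPT TO:<sales@example.com> 250",
    "2016-05-02T10:00:01 198.51.100.20 RCPT TO:<info@example.com> 250",
    "2016-05-02T10:01:00 203.0.113.7 VRFY jsmith 252",
    "2016-05-02T10:01:02 203.0.113.7 RCPT TO:<asmith@example.com> 550",
    "2016-05-02T10:01:03 203.0.113.7 RCPT TO:<bjones@example.com> 550",
    "2016-05-02T10:01:04 203.0.113.7 RCPT TO:<cwhite@example.com> 250",
    "2016-05-02T10:01:05 203.0.113.7 RCPT TO:<dblack@example.com> 550",
    "2016-05-02T10:01:06 203.0.113.7 RCPT TO:<egreen@example.com> 550",
    "2016-05-02T10:01:07 203.0.113.7 RCPT TO:<fbrown@example.com> 250",
]

if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"ALERT {ip} {kind}: {detail}")
```

The unknown-user ratio is what separates a mailing list delivering to a hundred valid addresses from an attacker walking a name list; volume alone would page on both. The same per-source windowing applies to the poster's "large numbers of HTTP NTLM requests" control against OWA or EWS, with the 401 reply count in place of the 550 count.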

Phase 8: Escalate Local Privileges on employee systems

Red team attack vectors and techniques:
- Weak Configurations: Insecure Service; Insecure Schtask; Insecure GPO; Insecure Protocol; Weak Password or Password Storage Method; Excessive Privilege
- Local Exploits: App; OS
- Stolen Authentication Tokens: PW / Pvt Key; PW Hash; Kerb Ticket

Blue team detective and preventative controls:
- Endpoint: Anti-virus / HIDS / HIPS; Secure group policy settings; Application white listing; Least privilege enforcement; Logs / SIEM / Alerts; DEP / ASLR / SEH; Micro virtualizing / sandboxes
- Network: Logs / SIEM / Alerts
- Process: Admin awareness training; Incident response procedures

Phase 9: Maintain Local Persistence on employee systems

Red team attack vectors and techniques (Common Local Persistence Methods): Windows Service; Scheduled Task; WMI Event Trigger; File, Registry, & Application Autoruns; Code / File Modification; Driver; BIOS

Blue team detective and preventative controls:
- Endpoint: Asset / config / patch mgmt.; Anti-virus / HIDS / HIPS; Secure group policy settings; Application white listing; Least privilege enforcement; Logs / SIEM / Alerts; FIM / WMI event triggers
- Network: NA
- Process: User awareness training; Incident response procedures

Phase 10: Perform Network Recon / Discovery on internal networks

Red team attack vectors and techniques:
- Active Discovery: Ping & Port Scanning; Trace Route; Share & Logon Scanning; DB, SP & Mail Svr Scanning; DNS & ADS Queries; Domain GPOs & SPN; Remote Sessions & Processes; Locate Domain, Ent. & Forest Admins
- Passive Recon: Sniffing

Blue team detective and preventative controls:
- Endpoint: HIDS / HIPS; Logs / SIEM / Alerts; Canaries (Local & Domain User Accounts; Domain Computer Accounts; Local and Network Files); File Auditing
- Network: Firewall rules / segmentation; NIDS / NIPS; Honey pots; Tarpits; Canary networks, systems, & accounts; Logs / SIEM / Alerts
- Process: Admin awareness training; Incident response procedures

Phase 11: Perform Lateral Movement between systems/networks

Red team attack vectors and techniques:
- Common Methods: Windows Service; Sched Task; MGMT Services; File Share; GPO, SCCM; DB, App & VM Servers; Remote Exploit; Physical
- Stolen Authentication Tokens: Password Hash (PTH); Kerberos Ticket (PTT); Password / Private Key; Shared Password

Blue team detective and preventative controls:
- Endpoint: Asset / config / patch mgmt.; Anti-virus / HIDS / HIPS; Secure group policy settings; Application white listing; Least privilege enforcement; Logs / SIEM / Alerts; Host-based Firewall
- Network: Firewall Rules / Segmentation; NIDS / NIPS; Honey Pots; Tarpits; Canary networks, systems, & accounts; Logs / SIEM / Alerts
- Process: Don't use shared local accounts; Use separate domain user and server admin accounts; Maintain secure configs; Incident response procedures
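The network recon and lateral movement phases above share the same detective controls: canary accounts, files, shares and systems that nothing legitimate ever touches, plus logs fed to a SIEM. What the poster does not spell out is the rule that turns those logs into an alert. The following detector is an added example written for this page, not code from the poster or from NetSPI: it consumes Windows Security events 5140 (network share accessed) and 4624 with logon type 3 (network logon), fires immediately on any touch of a canary share, canary account or decoy host, and separately flags one source address reaching many distinct hosts in a short window, which is what share and logon scanning looks like from the victims' side. The events, the canary names and the thresholds are constructed for the example.

```python
"""Flag share/logon scanning and canary hits in Windows Security events.

Added example, not from the NetSPI poster. Events are constructed dicts with the
fields a SIEM would pull from event 5140 (network share accessed) and 4624 logon
type 3 (network logon); the canary names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # look-back per source address (assumption)
FANOUT_THRESHOLD = 4            # distinct hosts reached inside the window (assumption)

# Canaries: objects that exist only to be touched by an attacker (all assumed names).
CANARY_SHARES = {r"\\*\Finance-Archive"}   # share with no legitimate users
CANARY_ACCOUNTS = {"svc-backup-old"}        # domain user that nobody should log on as
CANARY_HOSTS = {"HONEY-FS"}                 # decoy server that should never see a logon


def _actor(ev):
    """Account name lives in different fields for 5140 (Subject) and 4624 (Target)."""
    return ev.get("SubjectUserName") or ev.get("TargetUserName")


def detect_scanning(events):
    """Return alerts as (kind, source_ip, detail); fan-out fires once per source."""
    alerts = []
    history = defaultdict(list)   # ip -> [(ts, host)] inside WINDOW
    fanout_fired = set()

    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts, ip, host, user = ev["TimeCreated"], ev["IpAddress"], ev["Computer"], _actor(ev)

        # Canary checks: a single touch is enough, no thresholding.
        if ev["EventID"] == 5140 and ev.get("ShareName") in CANARY_SHARES:
            alerts.append(("canary-share", ip, f"{user} opened {ev['ShareName']} on {host}"))
        if user in CANARY_ACCOUNTS:
            alerts.append(("canary-account", ip, f"{user} used against {host}"))
        if host in CANARY_HOSTS:
            alerts.append(("canary-host", ip, f"{user} reached decoy {host}"))

        # Fan-out: one source reaching many distinct hosts in a short window is
        # share/logon scanning, whatever account it authenticates as.
        recent = [(t, h) for t, h in history[ip] if ts - t <= WINDOW]
        recent.append((ts, host))
        history[ip] = recent
        hosts = {h for _, h in recent}
        if len(hosts) >= FANOUT_THRESHOLD and ip not in fanout_fired:
            fanout_fired.add(ip)
            alerts.append(("fan-out", ip,
                           f"{user} reached {len(hosts)} hosts in {WINDOW.seconds // 60} min"))
    return alerts


def _ev(event_id, second, computer, user, ip, share=None):
    """Build one constructed event (helper for the sample only)."""
    ev = {"EventID": event_id,
          "TimeCreated": datetime(2016, 5, 2, 11, 0, 0) + timedelta(seconds=second),
          "Computer": computer, "IpAddress": ip}
    if event_id == 5140:
        ev["SubjectUserName"], ev["ShareName"] = user, share
    else:
        ev["TargetUserName"], ev["LogonType"] = user, 3
    return ev


# Constructed sample: 10.0.0.5 sweeps five hosts in four seconds and trips the
# canary share and the decoy host; 10.0.0.9 is a normal user on one file server.
SAMPLE_EVENTS = [
    _ev(5140, 0, "FS01", "jdoe", "10.0.0.5", r"\\*\IPC$"),
    _ev(4624, 1, "FS02", "jdoe", "10.0.0.5"),
    _ev(5140, 2, "FS03", "jdoe", "10.0.0.5", r"\\*\Finance-Archive"),
    _ev(4624, 3, "HONEY-FS", "jdoe", "10.0.0.5"),
    _ev(4624, 4, "DC01", "jdoe", "10.0.0.5"),
    _ev(5140, 60, "FS01", "asmith", "10.0.0.9", r"\\*\Public"),
    _ev(5140, 120, "FS01", "asmith", "10.0.0.9", r"\\*\Public"),
]

if __name__ == "__main__":
    for kind, ip, detail in detect_scanning(SAMPLE_EVENTS):
        print(f"ALERT {kind} from {ip}: {detail}")
```

Event 5140 is only generated when "Audit File Share" is enabled in the advanced audit policy, so the canary-share rule is silent on a default install; the fan-out rule works from 4624 alone. Keying the fan-out on source address rather than account matters because the lateral movement phase is exactly the case where the attacker rotates through stolen tokens from one foothold.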

Phase 12: Escalate Domain Privileges via common vectors

Red team attack vectors and techniques:
- Steal Admin Authentication Tokens: Password Hash (PTH); Kerberos Ticket (PTT); Password / Private Key
- Delegated Privs; Nested Groups; Exploits, Kerberoast & GPP; GPO; Attack DCs
- Escalate to Root Domain: Domain Trusts & SID History

Blue team detective and preventative controls:
- Endpoint: Asset / config / patch mgmt.; Anti-virus / HIDS / HIPS; Secure group policy settings; Application white listing; Least privilege enforcement; Logs / SIEM / Alerts; Host-based Firewall
- Network: Firewall Rules / Segmentation; NIDS / NIPS; Honey Pots; Tarpits; Canary networks, systems, & accounts; Logs / SIEM / Alerts
- Process: Don't use shared local accounts; Use separate domain user and server admin accounts; Maintain secure configs; Incident response procedures

Phase 13: Find and Access Sensitive Data in common data stores

Red team attack vectors and techniques:
- Common Data Targets: Financial Data; IP & Research; Insider Trading Info; PII; PHI; CHD
- Common Data Stores: File Servers; Database Servers; Mail Servers; Code Repositories

Blue team detective and preventative controls:
- Endpoint: Least Privilege Enforcement; Two-Factor Authentication; Data Encryption and Secure Key Management; File, Application, and Database Auditing; Host DLP / Logs / SIEM / Alerts
- Network: Firewall Rules / Segmentation; NIDS / NIPS; Honey Pots; Tarpits; Canary networks, systems, & accounts; Logs / SIEM / Alerts
- Process: User awareness training; Incident response procedures; Manage keys securely; Consolidate and isolate sensitive data stores

Phase 14: Exfiltrate Sensitive Data using common channels

Red team attack vectors and techniques:
- C2 and Alternative Channels: Common & Uncommon Ports; Standard & Custom Protocols; Large & Small Files
- Physical Media: LAN & Wireless; USB & SD; CD, DVD
- Data Handling: Compression; Encoding; Encryption

Blue team detective and preventative controls:
- Endpoint: HIDS / HIPS; Host DLP; Large file upload detection; Mail client/server settings; Logs / SIEM / Alerts
- Network: Firewall Rules / Segmentation; Email Server Configuration; Network DLP; Fix Up Protocols; Web Filtering / Auth Proxy; Canary Data Samples; Logs / SIEM / Alerts
- Process: User awareness training; Incident response procedures

Phase 15: Maintain Remote Access Without a C2 using common interfaces

Red team attack vectors and techniques:
- Common Internet Facing Interfaces: Web Based; Citrix & TS; RDP; SSH; VDE; Office365; Azure; AWS; VPN; Web Shells
- Two Factor (stolen or bypassed): Private Key; Token Seed; Skeleton Key

Blue team detective and preventative controls:
- Endpoint: Enforce two-factor authentication on all external interfaces; Limit Terminal Service, Citrix, and VDE access to specific groups during specific hours; Geo / IP limiting
- Network: Firewall rules / segmentation; NIDS / NIPS; Canary networks, systems, applications, and accounts; Logged events / SIEM / alerts
- Process: Admin awareness training; Incident response procedures; Enforce strong account policies

Author: Scott Sutherland, NetSPI 2016. Version: 3.2
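Kerberoast is listed in the domain privilege escalation phase above, and the controls against it on the poster are canary accounts and logs. The detector below is an added example written for this page, not code from the poster or from NetSPI. It reads Windows event 4769 (Kerberos service ticket requested), ignores computer accounts and krbtgt because only user accounts with an SPN have crackable service tickets, alerts on any ticket request for a canary SPN account (a user account with an SPN registered that no real service uses, so the only thing that ever asks for its ticket is an attacker enumerating SPNs), and alerts when one requester asks for tickets to many distinct service accounts in a short window, reporting how many were requested with RC4 (etype 0x17), the downgrade Kerberoast tools ask for because RC4 cracks fastest. The events, the canary name and the thresholds are constructed for the example.

```python
"""Detect Kerberoasting from Windows event 4769 (Kerberos service ticket requested).

Added example, not from the NetSPI poster. Events are constructed dicts carrying
the 4769 fields a SIEM normalises (TargetUserName = requesting account,
ServiceName = account holding the SPN, TicketEncryptionType). The canary SPN
account name and the thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back per requesting account (assumption)
SPN_THRESHOLD = 3               # distinct service accounts requested inside WINDOW (assumption)
RC4 = "0x17"                    # etype Kerberoast tools request because RC4 cracks fastest

# A user account with an SPN that no real service uses (assumed name): any ticket
# request for it is an attacker enumerating SPNs.
CANARY_SPN_ACCOUNTS = {"svc-canary-sql"}


def _is_roastable(service):
    """Only user accounts matter: computer accounts ($) and krbtgt are excluded."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(events):
    """Return alerts as (kind, requester, detail); each kind fires once per requester."""
    alerts = []
    fired = set()
    history = defaultdict(list)  # requester -> [(ts, service, etype)] inside WINDOW

    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 4769 or not _is_roastable(ev["ServiceName"]):
            continue
        ts, who = ev["TimeCreated"], ev["TargetUserName"]
        svc, etype = ev["ServiceName"], ev["TicketEncryptionType"]

        # Canary: one request is enough.
        if svc in CANARY_SPN_ACCOUNTS and (who, "canary-spn") not in fired:
            fired.add((who, "canary-spn"))
            alerts.append(("canary-spn", who, f"requested ticket for {svc} from {ev['IpAddress']}"))

        # Fan-out: a user asking for tickets to many distinct service accounts
        # at once is harvesting, not using, those services.
        recent = [(t, s, e) for t, s, e in history[who] if ts - t <= WINDOW]
        recent.append((ts, svc, etype))
        history[who] = recent
        services = {s for _, s, _ in recent}
        rc4 = sum(1 for _, _, e in recent if e == RC4)
        if len(services) >= SPN_THRESHOLD and (who, "kerberoast") not in fired:
            fired.add((who, "kerberoast"))
            alerts.append(("kerberoast", who,
                           f"{len(services)} service accounts in {WINDOW.seconds // 60} min, {rc4} with RC4"))
    return alerts


def _ev(minute, who, svc, etype, ip="10.0.0.5"):
    """Build one constructed 4769 event (helper for the sample only)."""
    return {"EventID": 4769, "TimeCreated": datetime(2016, 5, 2, 12, minute),
            "TargetUserName": who, "ServiceName": svc, "TicketEncryptionType": etype,
            "IpAddress": ip}


# Constructed sample: jdoe requests RC4 tickets for every user-account SPN in the
# domain (Kerberoast), including the canary; asmith opens one SQL session normally.
SAMPLE_EVENTS = [
    _ev(0, "jdoe", "svc-sql", "0x17"),
    _ev(0, "jdoe", "WS01$", "0x12"),           # computer account, ignored
    _ev(1, "jdoe", "svc-web", "0x17"),
    _ev(1, "jdoe", "svc-canary-sql", "0x17"),  # canary trips here
    _ev(2, "jdoe", "svc-backup", "0x17"),
    _ev(5, "asmith", "svc-sql", "0x12", ip="10.0.0.9"),
]

if __name__ == "__main__":
    for kind, who, detail in detect_kerberoast(SAMPLE_EVENTS):
        print(f"ALERT {kind} by {who}: {detail}")
```

Event 4769 is only written when "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers, and it is noisy, so the distinct-service-account count is the primary signal and the RC4 count is supporting evidence: an account that legitimately uses three services still does not request all three tickets within the same minute. The canary rule has no false positives by construction, which is why the poster's canary accounts are the cheapest control in this phase.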