Blue Team & Red Team Common Attack Kill Chain

The poster (Common Attack Kill Chain, Red Team vs Blue Team; author: Scott Sutherland, NetSPI, 2016; version 3.2) pairs each phase of a phishing-driven intrusion with the red team's common attack vectors and techniques and the blue team's common detective and preventative controls. The per-phase columns do not survive text extraction; only the phase names and the recurring technique and control categories are listed here.

Attack phases:

- Prepare Phishing Attacks from public resources
- Create Phishing Payloads & Sites
- Send Phishing Emails to employee addresses
- Deliver the Payloads to employee systems
- Run the Payload Commands on employee systems
- Obtain Command & Control Channel from employee systems
- Maintain Local Persistence on employee systems
- Perform Local Recon / Discovery on employee systems
- Escalate Local Privileges on employee systems
- Perform Network Recon / Discovery on internal networks
- Perform Lateral Movement between systems/networks
- Escalate Domain Privileges via common vectors
- Find and Access Sensitive Data in common data stores
- Exfiltrate Sensitive Data using common channels
- Maintain Remote Access Without a C2 using common interfaces

Common red team vectors and techniques named on the poster:

- Phishing preparation: finding and verifying emails and users via LinkedIn.com, Data.com, Google.com, Bing.com and SMTP server commands; sending test emails; buying expired domains; domains similar to the company, spoofed internal or external domains, hacked accounts; mass and targeted mailing with a pretext scenario
- Phishing content: malicious links and files, credential collection forms, Java applets, ClickOnce, HTA, browser and browser add-on exploits, Office documents with macros, web shells, content-filter exceptions
- Payload types: bind shell, reverse shell, web shell, beacon; binaries (executable, installer, library), scripts (PS, VB, VBS, JS, Bat), commands (cmd, wmi, wrm, ftp, net, etc.), assembly/shellcode, byte code (Java, .Net)
- C2 channels: TCP/UDP over IPv4/IPv6; HTTP, HTTPS, DNS, ICMP, NTP, FTP, NFS, SMB, SSH, Telnet, Rlogin, Torrent, IM, SMTP; common and uncommon ports; standard and custom protocols; staged and not staged
- Local persistence: Windows service, scheduled task, WMI event trigger, file/registry/application autoruns, code or file modification, driver, BIOS
- Local recon and privilege escalation: users and groups, OS/domain/network information, files and registry, cache and logs, installed apps, services and processes; weak configurations (insecure service, GPO or scheduled task, weak password or password storage, excessive privilege), local exploits, stealing admin authentication tokens, escalating to root
- Network recon and lateral movement: active discovery, passive recon, sniffing, ping and port scanning, trace route, DNS and ADS queries, domain GPOs and SPNs; share, logon and DB/SP/mail server scanning; shared passwords, password hash (PTH), Kerberos ticket (PTT), password / private key; remote sessions and processes, Windows services, scheduled tasks, management services (GPO, SCCM), file shares
- Domain privilege escalation: delegated privileges, nested groups, exploits, Kerberoast, GPO and GPP, attacking DCs, domain trusts and SID history, locating domain, enterprise and forest admins
- Data targets and stores: financial data, IP and research, PII, PHI, CHD, insider trading information; file, database, mail, application and VM servers, code repositories
- Exfiltration: compression, encoding, encryption, large and small files, C2 and alternative channels, physical media (LAN and wireless, USB and SD, CD, DVD)
- Remote access without a C2: web-based interfaces, Citrix and Terminal Services, RDP, SSH, VDE, Office365 and OWA, MS APIs, Azure, AWS, VPN; stolen private keys, token seeds, skeleton keys, two-factor bypass

Common blue team detective and preventative controls named on the poster:

- User and admin awareness training; incident response procedures; logs / SIEM / alerts at every phase
- Tracking the company's point of presence and employee exposure; monitoring domain expirations
- SMTP hardening: deny / log VRFY and EXPN requests, deny / log relay requests, log RCPT commands executed sequentially, alert on large numbers of HTTP NTLM requests
- Email filters, thresholds and spam rules; email source verification; blacklist and SPF record checks; mail client/server and MS Office security settings; web browser configurations
- Asset / config / patch management; anti-virus / HIDS / HIPS; secure group policy settings; application whitelisting; least privilege enforcement
- DEP / ASLR / SEH; micro-virtualization / sandboxes; file integrity monitoring and WMI event triggers
- Web filtering / whitelisting; authenticated HTTP proxies; secure caching provider; fix-up protocols
- Host-based firewall; firewall rules / segmentation; NIDS / NIPS; honey pots; tarpits; canary networks, systems, applications, accounts and data samples; file auditing
- Host and network DLP; large file upload detection; email server configuration
- No shared local accounts; separate domain user and server admin accounts; strong account policies; secure configurations
- Two-factor authentication on all external interfaces; geo / IP limiting; limiting Terminal Service, Citrix and VDE access to specific groups during specific hours
- Data encryption and secure key management; file, application and database auditing; consolidating and isolating sensitive data stores
https://blog.netspi.com/wp-content/uploads/2016/10/NetSPI_Scott_Sutherland_RedvsBlue_v3.2.pdf