This webcast was originally published on May 29th, 2024.
In this video, Jeff McJunkin discusses the differences and nuances between penetration testing and red teaming, focusing on their respective roles in cybersecurity. He elaborates on the unique approaches and objectives of each, highlighting how they test organizational defenses differently. The discussion also covers common methods attackers use to breach systems, emphasizing the importance of robust defense strategies.
- Penetration testing is defined as demonstrating business risks stemming from technical flaws or misconfigurations.
- Attackers often target data and money, and breaches can occur with simple one-step processes if security is lax.
- Effective cybersecurity involves understanding both the attack surface and the defenders, not just the defensive mechanisms.
Transcript
Jeff McJunkin
Hello, everyone. Welcome. My name is Jeff McJunkin, but more about that later because you’re not here for my bio. You’re here for actually enjoying something actionable for you to learn.
So, I’ll be watching chat as we go. Please, let’s keep this interactive. It’s right in front of me as I present, so keep the questions and comments coming as we go.
The emoji reactions, the GIFs, they’re perfect. All right, some definitions, right? Attacker: person attacking you. Pen tester.
And now pen tester versus red team. Oh, we’ve already gotten into some contention here. I like to define pen testing as demonstrating the business risk stemming from technical flaws or misconfigurations, or features that weren’t anticipated that way, on in-scope systems, and try not to crash machines as we go.
Right? Pen tester versus red teamer gets in the weeds a lot. But let’s say red teamer is more about testing the defenders, not the defenses, testing the watchers on the walls, not the castle walls themselves.
And then breach is just unauthorized access to data, right? Because attackers want your data, or some attackers want your data. Most attackers just want your money.
All right, so look, if there is a one-step breach, if wget is start to finish the attack. What was it, state of Minnesota, state of Missouri, had their K through 12.
If you press F12, if you view the source, you see the Social Security numbers of all of the folk involved there. I mean, there’s not much you can do about that breach if it’s one step to, wow, they have our data. So, public S3 buckets.
There’s been plenty of those. There’s been plenty of exposed databases over the years, MongoDB and such. So know where that data is. F12 is not a crime, as the sticker came out about that, to view source.
So a lot of those breaches are in one step. This is why we tend to have the data inside our environment, because if the attacker can get to the data directly, if the goal data of theirs is directly accessible, if they can get it via wget, your site, PII CSV, then there’s not a whole lot of time for your detection and response capabilities there.
So that’s not a great situation to be in. That’s why we have data inside the environment. That’s why attackers need to be inside the environment as well. But not everybody has access, so they need privileges as well.
Now, out of the history of Black Hills Information Security, I’m sure that some folk have successfully phished their way in, into a domain admin, ran their payload directly, and you could just skip the entire privilege escalation section of the pen test.
But that is unusual, right? But in terms of the ways into an environment for a non employee, somebody who doesn’t already have authorized access, there’s essentially five fundamental methods.
Hat tip to Tim MalcomVetter, formerly red team lead over at Walmart, who had the original list. But essentially we have phishing, what we commonly think of, and there’s far more than just email-based phishing, but we also have things like logging on: VPN, VDI, remote desktop.
There’s also rogue devices here. You’ve got a Raspberry Pi with the Power over Ethernet HAT. And you can just plug that in to most enterprises that have Power over Ethernet. And it’s one cable that now phones home and gives me access.
Sorry, VDI being a virtual desktop environment, which is not too uncommon to be single-factor authentication. Curious asks, what is PII?
Privileged, personally identifiable information. So sensitive stuff. That’s what the PII CSV was a reference to there.
All right, so DHCP is the feature of drop boxes, right? And yes, slides will be made available. In fact, Redliner, bit.ly/killfog.
It’s there. That is the exact slides I’m presenting from right now. All right, so the nice thing about exploitable public facing resources is it scales very nicely, right?
masscan, pipe to nmap, pipe to exploit.py, swapping out the exploit of the day and the port in question.
That’s essentially how a lot of people get their first shells that they usually sell to initial access brokers. Technically, initial access broker is more like the eBay for shells.
So it’s the eBay sellers that are getting their shells via masscan and Nmap and exploit.py.
Now, phishing and logging on are somewhat targeted. You need to know where to log on, who to phish, right? For the record, if you’re doing phishing, anything other than email, you’re going to have a much higher response rate.
Email you have in most environments, pretty good logs of who got what emails, when from who, what subject, et cetera. You probably have filtering going on, you probably have scanning of attachments, et cetera.
Roswell mentions. Could we change the slides live? I can change the slides live at Roswell UK, but you cannot.
That’s kind of the point. All right, now, rogue devices, drop boxes. Look, I kind of hate pen-testerisms, things that are more commonly done by pen testers than real-world threat actors, and drop boxes are normally in that area.
You do still see it every once in a while. In corporate espionage. For the record, I did not put Google Slides in scope for your CTF.
Spooner looking at you. All right. And then supply chain attacks. That’s a different game for different people. So nation states play that game.
See, slide download is failing in Zoom. Yeah, there’s the link inside of Discord. So join the Discord and bit.ly/killfog. Pretty much all of my presentations are bit.ly something, and there’s all of the links at the end of this presentation, so don’t worry too much.
All right, so here’s like, my thesis statement for life. bit.ly did not say.
Did not say CTF. Matt, I’ll fix the link at the end. Please remind me. All right, here’s my thesis statement for infosec. At this point, once attackers get inside, it starts a timeline.
It will take attackers some amount of time to cause damage. Just like if you invite somebody into your building and they are wanting to cause damage, eventually they will cause damage.
Either they’re gaining access to data that they shouldn’t have access to, maybe by jimmying doors, maybe by finding stuff unattended, or maybe by setting the place on fire. Right. Arson is always an option.
So is burning the place down via ransomware. Ransomware doesn’t. Doesn’t always have to be ransomware. It could just be data destruction. I digress. Buying insiders, I mean, that’s still, the initial access was by one of those five.
It could be resold from there anyway. So once attackers get inside, it starts a timeline. That timeline depends on the preventive controls of the environment.
Detective controls are different. Detective controls are the timeline that starts with you as a defender, need to detect and respond, kicking out the adversary before they accomplish their goal.
So if you have a short lap as a defender to detect and respond, and the attacker has a long lap, then you’re fine this time.
But if the opposite is true, if maybe you had a shift change, security operations center changed hands. Maybe 9:00 a.m. to 5:00 p.m. Monday through Friday, you have a great security operations center.
And outside of those hours, you contract with a company that will send you emails saying, we saw an alert, please respond. And they do nothing else other than, oops, that added some time to your lap, as it were.
And there are plenty of real-world breaches, let alone reports via The DFIR Report, that point out attackers gaining access to a target environment from first shell to domain-wide ransomware in a very short amount of time. An hour or less is not entirely uncommon, and that’s why we call a breach.
So I say you have three things to do as a defender. One, hey, stop coming from the future, coffee stain. All right. Defenders have three objectives.
Therefore: attackers get in less often. If you think of this as your response time. So we have the graph here of the time to detect and respond, and this is the prevalence.
Unless there’s a good reason to think otherwise, I assume everything is a bell curve. And let’s say your average response time is 1 hour. Well, sometimes you’re going to have a bad day, and it’s going to take you longer than an hour to respond.
So if attackers are getting in constantly, even if you have a really good detection and response timeline, eventually, in D&D terminology, you’re going to roll a natural one, critical failure.
Somebody’s going to mark it as a false positive, somebody’s going to have a bad day, et cetera. So we want to let attackers get in our environment less often. How do we do that?
Well, how many methods do you have of remote support? In all honesty, inside your environment, how many ways do you have access to gain control of somebody else’s machine for IT support?
Do you already use, what’s all the remote management software out there? Right. Do you already use, let’s see, software, blah, blah, blah, blah, blah.
TeamViewer, do you already use ConnectWise, do you already use, gosh, why am I blanking on one other name? AnyDesk. That’s the one. If you already.
Yeah, thank you. AnyDesk tends to be the one most commonly abused by threat actors, and I had to double check; TeamViewer’s my go-to example. But AnyDesk is actually more commonly used by real-world threat actors.
Bomgar. Sure. How many of those do you use? RustDesk is a great example because it’s self-hosted. It’s great for attackers, too.
I’ve known places that have more than five ways in, said Pastor. Yes, and that means it’s easier to blend into the noise when there’s so much noise inside that environment.
So consolidate to one method, remove the others, and monitor for the others. It doesn’t matter that you uninstalled the AnyDesk client, because it could be run as a limited user; monitor for its use inside your environment. Just like, I know, John is a big fan of installing ad blockers.
It’s great for security, because you’re going to have a lot less noise on your web application firewalls, your logs, of outbound traffic that way.
External attack surface, there’s only so many services that you expose to the outside world, and Exchange is just too much attack surface.
Nowadays. I’m coming from a sysadmin; I used to be an actual Exchange admin. And you can’t hate something until you understand it so thoroughly.
Matt, I’ll have to answer that question at the end of finding attackers. Sorry, that one’s a big one. All right then, how many methods do your users have of executing code? Because plenty of them are enabled by default.
Just because it’s enabled by default doesn’t mean it’s a good idea to have out there, right? Office macros can be enabled by default. One of my favorite go-to examples is Quick Assist, a built-in Microsoft-signed binary that allows you to enter six characters you get from someone and have them take control of your screen.
No new binary, outbound HTTPS traffic to something.microsoft.com. Right. You’re probably not going to notice it, frankly.
So you want to lower the time to detect and respond because this is one of my favorite analogies for the right audience, and the audio is probably not going to go through. And I do not blame Ryan.
Please do not blame Ryan in the chat, everyone. Right now, please do not blame Ryan. That we want to lower the time to detect and respond to attackers by adding some of these detective controls.
Oh, no. So, some people have probably done this. Where you’re playing Mario Kart with friends, you have a split screen going on, so you’re sharing a TV and you hear a very distinct sound.
There’s actually audio for this, but it’s not going through. And you hear that from another room. And there is nothing like the dropping feeling in your stomach of your so-called friends who started a round of Mario Kart without you.
I’m sure that some people watching right now just, have this visceral feeling of like, no, grab me the controller right now. I need this.
Right. This is your time as a defender. Always, when attackers are inside your environment, you are not immediately aware that they are racing towards their finish.
Right now personal story behind this. We see your disc. Oh, we see that, yeah. For whatever reason, Ryan’s choosing to highlight, discord him.
I m don’t have the truth of. I don’t have the, There you go. So there’s the da da da da. And your racers or your attackers are racing on ahead and you’re just sitting there just waiting.
This is every time for you as a defender when the attacker is inside your environment. Roswell. Yes, yes, yes. Thank you. Detection time plus reaction time needs to be less than the attacker’s time to win.
If it’s greater than the attacker’s time to win, then you have lost. And they always get a head start. It might be 1 minute for the logs to be sent, 30 seconds for your SOC analyst to notice the alert, finish their sip of coffee and say, oh, I need to take remediation action.
But far more commonly it’s, oh, we noticed our detective control is ransomware was deployed. You don’t get credit for that one. All right.
It’s one of my favorite analogies ever. All right, so we also want to make it take longer for attackers to win because if the attacker can win in a very short amount of time, you’re boned.
If attackers can go from first shell to domain wide ransomware in less than an hour, as an example, then you need to focus on that first because you need to buy yourself time for your detection and response capabilities because you will not be able to reliably detect and respond in less than an hour.
Right? So rephrase it. If the attacker can get in easily, if they can get in in many ways and gain access to data quickly, it doesn’t matter how good your SOC is, it doesn’t matter how good your IPS is, it doesn’t matter how good your, I don’t know, Velociraptor or LimaCharlie or whichever response capabilities are, because you won’t be able to play whack-a-mole fast enough.
We think of a well-defended environment as this. The attacker starts and there’s a maze. They don’t know where to go. And there’s plenty of monitoring going on. They don’t know what’s going to happen next.
Whereas far more commonly it’s more like what we see coming up momentarily. So let me change my share because I’m bad at demo preps.
So here we have deadwood.com business directory, and I like to scroll through and see for any given conference, like, hey, what’s happening nearby?
And one of the ones I scrolled by was Deadwood Digital Dynamics. Like, okay, that sounds like infosec-y. Yeah, try F12. Maybe their PII is directly visible.
It’s not quite that easy, unfortunately, for Deadwood Digital Dynamics. But you can get to their website pretty quickly. deadwooddigitaldynamics.com. Heck, while I’m at it, at this point, once I have an email address, I’m pretty darn close, because an email address has a domain name associated.
We had deadwooddigitaldynamics.com visible in the dropdown; F12 would give that for me. Now I could look for that inside of breach data.
So let me use fancy grep, sparkling grep, ripgrep, to search for lines that begin with, watch out, I’m going to regex live, lines that begin with any number of characters that aren’t the at sign.
The plus means any number of not-the-at-sign, then @deadwooddigitaldynamics.com followed by the colon character, and save that to extracted_ddd.txt.
Now, out of my Combination of Many Breaches file. Now, Combination of Many Breaches is publicly available.
Combination of Many Breaches, publicly available, 1.4 billion credentials in email address, colon, password form.
There’s lots of other breach data out there, but I’ll start with this. In fact, it’s like a 40 gig file. It will take a little bit to, search through. So this is one that I’ve pre canned.
I already have extracted Deadwood Digital Dynamics. And there were five results for Deadwood Digital Dynamics. Wade mentions no one knows regex.
You just google it for 30 minutes. Now. Yes, the number of times you’ve used regular expressions is the same number of times that you’ve learned regular expressions because remember, nothing like, well, I’m pretty sure quotes matter and I think other characters matter too.
Anyway, so now I have some credentials. Well, at this point, can I just like go to Shodan and find out if there are services available for deadwooddigitaldynamics.com?
And yeah, I did some googling. I didn’t bring that one live, sorry, had some other stuff going on. And remote.deadwooddigitaldynamics.com exists. And it turns out the preview from Shodan doesn’t always show it, but it can.
Here’s like searching for Outlook Web Access, but you also see port 33, not port, port 3389 can show a preview of the RDP console.
And sometimes the preview of the RDP console can actually show a username. And let’s say for Digital Dynamics we get the username visible, just like administrator’s visible here.
And some others have some others visible. So at that point we’re really damn close to access. We have single factor authentication, remote desktop exposed Internet, and we have credentials.
I have a service and I have credentials. Let us stuff those credentials. Let’s do that via, well, remote desktop destroying the fog of war.
remote.deadwooddigitaldynamics.com. Now, let’s play the very fancy game of copy and paste a password variation of Black Hills for Sam.
Okay? And then double-clicky, Black Hills dollar sign. Oh.
Deadwood Digital Dynamics. So, single-factor authentication backed by Active Directory exposed to the public Internet is my favorite thing to search for.
Absolutely. As a pen tester, on the external side, we see the super fancy logo we got going on here. If I bring up the super elite hacks or Windows key.
Sorry, what I meant to say is, watch out, because what I’m about to do is what we call a pro gamer move. Windows key + E.
We see that. Yes, there’s the C drive, but there’s also this client data drive. Yeah, RDP, not a great thing to expose to the Internet. Now, Damian, fair warning, a lot of people expose RDP via the web gateway.
It’s essentially port 443 instead of 3389, but it’s still RDP. So you see more RDP web gateways than you do 3389 directly, but it’s still RDP.
Anyway, so client data, we see some information here. Now, there’s an option with remote desktop to connect client devices, redirect options, redirect my client’s C drive so I can just drag and drop to my C drive.
That’s how I exfil data commonly on pen tests, but I could also browse to it. Which one of these folders looks the most interesting?
Should I do a poll? Inside of discord?
Won’t ChatGPT work? Passwords. I mean, all of it. That’s fair. Client password sounds pretty good, though.
Oh, oh, no, it says, do not share. I mean, I might be subject to some NDA for Deadwood digital dynamics, but I can’t.
Yeah, now, everyone else has a good point that files like these, if they were a honeypot trap, are a fantastic honeypot trap. There could be a trap in the file itself that tries to access some web resource, like a canary token that I’ll mention shortly, that could phone home.
You could also have an alert based on the access of the file itself if someone attempts to gain a read handle against this file. Yeah, canary tokens are amazing, but if attackers don’t think there are canary tokens inside your environment, they will happily jump on this one.
And I can’t click fast enough, right? Sure. Somebody else has it open, I don’t care, because now we see. Oh, Deadwood Digital Dynamics is a managed service provider for the Deadwood area.
So we see Deadwood Theater that has tickets.deadtheater.com. Here’s a username, here’s a password we have. Wow. They rotate their passwords frequently.
Now, this is where we get into, wait, does this count as a supply chain attack? Because we have a managed service provider that we’ve hacked that has passwords to other organizations.
And yes, this is exactly how you define supply chain, ATT&CK. Right, ATT&CK, one managed service provider. They give you access to a whole bunch of others. All of those local mom-and-pop IT outsourcing shops, managed service providers.
This third-party breach would be a doozy, Grumpy Vader Cat says, and I would agree, Grumpy Vader Cat. Right. So what do we do at this point? Well, I could grab this data in many ways.
Certainly I could copy here. Let me show the fancy copy, right click copy, then go back to my own c drive and, I don’t know, put it in a folder called exfil paste.
That works. And it’s the same port, 3389. Right. There’s other ways. There’s sites like, yeah, it wouldn’t make the news.
It’s hard for organizations to know that it was because of Deadwood Digital Dynamics. They just know that they got pwned, right. And there are plenty of sites like file.io, upload files.
Okay, how about client passwords? Uploading. Cool. Here’s your download link. And now I can share it with the world. Oops, I was supposed to ransom for that instead.
Right? Data exfiltration happens real quick. It doesn’t have to be a complicated attack. Yeah, a lot of ransomware groups use their own sites, that they upload to so they can, so that they can choose to have people pay before they allow it.
Some ransomware groups use the specific software rclone, which is a legitimate tool used for backups as well. All right, so step up from the folks who use a pen-and-paper ledger.
Nothing like keeping all that sensitive data in a spreadsheet. Look, Excel is the world’s most popular password manager. Change my mind. Anyway, let’s get back to our actual slides.
All right, so this is more common environment instead of, oh, it’s a super protected environment. Oh, it’s so difficult to get to the target. It’s more like, oh, I landed on my first endpoint and there’s a pile of gold right there.
I wonder if I should just go pick up a pile of gold, and the nice thing about the digital world, unlike physical, it’s really easy to duplicate. The biggest problem with exfilling data is.
Oh, no. They only have 200 megabits of upload bandwidth. I have absolutely exfiltrated terabytes of information before at essentially their entire upload bandwidth because organizations have exactly one detective control by default.
Let me say that again. Organizations have exactly one detective control by default. If you break production, if you break something that causes them to profit, if you break some part of normal, workflow for regular employees, then people might notice.
Pastor asks, wouldn’t someone notice the bandwidth spike? Not unless someone’s examining the bandwidth’s usage during that normal time.
Unless you add a specific detective control for it, then no.
All right, so far, more commonly, organizations have one detective control. And yes, just to be clear, Deadwood Digital Dynamics is a fake company.
The data that was on screen, including the breach data, is also fake. It is not real data, even though a couple of the names might be, they’re generated by a large language model.
Of course, they might actually be some Deadwood companies, but it’s all fake. All fake. It was an illusion, just different than a magic trick.
Anyway, the website logo also came from DALL·E. So, password guessing. Password guessing is huge. Yes, it’s targeted, but just barely.
I need usernames, passwords and a place to stuff them to. Sometimes there’s more entropy in the usernames than there is in the passwords, but the usernames are often a variation of the human name, and there’s only so many human names out there, and you tend to reveal those human names to the outside world already.
There’s also many ways to enumerate usernames. Teams enumeration of usernames. There’s a wonderful link I want to share from nyxgeek, teams, TeamsTracker.
Not that I’m flailing live to get it. This was about user presence. That one. Oh, man. I got the slowdown warning.
Ryan, give me your powers. Never let me be slow. And anti-cast cheat. TeamsTracker is a good repo for this. This is more about who’s in and out of the office. But nyxgeek also has some stuff about finding out what usernames exist or not.
It’s pretty powerful stuff. Anyway, usernames are not that difficult to get. Passwords. There’s only so many passwords out there. And look, I have a whole other presentation, bit.ly/credstuffing, on credential stuffing.
So if you want to know more, there you go. There’s also a prior Wild West Hackin’ Fest presentation. So just so, no exploits were used.
And I love this quote. It, was a couple years ago. I asked John Strand, he’s a cult leader that is rather famous for also owning an information security firm.
he said out of their last 100 pen tests, he reads every report going out. Two of them required exploitation to accomplish the goals of the pen test.
The transfer you requested has been deleted. Oh wait, did someone already mark it as sensitive or something? That’s hilarious.
Well, I mean, I could put it somewhere else as well. But I guess this is why we use our own exfil sites. It may have something for if it has passwords in it, the name or something do not share.
I don’t know. Or somebody here clicked on. Don’t let it be out there. Anyway, now here’s the super fancy venn diagram. I like venn diagrams quite a bit.
First we have all software, outer circle. Now, not all vulnerabilities get a CVE. Not all CVEs are defined the same way. Shout out to Microsoft, who uses a different definition of CVE than everyone, everywhere.
To everyone in the world, vulnerability means the CVE. The CVE is the flaw. To Microsoft, the CVE means the patch that fixes the flaw. That’s what the CVE is for.
So if a single patch fixes multiple flaws, then things get confusing, right. Annoyingly, Linux is now starting to pull CVEs for every patch regardless of if it’s security related or not.
So there are flaws with CVEs themselves. Anyway, it’s a vanishingly small percentage of CVEs that will ever be exploited. There’s a wonderful spreadsheet from Google Project Zero that they update periodically of known exploited software.
0day in the wild. Essentially this means before there was a patch available, which, granted, there are exploits made for software that has a patch available, but this is a good starting point.
And out of the year 2023 we had over 32,000 CVEs or 38,000 CVEs issued, but there were 31 known exploited CVEs in the year 2023.
Mathematically, I hope you’ll agree that’s just one of those is a smaller number, right? This graph is, this Venn diagram is not to scale, because it’s a tiny, tiny percentage of known vulnerable software that will ever be exploited.
One question in the chat, what was my favorite thing to search for in reconnaissance? Single-factor authentication backed by Active Directory exposed to the public Internet.
That’s my favorite thing to search for. Gleb and Kurt are talking about RDP with multifactor. Unless you’ve specifically audited your organization for where do we expose single factor?
My assumption, and I haven’t been wrong thus far, is that every organization exposes single factor somehow, not just via RDP. Right. If you have Exchange to the outside world, then Exchange supports SMTP authentication via NTLM, single-factor authentication, username and password hash.
Outlook Web App here, let’s not crime live, but let’s go back to Outlook Web App via Shodan.
We have, no title, colon or HTTP title. Can I get the link to watch this later when back work decides to slow down? Yeah, the link will be shared.
Has that triggered any alarms? Yeah, not at all. Do I exfiltrate data via DNS? Not normally. Okay, so let’s pick on penelon solicitors, ie, and mail clinton, did they take it there?
Well, fine, I’ll pick on somebody else. Willmorepatterson exchange. Wilmorespatterson.edu, there you go. That’s the one.
That’s the one I’d like to access, please. And we have OWA, Outlook Web App. All right, last attempt before I give up, but it’ll amuse me greatly if we get it working.
SMTP, rosindustries, Outlook Web App. All right, for everyone who has Outlook for your organization or Exchange for your organization, please do the following.
Go to your Outlook Web App page. You may have multifactor on it. This organization does not, sorry, rosindustries.com. Please change the URL from OWA.
Remove the OWA, where you probably have multifactor, maybe, and change it to EWS, as in Exchange Web Services. One of my favorite findings. See this pop-up right here?
This is called HTTP basic authentication. It is the username and password base64 encoded. If /EWS is exposed to the outside world, you have single-factor authentication backed by Active Directory exposed to the public Internet in an easy way.
You can’t enable multifactor on EWS. Amusingly, Black Hills has some blogs about exactly this. So please, wherever you have your own here.
One, go to your Exchange Outlook Web App. Two, change OWA to EWS. Three, check for this pop-up.
And if you see it, that’s a finding, right? And the resolution, by the way, is mostly to disable Exchange Web Services, the endpoint of the URL, being exposed to the outside world, because it’s single-factor authentication backed by AD exposed to the public Internet. And honestly, start working towards killing Exchange.
I hate to say it but it’s important. All right, let’s go back to our actual slides. Did I miss questions as we come in? People mentioned graph runner.
GraphRunner is awesome. But that’s for Microsoft 365, not Exchange. All right, there’s the 0day in the wild. And look, sometimes the attacks can happen real damn quick.
Now, it’s really common that threat actors use some built-in binaries to find out some information early on. People always joke about red teamers running whoami.exe.
It’s because they don’t know which user ran their binary. systeminfo lists the patches that are available. ipconfig.
Let’s go one more slide, or a couple others we see. quser, net, nltest is one of my favorites, right? How many people have ever used nltest before?
Ever? Anybody here ever used nltest in your life? Scroll, scroll, scroll. Nope, nope, nope, nope, nope, nope, nope, nope, nope, nope.
Never heard of it. Nope, nope, nope, nope, nope, nope, nope. It is one of the most common first commands for attackers to run inside an environment. Why? Because it lists the Active Directory domain you’re connected to and the domain controllers by name and the domain controllers’ IP addresses.
Curt is an active directory admin, so yes, but outside of that, it’s a wonderful detective control for regular, environments to have.
Hey, did someone run nl test? Is nl test malicious itself? Absolutely not. But is it a good thing to search for? Yeah. So to do the appropriate meme, right?
Why, is it when something happens, always one of you three, somebody runs nl test system info or net commands, right? And you could tell that I like Venn diagrams because you have some binaries that you already run internally, right?
Maybe use task list, maybe you like ping. There are some commands that attackers run, some commands you run as well. Powershell CMD. Net IP config. But there are some things that attackers tend to run more commonly than you ver host name hey, where am I running?
Hey, what domain am I connected to? Who am I? Anyway, one of my favorite examples, I highlighted this before and I presented this before as well: net1.exe.
net1 is a copy of net.exe. Has anybody here ever run net1.exe before in your life? Another poll for Discord. Ranger, is it because you’re doing offensive stuff?
Never ever, never ever. Not as a blue teamer. Some garbage vendor tools, now, Myth. It may have been called automatically by a vendor tool as a child process, something, something, Win2K compatibility. But yeah, I am right. I’m running it right now, says Ed, because he said I shouldn’t. So net1 is one of my favorite examples of a tradecraft trade-off.
By running it, you are less likely to tip off the defenders that you’re running net.exe. But if defenders are looking for net1.exe, then it’s really damn obvious, right?
Organizations have one detective control by default. That control is: did you break production? If you could bottle that up, you can find a lot of attackers that way.
Unfortunately, there’s more that attackers do as well. We need to add other detective controls. One of my favorites to search for, to start with, is canary tokens.
I love me some canary tokens. Canarytokens.org. I’ll share the link here, and you can select one of many types of tokens.
Sensitive command token. You just choose an email address, a command to monitor, and: nltest.exe was run on this device.
Create my canary token. It gives you a .reg file. You can run this via Group Policy, Group Policy import.
It’s a reg key. nltest still works just fine, for the record. It’s just that now it does a DNS request. It’s DNS C2, really, to Canarytokens, to say, hey, this unique string dot canarytokens.org, or whichever domain it uses.
And they say, oh hey, just so you know, nltest was run. It’s a token, so it just alerts you. Doesn’t matter what SIEM you have, doesn’t matter what fancy email addresses, it just sends an email.
Can you install this on one machine? If anybody that’s not Kurt can install this on anybody but not Kurt’s machine, you’d be a heck of a lot better.
They’ll happily sit there for days and years. Canary tokens are awesome. And yes, if you don’t want it to phone home to Red Canary, who’s behind canary tokens, then you can set up your own canary token server.
Let’s be honest, that’s one more box you have to keep running. I’d rather just use theirs. But you do you. Anyway, I love canary tokens. Look, if you send 17,000 alerts for logon failure on the outside world, but you’re not monitoring those logs.
My adversary is not the IDS. The IDS doesn’t stop me. The IDS just notices that I did something bad. I’ve screwed up. I’ve had DC1, right, where I ran meterpreter.exe.
I essentially uploaded meterpreter.exe to DC1 SYSVOL. Right, and it was flagged as malicious and removed.
Oops. But no, sorry, Thinkst Canary. Yeah, Red Canary was great too. And it was flagged and removed, but nobody responded.
AV logs are some of the best logs to set really damn high-fidelity alerts on. So shortly thereafter, I uploaded to DC1 SYSVOL not-meterpreter.exe, which was not flagged as malicious, because this time I remembered to do some encoding, which is coming up quite shortly in SANS Security 580 later today, actually. Anyway, meterpreter1.exe also works. Yeah, unskip slides.
Okay, so here’s another thesis statement, a takeaway for you. If an attacker can get in easily and gain access to data quickly, it doesn’t matter how good your detection and response capabilities are. They will get in and then they will gain access to data.
It will happen. Let me rephrase that more succinctly. If attackers can both get in and win in less than an hour, you’re boned.
Fix that: have them get in less often and make it take longer than an hour for them to win. Would you like to know more about that? I have a whole other presentation, bit.ly/topattacks, on slowing down attackers, link in the Discord, and I have more at the end.
So when an attacker gets in, it starts two races. But yeah, prevention is ideal, but detection is a must. It’s an old, tired phrase. How about: prevention is ideal, but it’s also impossible.
100% prevention is impossible. So we need to minimize the incidents, but then we need early detection and quick response. Right?
So, canary tokens. Can you test a canary token on your own personal machine today? Make sure it works? Understand it. It’s a registry key, you can look at it, it’s a plain text file.
Can you do that today? Could you talk with one coworker tomorrow about deploying, on one machine, one canary token? It can go to your work email address at first.
Could you deploy more of them? Can you get it scheduled to deploy more of them? Doesn’t have to be everyone. Start somewhere. Yes, we’re talking about a lot of steps here, but keep walking.
I have a whole other presentation, bit.ly/findingattackers, if I get the link right. I have to fix the short link anyway.
And we want to make sure attackers can’t win quickly. That’s the bit.ly/topattacks. Look through your mapped file shares. Hey, how much data do you have in Slack? How much do you have in SharePoint?
How much data do you have in Teams that people can access as any domain user, effectively, or Entra ID user? All right, so we are at what, 47 after?
This is the link with all of the links. I will just share all of this inside of discord as well.
So you have one fewer click for you. But I’m here for questions for ten plus minutes.
I’m going to take a long awkward drink of water.
Zach Hill
Hey Jeff, fantastic job today man. You were killing it with all the questions and everything too.
Jeff McJunkin
Yeah, I’m trying to keep it interactive, but let’s see. Juan asks, what are your top five detections? Canary tokens for sensitive commands is one of my absolute favorite go-to’s,
because those you can deploy to your average enterprise endpoint. Your average desktop is the most common machine for attackers to gain access to. Add in anything available externally, like your Exchange server or.
Sorry, but we’ve had a lot of bad days of VPNs and firewalls as well. Oh, hi Deb. Hi friend. How often do I have Sysmon deployed? Oh man, I love Sysmon so much.
I did a whole thing on this recently, but sysmon-modular is awesome. I’m just going to dump links at you, because I don’t have time for the full presentation on it. sysmon-modular is how you configure Sysmon, enough for now.
Then there is, by the Hayabusa team on GitHub, Yamato Security also has a repository for EnableWindowsLogSettings.
There we go. This essentially is a batch file that is very fancy about how to enable a bunch of built-in Windows logs. Because the default logs are crap.
You can enable a whole bunch more to be a heck of a lot better off with just the built-in Windows event logs. And then there is Windows Event Forwarding. But the absolute best way to start is via CISA’s
Logging Made Easy. Logging Made Easy walks you through Windows Event Forwarding and Sysmon installation to one Windows Event Forwarder server.
And then the Windows Event Forwarder server has Winlogbeat that sends to an ELK server. I feel like about half the audience got scared when I said an ELK server. They say install Docker and we’ll take care of the rest.
Run this Docker container and we got it for you. It’s wonderful. Please, please, please.
Zach Hill
Logging made easy like for real, as you’re talking about all this, you’re making all of this extremely easy and accessible for everybody and I love it.
It’s fantastic, man.
Jeff McJunkin
Did you keep things actionable? Go ahead.
Megan Lucia
Did you see the question? Could you use Burp when trying to log into this site and catch the request?
Jeff McJunkin
Yes, absolutely. Burp is one of the many tools you could use for that password guessing. It wouldn’t help you with retrieving passwords, because you were the one that has to provide that password. So you could monitor your own traffic outbound, where I guessed username Jeff and password “Zach is the best!”
But that’s the only one. I already had that password. So it is one of the many tools that you could use for the password guessing. But there’s plenty of tools for that. Hydra, ligba, Ncrack.
There’s plenty of tools. Let’s see.
Megan Lucia
Do you have your own YouTube channel?
Jeff McJunkin
I do not. Okay, I present a fair bit for Black Hills stuff, Antisyphon stuff. I have a decent number of, I mean, the presentations at this slide are all online and available.
Technically, I have a YouTube channel that has like four presentations or something like that.
Megan Lucia
In Shodan, what is the way to look up IP addresses via CIDR?
Jeff McJunkin
Oh, you can do IP. So, fun fact, there is, on the SANS Pen Test blog, there is Shodan searching.
There we go. Josh Wright and I did a blog post years ago for the Holiday Hack Challenge on Shodan search usage, because they don’t make the
search operators very obvious. So I think I wrote this and Josh did the final editing and posted it there. So that’s a good start. But yeah, you can do net. ip is one specific IP.
So, net, you can do the CIDR notation. So thank you, Extreme Paperclip.
Zach Hill
Jeff, I really appreciate you being on here. And just from the audience’s response, more than likely, of course, like, always interested in having you back, but I really want to hear from the audience, like, what would you all want to see from Jeff if he came back?
It’d be based off what you saw today. I’m really curious to see, because especially at the end there, like, I felt like you were providing so much value there. I don’t know if you’d come back, talk more about all those resources.
’Cause that seems like such a great, like, intro to a lot of this.
Jeff McJunkin
There was the comment earlier about bit.ly fighting attacker. It’s bit.ly detecting attackers. I had the wrong link earlier in the presentation. So one, I can edit that, finding attackers, and two, I think that’s the presentation I want to revamp next.
So that might be a good one to have first live on Anti-Casts. Might be a good spot for it, because I want to revamp this presentation.
Zach Hill
You tell me when you’re ready, sir.
Megan Lucia
Yes.
Zach Hill
And we’ll make it happen.
Megan Lucia
Yes, absolutely.
Jeff McJunkin
For sure.
Zach Hill
Absolutely. No, we appreciate it. Everybody like, everybody loves you, man. Great, dude. I love it.
Jeff McJunkin
Good number of participants, too. We got 500 plus. Yeah, that doesn’t count, like, the YouTube, and is it Twitch as well? I forget.
Zach Hill
Just YouTube and LinkedIn.
Megan Lucia
Yeah, YouTube.
Jeff McJunkin
Oh, LinkedIn as well. Hello, LinkedIn. Hello, YouTube. Hello, Zoom.
Megan Lucia
Restream will come in.
Jeff McJunkin
And I. Oh, Vagabond asks: most companies now are using single sign-on, right. Main things to look for as defense and offense? Yes.
Microsoft is correct that 100% of the Fortune 500 use Active Directory. On-prem, we say, oh yes, we’re moving to the cloud. No, we’re moving to the cloud as well.
On-prem AD is going away in the exact same sense that IPv4 is going away because we’re going to finish the IPv6 migration. I 100% mean that. It is not going away. On-premise will not die.
So yes, they’re single sign-on, but it all comes back to some on-prem technologies. And if you’re domain admin, here’s another thesis statement: if I am domain admin, I can gain access to anything any of your employees access.
Oh, but it’s behind an air gap. Oh, but it’s a different authentication system. Yeah, but somebody shared an SSH key. Someone has it on their domain-joined machine. Oh, it’s up in the cloud.
Well, find where on-prem is syncing to AD, the Azure Entra ID Connect sync server, and steal those credentials. It can happen.
ADFS, Connie mentions, is one of my absolute things to search for. inurl. There you go. Let’s get a bonus little finding for you. One of my favorite Google searches by far, shared inside of Discord.
Search for anything that has this link, IdpInitiatedSignOn. It essentially exposes a dropdown list of every service that uses Entra ID, Azure AD, to the outside world.
If this were a bug bounty for this organization, which is the VA, it should be eligible.
Zach Hill
That is crazy.
Jeff McJunkin
Yeah, I love ADFS as a pen tester. I hate it so much as a defender, because it’s a web server that is fronting Active Directory.
That’s it.
Zach Hill
You have my mind blown right now. Yeah, I love the gif in the chat, because I’m like, that’s crazy. I want to hear more from you about why you think on-premise AD is staying forever, just like IPv4.
Jeff McJunkin
Sure. So unless. So, let’s talk about zero trust. Zero trust, mostly now, is just a vendor phrase that means nothing.
It means whatever the vendor wants to tell you, just like AI, all the things. Right. But zero trust should mean that there is no special network where the source IP matters.
Everything is exposed to the outside world. We authenticate every request. It’s almost all via web-native protocols. If you have a special subnet, if you have boxes that have SMB directly between each other, that’s the opposite of zero trust.
And organizations are not in any reasonable way making their way towards that, for larger organizations. Look, there are no broad, sweeping statements that will always apply.
There will be organizations that do get rid of their on-prem AD entirely, but it’s a vanishingly small percentage. Large enough organizations, the organizational momentum will keep them having on-prem effectively forever.
And yeah, there are plenty of organizations where, by fiat, they can’t have cloud things. Andy rightly mentions.
Megan Lucia
Any open source security tools for Kubernetes monitoring?
Jeff McJunkin
So there is, for Kubernetes, Jay Beale, who has Peirates.
That’s more on the offensive side, because for the defensive side of containers, it’s mostly, gosh, I have a wonderful segue for this one.
DevSecOps, State of DevSecOps, Datadog. There’s a stream coming up for Datadog’s State of DevSecOps, because they had a wonderful report that came out about, well, DevSecOps-y things, and there’s a quote from a guy about it.
And I’ll be on their webcast coming up. So that’s one of the questions into that presentation coming up here shortly.
Megan Lucia
I lobbed that one up, and I didn’t even mean to look at that.
Jeff McJunkin
Let’s, let’s see, webcast. It’s coming up in a few weeks. I forget. There you go. Live stream. You can register now.
Megan Lucia
Yes. Andrew is great. I love Andrew over there.
Jeff McJunkin
Oh, yeah, yeah. He also teaches Francis. Yeah, cloud security. He also lives like, 3 miles from me and was my best man. Like, that’s awesome.
Zach Hill
That’s so crazy.
Megan Lucia
That’s so cool. I love Andrew.
Jeff McJunkin
Let’s see, we got a couple minutes left. I don’t have a hard stop at the top of the hour, but any last questions?
Megan Lucia
There is one that’s, what’s a good resource for canary command setup?
Jeff McJunkin
Don’t worry too much. The existing command works already. It effectively launches PowerShell that just makes a DNS request to a unique subdomain of Canarytokens, and then the command works as normal.
So don’t worry too much. As long as that box can make a DNS request, the binary still works as normal. It just also sends you an alert. So don’t worry that much.
With that said, yes, go to Canarytokens. Try it in your own environment for a bit, on a lab box first. But don’t worry too much. Make sure that it works.
Make sure you know how to trigger it. And if you don’t already have a way to find out what binaries are running inside your environment, that is a problem to solve.
You effectively cannot win as a defender unless you know what binaries are running inside your environment. Sysmon can help you with this. Logging Made Easy can help you with this.
The links I’ve already shared, the EnableWindowsLogSettings by Yamato Security, adds some additional logging, because the detailed audit logs, I think “detailed process audit logs” is the name of the non-default logs by Microsoft that are built into Windows.
Even if you don’t allow Sysmon in your environment, which, if you don’t allow Sysmon, fun fact, Sysmon is my absolute favorite EDR, and it doesn’t have an R.
It’s not endpoint detection and response, it’s just endpoint detection. It’s still my favorite EDR, because you can customize it yourself to your own organization, as opposed to just taking the known-bad signatures from the vendor.
And it’s essentially swearing fealty to some vendor and hoping that they’ll take care of you. But they don’t actually have a real financial incentive to help you that much. Yeah, Sysmon Event ID 1 is awesome for “new process was started.”
That way you could find out what binaries are run inside your environment, and then look at The DFIR Report, which I’ve already mentioned, thedfirreport.com. Look through a few of those, find out what binaries are run by threat actors recently, like nltest.exe, and if you don’t run it, add a detective control for it.
It won’t trigger by anybody other than attackers. So you’re good to go. Is there a Sysmon equivalent for Linux? Yes, it’s called Sysmon. It’s available for Linux as well. Recently, how many orgs have I seen deploy Sysmon during my pentest journey?
A handful, and I’ll be biased. It’s because I’m also a sysadmin that has helped organizations deploy Sysmon that I then pen tested. So I have enabled defenses against me.
But that’s, pen test and defense are two sides of the same coin. My goal is to improve security of the organization. Defense’s underlying goal is to prove security of the organization. It’s the same goal.
We have different ways of going about it, but it’s the same goal.
Zach Hill
Love it. Man. You are on top of it too. You’re hitting the questions before we can even help you out here.
Megan Lucia
I know, I was trying to keep up.
Jeff McJunkin
There’s a few chats to work with, for sure.
Zach Hill
Do you still have a few more minutes to answer questions or.
Jeff McJunkin
Yeah, I could do. I could do. Yeah, probably three more minutes.
Zach Hill
Do you have any good resources for setting up a new company and how they should do things? Not on-prem; use Azure, use Google, something else?
Jeff McJunkin
So anywhere you can entirely remove attack surface, like it’s just not available anymore, you’re in a much better spot. So if you’re talking about a company that mostly exists online, that essentially everything’s behind a web browser, then you could do a hell of a lot worse than YubiKeys with NFC, or the security token equivalent from Google, on Chromebooks, because you don’t have the opportunity to run local binaries. That attack surface just isn’t there.
And security keys on all of the accounts. That would imply Google for email as well. For Entra ID, you can do multifactor as well, but it’s really nice to reduce the endpoint attack surface entirely.
My favorite EDR, Older Gamer, was Sysmon, despite it just being ED. Not that Ed.
Zach Hill
Chubb says: Great presentation, Jeff. They work in a small IT shop for a college. There’s eight of us there. They’re the only dedicated person to infosec, and they’d like to receive more training, and they’re interested in SANS courses.
Training, but they’re pricey. Do you have any resources you might recommend?
Jeff McJunkin
Yes, the best cheat code on the SANS side is sans.org work study. The work study program, where instead of being full price, which is a point of contention at times, you pay $2,500.
And that way it also comes with the OnDemand bundle and your GIAC certification.
So if you look at your effective hourly rate of being a facilitator in the physical classroom, it is friggin’ amazing.
Megan Lucia
You mentioned VPN as an attack vector. Can you provide any source to read on VPN breach, IPsec?
Jeff McJunkin
Yeah, I see that, Joseph. So yes, oftentimes it’s literally just like Cisco VPN.
What’s the HTTPS, AnyConnect? That’s the one. It’s just like we did before with Exchange Web Services. It’s username, password, and POST. So swap in whatever tool you want and test.
It’s not quite the same. I gave RDP as the access here because it’s one of the few where you get direct code execution. I wasn’t admin on that box, but I didn’t have to be. But VPN, you have network access, so there’s all sorts of things you can do, because you’ve already authenticated as one user.
So you can see the domain controller. You could run things like AD Explorer and SharpHound and all the other pen tester tricks. And as a reminder, there’s more on that at bit.ly/topattacks for those pen tester tricks.
Megan Lucia
I don’t know if you saw this question. Any advice on solutions for post-compromise, along the lines of Cyber Triage or THOR Lite?
Jeff McJunkin
Where is that one?
Megan Lucia
It’s in, open.
Jeff McJunkin
Oh, so I’m not familiar with Cyber Triage or THOR Lite. Host breach remediation and making damn sure that you have kicked out the attacker is hard.
One of my favorite resources to get started is Sean Metcalf’s sneaky AD tricks, to get you started on some of the ideas of how attackers can stay inside of environments.
Did you add that to answered, or dismiss it?
Megan Lucia
Dismissed. Yeah. So they answered it live.
Jeff McJunkin
That’s fine. I’ll share that link inside of Discord. And there are many, and I’ll find it. Sean isn’t great about always updating these posts with all of it. So if you search for “sneaky persistence” at his website, you’ll find more that aren’t even listed there.
I still have the slow mode on.
Zach Hill
Sorry. Capping. You.
Jeff McJunkin
Like Nextron? I do like THOR. YARA scans inside your environment. I’m also a fan of Velociraptor. And there is a Threat Hunting with Velociraptor class happening at Wild West Hackin’ Fest this October,
coming from Eric Capuano and Whitney Champion, whose last name may have changed because they got married last weekend.
Yeah.
Megan Lucia
Did not know that. That’s awesome.
Zach Hill
That’s cool.
Megan Lucia
Yeah, and people that are looking for training, we will have training after the summit. So we’ll post a link to the after-summit training classes that we’re going to have.
But we also have a pretty, pretty big on-demand catalog as well, and some other live, more live classes coming up.
Jeff McJunkin
Yeah, some of their classes are not available on demand. I know the threat hunting one isn’t. I sat that one last year. So let me give my firm endorsement of, Eric and Whitney did a wonderful job with that class.
I think they were a little scared when they’re like, wait, Jeff registered? Jeff’s fine. Jeff can be a student too. Jeff won’t, Jeff won’t raise his hand every 3 seconds. It’s fine.
Megan Lucia
I’m sure you would add so much lively discussion to the class.
Zach Hill
Right?
Jeff McJunkin
I was the token attacker in the room. Right?
Megan Lucia
The plant.
Jeff McJunkin
Yeah.
Zach Hill
Yeah. So as Megan mentioned, we do have our Incident Response Summit coming up in June. So if you all haven’t checked that out yet, I put a link in the chat. I would encourage you to join us for that. It’s a free summit, so we’ll have talks all day surrounding incident response.
I’m very excited for it. And of course, those following two days after the summit, we’ll have some training there as well. Very excited for that. Next week we have Michael Allen coming up on the Anti-Cast, where he’s going to talk about forging fake news and spawning flawless fisheries.
Megan Lucia
Wow, that’s a mouthful.
Zach Hill
Right? And I wasn’t sure I was going to get all out. Nailed it.
Megan Lucia
Nailed it.
Jeff McJunkin
This is one of my, so I very rarely have the energy to watch an entire hour-long presentation via YouTube.
And this is one of the times that I absolutely was just enthralled the entire time, watching from start to finish. I’m pretty sure it was this link I’m sharing inside of Discord now, because start to finish, he goes through an entire incident response, from, hey, we got the report of something, somebody saw something fishy, to:
we now know where the attack, how the attacker got in, where they spread laterally to, all of the searches involved with Velociraptor. It’s a really damn good teaser to get you started with Velociraptor.
The class also has how to deploy it, which is great.
Megan Lucia
Really quick, what was the Logging Made Easy link? So I can put it in Zoom.
Jeff McJunkin
Yes, it is here.
Zach Hill
Awesome.
Jeff McJunkin
I put it in Discord.
Megan Lucia
Okay, sweet.
Jeff McJunkin
You can save it from the screen, but yeah, it’s in Discord right now.
Megan Lucia
Sweet.
Zach Hill
Thank you, sir.
Megan Lucia
Thank you.
Jeff McJunkin
Absolutely.
Zach Hill
Yeah, we appreciate you being here with us today and, definitely going to be reaching out to have you back. No, people would love to see you.
Jeff McJunkin
Elise mentions no Discord there. Yeah, the links will be shared elsewhere as well, on the resources page, so don’t worry too much.
Megan Lucia
I let Elise know that you can go back and watch the recording, and maybe join later from.
Jeff McJunkin
Home, for all this might be the easiest way.
Megan Lucia
Yeah.
Jeff McJunkin
All right, I have to run away. All right. Thank you all for letting me join today.
Zach Hill
Yeah, thank you very much for being here. Appreciate you. Be sure, if you guys are interested, you have any questions for us at Antisyphon in regards to training or anything related to your cybersecurity journey, we are going to be doing our breakout room, so you can join us in our breakout room.
If you have, or if you’re logged in with the Zoom application, you should see a link there at the bottom for a breakout room. You can join us there, ask us questions. I’ll be jumping in that room here in just a minute, but please be sure to stay tuned for next week, where we’ll have Michael Allen back.
And please be sure to check out our Incident Response Summit coming up in June. So thank you. Yeah, absolutely.
Jeff McJunkin
My very last plug. Hi, everyone. As of about a week and a half ago, I also turned in the latest version of SANS Security 560. I am now the lead author of SANS Security 560 on the SANS side.
Megan Lucia
Wow, so you’re the new Dread Pirate Roberts?
Jeff McJunkin
Yes. I am not the original Dread Pirate Roberts, but I am a Dread Pirate Roberts. So if I may appease my overlords, I will share one link.
But yes.
Zach Hill
Thank you, sir.
Jeff McJunkin
I have to run away. Thank you all so much and have a wonderful day, everyone. If you all have a webinar for attendees button.
Zach Hill
Oh, no, don’t do that.
Jeff McJunkin
Yeah, I’m going to groot it right now. All right, goodbye, everyone.
Megan Lucia
Bye, Jeff.
Zach Hill
All right, if y’all are interested in our breakout room, I’m going to head there now and I will see you there. Otherwise, you all have a great day and thanks for joining us.