DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!)
Ways to make malware not work
Security by obscurity (because sucker punches work, even though nobody wants to admit it)
"Hack Back" tricks - *TRY AT YOUR OWN RISK*
Why buy the cow when you can have the milk for free?

Ways to make malware not work
Usually the purpose of a 0day is to execute malware. If you stop that malware from executing, you essentially mitigate the 0day.
0day (and its often attached malware) tends to fail in the wild, like A LOT. When it does, it makes errors. If you can catch those errors in context, sometimes you get to keep / analyse the malware AND THE 0DAY!
tl;dr, make your environment unpredictable so that you spend less time threat hunting and more time seeing stuff actually being thrown at you! (aka: NOT GETTING PWNED)
Methods:

Reorder all the syscalls
"Remove" your shell
Actually remove bash from the box
Use unix noshell on every user and then point ssh to a binary that downloads a shell and runs it upon login
Backdoor your own utilities...
SSH "dupe" setup...
https://github.com/stealth/sshttp
Port 22: sshttp, which tells SSH and HTTPS traffic apart and hands each to its backend
Port 8443: actual SSH server
GCC shouldn't be on boxes in prod anyway...
Replace GCC with a binary that never actually outputs the file to disk but DOES run it through VirusTotal and give you alerts
Tripwire apps that modify the filesystem
cp / mv / ln = if target == "core lib" { wtf_are_you_doing() }
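Worked example (added here, not code from the talk): a Python drop-in that gets installed under the names cp, mv and ln ahead of the real tools, refuses any call whose operands land in a core library directory or in /etc/ld.so.preload, writes an alert, and otherwise execs the genuine binary. REAL_TOOL_DIR, ALERT_LOG and the protected path list are assumptions to tune per box.

```python
import os
import posixpath
import sys

# Locations no routine cp/mv/ln should write into or remove from (assumption: tune per distro).
PROTECTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# /etc/ld.so.preload is the classic LD_PRELOAD persistence spot, so it is guarded as a file.
PROTECTED_FILES = ("/etc/ld.so.preload", "/etc/ld.so.conf")

REAL_TOOL_DIR = "/usr/local/libexec/real-tools"  # where the genuine binaries were moved (assumption)
ALERT_LOG = "/var/log/tripwire-wrappers.log"     # alert sink (assumption; swap for syslog/logger)


def normalize(path, cwd="/"):
    """Resolve relative paths and '..' lexically so '/tmp/../usr/lib/x' is caught."""
    full = path if path.startswith("/") else posixpath.join(cwd, path)
    return posixpath.normpath(full)


def is_core_lib_path(path, cwd="/"):
    """True when the path points into a protected library directory or at a guarded file."""
    full = normalize(path, cwd)
    if full in PROTECTED_FILES:
        return True
    return any(full == pre or full.startswith(pre + "/") for pre in PROTECTED_PREFIXES)


def protected_targets(argv, cwd="/"):
    """Operands of a cp/mv/ln call that land in protected locations.

    Every operand is checked, not just the destination: a move also destroys its source,
    and a symlink whose target is a core lib is worth knowing about too.
    """
    operands, only_operands = [], False
    for arg in argv:
        if only_operands:
            operands.append(arg)
        elif arg == "--":
            only_operands = True          # everything after '--' is an operand
        elif arg.startswith("-") and len(arg) > 1:
            continue                      # an option such as -f, -s or --preserve
        else:
            operands.append(arg)
    return [op for op in operands if is_core_lib_path(op, cwd)]


def alert(tool, argv, hits):
    line = (f"tripwire tool={tool} uid={os.getuid()} ppid={os.getppid()} "
            f"cwd={os.getcwd()} hits={hits} argv={argv}")
    try:
        with open(ALERT_LOG, "a") as fh:
            fh.write(line + "\n")
    except OSError:
        print(line, file=sys.stderr)


def main():
    tool = os.path.basename(sys.argv[0])   # the same script is installed as cp, mv and ln
    args = sys.argv[1:]
    hits = protected_targets(args, os.getcwd())
    if hits:
        alert(tool, args, hits)
        sys.exit(77)   # fail loudly; legit admins have the real tool aliased in their shell prefs
    real = os.path.join(REAL_TOOL_DIR, tool)
    os.execv(real, [real] + args)


if __name__ == "__main__":
    main()
```

Install it by moving the real binaries into REAL_TOOL_DIR and symlinking the script as /usr/local/bin/cp, mv and ln (earlier on PATH); legit admins reach the real tools through shell aliases. Package managers and build scripts that legitimately write into /usr/lib need either the real tool or an allow-list, so expect to tune the prefixes before this goes anywhere near prod.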
Make uname "lie"
Modprobe
Check that the module contains this super secret squirrel token that is in all my modules
"Decrypt" binaries before loading
Rename modprobe to something else and make modprobe send a security alert
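Worked example (added; not from the talk) putting the modprobe slides together: the genuine modprobe has been renamed to REAL_MODPROBE, this wrapper takes its place, every call to the plain name is logged, and a module is only passed through when its image contains the site-private marker string that all home-built modules carry (for instance via MODULE_INFO in their source). REAL_MODPROBE, MARKER_FILE, ALERT_LOG and the marker value are assumptions; the modules in demo() are constructed byte strings, not real kernel objects.

```python
import os
import subprocess
import sys

REAL_MODPROBE = "/usr/local/sbin/kmod-load-quietly"   # the renamed genuine modprobe (assumption)
MARKER_FILE = "/etc/modprobe-site-marker"             # holds the site-private marker string (assumption)
ALERT_LOG = "/var/log/modprobe-wrapper.log"           # alert sink (assumption)


def module_has_marker(module_bytes, marker):
    """True if the marker string occurs in the module image (e.g. in its .modinfo section).

    An empty marker never matches, so a missing marker file fails closed. Compressed
    modules (.ko.xz / .ko.zst) must be decompressed before this check; it is a byte search.
    """
    return bool(marker) and marker in module_bytes


def module_names(argv):
    """Operands of a modprobe call; options such as -q or --first-time are skipped."""
    return [a for a in argv if not a.startswith("-")]


def decide(argv, marker, resolve):
    """Return ("load", names) or ("alert", reason).

    `resolve` maps a module name to its bytes, or None if it cannot be found; it is
    injected so the policy can be exercised without touching the host.
    """
    names = module_names(argv)
    if not names:
        return ("alert", "modprobe called without a module name")
    for name in names:
        data = resolve(name)
        if data is None:
            return ("alert", f"unknown module {name}")
        if not module_has_marker(data, marker):
            return ("alert", f"module {name} lacks the site marker")
    return ("load", names)


def resolve_on_host(name):
    """Locate the module file the way modprobe would (modinfo -n prints its path) and read it."""
    res = subprocess.run(["modinfo", "-n", name], capture_output=True, text=True)
    try:
        with open(res.stdout.strip(), "rb") as fh:
            return fh.read()
    except OSError:
        return None


def log(msg):
    line = f"modprobe-wrapper uid={os.getuid()} ppid={os.getppid()} argv={sys.argv[1:]} {msg}"
    try:
        with open(ALERT_LOG, "a") as fh:
            fh.write(line + "\n")
    except OSError:
        print(line, file=sys.stderr)


def main():
    try:
        with open(MARKER_FILE, "rb") as fh:
            marker = fh.read().strip()
    except OSError:
        marker = b""                      # fail closed: nothing matches an empty marker
    verdict, detail = decide(sys.argv[1:], marker, resolve_on_host)
    if verdict == "alert":
        log("ALERT " + detail)
        sys.exit(1)
    log(f"NOTICE plain modprobe used for {detail}")   # legit admins call the renamed binary directly
    os.execv(REAL_MODPROBE, [REAL_MODPROBE] + sys.argv[1:])


def demo():
    """Constructed module images: one carries the marker in a fake .modinfo, one does not."""
    marker = b"site_marker=squirrel-7f3a"
    fake_modules = {
        "mymod": b"\x7fELF..vermagic=6.1.0 SMP mod_unload\x00" + marker + b"\x00license=GPL\x00",
        "rootkit": b"\x7fELF..vermagic=6.1.0 SMP mod_unload\x00license=GPL\x00",
    }
    resolve = fake_modules.get
    return (decide(["mymod"], marker, resolve),
            decide(["rootkit"], marker, resolve),
            decide(["-q", "ghost"], marker, resolve))


if __name__ == "__main__":
    main()
```

The check is a plain byte search, so it is only as secret as the marker: it raises the bar for a loader that expects stock modprobe, it does not replace kernel module signature enforcement, which is where the "decrypt before loading" idea should eventually land.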
Break all the things!
... and then alias all the things in the user prefs of legit admins
One app to rule them all!
aka: "the initramfs trick"
Get full crash dumps
https://support.microsoft.com/en-us/help/927069/how-to-generate-a-complete-crash-dump-file-or-a-kernel-crash-dump-file
Rename the Powershell exe (just like the bash trick but for windows)
Over-the-shoulder transcription
https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
Hook OpenProcess() to look for well targeted applications
Notepad, Calc, Explorer
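Worked example (added; not from the talk). The hook itself is native code living in a DLL, so what is shown here is the policy such a hook would enforce, written in Python so it can also be run over Sysmon Event ID 10 (ProcessAccess) records: a watched target (Notepad, Calc, Explorer) opened with memory-write or thread-creation rights by anything other than known tooling is an alert; query-only opens are not. The access-right constants are the documented Win32 values; the allowed-caller path and the events are constructed placeholders.

```python
# Win32 process access rights (documented constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# The "well targeted" victims from the slide: nothing legitimate writes into their memory.
WATCHED_TARGETS = {"notepad.exe", "calc.exe", "explorer.exe"}
# Callers that open arbitrary processes for a living (assumption: placeholder path, tune locally).
ALLOWED_CALLERS = {r"c:\program files\example-edr\agent.exe"}


def parse_access(value):
    """Accept an int, or the '0x1FFFFF' hex string Sysmon puts in GrantedAccess."""
    return value if isinstance(value, int) else int(value, 16)


def verdict(event):
    """Classify one process-access event.

    Event keys (assumed shape, mirroring Sysmon Event ID 10 fields): source_image,
    target_image, granted_access. Returns (action, reason), action 'allow' or 'alert'.
    """
    target = event["target_image"].rsplit("\\", 1)[-1].lower()
    source = event["source_image"].lower()
    access = parse_access(event["granted_access"])
    if target not in WATCHED_TARGETS:
        return ("allow", "target not watched")
    if not access & INJECTION_RIGHTS:
        return ("allow", "query-only access")        # task managers, status tools
    if source in ALLOWED_CALLERS:
        return ("allow", "known tooling")
    if source == event["target_image"].lower():
        return ("allow", "self access")
    return ("alert", f"{source} opened {target} with 0x{access:06x} (write/thread rights)")


SAMPLE_EVENTS = [  # constructed
    {"source_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "target_image": r"C:\Windows\System32\notepad.exe", "granted_access": "0x1FFFFF"},
    {"source_image": r"C:\Program Files\Example-EDR\agent.exe",
     "target_image": r"C:\Windows\System32\notepad.exe", "granted_access": "0x1FFFFF"},
    {"source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\explorer.exe", "granted_access": "0x1000"},
    {"source_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "granted_access": "0x1FFFFF"},
    {"source_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "target_image": r"C:\Windows\System32\calc.exe", "granted_access": "0x0028"},
]


def demo():
    """Run the policy over the constructed events; returns a list of (action, reason)."""
    return [verdict(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, v in zip(SAMPLE_EVENTS, demo()):
        print(v[0].upper(), e["source_image"], "->", e["target_image"], "|", v[1])
```

A user-mode OpenProcess hook only sees callers that go through the Win32 API, so keep the kernel-sourced telemetry (Sysmon/ETW) as the backstop and treat the hook as the cheap, early tripwire; the same policy function serves both feeds.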
Backdoor reg edit
Who's using it and why? What is being edited? (key on specific reg keys like AppInit_DLLs, etc)
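Worked example (added; not the talk's code): a Python stand-in for regedit.exe that logs who invoked it and, for scripted imports (regedit /s file.reg), parses the .reg file and refuses to pass it to the real regedit when any section touches a watched key such as the AppInit_DLLs location, Image File Execution Options, the Run keys or Services. REAL_REGEDIT, ALERT_LOG and the watched-key list are assumptions; SAMPLE_REG is a constructed import file.

```python
import getpass
import os
import re
import subprocess
import sys

REAL_REGEDIT = r"C:\Windows\regedit-real.exe"        # the renamed genuine regedit (assumption)
ALERT_LOG = r"C:\ProgramData\regedit-wrapper.log"   # alert sink (assumption)

# Keys whose modification is classic persistence or injection; matched case-insensitively
# against the section key or any subkey of it.
WATCHED_KEYS = (
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows",   # AppInit_DLLs
    r"hkey_local_machine\software\wow6432node\microsoft\windows nt\currentversion\windows",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\system\currentcontrolset\services",
)

SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")              # [-KEY] deletes the key
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')        # "name"=data or @=default


def parse_reg(text):
    """Return [{key, delete, values}] per section of .reg text.

    Continuation lines of hex(...) values (trailing backslash) are skipped; the value name
    was already captured from the first line, which is all the policy needs.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.lower().startswith("windows registry editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"key": m.group(2), "delete": m.group(1) == "-", "values": {}}
            sections.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            current["values"][name] = m.group(2)
    return sections


def findings(sections):
    """(key, action, value names) for every section that touches a watched key."""
    out = []
    for s in sections:
        k = s["key"].lower()
        if any(k == w or k.startswith(w + "\\") for w in WATCHED_KEYS):
            out.append((s["key"], "delete" if s["delete"] else "set", list(s["values"])))
    return out


def read_reg(path):
    """regedit exports are UTF-16LE with a BOM; hand-written files are often UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def log(msg):
    line = f"regedit-wrapper user={getpass.getuser()} ppid={os.getppid()} {msg}"
    try:
        with open(ALERT_LOG, "a") as fh:
            fh.write(line + "\n")
    except OSError:
        print(line, file=sys.stderr)


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    for path in [a for a in argv if a.lower().endswith(".reg")]:
        try:
            hits = findings(parse_reg(read_reg(path)))
        except OSError as exc:
            log(f"ALERT unreadable import {path}: {exc}")
            sys.exit(1)
        if hits:
            log(f"ALERT import {path} touches watched keys: {hits}")
            sys.exit(1)                 # nothing applied; the real regedit is never reached
    log(f"NOTICE regedit argv={argv}")  # the "who and why" trail for interactive use
    subprocess.run([REAL_REGEDIT] + argv)


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\Public\\helper.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_CURRENT_USER\Software\ExampleApp\Settings]
"Theme"="dark"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"""


def demo():
    """Parse the constructed import and report which sections would block it."""
    return findings(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    main()
```

This only covers edits that go through regedit; changes made with reg.exe, PowerShell or the API never pass through it, which is the same limitation as the shell and modprobe tricks. Pair it with registry auditing (Sysmon Event ID 13 on the same keys) for everything that skips the wrapper.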
Auto pe-sieve dll
@hasherezade
Fake SMB
Little Snitch / Micro Snitch (or LuLu if ya have to)
https://github.com/kai5263499/osx-security-awesome#hardening
Methods: ... misc
Open SMB share that nobody has a reason to access (hint, Metasploit SMB link :))
Canary users
"Honey tokens"
Fake AWS tokens
Fake github accounts with poisoned source and/or credz
Browser automated phishing "clickers" (bonus points for fake 2fa)
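Worked example (added; not from the talk) covering both the canary-user and honey-token slides: a scanner over CloudTrail-style JSON records that fires when a planted AWS access key ID or a canary IAM user shows up, and reports where that token was planted, what was attempted, from which IP and with which user agent. Key IDs, user names and the sample records are constructed; the field names are the ones CloudTrail uses.

```python
import json

# Planted AWS key IDs (constructed placeholders; real IDs are 20 chars starting AKIA).
# Each lives in exactly one place, so a hit says what the intruder read.
HONEY_KEYS = {
    "AKIAEXAMPLEHONEY0001": "laptop ~/.aws/credentials (finance)",
    "AKIAEXAMPLEHONEY0002": "git repo config/prod.env",
    "AKIAEXAMPLEHONEY0003": "wiki page 'AWS onboarding'",
}
# Canary users: accounts that exist only to be logged into (constructed names).
CANARY_USERS = {"svc-backup-legacy", "jdoe-contractor"}


def alert_for(record):
    """Return an alert dict if the record uses a honey key or canary user, else None."""
    ident = record.get("userIdentity", {})
    key, user = ident.get("accessKeyId"), ident.get("userName")
    if key in HONEY_KEYS:
        kind, where = "honey_key", HONEY_KEYS[key]
    elif user in CANARY_USERS:
        kind, where = "canary_user", f"canary account {user}"
    else:
        return None
    return {
        "kind": kind,
        "planted_in": where,
        "event": record.get("eventName"),
        "time": record.get("eventTime"),
        "source_ip": record.get("sourceIPAddress"),
        "user_agent": record.get("userAgent"),
        # A honey key's IAM policy should grant nothing; CloudTrail still records the denied call.
        "denied": record.get("errorCode") is not None,
    }


def scan(lines):
    """Run over CloudTrail-style JSON lines; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        a = alert_for(rec)
        if a:
            alerts.append(a)
    return alerts


SAMPLE_LOG = """\
{"eventTime": "2024-03-01T10:00:00Z", "eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLEHONEY0002"}, "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied"}
{"eventTime": "2024-03-01T10:00:05Z", "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "ci-runner", "accessKeyId": "AKIAEXAMPLEREALKEY01"}, "sourceIPAddress": "10.0.0.5", "userAgent": "aws-sdk-go/1.44.0"}
{"eventTime": "2024-03-01T10:31:40Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "jdoe-contractor"}, "sourceIPAddress": "203.0.113.9", "userAgent": "Mozilla/5.0"}
{"eventTime": "2024-03-01T11:12:00Z", "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "finance-ro", "accessKeyId": "AKIAEXAMPLEHONEY0001"}, "sourceIPAddress": "203.0.113.77", "userAgent": "Boto3/1.34.0"}
"""


def demo():
    """Constructed records: one denied honey-key call, one real key, one canary login, one hit."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in demo():
        print(a["kind"], a["planted_in"], a["event"], a["source_ip"], "denied" if a["denied"] else "succeeded")
```

Give each planted key an IAM policy that allows nothing: the call is denied but CloudTrail still records it, and the denied flag in the alert tells you the intruder got nothing. Route the alert somewhere the token's supposed "owner" cannot silence it.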

Security by obscurity

Randomly generate "deny" messages in robots.txt
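Worked example (added; not from the talk): a generator for the decoy Disallow lines plus the detection side, because a decoy is only useful if a hit on it gets noticed. The decoy paths are derived from a seed so a pool of servers agrees on them, and a scanner over access-log lines reports any client that requested one. REAL_RULES and the word list are assumptions; the log lines in demo() are constructed.

```python
import random
import re
from urllib.parse import urlsplit

REAL_RULES = ["User-agent: *", "Disallow: /admin/", "Disallow: /api/internal/"]  # site's genuine rules (assumption)

# Vocabulary for believable-looking decoys; none of these may exist as real routes.
WORDS = ["backup", "old", "staging", "db", "config", "private", "export", "dump", "keys", "uploads"]
SUFFIXES = ["/", ".zip", ".bak", ".tar.gz", ".sql"]


def decoy_paths(seed, count=6):
    """Deterministic from the seed so every node in a pool serves the same robots.txt."""
    rng = random.Random(seed)
    out = set()
    while len(out) < count:
        out.add(f"/{rng.choice(WORDS)}-{rng.randint(2013, 2023)}{rng.choice(SUFFIXES)}")
    return sorted(out)


def build_robots(seed, count=6):
    """Return (robots.txt text, set of decoy paths) with decoys listed after the real rules."""
    decoys = decoy_paths(seed, count)
    text = "\n".join(REAL_RULES + [f"Disallow: {p}" for p in decoys]) + "\n"
    return text, set(decoys)


def decoy_hit(request_target, decoys):
    """The decoy a request path touches, or None. Directory decoys cover everything below them."""
    path = urlsplit(request_target).path
    for d in decoys:
        if path == d or path == d.rstrip("/") or (d.endswith("/") and path.startswith(d)):
            return d
    return None


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')  # combined log format prefix


def scan_access_log(lines, decoys):
    """(client_ip, timestamp, path, decoy) for each decoy hit in Apache/nginx-style log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target = m.groups()
        d = decoy_hit(target, decoys)
        if d:
            hits.append((ip, ts, urlsplit(target).path, d))
    return hits


def demo():
    """Build the file for one seed, then replay constructed log lines against its decoys."""
    text, decoys = build_robots("prod-pool-2024")
    first = sorted(decoys)[0]
    sample_log = [  # constructed; the third line probes the first decoy directly
        '203.0.113.5 - - [01/Mar/2024:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 312 "-" "curl/8.0"',
        '203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"',
        f'203.0.113.5 - - [01/Mar/2024:10:00:02 +0000] "GET {first}?x=1 HTTP/1.1" 404 0 "-" "curl/8.0"',
        '198.51.100.7 - - [01/Mar/2024:10:05:00 +0000] "GET /admin/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    ]
    return text, decoys, scan_access_log(sample_log, decoys)


if __name__ == "__main__":
    text, decoys, hits = demo()
    print(text)
    for ip, ts, path, d in hits:
        print(f"decoy hit: {ip} at {ts} requested {path} (decoy {d})")
```

Make sure the decoy paths are routed nowhere in the real application (a 404 or a slow tarpit) and rotate the seed per deployment; the clean signal comes from the fact that nobody legitimate has a reason to request a path that only ever appeared in robots.txt.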
TCP/redirect + stuff you actually use + mandatory time delay == VERY frustrated attackers
Make bad actors think you're hunting them!
Step 1: Go get some "Blacklists"
Step 2: Write some "software" that gathers information about a host....
Step 3: Build some honey hosts on 1 or 2 DMZs in your IP space that look like the systems you "found"
Step 4: Go back to the "bad person" forum and say "Hey! I found some more, add these blocks!"

1. Register (fbi|cia|fsb|nsa)..com
2. Skin it with a web based honey pot that looks like a lawful interception portal

"Hack-back" tricks

PasswordBackup.autoexec.zip
BeEF hooks in "honey" web app accounts
Solicit shells in your own org...
Distribute disinformation about your org..

Why buy the cow when you can have the milk for free?

VirtualBox + VirusTotal + https://github.com/elazarl/goproxy = DIY FireEye :)
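Worked example (added; written in Python rather than goproxy's Go, and not the talk's code) of the triage step between the proxy and the other two pieces: hash the downloaded body, classify it by magic bytes regardless of the Content-Type the server claimed, flag the "image that is actually a PE" mismatch, decide whether it goes to the VirtualBox sandbox, and build the VirusTotal v3 hash-lookup URL. The VT call and the VM orchestration are left as hooks (they need an API key and a VM); the sample bodies are constructed.

```python
import hashlib

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"  # v3 hash lookup; needs an x-apikey header

# Leading bytes that mark a body worth detonating regardless of what the server claimed.
MAGIC = (
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),          # also docx/xlsx/jar/apk containers
    (b"\xd0\xcf\x11\xe0", "ole"),    # legacy Office binary formats, classic macro carriers
    (b"%PDF", "pdf"),
    (b"#!", "script"),
)
DETONATE = {"pe", "elf", "zip", "ole", "pdf", "script"}
BINARY_KINDS = {"pe", "elf", "zip", "ole"}


def classify(body):
    """Kind of the body by magic bytes, or 'other' for HTML, images and the like."""
    for sig, kind in MAGIC:
        if body.startswith(sig):
            return kind
    return "other"


def triage(body, content_type, url):
    """Decide what the pipeline does with one proxied response body."""
    sha256 = hashlib.sha256(body).hexdigest()
    kind = classify(body)
    claimed = content_type.split(";")[0].strip().lower()
    # A PE/ELF/ZIP served as text/* or image/* is the proxy's cheapest high-confidence signal.
    mismatch = kind in BINARY_KINDS and claimed.startswith(("text/", "image/"))
    return {
        "url": url,
        "sha256": sha256,
        "kind": kind,
        "claimed_type": claimed,
        "mismatch": mismatch,
        "detonate": kind in DETONATE,            # hook: push (sha256, url) to the VirtualBox worker
        "vt_lookup": VT_FILE_URL.format(sha256=sha256) if kind in DETONATE else None,
    }


def demo():
    """Constructed bodies: a PE served as an image, a plain HTML page, and a zip download."""
    samples = [
        (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56, "image/png", "http://example.test/logo.png"),
        (b"<!doctype html><html><body>hello</body></html>", "text/html", "http://example.test/"),
        (b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 24, "application/octet-stream", "http://example.test/update.zip"),
    ]
    return [triage(body, ctype, url) for body, ctype, url in samples]


if __name__ == "__main__":
    for d in demo():
        flag = "MISMATCH " if d["mismatch"] else ""
        print(f"{flag}{d['kind']:6} detonate={d['detonate']} {d['url']} sha256={d['sha256'][:16]}...")
```

Look up hashes before uploading: a hash query reveals nothing, while a file upload shares the sample with every other VirusTotal user, which matters if the download was an internal document. The public API is also rate-limited, so queue lookups rather than firing one per response.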
ELK + (LVM * Dropbox) = FTW!!!
https://www.reddit.com/r/Splunk/comments/2jwiso/10g_free_splunk_dev_license/
Appscan is written in .NET.... :)