
Hack In The Box 2018 - Dubai - Training Intro - Defensive Security / Leszek Mis


This training class has been designed to present students with modern and emerging tools and techniques for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. The highly technical content and the exclusively hands-on, practical approach ensure that applying the transferred knowledge and technologies in real production environments will be easy, smooth and repeatable.

Using an available set of tools, the student will work one by one through well-prepared exfiltration, pivoting and tunneling use cases to generate the true network symptoms of a modern attacker's behavior. Great content for SIEM / SOC team validation.

Published in: Training


  1. In & Out - Network Data Exfiltration Techniques.
  2. About me
     ● Principal Cyber Security Architect / Founder @ Defensive Security
     ● Offensive Security Certified Professional (OSCP)
     ● Red Hat Certified Architect / RHCSS / RHCX / Sec+
     ● Trainer / Speaker at BruCON, OWASP AppSec US, FloCon US, Confidence PL
     ● Areas of interest:
       ○ Adversary simulations and post-exploitation red/blue actions
       ○ Threat hunting and incident response
       ○ Behavioral / statistical / ML network analysis → feature extraction
       ○ Hardening of Linux / web applications / infrastructure
       ○ Penetration testing / OSINT / security audits
       ○ Open source security software
  3. Training intro
     ● Purpose of the training:
       ○ Focus on specific adversary behaviors and artifacts instead of simple IOCs
       ○ Verification that security products and service providers are able to detect what they claim to detect and what they write in their "Security Feature List"
       ○ Network security validation *in your environment* for:
         ■ Data Leakage Protection (DLP)
         ■ IDS/IPS
         ■ (Web) Firewall (-NG)
         ■ ML/DL/AI sensors
         ■ Whitelist / blacklist rules
         ■ Forward security proxies
         ■ Log and netflow visibility
     ● General assumption of compromise → the adversary is already inside your network:
       ○ We (almost) don't care about the exploitation or recon process during the course
  4. Training intro
     ● The training path is easy:
       ○ Run as many exfiltration and post-exploitation scenarios as possible
       ○ Learn, understand and map TTPs to your network collectors
       ○ Chain adversary actions and combine offensive tools together
       ○ While running an arsenal of offensive tactics and tools, we keep thinking blue!
  5. Training intro
     ● ~340 slides
     ● ~50 dedicated hands-on lab exercises
     ● Random lab examples:
       ○ Bypassing whitelists and obfuscation tricks for Linux, cmd.exe and PowerShell
       ○ Port forwarding over DNS tunnelling and transport layer customization
       ○ Generating custom staged and stageless payloads in different formats
       ○ LDAP attribute exfiltration and an unreleased remote DoS for FreeIPA
       ○ Generating HTTP traffic anomalies
       ○ SMB/WMI/*exec through popular cloud services
       ○ Punching holes in your NAT
       ○ Domain fronting and categorization bypassing
       ○ Browser pivoting and network scanning through client-side attacks
       ○ ATT&CK Framework mapping and simulation automation
       ○ Generating custom network traffic directly from Python
  6. Training intro
     ● The combo of: Impacket, Pyexfil, Scapy, Metasploit / Meterpreter, Veil framework, SharpShooter, Shellter, Proxychains, PoshC2, dns2tcp, Pupy, tcpreplay, Suricata, Bro IDS, sg1, nmap, DET, Xfltreat, pytbull, Wireshark, tcpdump, hping, Fruity C2, tuna, RATTE, PowerSploit, Empire Framework, Nishang, corkscrew, Egress-Assess, pivoter, Hydra, Wondjina, TrevorC2, WSC2, sqlmap, BeEF Framework, Twittor, torify, TheFatRat, cloakify, WMIsploit, certutil, SSH, ngrep, nping, iptables, Merlin C2, udp2raw, Volatility Framework, NativePayload_IP6DNS, dnsmasq, thc-flood, knockd, dnstwist, yersinia, DNSExfiltrator, SMBMap, testssl, Firebolt, DumpsterFire, APT Simulator, Cuckoo, icmptunnel, transmission, ngrok and many more.
  7. See you soon in Dubai! leszek.mis@defensive-security.com