The key to a good defense is understanding the offense. Grab your lasso and hop in the saddle because this talk will cover attack techniques that are regularly used to compromise networks and how they can be leveraged by the blue team to build a stronger defense. Forget vulnerability scanners, in this talk we cover issues they rarely catch, which include: Discovering unknown weaknesses externally and internally, weak passwords, in-memory credential theft and privilege abuse. Learn how to discover, exploit and defend against those weaknesses using a number of free and/or open-source tools, as well as defense tips and the IOCs needed to tune your SIEM. Lastly, the MITRE ATT&CK framework will be introduced, so that you can utilize the same tactics on the entire gamut of known attack vectors.

1. 1
Wrangle Your Defense Using Offensive Tactics
By: Matt Dunn

2. 2
Who Am I
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• Hacker
• Pentester
• Consultant
• Build Hackers
• Love Open-Source

3. 3
Bad News
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S

4. 4
Overview
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Make your network more secure, by understanding common
attack paths and how to defend against them.

5. 5
Overview
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• This Talk Is Mostly High Level
Make your network more secure, by understanding common
attack paths and how to defend against them.

6. 6
Overview
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• This Talk Is Mostly High Level
• GET PERMISSION FIRST!
Make your network more secure, by understanding common
attack paths and how to defend against them.

7. 7
Overview
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• This Talk Is Mostly High Level
• GET PERMISSION FIRST!
• Network Discovery
Make your network more secure, by understanding common
attack paths and how to defend against them.

8. 8
Overview
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• This Talk Is Mostly High Level
• GET PERMISSION FIRST!
• Network Discovery
• Attacking And Defending Against Password Issues
Make your network more secure, by understanding common
attack paths and how to defend against them.

9. 9
Overview
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• This Talk Is Mostly High Level
• GET PERMISSION FIRST!
• Network Discovery
• Attacking And Defending Against Password Issues
• Stealing Credentials From Memory
Make your network more secure, by understanding common
attack paths and how to defend against them.

10. 10
Overview
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• This Talk Is Mostly High Level
• GET PERMISSION FIRST!
• Network Discovery
• Attacking And Defending Against Password Issues
• Stealing Credentials From Memory
• Analyzing Active Directory Environments
Make your network more secure, by understanding common
attack paths and how to defend against them.

11. 11
Overview
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• This Talk Is Mostly High Level
• GET PERMISSION FIRST!
• Network Discovery
• Attacking And Defending Against Password Issues
• Stealing Credentials From Memory
• Analyzing Active Directory Environments
• Using The MITRE ATT@CK Framework To Go Further
Make your network more secure, by understanding common
attack paths and how to defend against them.

12. 12
Dealing With The Unknown: Locating Weakness
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Look For

13. 13
Dealing With The Unknown: Locating Weakness
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Look For
• Items That Do Not Belong On The Internet
• Citrix management consoles with default creds

14. 14
Dealing With The Unknown: Locating Weakness
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Look For
• Items That Do Not Belong On The Internet
• Citrix management consoles with default creds
• Default Or Non Existent Passwords
• No one should be able to login to all your cameras or printers with admin:admin

15. 15
Dealing With The Unknown: Locating Weakness
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Look For
• Items That Do Not Belong On The Internet
• Citrix management consoles with default creds
• Default Or Non Existent Passwords
• No one should be able to login to all your cameras or printers with admin:admin
• Items On Incorrect Network Segments
• Can you see the SQL ports for backend databases from the workstation network?

16. 16
Dealing With The Unknown: Locating Weakness
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Look For
• Items That Do Not Belong On The Internet
• Citrix management consoles with default creds
• Default Or Non Existent Passwords
• No one should be able to login to all your cameras or printers with admin:admin
• Items On Incorrect Network Segments
• Can you see the SQL ports for backend databases from the workstation network?
• Anything That Looks Really Old
• Sometimes the IT graveyard is the corporate network

17. 17
Dealing With The Unknown: Discovery
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
How To Find Things

18. 18
Dealing With The Unknown: Discovery
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• Port Scanner
• Support for Windows, Linux, OSX and Unix
Nmap

19. 19
Dealing With The Unknown: Discovery
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Simple Nmap Scan

20. 20
Dealing With The Unknown: Discovery
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Nmap Documentation
• Too Many Options To Cover In This Talk
• https://nmap.org/book/
• Youtube, Google, Blogs To Find More

21. 21
Dealing With The Unknown: Discovery
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
EyeWitness
• Linux Tool (Officially Supported On Kali And Debian)
• Screenshots HTTP/HTTPS
• Quickly Visualize Web Interfaces On A Network
• Security cameras
• Portal logins
• VPN logins

22. 22
Dealing With The Unknown: Discovery
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
EyeWitness – Report

23. 23
Dealing With The Unknown: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Utilizing What Is Discovered
• Regularly Perform Discovery To Find Gaps
• Fix The Gaps

24. 24
Weak Passwords: Intro
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Weak Passwords
Passwords that are default, easily guessed or easily cracked.

25. 25
Weak Passwords: Intro
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Common Types of Weak Passwords
• Default Passwords
• admin:admin
• root:toor

26. 26
Weak Passwords: Intro
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Common Types of Weak Passwords
• Default Passwords
• admin:admin
• root:toor
• Easy To Guess Passwords
• Fall2019!
• Companyname1

27. 27
Weak Passwords: Intro
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Common Types of Weak Passwords
• Default Passwords
• admin:admin
• root:toor
• Easy To Guess Passwords
• Fall2019!
• Companyname1
• Password Reuse
• Local admin passwords
• Same password used across service accounts
• Etc.

28. 28
Weak Passwords: Why They Matter
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Why Should We Care About Weak Passwords?
• So what Michael is stupid and has the password Bsides2019, he is just a basic user

29. 29
Weak Passwords: Why They Matter
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Why Should We Care About Weak Passwords?
• So what Michael is stupid and has the password Bsides2019, he is just a basic user
• Attackers only need one weak link to move into a network

30. 30
Weak Passwords: Why They Matter
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Why Should We Care About Weak Passwords?
• So what Michael is stupid and has the password Bsides2019, he is just a basic user
• Attackers only need one weak link to move into a network
• It often isn’t difficult to move from a basic user up the ladder

31. 31
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Password Guessing/Spraying
• Testing commonly used passwords against a user, or list of users, at a slow rate (Avoid Lockouts)

32. 32
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Password Guessing/Spraying
• Testing commonly used passwords against a user, or list of users, at a slow rate (Avoid Lockouts)
• Standard password complexity settings do not prevent the use of easy to guess passwords

33. 33
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Password Guessing - Tools
• BurpSuite (Free version has speed limitations)

34. 34
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Password Guessing - Tools
• BurpSuite (Free version has speed limitations)
• Spraycharles (Open-source, web based logins)
• https://github.com/Tw1sm/spraycharles

35. 35
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Password Guessing - Tools
• BurpSuite (Free version has speed limitations)
• Spraycharles (Open-source, web based logins)
• https://github.com/Tw1sm/spraycharles
• DomainPasswordSpray (Open-source, Windows networks)
• https://github.com/dafthack/DomainPasswordSpray

36. 36
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Do With The Passwords?
• Log Into Things
• Email
• Helpdesk Ticketing System
• Create ticket, attach Excel file with malware in it
• VPN

37. 37
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Do With The Passwords?
• Log Into Things
• Email
• Helpdesk Ticketing System
• Create ticket, attach Excel file with malware in it
• VPN
• CrackMapExec
• Utilize passwords and hashes to authenticate to systems
and perform actions

38. 38
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
CrackMapExec Example

39. 39
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
CrackMapExec Example – Checking For Local Admin Access
Valid Password Found

40. 40
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
CrackMapExec Example – Checking For Local Admin Access
Valid Password Found
Valid Password Local Admin Account Disabled

41. 41
Weak Passwords: Attacking Weak Passwords
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
CrackMapExec Example – Checking For Local Admin Access
Valid Password Found
Valid Password Local Admin Account Disabled
Invalid Password

42. 42
Weak Passwords: Blue Team
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against Weak Passwords

43. 43
Weak Passwords: Blue Team
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Evaluate Your Passwords First
• DSInternals – https://github.com/MichaelGrafnetter/DSInternals
• Open-source PowerShell module
• Contains password auditing feature that does not require
cracking passwords
• Test-PasswordQuality
• https://github.com/MichaelGrafnetter/DSInternals/blob/master/Docum
entation/PowerShell/Test-PasswordQuality.md#test-passwordquality

44. 44
Weak Passwords: Blue Team
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
DSInternals Example:

45. 45
Weak Passwords: Blue Team
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Block Bad Passwords
• Password Filters
• CredDefense (Open-source)
• https://github.com/CredDefense/CredDefense
• Anixis (Paid)
• https://anixis.com/products/ppe/
• Nfront (Paid)
• https://nfrontsecurity.com/products/nfront-password-filter/

46. 46
Weak Passwords: Blue Team
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Stop The Reuse Of Local Admin Passwords
• Microsoft Laps - https://www.microsoft.com/en-us/download/details.aspx?id=46899
• Microsoft’s free solution to deploying and managing unique local admin
passwords

47. 47
Weak Passwords: IOCs
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Detection

48. 48
Weak Passwords: IOCs
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Watch For
• Windows Event ID 4625 “Logon failure”
• Monitor for high numbers of these (threshold will vary from org to org)

49. 49
Weak Passwords: IOCs
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Watch For
• Windows Event ID 4625 “Logon failure”
• Monitor for high numbers of these (threshold will vary from org to org)
• Windows Event ID 4771 “Kerberos pre-authentication failed”
• ID 4625 only covers SMB logins
• If we guess passwords using the LDAP service on a Domain Controller
that triggers event ID 4771

50. 50
Weak Passwords: IOCs
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Watch For
• Windows Event ID 4625 “Logon failure”
• Monitor for high numbers of these (threshold will vary from org to org)
• Windows Event ID 4771 “Kerberos pre-authentication failed”
• ID 4625 only covers SMB logins
• If we guess passwords using the LDAP service on a Domain Controller
that triggers event ID 4771
• Consider Also Watching Successes
• Have the ability to track if any successful guesses were obtained

51. 51
Weak Passwords: IOCs
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Watch For
• Windows Event ID 4625 “Logon failure”
• Monitor for high numbers of these (threshold will vary from org to org)
• Windows Event ID 4771 “Kerberos pre-authentication failed”
• ID 4625 only covers SMB logins
• If we guess passwords using the LDAP service on a Domain Controller
that triggers event ID 4771
• Consider Also Watching Successes
• Have the ability to track if any successful guesses were obtained
• Make Sure You Have All The Logs You Need
• Often some systems my not be forwarding all the logs needed to
determine the source of an attack
• For instance, if the attacker is hitting the VPN, the Domain Controller logs
won’t necessarily tell you what IP the attacker is coming from

52. 52
Weak Passwords: IOCs
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
What To Watch For
• Windows Event ID 4625 “Logon failure”
• Monitor for high numbers of these (threshold will vary from org to org)
• Windows Event ID 4771 “Kerberos pre-authentication failed”
• ID 4625 only covers SMB logins
• If we guess passwords using the LDAP service on a Domain Controller
that triggers event ID 4771
• Consider Also Watching Successes
• Have the ability to track if any successful guesses were obtained
• Make Sure You Have All The Logs You Need
• Often some systems my not be forwarding all the logs needed to
determine the source of an attack
• For instance, if the attacker is hitting the VPN, the Domain Controller logs
won’t necessarily tell you what IP the attacker is coming from
• Failed Login Attempts On Service Accounts Or Honey Accounts

53. 53
In-Memory Credential Theft: Intro
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Getting Deeper Access

54. 54
In-Memory Credential Theft: Intro
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Stealing Credentials From Memory
• Systems often hold passwords and/or hashes in-memory

55. 55
In-Memory Credential Theft: Intro
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Stealing Credentials From Memory
• Systems often hold passwords and/or hashes in-memory
• Credentials in-memory can be stolen using tools such as Mimikatz

56. 56
In-Memory Credential Theft: Examples
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Stealing Credentials From Memory – Examples
Windows 7
• Wdigest enabled by default
• Stores clear text credentials

57. 57
In-Memory Credential Theft: Examples
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Stealing Credentials From Memory – Examples
Windows 10
• Wdigest disabled by default
• Hashes

58. 58
In-Memory Credential Theft: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against Mimikatz
• Disable The SeDebugPrivilege Via Group Policy
• Mimikatz requires SeDebugPrivilege for many actions
• Configure and push a policy that contains no users or groups

59. 59
In-Memory Credential Theft: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against Mimikatz
• Disable The SeDebugPrivilege Via Group Policy
• Mimikatz requires SeDebugPrivilege for many actions
• Configure and push a policy that contains no users or groups
• Disable WDigest In The Registry
• PowerShell example
• Set-ItemProperty -Force -Path "HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest" -
Name "UseLogonCredential" -Value “0“

60. 60
In-Memory Credential Theft: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against Mimikatz
• Disable The SeDebugPrivilege Via Group Policy
• Mimikatz requires SeDebugPrivilege for many actions
• Configure and push a policy that contains no users or groups
• Disable WDigest In The Registry
• PowerShell example
• Set-ItemProperty -Force -Path "HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest" -
Name "UseLogonCredential" -Value “0“
• Use CredentialGuard
• Protects LSA process
• Will cause problems for NTLMv1, MS-CHAPv2, Digest and CredSSP authentication
• Check for the usage of these protocols in any Single-Sign-On (SSO) solutions to
avoid problems

61. 61
In-Memory Credential Theft: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against Mimikatz
• Disable The SeDebugPrivilege Via Group Policy
• Mimikatz requires SeDebugPrivilege for many actions
• Configure and push a policy that contains no users or groups
• Disable WDigest In The Registry
• PowerShell example
• Set-ItemProperty -Force -Path "HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest" -
Name "UseLogonCredential" -Value “0“
• Use CredentialGuard
• Protects LSA process
• Will cause problems for NTLMv1, MS-CHAPv2, Digest and CredSSP authentication
• Check for the usage of these protocols in any Single-Sign-On (SSO) solutions to
avoid problems
• Protect LSASS.exe Using An EDR Solution
• Many EDR solutions have the ability to block processes from accessing LSASS.exe

62. 62
In-Memory Credential Theft: Detection
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Detecting Mimikatz
• Security Event ID
• 4688
• Often attackers do not customize Mimikatz fully, leaving common
commands behind
• Be on the look out for things like Mimikatz.exe, sekurlsa,
sekurlsa::logonpasswords, lsass.exe and etc. in this event ID
• Sysmon Event ID
• 1
• The same items listed above can also be found in Sysmon Event ID 1
• Yara Rules
• Included in code repo
• https://github.com/gentilkiwi/mimikatz

63. 63
Privilege Abuse: Intro
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Get Credentials > Understand What You Have

64. 64
Privilege Abuse: BloodHound
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
BloodHound
• One of the best ways for attackers and defenders
to understand an Active Directory environment

65. 65
Privilege Abuse: BloodHound
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
BloodHound
• One of the best ways for attackers and defenders
to understand an Active Directory environment
• Windows and Linux Support

66. 66
Privilege Abuse: BloodHound
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
BloodHound
• One of the best ways for attackers and defenders
to understand an Active Directory environment
• Windows and Linux Support
• Run collector as any domain user

67. 67
Privilege Abuse: BloodHound
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
BloodHound
• One of the best ways for attackers and defenders
to understand an Active Directory environment
• Windows and Linux Support
• Run collector as any domain user
• Points out possible privilege escalation paths

68. 68
Privilege Abuse: BloodHound
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
BloodHound
• One of the best ways for attackers and defenders
to understand an Active Directory environment
• Windows and Linux Support
• Run collector as any domain user
• Points out possible privilege escalation paths
• Helps identify gaps in least privilege

69. 69
Privilege Abuse: BloodHound
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
BloodHound – Example:

70. 70
Privilege Abuse: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against BloodHound And AD Enumeration:
• Provide User Permissions On A Least Privilege Model
• The helpdesk doesn’t need domain admin to
troubleshoot laptops

71. 71
Privilege Abuse: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against BloodHound And AD Enumeration:
• Provide User Permissions On A Least Privilege Model
• The helpdesk doesn’t need domain admin to
troubleshoot laptops
• Use Bloodhound To Find And Break Weak Links

72. 72
Privilege Abuse: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against BloodHound And AD Enumeration:
• Provide User Permissions On A Least Privilege Model
• The helpdesk doesn’t need domain admin to
troubleshoot laptops
• Use Bloodhound To Find And Break Weak Links
• Detect Bloodhound By Creating Honey Tokens
• http://www.stuffithoughtiknew.com/2019/02/detecting-
bloodhound.html

73. 73
Privilege Abuse: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against BloodHound And AD Enumeration:
• Provide User Permissions On A Least Privilege Model
• The helpdesk doesn’t need domain admin to
troubleshoot laptops
• Use Bloodhound To Find And Break Weak Links
• Detect Bloodhound By Creating Honey Tokens
• http://www.stuffithoughtiknew.com/2019/02/detecting-
bloodhound.html
• Break Bloodhound Using Adsecurity.Org Tips
• https://adsecurity.org/wp-content/uploads/2019/09/2019-
DerbyCon-ActiveDirectorySecurity-
BeyondTheEasyButton-Metcalf.pdf

74. 74
Privilege Abuse: Defense
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Defending Against BloodHound And AD Enumeration:
• Provide User Permissions On A Least Privilege Model
• The helpdesk doesn’t need domain admin to
troubleshoot laptops
• Use Bloodhound To Find And Break Weak Links
• Detect Bloodhound By Creating Honey Tokens
• http://www.stuffithoughtiknew.com/2019/02/detecting-
bloodhound.html
• Break Bloodhound Using Adsecurity.Org Tips
• https://adsecurity.org/wp-content/uploads/2019/09/2019-
DerbyCon-ActiveDirectorySecurity-
BeyondTheEasyButton-Metcalf.pdf
• PingCastle
• AD Security Tool
• https://www.pingcastle.com/

75. 75
Go Further
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S

76. 76
Go Further
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• I’ve only covered a small number of security
concerns

77. 77
Go Further
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• I’ve only covered a small number of security
concerns
• Be proactive and go beyond blinky boxes

78. 78
Go Further
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• I’ve only covered a small number of security
concerns
• Be proactive and go beyond blinky boxes
• Use MITRE ATT&CK to evaluate and measure your
defense

79. 79
Go Further: MITRE ATT&CK
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S

80. 80
Go Further: MITRE ATT&CK
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Using MITRE ATT&CK:
• Focus on common attacks for your industry
segment first

81. 81
Go Further: MITRE ATT&CK
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Using MITRE ATT&CK:
• Focus on common attacks for your industry
segment first
• Can you?
• Prevent a technique
• Detect a technique

82. 82
Go Further: MITRE ATT&CK
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Using MITRE ATT&CK:
• Focus on common attacks for your industry
segment first
• Can you?
• Prevent a technique
• Detect a technique
• Fix prevention and detection where lacking

83. 83
Go Further: MITRE ATT&CK
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
Using MITRE ATT&CK:
• Focus on common attacks for your industry
segment first
• Can you?
• Prevent a technique
• Detect a technique
• Fix prevention and detection where lacking
• Consider purple teaming

84. 84
Thank You For Listening!
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S

85. 85
Keep In Touch
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
How To Contact Me
• Email: mdunn@schneiderdowns.com
• Twitter: @MattThePlanet

86. 86
References
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
• https://adsecurity.org/?page_id=1821
• https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-
guard/credential-guard-how-it-works
• https://adsecurity.org/wp-content/uploads/2019/09/2019-DerbyCon-ActiveDirectorySecurity-
BeyondTheEasyButton-Metcalf.pdf