The key to a good defense is understanding the offense. Grab your lasso and hop in the saddle, because this talk covers attack techniques that are regularly used to compromise networks and how the blue team can leverage them to build a stronger defense. Forget vulnerability scanners: this talk covers the issues they rarely catch, including discovering unknown weaknesses externally and internally, weak passwords, in-memory credential theft and privilege abuse.
Learn how to discover, exploit and defend against those weaknesses using a number of free and/or open-source tools, along with defense tips and the IOCs needed to tune your SIEM. Lastly, the MITRE ATT&CK framework is introduced so that you can apply the same approach across the entire gamut of known attack vectors.
Who Am I
W R A N G L E Y O U R D E F E N S E U S I N G O F F E N S I V E TA C T I C S
• Hacker
• Pentester
• Consultant
• Build Hackers
• Love Open-Source
Bad News
Overview
• This Talk Is Mostly High Level
• GET PERMISSION FIRST!
• Network Discovery
• Attacking And Defending Against Password Issues
• Stealing Credentials From Memory
• Analyzing Active Directory Environments
• Using The MITRE ATT&CK Framework To Go Further
Make your network more secure, by understanding common
attack paths and how to defend against them.
Dealing With The Unknown: Locating Weakness
What To Look For
• Items That Do Not Belong On The Internet
  • Citrix management consoles with default creds
• Default Or Non-Existent Passwords
  • No one should be able to log in to all your cameras or printers with admin:admin
• Items On Incorrect Network Segments
  • Can you see the SQL ports for backend databases from the workstation network?
• Anything That Looks Really Old
  • Sometimes the IT graveyard is the corporate network
Dealing With The Unknown: Discovery
How To Find Things
Nmap
• Port Scanner
• Support for Windows, Linux, OSX and Unix
Simple Nmap Scan
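Added example (not from the talk): a small Python triage of Nmap's XML output (`nmap -sV -oX`) against the "What To Look For" checklist, flagging backend database ports reachable from the scan position and old clear-text services, and producing the list of web interfaces to hand to a screenshot tool such as EyeWitness. The XML is a constructed sample and the port/service lists are assumptions to tune for your own network.

```python
"""Triage an Nmap XML report (-oX) against the discovery checklist. Added example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oX` output, trimmed to the elements used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.20.0/24">
  <host><status state="up"/><address addr="10.10.20.15" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="1433"><state state="open"/>
      <service name="ms-sql-s" product="Microsoft SQL Server" version="2008"/></port>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.10.20.42" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="443"><state state="open"/>
      <service name="http" tunnel="ssl" product="Citrix Web Interface"/></port>
    <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.10.20.77" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="GoAhead"/></port>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  </ports></host>
</nmaprun>"""

# Assumptions: which listeners count as backend databases, legacy clear-text services, web UIs.
DATABASE_PORTS = {1433, 1434, 1521, 3306, 5432, 27017}
LEGACY_CLEAR_TEXT = {"telnet", "ftp", "rsh", "rlogin"}
WEB_PORTS = {80, 443, 8080, 8443}


@dataclass
class OpenPort:
    ip: str
    port: int
    service: str
    tunnel: str
    product: str


def parse_open_ports(xml_text):
    """Return every open port on every host that is up."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found.append(OpenPort(addr.get("addr"), int(port.get("portid")),
                                  attrs.get("name", ""), attrs.get("tunnel", ""),
                                  attrs.get("product", "")))
    return found


def triage(xml_text, scan_position="workstation network"):
    """Map open ports onto the checklist; returns findings plus URLs for screenshotting."""
    findings, web_urls = [], []
    for p in parse_open_ports(xml_text):
        if p.port in DATABASE_PORTS:  # "items on incorrect network segments"
            findings.append((p.ip, p.port, f"backend database port reachable from {scan_position}"))
        if p.service in LEGACY_CLEAR_TEXT:  # "anything that looks really old"
            findings.append((p.ip, p.port, f"legacy clear-text service: {p.service}"))
        if p.service in ("http", "https") or p.port in WEB_PORTS:
            https = p.service == "https" or p.tunnel == "ssl" or p.port in (443, 8443)
            scheme, default = ("https", 443) if https else ("http", 80)
            host = p.ip if p.port == default else f"{p.ip}:{p.port}"
            web_urls.append(f"{scheme}://{host}")  # feed this list to EyeWitness
    return {"findings": findings, "web_urls": web_urls}


if __name__ == "__main__":
    for row in triage(SAMPLE_NMAP_XML)["findings"]:
        print(row)
```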
Nmap Documentation
• Too Many Options To Cover In This Talk
• https://nmap.org/book/
• Youtube, Google, Blogs To Find More
EyeWitness
• Linux Tool (Officially Supported On Kali And Debian)
• Screenshots HTTP/HTTPS
• Quickly Visualize Web Interfaces On A Network
  • Security cameras
  • Portal logins
  • VPN logins
EyeWitness – Report
Dealing With The Unknown: Defense
Utilizing What Is Discovered
• Regularly Perform Discovery To Find Gaps
• Fix The Gaps
Weak Passwords: Intro
Weak Passwords
Passwords that are default, easily guessed or easily cracked.
Common Types of Weak Passwords
• Default Passwords
  • admin:admin
  • root:toor
• Easy To Guess Passwords
  • Fall2019!
  • Companyname1
• Password Reuse
  • Local admin passwords
  • Same password used across service accounts
  • Etc.
Weak Passwords: Why They Matter
Why Should We Care About Weak Passwords?
• So what if Michael is stupid and has the password Bsides2019? He is just a basic user
• Attackers only need one weak link to move into a network
• It often isn’t difficult to move from a basic user up the ladder
Weak Passwords: Attacking Weak Passwords
Password Guessing/Spraying
• Testing commonly used passwords against a user, or list of users, at a slow rate (Avoid Lockouts)
• Standard password complexity settings do not prevent the use of easy to guess passwords
Password Guessing - Tools
• BurpSuite (Free version has speed limitations)
• Spraycharles (Open-source, web based logins)
  • https://github.com/Tw1sm/spraycharles
• DomainPasswordSpray (Open-source, Windows networks)
  • https://github.com/dafthack/DomainPasswordSpray
What To Do With The Passwords?
• Log Into Things
  • Email
  • Helpdesk Ticketing System
    • Create ticket, attach Excel file with malware in it
  • VPN
• CrackMapExec
  • Utilize passwords and hashes to authenticate to systems and perform actions
CrackMapExec Example
CrackMapExec Example – Checking For Local Admin Access
(Screenshot annotations: Valid Password Found; Valid Password, Local Admin Account Disabled; Invalid Password)
Weak Passwords: Blue Team
Defending Against Weak Passwords
Evaluate Your Passwords First
• DSInternals – https://github.com/MichaelGrafnetter/DSInternals
  • Open-source PowerShell module
  • Contains a password auditing feature that does not require cracking passwords
  • Test-PasswordQuality
    • https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Test-PasswordQuality.md#test-passwordquality
DSInternals Example:
Block Bad Passwords
• Password Filters
  • CredDefense (Open-source)
    • https://github.com/CredDefense/CredDefense
  • Anixis (Paid)
    • https://anixis.com/products/ppe/
  • Nfront (Paid)
    • https://nfrontsecurity.com/products/nfront-password-filter/
Stop The Reuse Of Local Admin Passwords
• Microsoft LAPS - https://www.microsoft.com/en-us/download/details.aspx?id=46899
  • Microsoft’s free solution for deploying and managing unique local admin passwords
Weak Passwords: IOCs
Detection
Weak Passwords: IOCs
What To Watch For
• Windows Event ID 4625 “Logon failure”
  • Monitor for high numbers of these (threshold will vary from org to org)
• Windows Event ID 4771 “Kerberos pre-authentication failed”
  • ID 4625 only covers SMB logins
  • If we guess passwords using the LDAP service on a Domain Controller, that triggers event ID 4771
• Consider Also Watching Successes
  • Have the ability to track whether any successful guesses were obtained
• Make Sure You Have All The Logs You Need
  • Often some systems may not be forwarding all the logs needed to determine the source of an attack
  • For instance, if the attacker is hitting the VPN, the Domain Controller logs won’t necessarily tell you what IP the attacker is coming from
• Failed Login Attempts On Service Accounts Or Honey Accounts
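Added example (not part of the talk): Python detection logic over constructed logon events that implements the points above for SIEM tuning: a per-source failure threshold for 4625/4771, a spray signal when one source fails against many different accounts, an immediate alert on any failure for a honey or service account, and a flag when a 4624 success follows failures from the same source. The account names, thresholds and window are assumptions to tune per org.

```python
"""Password-spray detection over Windows logon events (4625/4771/4624). Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: thresholds vary from org to org; these are deliberately low for the sample.
FAILURE_THRESHOLD = 20         # failures from one source inside WINDOW
DISTINCT_USER_THRESHOLD = 10   # one source failing against many accounts = spray
WINDOW = timedelta(minutes=30)
HONEY_ACCOUNTS = {"helpdesk-honey", "svc_backup_old"}  # constructed decoy/service accounts

T0 = datetime(2019, 10, 12, 2, 0)


def _ev(minute, event_id, user, source):
    """Minimal shape of a forwarded event: time, event ID, TargetUserName, IpAddress."""
    return {"time": T0 + timedelta(minutes=minute), "event_id": event_id,
            "user": user, "source": source}


# Constructed sample: a slow spray from one external IP that eventually works,
# a Kerberos pre-auth failure against a honey account, and one user's ordinary typos.
SAMPLE_EVENTS = (
    [_ev(i, 4625, f"user{i:02d}", "203.0.113.9") for i in range(25)]
    + [_ev(30, 4624, "user17", "203.0.113.9")]
    + [_ev(5, 4771, "helpdesk-honey", "10.10.20.55")]
    + [_ev(m, 4625, "jsmith", "10.10.20.70") for m in (3, 4, 6)]
)


def analyze(events):
    """Return (source, kind, detail) alerts; events may arrive in any order."""
    recent = defaultdict(list)   # source -> [(time, user)] failures still inside WINDOW
    fired = set()                # (source, kind) pairs already raised, to avoid repeats
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        src, user, t = ev["source"], ev["user"].lower(), ev["time"]
        recent[src] = [(ft, fu) for ft, fu in recent[src] if t - ft <= WINDOW]
        if ev["event_id"] in (4625, 4771):          # SMB/NTLM or Kerberos failure
            if user in HONEY_ACCOUNTS:               # nobody legitimate uses these
                alerts.append((src, "honey-account", f"failed logon for {user}"))
            recent[src].append((t, user))
            count = len(recent[src])
            users = {fu for _, fu in recent[src]}
            if count >= FAILURE_THRESHOLD and (src, "volume") not in fired:
                fired.add((src, "volume"))
                alerts.append((src, "volume", f"{count} failures within {WINDOW}"))
            if len(users) >= DISTINCT_USER_THRESHOLD and (src, "spray") not in fired:
                fired.add((src, "spray"))
                alerts.append((src, "spray", f"{len(users)} distinct accounts within {WINDOW}"))
        elif ev["event_id"] == 4624 and recent[src]:  # success after failures: did a guess land?
            alerts.append((src, "success-after-failures",
                           f"{user} logged on after {len(recent[src])} failures"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Note that the source field is only as good as the log that carried it: as the slide says, a spray hitting the VPN may show up on the Domain Controller with the VPN appliance's address, not the attacker's.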
In-Memory Credential Theft: Intro
Getting Deeper Access
Stealing Credentials From Memory
• Systems often hold passwords and/or hashes in-memory
• Credentials in-memory can be stolen using tools such as Mimikatz
In-Memory Credential Theft: Examples
Stealing Credentials From Memory – Examples
Windows 7
• Wdigest enabled by default
• Stores clear text credentials
Windows 10
• Wdigest disabled by default
• Hashes
In-Memory Credential Theft: Defense
Defending Against Mimikatz
• Disable The SeDebugPrivilege Via Group Policy
  • Mimikatz requires SeDebugPrivilege for many actions
  • Configure and push a policy that contains no users or groups
• Disable WDigest In The Registry
  • PowerShell example:
    Set-ItemProperty -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 0 -Type DWord
• Use Credential Guard
  • Protects the LSA process
  • Will cause problems for NTLMv1, MS-CHAPv2, Digest and CredSSP authentication
  • Check for the usage of these protocols in any Single Sign-On (SSO) solutions to avoid problems
• Protect LSASS.exe Using An EDR Solution
  • Many EDR solutions have the ability to block processes from accessing LSASS.exe
In-Memory Credential Theft: Detection
Detecting Mimikatz
• Security Event ID 4688
  • Often attackers do not customize Mimikatz fully, leaving common commands behind
  • Be on the lookout for things like Mimikatz.exe, sekurlsa, sekurlsa::logonpasswords, lsass.exe, etc. in this event ID
• Sysmon Event ID 1
  • The same items listed above can also be found in Sysmon Event ID 1
• Yara Rules
  • Included in the code repo
  • https://github.com/gentilkiwi/mimikatz
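Added example (not from the talk): Python scoring of process-creation events (Security 4688 or Sysmon 1) for the indicators listed above. The command line is normalized so quoting and casing do not matter, a renamed binary is still caught by the arguments it was given, and the real LSASS starting from System32 is not counted as an lsass.exe hit. The sample events, weights and alert threshold are constructed assumptions.

```python
"""Score process-creation events (Security 4688 / Sysmon 1) for Mimikatz indicators. Added example."""
import re

# Indicators from the talk; the weights and ALERT_THRESHOLD are assumptions to tune.
INDICATORS = {
    "sekurlsa::logonpasswords": 5,
    "mimikatz.exe": 3,
    "sekurlsa": 3,
    "lsass.exe": 2,   # low on its own: admin tooling also names LSASS
}
ALERT_THRESHOLD = 3

# Constructed sample events: fields are the 4688 / Sysmon 1 image path and command line.
SAMPLE_EVENTS = [
    {"event_id": 4688, "image": r"C:\Users\bob\Downloads\mimikatz.exe",
     "command_line": 'mimikatz.exe "sekurlsa::logonpasswords" exit'},
    {"event_id": 1, "image": r"C:\Temp\update.exe",                 # renamed, same arguments
     "command_line": "update.exe SeKurLSA::LogonPasswords"},
    {"event_id": 4688, "image": r"C:\Windows\System32\lsass.exe",    # the real LSASS at boot
     "command_line": r"C:\Windows\system32\lsass.exe"},
    {"event_id": 4688, "image": r"C:\Windows\System32\tasklist.exe",  # admin noise, low score
     "command_line": 'tasklist /fi "imagename eq lsass.exe"'},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]


def normalize(command_line):
    """Lower-case, drop quotes and collapse whitespace so "SeKurLSA" and 'sekurlsa' match alike."""
    stripped = command_line.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def score_event(event):
    """Return (score, [matched indicators]) for one process-creation event."""
    image = event["image"].lower()
    text = normalize(event["command_line"])
    hits = [ind for ind in INDICATORS if ind in text]
    if "sekurlsa::logonpasswords" in hits and "sekurlsa" in hits:
        hits.remove("sekurlsa")              # do not double count the substring
    if "lsass.exe" in hits and image.endswith("\\system32\\lsass.exe"):
        hits.remove("lsass.exe")             # LSASS itself starting is not an indicator
    return sum(INDICATORS[h] for h in hits), hits


def triage(events):
    """Events scoring at or above ALERT_THRESHOLD as (score, image, hits), highest first."""
    rows = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            rows.append((score, ev["image"], hits))
    return sorted(rows, key=lambda row: -row[0])


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```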
Privilege Abuse: Intro
Get Credentials > Understand What You Have
Privilege Abuse: BloodHound
BloodHound
• One of the best ways for attackers and defenders to understand an Active Directory environment
• Windows and Linux Support
• Run collector as any domain user
• Points out possible privilege escalation paths
• Helps identify gaps in least privilege
BloodHound – Example:
Privilege Abuse: Defense
Defending Against BloodHound And AD Enumeration:
• Provide User Permissions On A Least Privilege Model
  • The helpdesk doesn’t need domain admin to troubleshoot laptops
• Use BloodHound To Find And Break Weak Links
• Detect BloodHound By Creating Honey Tokens
  • http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
• Break BloodHound Using ADSecurity.org Tips
  • https://adsecurity.org/wp-content/uploads/2019/09/2019-DerbyCon-ActiveDirectorySecurity-BeyondTheEasyButton-Metcalf.pdf
• PingCastle
  • AD Security Tool
  • https://www.pingcastle.com/
Go Further
• I’ve only covered a small number of security concerns
• Be proactive and go beyond blinky boxes
• Use MITRE ATT&CK to evaluate and measure your defense
Go Further: MITRE ATT&CK
Using MITRE ATT&CK:
• Focus on common attacks for your industry segment first
• Can you?
  • Prevent a technique
  • Detect a technique
• Fix prevention and detection where lacking
• Consider purple teaming
Thank You For Listening!
Keep In Touch
How To Contact Me
• Email: mdunn@schneiderdowns.com
• Twitter: @MattThePlanet
References
• https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
• https://adsecurity.org/?page_id=1821
• https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works
• https://adsecurity.org/wp-content/uploads/2019/09/2019-DerbyCon-ActiveDirectorySecurity-BeyondTheEasyButton-Metcalf.pdf