Being Grateful at Heidelberg

Recently, while in the bar of the Crowne Plaza in Heidelberg for the Troopers conference, I became aware of how grateful I should be for what I have in this industry. What I'm grateful for is not technical or recognition, but the group of people in the industry I have the honor to call friends.

I would like to share some of them in this blog post. While coming back from dinner in Heidelberg, JD, also known as @SadProcessor, sent me a DM that several of our friends were at the hotel bar and, even though I don't drink, I should come down and hang out. I was jet-lagged but had not seen many of them in months, so I said to myself "Why not" and went down.


Operating Offensively Against Sysmon

Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog posts, and I even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is the tracking of potentially malicious activity on individual hosts, and it is based on the same technology as Procmon. It differs from other Sysinternals tools in that Sysmon is actually installed on the host and saves its information into the Windows Event Log, so it is easier to collect the information with SIEM (Security Information and Event Management) tools.

Sysmon has the capability to log information for:

  • Process creation and termination
  • Process changing a file creation time
  • Network connection
  • Driver load
  • Image load
  • CreateRemoteThread
  • Raw access read of a file
  • A process opening another process's memory
  • File creation
  • Registry events
  • Pipe events
  • WMI permanent events


Rebuilding My Playbook .. Knowledge Base

I find myself in the situation where I lost my personal playbook through user error. I accidentally deleted the VM where I ran xWiki, where it was kept, and did not realize the mistake until days later. Even if painful to rebuild, it is a good opportunity to think about how to better organize it and put it in a more flexible format.

I initially called my collection of techniques a playbook, but in reality it was not one. It was simply a collection from which I would pull depending on the situation, and a reference when writing presentations, blog posts and reports. To me a playbook is a collection of plays, each play composed of multiple steps that would vary depending on environment and purpose. So the term playbook really did not fit. As I rebuild it now, I have decided to call it a Knowledge Base. Calling it a Knowledge Base gives me the advantage of properly building a real playbook later, where I can cover small samples of multiple steps and tools together that I can pull into planning at the different stages, using the PACE (Primary, Alternate, Contingency, Emergency) principle where it makes sense.

If you have ever taken the OSCP exam from Offensive Security, you have learned the importance of having a knowledge base with the right information. You also learn, as you progress through the material and labs, to build one and hopefully not fail on the first try.


Operational Look at Sysinternals Sysmon 6.20 Update

Sysmon has been a game changer for many organizations, allowing their teams to fine-tune their detection of malicious activity when combined with tools that aggregate and correlate events.

A new version of Sysmon was recently released. Version 6.20 fixes bugs and adds new features. Some of the noteworthy changes for me are:

  • Enhancements in WMI logging
  • Ability to change the driver name
  • Ability to change the service name and service executable name

Some Comments and Thoughts on Tradecraft

I have been writing a series on the new Windows Defender Exploit Guard features for Attack Surface Reduction, where I cover my research on it. I'm researching the controls to add the information into my personal playbook. Surprisingly, in conversations with some Red Teamers I know, they dismissed the information because it is a Blue/Defense technology. These comments surprised me, and I would like to share why.

Let me start by saying that this is only an opinion. The steps and tradecraft for me would vary with the skill level of the defenders, scope, time and rules of engagement. This blog post is only for me to share my thought process and opinions on this area.

When it comes to attack and defense, red and blue, attack simulation, however you want to call it, in its essence it is an adversarial process: it is one team or person against another. Sometimes it can be an attacker against a defender, or it can even be the attacker against a vendor research team that adds new features or modifies existing ones. But it is one person trying to outwit another. So, if you are an attacker, why are you not studying defenses and mitigations?

What is the purpose of a red team or pentester? For me it is to show alternate ways of thinking and exercise the current controls in place to show areas of improvement to mitigate risks. To be able to do this, knowledge of how systems work, and of how a lack of controls or misconfigured ones can have a negative impact on a given customer environment, is of the utmost importance.

When it comes to the tradecraft one applies, it will depend on the red team exercise you are conducting. If you are performing a simulation of a specific threat with blue, your TTPs will be dictated by the threat intelligence you have on the adversary you are simulating to test the controls.

Knowledge of one's tools, the opponent, his tools, and how each implements and uses them determines the actions. As Sun Tzu said:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
