Book Image

Cybersecurity Attacks – Red Team Strategies

By : Johann Rehberger
Book Image

Cybersecurity Attacks – Red Team Strategies

By: Johann Rehberger

Overview of this book

It's now more important than ever for organizations to be ready to detect and respond to security events and breaches. Preventive measures alone are not enough for dealing with adversaries. A well-rounded prevention, detection, and response program is required. This book will guide you through the stages of building a red team program, including strategies and homefield advantage opportunities to boost security. The book starts by guiding you through establishing, managing, and measuring a red team program, including effective ways for sharing results and findings to raise awareness. Gradually, you'll learn about progressive operations such as cryptocurrency mining, focused privacy testing, targeting telemetry, and even blue team tooling. Later, you'll discover knowledge graphs and how to build them, then become well-versed with basic to advanced techniques related to hunting for credentials, and learn to automate Microsoft Office and browsers to your advantage. Finally, you'll get to grips with protecting assets using decoys, auditing, and alerting with examples for major operating systems. By the end of this book, you'll have learned how to build, manage, and measure a red team program effectively and be well-versed with the fundamental operational techniques required to enhance your existing skills.

Related Content you might be interested in

Current Title:

Small book image
Cybersecurity Attacks – Red Team Strategies
Johann Rehberger
Mar, 2020 | 524 pages
Small book image
Adversarial Tradecraft in Cybersecurity
Dan Borges
Jun, 2021 | 246 pages
Small book image
Purple Team Strategies
Simon Thoores | David Routin | Samuel Rossier
Jun, 2022 | 450 pages
Small book image
Cybersecurity Blue Team Strategies
Nikolaos Thymianis | Kunal Sehgal
Feb, 2023 | 208 pages
Table of Contents (17 chapters)
Preface
Preface
A note about terminology
Who this book is for
What this book covers?
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
1
Section 1: Embracing the Red
Section 1: Embracing the Red
Free Chapter
2
Chapter 1: Establishing an Offensive Security Program
Chapter 1: Establishing an Offensive Security Program
Defining the mission – the devil's advocate
Getting leadership support
Locating a red team in the organization chart
The road ahead for offensive security
Providing different services to the organization
Additional responsibilities of the offensive program
Training and education of the offensive security team
Policies – principles, rules, and standards
Rules of engagement
Standard operating procedure
Modeling the adversary
Anatomy of a breach
Modes of execution – surgical or carpet bombing
Environment and office space
Summary
Questions
3
Chapter 2: Managing an Offensive Security Team
Chapter 2: Managing an Offensive Security Team
Understanding the rhythm of the business and planning Red Team operations
Managing and assessing the team
Management by walking around
Managing your leadership team
Managing yourself
Handling logistics, meetings, and staying on track
Growing as a team
Leading and inspiring the team
For the best results – let them loose!
Leveraging homefield advantage
Disrupting the purple team
Summary
Questions
4
Chapter 3: Measuring an Offensive Security Program
Chapter 3: Measuring an Offensive Security Program
Understanding the illusion of control
The road to maturity
Threats – trees and graphs
Defining metrics and KPIs
Test Maturity Model integration (TMMi ®)and red teaming
MITRE ATT&CK™ Matrix
Remembering what red teaming is about
Summary
Questions
5
Chapter 4: Progressive Red Teaming Operations
Chapter 4: Progressive Red Teaming Operations
Exploring varieties of cyber operational engagements
Cryptocurrency mining
Red teaming for privacy
Red teaming the red team
Targeting the blue team
Leveraging the blue team's endpoint protection as C2
Social media and targeted advertising
Targeting telemetry collection to manipulate feature development
Attacking artificial intelligence and machine learning
Operation Vigilante – using the red team to fix things
Emulating real-world advanced persistent threats (APTs)
Performing tabletop exercises
Summary
Questions
6
Section 2: Tactics and Techniques
Section 2: Tactics and Techniques
7
Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases
Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases
Understanding attack and knowledge graphs
Graph database basics
Building the homefield graph using Neo4j
Exploring the Neo4j browser
Creating and querying information
Summary
Questions
8
Chapter 6: Building a Comprehensive Knowledge Graph
Chapter 6: Building a Comprehensive Knowledge Graph
Technical requirements
Case study – the fictional Shadow Bunny corporation
Mapping out the cloud!
Importing cloud assets
Loading CSV data into the graph database
Adding more data to the knowledge graph
Augmenting an existing graph or building one from scratch?
Summary
Questions
9
Chapter 7: Hunting for Credentials
Chapter 7: Hunting for Credentials
Technical requirements
Clear text credentials and how to find them
Leveraging indexing techniques to find credentials
Hunting for ciphertext and hashes
Summary
Questions
10
Chapter 8: Advanced Credential Hunting
Chapter 8: Advanced Credential Hunting
Technical requirements
Understanding the Pass the Cookie technique
Credentials in process memory
Abusing logging and tracing to steal credentials and access tokens
Windows Credential Manager and macOS Keychain
Using optical character recognition to find sensitive information in images
Exploiting the default credentials of local admin accounts
Phishing attacks and credential dialog spoofing
Performing password spray attacks
Summary
Questions
11
Chapter 9: Powerful Automation
Chapter 9: Powerful Automation
Technical requirements
Understanding COM automation on Windows
Achieving objectives by automating Microsoft Office
Automating and remote controlling web browsers as an adversarial technique
Summary
Questions
12
Chapter 10: Protecting the Pen Tester
Chapter 10: Protecting the Pen Tester
Technical requirements
Locking down your machines (shields up)
Improving documentation with custom Hacker Shell prompts
Monitoring and alerting for logins and login attempts
Summary
Questions
13
Chapter 11: Traps, Deceptions, and Honeypots
Chapter 11: Traps, Deceptions, and Honeypots
Technical requirements
Actively defending pen testing assets
Understanding and using Windows Audit ACLs
Notifications for file audit events on Windows
Building a Homefield Sentinel – a basic Windows Service for defending hosts
Monitoring access to honeypot files on Linux
Alerting for suspicious file access on macOS
Summary
Questions
14
Chapter 12: Blue Team Tactics for the Red Team
Chapter 12: Blue Team Tactics for the Red Team
Understanding centralized monitoring solutions that blue teams leverage
Using osquery to gain insights and protect pen testing assets
Leveraging Filebeat, Elasticsearch, and Kibana
Summary
Questions
15
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
16
Another Book You May Enjoy
Another Book You May Enjoy
Leave a review - let other readers know what you think

Abusing logging and tracing to steal credentials and access tokens

For debugging and monitoring purposes, applications and services emit logs and traces. This enables privileged users on the machine to get more insights into the inner workings of an application during runtime. Windows has a powerful tracing infrastructure called Event Tracing for Windows (ETW). Tracing is often a form of logging that is more technical in nature compared to functional logging. It's often used by engineers to debug the execution flow of a program or to perform performance analysis.

There are tools out of the box in Windows to interact with ETW, and they allow us to start traces, collect data, and stop them, such as wevtutil and logman.

Let's dive into a detailed example using logman, which allows us to manage event tracing sessions. Run the following command to see what providers are available:

logman query providers

This lists all the providers that can emit events. On my machine...

Previous Section
End of Section 5
Next Section