- Videos: 48
- Views: 107,756
Cyber Attack & Defense
USA
Joined 10 May 2022
I take cyber security seriously, so I have dedicated this channel to teaching cyber security techniques. I want to teach both the attack and the defense using the purple team approach. The point is to illustrate the full gamut of an attack, from the method to the detection and the forensics, if needed, to detect the attack. This approach means that if you are an offensive security pro you will learn defense, and if you are a defender you will learn the attack. My mission is to use the purple team approach to improve both red and blue team skills and contribute to the overall state of the cyber security industry by teaching people basic cyber security attacks and defense.
Adversaries Are Doing Stranger Things Part 1
This video supports my upcoming webcast with SANS titled Adversaries are Doing Stranger Things. This webcast will air on Thursday, 12 Sep 2024, at 1:00PM EDT. The video will show the first two phases of an attack just using the odd tools method. We will phish with MOTW Bypass, get a reverse shell via VBA, enumerate with net commands, bypass UAC, and install our custom Atera installer as a C2 mechanism. Once done, I will show the detection for all attack phases.
SANS Webcast
www.sans.org/webcasts/adversaries-doing-stranger-things/?Social&LinkedIn&Threat%20Hunting%20Webcast
Chapters
00:00 Introduction
01:42 Attack Path
02:50 MOTW Bypass
04:40 Reverse Shell
06:17 VBA Macro
07:30 Enumeration
09:27 UAC ...
Views: 412
Videos
Let's Go Around Defender with NativeDump
725 views, 1 month ago
In this video, we will use NativeDump, the Go variant, to bypass EDR and dump LSASS. We will do this with Defender enabled. We will also send the file off the box to another host for reading with Mimikatz. Check it out! NativeDump: github.com/ricardojoserf/NativeDump/tree/golang-flavour Go For Windows: go.dev/doc/install Chapters 00:00 Introduction 02:39 Ncat Listener Setup 04:08 Nativedump Us...
Hide And Seek With Active Directory: Secrets For Persistence and Deception
1.2K views, 2 months ago
This video examines Active Directory access control entries (ACEs) to create persistence. We then turn this upside down to frustrate adversaries and penetration testers by stopping Bloodhound and Net commands from functioning. Check this out! Ace Up the Sleeve specterops.io/wp-content/uploads/sites/3/2022/06/an_ace_up_the_sleeve.pdf Forcing Replication github.com/edemilliere/ADSI/blob/master/In...
Windows Defender Got You Down? Try No-Defender!
1.6K views, 3 months ago
In today's video, we bypass Windows Defender by loading a fake AV. We use the no-defender tool to completely bypass Windows Defender and run mimikatz. Take a look! No-Defender github.com/es3n1n/no-defender 00:00 Introduction 00:42 No-Defender 01:52 Defender Setup 02:49 Running No-Defender 03:09 Successfully Running Mimikatz 03:50 Outro
LSASS Dumping Using DFIR Tools
1.9K views, 4 months ago
In today's video, I show a way to dump LSASS without dumping just the LSASS process. We are using DFIR tools to dump all of the memory, exfil the file created, and then dump the credentials of the box. This is a foolproof method and will get by almost every EDR solution. You will have to deal with a large file size, but in today's day and age, this isn't as big of a problem as it has been in th...
Group Policy Preferences Exploitation And Defense
555 views, 4 months ago
In today's video, we delve into the detection of unsecured credentials within Group Policy Preferences (GPP) files, focusing on mitigating the risks associated with GPPPassword attacks. We'll thoroughly examine the mechanics of this attack, uncover effective detection strategies, and introduce deceptive techniques to enhance our security measures further. Join me as we navigate through these cr...
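One way to do the GPP detection that the video above is about, as an added example that is not the channel's code: a scanner that walks the preference XML files under SYSVOL and reports every cpassword attribute, together with the account it belongs to and the item's last-changed stamp. A cpassword is plaintext-equivalent because the AES key that protects it is published in Microsoft's MS-GPPREF specification, which is exactly what GPPPassword-style tooling relies on. The two XML documents below are constructed samples modeled on the Groups.xml and Services.xml layout; the account names, timestamps and ciphertext values are invented.

```python
"""Scan Group Policy Preference (GPP) XML in SYSVOL for the legacy cpassword attribute.

Added example for this page, not the channel's code. Any cpassword found is a
plaintext-equivalent credential: the AES key that encrypts it is published in
Microsoft's MS-GPPREF specification. The XML samples at the bottom are
constructed, not real SYSVOL content.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Preference files that can carry a cpassword (found under
# SYSVOL\<domain>\Policies\<GUID>\{Machine,User}\Preferences\<Area>\).
CPASSWORD_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
                   "DataSources.xml", "Drives.xml", "Printers.xml"}

# The attribute naming the account differs per preference type; compared lower-case.
ACCOUNT_ATTRS = ("username", "accountname", "runas")


@dataclass(frozen=True)
class CpasswordHit:
    source: str      # file path, or a label for inline XML
    element: str     # preference item that carried the credential (User, NTService, ...)
    account: str     # account the password belongs to, if the file names one
    changed: str     # last-modified stamp from the enclosing preference item
    cpassword: str   # base64 ciphertext exactly as stored


def scan_xml(xml_text, source="<inline>"):
    """Return every non-empty cpassword in one preference file."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for el in root.iter():
        cp = el.get("cpassword")
        if not cp:
            continue  # absent or empty cpassword means "no password set"
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        account = next((attrs[a] for a in ACCOUNT_ATTRS if a in attrs), "")
        item = parent_of.get(el, el)  # <Properties> sits under <User>/<NTService>/...
        hits.append(CpasswordHit(source, item.tag, account, item.get("changed", ""), cp))
    return hits


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy (or a mounted share) and collect hits from every preference file."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name not in CPASSWORD_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:
                try:
                    hits.extend(scan_xml(fh.read(), path))
                except ET.ParseError:
                    pass  # malformed file: skip it rather than abort the sweep
    return hits


# Constructed samples (invented accounts, stamps and ciphertext; not real SYSVOL data).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" image="2" changed="2019-03-04 09:12:55" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="local admin pushed by GPP"
                cpassword="ZGVtb2NpcGhlcnRleHQtbm90LXJlYWwtZ3Bw" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User name="guest" image="2" changed="2019-03-04 09:13:10" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" fullName="" description="" cpassword=""
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="1" userName="guest"/>
  </User>
</Groups>"""

SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="BackupAgent" image="0" changed="2020-11-20 16:40:02" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties startupType="NOCHANGE" serviceName="BackupAgent" timeout="30"
                accountName="CORP\\svc-backup" cpassword="c2VydmljZS1jaXBoZXJ0ZXh0LWludmVudGVk"/>
  </NTService>
</NTServices>"""


if __name__ == "__main__":
    for hit in scan_xml(SAMPLE_GROUPS_XML, "Groups.xml") + scan_xml(SAMPLE_SERVICES_XML, "Services.xml"):
        print(f"{hit.source}: <{hit.element}> account={hit.account!r} changed={hit.changed} cpassword={hit.cpassword}")
```

Run it against a copy of SYSVOL with scan_sysvol(r"\\corp.local\SYSVOL\corp.local\Policies") and treat every hit as a credential to rotate and an XML item to delete; the same scan is also how you confirm a deliberately planted decoy entry is still in place, so keep the decoy's account name on a known list and alert when that account authenticates anywhere.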
Deceptive Cyber Tactics: Deceiving Responder
626 views, 4 months ago
I can't believe I am still talking about Responder in 2024, but it's still commonly used by adversaries and pen-testers. If you have already fixed this old problem, you can set a trap and deceive the adversary with fake credentials while detecting their presence in your network. Join me in taking a look at multiple ways to deceive and detect Responder. Responder github.com/lgandx/Responder Resp...
VBA Is Dead, Long Live VBA
929 views, 6 months ago
Watch as we demonstrate live how VBA macros can still be executed despite Microsoft's additional blocking and security measures. We will get a VBA macro by Excel's controls and Windows Defender. Whether you're a cybersecurity enthusiast, an IT professional, or just curious about the capabilities of VBA macros, this video is a must-watch! (Note: This content is intended for educational purposes ...
SQL Server Hacking: Master The Basics!
1.3K views, 7 months ago
In today's video, we delve into the vulnerabilities of Microsoft SQL Server, specifically focusing on the xp_cmdshell and xp_dirtree extended stored procedures. 👨💻 What You'll Learn: An overview of xp_cmdshell and xp_dirtree: We start with a brief explanation of what these stored procedures are and their intended purposes in SQL Server. Identifying Vulnerabilities: We explore how xp_cmdshell c...
Kerberoasting: The Art Of Cyber Deception
601 views, 9 months ago
In this video, I will touch on the topic of cyber deception. I will show you how to set a trap for adversaries who try to use Kerberoasting to escalate privileges. Since known threat groups use this technique, you can slow them down and catch them if they try it in your environment. Adversaries use deception to get our users to do things. We can use it to catch them in the act. SetSPN Example U...
Certipy and ADCSync attacks against Active Directory Certificate Services
2.7K views, 10 months ago
In this video, I show how to attack Active Directory Certificate Services. I will first show you how to use Certipy to attack ADCS with the ESC1 vulnerability in a certificate template. I will then show you how to use ADCSync (while mispronouncing the tool's name about 50 times) to sync credentials out of AD using ADCS certificates. Reference Links Certified Pre-Owned posts.specterops.io/certif...
Microsoft Dev Tunnels for C2, Persistence and RDP Redirection
1.8K views, 11 months ago
In this video, we dive into how to use Dev Tunnels for Remote Desktop Protocol (RDP) Redirection over the Internet. Dev Tunnels can be used to redirect any local port to another host over the internet. Much like SSH tunneling, this process can use a simple executable to redirect remote access through a firewall. In a typical environment every host is allowed to reach Microsoft websites, TLS is a...
Red Team Tips: How To Use PowerShell Kerberos For Kerberos Abuse
1.7K views, 1 year ago
This quick tutorial explores PowerShell Kerberos scripts that allow you to dump and inject Kerberos tickets between hosts. These scripts currently slip by every EDR I have tested. If you have been fighting with getting mimikatz and Rubeus past EDR, this may help. Subscribe now and boost your pentesting skills. #PowerShell #Kerberos #cybersecurity PowerShellKerberos: github.com/MzHmO/PowershellK...
Red Team Tips: Exploiting Cisco AnyConnect CVE-2023-20178
2K views, 1 year ago
Explore a step-by-step demonstration of the recent CVE-2023-20178, a privilege escalation vulnerability in Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. We delve into how a low-privileged, authenticated, local attacker could exploit this vulnerability to gain SYSTEM privileges. We'll highlight the improper permissions assigned to a t...
Stolen Signed Drivers: The Privilege Escalation Threat You Need To Know About.
725 views, 1 year ago
In this enlightening video, we dive deep into the realm of privilege escalation, uncovering the hidden dangers associated with stolen signed drivers. Join us as we explore the powerful tools (MISP, Elastic SIEM, and loldrivers.io) that can help you detect and mitigate this critical security threat. In this video, we showcase the indispensable role of MISP, a leading threat intelligence platform, ...
Red Team Tips: May 5th 2023 AMSI Killer AMSI Patch
1.2K views, 1 year ago
Abusing IT Management Tools to Create C2
1.1K views, 1 year ago
Exploiting Outlook CVE-2023-23397 to Relay Credentials
3.1K views, 1 year ago
Red Team Tips: Kerberos Diamond Ticket
1.5K views, 1 year ago
Red Team Tips: AMSI Patch to Bypass Windows Defender
2.3K views, 1 year ago
Red Team Tips: SSH Tunneling Shenanigans
1.2K views, 1 year ago
Red Team Tips: Updated PaloAlto XDR Bypass
5K views, 1 year ago
Red Team Tips February 1st: OPSEC Safe Active Directory Enumeration with SilentHound
1.5K views, 1 year ago
Multi-Factor Authentication Phishing Setup Part 3: EvilGoPhish Setup
14K views, 1 year ago
Red Team Tips January 16th (Dumping LSASS the Kamikaze way)
2K views, 1 year ago
Multi-Factor Authentication Phishing Setup Part 2: Domain Authentication
3.5K views, 1 year ago
Multi-Factor Authentication Phishing Setup Part 1: Picking an Effective Domain
4.7K views, 1 year ago
Red Team Tips January 1st 2023 (New AMSI Bypass)
2.5K views, 1 year ago
Getting Executables into Memory (Going Fileless)
2.4K views, 1 year ago
First off, all your videos are awesome. You mention in this one that there are a lot of things you can do with the DC system hash, including dcsync. I watched your other video that you recommended in other comments but didn't see a way to utilize these hashes. Could you do a quick video on using these or point to a good reference that explains please?
What I meant was you can relay that hash and then set up DCSync. Check out any of the relaying videos for how that works.
S TIER CONTENT
Thanks!
This is art. Do you have any advice on office macros in terms of obfuscation like the one you used? Thanks.
You can start with github.com/sevagas/macro_pack. Then edit from there.
Next part?
Coming Next Week!
Brian with the bangers as always
Thanks for watching!
This is cool, I love it
Thank you very much for your content, I am really enjoying the way you convey the information and the fact that you make the extra step of showing how to detect these common techniques and toolsets is very eye-opening. A question(or clarification) about detecting Pass-The-Cert attack. The fields of the event we need to effectively detect this attack are the event code, the certificate issuer name and the account name of a user? Additionally, I think we can catch this attack from the Ticket options field revealing the tool used. Thank you again for your effort creating such content of high quality
Correct, the fields you need are the event code 4768; the fact that the certificate issuer name exists means it's certificate-based authentication. You might be able to look in the options of event ID 4778 to find the tool, but that isn't always accurate.
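One way to implement the detection the reply above describes, as an added example that is not the channel's code: it parses Security event 4768 records from Windows event XML and flags every TGT request whose CertIssuerName or CertThumbprint is populated, optionally comparing the issuer against the CAs you actually deployed and the user against accounts that are expected to log on with a certificate. The three events, hosts, CA names, serials and thumbprints below are constructed samples that use the real 4768 EventData field names.

```python
"""Flag Kerberos TGT requests that used a certificate (PKINIT / Pass-the-Cert) in Security event 4768.

Added example for this page, not the channel's code. A 4768 record ("A Kerberos
authentication ticket (TGT) was requested") carries CertIssuerName,
CertSerialNumber and CertThumbprint; they are empty for password logons and
populated when the TGT was obtained with a certificate, which is what Certipy
and other PKINIT tooling do. The events below are constructed samples in
Windows event XML; users, hosts, CAs and thumbprints are invented.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Pre-authentication types that Microsoft's 4768 documentation lists as the
# certificate (PKINIT) variants; used only to corroborate the certificate fields.
PKINIT_PREAUTH_TYPES = {"15", "16", "17"}
_EMPTY = {"", "-"}  # event renderers show "-" for an absent value

_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _sample(user, ip, issuer, serial, thumb, preauth):
    """Build one constructed 4768 record in the layout of real event XML."""
    return f"""<Event xmlns="{_NS}">
  <System><EventID>4768</EventID><Computer>DC01.corp.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">CORP.LOCAL</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">{preauth}</Data>
    <Data Name="IpAddress">::ffff:{ip}</Data>
    <Data Name="CertIssuerName">{issuer}</Data>
    <Data Name="CertSerialNumber">{serial}</Data>
    <Data Name="CertThumbprint">{thumb}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _sample("alice", "10.0.0.23", "-", "-", "-", "2"),                              # password pre-auth
    _sample("svc-backup", "10.0.0.99", "corp-DC01-CA", "1A2B3C", "AB" * 20, "16"),  # cert from the enterprise CA
    _sample("bob", "10.0.0.57", "lab-ROGUE-CA", "01", "CD" * 20, "16"),             # cert from an issuer nobody deployed
]


@dataclass
class Finding:
    user: str
    client_ip: str
    issuer: str
    thumbprint: str
    reasons: list = field(default_factory=list)


def parse_event(xml_text):
    """Flatten an event's <System> EventID and <EventData> Data fields into a dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the xmlns prefix
        if tag == "EventID":
            fields["EventID"] = (el.text or "").strip()
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return fields


def detect_cert_logons(xml_events, known_issuers=frozenset(), cert_users=frozenset()):
    """Return one Finding per 4768 whose TGT was requested with a certificate.

    known_issuers: names of the CAs you deployed; any other issuer is a loud signal.
    cert_users:    accounts expected to use certificate logon (smart-card users, etc.).
    """
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev.get("EventID") != "4768":
            continue
        issuer = ev.get("CertIssuerName", "")
        thumb = ev.get("CertThumbprint", "")
        if issuer in _EMPTY and thumb in _EMPTY:
            continue  # ordinary password/AES pre-authentication
        f = Finding(ev.get("TargetUserName", ""), ev.get("IpAddress", ""), issuer, thumb)
        f.reasons.append("TGT requested with a certificate (CertIssuerName populated)")
        if ev.get("PreAuthType") in PKINIT_PREAUTH_TYPES:
            f.reasons.append(f"pre-auth type {ev['PreAuthType']} is a PKINIT variant")
        if known_issuers and issuer not in known_issuers:
            f.reasons.append(f"issuer {issuer!r} is not a deployed enterprise CA")
        if cert_users and f.user not in cert_users:
            f.reasons.append(f"{f.user!r} is not expected to log on with a certificate")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect_cert_logons(SAMPLE_EVENTS, known_issuers={"corp-DC01-CA"}, cert_users={"svc-backup"}):
        print(f"{f.user} from {f.client_ip} via {f.issuer}: " + "; ".join(f.reasons))
```

TicketOptions is a field of the same 4768 record, so once you have a baseline of what your own clients request you can add a comparison on it in detect_cert_logons; no tool-specific values are hard-coded here because the page does not list any. Note that a certificate minted through a vulnerable template (ESC1) still carries your legitimate CA's issuer name, so the issuer allow-list catches rogue CAs while the per-user baseline is what catches abuse of the real one.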
nice
excellent rundown! keep them coming!
Thanks! Will do. Anything in particular you want to see?
Can you share your experience with the protected process concept RunAsPPL? Even NativeDump can't work with it.
Ah, RunAsPPL is only a good step where you can't use Credential Guard. It can be defeated with rogue drivers. Mimikatz has a feature to unprotect a process by using !processprotect; this does require mimidrv.sys. If you cripple Defender or other EDR, protected processes can be reversed.
Another banger. Starting out in pentesting/red teaming and you're really helping my methodology, man. God bless you.
Glad my content is helping. Thanks for watching!
Always the BEST!!!!
Thank you! Glad you like it.
Could you do a video on COFF loader, using it to do a threadless injection and bypassing Defender? Don't know if it'll get flagged but was curious to see how it'll pan out.
Last time I tried COFF loader it got caught, but sure. I can give it a shot.
@CyberAttackDefense Yeah, give it a shot. I wanted to see how it'll work.
Could you make a video on the updated version?
Yeah sure can.
Very fun stuff. My IPv6 relay attacks stopped working though. It reports that LDAP authentication failed and LDAP protocol not found. It also fails when I specify -smb2support. What could be the issue? My command looks something like: python3 ntlmrelayx.py -6 -t ldaps://192.168.19.150 -wh fakewpad.domain.local -l loot_folder. This used to work but not anymore. I've disabled SMB signing and my DC LDAP policy is "none".
I never relay with LDAP so I'm not sure. Try relaying to ADCS or to the domain controller with a proxy.
loved that meme LOL
Cool, I had the same idea two weeks ago before watching this video and talked to a sysadmin; they were like: "are you saying we need to manually move X users from Y OUs which applied Z group policy into an OU just to stop them from reading LDAP?"
Yep, it's kind of hard to explain to sysadmins. I have had to show many of them.
Can you use any part of this technique to hide just one or two users among several others for persistence?
Yes you can. You just have to set the ACE right on the object.
I'm glad I watched this. What privileges did you need to run that .exe and successfully dump LSASS? Steps up to that would be flagged easily. Our SOC would also see that being run and notify the client.
You would need to escalate to local admin level or a level that can install software. Saying your SOC would see this unless you're running application allow-listing or have SIEM rules in place isn't a given. You should test this scenario.
Thanks!
You're welcome! Thanks for watching!
Hello! Sorry if this is a dumb question, but do I have to be really good with programming to understand/do all of this? I found your channel and I thought it was awesome, but I feel like I'm missing a lot of foundational knowledge to understand fully. I know I could Google it, but I feel like it'd be better if I asked. Sorry to bother you.
Nope, programming isn't required. General knowledge of Windows and Linux is helpful, but this channel shows simple tradecraft. I'm not writing code often for anything here.
Thanks!!
And this Kali box is AD-joined, correct? I have an AD-joined Win10 system running VirtualBox and am trying to use Certipy on the VM instance and am having issues.
No, the Kali box is not AD-joined.
@CyberAttackDefense OK, I must be messing up; Certipy keeps saying my creds are not valid but they are. Thanks for commenting back.
Nice video! Just a tip: you should use the PNG feature for BobTheSmuggler. I added that functionality to evade multiple firewalls & DLPs. Hope you like the tool 😊
Wow, this is cool. Thank you for sharing
Thanks for watching!
Thank you for your videos. We learned a lot from you, sir.
Glad you enjoy them. Thanks for watching!
Thanks 🙏❤️
You're welcome 😊
Can you make a video on how to create phishlets in a convenient way? I didn't understand from the main source.
great thanks!
Hi. Can you make a video on which firewall software is good for Windows? How do you defeat any virus that works online, without antivirus?
You are really good at what you do
As it stands, Python for Excel is supposed to only run on the cloud, so I'm not sure how it can be exploited, but time will tell.
Yeah no idea on how this plays out. I think we will be talking about VBA for a long time.
So are the subdomains in the gophish setup supposed to match the subdomains in the evilginx phishlet?
Yes typically you want them to match.
Can you please re-upload the project? It's not available anymore.
Microsoft took it down. If I re-upload, they will just take it down. I can give you a private copy of the repo. DM me on Twitter/X.
@CyberAttackDefense Thank you so much! I just replied on your Twitter post; sorry, I don't have a premium account to send you a DM.
How do I uninstall it? Can anybody help me out?
-disable on the install
Thanks for showing how easy it is to use Coercer. Outside of patching, do you have any recommendations for mitigating this attack?
Turn off services that are not needed like print spooler. Ensure ADCS does not support NTLM and make sure service accounts are using extremely long passwords.
Why do we need to bypass UAC? Does running No-Defender require admin rights?
If you're an admin you could work around it. UAC will prompt in some situations, and yes, you need to be an admin.
How to bypass AppLocker?
The LOLBAS project is your friend for AppLocker bypass. MSBuild is one of my favorite methods.
Nice one. Too bad you have to be an admin 😅
Yeah true. I can still see many cases where you could get admin and still need this technique.
I appreciate your content, bro ❤️🫡. Thanks for sharing such great tips. I think your next should be PPLKillers and the concept of protected processes.
Thanks for the idea! Let me see what I can do.
@CyberAttackDefense This would be nice to know!
Great video. Any tests against other commercial EDRs? Is it only defender oriented?
I haven't tested against commercial EDRs. It's using the Windows API, so it certainly could work. I just haven't tried it yet.
Then how do you bypass Credential Guard?
So you can't really bypass Credential Guard. There are some other methods, but the closest I have seen was what Oliver Lyak did here: research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22
@CyberAttackDefense Thanks for sharing!
This is a great share. I am using it and dumped the RAM, and from it the SAM hashes using volatility3. However, it would be more useful to get the actual NTLM hashes of the AD users, and this is not in the LSA secrets method from volatility3. I thought that maybe if I somehow carved out the process data from lsass.exe that is in the RAM dump, it would be possible to analyze it with mimikatz minidump locally. But it just fails. Am I doing something that makes no sense?
The hashes from volatility are the NTLM hashes. You can crack or pass them.
Thank you for the reply @CyberAttackDefense. I get the local user hashes from the volatility3 plugin windows.hashdump, and mimikatz also returns the NT hashes of the AD users on the same host. So I was wondering if it is possible to convert the output from WinPmem and use it on mimikatz offline. I know the DA NTLM hash is there, and then I just need to pass it to end the test.
@franciscog7110 You can dump the process with volatility and run mimikatz against it. Did you try using memdump? Or, if you have an older version of volatility, there is a mimikatz plugin.
Seems patched, what do you think? I got this error when I try to execute the attack: System.Runtime.InteropServices.COMException (0x80070721): A security package specific error occurred
This no longer works, right?
Yes, this still works.
Fantastic! Bravo
Great video!!! Unfortunately Microsoft's requirements for Credential Guard are pretty "heavy". For example, it will work only on Windows Enterprise edition.
Very true! This is the reason many orgs didn't implement this control. Implement where possible.
Was that from a low-priv user??
No this is assuming admin. Find an escalation path first.
Okay, I see... the goal here is being quiet and stealthy!! Thank you
This was amazing and I will be using this lol thank you!
As always. This channel is gold. Thanks!