![]() Mainly handled with Windows Security Event Log on windows, an Event ID (EID) represents an action performed by application, host, ect… On the network. Multiple C2 can be used in a red team engagement Initial Access C2, Short Haul C2 & Long haul C2.Redirectors (TCP, DNS, HTTP, Serverless, RedWarden) can also be great to hide your real servers. ![]() ![]() Be careful of Categorisation, Maturity, Prevalence, Certificate CA signer for your domain.Encryption can be used such as SSL/TLS/mTLS to hide your traffic.Other protocols like Wireguard, DNS, DNS over HTTP/S (DoH) are very good too and offer many other possibilites to hide from defenders.: Avast Agent, Microsoft Teams, Wikipedia…) or simply hide some suspicious traces. Mosts known protocol for the communication is HTTP because it can be very malleable to mimic a real application/website comms. Domains and IPs accessed : Domain categorization, Cert information….Offensive Architectureīlue Teamers often looks at Network Indicators for suspicious network activity within systems with ETW ( Microsoft-Windows-Winsock-AFD, Microsoft-Windows-TCPIP…), Callbacks ( WskAcceptEvent, WskReceiveEvent…), IDS/IPS solutions, WAFs, corporate proxies… I recommand this talk “Quantify Your Hunt: Not Your Parents’ Red team - SANS Threat Hunting Summit 2018” if you want to learn more about hunting. Investigating the origin of those incidents (forensics traces, artifacts…).Responding to incidents (system isolation, account lockouts…).Monitoring unusual behaviour (IOCs, suspicious activity…).Hardening the environment (patching, logging…).process injection).Īs I said at the beginning it is also important to understand how a blue teamer can catch us, here is what a blue teamer often does : The Microsoft-Windows-Threat-Intelligence provider corresponds to ETWTI, an additional security feature that an EDR can subscribe to and identify malicious uses of APIs (e.g.Providers are sending events to session and everything goes to the consumer. ETW is one of the most important log sources for an EDR (e.g.PspCreateProcessNotifyRoutine for process creation, PspCreateThreadNotifyRoutine for thread creation or PspLoadImageNotifyRoutine for image loading) Kernel Callbacks - EDRs can subscribe to them in order to receive notifications about events (e.g. NtProtectVirtualMemory) in the AV or EDR DLL to monitor and intercept API calls UM Hooks - detour the execution flow of certain functions/syscalls (e.g.If we go a bit deeper in defenses used on windows environment we can see these : Pattern Matching: YARA, BeaconEye, Crowdstrike Falcon X, CAPA, SIGMA.Memory IOC Scanner: malfind, PE-sieve, Moneta, BeaconHunter, Hunt-Sleeping-Beacons, MalMemDetect.EDR & Monitoring Products: Elastic EDR, Cortex EDR/XDR, Sentinel One (S1) EDR, Crowdstrike EDR, SigmaHQ, Azure-Sentinel, Splunk, FalconForce, MDE.With a little bit of OSINT you can easily find out which security products are used by the company, who are the employees, ect… So you can adapt and opt for more optimal strategies. It’s important to know that OPSEC is a large term and depends of the situation, Blue Team (SIEM/IR), Equipment/Security Products, Environment, the vigilance of the employees/users of the company and of course, it will depends of YOU ! OPSEC in red team means mainly the fact to be more discreet, it implies to understand the methods used by the blue teamers to better anticipate them. The term OPSEC is first used in the U.S Army and then in cybersecurity.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |