- Advanced Threat Analytics
- API Security Tasks
- Atomic Red Team
- Detection of Computer Domain Joins
- Detection of User Creation / Modification
- Event Log Analysis
- Device Guard
- General Configuration
- LAPS
- Layered Architecture
- Mitigate Kerberoast
- Mitigate Skeleton Key
- Mitigate Trust Attack
- Named Pipes
- Privileged Administrative Workstations
- Protected Users Group
- Red Forest
- Sniffing SSH Sessions
- Threat Hunting with Shodan
- Wireshark
- YARA
- yarGen
Name | Description | URL |
---|---|---|
APT Simulator | A toolset to make a system look as if it was the victim of an APT attack | https://github.com/NextronSystems/APTSimulator |
Azure Hunter | A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365. | https://github.com/darkquasar/AzureHunter |
BlueHound | BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. | https://github.com/zeronetworks/BlueHound |
Blue Team Notes | You didn't think I'd go and leave the blue team out, right? | https://github.com/Purp1eW0lf/Blue-Team-Notes |
C2IntelFeeds | Automatically created C2 Feeds | https://github.com/drb-ra/C2IntelFeeds |
Canary Tokens | Generate canary tokens | https://canarytokens.org/generate |
CrowdSec | Open-source and participative IPS able to analyze visitor behavior & provide an adapted response to all kinds of attacks. | https://github.com/crowdsecurity/crowdsec |
CyberDefenders | A blue team training platform. | https://cyberdefenders.org |
Cyber Threat Intelligence | Real-Time Threat Monitoring. | https://start.me/p/wMrA5z/cyber-threat-intelligence |
Fenrir | Simple Bash IOC Scanner | https://github.com/Neo23x0/Fenrir |
Forest Druid | Stop chasing AD attack paths. Focus on your Tier 0 perimeter. | https://www.purple-knight.com/forest-druid |
GitMonitor | One way to continuously monitor sensitive information that could be exposed on Github. | https://github.com/Talkaboutcybersecurity/GitMonitor |
HoneyCreds | HoneyCreds network credential injection to detect responder and other network poisoners. | https://github.com/Ben0xA/HoneyCreds |
Laurel | Transform Linux Audit logs for SIEM usage | https://github.com/threathunters-io/laurel |
Loki | Loki - Simple IOC and Incident Response Scanner | https://github.com/Neo23x0/Loki |
Monkey365 | Monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews. | https://github.com/silverhack/monkey365 |
packetSifter | PacketSifter is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files. | https://github.com/packetsifter/packetsifterTool |
PersistenceSniper | Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. | https://github.com/last-byte/PersistenceSniper |
PlumHound | Bloodhound for Blue and Purple Teams | https://github.com/PlumHound/PlumHound |
Purple Knight | #1 Active Directory security assessment community tool | https://www.purple-knight.com |
Ransomware Simulator | Ransomware simulator written in Golang | https://github.com/NextronSystems/ransomware-simulator |
SaaS Attack Techniques | Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown | https://github.com/pushsecurity/saas-attacks |
SIGMA | Generic Signature Format for SIEM Systems | https://github.com/SigmaHQ/sigma |
Simple Email Reputation | EmailRep Alpha Risk API | https://emailrep.io |
Slack Watchman | Slack enumeration and exposed secrets detection tool | https://github.com/PaperMtn/slack-watchman |
shhgit | Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories. | https://github.com/eth0izzle/shhgit |
STACS | Static Token And Credential Scanner | https://github.com/stacscan/stacs |
TheHive | TheHive: a Scalable, Open Source and Free Security Incident Response Platform | https://github.com/TheHive-Project/TheHive |
ThePhish | ThePhish: an automated phishing email analysis tool | https://github.com/emalderson/ThePhish |
Thinkst Canary | Canary Tokens | https://canary.tools |
ThreatIntel-Reports | Raw data from Threat Intelligence Reports with automatic reports collection and keyword search across thousands of reports | https://github.com/mthcht/ThreatIntel-Reports |
Wazuh | Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads. | https://github.com/wazuh/wazuh |
YARA | The pattern matching swiss knife | https://github.com/VirusTotal/yara |
yarGen | yarGen is a generator for YARA rules | https://github.com/Neo23x0/yarGen |
- Traffic to the DCs is mirrored to the ATA sensors (port mirroring to an ATA Gateway, or the Lightweight Gateway installed on the DC as a service); an activity profile is built per user and machine
- Collects event 4776 (NTLM credential validation) from the DCs to detect replay-style credential attacks and behavioral anomalies
- Detects: account enumeration, NetSession enumeration, brute force, exposed cleartext credentials, honey token use, unusual protocols, credential attacks (pass-the-hash, pass-the-ticket, ticket replay)
- Will NOT detect a golden ticket forged for a non-existent user
- Detects DCSync, but not DCShadow
Shoutout to Tanya Janca from We Hack Purple!
- List all APIs (create an inventory)
- Put them behind a gateway
- Throttling and resource quotas
- Logging, monitoring and alerting
- Block all unused HTTP methods
- Use a service mesh for communication management
- Implement standards for your organisation / API definition documents
- Strict Linting
- Authenticate THEN authorize
- Avoid verbose error messages
- Decommission old or unused versions of APIs
- Do all the same secure coding practices you normally do; input validation using approved lists, parameterized queries, bounds checking, etc.
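The gateway-side items of that checklist (inventory, blocked methods, throttling, authenticate THEN authorize, terse errors) in one place, as an added example that is not code from the original page. The route inventory, the bearer tokens and the quota numbers are constructed for the example; a real gateway validates signed tokens (JWT/OIDC) instead of a lookup table.

```python
"""Gateway-side checks for the API checklist above: route inventory, blocked
methods, throttling, authenticate THEN authorize, and terse error bodies.

Added example, not code from the original page. The route inventory, the
bearer tokens and the quota numbers are constructed for the example.
"""
import time


# Constructed inventory: only listed routes/methods exist for the gateway.
API_INVENTORY = {
    "/v2/orders": {"methods": {"GET", "POST"}, "role": "user"},
    "/v2/admin/users": {"methods": {"GET"}, "role": "admin"},
}

# Constructed credentials: bearer token -> identity and roles.
TOKENS = {
    "tok-alice": {"sub": "alice", "roles": {"user"}},
    "tok-ops": {"sub": "ops", "roles": {"user", "admin"}},
}


class TokenBucket:
    """Per-client quota: `rate` requests/second, at most `burst` in reserve."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self, rate=5, burst=5, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}
        self.audit = []  # structured log for monitoring/alerting; never sent to clients

    def handle(self, method, path, headers, client_ip):
        """Return (status, body). Every rejection logs the real reason and
        returns only a generic message."""
        # 1. Unknown route or unused HTTP method: reject before doing any work.
        route = API_INVENTORY.get(path)
        if route is None:
            return self._deny(404, "not found", client_ip, method, path, "route not in inventory")
        if method not in route["methods"]:
            return self._deny(405, "method not allowed", client_ip, method, path, "method blocked")
        # 2. Throttle per source before authentication so credential guessing
        #    and scraping hit the quota rather than the backend.
        bucket = self.buckets.setdefault(client_ip, TokenBucket(self.rate, self.burst, self.clock))
        if not bucket.allow():
            return self._deny(429, "too many requests", client_ip, method, path, "quota exceeded")
        # 3. Authenticate: who is calling?
        auth = headers.get("Authorization", "")
        ident = TOKENS.get(auth[len("Bearer "):].strip()) if auth.startswith("Bearer ") else None
        if ident is None:
            return self._deny(401, "unauthorized", client_ip, method, path, "missing or invalid token")
        # 4. THEN authorize: is this caller allowed on this route?
        if route["role"] not in ident["roles"]:
            return self._deny(403, "forbidden", client_ip, method, path,
                              f"{ident['sub']} lacks role {route['role']}")
        self.audit.append({"ip": client_ip, "sub": ident["sub"], "method": method,
                           "path": path, "status": 200})
        return 200, {"ok": True, "sub": ident["sub"]}

    def _deny(self, status, public_msg, ip, method, path, detail):
        # The detail stays in the audit log; the client gets a generic message.
        self.audit.append({"ip": ip, "method": method, "path": path,
                           "status": status, "detail": detail})
        return status, {"error": public_msg}


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("GET", "/v2/admin/users", {"Authorization": "Bearer tok-alice"}, "192.0.2.10"))
    print(gw.audit[-1])
```

The ordering is deliberate: method and route checks cost nothing and run first, the throttle runs before authentication so a credential-guessing client burns its quota instead of the backend, and authorization only happens for a caller that has already been identified.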
PC C:\> PowerShell -ExecutionPolicy bypass
PC C:\> Import-Module "C:\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
PC C:\> $PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics"}
PC C:\> help Invoke-AtomicTest
PC C:\> Invoke-AtomicTest T1127 -ShowDetailsBrief
PC C:\> Invoke-AtomicTest T1127 -ShowDetails
PC C:\> Invoke-AtomicTest T1127 -CheckPrereqs
PC C:\> Invoke-AtomicTest T1127 -GetPrereqs
PC C:\> Invoke-AtomicTest T1053.005 -ShowDetailsBrief
PC C:\> Invoke-AtomicTest T1053.005 -TestNumbers 1,2
PC C:\> schtasks /query /tn T1053_005_OnLogon
PC C:\> ls C:\AtomicRedTeam\atomics | Where-Object Name -Match "T1566.001|T1203|T1059.003|T1083|T1082|T1016|T1049|T1007|T1087.001"
PC C:\> 'T1566.001','T1059.003','T1083','T1082','T1016','T1049','T1007','T1087.001' | ForEach-Object {echo "Enumerating $_"; Invoke-AtomicTest $_ -ShowDetailsBrief }
PC C:\> 'T1566.001','T1059.003','T1083','T1082','T1016','T1049','T1007','T1087.001' | ForEach-Object {echo "Enumerating $_"; Invoke-AtomicTest $_ -CheckPrereqs }
PC C:\> Invoke-AtomicTest T1059.003-3
PC C:\> Invoke-AtomicTest T1547.001 -CheckPrereqs
PC C:\> Invoke-AtomicTest T1547.001 -TestNumbers 2
PC C:\> cat T1136.001/T1136.001.yaml
PC C:\> Invoke-AtomicTest T1136.001 -TestNumbers 3
PC C:\> net user
PC C:\> Invoke-AtomicTest T1136.001 -TestNumbers 3 -PromptForInputArgs
PC C:\> net user
PC C:\> Invoke-AtomicTest T1136.001 -TestNumbers 3 -PromptForInputArgs -Cleanup
PC C:\> Start-AtomicGui
PS C:\> Get-ADComputer -filter * -properties whencreated | Select Name,@{n="Owner";e={(Get-acl "ad:\$($_.distinguishedname)").owner}},whencreated
PS C:\> Get-ADUser -Filter {(Enabled -eq $True) -and (Created -gt "2023-04-10")} -Properties Created, LastLogonDate | Select SamAccountName, Name, Created | Sort-Object Created
Event ID | Description | Importance for Defenders | Example MITRE ATT&CK Technique |
---|---|---|---|
1102 | Security Log cleared | May indicate an attacker is attempting to cover their tracks by clearing the security log (e.g., security log cleared after an unauthorized admin logon) | T1070 - Indicator Removal on Host |
4624 | Successful account Logon | Helps identify unauthorized or suspicious logon attempts, and track user activity on the network (e.g., logons during off-hours from unusual hosts) | T1078 - Valid Accounts |
4625 | Failed account Logon | Indicates potential brute-force attacks or unauthorized attempts to access a system (e.g., multiple failed logons from a single source in a short time) | T1110 - Brute Force |
4648 | Logon attempt with explicit credentials | May suggest credential theft or improper use of accounts (e.g., an attacker creates a new token for an account after compromising cleartext credentials) | T1134 - Access Token Manipulation |
4662 | An operation was performed on an object | Helps track access to critical objects in Active Directory, which could indicate unauthorized activity (e.g., an attacker performs a DCSync attack by performing replication from an unusual host) | T1003 - OS Credential Dumping |
4663 | Access to an object was requested | Monitors attempts to perform specific actions on sensitive objects like files, processes, and registry keys, which could indicate unauthorized access (e.g., an attacker attempts to read a file or folder which has been specifically configured for auditing) | T1530 - Data from Local System |
4670 | Permissions on an object were changed | Helps detect potential tampering with sensitive files or unauthorized privilege escalation (e.g., a low-privileged user modifying permissions on a sensitive file to gain access) | T1222 - File Permissions Modification |
4672 | Administrator privileges assigned to a new Logon | Helps detect privilege escalation and unauthorized admin account usage (e.g., a standard user suddenly granted admin rights without a change request) | T1078 - Valid Accounts |
4698 | A scheduled task was created | Helps detect malicious scheduled task creation and could indicate persistence, privilege escalation, or lateral movement (e.g., an attacker creates a scheduled task that runs a beacon periodically) | T1053 - Scheduled Task/Job |
4719 | System audit policy was changed | An attacker may switch off audit subcategories (e.g., logon or object access auditing) to blind defenders before acting; any change should match a change record | T1562.002 - Impair Defenses: Disable Windows Event Logging |
4720 | New user account created | Monitors for unauthorized account creation or potential insider threats (e.g., a new account created outside of normal business hours without HR approval) | T1136 - Create Account |
4724 | An attempt was made to reset an account's password | Monitors for unauthorized password resets, which could indicate account takeover (e.g., an attacker resetting the password of a high-privileged account) | T1098 - Account Manipulation |
4728 | Member added to a security-enabled global group | Tracks changes to important security groups, which could indicate unauthorized privilege escalation (e.g., an attacker adds a user to the "Domain Admins" group) | T1098 - Account Manipulation |
4729 | Member was removed from a global security group | A member got removed from a global security group which an attacker could do to clear indicators of compromise. | TA0005-Defense Evasion |
4732 | Member added to a security-enabled Local group | Monitors changes to local security groups, which could suggest unauthorized access or privilege escalation (e.g., an attacker adds a user to the "Administrators" local group) | T1098 - Account Manipulation |
4739 | Domain policy change | An attacker could use changes in domain policies for persistence. | TA0005-Defense Evasion |
4756 | Member added to a universal security group | High risk domain group membership change. | TA0003-Persistence |
4757 | A member was removed from a security-enabled universal group. | An attacker could try to remove indicators of compromise, or lock specific users out and disrupt access. | TA0005-Defense Evasion |
4768 | A Kerberos authentication ticket was requested (TGT Request) | Monitors initial authentication requests to track user logons, and helps identify potential abuse of the Kerberos protocol (e.g., an attacker compromises the NTLM hash of a privileged account and performs an overpass-the-hash attack which requests a TGT from an unusual host) | T1558 - Steal or Forge Kerberos Tickets |
4769 | A Kerberos service ticket was requested | Monitors for potential Kerberoasting attacks or other suspicious activities targeting the Kerberos protocol (e.g., a sudden increase in requests for unique services from a single user) | T1558 - Steal or Forge Kerberos Tickets |
4776 | The domain controller attempted to validate the credentials | Helps identify failed or successful attempts to validate credentials against the domain controller, which could indicate unauthorized access or suspicious authentication activity (e.g., an unusual number of failed validations from a single IP address) | T1110 - Brute Force |
7045 | New service installed (System log, not Security) | Monitors for potential malicious services being installed, indicating lateral movement or persistence (e.g., a remote access tool installed as a service on multiple machines) | T1543 - Create or Modify System Process |
The following require the matching audit subcategory to be enabled (Audit Directory Service Access for 4662, Audit Directory Service Changes for 5136) and, for 4662 and 4670, a SACL on the object:
4662: An operation was performed on an object
5136: A directory service object was modified
4670: Permissions on an object were changed
Event ID | Attack | Description |
---|---|---|
4662, 4738, 5136, 4769 | Set an SPN for the user and perform a kerberoast attack. | Setting a user's SPN results in a 4738, 4662 and 5136 for the target account. A subsequent 4769 captures the kerberoasting event. |
4662, 4738, 5136, 4768 | Disable pre-authentication and capture a user's TGT with an AS-REP roast attack. | Disabling pre-authentication results in a 4738 and 5136 for the target account. A subsequent 4768 captures the AS-REP roasting attack. |
4662, 5136, 4768 | Perform a shadow credential attack which sets the user object's msDS-KeyCredentialLink property. | Setting msDS-KeyCredentialLink results in a 4662 and 5136 for the target account. A subsequent 4768 with pre-authentication type 16 (PKINIT) and certificate information is generated. |
4724, 4738 | Change the user's password | Changing a user's password results in a 4724 and 4738 for the target account. |
4657: Registry value created/changed; watch HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior (DSRM account abuse; needs a SACL on the key and the Audit Registry subcategory)
4624: Account logon
4634: Account logoff
4672: Special privileges assigned to a new logon (admin logon; should be monitored on the DC)
PC C:\> Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *
4769: A Kerberos service ticket was requested. Kerberoast filter: ServiceName is not krbtgt and does not end with $ (no machine accounts), failure code 0x0 (success), ticket encryption type 0x17 (RC4-HMAC); several such tickets for distinct services from one account in a short time is the classic pattern
4657: Registry value created/changed on HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages (registration of a custom SSP)
7045: A service was installed in the system (System log)
4673: A privileged service was called (sensitive privilege use; requires the Audit Sensitive Privilege Use subcategory)
4611: A trusted logon process has been registered with the Local Security Authority (requires the Audit Security System Extension subcategory)
PC C:\> Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}
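An added example (not from the cheat sheet) that implements the 4769 Kerberoast filter above over event records, flags bursts of RC4 tickets for distinct services, and correlates 5136 writes to servicePrincipalName with a later 4769 for the same account to catch the targeted Kerberoast from the attack table above. The records are constructed dicts whose keys mirror the Windows EventData field names; every account, host and timestamp is fabricated, and the CN-equals-sAMAccountName shortcut is an assumption noted in the code.

```python
"""Detect Kerberoasting from Security event 4769 (service not krbtgt or a
machine account, Status 0x0, encryption 0x17/RC4) and correlate with 5136
writes to servicePrincipalName to catch a targeted Kerberoast.

Added example, not part of the original cheat sheet. The events below are
constructed dicts whose keys mirror the EventData names Windows uses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17


def roastable_tgs(ev):
    """The 4769 filter from the notes above."""
    if ev["EventID"] != 4769:
        return False
    svc = ev["ServiceName"]
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False  # TGT-related and machine-account tickets are not roastable
    return ev["Status"] == 0x0 and ev["TicketEncryptionType"] == RC4_HMAC


def burst_alerts(events, min_services=3, window=timedelta(minutes=5)):
    """Flag a requester that pulls RC4 tickets for several distinct services
    in a short window; one RC4 ticket may be legacy, many at once is a roast."""
    by_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["Time"]):
        if roastable_tgs(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = []
    for (user, ip), evs in by_requester.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["Time"] - first["Time"] <= window]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= min_services:
                alerts.append({"user": user, "ip": ip, "services": services})
                break
    return alerts


def cn_from_dn(dn):
    """Assumption for this example: the object's CN equals its sAMAccountName.
    A real detector should resolve ObjectGUID from the 5136 instead."""
    first = dn.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first


def targeted_alerts(events, lookback=timedelta(hours=24)):
    """A 5136 writing servicePrincipalName on an account, followed by a
    roastable 4769 for that account: someone made it roastable on purpose."""
    spn_writes = [e for e in events if e["EventID"] == 5136
                  and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"]
    alerts = []
    for tgs in (e for e in events if roastable_tgs(e)):
        for w in spn_writes:
            if (cn_from_dn(w["ObjectDN"]).lower() == tgs["ServiceName"].lower()
                    and timedelta(0) <= tgs["Time"] - w["Time"] <= lookback):
                alerts.append({"victim": tgs["ServiceName"], "spn_set_by": w["SubjectUserName"],
                               "ticket_requested_by": tgs["TargetUserName"]})
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (fabricated accounts, hosts and times).
SAMPLE_EVENTS = [
    # Normal: AES (0x12) service ticket for a file server's machine account.
    {"EventID": 4769, "Time": _t("2024-03-01T09:00:00"), "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "10.1.1.20", "ServiceName": "FS01$", "TicketEncryptionType": 0x12, "Status": 0x0},
    # Burst: three RC4 tickets for distinct service accounts within seconds.
    *[{"EventID": 4769, "Time": _t(f"2024-03-01T10:00:{s:02d}"), "TargetUserName": "mallory@CORP.LOCAL",
       "IpAddress": "10.1.1.99", "ServiceName": svc, "TicketEncryptionType": RC4_HMAC, "Status": 0x0}
      for s, svc in ((5, "svc_sql"), (6, "svc_http"), (7, "svc_backup"))],
    # Targeted: jdoe writes an SPN onto backup_admin, then requests its ticket.
    {"EventID": 5136, "Time": _t("2024-03-01T11:00:00"), "SubjectUserName": "jdoe",
     "ObjectDN": "CN=backup_admin,OU=Admins,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "http/fake.corp.local"},
    {"EventID": 4769, "Time": _t("2024-03-01T11:02:00"), "TargetUserName": "jdoe@CORP.LOCAL",
     "IpAddress": "10.1.1.50", "ServiceName": "backup_admin", "TicketEncryptionType": RC4_HMAC, "Status": 0x0},
]

if __name__ == "__main__":
    print(burst_alerts(SAMPLE_EVENTS))
    print(targeted_alerts(SAMPLE_EVENTS))
```

The targeted case is the one the burst rule misses: a single RC4 ticket looks like legacy noise until it is joined with the 5136 that created the SPN two minutes earlier, which is why both rules belong in the same detection.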
Detect hidden Windows services via deny ACEs in the service security descriptor (run elevated: the per-service Security key is readable by administrators only)
https://github.com/gtworek/PSBits/blob/master/Services/Get-ServiceDenyACEs.ps1
$keys = Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services\"
foreach ($key in $keys)
{
    if (Test-Path ($key.pspath + "\Security"))
    {
        # Binary security descriptor of the service as stored by the SCM
        $sd = (Get-ItemProperty -Path ($key.pspath + "\Security") -Name "Security" -ErrorAction SilentlyContinue).Security
        if ($null -eq $sd)
        {
            continue
        }
        # FileSecurity is only used as a convenient parser: binary SD -> SDDL
        $o = New-Object -TypeName System.Security.AccessControl.FileSecurity
        $o.SetSecurityDescriptorBinaryForm($sd)
        $sddl = $o.Sddl
        # Common deny ACE for Guests (BG), not suspicious at all; any other deny ACE is how a service gets hidden from enumeration
        $sddl1 = $sddl.Replace('(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)', '')
        if ($sddl1.Contains('(D;'))
        {
            Write-Host $key.PSChildName ' ' $sddl
        }
    }
}
- Hardens against malware by allowing only trusted code to run
- Code integrity enforced in kernel and user space: Configurable Code Integrity (CCI) policies, User Mode Code Integrity (UMCI), Kernel Mode Code Integrity (KMCI)
- UEFI Secure Boot protects the boot chain and firmware configuration so the policy cannot be bypassed before the OS loads
- Limit interactive logon of Domain Admins to DCs (Tier 0 hosts) only
- Never run a service with DA privileges
- Use temporary group memberships where possible (Privileged Access Management feature: a membership can carry a TTL)
- Mark sensitive accounts as "Account is sensitive and cannot be delegated" (AD user properties, Account tab)
Centralized local-admin password management with periodic randomization; the password is stored on the computer object in the attributes ms-Mcs-AdmPwd (cleartext, protected only by the attribute ACL, so restrict who can read it) and ms-Mcs-AdmPwdExpirationTime.
- Tier0: Domain Admins/Enterprise Admins
- Tier1: Significant Resource Access
- Tier2: Administrator for Workstations / Support etc.
Use long, random passwords for service accounts (or group Managed Service Accounts, whose passwords rotate automatically), remove SPNs that are not needed, and prefer AES over RC4 for Kerberos so a captured ticket is far slower to crack.
PC C:\> New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\ -Name RunAsPPL -PropertyType DWORD -Value 1 -Verbose
Reboot afterwards; LSA protection (RunAsPPL) stops unsigned code such as a skeleton key from being injected into LSASS. Verify that LSASS started as a protected process (event 12 from Wininit in the System log):
PC C:\> Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "*protected process*"}
- Enable SID Filtering
- Enable Selective Authentication (users from the trusted forest get no access to resources unless explicitly granted the "Allowed to Authenticate" right on each server)
Named Pipe | Name | Description |
---|---|---|
\PIPE\svcctl | Service Control Manager (SCM) | Manages system services remotely, allowing control over starting, stopping, and configuring services. Attackers may use this to manipulate services for persistence or remote command execution. |
\PIPE\samr | Security Account Manager (SAM) | Provides access to the SAM database, which stores user credentials. Often used by attackers to enumerate accounts or retrieve password hashes. |
\PIPE\netlogon | Netlogon Service | Handles NTLM pass-through authentication and the secure channel used for domain trust operations. Attackers target it for credential attacks (e.g., pass-the-hash validated via the DC) and to gain unauthorized domain access. |
\PIPE\lsarpc | Local Security Authority Remote Procedure Call (LSARPC) | Grants access to security policies and account privileges. Attackers might use this pipe to gather information on security configurations and user privileges. |
\PIPE\atsvc | AT Service / Task Scheduler | Facilitates remote task scheduling, often abused by attackers to execute commands on a remote system at specified times. Commonly used for persistence, lateral movement, and privilege escalation. |
\PIPE\eventlog | Event Log Service | Manages event logging. Attackers may interact with this to clear or manipulate event logs to hide their tracks after malicious actions. |
\PIPE\spoolss | Print Spooler Service | Manages print jobs. Historically vulnerable (e.g., PrintNightmare), making it a target for remote code execution and lateral movement. |
\PIPE\wmi | Windows Management Instrumentation (WMI) | WMI is actually reached over DCOM/RPC (TCP 135 plus a dynamic port) rather than a dedicated SMB pipe, but it is listed here because it is the usual companion of the pipes above: attackers use it for enumeration and remote command execution. |
\PIPE\browser | Browser Service | Supports network browsing and domain controller location services. Attackers may use it to identify network hosts and domains. |
\PIPE\epmapper | Microsoft RPC Endpoint Mapper | Acts as a gateway for RPC-based services. The pipe provides access to various RPC services, making it a high-value target for attackers to gain access to multiple functions. |
5c:00:50:00:49:00:50:00:45
SMB carries the pipe path as UTF-16LE, so each ASCII character is followed by a 00 byte:
5c:00 = \ (backslash), 50:00 = P, 49:00 = I, 50:00 = P, 45:00 = E
The pattern above stops at the 45 of E; `contains` is a substring match, so the trailing 00 is not needed.
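To make the encoding concrete and reusable, here is an added example (not from the original page) that builds the UTF-16LE byte pattern for any pipe name, renders it as the colon-separated hex a `frame contains` filter takes, and scans a payload for the pipes from the table above. The SMB payload is constructed, not a real capture.

```python
"""Build and search for the UTF-16LE form of named pipe names, which is what
the 5c:00:50:00:49:00:50:00:45 pattern above is: "\\PIPE" with a 00 after
each character. Added example, not from the original page; the SMB payload
below is constructed and is not a real capture.
"""
import re

# Pipes from the table above that are worth flagging in SMB traffic.
PIPES_OF_INTEREST = ["svcctl", "samr", "netlogon", "lsarpc", "atsvc",
                     "eventlog", "spoolss", "browser", "epmapper"]


def utf16le(text):
    """SMB2 file names (the pipe name opened on IPC$) are UTF-16LE on the wire."""
    return text.encode("utf-16-le")


def frame_contains_filter(text):
    """Wireshark `frame contains` filter for a string as SMB would carry it,
    e.g. "\\PIPE" -> frame contains 5c:00:50:00:49:00:50:00:45:00."""
    return "frame contains " + ":".join(f"{b:02x}" for b in utf16le(text))


def find_pipe_names(payload, names=PIPES_OF_INTEREST):
    """Return sorted (offset, pipe) for each known pipe name in the payload.
    Matching is case-insensitive on the ASCII bytes; the interleaved 00 bytes
    must match exactly, so plain-ASCII occurrences of the word are not hits."""
    hits = []
    for name in names:
        for m in re.finditer(re.escape(utf16le(name)), payload, flags=re.IGNORECASE):
            hits.append((m.start(), name))
    return sorted(hits)


def has_pipe_prefix(payload):
    """SMB1 opens pipes as \\PIPE\\name; SMB2 usually sends just the name."""
    return utf16le("\\PIPE\\").lower() in payload.lower()


# Constructed payload: an SMB2 header magic, filler, the pipe name "svcctl" as
# an SMB2 CREATE would carry it, then an SMB1-style "\PIPE\samr" path.
SAMPLE_PAYLOAD = (b"\xfeSMB" + bytes(8) + utf16le("svcctl") + bytes(4)
                  + b"\xffSMB" + utf16le("\\PIPE\\samr") + bytes(2))

if __name__ == "__main__":
    print(frame_contains_filter("\\PIPE"))
    print(find_pipe_names(SAMPLE_PAYLOAD), has_pipe_prefix(SAMPLE_PAYLOAD))
```

Searching for the bare pipe name rather than the `\PIPE\` prefix is what catches SMB2 traffic, where the CREATE request names the pipe relative to the IPC$ share; the prefix check is only informative for SMB1-style opens.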
Use a hardened, dedicated workstation for performing sensitive tasks, so admin credentials are never entered on a machine that also does mail and web browsing.
- Cannot use CredSSP or WDigest (no more cleartext credentials in memory)
- NTLM cannot be used at all, and the NTLM hash is not cached
- Kerberos does not use DES or RC4, and TGTs are limited to a 4-hour lifetime
- Requires Windows Server 2012 R2 (the group exists once the PDC emulator runs 2012 R2; domain-side protections need the 2012 R2 domain functional level); test the impact first: no offline sign-on (no cached credentials), so it is useless for computers and service accounts
- ESAE Enhanced Security Admin Environment
- Dedicated administrative forest for managing critical assets (forests are security boundaries)
Attach to the sshd child process of an established session (needs root); the reads that return a single byte are the interactive keystrokes, so this prints them as they are typed:
$ strace -e trace=read -p <PID> 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
Example banner from a Shodan result (an ingress controller answering with its default fake certificate):
HTTP/1.1 404 Not Found
Date: GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
X-Served-By:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Shodan search filters to hunt for the same fingerprint:
ssl.jarm:"2ad2ad0002ad2ad00042d42d00000023f2ae7180b8a0816654f2296c007d93"
ssl:"Kubernetes Ingress Controller Fake Certificate"
ip.addr == <RHOST> // shows all packets involving the specific IP address
tcp.port == <RPORT> // shows only port XYZ
dns // isolates DNS traffic
http.request.uri contains "login" // find HTTP requests with "login" in the URL
ntlmssp.auth.username // shows used usernames
dcerpc.opnum == 0 // on the eventlog interface (MS-EVEN, dissected by Wireshark as EVENTLOG) opnum 0 is ElfrClearELFW, i.e. the event log being cleared; combine with the interface to avoid matching opnum 0 of every other RPC interface
frame contains 5c:00:50:00:49:00:50:00:45 // shows frames carrying a named pipe path (\PIPE in UTF-16LE)
smb2.filename contains ".exe" // smb filtering on .exe files
- AND (&&): ip.addr == <RHOST> && tcp.port == <RPORT>
- OR (||): http || ftp
- NOT (!): !arp
$ sudo apt-get install automake libtool make gcc pkg-config flex bison
$ ./bootstrap.sh
$ ./configure
$ make
$ make check
$ sudo make install
Add --enable-magic to ./configure (needs libmagic-dev) if rules use the magic module:
$ ./configure --enable-magic
Scan a binary with the rules generated by yarGen; -s additionally prints the strings that matched:
$ yara /PATH/TO/yarGen/yarGen-0.23.4/yargen_rules.yar /PATH/TO/BINARY/<BINARY>
$ yara -s /PATH/TO/yarGen/yarGen-0.23.4/yargen_rules.yar /PATH/TO/BINARY/<BINARY>
$ mkdir yarGen
$ cd yarGen/
$ wget https://github.com/Neo23x0/yarGen/archive/refs/tags/0.23.4.zip
$ unzip 0.23.4.zip
$ cd yarGen-0.23.4/
$ python3 -m venv venv
$ source venv/bin/activate
$ pip3 install -r requirements.txt
$ python3 yarGen.py --update
$ mkdir sample
$ cp rusty-recon-bot sample/
$ python3 yarGen.py -a "<AUTHOR>" -r "<NAME>" -m sample/
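What yarGen does in miniature, as an added example that is not yarGen's own code: extract printable ASCII and wide strings from a sample, drop those that also occur in a goodware string set, rank the rest and emit a YARA rule. The sample bytes, the goodware set and the scoring heuristic are all constructed for this example; yarGen's real database and scoring are far larger.

```python
"""What yarGen does, in miniature: pull printable strings out of a sample,
drop the ones that also occur in goodware, rank the rest and emit a YARA rule.
Added example, not yarGen's own code. The sample bytes, the goodware string
set and the scoring heuristic are all constructed for this example.
"""
import re
from datetime import date

ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")          # printable ASCII, 6+ chars
WIDE_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # UTF-16LE ("wide") strings


def extract_strings(data):
    """Return (text, is_wide) for every ASCII and wide string in data."""
    out = [(m.group().decode("ascii"), False) for m in ASCII_STR.finditer(data)]
    out += [(m.group().decode("utf-16-le"), True) for m in WIDE_STR.finditer(data)]
    return out


def score(text):
    """Simplified stand-in for yarGen's scoring: longer strings rank higher,
    URLs and file paths get a bonus because they tend to be attacker-specific."""
    points = min(len(text), 40) // 4
    if "://" in text or "\\" in text:
        points += 5
    return points


def yara_escape(text):
    return text.replace("\\", "\\\\").replace('"', '\\"')


def generate_rule(data, goodware, name, author, max_strings=20):
    """Emit a YARA rule from the sample's strings that are absent from
    goodware, or None if nothing distinctive is left."""
    candidates = [(s, wide) for s, wide in set(extract_strings(data)) if s not in goodware]
    candidates.sort(key=lambda sw: (-score(sw[0]), sw[0]))
    candidates = candidates[:max_strings]
    if not candidates:
        return None
    lines = [f"rule {name} {{",
             "    meta:",
             f'        author = "{author}"',
             f'        date = "{date.today().isoformat()}"',
             "    strings:"]
    for i, (s, wide) in enumerate(candidates, 1):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ' + ("wide" if wide else "ascii"))
    needed = min(3, len(candidates))
    lines += ["    condition:",
              f"        uint16(0) == 0x5a4d and filesize < 1MB and {needed} of them",
              "}"]
    return "\n".join(lines)


# Constructed "goodware" strings: what any clean PE typically contains.
GOODWARE_STRINGS = {"This program cannot be run in DOS mode.", "KERNEL32.dll",
                    "GetProcAddress", "LoadLibraryA"}

# Constructed sample: a PE-like blob with boilerplate plus three attacker strings,
# one of them stored wide (UTF-16LE). 203.0.113.7 is a documentation address.
SAMPLE = (b"MZ\x90\x00This program cannot be run in DOS mode.\x00"
          + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
          + b"http://203.0.113.7/recon/upload.php\x00\x00"
          + "C:\\Users\\Public\\rrb.log".encode("utf-16-le") + b"\x00\x00"
          + b"rusty-recon-bot v0.3 beacon\x00")

if __name__ == "__main__":
    print(generate_rule(SAMPLE, GOODWARE_STRINGS, "rusty_recon_bot", "analyst"))
```

The goodware filter is the step that matters: without it the DOS stub and the KERNEL32 imports would score as well as the C2 URL and the rule would fire on every Windows binary, which is exactly why yarGen ships a goodware string database and why `--update` is run first.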