DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!)

DIY Blue Teaming - ShellCon · 2019. 10. 23.

  • DIY Blue Teaming

    Ways to make malware not work
    Security by obscurity (because sucker punches work, even though nobody wants to admit it)
    "Hack Back" tricks - *TRY AT YOUR OWN RISK*
    Why buy the cow when you can have the milk for free?

  • Ways to make malware not work

    Usually the purpose of 0day is to execute malware. If you stop that malware from executing, you essentially mitigate the 0day.

    0day (and its often-attached malware) tends to fail in the wild, like A LOT. When it does, it makes errors. If you can catch those errors in context, sometimes you get to keep / analyse the malware AND THE 0DAY!

    tl;dr: make your environment unpredictable so that you spend less time threat hunting and more time seeing stuff actually being thrown at you! (aka: NOT GETTING PWNED)

  • Methods: Re-order all the syscalls

  • Methods: "Remove" your shell

    Actually remove bash from the box.

    Use unix noshell on every user and then point ssh to a binary that downloads a shell and runs it upon login.

  • Methods: Backdoor your own utilities...

  • Backdoor your own utilities: SSH "dupe" setup...

    https://github.com/stealth/sshttp

    Port 22: SSH / HTTPS
    Port 8443: actual SSH server

  • Backdoor your own utilities: GCC shouldn't be on boxes in prod anyway...

    Replace GCC with a binary that never actually outputs the file to disk but DOES run it through VirusTotal and give you alerts.

  • Backdoor your own utilities: Tripwire apps that modify the filesystem

    cp / mv / ln: if (destination == "core lib") { wtf_are_you_doing() }
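The cp / mv / ln tripwire above as a working wrapper, written for this page and not part of the talk: it stands in for cp, mv and ln, always lets the real tool run, and logs an alert whenever the destination lands in a core library location. The /usr/libexec/tripwire/ directory for the real binaries and the log file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk. Install as /usr/bin/cp, /usr/bin/mv and
# /usr/bin/ln after moving the real binaries to /usr/libexec/tripwire/<tool>.real
# (assumed paths). Alerts go to a log file; point it at your alerting pipeline.

TRIPWIRE_LOG="${TRIPWIRE_LOG:-/var/log/tripwire-alerts.log}"
REAL_BIN_DIR="${REAL_BIN_DIR:-/usr/libexec/tripwire}"

# Locations nobody should be hand-editing on a production box:
# shared libraries and the dynamic loader's configuration.
is_core_lib_path() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*|/etc/ld.so.preload|/etc/ld.so.conf*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# The "wtf_are_you_doing()" from the slide: record who did what, from where.
wtf_are_you_doing() {
    printf '%s ALERT tool=%s dest=%s uid=%s cwd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$(id -u)" "$PWD" \
        >> "$TRIPWIRE_LOG"
}

# check_invocation TOOL ARG...  -> returns 0 and raises an alert when the
# destination (the last argument for cp, mv and ln) is a core library path,
# 1 otherwise. The real tool runs either way: this is a tripwire, not a block.
check_invocation() {
    tool="$1"; shift
    [ "$#" -gt 0 ] || return 1
    for arg in "$@"; do dest="$arg"; done
    if is_core_lib_path "$dest"; then
        wtf_are_you_doing "$tool" "$dest"
        return 0
    fi
    return 1
}

# Entry point when this script is invoked under one of the wrapped names.
tripwire_main() {
    tool="$(basename "$0")"
    check_invocation "$tool" "$@" || true
    exec "$REAL_BIN_DIR/$tool.real" "$@"
}

case "$(basename "$0")" in
    cp|mv|ln) tripwire_main "$@" ;;
esac
```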

  • Backdoor your own utilities: Make uname "lie"

  • Backdoor your own utilities: Modprobe

    Check that the module contains this super secret squirrel token that is in all my modules.

    "Decrypt" binaries before loading.

    Rename modprobe to something else and make modprobe send a security alert.
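The two modprobe ideas above combined into one stand-in, written for this page and not part of the talk: the real modprobe is renamed away, and the replacement refuses (and alerts on) any module that does not embed the marker string built into all in-house modules. The marker value, the .real path and the log file are placeholders.

```shell
#!/bin/sh
# Added example, not from the talk. Installed as /sbin/modprobe after the
# real one is moved to modprobe.real (assumed path). Every module named on
# the command line must embed the org's marker string, which is compiled
# into all in-house modules; anything else is logged and refused.
# The marker value below is a placeholder.

MODULE_MARKER="${MODULE_MARKER:-ORG-KMOD-MARKER-PLACEHOLDER}"
REAL_MODPROBE="${REAL_MODPROBE:-/usr/libexec/tripwire/modprobe.real}"
ALERT_LOG="${ALERT_LOG:-/var/log/modprobe-alerts.log}"

# Resolve a module name to its .ko file for the running kernel.
module_path() {
    modinfo -n "$1" 2>/dev/null
}

# Return 0 if the file embeds the marker. grep -a treats the ELF file as text.
module_has_marker() {
    [ -r "$1" ] && grep -a -q -- "$MODULE_MARKER" "$1"
}

alert() {
    printf '%s ALERT modprobe module=%s path=%s uid=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$(id -u)" >> "$ALERT_LOG"
}

# vet_module NAME PATH -> 0 to allow the load, 1 (plus an alert) to refuse it.
vet_module() {
    if module_has_marker "$2"; then
        return 0
    fi
    alert "$1" "${2:-unresolved}"
    return 1
}

guarded_modprobe() {
    for arg in "$@"; do
        case "$arg" in
            -*|*=*) continue ;;     # options (-r, -v) and module parameters
        esac
        vet_module "$arg" "$(module_path "$arg")" || {
            echo "modprobe: refusing to load '$arg' (no marker, alert raised)" >&2
            exit 1
        }
    done
    exec "$REAL_MODPROBE" "$@"
}

if [ "$(basename "$0")" = modprobe ]; then
    guarded_modprobe "$@"
fi
```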

  • Backdoor your own utilities: Break all the things!

    ... and then alias all the things in the user prefs of legit admins.

  • Backdoor your own utilities: One app to rule them all! (aka: "the initramfs trick")

  • Methods: Get full crash dumps

    https://support.microsoft.com/en-us/help/927069/how-to-generate-a-complete-crash-dump-file-or-a-kernel-crash-dump-file

  • Methods: Rename the PowerShell exe (just like the bash trick but for Windows)

  • Methods: Over-the-shoulder transcription

    https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/

  • Methods: Hook OpenProcess() to look for well-targeted applications

    Notepad, Calc, Explorer

  • Methods: Backdoor regedit

    Who's using it and why? What is being edited? (key on specific reg keys like AppInit_DLLs, etc.)

  • Methods: Auto pe-sieve dll

    @hasherezade

  • Methods: Fake SMB

  • Methods: Little Snitch / Micro Snitch (or LuLu if ya have to)

    https://github.com/kai5263499/osx-security-awesome#hardening

  • Methods: ... misc

    Open SMB share that nobody has a reason to access (hint, Metasploit SMB link :))

  • Canary users

  • "Honey tokens"

    Fake AWS tokens

    Fake GitHub accounts with poisoned source and/or credz

    Browser-automated phishing "clickers" (bonus points for fake 2FA)

  • Security by obscurity

    Randomly generate "deny" messages in robots.txt
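One reading of the robots.txt trick above, written for this page and not part of the talk: the generated Disallow lines point at paths that exist nowhere on the site, so a crawler that honours robots.txt never requests them, and any hit on one in the access log is worth a look. The path prefix and the combined log format (request path in field 7) are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk. Generates robots.txt "deny" entries for
# random, never-existing paths and then flags clients that asked for them.
# Assumes an Apache/nginx "combined" access log, where field 7 is the path.

# gen_honey_paths N -> N random paths, one per line; "/admin-" is an
# assumed, attention-grabbing prefix.
gen_honey_paths() {
    n="$1"; i=0
    while [ "$i" -lt "$n" ]; do
        tok="$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
        echo "/admin-$tok/"
        i=$((i + 1))
    done
}

# write_robots < paths -> robots.txt text that "denies" each path.
write_robots() {
    echo "User-agent: *"
    while IFS= read -r p; do
        echo "Disallow: $p"
    done
}

# find_honey_hits PATHS_FILE ACCESS_LOG -> "client path" for every request
# whose path starts with one of the honey paths (first file is read into
# the honey[] set, the log is then scanned line by line).
find_honey_hits() {
    awk 'NR == FNR { honey[$1] = 1; next }
         { for (h in honey) if (index($7, h) == 1) { print $1, $7; break } }' \
        "$1" "$2"
}
```

Regenerate the list on a schedule and keep the old lists around: a client that still requests last month's paths copied robots.txt rather than crawling it.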

  • Security by obscurity

    TCP/redirect + stuff you actually use + mandatory time delay == VERY frustrated attackers

  • Security by obscurity: Make bad actors think you're hunting them!

    Step 1: Go get some "blacklists"
    Step 2: Write some "software" that gathers information about a host....
    Step 3: Build some honey hosts on 1 or 2 DMZs in your IP space that look like the systems you "found"
    Step 4: Go back to the "bad person" forum and say "Hey! I found some more, add these blocks!"

  • Security by obscurity: Make bad actors think you're hunting them!

    1. Register (fbi|cia|fsb|nsa)..com
    2. Skin it with a web-based honey pot that looks like a lawful interception portal

  • "Hack-back" tricks

    PasswordBackup.autoexec.zip

    BeEF hooks in "honey" web app accounts

    Solicit shells in your own org...

    Distribute disinformation about your org...

  • Why buy the cow when you can have the milk for free?

    VirtualBox + VirusTotal + https://github.com/elazarl/goproxy = DIY FireEye :)

    ELK + (LVM * Dropbox) = FTW!!!

    https://www.reddit.com/r/Splunk/comments/2jwiso/10g_free_splunk_dev_license/

    Appscan is written in .NET.... :)
