Table of Contents

Introduction xvii

Chapter 1 Fulfilling Pre-ATT&CK Objectives 1

Active Scanning 2

Scanning Networks with scapy 2

Implementing a SYN Scan in scapy 4

Performing a DNS Scan in scapy 5

Running the Code 5

Network Scanning for Defenders 6

Monitoring Traffic with scapy 7

Building Deceptive Responses 8

Running the Code 9

Search Open Technical Databases 9

Offensive DNS Exploration 10

Searching DNS Records 11

Performing a DNS Lookup 12

Reverse DNS Lookup 12

Running the Code 13

DNS Exploration for Defenders 13

Handling DNS Requests 15

Building a DNS Response 15

Running the Code 16

Summary 17

Suggested Exercises 17

Chapter 2 Gaining Initial Access 19

Valid Accounts 20

Discovering Default Accounts 20

Accessing a List of Default Credentials 21

Starting SSH Connections in Python 22

Performing Telnet Queries in Python 23

Running the Code 24

Account Monitoring for Defenders 24

Introduction to Windows Event Logs 25

Accessing Event Logs in Python 28

Detecting Failed Logon Attempts 28

Identifying Unauthorized Access to Default Accounts 30

Running the Code 30

Replication Through Removable Media 31

Exploiting Autorun 31

Converting Python Scripts to Windows Executables 32

Generating an Autorun File 33

Setting Up the Removable Media 34

Running the Code 34

Detecting Autorun Scripts 34

Identifying Removable Drives 35

Finding Autorun Scripts 36

Detecting Autorun Processes 36

Running the Code 36

Summary 37

Suggested Exercises 37

Chapter 3 Achieving Code Execution 39

Windows Management Instrumentation 40

Executing Code with WMI 40

Creating Processes with WMI 41

Launching Processes with PowerShell 41

Running the Code 42

WMI Event Monitoring for Defenders 42

WMI in Windows Event Logs 43

Accessing WMI Event Logs in Python 45

Processing Event Log XML Data 45

Running the Code 46

Scheduled Task/Job 47

Scheduling Malicious Tasks 47

Checking for Scheduled Tasks 48

Scheduling a Malicious Task 48

Running the Code 49

Task Scheduling for Defenders 50

Querying Scheduled Tasks 51

Identifying Suspicious Tasks 52

Running the Code 52

Summary 53

Suggested Exercises 53

Chapter 4 Maintaining Persistence 55

Boot or Logon Autostart Execution 56

Exploiting Registry Autorun 56

The Windows Registry and Autorun Keys 57

Modifying Autorun Keys with Python 60

Running the Code 61

Registry Monitoring for Defenders 62

Querying Windows Registry Keys 63

Searching the HKU Hive 64

Running the Code 64

Hijack Execution Flow 65

Modifying the Windows Path 65

Accessing the Windows Path 66

Modifying the Path 67

Running the Code 68

Path Management for Defenders 69

Detecting Path Modification via Timestamps 69

Enabling Audit Events 71

Monitoring Audit Logs 73

Running the Code 75

Summary 76

Suggested Exercises 76

Chapter 5 Performing Privilege Escalation 77

Boot or Logon Initialization Scripts 78

Creating Malicious Logon Scripts 78

Achieving Privilege Escalation with Logon Scripts 79

Creating a Logon Script 79

Running the Code 79

Searching for Logon Scripts 80

Identifying Autorun Keys 81

Running the Code 81

Hijack Execution Flow 81

Injecting Malicious Python Libraries 82

How Python Finds Libraries 82

Creating a Python Library 83

Running the Code 83

Detecting Suspicious Python Libraries 83

Identifying Imports 85

Detecting Duplicates 85

Running the Code 86

Summary 86

Suggested Exercises 87

Chapter 6 Evading Defenses 89

Impair Defenses 90

Disabling Antivirus 90

Disabling Antivirus Autorun 90

Terminating Processes 93

Creating Decoy Antivirus Processes 94

Catching Signals 95

Running the Code 95

Hide Artifacts 95

Concealing Files in Alternate Data Streams 96

Exploring Alternate Data Streams 96

Alternate Data Streams in Python 97

Running the Code 98

Detecting Alternate Data Streams 98

Walking a Directory with Python 99

Using PowerShell to Detect ADS 100

Parsing PowerShell Output 101

Running the Code 102

Summary 102

Suggested Exercises 103

Chapter 7 Accessing Credentials 105

Credentials from Password Stores 106

Dumping Credentials from Web Browsers 106

Accessing the Chrome Master Key 108

Querying the Chrome Login Data Database 108

Parsing Output and Decrypting Passwords 109

Running the Code 109

Monitoring Chrome Passwords 110

Enabling File Auditing 110

Detecting Local State Access Attempts 111

Running the Code 113

Network Sniffing 114

Sniffing Passwords with scapy 114

Port-Based Protocol Identification 116

Sniffing FTP Passwords 116

Extracting SMTP Passwords 117

Tracking Telnet Authentication State 119

Running the Code 121

Creating Deceptive Network Connections 121

Creating Decoy Connections 122

Running the Code 122

Summary 123

Suggested Exercises 123

Chapter 8 Performing Discovery 125

Account Discovery 126

Collecting User Account Data 126

Identifying Administrator Accounts 127

Collecting User Account Information 128

Accessing Windows Password Policies 128

Running the Code 129

Monitoring User Accounts 130

Monitoring Last Login Times 130

Monitoring Administrator Login Attempts 131

Running the Code 132

File and Directory Discovery 133

Identifying Valuable Files and Folders 133

Regular Expressions for Data Discovery 135

Parsing Different File Formats 135

Running the Code 136

Creating Honeypot Files and Folders 136

Monitoring Decoy Content 136

Creating the Decoy Content 137

Running the Code 138

Summary 138

Suggested Exercises 139

Chapter 9 Moving Laterally 141

Remote Services 142

Exploiting Windows Admin Shares 142

Enabling Full Access to Administrative Shares 143

Transferring Files via Administrative Shares 144

Executing Commands on Administrative Shares 144

Running the Code 144

Admin Share Management for Defenders 145

Monitoring File Operations 146

Detecting Authentication Attempts 147

Running the Code 148

Use Alternative Authentication Material 148

Collecting Web Session Cookies 149

Accessing Web Session Cookies 150

Running the Code 150

Creating Deceptive Web Session Cookies 151

Creating Decoy Cookies 151

Monitoring Decoy Cookie Usage 153

Running the Code 153

Summary 154

Suggested Exercises 155

Chapter 10 Collecting Intelligence 157

Clipboard Data 158

Collecting Data from the Clipboard 158

Accessing the Windows Clipboard 159

Replacing Clipboard Data 159

Running the Code 160

Clipboard Management for Defenders 160

Monitoring the Clipboard 161

Processing Clipboard Messages 161

Identifying the Clipboard Owner 161

Running the Code 162

Email Collection 162

Collecting Local Email Data 162

Accessing Local Email Caches 163

Running the Code 163

Protecting Against Email Collection 164

Identifying Email Caches 165

Searching Archive Files 165

Running the Code 166

Summary 166

Suggested Exercises 166

Chapter 11 Implementing Command and Control 169

Encrypted Channel 170

Command and Control Over Encrypted Channels 170

Encrypted Channel Client 171

Encrypted Channel Server 172

Running the Code 173

Detecting Encrypted C2 Channels 174

Performing Entropy Calculations 175

Detecting Encrypted Traffic 175

Running the Code 176

Protocol Tunneling 176

Command and Control via Protocol Tunneling 176

Protocol Tunneling Client 177

Protocol Tunneling Server 177

Running the Code 179

Detecting Protocol Tunneling 179

Extracting Field Data 181

Identifying Encoded Data 181

Running the Code 181

Summary 182

Suggested Exercises 182

Chapter 12 Exfiltrating Data 183

Alternative Protocols 184

Data Exfiltration Over Alternative Protocols 184

Alternative Protocol Client 185

Alternative Protocol Server 186

Running the Code 188

Detecting Alternative Protocols 189

Detecting Embedded Data 190

Running the Code 191

Non-Application Layer Protocols 191

Data Exfiltration via Non-Application Layer Protocols 192

Non-Application Layer Client 193

Non-Application Layer Server 193

Running the Code 194

Detecting Non-Application Layer Exfiltration 195

Identifying Anomalous Type and Code Values 196

Running the Code 196

Summary 197

Suggested Exercises 197

Chapter 13 Achieving Impact 199

Data Encrypted for Impact 200

Encrypting Data for Impact 200

Identifying Files to Encrypt 201

Encrypting and Decrypting Files 202

Running the Code 202

Detecting File Encryption 203

Finding Files of Interest 204

Calculating File Entropies 204

Running the Code 205

Account Access Removal 205

Removing Access to User Accounts 205

Changing Windows Passwords 207

Changing Linux Passwords 207

Running the Code 207

Detecting Account Access Removal 208

Detecting Password Changes in Windows 209

Detecting Password Changes in Linux 210

Running the Code 211

Summary 211

Suggested Exercises 212

Index 213

Python for Cybersecurity

Paperback / softback by Howard E. Poston

Publisher: John Wiley & Sons Inc
Publication Date: 05/05/2022
ISBN13: 9781119850649
ISBN10: 1119850649