Adversarial Tradecraft Cyber Security

JayHill
4 min readNov 19, 2021

--

https://read.amazon.com/kp/embed?asin=B0957LV496&preview=newtab&linkCode=kpe&ref_=cm_sw_r_kb_dp_S6W6J2F18WG198ZEABTZ

I had the opportunity to read Adversarial Tradecraft in cyber security who is written by Dan Borges. The author of the book is a friend and also a security researcher and defcon vet. The opening of the book sets the stage for the reader. By going into details about the scope of security as it is today and then starts to dive into game theory introducing and setting stage for what can be described as cyber warfare or computer war games.

Elements of cyber security and blue team vs red teaming theories are talked about through out the book. The author helps readers grasp how offense and defense intersect and interact with one another. I’ve listed some of the key concepts/repos talked about below feel free to read and view the links . I’ve also listed a link to Dan’s book to purchase above as well as at the end of this write up. Thanks for taking the time to read.

Nash equilibrium in Game theory

https://web.archive.org/web/20100610071152/http://www.ewp.rpi.edu/hartford/~stoddj/BE/IntroGameT.htm

Trying different attacks with Microsoft ATA (advanced threat analytics)

https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

  • Abnormal modification of sensitive groups
  • Broken trust between computers and domains
  • Bruteforce attack using LDAP simple bind
  • Encryption downgrade activity

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Encyption downgrade activity attacks a weekend Kerberos

Microsoft mentions 3 detection types:

Skeleton Key: (is malware that runs on domain controllers and allows authentication to the domain with any account without knowing its password. This malware often uses weaker encryption algorithms to hash the user’s passwords on the domain controller. In this detection, the encryption method of the KRB_ERR message from the domain controller to the account asking for a ticket was downgraded compared to the previously learned behavior)

Golden Ticket ( the encryption method of the TGT field of TGS_REQ (service request) message from the source computer was downgraded compared to the previously learned behavior. This isn’t based on a time anomaly (as in the other Golden Ticket detection). In addition, there was no Kerberos authentication request associated with the previous service request detected by ATA.)

Overpass-the-hash: An attacker can use a weak stolen hash in order to create a strong ticket, with a Kerberos AS request. In this detection, the AS_REQ message encryption type from the source computer was downgraded compared to the previously learned behavior (that is, the computer was using AES).

Bloodhound

https://bloodhound.readthedocs.io/en/latest/index.html

www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. As of version 4.0, BloodHound now also supports Azure. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

What is defense in depth

https://www.forcepoint.com/cyber-edu/defense-depth

Attack trees

https://en.wikipedia.org/wiki/Attack_tree

are conceptual diagrams showing how an asset, or target, might be attacked. Attack trees have been used in a variety of applications. In the field of information technology, they have been used to describe threats on computer systems and possible attacks to realize those threats. However, their use is not restricted to the analysis of conventional information systems. They are widely used ement of the National Security Agency in the initial development.

Attack tree and kill chain approach in cloud computing and Protection of Digital Services

Network Reconnaissance

https://attack.mitre.org/tactics/TA0043/

The adversary is trying to gather information they can use to plan future operations.

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.

Mitre Enterprise Attack Matrix

https://attack.mitre.org/matrices/enterprise/

Raphael Mudd’s Dirty Readteaming tactics https://www.youtube.com/watch?v=oclbbqvawQg

Chris Nickerson and Read Teaming and Threat Emulation

https://www.youtube.com/watch?v=oclbbqvawQg

D: FIN& Leveraging Shim Database for Persistence

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

Bluespawn

Helps blue teams monitor systems in real-time against active attackers by detecting against active attackers by detecting anomalous activity

Bluespawn is an active defense and end point detection and response tool which means it can be used by defenders to quickly detect, identify and eliminate malicious activity and malware across a network.

https://github.com/ION28/BLUESPAWN

Computational Security Princeton Course

https://www.cs.princeton.edu/courses/archive/fall07/cos433/lec3.pdf

A look into Cyber Operations Fire-eye analysis of APT28, APT28

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

CrowdStrole CTO Explain “Breakout Time” A critical Metric in topping Breaches:

https://www.crowdstrike.com/blog/first-ever-adversary-ranking-in-2019-global-threat-report-highlights-the-importance-of-speed/

Adversarial Tradecraft and the Importance of Speed

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf

OTHER INTERESTING LINKS

FREE Malware ANALYSIS SCANNER

https://www.hybrid-analysis.com/

https://github.com/BishopFox/sliver

https://github.com/jmmcatee/cracklord/fork

https://github.com/digininja/CeWL/fork

https://fatrodzianko.com/2020/05/11/covenant-c2-infrastructure-with-azure-domain-fronting/

https://github.com/burrowers/garble/fork

https://github.com/burrowers/garble/fork

https://www.thec2matrix.com/matrix

https://en.wikipedia.org/wiki/EternalBlue

https://jeffmcjunkin.wordpress.com/2018/11/05/masscan/

https://github.com/sqlmapproject/sqlmap

https://taipansec.com/index

https://portswigger.net/burp

https://github.com/BC-SECURITY/Empire

https://www.cobaltstrike.com/

https://github.com/BloodHoundAD/BloodHound

https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

https://docs.rapid7.com/metasploit/resource-scripts/

https://github.com/greenbone/openvas-scanner

https://github.com/vulnersCom/nmap-vulners

https://github.com/rackerlabs/scantron

https://www.darkoperator.com/blog/2015/11/2/are-we-measuring-blue-and-red-right

https://www.youtube.com/watch?v=M-ty0o8dQU8

https://www.upguard.com/blog/cybersecurity-metrics

https://github.com/mari0d/PFM

https://github.com/gchq/CyberChef

https://www.joesecurity.org/joe-sandbox-reports#windows-evasive

https://www.virustotal.com/gui/home/upload

Free malware analysis scanner

https://www.sleuthkit.org/

Used to scan computers and phones,

Is also an open source project

https://attack.mitre.org/techniques/T1577/

Thanks for following and reading here is a link to purchase the book if interested.

--

--

JayHill
JayHill

Written by JayHill

Information Security Research 🧿💻

No responses yet