
The Keyboard Sherlock Holmes' Scripture of Seeing the Unseen (鍵盤福爾摩斯的觀落陰真經)

jack chou
January 27, 2019



Transcript

  1. Definition
     Only pre-installed software is used by the attacker, and no additional binary executables are installed onto the system. Attackers are using what's already available to attack you.
     • Fewer new files on disk → the attack is more difficult to detect
     • Use of off-the-shelf tools & cloud services → intent & source are difficult to determine
     • These tools are ubiquitous → hide in plain sight
     • Finding exploitable zero-day vulnerabilities is getting more difficult → use simple and proven methods such as email & social engineering
  2. References
     • https://liberty-shell.com/sec/2018/10/20/living-off-the-land/
     • http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-01-lolbins-nothing-to-lol-about-oddvar-moe
     • https://www.slideshare.net/OddvarHlandMoe/lolbins-nothing-to-lol-about
     • Living Off the Land: A Minimalist's Guide to Windows Post-Exploitation – BsidesAugusta 9/14/2013 with Matt Graeber (http://obscuresecurity.blogspot.com/p/presentation-slides.html)
     • http://www.hexacorn.com/blog/category/living-off-the-land/
     • https://blog.barkly.com/what-are-lolbins-living-off-the-land-binaries
     • https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
  3. Pain points of enterprise security defenses
     • WAF
       • Once bypassed, a webshell gets implanted
     • Antivirus
       • Signature-based detection is easily bypassed
     • Firewall
       • Backdoors riding on common services can bypass it
     • IPS or APT gateway
       • Lateral movement inside the internal network is hard to pinpoint
     • SOC
       • Pinpointing a threat takes more stages
  4. What enterprise security defenses should aim for: types of indicators
     • Tactics, Techniques and Procedures (TTPs)
     • Tools
     • Network artifacts / host artifacts
     • Domain names
     • IP addresses
     • Hash values
  5. List of Adversary Emulation Tools
     • https://github.com/mitre/caldera
     • https://github.com/MotiBa/Invoke-Adversary
     • https://github.com/endgameinc/RTA
     • https://github.com/uber-common/metta
     • https://github.com/redhuntlabs/RedHunt-OS
     • https://github.com/NextronSystems/APTSimulator
     • https://github.com/guardicore/monkey
     • https://github.com/alphasoc/flightsim
     • https://github.com/redcanaryco/atomic-red-team
     • https://github.com/jymcheong/AutoTTP
     • https://github.com/mubix/post-exploitation
  6. More Red Team Tips
     • Vysecurity one-page Red Team Tips
       • https://vincentyiu.co.uk/red-team-tips/
     • 3gstudent/Pentest-and-Development-Tips
       • https://github.com/3gstudent/Pentest-and-Development-Tips
     • DDHS Red Team Tips
       • https://docs.google.com/document/d/1j4VQZ1LNXzCJuEx1WBMT5iu8jBgj4TpI7DJQV6O6myY/edit?usp=sharing