My DEF CON @VillageRedTeam talk is up on YouTube:

Please watch and share your feedback. It's a compilation of research that's been published by very smart people along with my approach on tackling certain "modern" Red Team Operator problems.
I start with a throwback to the 60's at the peak of the Cold War with a story on how the Lockheed A-12 "Archangel" was kept hidden from Soviet spy satellites.

Has very important lessons for professionals simulating sophisticated adversaries.

Inspired by: https://twitter.com/arekfurt/status/1203881458869379073
Later, I touch upon some implant design considerations by correlating with @subTee's infamous "3 pillars of EDR".

👪 Parent process relationships
🧐 Command-line arguments
🌐 Processes making network connections
We also explore how this is achieved by looking at some proof-of-concept code published by @_xpn_ for evading the first two "pillars".

Next, we look at @armitagehacker's implementation of the "blockdlls" feature and how we can achieve this for our own implant.
Knowing your toolkit and what evidence each action leaves behind is the mark of sophistication every Red Team Operator should aspire towards.

Inspired by @armitagehacker's post-exploitation video from the Red Team Operations series: https://www.youtube.com/playlist?list=PL9HO6M_MU2nfQ4kHSCzAQMqxQxH47d1no
It's also important that we talk about how not to get caught while using certain time-tested favourites such as Kerberoasting.

Go read @DebugPrivilege's amazing blog on Hunting TTPs: https://getshitsecured.com/2020/05/15/hunting-ttps-with-azure-sentinel/
Last but not least, some unsolicited advice on how to be a better Red Team Operator in 2020.

Essential reading/viewing:

🔟 @domchell's What I Learned in a Decade of Red Teaming: https://medium.com/@dmchell/what-ive-learned-in-over-a-decade-of-red-teaming-5c0b685c67a2

đŸ§‘â€đŸ’» @joehowwolf's Red Teaming in an EDR Age:
Thank you all for bearing through my nerd-ing out on something I'm passionate about.

Here's a potato.
You can follow @sajal_thomas.