Index

A

administrative controls

hijacking 162, 163

adversarial theory 2, 3

anomaly detection 42

anonymity networks 201

custom private anonymity networks 202, 203, 204, 205

public networks 201

Antimalware Scan Interface (AMSI) 82

attack and defense competitions 12

attacker infrastructure, defensive perspective

hunting 174

attackers

distracting 138, 139, 140

manipulating 136, 137, 138

tricking 140, 141, 142, 143

attacker techniques

preparing 89, 90, 91

attacker tools, defensive perspective

hunting 174

attack trees 6

authentication 4

authorization 4, 33

AutoBlue-MS17-010

reference link 79

B

backdoored executables

detecting 117, 118

Back Door Factory (BDF) 102

Bash history

clearing 151

Bind9 112

BORG 205

C

C2 detection 111

DNS C2 detection 112

ICMP C2 detection 111

capture the flag (CTF) 12

chattr 170

chroot 171

CIAAAN 3, 4

attributes 3

Cisco�s Umbrella DNS 112

Collaborative Research Into Threats (CRITS) 49

Collegiate Cyber Defense Competition (CCDC) 13

command and control (C2) 3, 57

computer conflict

principles 6, 7, 8

computer conflict, principles

offense, versus defence 8, 9, 10, 11, 12, 13, 14, 15

principle, of deception 15, 16, 17

principle, of humanity 19, 20

principle, of physical access 17, 18, 19

principles, of economy 20, 21

principles, of innovation 24, 25

principles, of planning 21, 22, 23

principles, of time 25, 26, 27

computer network attack (CNA) 8

computer network defense (CND) 8

computer network operations (CNO) 8

confidentiality 3, 33

confidentiality, integrity, availability, authentication, authorization, and non-repudiation (CIAAAN) 17

connections, defensive perspective 164

IPs, banning 165, 166

killing 165, 166

continuous integration and continuous development (CI/CD) 80

ControlMaster 161

covert C2 60

covert command and control channels 103, 104

DNS C2 106, 107

domain fronting 107, 108

ICMP C2 105

credentials, defensive perspective

rotating 168, 169, 170

cyber conflict solutions

considerations 32

defensive perspective 40, 41

offensive perspective 55, 56

cyber conflict solutions, considerations

communications 32, 33, 34

expertise 36, 37

long-term planning 34, 35

operational planning 37, 38, 39

cyber conflict solutions, defensive perspective

analysis tooling 52, 53, 54, 55

data management 46, 47, 48, 49, 50, 51, 52

defensive KPIs 55

signal collection 41, 42, 43, 44, 45, 46

cyber conflict solutions, offensive perspective

auxiliary tooling 61, 62

exploitation 56, 57, 58

offensive KPIs 62

payload development 59, 60

scanning 56, 57, 58

D

Danderspritz framework 127

data integrity 133, 134

data verification 133, 134

dead disk forensics 72, 73, 74

deception

principles of 15, 16, 17

DEEPCE (Docker Enumeration, Escalation of Privileges and Container Escapes) 152

defence

versus offense 8

defense in depth 6, 40

defensive perspective 110, 133, 163, 188

about 208

application research 191, 192

attribution 193

C2 detection 111

credentials, rotating 168, 169, 170

data analyze 192, 193

data log 192, 193

forward looking activities 213

hacking back 173

honey tricks 118

operating system 191, 192

permissions, restricting 170

persistence detection 116

post-mortem analysis, for reviewing incident 213

remediation effort 212

responding, to intrusion 208, 209, 210, 211

results, publishing 214

threat modeling 189, 190

tool exploitation 189

DLL search order hijacking 101, 102

detecting 117

DNS analysis 115, 116

DNS C2 detection, defensive perspective 112

DNS analysis 115, 116

DNS insight, with Sysmon 113, 114

network, monitoring 114, 115

Windows centralized DNS 112, 113

DNS C2, offensive perspective 106, 107

DNSFilter 112

DNS insight

with Sysmon 113, 114

DNS over HTTPS (DoH) 106

dnstap 112

Docker

abusing 152

dockerrootplease

reference link 152

domain fronting 60, 107, 108

dominant moves 4

E

economy

principles of 20, 21

endpoint detection and response (EDR) 89

Endpoint Detection and Response (EDR) 42

Enterprise Key Management (EKM) 34

EventCleaner 127

executable file infection 102, 103

exfiltration 199

anonymity networks 201

protocol tunneling 199

steganography 200

F

files

searching, for secrets 156

flailing 128

G

game theory (GT) 4, 5, 6

gaming the game 180

gloves-off techniques 14

GoRedLoot (GRL) 156

GoRedSpy 155

GRID 204

H

honeypots 120

honey tokens 119

honey tricks 119

humanity

principles of 19, 20

hunting 42

I

ICMP C2 detection, defensive perspective 111

ICMP C2, offensive perspective 105

icmpdoor tool 105

image memory 86

incident response (IR) 18

in-memory operations 79, 80, 81, 82, 83, 84, 85

innovation

principles of 24, 25

integrity 3

invisible defense 91, 92

K

kernel-level rootkits 131

keylogging 152, 154

Key Management Service (KMS) 34

Key Performance Indicators (KPIs) 38

kill chains 6

kmatryoshka loader 132

L

LaBrea tarpit application 139

Lightweight Directory Access Protocol (LDAP) 5

Linikatz 155

live forensics 18

live response 42

LKM rootkits 132

Loadable Kernel Module (LKM) 131

Local-Link Multicast Name Resolution (LLMNR) 119

logs

clearing 126, 127, 128, 129

log-session

reference link 153

LOLbins 100, 101

M

Metasploit Framework (MSF) 77

Mimikatz 155, 156

MimiPenguin 156

mutual Transport Layer Security (mTLS) 81

N

namespaces

using 171

network

monitoring 114, 115

network quarantine, defensive perspective 166, 167

non-repudiation 4

NsJail 172

O

offense

versus defence 8

offensive perspective 99, 126, 148, 149

about 198

covert command and control channels 103, 104

exfiltration 199

hybrid approach 130, 131

logs, clearing 126, 127, 128, 129

memory corruption, techniques 181, 182, 183

operational information, gleaning 152

operation, end condition 206

persistence options 99

pivoting 160

pivoting technique, creating 185, 187, 188

reconnaissance and research, performing 181

research and prep, targeting 183, 184

situational awareness 149, 150

target exploitation 184

offensive techniques

combining 108, 109, 110

operational information, offensive perspective

files, searching for secrets 156

gleaning 152

keylogging 152, 154

passwords, getting 155, 156

password utilities, backdooring 157

screenshot, taking 154

operation, end conditions

program security, versus operational security 206

public infrastructure, taking down 206

retiring and replacing techniques 207

rotating offensive tools 207

rotating offensive tools 207

P

PAM modules 158, 159

password utilities

backdooring 157

permissions, defensive perspective

chattr 170

chroot 171

machine, shutting down 173

namespaces, using 171

restricting 170

users, controlling 172

persistence detection 116

backdoored executables, detecting 117, 118

DLL search order hijacking, detecting 117

persistence options 99

DLL search order hijacking 101, 102

executable file infection 102, 103

LOLbins 100, 101

physical access

principles of 17, 18, 19

physical security principles

Deceive 133

Defend 133

Delay 133

Deny 133

Detect 133

Deter 133

pivoting, offensive perspective 160

administrative controls, hijacking 162, 163

RDP, hijacking 162

SSH agent, hijacking 160, 161

SSH control master, hijacking 161

planning

principles of 21, 22, 23

Portspoof 174

Principle of Deception 75

principle of humanity 186

principle of innovation 185, 208

principle of planning (PPP) 182

principle of time 185

Prism 105

private memory 86

processdecloak 135

processes, defensive perspective 164

malicious processes, killing 165

process injection 72, 73, 74, 75, 76, 77, 78

detecting 86, 87, 88, 89

program security

versus operational security 206

Program Security 39

Pros V Joes (PvJ) 13

pspy 150

Pure Funky Magic (PFM) 54

purple teaming 10

R

RDP

hijacking 162

reaction correspondence 5

Read, eXecute (RX) 87

Read, Write, eXecute (RWX) 87

Reptile 132

rkhunter 135

root cause analysis, defensive perspective 165

Root Cause Analysis (RCA) 39, 42

rootkits 131

detecting 134, 135, 136

rootsh 154

S

Seatbelt 149, 150

Security Information and Event Management (SIEM) 46

Security Orchestration 47

Security Orchestration, Automation, and Response (SOAR) 47

situational awareness, offensive perspective 149, 150

Bash history, clearing 151

Docker, abusing 152

operational security tricks 150, 151

SSH agent

hijacking 160, 161

SSH Agent Forwarding 160

SSH control master

hijacking 161

T

the cloud 7

Threat Alert Logic Repository (TALR) 48

time

principles of 25, 26, 27

U

unhide tool 135

User Behavior Analytics (UBA) 47

userland rootkits 131

users

controlling 172

users, defensive perspective 164

V

Virtual Address Descriptors (VAD) 87

W

Windows centralized DNS 112, 113

Windows Lockdown Policy (WLDP) 82

Windows, position-independent shellcode

reference link 78

WireTap 154