Index
A
administrative controls
anomaly detection 42
anonymity networks 201
custom private anonymity networks 202, 203, 204, 205
public networks 201
Antimalware Scan Interface (AMSI) 82
attack and defense competitions 12
attacker infrastructure, defensive perspective
hunting 174
attackers
attacker techniques
attacker tools, defensive perspective
hunting 174
attack trees 6
authentication 4
AutoBlue-MS17-010
reference link 79
B
backdoored executables
Back Door Factory (BDF) 102
Bash history
clearing 151
Bind9 112
BORG 205
C
C2 detection 111
DNS C2 detection 112
ICMP C2 detection 111
capture the flag (CTF) 12
chattr 170
chroot 171
attributes 3
Cisco's Umbrella DNS 112
Collaborative Research Into Threats (CRITS) 49
Collegiate Cyber Defense Competition (CCDC) 13
command and control (C2) 3, 57
computer conflict
computer conflict, principles
offense, versus defence 8, 9, 10, 11, 12, 13, 14, 15
principle, of deception 15, 16, 17
principle, of physical access 17, 18, 19
principles, of innovation 24, 25
principles, of planning 21, 22, 23
principles, of time 25, 26, 27
computer network attack (CNA) 8
computer network defense (CND) 8
computer network operations (CNO) 8
confidentiality, integrity, availability, authentication, authorization, and non-repudiation (CIAAAN) 17
connections, defensive perspective 164
continuous integration and continuous development (CI/CD) 80
ControlMaster 161
covert C2 60
covert command and control channels 103, 104
ICMP C2 105
credentials, defensive perspective
cyber conflict solutions
considerations 32
cyber conflict solutions, considerations
operational planning 37, 38, 39
cyber conflict solutions, defensive perspective
analysis tooling 52, 53, 54, 55
data management 46, 47, 48, 49, 50, 51, 52
defensive KPIs 55
signal collection 41, 42, 43, 44, 45, 46
cyber conflict solutions, offensive perspective
offensive KPIs 62
D
Danderspritz framework 127
dead disk forensics 72, 73, 74
deception
DEEPCE (Docker Enumeration, Escalation of Privileges and Container Escapes) 152
defence
versus offense 8
defensive perspective 110, 133, 163, 188
about 208
attribution 193
C2 detection 111
credentials, rotating 168, 169, 170
forward looking activities 213
hacking back 173
honey tricks 118
permissions, restricting 170
persistence detection 116
post-mortem analysis, for reviewing incident 213
remediation effort 212
responding, to intrusion 208, 209, 210, 211
results, publishing 214
tool exploitation 189
DLL search order hijacking 101, 102
detecting 117
DNS C2 detection, defensive perspective 112
DNS insight, with Sysmon 113, 114
Windows centralized DNS 112, 113
DNS C2, offensive perspective 106, 107
DNSFilter 112
DNS insight
DNS over HTTPS (DoH) 106
dnstap 112
Docker
abusing 152
dockerrootplease
reference link 152
dominant moves 4
E
economy
endpoint detection and response (EDR) 89
Endpoint Detection and Response (EDR) 42
Enterprise Key Management (EKM) 34
EventCleaner 127
executable file infection 102, 103
exfiltration 199
anonymity networks 201
protocol tunneling 199
steganography 200
F
files
searching, for secrets 156
flailing 128
G
gaming the game 180
gloves-off techniques 14
GoRedLoot (GRL) 156
GoRedSpy 155
GRID 204
H
honeypots 120
honey tokens 119
honey tricks 119
humanity
hunting 42
I
ICMP C2 detection, defensive perspective 111
ICMP C2, offensive perspective 105
icmpdoor tool 105
image memory 86
incident response (IR) 18
in-memory operations 79, 80, 81, 82, 83, 84, 85
innovation
integrity 3
K
kernel-level rootkits 131
Key Management Service (KMS) 34
Key Performance Indicators (KPIs) 38
kill chains 6
kmatryoshka loader 132
L
LaBrea tarpit application 139
Lightweight Directory Access Protocol (LDAP) 5
Linikatz 155
live forensics 18
live response 42
LKM rootkits 132
Loadable Kernel Module (LKM) 131
Link-Local Multicast Name Resolution (LLMNR) 119
logs
log-session
reference link 153
M
Metasploit Framework (MSF) 77
MimiPenguin 156
mutual Transport Layer Security (mTLS) 81
N
namespaces
using 171
network
network quarantine, defensive perspective 166, 167
non-repudiation 4
NsJail 172
O
offense
versus defence 8
offensive perspective 99, 126, 148, 149
about 198
covert command and control channels 103, 104
exfiltration 199
logs, clearing 126, 127, 128, 129
memory corruption, techniques 181, 182, 183
operational information, gleaning 152
operation, end condition 206
persistence options 99
pivoting 160
pivoting technique, creating 185, 187, 188
reconnaissance and research, performing 181
research and prep, targeting 183, 184
situational awareness 149, 150
target exploitation 184
offensive techniques
operational information, offensive perspective
files, searching for secrets 156
gleaning 152
password utilities, backdooring 157
screenshot, taking 154
operation, end conditions
program security, versus operational security 206
public infrastructure, taking down 206
retiring and replacing techniques 207
rotating offensive tools 207
P
password utilities
backdooring 157
permissions, defensive perspective
chattr 170
chroot 171
machine, shutting down 173
namespaces, using 171
restricting 170
users, controlling 172
persistence detection 116
backdoored executables, detecting 117, 118
DLL search order hijacking, detecting 117
persistence options 99
DLL search order hijacking 101, 102
executable file infection 102, 103
physical access
physical security principles
Deceive 133
Defend 133
Delay 133
Deny 133
Detect 133
Deter 133
pivoting, offensive perspective 160
administrative controls, hijacking 162, 163
RDP, hijacking 162
SSH control master, hijacking 161
planning
Portspoof 174
Principle of Deception 75
principle of humanity 186
principle of innovation 185, 208
principle of planning (PPP) 182
principle of time 185
Prism 105
private memory 86
processdecloak 135
processes, defensive perspective 164
malicious processes, killing 165
process injection 72, 73, 74, 75, 76, 77, 78
program security
versus operational security 206
Program Security 39
Pros V Joes (PvJ) 13
pspy 150
Pure Funky Magic (PFM) 54
purple teaming 10
R
RDP
hijacking 162
reaction correspondence 5
Read, eXecute (RX) 87
Read, Write, eXecute (RWX) 87
Reptile 132
rkhunter 135
root cause analysis, defensive perspective 165
Root Cause Analysis (RCA) 39, 42
rootkits 131
rootsh 154
S
Security Information and Event Management (SIEM) 46
Security Orchestration 47
Security Orchestration, Automation, and Response (SOAR) 47
situational awareness, offensive perspective 149, 150
Bash history, clearing 151
Docker, abusing 152
operational security tricks 150, 151
SSH agent
SSH Agent Forwarding 160
SSH control master
hijacking 161
T
the cloud 7
Threat Alert Logic Repository (TALR) 48
time
U
unhide tool 135
User Behavior Analytics (UBA) 47
userland rootkits 131
users
controlling 172
users, defensive perspective 164
V
Virtual Address Descriptors (VAD) 87
W
Windows centralized DNS 112, 113
Windows Lockdown Policy (WLDP) 82
Windows, position-independent shellcode
reference link 78
WireTap 154