Table of Contents

Preface

Section 1: Embracing the Red

Chapter 1: Establishing an Offensive Security Program

Defining the mission – the devil's advocate

Getting leadership support

Convincing leadership with data

Convincing leadership with actions and results

Locating a red team in the organization chart

The road ahead for offensive security

Building a new program from scratch

Inheriting an existing program

People – meeting the red team crew

Penetration testers and why they are so awesome!

Offensive security engineering as a professional discipline

Strategic red teamers

Program management

Attracting and retaining talent

Diversity and inclusion

Morale and team identity

The reputation of the team

Providing different services to the organization

Security reviews and threat modeling support

Security assessments

Red team operations

Purple team operations

Tabletop exercises

Research and development

Predictive attack analysis and incident response support

Additional responsibilities of the offensive program

Security education and training

Increasing the security IQ of the organization

Gathering threat intelligence

Informing risk management groups and leadership

Integrating with engineering processes

I feel like I really know you – understanding the ethical aspects of red teaming

Training and education of the offensive security team

Policies – principles, rules, and standards

Principles to guide and rules to follow

Acting with purpose and being humble

Penetration testing is representative and not comprehensive

Pentesting is not a substitute for functional security testing

Letting pen testers explore

Informing risk management

Rules of engagement

Adjusting rules of engagement for operations

Geographical and jurisdictional areas of operation

Distribution of handout cards

Real versus simulated versus emulated adversaries

Production versus non-production systems

Avoiding becoming a pawn in political games

Standard operating procedure

Leveraging attack plans to track an operation

Mission objective – what are we setting out to achieve or demonstrate?

Stakeholders and their responsibilities

Codenames

Timelines and duration

Understanding the risks of penetration testing and authorization

Kick-off meeting

Deliverables

Notifying stakeholders

Attack plan during execution – tracking progress during an operation

Documenting activities

Wrapping up an operation

Overarching information sharing via dashboards

Contacting the pen test team and requesting services

Modeling the adversary

Understanding external adversaries

Considering insider threats

Motivating factors

Anatomy of a breach

Establishing a beachhead

Achieving the mission objective

Breaching web applications

Weak credentials

Lack of integrity and confidentiality

Cyber Kill Chain® by Lockheed Martin

Anatomy of a cloud service disaster

Modes of execution – surgical or carpet bombing

Surgical

Carpet bombing

Environment and office space

Open office versus closed office space

Securing the physical environment

Assemble the best teams as needed

Focusing on the task at hand

Summary

Questions

Chapter 2: Managing an Offensive Security Team

Understanding the rhythm of the business and planning Red Team operations

Planning cycles

Offsites

Encouraging diverse ideas and avoiding groupthink

Planning operations – focus on objectives

Planning operations – focus on assets

Planning operations – focus on vulnerabilities

Planning operations – focus on attack tactics, techniques, and procedures

Planning operations – focus on STRIDE

Managing and assessing the team

Regular 1:1s

Conveying bad news

Celebrating success and having fun

Management by walking around

Managing your leadership team

Managing yourself

Handling logistics, meetings, and staying on track

Team meetings

Working remotely

Continuous penetration testing

Continuous resource adjustment

Choosing your battles wisely

Getting support from external vendor companies

Growing as a team

Enabling new hires quickly

Excellence in everything

Offensive security test readiness

Building an attack lab

Leading and inspiring the team

For the best results – let them loose!

Leveraging homefield advantage

Finding a common goal between red, blue, and engineering teams

Getting caught! How to build a bridge

Learning from each other to improve

Threat hunting

Growing the purple team so that it's more effective

Offensive techniques and defensive countermeasures

Surrendering those attack machines!

Active defense, honeypots, and decoys

Protecting the pen tester

Performing continuous end-to-end test validation of the incident response pipeline

Combatting the normalization of deviance

Retaining a healthy adversarial view between red and blue teams

Disrupting the purple team

Summary

Questions

Chapter 3: Measuring an Offensive Security Program

Understanding the illusion of control

The road to maturity

Strategic red teaming across organizations

The risks of operating in cloak-and-dagger mode

Tracking findings and incidents

Repeatability

Automating red teaming activities to help defenders

Protecting information – securing red team findings

Measuring red team persistence over time

Tackling the fog of war

Threats – trees and graphs

Building conceptual graphs manually

Automating discovery and enabling exploration

Defining metrics and KPIs

Tracking the basic internal team commitments

Attack insight dashboards – exploring adversarial metrics

Red team scores

Tracking the severity of findings and measuring risks

Moving beyond ordinal scores

Using mean-time metrics

Experimenting with Monte Carlo simulations

Threat response matrix

Test Maturity Model integration (TMMi®) and red teaming

Level 2: Managed

Level 3: Defined

Level 4: Measured

Level 5: Optimized

Level 6: Illusion of control – the red team strikes back

MITRE ATT&CK™ Matrix

MITRE ATT&CK Navigator

Remembering what red teaming is about

Summary

Questions

Chapter 4: Progressive Red Teaming Operations

Exploring varieties of cyber operational engagements

Cryptocurrency mining

Mining cryptocurrency to demonstrate the financial impact – or when moon?

Red teaming for privacy

Getting started with privacy focused testing

Sending a virtual bill to internal teams

Red teaming the red team

Targeting the blue team

Leveraging the blue team's endpoint protection as C2

Social media and targeted advertising

Targeting telemetry collection to manipulate feature development

Attacking artificial intelligence and machine learning

Operation Vigilante – using the red team to fix things

Emulating real-world advanced persistent threats (APTs)

Performing tabletop exercises

Involving the leadership team in exercises

Summary

Questions

Section 2: Tactics and Techniques

Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases

Understanding attack and knowledge graphs

Graph database basics

Nodes or vertices

Relationships or edges

Properties or values

Labels

Building the homefield graph using Neo4j

Exploring the Neo4j browser

Creating and querying information

Creating a node

Retrieving a node

Creating relationships between nodes

Indexing to improve performance

Deleting an object

Alternative ways to query graph databases

Summary

Questions

Chapter 6: Building a Comprehensive Knowledge Graph

Technical requirements

Case study – the fictional Shadow Bunny corporation

Employees and assets

Building out the graph

Creation of computer nodes

Adding relationships to reflect the administrators of machines

Configuring the query editor to allow multi-statement queries

Who uses which computer?

Mapping out the cloud!

Importing cloud assets

Creating an AWS IAM user

Leveraging AWS client tools to export data

Loading CSV data into the graph database

Loading CSV data and creating nodes and relationships

Grouping data

Adding more data to the knowledge graph

Active Directory

Blue team and IT data sources

Cloud assets

OSINT, threat intel, and vulnerability information

Address books and internal directory systems

Discovering the unknown and port scanning

Augmenting an existing graph or building one from scratch?

Summary

Questions

Chapter 7: Hunting for Credentials

Technical requirements

Clear text credentials and how to find them

Looking for common patterns to identify credentials

Retrieving stored Wi-Fi passwords on Windows

Tooling for automated credential discovery

Leveraging indexing techniques to find credentials

Using Sourcegraph to find secrets more efficiently

Searching for credentials using built-in OS file indexing

Indexing code and documents using Apache Lucene and Scour

Hunting for ciphertext and hashes

Hunting for ciphertext

Hunting for hashes

Summary

Questions

Chapter 8: Advanced Credential Hunting

Technical requirements

Understanding the Pass the Cookie technique

Credentials in process memory

Walkthrough of using ProcDump for Windows

Understanding Mimikittenz

Dumping process memory on Linux

Debugging processes and pivoting on macOS using LLDB

Using Mimikatz offline

Abusing logging and tracing to steal credentials and access tokens

Tracing the WinINet provider

Decrypting TLS traffic using TLS key logging

Searching log files for credentials and access tokens

Looking for sensitive information in command-line arguments

Using Task Manager and WMI on Windows to look at command-line arguments

Windows Credential Manager and macOS Keychain

Understanding and using Windows Credential Manager

Looking at the macOS Keychain

Using optical character recognition to find sensitive information in images

Exploiting the default credentials of local admin accounts

Phishing attacks and credential dialog spoofing

Spoofing a credential prompt using osascript on macOS

Spoofing a credential prompt via zenity on Linux

Spoofing a credential prompt with PowerShell on Windows

Credential dialog spoofing with JavaScript and HTML on the web

Using transparent relay proxies for phishing

Performing password spray attacks

Leveraging PowerShell to perform password spraying

Performing password spraying from macOS or Linux (bash implementation)

Summary

Questions

Chapter 9: Powerful Automation

Technical requirements

Understanding COM automation on Windows

Using COM automation for red teaming purposes

Achieving objectives by automating Microsoft Office

Automating sending emails via Outlook

Automating Microsoft Excel using COM

Searching through Office documents using COM automation

Windows PowerShell scripts for searching Office documents

Automating and remote controlling web browsers as an adversarial technique

Leveraging Internet Explorer during post-exploitation

Automating and remote controlling Google Chrome

Using Chrome remote debugging to spy on users!

Exploring Selenium for browser automation

Exfiltrating information via the browser

Summary

Questions

Chapter 10: Protecting the Pen Tester

Technical requirements

Locking down your machines (shields up)

Limiting the attack surface on Windows

Becoming stealthy on macOS and limiting the attack surface

Configuring the Uncomplicated Firewall on Ubuntu

Locking down SSH access

Considering Bluetooth threats

Keeping an eye on the administrators of your machines

Using a custom hosts file to send unwanted traffic into a sinkhole

Keeping a low profile on Office Delve, GSuites, and Facebook for Work

Securely deleting files and encrypting hard drives

Improving documentation with custom Hacker Shell prompts

Customizing Bash shell prompts

Customizing PowerShell prompts

Improving cmd.exe prompts

Automatically logging commands

Using Terminal multiplexers and exploring shell alternatives

Monitoring and alerting for logins and login attempts

Receiving notifications for logins on Linux by leveraging PAM

Notification alerts for logins on macOS

Alerting for logins on Windows

Summary

Questions

Chapter 11: Traps, Deceptions, and Honeypots

Technical requirements

Actively defending pen testing assets

Understanding and using Windows Audit ACLs

Configuring a file to be audited by Windows using SACLs

Triggering an audit event and changing the Windows Audit Policy

Notifications for file audit events on Windows

Sending notifications via email on Windows

Creating a Scheduled Task to launch the Sentinel monitor

Building a Homefield Sentinel – a basic Windows Service for defending hosts

Installing Visual Studio Community Edition and scaffolding a Windows Service

Adding basic functionality to the scaffold

Adding logging functionality to the service

Leveraging a configuration file to adjust settings

Adding an installer to the service

Uninstalling the Homefield Sentinel service

Monitoring access to honeypot files on Linux

Creating a honeypot RSA key file

Using inotifywait to gain basic information about access to a file

Leveraging auditd to help protect pen test machines

Notifications using event dispatching and custom audisp plugins

Alerting for suspicious file access on macOS

Leveraging fs_usage for quick and simple file access monitoring

Creating a LaunchDaemon to monitor access to decoy files

Observing the audit event stream of OpenBSM

Configuring OpenBSM for auditing read access to decoy files

Summary

Questions

Chapter 12: Blue Team Tactics for the Red Team

Understanding centralized monitoring solutions that blue teams leverage

Using osquery to gain insights and protect pen testing assets

Installing osquery on Ubuntu

Understanding the basics of osquery

Using osquery to monitor access to decoy files

Leveraging Filebeat, Elasticsearch, and Kibana

Running Elasticsearch using Docker

Installing Kibana to analyze log files

Configuring Filebeat to send logs to Elasticsearch

Alerting using Watcher

Summary

Questions

Assessments

Another Book You May Enjoy

Leave a review – let other readers know what you think
