Adversarial Tradecraft in Cybersecurity: Offense versus defense in real-time computer conflict
by Dan Borges
Packt Publishing
https://www.amazon.com/Adversarial-Tradecraft-Cybersecurity-real-time-computer-ebook/dp/B0957LV496
| Page | Remark |
|---|---|
| vii | attack/defense CTFs |
| 1 | adversarial theory |
| 2 | offense and defense have been playing a decades-long cat and mouse game, with no clear winner |
| 3 | CIAAAN |
| “Introduction to Information Security” | |
| C2 | |
| integrity (CIA triad) | |
| 4 | non-repudiation |
| game theory | |
| dominant moves/dominant strategy | |
| 5 | reaction correspondence |
| Nash equilibrium | |
| LDAP | |
| Active Directory | |
| cybersecurity | |
| Microsoft ATA | |
| Bloodhound | |
| 6 | Principles of computer conflict |
| defense in depth | |
| cyber kill chain | |
| Lockheed Martin | |
| attack trees | |
| “A combined attack-tree and kill-chain approach to designing attack-detection strategies for malicious insiders in cloud computing” | |
| 7 | the cloud |
| TCP/IP | |
| DNS | |
| reverse engineering | |
| Psychology | |
| Criminology | |
| Forensics | |
| reconnaissance | |
| Python | |
| Ruby | |
| Go | |
| 8 | MITRE ATT&CK |
| Computer Network Operations (CNO) | |
| Computer Network Defense | |
| osquery | |
| logstash | |
| ELK | |
| Splunk | |
| Nmap | |
| OpenVAS | |
| Metasploit | |
| proxychains | |
| 9 | Puppet |
| SCCM | |
| Chef | |
| auditd | |
| Suricata | |
| Zeek | |
| EDR | |
| filebeat | |
| loggly | |
| fluentd | |
| Sumo Logic | |
| red team | |
| blue team | |
| penetration testing tools | |
| 10 | obfuscation |
| persistence | |
| purple team | |
| “Dirty Red Team Tricks” Raphael Mudge | |
| process injection | |
| 11 | work from home |
| deep packet inspection | |
| blind spots | |
| endpoint-focused vs. network-focused detection | |
| lateral movement | |
| low and slow attacks | |
| threat actor | |
| 12 | Capture the Flag |
| 13 | PowerShell |
| loader | |
| Cobalt Strike | |
| Armitage | |
| Pros V Joes | |
| BSides security conferences | |
| 14 | hacking back |
| 15 | principle of deception |
| Sun Tzu | |
| “The Art of War” | |
| 16 | Barton Whaley https://www.usni.org/people/barton-whaley |
| deception | |
| “Deception: counterdeception and counterintelligence” | |
| “Toward a General Theory of Deception” - Barton Whaley https://www.tandfonline.com/doi/abs/10.1080/01402398208437106 | |
| showing the false | |
| hiding the real | |
| 17 | rootkits |
| Kevin Mitnick | |
| “The Art of Deception” | |
| principle of physical access | |
| full disk encryption | |
| 18 | AWS |
| ESXi | |
| incident response | |
| live forensics | |
| dead box forensics | |
| 19 | LUKS |
| FileVault | |
| Bitlocker | |
| principle of humility | |
| “Network Attacks and Exploitation” | |
| “Monette’s Principle of Access” | |
| wiki | |
| human error | |
| password reuse | |
| 20 | principle of economy |
| Donald Rumsfeld | |
| 21 | man hours |
| “The Mythical Man Month” | |
| principle of planning | |
| 22 | OPSEC |
| runbooks | |
| “US Army Field Manual 3 (FM-3.0)” | |
| simplicity | |
| 23 | Mike Tyson |
| “The Checklist Manifesto” | |
| postmortem | |
| 24 | principle of innovation |
| “red teams often innovate faster than blue teams”. this irritates me. | |
| FIN7 | |
| shim database | |
| 0-day | |
| N-day | |
| 25 | BLUESPAWN |
| University of Virginia | |
| assume breach | |
| “nothing is unhackable” | |
| Miyamoto Musashi | |
| principle of time | |
| brute force | |
| encryption | |
| 26 | patching |
| element of surprise | |
| homefield advantage | |
| APT28 | |
| regular hours | |
| Fancy Bear | |
| Sofacy | |
| The Dukes | |
| timezones | |
| geolocation | |
| the cost of an incident | |
| 27 | Dmitry Alperovitch |
| CrowdStrike | |
| 1/10/60 time | |
| containment | |
| “CrowdStrike 2019 Global Threat Report” | |
| breakout times | |
| 21 | * references |
| 31 | Benjamin Franklin |
| Eisenhower | |
| confidentiality | |
| authentication | |
| authorization | |
| compartmentalization | |
| Google Docs | |
| EtherPad | |
| IRC | |
| XMPP | |
| Slack | |
| Mattermost | |
| Zoom | |
| SMS | |
| chat | |
| 33 | logs |
| 34 | chat ops |
| Enterprise Key Management (EKM) | |
| availability | |
| Signal | |
| gpg | |
| AWS KMS | |
| Long-term planning | |
| 35 | milestones |
| contingency planning | |
| Georges St. Pierre | |
| UFC | |
| 36 | expertise |
| hardening | |
| Cybrary | |
| OpenSecurity Training | |
| 37 | golden image |
| virtual machines | |
| 38 | Key Performance Indicators (KPI) |
| 39 | root cause analysis (RCA) |
| “Network Attacks and Exploitation: A Framework” | |
| Dave Cowen | |
| 40 | Leo Tolstoy |
| 41 | telemetry |
| collecting logs and gaining visibility should be an early goal. | |
| McAfee | |
| Microsoft Defender | |
| Semantec Endpoint Protection (SEP) | |
| Kaspersky | |
| ClamAV | |
| crypter | |
| packer | |
| 42 | threat hunting |
| Carbon Black | |
| Tanium | |
| Microsoft ATP | |
| anomaly detection | |
| 43 | GRR - Google Rapid Response https://github.com/google/grr |
| Wazuh | |
| Velociraptor | |
| Suricata | |
| IPS | |
| Snort | |
| Wireshark | |
| Zeek | |
| 44 | SPAN/port mirroring |
| tcpdump | |
| tshark | |
| IP address | |
| 46 | honeypots |
| SIEM | |
| filebeat | |
| logstash | |
| Splunk | |
| rsyslog | |
| SMB | |
| 47 | elasticsearch |
| User Behavior Analytics (UBA) | |
| HELK | |
| Security Orchestration Automation and Response (SOAR) | |
| Cortex | |
| 48 | OpenIOC |
| playbooks | |
| 49 | elastalert |
| The Hive | |
| MISP | |
| CRITS | |
| 50 | immutable |
| chattr | |
| Python3 | |
| watchdog observers | |
| 52 | The Sleuth Kit |
| Process Monitor | |
| Process Explorer | |
| Autoruns | |
| Sysinternals Suite | |
| binwalk | |
| scalpel | |
| Redline | |
| Volatility | |
| C++ | |
| swiss army knife | |
| 53 | PE-Sieve |
| cuckoo sandbox | |
| Viper | |
| GitHub | |
| BoomBox - cuckoo deployment | |
| Hybrid Analysis | |
| VirusTotal | |
| Joe Sandbox | |
| Any.Run | |
| dynamic analysis | |
| URLs | |
| 54 | CyberChef |
| Pure Funky Magic | |
| Maltego | |
| mind mapping | |
| SecurityOnion | |
| 55 | defensive KPIs |
| John Lambert | |
| reactionary | |
| 56 | chess |
| scanning and enumeration | |
| AutoRecon | |
| Scantron | |
| diff | |
| Metasploit rc scripting | |
| Empire | |
| Burp Suite | |
| Taipan | |
| sqlmap | |
| PowerView | |
| BloodHound | |
| TCP handshake | |
| turbonmap alias | |
| 58 | Jeff McJunkin |
| EternalBlue | |
| NSA | |
| post-exploitation | |
| 59 | gscript |
| 60 | domain fronting |
| ICMP | |
| CDN | |
| HTTP Host header | |
| C# | |
| .NET | |
| The C2 Matrix | |
| implant strategy - operational and long-term implants | |
| 61 | CrackLord |
| password cracking | |
| wordlists | |
| cewl | |
| 62 | Kali Linux |
| offensive KPIs | |
| 64 | * chapter 2 references |
| 71 | reaction correspondence |
| 72 | dead disk forensics |
| memory operations | |
| process injection | |
| CreateRemoteThread | |
| Sliver | |
| 73 | FTK Imager |
| Cellebrite | |
| dd | |
| The Sleuth Kit | |
| log2timeline | |
| Plaso | |
| APT | |
| RAM | |
| 75 | assembly language |
| DLL injection | |
| process doppelganging | |
| process hollowing | |
| thread execution hijacking | |
| Windows, Mac, Linux | |
| 76 | Hexacorn |
| RtlCreateUserThread | |
| NtCreateThreadEx | |
| atom tables | |
| shellcode | |
| Atom Bombing | |
| over 40 injection methods on Window | |
| SeDebug | |
| SYSTEM | |
| Needle - vyrus001 https://github.com/vyrus001/needle | |
| 77 | kernel32.dll |
| Go shellcode | |
| Russel Van Tuyl https://github.com/Ne0nd0g | |
| CreateFiber | |
| CreateProcess with pipe | |
| CreateThread native | |
| RtlUserCreateThread | |
| Metasploit Framework (MSF) | |
| shellcode_inject | |
| reflective_dll_injection | |
| 78 | position-independent |
| “Writing Optimized Windows Shellcode” - Matt Graeber | |
| Obfuscator | |
| Donut - swiss army knife | |
| PE, DLL | |
| compression | |
| msfvenom | |
| 79 | ShadowBrokers |
| MS17-010 | |
| EternalBlue | |
| NotPetya | |
| psexec | |
| post-exploitation | |
| 80 | Metasploitable |
| Vagrant https://www.vagrantup.com/ | |
| VirtualBox | |
| CI/CD | |
| 81 | mTLS |
| sRDI | |
| gobfuscate https://github.com/unixpickle/gobfuscate | |
| strip | |
| “shelling out” | |
| ls | |
| mkdir | |
| cross-platform | |
| reflective DLL injection | |
| 82 | Garble obfuscation https://github.com/burrowers/garble |
| execute-assembly | |
| Seatbelt | |
| AMSI | |
| Windows Lockdown Policy | |
| 83 | Metasploit re script example |
| 86 | detecting process injection |
| Get-InjectedThread | |
| MEM_IMAGE flag | |
| WriteProcessMemory | |
| VirtualAllocEx | |
| 87 | SetThreadContext |
| Forrest Orr | |
| “Masking Malicious Memory Artifacts” https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing | |
| NtAllocateVirtualMemory | |
| NtProtectVirtualMemory | |
| API hooks | |
| Virtual Address Descriptor (VAD) | |
| Volatility | |
| 88 | malfind |
| YARA | |
| PEB | |
| PAGE_EXECUTE_READWRITE | |
| libPeConv https://github.com/hasherezade/libPeConv | |
| Hasherezade https://github.com/hasherezade https://hasherezade.github.io/ | |
| function hooking | |
| hollows hunter https://github.com/hasherezade/hollows_hunter | |
| 89 | Sysmon |
| anti-tamper | |
| SysmonDrv | |
| SwiftOnSecurity | |
| 90 | Olaf Hartong https://github.com/olafhartong https://olafhartong.nl/ |
| include_process_suspend_resume | |
| dnSpy | |
| Java | |
| decompiling | |
| ILSpy | |
| dotPeek | |
| network tap | |
| 92 | Snort |
| 93 | *chapter 3 references |
| 97 | blending in |
| 98 | SANS “Know Normal. Find Evil” poster |
| Eric Zimmerman | |
| 99 | persistence |
| 100 | LOLBAS, LOLBins |
| filetype | |
| GTFObins | |
| IMAGE_EXPORT_DIRECTORY | |
| ASEP locations | |
| MSBuild | |
| 101 | AppInstaller.exe download files LOLBin |
| PATH environment variable | |
| KnownDLLs registry key | |
| DLL search order hijacking | |
| 102 | PowerSploit |
| Find-PathDLLHijack | |
| symbol crash group | |
| binject | |
| Back Door Factory https://github.com/secretsquirrel/the-backdoor-factory | |
| 103 | AddSection hijacking technique |
| NAT | |
| netstat | |
| 105 | ICMP_ECHO |
| ICMP | |
| Prism | |
| icmpdoor | |
| 106 | DNS C2 |
| DoH | |
| A, AAA, CNAME, TXT, NSrecord | |
| 107 | domain fronting |
| Fastly | |
| AWS, GCP, Azure, Cloudflare | |
| 108 | EULA |
| 109 | ManageEngine |
| Desktop Central | |
| 111 | C2 detection |
| p-tunnel | |
| CRC | |
| DNS tunneling | |
| ICMP tunneling | |
| 112 | Cisco Umbrella/OpenDNS |
| DNSFilter | |
| Bind9 | |
| dnstap | |
| DNS resolver | |
| Windows Centralized DNS | |
| netsh | |
| Group Policy | |
| GPOs | |
| 115 | Mark Baggett frequency algorithms https://github.com/MarkBaggett/freq |
| DGA - Domain Generation Algorithm | |
| 116 | PassiveTotal https://community.riskiq.com/ |
| Robtex https://www.robtex.com/ | |
| Autoruns - over 130 - Hexacorn | |
| 117 | Robber - DLL search order hijack detection |
| sigcheck | |
| 118 | whoami |
| honeypots | |
| honey tokens | |
| 119 | Deploy-Deception |
| juicy accounts/honey accounts | |
| LLMNR | |
| Responder | |
| 120 | T-Pot |
| cowrie | |
| Cockpit, Docker, Dockerize | |
| TrustedSec Artillery | |
| 122 | *chapter 4 references |
| 125 | rootkits |
| log wiping | |
| Eventlog edit | |
| 127 | Danderspritz https://danderspritz.com/ |
| EventCleaner - QAX-A-Team https://github.com/QAX-A-Team/EventCleaner | |
| sc.exe | |
| parent-child relationships | |
| 128 | OpenEventLogA |
| SharpCrashEventLog | |
| Benjamin Lim | |
| flailing | |
| 130 | /var/log |
| Vlad Rico - apache2_backdoormod | |
| apache2ctl | |
| 131 | SOCKS proxy |
| blending in | |
| PID 1 | |
| userland rootkit | |
| LKM rootkit | |
| 132 | Reptile rootkit |
| khook | |
| kmatryoyshka | |
| khook | |
| reptile_cmd | |
| magic packet | |
| 133 | 5 D’s of physical security: Deter, Detect, Delay, Deny, Defend |
| Windows Event Logs | |
| 134 | NetFlow |
| pcap | |
| Haka Framework - Xavier Mertens https://github.com/xme | |
| Lua | |
| detecting rootkits | |
| 135 | LD_PRELOAD |
| rkhunter | |
| processdecloak | |
| SandFly Security | |
| unhide | |
| Volatility has several linux modules: linux_hidden_modules, linux_enumerate_files, linux_netstat, linux_check_syscall, … | |
| memory dump - Microsoft Rust tool https://github.com/microsoft/avml | |
| 137 | Linux Netfilter |
| iptables | |
| iptables - throttling traffic | |
| 138 | portspoof https://github.com/drk1wi/portspoof |
| 139 | LaBrea Tarpit |
| /var/log/syslog | |
| xtables_addons, TARPIT | |
| 140 | tricking attackers (deception) |
| booby trap | |
| 141 | JavaScript |
| Mathias Jenssen, B: drive ransomware tactic | |
| 142 | zip bomb |
| David Fifield | |
| 144 | *chapter 5 references |
| 147 | real-time conflict |
| access | |
| 150 | importance of knowing the system |
| 151 | ldd execute files??? |
| clear bash history | |
| 152 | dockerrootplease https://github.com/chrisfosterelli/dockerrootplease |
| DEEPCE - Docker https://github.com/stealthcopter/deepce | |
| keylogging | |
| 153 | xspy https://www.kali.org/tools/xspy/ |
| simple-key-logger https://github.com/gsingh93/simple-key-logger | |
| X11 | |
| XDISPLAY | |
| authorized_keys | |
| 153 | rootsh |
| WireTap | |
| GoRedSpy | |
| AFK - away from keyboard | |
| 155 | Linikatz https://github.com/CiscoCXSecurity/linikatz |
| 156 | mimipenguin https://github.com/huntergregal/mimipenguin |
| Kali, Ubuntu, Arch | |
| GoRedLoot | |
| 157 | SharpCollection: SharpDir SharpShare SharpFiles |
| bashrc sudo backdoor | |
| NeonTokyo | |
| 158 | PAM modules |
| DNS exfiltration | |
| 160 | SSH agent hijacking |
| 161 | SSH controlmaster hijacking |
| 162 | RDP hijacking |
| Alexander Korznikov | |
| tscon | |
| SaltStack, Puppet, Chef | |
| 163 | CrackMapExec |
| 164 | utmp, wtmp, btmp, last, w, lsof |
| 165 | root cause analysis |
| killing malicious processes | |
| whack-a-mole | |
| banning IP addresses | |
| 166 | /etc/resolv.conf |
| DNS sinkhole | |
| network quarantine | |
| 167 | SolarWinds |
| 168 | rotating credentials |
| 169 | Local-PasswordRoll.ps1 |
| WinRM | |
| openssl rand | |
| /etc/passwd | |
| 170 | chattr |
| 171 | chroot |
| ChrootDirectory | |
| namespaces | |
| 172 | /etc/skel backdoor |
| HISTFILE HISTTIMEFORMAT | |
| 173 | Bruce Lee - Jeet Kune Do (JKD) |
| 174 | hunting attacker infrastructure |
| portspoof.conf | |
| Nmap 6.25 | |
| 175 | NSE |
| *chapter 6 references | |
| 179 | the research advantage |
| 180 | GreaseMonkey |
| 181 | memory corruption |
| “Hacking: The Art of Exploitation” | |
| RPISEC Modern Binary Exploitation https://github.com/RPISEC/MBE | |
| 182 | Shellphish CTF team |
| how2heap https://github.com/shellphish/how2heap | |
| Pwn2Own | |
| Plaid Parliament of Pwning (PPP) | |
| Carnegie Mellon University | |
| DEF CON | |
| 183 | Skewl of Root |
| TTL of scorebot | |
| 184 | rockyou.txt |
| hydra | |
| go-netscan | |
| 185 | RocketChat |
| 186 | nfp - network fingerprinter |
| npm/Node | |
| pypi | |
| Ruby gems | |
| 187 | Operation Aurora |
| Samy Kamkar | |
| NAT slipstreaming | |
| SIP | |
| phish in the middle | |
| 188 | F3EAD |
| 189 | YARA swear words and misspellings - Steve Miller |
| “Threat Modeling” Adam Shostack | |
| 190 | BeaconHunter https://github.com/3lp4tr0n/BeaconHunter |
| Andrew Oliveau https://github.com/3lp4tr0n | |
| 191 | ShimCache |
| AmCache | |
| CIT database | |
| Forensic Kitchen | |
| Syscache | |
| Applocker | |
| Windows XP | |
| 192 | game hacking |
| log and analyze your own data! | |
| Ubisoft - Ranbow Six cheating | |
| 193 | attribution |
| 194 | *chapter 7 references |
| 199 | exfiltration |
| protocol tunnels | |
| dnscat2 | |
| Ron Bowes | |
| 200 | steganography |
| LSB - least significant bit/byte, MSB - most significant bit/byte | |
| TryCatch HCF | |
| Cloakify | |
| QUANTUM attacks | |
| NSA TAO | |
| man-on-the-side | |
| 201 | anonymity networks |
| Tor | |
| Pastebin | |
| 202 | PrivateBin |
| VPN | |
| 203 | bulletproof hosting |
| 206 | being burned |
| 207 | rotating offensive tools |
| retiring tools and techniques | |
| 212 | remediation |
| 213 | postmortem |
| 215 | *chapter 8 references |