TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Black Hills InfoSec

Red + Blue = Purple

BHIS · 2016-10-26

ATT&CK techniques detected

10 predictions
T1110.003 Password Spraying
97%
“…s PowerShell script Invoke-DomainPasswordSpray.ps1. This script will do it all for you! All you have to do is point it at a user list and give it a password — in this case “autumn2016”. If you give a list of passwords as an argument, the script will guess one password for ea…”
T1110.003 Password Spraying
97%
“…The pentester creates a list of account names either using the command line and querying Active Directory or by harvesting usernames from open source intel. Then a common password is used, say “autumn2016” and a login is attempted for each username on the list. Because of acc…”
T1059.001 PowerShell
94%
“…github.com/PowerShellMafia/PowerSploit/tree/master/Privesc - PowerView – https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon - Empire – https://github.com/adaptivethreat/Empire - BloodHound – https://www.youtube.com/watch?v…”
T1110.003 Password Spraying
92%
“Red + Blue = Purple. David Fletcher & Sally Vandeven // Advisory: the techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportun…”
T1059.001 PowerShell
88%
“> C:\temp\malicious.dll C:\windows\system32\rundll32.exe C:\temp\malicious.dll,Control_RunDLL or C:\> regsvr32.exe /s /u malicious.dll. Another AppLocker bypass is to use InstallUtil.exe to directly access .NET functions and fly under the AppLocker r…”
T1218.011 Rundll32
81%
“…process is started by what is referred to as “secondary execution” and it is not detected by AppLocker. This means that AppLocker rules do not get applied. In other words, it is a way to get an executable file to run even if it has not been explicitly allowed by AppLocker. Ther…”
T1201 Password Policy Discovery
78%
“…So after one incorrect password the bad-password-count is one, but if we wait for ten minutes that count gets reset to zero and we can guess again. This greatly reduces the chances of locking out accounts. There are some issues though with service accounts that may not be…”
T1003.001 LSASS Memory
75%
“…attacker can gain access to in order to dump credentials from memory (for example with Mimikatz). The dumped credentials will provide privilege escalation, perhaps all the way up to Domain Administrator. Restricting client to client traffic – we have only worked with a couple of…”
T1003 OS Credential Dumping
54%
“…attacker can gain access to in order to dump credentials from memory (for example with Mimikatz). The dumped credentials will provide privilege escalation, perhaps all the way up to Domain Administrator. Restricting client to client traffic – we have only worked with a couple of…”
T1552.001 Credentials In Files
42%
“…are encrypted privileged credentials in order to script administrative tasks. This became a problem because the static symmetric AES encryption key used for the password was published, so credentials found in the files can be easily decrypted. These credentials are definitely wha…”

Summary

David Fletcher & Sally Vandeven // We gave a presentation at the GrrCon hacker conference in Grand Rapids, MI on October 6, 2016. The presentation was a dialogue meant to illustrate the […]

The post Red + Blue = Purple appeared first on Black Hills Information Security, Inc.