Flipping the Coin: Red and Blue Teaming in Windows Environments

Presented at DEF CON 31 (2023), Aug. 10, 2023, 2 p.m. (240 minutes)

Red and blue are two sides of the same coin. Offensive and defensive teams deliver the best results when working together, sharing knowledge, ideas, and understanding with each other. A core part of this information exchange is understanding each respective perspective. This is the overarching theme of the workshop: attackers thinking like defenders, and defenders thinking like attackers.

By the end of the workshop, attendees will:

1. Understand and perform common offensive attacks (supported by the Metasploit Framework) against Windows Domains, including: Pass the Hash attacks; ADCS abuse; PrintSpoofer exploits; LSASS exploitation (using Mimikatz); AD enumeration (using BloodHound); DACL abuse; Kerberos golden tickets; and DLL hijacking.
2. Understand the process of detecting attacks against Windows infrastructure, including how to design and implement their own detection rules based on attendees’ previous attacks, using:
   - Sigma/YARA rules
   - Log ingestion/normalization platforms and query engines (e.g. ELK)
3. Understand and appreciate how the actions and processes of red and blue teams are interlinked, for the greater collective good.
Recommended (but not required) prior reading:

- https://nooblinux.com/metasploit-tutorial/
- https://posts.specterops.io/introducing-bloodhound-enterprise-attack-path-management-for-everyone-39cfd8d6eb7c
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
- https://socprime.com/blog/sigma-rules-the-beginners-guide/
- https://github.com/socprime/SigmaUI
- https://blog.netwrix.com/2021/11/30/how-to-detect-pass-the-hash-attacks/
- https://posts.specterops.io/certified-pre-owned-d95910965cd2
- https://www.elastic.co/guide/en/security/current/suspicious-print-spooler-point-and-print-dll.html

Skill Level: Beginner to Intermediate

Prerequisites for students:
- Basic understanding of the Linux and Windows command line
- Some basic knowledge of IP networking and routing
- A basic understanding of Active Directory and exposure to the Metasploit Framework/Meterpreter are beneficial, but not required.

Materials or Equipment students will need to bring to participate:
- Laptop, 8GB RAM
- OpenVPN client
- Remote Desktop Protocol (RDP) client
- It is strongly recommended that attendees have local administrative rights to their device.
- An Internet connection is also required; DEF CON’s (authenticated) WiFi network will suffice, however attendees should consider alternative options for resiliency (e.g. tethering/hotspotting cell phones).

Presenters:

  • Troy Defty - Security Engineering Manager
    Having worked in the UK and Australian InfoSec industries for just over a decade, and following 8 and a half years of red teaming, Troy jumped the proverbial fence from red to blue, and is currently a Security Engineering Manager at a tech company. His interests and experience are in detection engineering, red teaming, threat modelling, hardware, and assessing ICS environments. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and being bad at golf.
  • Angus "0x10f2c_" Strom - Senior Security Engineer
    Angus (0x10f2c_) is currently a Senior Security Engineer working at a tech company. He obtained a love for all things computers by scavenging computer parts from local garbage pickups as a kid, and then trying to make them work together without blowing up. Angus eventually realised that a career could be made out of his skills hacking together poorly written Lua code in Garry’s Mod, and finished a Bachelor’s in Network Security. In his professional career Angus has 5+ years working in Security Consulting, working across many industries and gaining many shells. More recently Angus has made the move to a security-engineer-focused role. When not hacking he loves to ski on the little snow that Australia has, and loves to paint small miniatures while listening to Drone Metal.