Flipping the Coin: Red and Blue Teaming in Windows Environments (++)

Presented at DEF CON 32 (2024), Aug. 8, 2024, 2 p.m. (240 minutes).

Red and blue are two sides of the same coin. Offensive and defensive teams deliver the best results when they work together, sharing knowledge, ideas, and understanding with each other, and a core part of that exchange is understanding each other's perspective. This is the overarching theme of the workshop: attackers thinking like defenders, and defenders thinking like attackers. This workshop is the second version of Flipping the Coin and features upgraded attack paths and lab environments.

By the end of the workshop, attendees will:

1. Understand and perform common offensive attacks (supported by the Metasploit Framework) against Windows domains, including:
   - Pass-the-Hash attacks;
   - gMSA Golden Attack;
   - ADCS abuse;
   - common tunnelling techniques;
   - PrintSpoofer exploits;
   - LSASS exploitation (using Mimikatz);
   - AD enumeration (using BloodHound);
   - DACL abuse;
   - Kerberos golden tickets; and
   - DLL hijacking.
2. Understand the process of detecting attacks against Windows infrastructure, including how to design and implement their own detection rules based on the attacks they have just performed, using:
   - Sigma/YARA rules;
   - log ingestion/normalisation platforms and query engines (e.g. ELK).
3. Understand and appreciate how the actions and processes of red and blue teams are interlinked, for the greater collective good.
Recommended (but not required) prior reading:
- https://nooblinux.com/metasploit-tutorial/
- https://posts.specterops.io/introducing-bloodhound-enterprise-attack-path-management-for-everyone-39cfd8d6eb7c
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
- https://socprime.com/blog/sigma-rules-the-beginners-guide/
- https://github.com/socprime/SigmaUI
- https://blog.netwrix.com/2021/11/30/how-to-detect-pass-the-hash-attacks/
- https://posts.specterops.io/certified-pre-owned-d95910965cd2
- https://www.elastic.co/guide/en/security/current/suspicious-print-spooler-point-and-print-dll.html

Much of the material and core concepts of the workshop remain the same as in the DEF CON 31 workshop, with some updated topics for DEF CON 32, including an updated environment and gMSA attacks within the lab.

Presenters:

  • Angus Strom - Senior Security Engineer
    Angus (0x10f2c_) is currently a Senior Security Engineer working at a tech company. He developed a love for all things computers by scavenging computer parts from local garbage pickups as a kid, and then trying to make them work together without blowing up. Angus eventually realised that a career could be made out of his skills hacking together poorly written Lua code in Garry's Mod, and finished a Bachelor's in Network Security. In his professional career Angus has 5+ years in security consulting, working across many industries and gaining many shells. More recently Angus has moved to a security-engineering-focused role. When not hacking he loves to ski on the little snow that Australia has, and loves to paint small miniatures while listening to drone metal.
  • Troy Defty - Security Engineering Manager
    Following over a decade in the UK and Australian InfoSec industries, including an 8-and-a-half-year stint in red teaming, Troy jumped the proverbial fence from red to blue, and is currently a Security Engineering Manager at a tech company. His interests and experience are in detection engineering, red teaming, threat modelling, hardware, and assessing ICS environments. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and making piano-related noise.