SECSMASH: Using Security Products to own the Enterprise'

Presented at BSidesLV 2017, July 26, 2017, 2 p.m. (55 minutes)

Enterprise security tools provide a deep level of insight, and access, to the organizations they are designed to protect. Although, in the right hands these tools can be powerful assets for a blue team, they can be equally valuable for an attacker. Attackers can subvert legitimate functionality to gain and maintain access to an enterprise's crown jewels. Solutions such as Splunk, Tanium, Tripwire, Carbon Black Response, in addition to providing detailed reporting on an organizations assets, all offer the ability to run commands or scripts for administrative purposes on end points. Many of these systems by default, or only, run commands as the 'System' user on Windows. This can be leveraged to gain access to critical systems, pivot into 'segmented' networks, and maintain stealthy command and control. Unfortunately, these tools are commonly deployed with inadequate hardening, or with excessive number of administrative user accounts. One reason for this could be the prior knowledge required to leverage the power of these applications in a safe and controlled manner during a pentest, causing them to largely go unnoticed, or unreported on most tests. We want to bring awareness to the importance of protecting deployed security tools and provide a framework for pentesters and red team teamers to leverage these tools on engagements. The tool we are releasing is called secsmash, and provides a handy commandline tool to turn credentials you've acquired for a supported tool into enterprise pwnage.

Presenters:

• Steven Flores - Information Security Consultant - Tevora
  Steven is a former Marine and now penetration tester/red teamer from Southern California. When he isn't brewing awesome coffee he enjoys doing research on different threat techniques and tool development.
• Kevin Dick - Information Security Consultant - Tevora
  Information security consultant at Tevora since 2012. Wore a lot of hats initially, including solution integration work, auditing, and penetration testing. Kevin now leads Tevora's penetration testing and red teaming group. Areas of focus include Network, web, and mobile application penetration testing, development of internal Tevora penetration testing and social engineering toolkits, malware analysis and incident response.

Links:

• https://bsideslv2017.sched.com/event/BNG1/secsmash-using-security-products-to-own-the-enterprise
• https://infocon.org/cons/Security BSides/BSides Las Vegas/Bsides Las Vegas 2017/SECSMASH Using Security Products to own the E.mp4
• https://infocon.org/cons/Security BSides/BSides Las Vegas/Bsides Las Vegas 2017/SECSMASH Using Security Products to own the E.eng.srt (subtitles)
• https://www.youtube.com/watch?v=M6pHI-bwuB4

Similar Presentations:

• AppSec USA 2012 / The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems
• DeepSec 2019 „Internet of Facts and Fears“ / Beyond Windows Forensics with Built-in Microsoft Tooling
• NolaCon 2017 / Skynet Will Use PsExec: When SysInternals Go Bad