book

Adversarial Tradecraft in Cybersecurity

by Dan Borges

June 2021

Intermediate to advanced

246 pages

7h 40m

English

Packt Publishing

Read now

Unlock full access

Who this book is forWhat this book coversTo get the most out of this bookGet in touch
Adversarial theoryCIAAANGame theoryPrinciples of computer conflictOffense versus defensePrinciple of deceptionPrinciple of physical accessPrinciple of humanityPrinciple of economyPrinciple of planningPrinciple of innovationPrinciple of timeSummaryReferences
Essential considerationsCommunicationsLong-term planningExpertiseOperational planningDefensive perspectiveSignal collectionData managementAnalysis toolingDefensive KPIsOffensive perspectiveScanning and exploitationPayload developmentAuxiliary toolingOffensive KPIsSummaryReferences
Gaining the advantageOffensive perspectiveProcess injectionIn-memory operationsDefensive perspectiveDetecting process injectionPreparing for attacker techniquesThe invisible defenseSummaryReferences
Offensive perspectivePersistence optionsLOLbinsDLL search order hijackingExecutable file infectionCovert command and control channelsICMP C2DNS C2Domain frontingCombining offensive techniquesDefensive perspectiveC2 detectionICMP C2 detectionDNS C2 detectionPersistence detectionDetecting DLL search order hijackingDetecting backdoored executablesHoney tricksHoney tokensHoneypotsSummaryReferences
Offensive perspectiveClearing logsHybrid approachRootkitsDefensive perspectiveData integrity and verificationDetecting rootkitsManipulating attackersKeeping attackers distractedTricking attackersSummaryReferences
Offensive perspectiveSituational awarenessUnderstanding the systemClear the Bash historyAbusing DockerGleaning operational informationKeyloggingScreenshot spyGetting passwordsSearching files for secretsBackdooring password utilitiesPivotingSSH agent hijackingSSH ControlMaster hijackingRDP hijackingHijacking other administrative controlsDefensive perspectiveExploring users, processes, and connectionsRoot cause analysisKilling malicious processesKilling connections and banning IPsNetwork quarantineRotating credentialsRestricting permissionsChattr revisitedchrootUsing namespacesControlling usersShut it downHacking backHunting attacker infrastructureExploiting attacker toolsSummaryReferences
Gaming the gameOffensive perspectiveThe world of memory corruptionTargeting research and prepTarget exploitationCreative pivotingDefensive perspectiveTool exploitationThreat modelingOperating system and application researchLog and analyze your own dataAttributionSummaryReferences
Offensive perspectiveExfiltrationProtocol tunnelingSteganographyAnonymity networksEnding the operationProgram security versus operational securityTaking down infrastructureRotating offensive toolsRetiring and replacing techniquesDefensive perspectiveResponding to an intrusionThe big flipThe remediation effortA post-mortem after the incidentForward lookingPublish resultsSummaryReferences

Content preview from Adversarial Tradecraft in Cybersecurity

3 Invisible is Best (Operating in Memory)

In this chapter, we will look at several techniques for avoiding common forensics artifacts and thus avoiding a large portion of traditional post-compromise forensic analysis. This will be the first of several reaction correspondences we examine, focusing on process injection techniques, the forensic artifacts that in-memory techniques avoid, and some detection strategies for process injection. This chapter will show you why these strategies developed naturally as a result of this conflict over the last few decades. There are certainly many great writeups of these individual techniques on the internet, but few writeups look at why attackers use these various process injection techniques, instead of just ...