
In this episode, we break down the sophisticated world of Red Teaming. Moving past simple vulnerability scans, we explore the mindset of a determined adversary. We cover the entire attack chain from initial access via LLMNR poisoning to lateral movement using BloodHound and explain how these simulations help Blue Teams sharpen their detection and response capabilities.
Key Topics Covered in This Episode:
Defining Red Teaming: Why Red Teaming is "threat-oriented" rather than "vulnerability-centric," focusing on organizational resilience.
Understanding APTs: The characteristics of Advanced Persistent Threats—sophisticated, long-term, and stealthy.
The MITRE ATT&CK Framework: A breakdown of the 14 tactics used to map adversarial behavior from reconnaissance to impact.
Red Team vs. Pentesting: A detailed comparison of scope, duration, and goals (Narrow vs. Broad, Goal-oriented vs. Threat-oriented).
The Attack Life Cycle: Stepping through Reconnaissance, Initial Compromise, Persistence, Privilege Escalation, and Exfiltration.
Live Demo: LLMNR Poisoning: How attackers exploit "link-local" protocols to capture password hashes using tools like Responder.
Cracking Hashes: Using Hashcat to resolve captured NTLMv2 hashes into plain-text passwords.
Visualizing the Path: Using BloodHound and Neo4j to map hidden relationships and attack paths within Active Directory.
The Blue Team Perspective: How the Security Operations Center (SOC) uses Red Team findings to close detection gaps.
🎧 Level up your offensive security skills with InfosecTrain. We provide specialized training in Red Teaming, Active Directory Security, and APT Simulation to prepare you for the front lines of cybersecurity.
Watch the full episode on YouTube: https://www.youtube.com/watch?v=ruaK9NNIE2w
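Detection-side companion to the LLMNR poisoning demo and the Blue Team segment listed above (an added example, not code from the episode or from InfosecTrain): a Responder-style poisoner answers LLMNR/NBT-NS queries for many unrelated names, including names that do not exist, so the check below flags such hosts from name-resolution events and scopes which clients talked to them. All addresses, names, the canary name and the event records are constructed sample data, and the sensor format is assumed.

```python
"""Flag LLMNR / NBT-NS poisoning from name-resolution events.

Added example, not code from the episode. A poisoner (Responder-style host)
answers queries for many unrelated names, including names that do not exist,
whereas a legitimate host answers only for its own name(s). The records,
addresses and names below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

LLMNR_PORT = 5355   # UDP, queried via multicast 224.0.0.252
NBTNS_PORT = 137    # UDP, queried via subnet broadcast


@dataclass(frozen=True)
class NameEvent:
    """One name-resolution packet as an assumed sensor might log it.

    svc_port is the protocol's service port: the destination port of a
    query, or the source port of a response (LLMNR answers are unicast from
    UDP 5355 back to the querier's ephemeral port).
    """
    ts: float
    src: str
    dst: str
    svc_port: int
    kind: str     # "query" or "response"
    name: str


# Constructed sample traffic. 10.0.0.50 is a benign file server answering
# only for its own name; 10.0.0.99 answers every query it sees.
SAMPLE_EVENTS = [
    NameEvent(1.0, "10.0.0.21", "224.0.0.252", LLMNR_PORT, "query", "FILESERV"),
    NameEvent(1.1, "10.0.0.50", "10.0.0.21", LLMNR_PORT, "response", "FILESERV"),
    NameEvent(2.0, "10.0.0.21", "224.0.0.252", LLMNR_PORT, "query", "abc"),
    NameEvent(2.1, "10.0.0.99", "10.0.0.21", LLMNR_PORT, "response", "abc"),
    NameEvent(3.0, "10.0.0.22", "224.0.0.252", LLMNR_PORT, "query", "printsrv01"),
    NameEvent(3.1, "10.0.0.99", "10.0.0.22", LLMNR_PORT, "response", "printsrv01"),
    NameEvent(4.0, "10.0.0.23", "10.0.0.255", NBTNS_PORT, "query", "WPAD"),
    NameEvent(4.1, "10.0.0.99", "10.0.0.23", NBTNS_PORT, "response", "WPAD"),
    NameEvent(5.0, "10.0.0.24", "224.0.0.252", LLMNR_PORT, "query", "canary-zz9"),
    NameEvent(5.1, "10.0.0.99", "10.0.0.24", LLMNR_PORT, "response", "canary-zz9"),
    NameEvent(6.0, "10.0.0.21", "224.0.0.252", LLMNR_PORT, "query", "nosuchhost"),
]

# Names a defender deliberately queries from a probe host; nothing legitimate
# should ever answer them, so any answer identifies a poisoner immediately.
CANARY_NAMES = {"canary-zz9"}


def suspected_poisoners(events, distinct_name_threshold=3):
    """Return {responder_ip: set_of_names_answered} for hosts that answered
    LLMNR/NBT-NS queries for >= threshold distinct names or for a canary."""
    answered = defaultdict(set)
    for ev in events:
        if ev.kind == "response" and ev.svc_port in (LLMNR_PORT, NBTNS_PORT):
            answered[ev.src].add(ev.name.lower())
    return {
        ip: names for ip, names in answered.items()
        if len(names) >= distinct_name_threshold or names & CANARY_NAMES
    }


def exposed_clients(events, poisoner_ip):
    """Clients whose queries the poisoner answered. Each of them may have
    been drawn into an NTLM exchange, so their users' credentials are the
    ones to rotate and their authentication logs the ones to review."""
    return {ev.dst for ev in events
            if ev.kind == "response" and ev.src == poisoner_ip}


if __name__ == "__main__":
    for ip, names in suspected_poisoners(SAMPLE_EVENTS).items():
        print(f"{ip} answered {len(names)} names: {sorted(names)}")
        print(f"  clients to review: {sorted(exposed_clients(SAMPLE_EVENTS, ip))}")
```

The distinct-name threshold is a tuning knob: a real file server or a WPAD host legitimately answers for its own name, so the canary check is the higher-confidence signal and the name count the broader one.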
We will be talking about red teaming: what is red teaming, how it is different from penetration testing, multiple aspects of red teaming, the red teaming life cycle. We will be talking about initial access in the environment, credential hunting, that is, how we hunt for the credentials at a later moment, right; we will see how enumeration using BloodHound can happen, right; and then we will be talking about the persistence part, that is, what are the different ways or techniques to maintain persistence; and then there is the blue team perspective, right, how the blue team thinks about it, and from the perspective of the blue team what we have to implement, what kind of security, what kind of monitoring they do. Right, so that is the agenda.

Now let us move on to red teaming. So when we are talking about red teaming, we have heard that red teaming works on the offensive side of security, right, but on the offensive side we have penetration testing as well, so when we are talking about a red team, what actually is a red team? Red teaming is a structured security methodology where skilled professionals simulate real-world adversarial attacks to test the resilience of an organization's defenses, right. So unlike a traditional vulnerability assessment or penetration test, red teaming adopts the mindset of a determined attacker, focusing not only on technical weaknesses but also on human, physical and procedural vulnerabilities. So the goal is to provide a holistic evaluation of how well the organization can withstand, detect and respond to sophisticated threats, right.

A red team engagement typically starts with reconnaissance, right, where attackers gather intelligence about the target environment, employees and infrastructure, and this phase mirrors how real adversaries operate, using open source intelligence, social engineering and passive scanning to build a profile of the organization. Once sufficient information is collected, they pivot access across the networks. So the objective is not to cause damage, but to demonstrate realistic attack paths that could be leveraged by malicious actors, right. So beyond technical exploits, red teaming includes testing physical security controls, right: if I can physically enter the organization, that is also a type of vulnerability where the security controls are missing, right, like I gain unauthorized access to facilities, right. I can evaluate human factors, like if social engineering is allowed, right, so I can call on the phone and ask for some sensitive information to be revealed, right. So this approach ensures that organizations understand their exposure across all layers of defense.

Now the value of red teaming lies in its ability to uncover blind spots that routine security tests may miss, so by simulating APTs. What are APTs? Anyone who knows APTs, if you can define APTs: advanced persistent threats, you might have heard, right. So what are those advanced persistent threats? When red teaming, what we are doing is we are following the path of APTs, right. So what is an APT? APT stands for advanced persistent threat, right, if you are not aware of them. So it is a sophisticated, long-term cyber attack in which attackers gain unauthorized access to a network and remain undetected for an extended period, right. So unlike opportunistic attacks, APTs are highly targeted, often directed at governments, enterprises and critical infrastructure, and the attackers are usually well funded and organized, sometimes linked to nation states or advanced criminal groups, right. So they are advanced, right: they use complex techniques like zero-day exploits, social engineering, custom malware, right. And they are persistent: persistent means that attackers maintain ongoing access, often for months or years, without detection. And they are targeted, that means focused on specific organizations or sectors, aiming for strategic goals rather than random disruptions. And stealthy, blending into normal traffic and using unencrypted channels, right. Those are APTs. Now in red teaming what we do, we follow the footsteps of APTs, right, as I said that we are following the footsteps of APTs.
So there is a framework; there is an organization with the name MITRE, right. MITRE has a framework, ATT&CK, which is pronounced as the "attack" framework: Adversarial Tactics, Techniques and Common Knowledge. Now this particular framework gives you the information about the TTPs, basically what steps the attackers use and what are the different types of groups. So this is the framework, and this is the matrix in front of you, right. It starts from reconnaissance, right, and from reconnaissance it goes till impact, right. Now reconnaissance means information gathering; then resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and then impact. So these are 14 tactics in total, right, but it does not mean that every single one of you, or every particular APT group, will use or follow every single step. Sometimes I do not need reconnaissance, right: I will find the web application of the organization, let us say www.abc.com, right, I found this, and what I did, I started attacking it, right. So when I found that there is abc.com, I tried scanning it for vulnerabilities, I found a vulnerability, exploited the vulnerability, and I got the access. So was there any need for reconnaissance and resource development? All right, there is no need for those steps. So that's what we have to take care of, that every time you don't have to follow all the steps; you have to think like an attacker, you have to think like a person who is performing the attack, that I have to generate the least amount of traffic and I have to get the highest level of privileges, because if you perform every single step, maybe you will get caught, maybe you will be detected, your logs will be there and done, right. So that's why we have to be smart in this.

The second thing is that when we are talking about the groups, so we have these; on the left-hand side, as you can see, these are the names of the groups, right, the advanced persistent threat groups. The most famous one, and the one which I really like, is APT29; this is also called Cozy Bear. Now in 2021 there was an attack, the SolarWinds attack, so that was done by them, right, and if you see there is Operation Ghost, SolarWinds Compromise, August 2019 to 2021, Operation Ghost from 2013 to 2019, right. Whatever the tools, whatever services they have taken access of, everything they have used, everything is written here, right. So now, if I go here and open the ATT&CK Navigator for you guys: create a new layer, the Enterprise ATT&CK (there are layers for Mobile ATT&CK also, but we are just talking about the network and web application kind of attacks right now), I search APT29, choose threat groups, select all and close it; layer controls, color setup and fill the color like this, the lighter one. Now if you see in this, the highlighted ones, the highlighted in red or orange, right, these are the techniques used by APT group 29.

Now where are they starting? They are not doing any reconnaissance or resource development; they are starting from initial access: exploiting public-facing applications, external remote services, trusted relationship or valid accounts. Then they move to execution, then persistence, privilege escalation, defense evasion, and they go till command and control. They are not taking care of exfiltration; if they want to do exfiltration, they will do it, otherwise they will not. But most of the attacks that were seen and that were done by APT group 29, those attacks start from initial access till command and control, right, that's what they have done. So red teaming means that you are trying to find out, if let's say a group, APT group 29, tries to attack you, then what can they do, how much impact will they have on your organization, right. So you will be finding out whether they can exfiltrate any data, disrupt any services, take access of any critical servers, critical databases, every single thing. That's red team.
Now how is penetration testing different? So when we are talking about penetration testing, there also we are finding out vulnerabilities and exploiting the vulnerabilities. So when we are talking about penetration testing, my objective is (correct, Rajan, it's vulnerability-centric, right), my objective is to identify and exploit vulnerabilities in systems, applications and networks (correct Shiva, correct Faisal, yes Abdul, correct). So we are just focusing on identifying and exploiting vulnerabilities in the systems, applications or networks, right. In red teaming, we are simulating real-world adversaries to test overall resilience and detection or response capabilities, right. In penetration testing, when we talk about scope, scope means what are the things or what are the boundaries for me, right, what things I can test, what things I cannot test. In penetration testing that scope is narrow; it is focused on specific assets or specific applications. But when we are talking about red teaming, its scope is broad, covering the technical, physical and human attack surface as well. Then when we talk about the approach, the approach for penetration testing is goal-oriented, right: find as many vulnerabilities as possible. For red teaming, when we are talking about red teaming, it's threat-oriented: emulate the tactics, techniques and procedures of advanced persistent threats, right. And the duration, right, so duration means short term in penetration testing and long term in red teaming, so it can be from weeks to months. Now the thing is that when we are talking about the output: in penetration testing, we are providing the list of vulnerabilities, the proof of concept we have exploited, and remediation, that this, you need to change the code and you need to update the vulnerable functions in the application, and done, right. But when we are talking about red teaming, in red teaming what happens, you are providing first the narrative of the attack chain, the detection gaps, and then instead of remediation you will do response evaluation, right. Now response evaluation means that if this kind of attack happens, if someone else tries this type of attack, how your response should be, how fast you should detect and then react to it. So this is the difference between red teaming and penetration testing.

Next, why red teaming, when there is penetration testing in place? Why is red teaming needed? Penetration tests are loud; non-technical attack vectors might be overlooked; relaxation of security mechanisms, right. Apart from that, when we are talking about penetration testing being loud, so everyone in the organization knows that a pen test is being conducted, whereas in red teaming only the higher officials know, and we are testing all the defenses as well, right. Now in red teaming, why is it needed? Because it has realistic threat simulation, right, so it emulates nation-state actors, insider threats or advanced persistent threats. Then it is also doing defense validation, that is, whether the defenses that you are using in the organization are correct or not, right. Then there is holistic coverage, so it includes technical, physical and human attack surfaces, right. Continuous improvement: continuous improvement means it provides actionable insights to strengthen security posture and close the detection gaps, right. And there is executive awareness as well, right, so executive awareness means it demonstrates risk in business terms, showing leadership how an attack unfolds across the enterprise. So in short, red teaming is not about proving the systems can be broken; it is about preparing organizations to face evolving threats with confidence, ensuring that both technology and people are ready to respond when it matters most, right. So that is why we need red teaming.
Now we have the red teaming attack life cycle. So in the red teaming attack life cycle there are certain steps. The very first step is reconnaissance; reconnaissance means information gathering, right. Now in reconnaissance what happens, the attacker gathers intelligence about the target using OSINT, scanning and enumeration, so the goal is to identify vulnerabilities, right, employees and entry points from where I can get inside the organization, right, how to take the access, that is what should be in my mind, that is what should be my goal, right. After that there is initial compromise: initial compromise means the first foothold is gained, often through phishing, exploiting a vulnerability or stolen credentials, so this is the attacker's entry to the environment, right. Then we have establishing persistence, so attackers install backdoors, scheduled tasks or rootkits to maintain long-term access; in short they can return even if the initial access is discovered, right. Then escalate the privileges, right: if I land in a system, I got the username and password of the system, and after getting that username and password, I want to, let us say, get to the domain controller; I need to get to the critical server which is holding the whole Active Directory, or which is holding the credentials of all the employees in the organization, so I need to elevate the privileges, right. So I need to move from low-level accounts to root-level accounts, admin-level accounts, right, so you have to exploit the misconfigurations or kernel-based vulnerabilities. Then you have to do internal reconnaissance: mapping the internal network, identifying the high-value assets and locating sensitive data, similar to the initial reconnaissance, but now inside the environment: I need to know where I landed, what privileges I have, what things I can access, what things I cannot, right. Then lateral movement; what does lateral movement do? In lateral movement, you are expanding your access across systems using stolen credentials, remote execution or pivoting, so you are reaching critical servers or databases, moving from one system to another, right. And then the data analysis, so attackers sift through collected information to identify valuable data; it could include intellectual property, financial records or credentials. So exfiltration you will do after that, and your mission will be completed, so the data is extracted out of the network using encrypted channels or covert methods, right, and attackers achieve their objective, like financial gain, disruption or espionage.

Now here there is a thing called C2; C2 stands for command and control, right. Now this is how attackers maintain communication with the compromised system: C2, or command and control servers, issue commands, receive stolen data and coordinate the attack, right. So there are different stealthy C2 channels, like if you want to exfiltrate the data, so through HTTPS you exfiltrate the data, or through DNS tunneling you exfiltrate the data, right; that is for exfiltrating the data. Now the C2 that we use, it is mostly Cobalt Strike, right; there is Sliver, which we use; we can use the Empire framework, right; or if you want to just practice and you want to get a free one, like open source, there is PoshC2 that we can use, right. So this is the life cycle of a red teaming attack.

Now when we are talking about a red teaming engagement, how a red teaming engagement is carried out, what things are there, how much are you aware about it? Yes, privilege escalation. Lateral movement is done to achieve privilege escalation, right, so once you are moving from one system to another, if you find a system with more privileges, then you move there; that is also called lateral movement. But lateral movement is generally done to reach the critical servers, so you have to find a path, right. Now that path can be from one system to another system, from a normal system to an admin system, admin of the network, and then from the admin to the domain controller; it can be from your normal system to another normal system and then to the admin network and then the domain controller, right. So it depends where you are using which terminology. Yes, it is some part of privilege escalation, but according to the situation, you have to change the terminology that you are using, where to use lateral movement, where to use privilege escalation.
Now when we are talking about an overview of a red team engagement, right, so it is not just about hacking, but about simulating a realistic adversarial campaign with a defined mission, right. So in this case, what happens is the red team and white team agree on the exercise goal, right, and the goal of the exercise in this image, if you see, it is written: access the transactional database of the bank, right. So the red team acts as the attacker, right. Who are white teamers? Those who monitor during the simulated attacks, so white teamers are like managers; what they do, they oversee the exercise, they ensure the rules of engagement are followed and that the scope is clear, right. So unlike pen testing, which focuses on finding vulnerabilities, red teaming is mission driven: the objective is to test whether defenders can detect and respond to a realistic attack chain, right. So the workflow of a typical engagement: first you define objectives, right, then you will do recon, then after reconnaissance, attack execution, right, exploit vulnerabilities, escalate privileges and move laterally; then persistence and command and control, maintain access and simulate the adversary behavior; and then there will be mission completion, right, achieve the defined goal, like database access; and then there will be a debrief, share the findings with defenders, highlighting the detection gaps and response effectiveness, right. So we are using the red team assessment to test real-world resilience against advanced threats, while validating the incident response and SOC capabilities; it provides executive-level insights into risk exposure and strengthens the collaboration between offensive and defensive teams.

Now, in this red team engagement, if you see what we have, we have the goal to access the transactional database of the bank. The red team gathers the intel, sorry, the red team gathers the intel on the bank, and plans the strategy based on TTPs listed by APTs targeting similar financial institutions. Then phishing emails: do not open, employees won't; however, some users had already opened the malicious attachment, and the red team gained access to Bob's PC with Bob's privileges, right. Then local privilege escalation, right: so by applying various evasion techniques, it was possible to cloak a known local exploit to gain system account privileges without being detected. By dumping local accounts, a password hash for the local admin backup was obtained; the hash couldn't be cracked, though, right. Then lateral movement: a direct connection from Bob's PC to the database was blocked by a firewall; using pass the hash, it was possible to connect to the database administrator's PC using the backup user's password hash; using credentials found in a text file on the DBA's PC desktop, it was possible to access the database, right. And in the end, red, white and blue teams will check together how security controls can be improved in order to be ready for a real threat. So that's how the engagement happens, the red team engagement.
Now, when we are talking about initial access: initial access is the first foothold attackers gain in the target environment. It marks the transition from reconnaissance to active intrusion and sets the stage for the rest of the attack chain. Once inside, attackers can escalate privileges, move laterally and pursue their mission objectives, but first they have to get the access, right. Now the techniques which are used for initial access: phishing, right, malicious emails with attachments or links that trick users into revealing credentials or downloading malware, right. Yes Sumit, CVE exploitation is one of the ways, right. Then credential reuse: so if you found some credentials over the internet, like leaked credentials you have found, so yes, the leaked credentials can be reused, right. Or you can do password spraying: you got a list of user-like passwords over the internet, so what you can do is, you can just use that list against multiple services running and find out if any of the services are using a password from that list. Then exploiting exposed services, right, like RDP, VPN or web apps; those services which are running, maybe those services are vulnerable, so you can exploit that, right. Then supply chain or third-party access: now when we talk about the supply chain or third-party access, inserting malicious code into trusted software updates or third-party services, right, that is a supply chain attack. There can be drive-by downloads as well, right; drive-by downloads means exploiting browsers or plugins to install malware when a user visits a compromised site. Now what I'm doing is, I found a web application, I found a way by which I can inject some malware into the system, right, into a web application; now users who visit that web application with faulty plugins, old plugins, old versions of the browsers, their browsers will allow to install or download that particular malware, and you will have access to the system.

Now there is a way by which you can take initial access, right. Now one thing is, there is, let's say, an environment, right, that environment is an Active Directory environment; everyone knows what Active Directory is. Now what I have, I have a domain controller here, right, I have just created an Active Directory and this is the Windows Server which is holding the whole domain controller, right, and the domain name is marvel.local. Then there is a user of that particular Active Directory with the name fcastle, or Frank Castle: username fcastle, full name Frank Castle, right, and that's something which is present basically, right. Now this is the Windows Server; it has other users as well. Like if I show you other users, we have Active Directory Users and Computers, so these are the users: Administrator, Frank Castle, Guest, Peter Parker, SQLService and Tony Stark, right. So these are the users, and the services running: there is DNS Server running, there is Active Directory Certificate Services, Active Directory Domain Services, right. Now what happens is, if I have to take initial access: whenever you are doing an Active Directory assessment, every time in the assessment, you will always get a username and password, right. Now if you are not getting any username and password, then there should be a way; otherwise, most times you will always get a username and password, then you have to carry on the further attacks, that what attack you can do, to what vulnerability it's vulnerable, and reconnaissance and many other things you have to do, right.

So now when we are talking about the initial access here, let's say I don't have a username and password; one of the possibilities I am showing you: I don't have a username and password, so there is a possibility that in the Active Directory network they have enabled a protocol called LLMNR. LLMNR stands for Link-Local Multicast Name Resolution, right. So Link-Local Multicast Name Resolution is a protocol the same as DNS, but it cannot be routed over the internet, so it is a protocol which works internally, not like DNS, which works over the internet, right. Now LLMNR, sometimes if the Active Directory is not configured properly and it is not explicitly disabled, by default it will be enabled in the network, in the Active Directory network, and then when we are looking at LLMNR, it is triggered when DNS fails, right. Now when I am saying that DNS fails, it's not that the DNS server fails, the DNS server is down or not working; it means that the DNS is not able to resolve something or give you the answer, so that's why LLMNR is used. Now let's say there is a user, right, user one; user one sends a request to the DNS server: "Hi DNS, do you know where \\ABC is?", this shared folder, \\ABC. But DNS will say, "No, I don't know", if DNS is not aware about it or if there is a typo, right, so it will say, "No, I am not aware of where it is." Then what will the user do? User one will send that LLMNR request to all the users in the network: anyone who is aware where \\ABC is, right; if they are aware, they will reply back, if they are not aware, they will not reply back. But in this there comes an opportunity for the attacker: the attacker performs LLMNR poisoning. LLMNR poisoning means what the attacker is doing: the attacker is also part of the network, right, so when the user sends an LLMNR request to the network, that if anyone of you owns \\ABC, let me know, I want to connect, so others will not reply, but the attacker will reply: "Yes, I do, I am holding \\ABC, share me your credentials." The user will do what? The user will share the hash of its credentials; the attacker will reply back "access denied", and that's how the attacker has the hash of the user's password.
From the attacker's side, the person who is doing this thing, that is listening to all the traffic and then replying back that "yes, I know who has it" or "I have it, I have that shared folder", that is called Responder. So Responder is a widely used tool in the attacking, or in the offensive, side of security for performing LLMNR poisoning, NBT-NS poisoning, mDNS poisoning. So it has different servers, like DNS servers, HTTP servers, which keep on listening to the requests, and after listening to those requests, it can reply back, it can send fake replies.

Now, how to perform that, let me show you. Now the first thing what I will do is, I will start Responder in my system, or in my network, right, to look for what communication is going on all over the network. So I have to run Responder on an interface; so the interface, that means the adapter name, the interface name, so we will start it on eth0, where it will start listening, but I wanted to listen for DHCP kind of requests as well, that if someone looks for DHCP or other requests, so I will write -wd, for listening for all kinds of requests, right, if it is a request related to a web application, or if it is a DHCP request, and the rest of the requests also it is listening for.

Now, we are listening for everything. Now let's say there is a user; this is the user of the Active Directory. Now this user looks for, is there anyone at 192.168.179.132, like that, so the user searched for, if there is anyone with the IP 192.168.179.132 and if someone knows this, right. So if I go to Kali Linux, it says LLMNR poisoned answer sent for name HYDRA-DC, right. If you go to Windows 10, your Windows, it is not showing anything, right. Just a second, let's search for \\ABC. Now it is sending the poisoned answer, and in the back end the communication is going on. So what communication is going on? Windows 10 is asking the Windows Server, the DNS server running in the Windows Server, that hey, do you know where \\ABC is, or \\192.168.179.whatever IP; so it will say no, I don't know where it is. Then Windows 10 has sent a multicast LLMNR request in the whole network, that anyone who knows where 192.168... or \\ABC is. Now then my Responder running inside my Kali Linux replied back that yes, I know, and then they exchange the credentials, the hash of the password is shared between both of them, and now my Kali Linux has the hash of the user of Windows 10.

Yes, now how can you see the credentials? Now let me close this listening; we already have everything. cd /usr/share/.../logs, cat the text file; so these are the logs, and in those logs we have the hash captured; the username is fcastle, it's written, and the hash. Now when you want to crack the hash: can you ever crack the hash? We can never crack the hash; we can only resolve the hash. Now when we are cracking the hash, what I will do is, first thing, I will put the hash in a, what we say, in a file, so I have pasted it in a file; then we will use hashcat. Now what I am doing: hashcat is a tool which we use to resolve the plain text of the password. I have written -m 5600; can you tell what is 5600? So if you see, we have -m, that is called module. Every time you are putting a hash into hashcat, you have to specify what kind of hash you are loading into it, so if you are trying to upload a hash, you have to specify that hash type, otherwise hashcat won't be able to find out the plain text. So that's why I have written -m 5600, which is for the NTLM version 2 hash, the file name where the hash is present, and the plain text file which will be used to resolve the hash. So if I press enter: right now I am using the cloud, so it's not having GPUs, it may not give you the plain text, but if you are using a GPU, it will give you the plain text; but here also it has given you the plain text. The username is fcastle and the password is Password1. Now you can get the initial access. Now these are the ways by which you can take initial access.
now these are the ways by which you can take initial Xs, then we have enumeration,
Then we have enumeration. Now, when we are talking about enumeration, enumeration means finding out more information, right, about what the different types of accounts are there. Now, for finding that information, we have a tool called BloodHound. You might have worked with BloodHound, you might have seen BloodHound. So basically it has three parts. What it does: it is programmed to generate graphs that reveal the hidden relationships within an Active Directory network, and it also supports Azure, because we have Azure Active Directory (Entra). So BloodHound allows the attackers to identify the complex attack paths that would otherwise not be possible to identify. The blue team can use BloodHound to identify and fix those attack patterns. So, in the image that you are able to see, you can find out from where to where you want to reach, so you will be able to reach there: who has what access, where they have a session, where they don't have a session, everything you can find out.

So now the thing that I was telling you about, that BloodHound has three parts: first we have the GUI, so BloodHound has a GUI, then a data scraper, and a database, three things. The database name is Neo4j, so we must configure each one of them individually. So when we start with the GUI part, we have apt install bloodhound; BloodHound is already present in my system. Then, with BloodHound, Neo4j is present by default, so if you want to start, you just write neo4j console, and it will start the database. And then you have to start the GUI as well, so if I write sudo, enter the password, and bloodhound, that's how you start the GUI. Now it's opening BloodHound for me.

Now the thing is, when we have to extract the data, how will the data be extracted? It will be extracted using the data scraper. Now, the name of the data scraper is also bloodhound, and how you will install it: you just write pip install bloodhound; it's from Python. Now I'm just locating a file, nano-slash, your dc-slash, let me check the password. Let's first scrape the data; let's see how the data is scraped. I forgot the password for it. So for the data scraping, what we have to do, we have to use bloodhound-python, and then -u administrator, if you have the username and password. So the username and password we found was fcastle; if you have the admin username and password, then you can use the admin. fcastle, then -p password1, then after that you have to give the name server IP, -ns, the IP of the Windows server. Let me just check: ifconfig, IP of 179.131. The domain name, marvel.local, and -c All, so I want every single piece of data. Sorry, just a typo.

Now if you see, it tells you that it found one domain, found one domain in the forest, four computers, eight users, 52 groups, three GPOs, two OUs, 19 containers, and every single thing, the devices that are there, all of those devices. So if I do ls, you will see that there are JSON files present. These JSON files can be uploaded into BloodHound. Once you upload them into BloodHound, then you can see the connections: which user has which connection, where it can go, where it can communicate, where it cannot. So that is how you do the enumeration and find out the attack path.

Now if we see, in the same edge, there is centraridania.local, which has a session on seriridania.local, and it is admin to oxenfordredania.local, who has access to Geraltredania.local, and is a member of Domain Admins. So that's how, if you move from system to system, who has access to what, you can get the access of the domain admin. So this is how enumeration helps you. Once you have the enumeration, let's say you have done enumeration, you have found a way, a kind of attack, you did credential spraying, password spraying, some of the passwords you found; then after that, you will try to gather or find more passwords of other accounts. So, how do you do that credential hunting?
So, for credential hunting, we have something called LSASS. LSASS stands for Local Security Authority Subsystem Service. Now, the Local Security Authority Subsystem Service is a process that is running in your system; whenever you enter the password in your system, the password is converted into a hash and it is compared with the password in the database. That work is done by LSASS. So, once you have access to the system, you can create a memory dump: attackers dump the LSASS process memory, since LSASS stores the cached credentials, hashes and tickets. Then credential files and registry: Windows stores credentials in files or registry hives. So, in Windows, it is the SAM, the Security Account Manager database. Attackers extract the passwords or cached credentials from these. Then browser and application secrets: modern browsers and apps store saved passwords, tokens and session cookies, so attackers target these to hijack accounts and reuse sessions. And then service account credentials, like in our Active Directory there was a SQL service running. There are multiple service accounts; they have elevated privileges and they are used for automation. If they are compromised, they provide attackers with powerful access across the systems.

Then, next we have the ways to perform lateral movement. So, when we talk about lateral movement, we can use the pass-the-hash or pass-the-ticket technique. In this stage, when you have initial access, you have to expand your reach across the network to access higher-value systems and data. So, instead of staying confined to the first compromised machine, attackers use different techniques. Pass the hash means attackers use a tool and authentication tokens or the password hash without needing the actual password. Clear-text credential reuse: if credentials are stored or transmitted in plain text, attackers can capture and reuse them, extracting the saved password from configuration files or memory dumps and then using that same password.
Then, privilege escalation. Now, there are attacks like the DCSync attack, pass the hash, if pass the hash works. So privilege escalation can be done. You can move from one user to another user: you are a standard user, if you move to IT help desk and then system admin, root, that is again privilege escalation. It depends what kind of privilege escalation you are doing, horizontal or vertical. So, you are moving from one place to another.

Then we have persistence. Now, when we talk about persistence, persistence means that the way through which you took access to the system, if that way or that technique is closed, or the attacker, sorry, the organization deployed some mitigation, how will you take access again? So your goal is to maintain long-term access. You can do registry manipulation: attackers modify registry keys so malware runs automatically at startup. Then there are scheduled tasks: malicious tasks are created to execute payloads at specific times or specific intervals, so it ensures repeated execution without user interaction. You can do service hijacking: attackers replace or modify legitimate services to run malware with elevated privileges. Then DLL side-loading: malware disguises itself as a dynamic link library that a legitimate application loads, so it exploits the trust. WMI event subscription: Windows Management Instrumentation is abused to trigger payloads based on system events. Now, these are the techniques that we use.
When we talk about the blue team overview: in the blue team, everything comes under the SOC now. SOC is the Security Operations Center. It is like the command center of cyber security, where professionals continuously monitor, detect and respond to threats against the organization. So the SOC manager oversees the SOC team. The security analyst is the first line of defense, monitoring the alerts and investigating suspicious activity. The incident responder handles the confirmed security events. The threat hunter proactively searches for hidden threats that automated tools might miss. The vulnerability analyst identifies and prioritizes weaknesses. The forensic analyst investigates incidents after they occur. The compliance analyst ensures that the organization follows laws. So, when you are talking about the offensive side of security, all these people work together to detect and stop the attacks, monitor the attacks. If they are not able to do that, then in the debrief session we tell the team where you lagged, where your incident response lagged, so that they can make their detection better. That is the work of the blue team.
InfosecTrain
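The episode describes BloodHound walking HasSession, AdminTo and MemberOf edges from a foothold user to Domain Admins, and says the blue team can use the same graph to fix those paths. The following is an added example, not code from the episode or from BloodHound itself: a small breadth-first search over constructed edges of those three kinds, with a helper that removes one edge so a defender can confirm that clearing a session or a local-admin grant actually breaks the path. All node names are constructed sample values (the domain name marvel.local and user fcastle are the only ones taken from the demo).

```python
"""Added example (not from the episode or from BloodHound): find the shortest
path from a foothold user to Domain Admins over BloodHound-style edges and
check whether removing one edge (a defender's fix) breaks that path."""
from collections import deque

# Constructed sample edges. Edge kinds follow BloodHound's naming:
#   AdminTo    user/group -> computer  (local admin rights on that host)
#   HasSession computer -> user        (user's logon session, creds in LSASS)
#   MemberOf   user -> group
SAMPLE_EDGES = [
    ("FCASTLE@MARVEL.LOCAL", "AdminTo", "SPIDERMAN.MARVEL.LOCAL"),
    ("SPIDERMAN.MARVEL.LOCAL", "HasSession", "PPARKER@MARVEL.LOCAL"),
    ("PPARKER@MARVEL.LOCAL", "AdminTo", "THEPUNISHER.MARVEL.LOCAL"),
    ("THEPUNISHER.MARVEL.LOCAL", "HasSession", "ADMINISTRATOR@MARVEL.LOCAL"),
    ("ADMINISTRATOR@MARVEL.LOCAL", "MemberOf", "DOMAIN ADMINS@MARVEL.LOCAL"),
    ("HULK.MARVEL.LOCAL", "HasSession", "FCASTLE@MARVEL.LOCAL"),
]

def build_graph(edges):
    """Adjacency map: source node -> list of (edge_kind, target node)."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph

def shortest_attack_path(edges, start, goal):
    """BFS from start to goal. Returns [(src, kind, dst), ...] in order,
    or None when the goal is unreachable (i.e. the path has been fixed)."""
    graph = build_graph(edges)
    parent = {start: None}          # node -> (previous node, edge kind)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parent[node] is not None:
                prev, kind = parent[node]
                path.append((prev, kind, node))
                node = prev
            return path[::-1]
        for kind, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None

def without_edge(edges, src, kind, dst):
    """Model a remediation, e.g. logging the admin off a workstation
    (drops a HasSession edge) or revoking local admin (drops AdminTo)."""
    return [e for e in edges if e != (src, kind, dst)]
```

Running `shortest_attack_path` before and after `without_edge` shows which single relationship the blue team must break to remove the route to Domain Admins.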