Talkin' Bout [Infosec] News

337 episodes — Page 7 of 7

Webcast: A Blue Team's Perspective on Red Team Hack Tools

Kent and Jordan are back to continue their journey to make the world a better place. This time around, they will be reviewing a series of tools commonly used on pentests to identify flaws in Active Directory and general network design and implementation. You've probably heard of most of them, like BloodHound, ADExplorer, Mimikatz…, wait, Mimikatz as a Blue Team? Yeah, it might be a bit of a stretch, but they'll get there. Even better, with an introduction to various adversarial simulation frameworks, you can start your own journey of constant improvement. Nmap, CrackMap, BingMaps, and Domain Password Spray. (Re: BingMaps — just checking to see if you're actually reading these; at this point, our response rate records keep getting shattered, and we just want someone to call us out – the BingMaps API is really cool though). In a world seemingly gone mad, come find some solace with these two as they share new discoveries, a tool drop from Kent (which will potentially change the BloodHound game), and more. Let's help the world detect attacks at a higher rate! Let's skew the Verizon DBIR's reported numbers! Let's get better together!

Thanks, as always, and we look forward to spending time with those of you who can join us.

(00:00) - Big Fish
(00:28) - Question & Enhance
(02:51) - Executive Summary
(03:58) - Executive Problem Statement
(08:48) - Red Team Tools are Red Team Tools
(13:39) - Optics(3)
(16:22) - SIGMA and SIGMAC
(22:13) - Red Team Tool : Responder
(25:35) - Red Team Tool : CrackMapExec
(29:57) - Red Team Tool : DomainPasswordSpray
(38:48) - Red Team Tool : Mimikatz
(46:41) - Red Team Tool : BloodHound
(50:59) - Blue Team Tool : PlumHound
(58:38) - Final Thoughts

Jun 8, 2020 (1h 0m)

Webcast: How to Hunt for Jobs like a Hacker

Job hunting? Looking for a career change? Still in college and want to know how to get started now in your career? If you answered yes to any of these questions, this might be the BHIS webcast for you. This webcast is an update to Jason's popular recorded DerbyCon 2016 talk — How to Social Engineer Your Way Into Your Dream Job. If you don't want to wait, you can watch that now: https://youtu.be/__lvS2pjuSg

What is covered?

* How to combine OSINT, marketing technology, and a hacker/social engineer mindset to job hunting
* How to be a hunter of jobs… not just a seeker of jobs
* How to write your resume during the job hunt
* You might already have your dream job

The hope of this webcast is that you'll look at job hunting differently and apply the skills and techniques in an effective way to help you get the career of your dreams… or at least a job for now that will help you get to the career of your dreams in the next 5 years.

Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5

(00:00) - Infosec Sad Plant's Last Day
(00:30) - Pandemic Prologue
(02:34) - Time to Meet the Bobs
(04:20) - Be Prepared: Kings and Succession
(05:50) - Climbing the Walls of Awful
(08:35) - Another Crack In The Wall
(09:49) - whoami?
(11:58) - Pitch Perfect
(12:53) - Step 1: Cut a hole in the bo... I Mean Set Your Requirements
(15:10) - Engineering Reverse
(15:44) - Enough is Enough, or is it?
(17:30) - Step 2: Top Ten Companies
(18:45) - Hunt V1, Hunt V2, Hunt V3
(20:17) - Document For the People
(24:43) - Step 3: HUNT! - TOP TEN
(39:20) - Jobs Don't Hire People, People Hire People
(39:58) - Step 3: HUNT! - Discovery
(48:23) - Step 3: HUNT! - Internal
(50:22) - Step 4: Make Contact
(53:29) - Step 5: Interview
(54:21) - I'm Sorry, But Your Princess Is In Another Castle
(55:23) - Step 6: Decide
(57:16) - Be Prepared! (reprise)
(59:54) - A Bunch of Requestions

Jun 3, 2020 (1h 29m)

Webcast: Kerberos & Attacks 101

Join the BHIS Discord discussion server: https://discord.gg/aHHh3u5

We're really excited to have a close member of our BHIS extended family, Tim Medin from Red Siege InfoSec, here for a webcast on Kerberos & Attacks 101. Tim is the creator of Kerberoasting. Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We'll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.

(00:00) - 45 Seconds of Banter
(01:16) - The Creator Of Kerberoasting
(02:19) - What Is Kerberos?
(05:21) - How It Works
(09:54) - PAC: Privilege Attribute Certificate
(12:58) - Service Ticket
(14:43) - SPN : Service Principal Name
(16:53) - Three Long Term Keys
(24:10) - I Got A Golden Ticket
(25:28) - Ticket Flow
(28:20) - Skeleton Key
(31:13) - Kerberoasting On an Open Firewall
(33:54) - Extract and Crack
(34:35) - Silver Ticket
(35:56) - Insert Demo Here
(37:55) - Cracking Tickets To Get You Out Of Server Jail
(44:23) - Trollmode Engaged
(45:56) - Pass-The-Ticket
(46:36) - Over-Pass-The-Hash
(47:08) - Wrap-Up
(53:07) - We Have Some Questions
(59:56) - 45 More Seconds of Banter

May 26, 2020 (1h 0m)

Webcast: Free Tools! How to Use Developer Tools and JavaScript in Webapp Pentests

I like webapps, don't you? Webapps have got to be the best way to learn about security. Why? Because they're self-contained and so very transparent. You don't need a big ol' lab before you can play with them. You can run them in a single tiny VM or even tiny-er Docker image on your laptop. And so long as you're attacking your own stuff, it's easy to stay out of trouble. You're up and running in the time it takes for a single download. And the transparent part? Ever since "view source" in the earliest web browsers, it's been easy to see exactly what's going on in a webapp and in the browser. Every webapp you ever use has no choice but to give you the (client-side) source code! It's almost like there's no such thing as a "black box" webapp pentest if you think about it… Anyhow – the Developer Tools in Firefox (and Chrome) are what happens when you take "view source" and add 25 years or so of creativity and power. We'll look at the Developer Tools in the latest Firefox with a pentester's eye. Inspect and change the DOM (Document Object Model), take screenshots, find and extract key bits of data, use the console to run JavaScript in the site's origin context, and even pause script execution in the debugger if things go too fast… Maybe we'll convince you that you can realistically do a big chunk of a webapp pentest without ever leaving the browser.

Join the BHIS Discord channel — https://discord.gg/aHHh3u5

Download the slides: https://www.activecountermeasures.com/presentations/ (BHIS_Webcasts)

(00:00) - A Shady-White Slideshow with "FREE TOOLS!" On the Sign
(00:35) - The Way Back Machine
(10:16) - Always Be Learning
(16:55) - The Path to the Developer Tools
(23:14) - Console Separately From a Window
(28:44) - The Network Tab
(33:57) - Storage Tab
(35:45) - All The Cookies
(37:42) - The Inspector Gadget Thingy
(41:46) - Debugger
(42:08) - Customize the Tools
(42:18) - Console Tricks

May 6, 2020 (46 min)

Webcast: How to Build a Home Lab

This is a joint webcast from Black Hills Information Security and Active Countermeasures. How many of us have tried some new configuration option, utility, or hardware on a production environment, only to crash a critical piece of the business? (me raising hand…) It's amazing how quickly we learn not to do that! Now we have to decide – do we stop trying out new things because we're scared of causing problems, or do we come up with a safe way to play and learn? We're going to cover how to set up a Home Lab – an isolated environment where you can test new hardware, programs, and applications. By keeping this totally separate from everything else, you get free rein to play without risk to your other systems – and without risk of breaking any company policies! We'll cover how to set this up, the equipment needed, and how to configure these. Best of all, you can use throwaway hardware to do it!

Join the new Threat Hunting Community Discord discussion server: https://discord.gg/JmXpQFD

Download slides: www.activecountermeasures.com/presentations

(00:00) - You're In Charge
(02:06) - Ok. But Why?
(07:18) - The Network Layout
(09:43) - (John's Spaghetti)
(20:38) - Project Hardware
(26:06) - Firewall
(29:21) - Switch
(30:53) - Wireless AP
(36:49) - Sentinel
(38:33) - File and Drive Image Transfer
(41:04) - Laberv
(43:41) - Guinea Pigs
(44:46) - John's Setup Porn
(46:44) - HELK
(47:35) - Beaker
(48:13) - Creating Evil
(49:48) - Recording
(50:14) - Incrementally Opening Up the Firewall
(51:50) - Software
(53:31) - Packet Capture
(54:25) - Network Monitoring
(55:09) - Scanning
(56:12) - Disk Imaging
(56:43) - On a Budget – What's Critical
(57:04) - Closing Notes
(58:05) - Questions
(01:01:28) - See Something Cool

Apr 27, 2020 (1h 14m)

Webcast: Pandemic Paradigm Shift: Remote Working is the New Normal

What does it mean to work from home across your corporate VPN? What exactly is a VPN? Is your home office prepared? How can you improve and better secure your home network? Is your corporate network ready for the change in IT environment network access? Join us to explore these topics, and describe some potential actions you can take to improve your home office and network environment.

And join the BHIS Discord to discuss all of this — https://discord.gg/ST5NdFu

Download slides: https://www.activecountermeasures.com/presentations

(00:00) - We're Not In Normal Anymore.
(02:35) - Viral Pandemic Networking (VPN)
(08:05) - Home Office Runner
(11:47) - What's Your Frequency, Kenneth?
(17:48) - It's Always DNS
(19:43) - Secure The Perimeter
(24:05) - Game Recognizes Game
(28:26) - Master of Your Domain
(44:08) - Solutions, Solutions, Solutions
(47:51) - Remote Workers Unite! Individually In Your Own Homes.
(51:41) - Questions and Answers

Apr 1, 2020 (58 min)

Webcast: How (we) Run a Virtual Conference and How You Can, Too

The team at Black Hills Information Security and Wild West Hackin' Fest had to pivot from doing an in-person information security conference in San Diego to a 100% virtual conference with 6 days of notice. We had a little bit of experience doing a hybrid in-person/virtual conference in November 2019 (with 10 days' notice). The response from the 400+ attendees about the virtual conference was overwhelmingly positive. We did it and you can do it, too. In this webcast, we discuss how it all happened, including how we ended our agreement with our venue. We talk about all the things we learned and what we'd do differently next time.

(00:01) - Trust Us, We're Not Experts
(01:11) - Suddenly Virtual
(03:46) - Venue Vámonos
(12:29) - What Now?
(19:29) - Let's All Go To The Lobby (and have ourselves a chat) - LobbyCon/Discord
(32:55) - A Stream of Logistics
(44:00) - The Calm
(46:38) - The Storm
(52:19) - The End Credits Scene
(57:12) - Any Questions?

Mar 25, 2020 (1h 7m)

Webcast: Think You're Compromised? What Do We Do Next?

In this webcast, we will cover what we can do if we think there is a breach on our network. We will cover live forensics, cool PowerShell scripts, network and event log analysis, cool IR spreadsheets, and checklists. We will also be covering the status of our ELK project for reviewing Event ID 3 from Sysmon. So, a lot… Yep… A crazy amount.

Download slides: https://www.activecountermeasures.com/presentations

(00:00) - Intro
(01:18) - Ok, But Why
(02:49) - Have It The Wrong Way
(05:07) - Have It The Right Way
(07:30) - Lego My Incident Response
(08:56) - Monologging On Mute
(12:28) - Wouldn't Be Prudent
(15:00) - Better Than Bad, It's Good
(22:04) - A Van Full of Free Tools
(44:41) - CSI: Memory
(45:32) - We Got Cheat Sheets if You Want Some Cheat Sheets
(47:51) - Overlapping Venn Diagrams
(50:17) - Questions in the Wild
(59:46) - Sucking at Capitalism

Mar 11, 2020 (1h 2m)

Webcast: Enterprise Recon For Purple Teams

Do you know what your attackers know? There's a good chance you know, but you might not be aware of just how much information can be found historically and in real-time about your business operations and organization. Join Jordan Drysdale and Kent Ickler as they discuss and demonstrate Purple Team Enterprise Reconnaissance methods that increase operational network awareness and overall security posture.

Learn how to monitor cloud services for your organization's data being dumped on the web, account compromises, and source code disclosure. Use external services to keep an eye on your external landscape to alert on unexpected changes. See how configurations of operational awareness uncover a potential attacker's methodology and infrastructure to give you the upper hand in stopping threats before they escalate. See how an attacker utilizes common internet sources to gather intelligence about your technology stack, your perimeter security, and your wireless networks, and to plan attacks against your organization. Know what your attacker knows.

Download slides: https://activecountermeasures.com/presentations

Wild West Hackin' Fest – Most Hands-On Infosec Con! Join us at the new Way West Wild West Hackin' Fest in San Diego — March 11-13th, 2020. Learn more: https://www.wildwesthackinfest.com/

(00:00) - Intro
(00:42) - Executive Problem Statement
(02:25) - Recon You Say?
(06:11) - Your Internal Friends... Sometimes
(09:01) - What Does Purple Team Do, Exactly?
(10:13) - There Are A Ton Of Sources Out Here
(49:55) - And Now For Some Crappy Code

Feb 19, 2020 (1h 1m)

Webcast: Linux Command Line Dojo with Hal Pomeranz

In this webcast, we have our friend Hal Pomeranz sharing his massive knowledge on Linux. If you're new to Linux, or if you know it and just want to hear from Hal's years of using and teaching all things Linux, then this is the webcast for you.

Download slides: http://www.deer-run.com/~hal/CLDojo.pdf

From Hal: The Linux command-line is an amazingly powerful programming environment. Mastering its functionality can make you enormously more productive. Sensei Hal gives you critical insights into tackling difficult command-line challenges in this fast-paced and entertaining presentation.

Who is Hal? Hal Pomeranz is the Founder and Technical Lead of Deer Run Associates, a consulting company focusing on Computer Forensic Investigations and Information Security. He has spent more than twenty years providing pragmatic Information Technology and Security solutions for some of the world's largest commercial, government, and academic institutions. An expert in the investigation of Linux/Unix systems, Hal has provided Computer Forensic investigative support for several high-profile cases to both law enforcement and commercial clients.

(00:00) - Intro to Hal 9000
(04:05) - It's A UNIX System
(07:34) - Who's Trying Naughty URLs?
(27:07) - Care About the Environment
(48:24) - Questions & Answers

Feb 17, 2020 (1h 0m)

Webcast: Introducing Competitive Backdoors & Breaches and More!

Backdoors & Breaches kind of took off. In case you don't know, Backdoors & Breaches is an Incident Response Card Game to help people better understand the various attacks and defenses used in security today. We have sold out twice on Amazon, given out thousands of copies for free at conferences, and sent 2,000+ free decks to infosec educators (with a few thousand more decks to go). As a standalone game, with an Incident Master driving the narrative, it works really well. However, we have something else that we have been working on… Competitive Backdoors & Breaches. Yes, you can play this game against your co-workers. It just takes at least two decks. In this live webcast, we will be covering: advice for being an Incident Master; playing the regular game with remote teammates; answering many of your questions about gameplay; and introducing the rules on how to play this game competitively against another player.

Download slides: https://www.activecountermeasures.com/presentations

(00:00) - Kinda Goofy
(04:38) - Ok, But Why?
(05:55) - State of Play
(09:27) - Initial Compromise Card
(10:31) - Persistence Card
(11:53) - C2 and EXFIL Card
(14:01) - Pivot and Escalate Card
(14:36) - Procedures Card
(16:27) - State of Play
(17:51) - Initial Setup
(20:13) - Resource Points (RP)
(25:41) - Building the Kill Chain
(28:20) - Attack in Depth
(29:20) - Completing the Kill Chain
(31:31) - Defend Rolls
(34:33) - For Example
(37:29) - Let's Play a Game
(47:39) - Any Questions?

Feb 12, 2020 (1h 3m)

Webcast: Getting Started in Cyber Deception

Ever wanted to get started in cyber deception? Ever wanted to do it for free? In this BHIS webcast, we will cover some basic, legal, and easy tools/techniques to get you started in working with low interaction honeypots to serve as an early warning of attacks. We will also be sharing a recipe for making wine out of pentester tears. Because attacker tears make the best wine.

This webcast was originally recorded live on January 23, 2020 with John Strand.

Download slides: https://www.activecountermeasures.com/presentations/

(00:00) - Introduction
(01:00) - A Few Cool Things
(06:00) - Beginnings of Cyber Deception
(09:08) - Conversations
(16:34) - Canarytokens
(18:42) - Scenario: Recon
(23:02) - .exe
(36:13) - Cloned Websites!
(39:07) - Word Docs!!!
(47:41) - One Step Forward
(51:58) - Honeybadger Update
(53:56) - Back To Threat Intel
(55:21) - How We Use It
(56:03) - Questions

Feb 10, 2020 (59 min)

Webcast: Passwords: You Are the Weakest Link

https://media.blubrry.com/bhis/content.blubrry.com/bhis/BHIS_Podcast_Passwords_Youaretheweakestlink.mp3

Why are companies still recommending an 8-character password minimum? Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data. Because of newer attack methods and increased computing power, password minimums need to be increased to 15 characters to keep networks safe.

Originally recorded as a live webcast on December 5th, 2019. Presented by: Darin Roberts & CJ Cox.

On this BHIS Webcast, Darin & CJ discuss:

* Current password policies: BHIS recommendations, Microsoft, Google, Apple, NIST
* Why do we recommend 15 characters – brute force, password crack, LM Hash
* Passphrase vs. password
* Recommended password policy summary

Download Slides: https://www.activecountermeasures.com/presentations

(00:00) - Start
(01:04) - Introduction
(03:26) - In The Beginning
(04:23) - What The Experts Say : PCI
(05:55) - What The Experts Say : Microsoft
(09:29) - What The Experts Say : NIST
(16:01) - What The Experts Say : Google
(16:28) - What The Experts Say : Apple
(16:42) - Still More Experts
(17:49) - Why 15 Characters
(18:06) - Brute Force
(18:44) - Password Spray
(22:48) - Password Cracking
(23:25) - A Hashing Algorithm
(24:07) - More About Hashes
(25:49) - So What Is Password Cracking
(27:16) - Windows Hashes
(27:42) - The LM Hashing Algorithm
(29:46) - LM Hash Is "Weak"
(30:55) - LM Vs. NTLM Cracking
(31:14) - Why 15 Character Passwords – Answer
(32:06) - CJ's Response to the Problem
(36:32) - Let's See the Math
(37:09) - Math Examples
(40:30) - From the Field
(42:47) - Would You Like To Play A Game?
(45:03) - Take Aways
(46:46) - Are You Really Going To Let This Guy Decide
(48:33) - Audience Questions & Comments

Jan 17, 2020 (1h 0m)

Webcast: Sacred Cash Cow Tipping 2020

Want to learn how attackers bypass endpoint products?

Last year we came to the conclusion that we are going to keep going with the Sacred Cash Cow Tipping Webcast series. Why? Because many in the industry still believe that security is something that can be achieved through the purchase of a single product. To that end, we feel there is still a need to deconstruct certain parts of security (like AV) and show that there are always structural weaknesses in every security product that is implemented. This is becoming even more important now that many of the advanced endpoint products are not just fire-and-forget but have an endless array of different configurations that enable a company to shoot themselves in the foot by reducing the overall effectiveness of these products. So, yes, Sacred Cash Cow Tipping is more important than ever. To that end, our next webcast will be on bypassing endpoint security products. The goal of this webcast is to help show people that there is still no silver bullet in security. We also desperately want to show that configuration and monitoring still matter. This is our first webcast of the year. It may run longer than 60 minutes. It will be recorded. We will have a team of Black Hills Testers answering questions throughout the webcast. We have room for 3,000 attendees, so you will be able to attend live if you want.

Download slides: https://www.activecountermeasures.com/presentations/

(00:00) - Intro
(03:41) - Alternate Interpreters
(09:19) - Carbon Black Config Issue
(15:07) - Cisco AMP EDR - Quick and Easy Bypass
(18:24) - PowerShell AMSI Bypass – Rhino
(19:07) - CylancePROTECT Bypass
(24:14) - Windows Defender and Carbon Black Bypass
(30:36) - Windows Subsystem for Linux
(39:59) - PowerShell HTTP Web Cradle for Downloads

Jan 14, 2020 (1h 0m)

Webcast: Let's Talk About ELK Baby, Let's Talk About You and AD

BHIS' Defensery Driven Duo Delivers Another Delectable Transmission! We know you are worried about your networks. After hours of discussion, we've come to the realization that some of our dedicated followers seem to be much more interested in catching malware than learning how to be (please forgive this next statement) "l33t hax0rs."

Download slides: https://www.activecountermeasures.com/presentations/

(00:00) - Intro
(02:47) - Why Are We Doing This?
(05:07) - AT7: The Logs You Are Looking For
(07:41) - AD Best Practices to Frustrate Attackers
(09:37) - AT 5 – Complete Takedown & AT 6 – IOCs
(12:04) - Blue Team-A-Palooza
(14:22) - Windows Logging, Sysmon and ELK – Part 1
(16:45) - Implementing Sysmon and Applocker
(21:45) - ...And Group Policies That Kill Kill-Chains
(22:31) - Here Are Some Important Blogs
(23:35) - Summary Complete
(25:28) - Introducing the Atomic Red Team
(27:50) - Installing the Atomic Framework
(29:29) - Squibbly Doo
(30:46) - The Results
(31:29) - Let's Take A Step Back: The Atomic Tests
(32:18) - Another Step Back: WEF / Winlogbeat Config
(33:41) - Executing T1015
(34:26) - Catching Executables
(41:05) - Executing T1003
(42:02) - ElastAlert
(43:21) - Now, On the ATT&CK
(44:20) - Not Sure If That's a Wrap Yet. (It's Not)
(47:11) - Check Out Our Dashboard

Jan 7, 2020 (58 min)

BHIS Podcast: Py2K20 - Transitioning from Python2 to Python3

In this podcast (originally recorded as a live webcast), we talk about the 2020 End of Life for Python2. We address what the short- and medium-term impacts will likely be. Key language differences will be highlighted with techniques to modify your code to be forward compatible. As a SANS instructor teaching SEC573: Automating Information Security with Python, over the past three years, I have steadily moved my teaching materials, examples, demonstrations, and personal coding to Python3. In this process, I have had to break habits and learn new habits to write Python3-compatible scripts. I also spend considerable effort showing people how to write Python2 scripts which are forward compatible with Python3 in order to ease the transition. The largest barrier that most people struggle with is the idea that Python3 has changed the default string encoding to UTF-8 rather than simple byte encoding. Once you learn how to manage your string objects, the remaining transition issues are mostly modern improvements to the language which most people consider advantageous to adopt. Since Python2 will no longer have active releases after 2020, it is important to embrace the change and move forward with the Python scripting community.

May 31, 2019 (54 min)

Podcast: Attack Tactics 6! Return of the Blue Team

Download slides: https://www.activecountermeasures.com/presentations

In this webcast we walk through the step-by-step defenses to stop the attackers at every step of the way we showed in Attack Tactics Part 5!!!

May 30, 2019 (56 min)

Podcast: Weaponizing Corporate Intel. This Time, It's Personal!

Beau Bullock & Mike Felch // Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester performs up front.

May 11, 2019 (56 min)

BHIS Podcast: Weaponizing Corporate Intel: This Time, It's Personal!

Lately, it seems like recon is just not getting as much love as it should. Well, time to change that. In this podcast, we discuss some new tips and tricks... And!!!! We released a new tool -- FireProx.

Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester performs up front. Oftentimes testers only resort to using publicly available tools, which can overlook critical assets. In this one-hour BHIS podcast, we begin by examining some commonly overlooked methods to discover external resources. Next, we show how to discover employees of a target organization and quickly locate their social media accounts. Finally, we strategically identify and weaponize personal information about the employees to target the organization directly using new attack techniques. Listeners will learn an external defense evasion method, a new process to gain credentialed access, and we'll give a demo on a newly released tool — FireProx! While the approach is designed to assist offensive security professionals, the webcast will be informative for technical and non-technical audiences, demonstrating the importance of security awareness for everyone. - BHIS

May 10, 2019 (56 min)

BHIS PODCAST: Tracking attackers. Why attribution matters and how to do it.

In this BHIS podcast, originally recorded as a live webcast, we cover some new techniques and tactics on how to track attackers via various honey tokens. We cover how to track with Word Web Bugs in ADHD, and cover the awesome toolkit from Thinkst.

Mar 18, 201954 min

Ep 1 · BHIS PODCAST: Endpoint Security Got You Down? No PowerShell? No Problem.

Do your PowerShell scripts keep getting caught? Tired of dealing with EDRs & Windows Defender every time you need to pop a box? In this one-hour podcast, originally recorded as a live webcast, we introduce a somewhat new Red Team approach that we call BYOI (Bring Your Own Interpreter). Turns out, by harnessing the powah of C# and the .NET framework you can embed entire interpreters inside of a C# binary. This allows you to dynamically access all of the .NET API from a scripting language of your choosing without going through PowerShell in any way! We also cover some basic .NET & C# concepts in order to understand why this is possible and all the hype surrounding offensive C# tradecraft. Additionally, we demo SILENTTRINITY, a post-exploitation tool we have developed that attempts to weaponize the BYOI concept *AND* dropped a pretty huge update for it live during the webcast! This podcast was originally recorded on 2/14/2019 as a live webcast with our very own Marcello Salvati. P.S — You can get SILENTTRINITY here: https://github.com/byt3bl33d3r/SILENTTRINITY Also, you can now register for our Cyber Deception class at Black Hat 2019 here: https://www.blackhat.com/us-19/training/schedule/index.html#a-guide-to-active-defense-cyber-deception-and-hacking-back-14124

Mar 6, 2019 · 54 min

Ep 1 · BHIS PODCAST: Network Threat Hunting Runbook

We all know what threat hunting is in general terms; it's when we actively search our network for compromised systems. But what does that mean exactly, and what process should we be following? Can I simply check network traffic to see if the evil bit is set, or is there a bit more to it than that? In this podcast, originally recorded as a live webcast, we walk you through the methodology of doing a network threat hunt. We talk about what steps to perform and in what order. We also look at some of the tools and online resources you can leverage to expedite the process. In short, this podcast is a runbook you can leverage for validating the integrity of each of your internal endpoints.

Feb 28, 2019 · 51 min

Ep 1 · BHIS Podcast: Blockchain and You! InfoSec Edition

Take a good look at Bitcoin right now… these are the unlucky ones. These are the unfortunate souls who jumped on another overinflated balloon. But does this Bitcoin crash completely undermine all blockchain technologies? Since Bitcoin is crashing and burning, we figured it would be a good time to have a webcast on blockchain security issues and why blockchain still matters. Is it all hype? Is it all just a slow-motion train wreck? Why, exactly, should a security practitioner care? There are so many cool applications, and more than a few crazy, stupid applications. With the crazy applications come crazy security issues… beyond the 51% attack. This podcast was recorded as a live webcast on 2/3/2019. We were joined by Beau Bullock, BHIS Tester and host of the Coinsec Podcast. And no… we did not give investment advice. Please, please do not ask us what coin is the best to get a 1,000% return on investment in 12 months. We all got enough of that crap over the holidays. That and fixing printers and fax machines.

Feb 27, 2019 · 57 min

Ep 1 · PODCAST: Sacred Cash Cow Tipping 2019

Yet again it is time for another edition of Sacred Cash Cow Tipping! Or, “Why do these endpoint security bypass techniques still work? Why?” The goal of this is to share just some of the ways Black Hills Information Security bypassed endpoint security ...

Jan 15, 2019 · 46 min

Ep 1 · PODCAST: RDP Logging Bypass and Azure Active Directory Recon

For this podcast we cover a couple of different topics. First, we talk about how to password spray in a non-attributable sort of way. Beau found a way to obfuscate what RDP logs record when launching password spraying attacks.

Dec 28, 2018 · 53 min

Ep 1 · PODCAST: BHIS Sorta Top Used Tools of 2018

In this webcast we cover some of the core tools we use all the time at Black Hills Information Security. However, there’s a twist. We don’t talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new (and older) tools we use that fall o...

Dec 17, 2018 · 50 min

Ep 1 · PODCAST: Raising Hacker Kids

Yes... Ethical Hacker Kids. The holidays are coming up! Here John & Jordan cover the different games, tools, and gifts we can give kids that help teach them the trade. There is nothing, nothing like sitting around with family picking locks,

Dec 4, 2018 · 46 min

Ep 1 · PODCAST: Blue Team-Apalooza

Over the past few months, we have discovered a couple trends that organizations seem to be missing. No silver bullets, just some general vulnerability issues we are seeing again and again. In this podcast, Jordan & Kent give a few pointers and some new...

Nov 15, 2018 · 48 min

Ep 1 · PODCAST: Creating & Keeping a Malware Zoo

Creating and Keeping a Malware Zoo with John Strand

Oct 9, 2018 · 41 min

Ep 1 · PODCAST: John Strand’s 5 Year Plan into InfoSec Part 2

John Strand shares some of his own journey into information security, and also his ideas and tips for those wanting to get into the industry from the start, or those looking to change career paths midstream.

Sep 24, 2018 · 49 min

Ep 1 · PODCAST: Beacon Analysis

Beacon Analysis with Active Countermeasures COO, Chris Brenton

Sep 17, 2018 · 48 min

Ep 1 · PODCAST: What Is a Red Team, Anyway?

Dakota Nelson explains the different kinds of penetration tests (including red teams) in this industry and how they can help your team.

Sep 10, 2018 · 36 min

Ep 1 · PODCAST: From Active Countermeasures – Attack Tactics 4

A special guest episode from Active Countermeasures with John Strand and Chris Brenton

Aug 28, 2018 · 52 min

Ep 1 · PODCAST: Active Directory Best Practices that Frustrate Pentesters

Jordan and Kent discuss how to set up Active Directory to best frustrate pentesters - take care of that low-hanging fruit!

Aug 13, 2018 · 1h 1m

Ep 1 · PODCAST: Security Policy: Fact Fiction or Implement the Marquis de Management

CJ Cox talks about the highs, lows, hows, and whys of security policy.

Jul 30, 2018 · 50 min

Ep 1 · PODCAST: Highly Caffeinated InfoSec

Join Beau Bullock and Mike Felch as they talk about ways to learn more, network, and wake up your inner hacker.

Jul 16, 2018 · 51 min