Tips for an Information Security Analyst/Pentester career - Ep. 61 - Blue Hacking

Back in February, I had the pleasure of participating in a PeerTalk panel discussion.

Over said discussion, Kimberly Dowsett launched a concept that I'd summarize as blue hacking.

In other words, hacking in support of blue teamers: creating tools helping defenders sift through the huge amount of data going through the servers they have to monitor.

I think this is absolutely paramount.

Every professional in my same role struggles with the same problem: filtering out noise and false positive from our data.

There's too much stuff to sift through and I'm always concerned something could go undetected because of this.

This concept sat in my mind for a while and I set it aside, but kept thinking about it.

Then yesterday I happened to see a great YouTube video about this very topic, demoing some excellent PowerShell tools that can be very helpful for these purposes.

Therefore I built a Windows domain with two computers, a Windows Server 2012 R2 domain controller and a Windows 10 client, and gave these tools a shot.

Results are pretty amazing.

Check on the availability of the most common Windows privilege escalation methods

For this, we're going to use PowerUp.

Once we import the module, we can use Invoke-AllChecks to have a picture of the situation.

The domain I created is exploitable (and therefore not reachable from the Internet), as several vulnerable services and other issues are present that could lead to a successful privilege escalation for an attacker.

Enumerate all domain machines and check for open file shares

The tool we want to use for this is PowerView.

Network shares can be a major vulnerability in a network, because sometimes user permissions on them can become pretty messy.

Domain users can end up having more permissions than they should, for example.

This tool offers a quick and easy way to check on this situation.

Enumerate and track administrators

Another useful command in PowerView allows to retrieve and track all administrators account, and we see we have several domain administrators, attackers might want to hack into.

Enumerate Domain Controllers

In PowerView, we can also detect the domain controllers on our network.

There was one only domain controller in my domain.

Wrap-up

You can't be a good attacker if you don't know how to defend your network, and vice versa.

For analysts to be good at what they do, they need to know what kind of attack patterns are looking at and what they mean.

If you don't know attack signatures, you won't be able to recognize a portscan or a DoS/DDoS attack in time.

Over upcoming episodes, I intend to dig deeper and talk about some important event IDs that can be a red flag.

Until then, stick around!