Security Awareness Training Example

Introduction

There are tons of “products” for security awarenss training, however you might find that sitting and watching canned CBT videos isn’t your organisations thing or perhaps you want to see what other options there are available. Well for starts the UK NCSC has some free online security awarenss training (see further down the post), or you may want to actually spend time with your staff to make the learning a collaboarive experiance that drives engagement and communication. If the last one if your desired approach there are lots of ways to do this. One of which can be supported by a question based assessment, other ways include tabletop scenarios and incident simulations (i honestly would go with a blended appraoch if it was me!).

So to help people get thinking about this I’ve put together some example questions to drive the message about incident reporting, collaboration and education vs blame. So here we go, here’s some ideas for communication and some questions to get staff thinking about cyber security, sure they aren’t rocket science, but then it doesn’t need to be!

CTF

Using CTFs for offensive and defensive training – Purple…

Pwning a legacy server on Hack the Box is good for a training exercise however what about if we want to think about how to use resrouces for red and blue. Looking at both sides of the coin when thinking about offense really should help people undesrand how to defend better. In the end of the day outside of a tiny tiny fraction of deployment types, you are going to need to be able to explain how to defend regardless of engagement type (vulnerability assessment, penetration test, purple team, red team etc.)

Getting access

I’m not going to talk through every step but here’s the commands you would need to run:

Defense

Post Business Email Compromise actions for Office 365 Users

If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.

Defense

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)

Potential Actions

Reset all user account passwords twice (thanks @tazwake)
- Reset all administrator passwords
- Reset all service accounts passwords
Reset (twice – but bear in mind the issues with replication so there’s specific guidance on this) the KRBTGT password
Reset all computer account passwords
Check the value of the computer account password change value
- By default, it is 30 days, threat actors can change this to give themselves access using machine hashes for a longer duration. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age
Reset all LAPS Passwords
Reset permissions on AdminSDHolders object
Revoke and re-issue all certificates from ADCS
Check for malicious scheduled tasks (thanks @SchizoDuckie)
Check for malicious WMI event filters
Check for malicious autoruns or other registry-based persistence mechanisms
Check for utilman style backdoors
Check for malicious printers/printer drivers (thanks @SchizoDuckie)
Review Active Directory Delegated access permissions (thank https://twitter.com/@indachtig)
Rotate ADFS token signing and token decryption certificates (thanks @4n6Bexaminer)
Check Service Control Manager (SCM) security descriptors (https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) (thanks @EricaZeli)
Check for object changes around initial access/event timescales (thanks @IISResetMe)
Validate group memberships against known baselines (replication metadata, backup, AD reporting tools/reports etc.) (thanks @IISResetMe)
Harden Active Directory (look at pingcastle and MITRE) (thanks @MarkSewe)
Review logon scripts in GPOS and SYSVOL (thanks @CisoDiagonal and A-HAX!)
Rotate Group Managed Service Accounts (GMSA) (thanks @infosecspy)
Rotate LAPS credentials
Review Azure AD/AD Connect (thanks @infosecspy)
Harden Endpoints
Update AV
Deploy EDR
Deploy SYSMON
DNS Zone Integrity (Public and Private) (thanks to @jermuv)
Rote domain trust keys (thanks @DebugPrivilege)
Review potential RBCD Bakdoors (thanks @DebugPrivilege)
Review msDsConsistencyGuid attribute of compromised accounts (thanks @DebugPrivilege)
Check Exchange (easy right?)
Review accounts for “Key Trust Account Mapping” takeover and reset if required (thanks @nodauf)
- https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
Review Active Directory Domains and Trusts (thanks @dragon199421)
Deploy new Domain Controllers (keep existing forest/domain metadata)
Clear VSS/Backups/Snapshots that are likely to be classed as unsafe (thanks to @Digit4lbytes) Read more “Post Compromise Active Directory Checklist” →