2017-02-19 20:21:57 +01:00

Summary

This document summarizes the defensive recommendations from Pyrotek and Harmj0y's DerbyCon talk "111 Attacking EvilCorp: Anatomy of a Corporate Hack". Video and slides are available below.

Something's missing? Create a Pull Request and add it.

Initial foothold

  • Deploy EMET to workstations (end of life in July 2018).
  • Use AppLocker to block executable content from running in user-writable locations (home directory, profile path, temp, etc.).
  • Manage PowerShell execution via AppLocker or constrained language mode.
  • Enable PowerShell logging (v3+) and command-line process creation logging.
  • Block Office macros (Windows & Mac) where possible.
  • Deploy security tooling that monitors for suspicious behavior.
  • Limit capability by blocking/restricting attachments via email/download:
    • Executable extensions (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, etc.)
    • Office files that support macros (docm, xlsm, pptm, etc.)
  • Change the default program for file types that open with Windows scripting hosts to Notepad (test first!):
    • bat, js, jse, vbe, vbs, wsf, wsh, etc.

Reconnaissance

  • Deploy Windows 10 and limit local group enumeration.
  • Limit workstation to workstation communication.
  • Increase security on sensitive GPOs.
  • Evaluate deployment of behavior analytics (Microsoft ATA).

Lateral movement

  • Configure GPO to prevent local accounts from network authentication (KB2871997).
  • Ensure local administrator account passwords are automatically changed (Microsoft LAPS) & remove extra local admin accounts.
  • Limit workstation to workstation communication (Windows Firewall).

Privilege escalation

  • Remove files with passwords in SYSVOL (including GPP).
  • Ensure admins don't log onto untrusted systems (regular workstations).
  • Use Managed Service Accounts for service accounts (SAs), or ensure SA passwords are >25 characters (enforced with a Fine-Grained Password Policy, FGPP).
  • Ensure all computers use NTLMv2 & Kerberos; deny LM/NTLMv1.

Protect Administration Credentials

  • Ensure all admins only log onto approved admin workstations & servers.
  • Add all admin accounts to Protected Users group (requires Windows 2012 R2 DCs).
  • Admin workstations & servers:
    • Control & limit access to admin workstations & servers.
    • Remove NetBIOS over TCP/IP.
    • Disable LLMNR.
    • Disable WPAD.

Strengthen/Remove Legacy

  • Audit/Restrict NTLM.
  • Enforce LDAP signing.
  • Enable SMB signing (& encryption where possible).
  • Disable WPAD & LLMNR & work to disable NetBIOS.
  • On Windows 10, remove the following optional features:
    • SMB 1.0/CIFS
    • Windows PowerShell 2.0
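A read-only audit of the legacy-protocol items in this section together with the PowerShell and command-line logging items under "Initial foothold", written as an added example (it is not from the talk or this list). It assumes it is run elevated on a Windows 10 host, and that the settings live in the registry locations the corresponding Group Policy entries write to; it reports PASS/FAIL and changes nothing.

```powershell
# Added audit example (not from the original page). Run elevated on Windows 10.
# Assumption: each policy lands in its standard GPO registry location shown below.

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($null -ne $v -and $v -eq $Expected)
}

$checks = @(
    @{ Item = 'LLMNR disabled';
       Test = { Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0 } }
    @{ Item = 'LM/NTLMv1 refused (LmCompatibilityLevel = 5)';
       Test = { Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel' 5 } }
    @{ Item = 'LDAP client signing required';
       Test = { Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' 'LDAPClientIntegrity' 2 } }
    @{ Item = 'SMB server signing required';
       Test = { (Get-SmbServerConfiguration).RequireSecuritySignature } }
    @{ Item = 'SMB 1.0/CIFS feature removed';
       Test = { (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled' } }
    @{ Item = 'Windows PowerShell 2.0 engine removed';
       Test = { (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State -ne 'Enabled' } }
    @{ Item = 'PowerShell script block logging enabled';
       Test = { Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging' 1 } }
    @{ Item = 'Process creation events include the command line';
       Test = { Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled' 1 } }
    @{ Item = 'WPAD auto-proxy service disabled';
       Test = { (Get-Service WinHttpAutoProxySvc -ErrorAction SilentlyContinue).StartType -eq 'Disabled' } }
    @{ Item = 'NetBIOS over TCP/IP disabled on every IP-enabled adapter (TcpipNetbiosOptions = 2)';
       Test = { -not (Get-CimInstance Win32_NetworkAdapterConfiguration |
                      Where-Object IPEnabled | Where-Object TcpipNetbiosOptions -ne 2) } }
)

foreach ($c in $checks) {
    # A failed cmdlet (missing feature, missing service) counts as FAIL rather than aborting the run.
    $ok = $false
    try { $ok = [bool](& $c.Test) } catch { $ok = $false }
    '{0,-4} {1}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Item)
}
```

Domain-side settings (LDAP signing on the DCs, the Protected Users group, the KB2871997 network-logon deny) are not covered here; they are set and verified on the domain controllers rather than on a workstation.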

Tools

  • Responder - A LLMNR, NBT-NS and MDNS poisoner
  • BloodHound - Six Degrees of Domain Admin
  • PowerSploit - A PowerShell Post-Exploitation Framework
  • PowerView - Situational Awareness PowerShell framework
  • Empire - PowerShell and Python post-exploitation agent
  • Mimikatz - Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and also to perform pass-the-hash and pass-the-ticket or build Golden Tickets
  • Tools Cheatsheets - (Beacon, PowerView, PowerUp, Empire, ...)
  • UACME - Defeating Windows User Account Control
  • Windows Sysinternals - (including Sysmon etc.)

Videos

Slides

Additional resources

Description
A curated list of awesome Security Hardening techniques for Windows.