Full Report
Kent and Jordan are back to continue their journey to make the world a better place. This time around, they will be reviewing a series of tools commonly used on […]
Source: Webcast: A Blue Team's Perspective on Red Team Hack Tools, Black Hills Information Security, Inc.
Analysis Summary
This summary focuses on the attack tools reviewed in the context of Blue Team defensive analysis, as presented in the referenced material.
# Tool/Technique: BloodHound
## Overview
BloodHound is a tool commonly used during penetration tests to identify flaws in Active Directory (AD) design and implementation. Its collector (SharpHound) gathers users, groups, computers, sessions, ACLs and trusts from the directory and from domain-joined hosts; the data is loaded into a Neo4j graph and queried for the shortest paths from a compromised foothold to privileged targets.
## Technical Details
- Type: Tool (Active Directory attack-path analysis: a data collector plus a graph front end)
- Platform: Windows/Active Directory environment (the collector runs on a domain-joined Windows host; the graph interface runs wherever Neo4j does)
- Capabilities: Graphically mapping relationships in AD (group membership, logon sessions, local admin rights, ACL-based control, trusts) to find attack paths.
- First Seen: Not stated in the source; BloodHound was released publicly at DEF CON 24 in August 2016.
## MITRE ATT&CK Mapping
(Note: Mapping derived from BloodHound's general capabilities; the source only mentions the review, not specific TTPs.)
- TA0007 - Discovery
- T1087.002 - Account Discovery: Domain Account
- T1069.002 - Permission Groups Discovery: Domain Groups
- T1018 - Remote System Discovery
- T1033 - System Owner/User Discovery (session enumeration)
- T1482 - Domain Trust Discovery
(BloodHound itself is a *discovery* and *pathfinding* tool; it dumps no credentials. The paths it reveals are what drive the follow-on Credential Access (TA0006) and Lateral Movement (TA0008) techniques, such as T1003 OS Credential Dumping and T1021 Remote Services, that an operator uses to walk a path.)
## Functionality
### Core Capabilities
- Analyzing Active Directory structures (Users, Groups, Computers, ACLs).
- Mapping potential attack paths to high-value targets (e.g., Domain Admins).
### Advanced Features
- The context mentions a potential "tool drop from Kent" that could "change the BloodHound game", hinting at supplementary analysis on top of the BloodHound data. The "Plumbhoud" named in the context reads as PlumHound, a reporting tool that runs saved Cypher queries against the BloodHound Neo4j database and turns the results into reports defenders can act on.
## Indicators of Compromise
As BloodHound is an analytical tool, direct IOCs are generated by the data collection phase (SharpHound), not by the graph interface.
- File Hashes: N/A (not provided; SharpHound is open source and routinely recompiled, so file hashes are weak indicators)
- File Names: SharpHound.exe, SharpHound.ps1, and the collector's output left on disk (timestamped *_BloodHound.zip archives and the *_users.json, *_computers.json, *_sessions.json files inside them)
- Registry Keys: N/A
- Network Indicators: A burst of LDAP queries (TCP 389/636) from one host against a domain controller, followed by SMB (TCP 445) connections from that same host to many domain computers for session and local-group collection
- Behavioral Indicators: Execution of the collector (often via PowerShell or as a .NET assembly loaded in memory) issuing paged LDAP searches across the whole directory and calling NetSessionEnum/NetWkstaUserEnum and SAMR local-group enumeration against every reachable host. SharpHound does not read SAM or LSA secrets; credential dumping, if it happens, is a separate tool and a separate step.
## Associated Threat Actors
- Various threat actors conduct AD reconnaissance using this methodology, including many sophisticated APT groups and standard penetration testing teams.
## Detection Methods
- Signature-based detection: Detection of the collector (SharpHound) on disk or in memory (AV/EDR signatures; PowerShell Script Block Logging captures the contents of SharpHound.ps1 even when it never touches disk).
- Behavioral detection: Unusual LDAP query volume or breadth from a single endpoint (for example, a workstation enumerating every user, group and computer object), one host opening SMB sessions to a large number of hosts within minutes, and honeytoken objects that only an enumerator would touch (a decoy account whose 4662 read or 4768 ticket request is alerted on).
- YARA rules: N/A in the source; file-based rules on SharpHound strings exist but miss in-memory variants.
## Mitigation Strategies
- Principle of Least Privilege (PoLP) enforcement across AD objects and ACLs.
- Regular auditing of ACLs and privileged group memberships.
- Monitoring for the execution of AD enumeration tools.
## Related Tools/Techniques
- ADExplorer (Sysinternals)
- PowerView, ldapdomaindump and other LDAP and Kerberos querying tools
- PlumHound (blue-team reporting on top of the BloodHound database)
***
# Tool/Technique: Mimikatz
## Overview
Mimikatz is a well-known post-exploitation tool frequently used during penetration tests, specifically focused on extracting credentials (plaintext passwords, hashes, Kerberos tickets) from memory on compromised Windows systems.
## Technical Details
- Type: Tool (Post-exploitation/Credential Access)
- Platform: Windows
- Capabilities: Dumping and manipulating credentials stored in memory (LSASS process).
- First Seen: 2007 (Benjamin Delpy); the 2.0 rewrite, with the sekurlsa module in its current form, appeared in 2014.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1003.006 - OS Credential Dumping: DCSync (lsadump::dcsync)
- T1558.001 / T1558.002 - Steal or Forge Kerberos Tickets: Golden Ticket / Silver Ticket
- T1555 - Credentials from Password Stores (vault and DPAPI modules)
- TA0008 - Lateral Movement
- T1550.002 / T1550.003 - Use Alternate Authentication Material: Pass the Hash / Pass the Ticket
- TA0004 - Privilege Escalation / TA0005 - Defense Evasion
- T1134 - Access Token Manipulation (token::elevate)
## Functionality
### Core Capabilities
- Extracting plaintext passwords (where WDigest caching is still enabled), NTLM hashes and Kerberos tickets from LSASS memory (sekurlsa::logonpasswords, sekurlsa::tickets).
- Golden Ticket and Silver Ticket creation (kerberos::golden) from the krbtgt or a service account's key.
### Advanced Features
- Injecting credentials into a fresh logon session (sekurlsa::pth) so the operator's tooling authenticates as another principal without ever typing its password.
- Token manipulation for privilege escalation (token::elevate) and DCSync, which replicates password hashes from a domain controller over the directory replication protocol (lsadump::dcsync).
## Indicators of Compromise
- File Hashes: N/A (often run in memory, e.g. Invoke-Mimikatz, or recompiled and obfuscated)
- File Names: mimikatz.exe (or renamed copies), mimidrv.sys (the kernel driver), mimilib.dll; module command strings such as sekurlsa::logonpasswords and privilege::debug in command lines and script block logs
- Registry Keys: N/A
- Network Indicators: DCSync appears on the wire as directory replication (DRSUAPI GetNCChanges) requested by a host that is not a domain controller
- Behavioral Indicators: Handles opened to lsass.exe with PROCESS_VM_READ; SeDebugPrivilege enabled in a user process; calls to `MiniDumpWriteDump` against LSASS; 4624 logons of type 9 (NewCredentials) following pass-the-hash.
## Associated Threat Actors
- Nearly ubiquitous; used by ransomware groups, APTs, and routine red teams.
## Detection Methods
- Signature-based detection: Known executable hashes and AV signatures (if deployed statically); PowerShell Script Block Logging catching Invoke-Mimikatz.
- Behavioral detection: Sysmon Event ID 10 (ProcessAccess) showing handles to `lsass.exe` with memory-read rights from unexpected source images; Security events 4703 (SeDebugPrivilege adjusted) and 4673/4674 (sensitive privilege use); 4662 Directory Service Access events carrying the DS-Replication-Get-Changes GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) from a non-DC host, which is DCSync.
- YARA rules: Rules targeting known strings (for example "gentilkiwi" and the module names such as sekurlsa) in the binary or in process memory.
## Mitigation Strategies
- Enabling Windows Defender Credential Guard, which uses virtualization-based security to hold LSA secrets in an isolated process (LSAIso) that LSASS itself cannot read, so a dump of LSASS no longer yields reusable NTLM hashes or Kerberos keys.
- Restricting administrative rights rigorously; Mimikatz needs SeDebugPrivilege or SYSTEM to open LSASS at all.
- Applying LSA Protection (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1) so that only signed protected-process-light code can open LSASS, and setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0 so plaintext passwords are no longer cached in memory.
## Related Tools/Techniques
- PowerSploit's Invoke-Mimikatz and other in-memory loaders
- LSASS dumps taken by procdump, the comsvcs.dll MiniDump export or nanodump, then parsed offline with pypykatz
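The behavioural indicators above are what a Sysmon Event ID 10 (ProcessAccess) rule keys on. The following is an added example for this page, not code from the webcast or from Mimikatz, that triages constructed Sysmon events: it ignores handles that cannot read memory, decodes the GrantedAccess mask, skips a baseline of images expected to touch LSASS (the allowlist is an assumption to replace with your own, ideally keyed on full path and signer rather than file name), and escalates when the mask matches the values Mimikatz and MiniDumpWriteDump typically request or when the CallTrace contains an UNKNOWN frame, meaning code not backed by a module on disk, as with Invoke-Mimikatz.

```python
# Triage of Sysmon Event ID 10 (ProcessAccess) records whose target is lsass.exe.
# Added example: event dicts use Sysmon field names; sample events are constructed.

PROCESS_ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_VM_READ = 0x0010

# Access masks commonly requested by Mimikatz (sekurlsa::*) and by MiniDumpWriteDump.
SUSPECT_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Assumed baseline of images that legitimately read LSASS; matched on file name here
# for brevity, which a renamed binary defeats, so key a production rule on path + signer.
ALLOWED_SOURCE_IMAGES = {"wininit.exe", "csrss.exe", "msmpeng.exe", "wmiprvse.exe"}


def decode_access(mask):
    """Names of the access rights set in a GrantedAccess mask."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in PROCESS_ACCESS_BITS.items() if mask & bit]


def can_read_memory(mask):
    """Only handles with VM_READ (or full access) can pull secrets out of LSASS."""
    return mask == PROCESS_ALL_ACCESS or bool(mask & PROCESS_VM_READ)


def triage_lsass_access(events):
    """Return findings for LSASS handles that a baseline does not explain."""
    findings = []
    for ev in events:
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not can_read_memory(mask):
            continue  # query-only handle, cannot dump credentials
        source_name = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
        unbacked = "UNKNOWN" in ev.get("CallTrace", "")  # frame not backed by a file on disk
        if source_name in ALLOWED_SOURCE_IMAGES and not unbacked:
            continue  # expected reader with an ordinary call stack
        severity = "high" if (mask in SUSPECT_MASKS or unbacked) else "medium"
        findings.append({
            "source": ev["SourceImage"],
            "mask": f"0x{mask:x}",
            "rights": decode_access(mask),
            "unbacked_frame": unbacked,
            "severity": severity,
        })
    return findings


LSASS = "C:\\Windows\\system32\\lsass.exe"
NORMAL_TRACE = "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\System32\\KERNELBASE.dll+2a0be"

# Constructed sample: Defender (baseline), csrss (query only), a dropped mimikatz.exe,
# PowerShell with an unbacked frame (reflective loader), and a hypothetical vendor agent.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1410", "CallTrace": NORMAL_TRACE},
    {"SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1400", "CallTrace": NORMAL_TRACE},
    {"SourceImage": "C:\\Users\\jdoe\\Downloads\\mimikatz.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010", "CallTrace": NORMAL_TRACE},
    {"SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1fffff",
     "CallTrace": NORMAL_TRACE + "|UNKNOWN(000001D4A2C3B1F8)"},
    {"SourceImage": "C:\\Program Files\\Vendor Agent\\agent.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x0010", "CallTrace": NORMAL_TRACE},
]

if __name__ == "__main__":
    for finding in triage_lsass_access(SAMPLE_EVENTS):
        print(finding)
```

The medium finding (VM_READ alone from an unlisted image) is where tuning happens: either the agent joins the baseline after verification, or it is the thing you were looking for.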
***
# Tool/Technique: Nmap
## Overview
Nmap (Network Mapper) is a network discovery and security auditing tool used to scan networks of any size, identifying live hosts, open ports, service versions and, through OS fingerprinting, the operating system of each host.
## Technical Details
- Type: Tool (Reconnaissance/Discovery)
- Platform: Cross-platform (Linux, Windows, macOS)
- Capabilities: Host discovery, port scanning, service fingerprinting, script-based vulnerability detection.
- First Seen: 1997
## MITRE ATT&CK Mapping
- TA0043 - Reconnaissance
- T1595.001 - Active Scanning: Scanning IP Blocks
- T1595.002 - Active Scanning: Vulnerability Scanning (NSE vuln scripts)
- TA0007 - Discovery
- T1046 - Network Service Discovery (the current name for Network Service Scanning)
- T1018 - Remote System Discovery
## Functionality
### Core Capabilities
- TCP/UDP port scanning.
- Service banner grabbing and version detection.
### Advanced Features
- Utilizing the Nmap Scripting Engine (NSE) for automated vulnerability checks or advanced discovery.
## Indicators of Compromise
- File Hashes: N/A (usually run from the command line or wrapped by other tooling)
- File Names: nmap, nmap.exe (with Npcap on Windows), ncat, nping
- Registry Keys: N/A
- Network Indicators: Large volume of connection attempts or probes across a range of ports and hosts from one source; the NSE http library's default User-Agent, "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)", when scripts are used.
- Behavioral Indicators: High volume of specific packet types (SYN-only half-open connections from a SYN scan, FIN/NULL/Xmas probes, the OS-detection probe sequence) against an internal network segment.
## Associated Threat Actors
- Essentially every threat actor and penetration tester uses a network scanner such as Nmap during reconnaissance; its presence is context, not attribution.
## Detection Methods
- Signature-based detection: Known Nmap binaries on endpoints; IDS signatures for Nmap's probe payloads and default NSE User-Agent.
- Behavioral detection: Intrusion Detection Systems (IDS) flagging typical scan patterns (many SYNs to distinct ports on one host, or one port across many hosts, with few completed handshakes); firewall deny logs showing one source hitting closed ports in sequence.
- YARA rules: N/A
## Mitigation Strategies
- Implementing host-based and network firewalls so that a scan from a compromised workstation sees only the services that segment needs, and logging what it drops.
- Baselining normal traffic and alerting on scanning patterns; a handful of honeypot ports or hosts that nothing legitimate should touch gives a high-fidelity signal.
## Related Tools/Techniques
- Masscan
- Amass (for external reconnaissance)
***
# Tool/Technique: CrackMapExec (CME)
## Overview
CrackMapExec (CME) is a post-exploitation tool for testing credentials and enumerating shares, sessions and users across many Windows hosts at once, and for running commands on them over SMB, WinRM, MSSQL, LDAP and other protocols. The original project was archived in 2023; its maintained successor is NetExec (nxc), which keeps the same workflow.
## Technical Details
- Type: Tool (Post-exploitation/Lateral Movement)
- Platform: Linux/Windows/macOS (Python based)
- Capabilities: Password spraying, service enumeration, command execution, lateral movement across Windows domains.
- First Seen: 2015 (byt3bl33d3r), built on Impacket.
## MITRE ATT&CK Mapping
- TA0008 - Lateral Movement
- T1021.002 - Remote Services: SMB/Windows Admin Shares
- T1021.006 - Remote Services: Windows Remote Management
- T1550.002 - Use Alternate Authentication Material: Pass the Hash (the -H option)
- TA0006 - Credential Access
- T1110.003 - Brute Force: Password Spraying
- T1003.002 / T1003.004 / T1003.003 - OS Credential Dumping: SAM, LSA Secrets, NTDS (the --sam, --lsa and --ntds options)
- TA0007 - Discovery
- T1087.002 - Account Discovery: Domain Account
- T1135 - Network Share Discovery (--shares)
- TA0002 - Execution
- T1047 - Windows Management Instrumentation (the wmiexec execution method)
## Functionality
### Core Capabilities
- Domain user, session, share and local-group enumeration across every host in a target list.
- Credential testing over SMB with a password, an NTLM hash (pass-the-hash) or a Kerberos ticket, reporting where the credential is valid and where it is a local administrator (Pwn3d!).
### Advanced Features
- Automated password spraying of a credential list against domain accounts, with options to stay under lockout thresholds.
- Remote command and PowerShell execution (-x / -X) via WinRM or via the SMB-based methods inherited from Impacket (wmiexec, smbexec, atexec, mmcexec), plus post-exploitation modules that dump SAM, LSA secrets and NTDS.
## Indicators of Compromise
- File Hashes: N/A (Python package; often run from a pip install or as a PyInstaller bundle)
- File Names: crackmapexec, cme, nxc (NetExec), or executables wrapping them; the default log and database files under ~/.cme/ and ~/.nxc/
- Registry Keys: N/A
- Network Indicators: High volume of authentication attempts to many hosts over SMB (TCP 445) or WinRM (TCP 5985/5986) from one source with the same credential; admin share access (ADMIN$, C$) immediately after authentication.
- Behavioral Indicators: Repeated failed logons followed by a successful administrative session, then a service installed on the target (event 7045 for smbexec), a WMI-spawned process (wmiexec) or a scheduled task (atexec) executing cmd.exe or PowerShell with output redirected to a share.
## Associated Threat Actors
- Widely adopted by Red Teams and various cyber threat groups for lateral movement.
## Detection Methods
- Signature-based detection: Detecting the CME/NetExec package or bundle on a host; the service names and temporary output file patterns the SMB execution methods leave behind.
- Behavioral detection: Abnormal authentication patterns (one source authenticating to many hosts, or spraying one password across many accounts); non-standard use of SMB and WinRM for bulk remote command execution, such as service creation (7045) or WMI process creation from a workstation-originated session.
- YARA rules: N/A
## Mitigation Strategies
- Implementing Tiering models for administrative access.
- Enabling Multi-Factor Authentication (MFA) where possible, especially for remote services.
- Monitoring local and domain security logs for enumeration activity and bulk failed logins.
## Related Tools/Techniques
- Responder (mentioned in the context)
- NetExec (nxc), the maintained fork after CrackMapExec was archived
- Impacket (psexec.py, wmiexec.py, smbexec.py), which CME wraps
- PsExec (Sysinternals)
***
# Tool/Technique: Responder
## Overview
Responder is a tool that poisons LLMNR, NBT-NS and mDNS name resolution: when a host broadcasts a lookup for a name that DNS could not resolve (a typo, a stale drive mapping, a missing WPAD entry), Responder answers with the attacker's address, and the victim then authenticates to the attacker's fake service, handing over a NetNTLMv2 challenge/response that can be cracked offline or relayed.
## Technical Details
- Type: Tool (Credential Access/Discovery)
- Platform: Cross-platform (primarily Linux)
- Capabilities: Network poisoning attacks targeting name resolution protocols.
- First Seen: First public releases around 2012-2013 (Laurent Gaffié).
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
- TA0007 - Discovery
- T1040 - Network Sniffing (Responder's analyze mode, -A, listens for broadcast lookups without answering them)
## Functionality
### Core Capabilities
- Capturing NetNTLMv2 challenge/response pairs from hosts tricked by LLMNR/NBT-NS/mDNS poisoning into connecting to the attacker; the hashes are not broadcast, the victim's connection to the rogue service produces them.
- Hosting rogue SMB, HTTP and other listeners that perform the authentication exchange. Relaying the captured authentication to a real server is done by companion tools (Responder's MultiRelay or Impacket's ntlmrelayx) and only works against targets that do not require SMB signing.
### Advanced Features
- Multi-protocol listener support (HTTP/HTTPS, SMB, MSSQL, FTP, LDAP, POP3, IMAP, SMTP, DNS, WPAD proxy, among others), so that whatever client protocol follows the poisoned lookup still ends in a captured authentication.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Responder.py (or compiled variants), Responder.conf, and its logs and hash captures under the logs/ directory.
- Registry Keys: N/A
- Network Indicators: LLMNR (UDP 5355) and NBT-NS (UDP 137) responses for names that do not exist, sent by a host that is not a name server; WPAD answers from an unexpected host; many workstations initiating SMB or HTTP sessions to one peer on the segment.
- Behavioral Indicators: Unsolicited SMB connection attempts *to* a single non-server host from other workstations shortly after their failed name lookups; a spike in 4625/4776 NTLM authentication activity whose target is a machine nobody configured as a server.
## Associated Threat Actors
- Common in internal network pivoting and offensive operations where reliance on broadcast protocols exists.
## Detection Methods
- Signature-based detection: Detecting the Responder script or package on a host; IDS signatures for its characteristic responses.
- Behavioral detection: Canary queries: a monitoring host periodically asks LLMNR/NBT-NS for a name that does not exist and alerts on any answer, because no legitimate host should reply. Monitoring for SMB sessions initiated by workstations to other workstations, which are not legitimate servers.
- YARA rules: N/A
## Mitigation Strategies
- **Disabling LLMNR, NBT-NS and mDNS** where possible, in that order of priority: LLMNR via Group Policy ("Turn off multicast name resolution" under Computer Configuration > Administrative Templates > Network > DNS Client, which sets HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast = 0), NetBIOS over TCP/IP per adapter or via DHCP option, and mDNS where nothing depends on it.
- Removing the reason for fallback lookups: fix stale drive mappings and scripts, and create an explicit WPAD record (or disable WPAD) so clients never ask the network for it.
- **Requiring SMB signing** (and LDAP signing/channel binding) so a captured authentication cannot be relayed, and enforcing long passwords so captured NetNTLMv2 is impractical to crack.
## Related Tools/Techniques
- Inveigh (Windows/PowerShell equivalent)
- Impacket ntlmrelayx (relay of the captured authentication)
- mitm6 (the IPv6/DHCPv6 counterpart that poisons DNS instead of LLMNR)
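A cheap way to find a poisoner is to be its victim on purpose: ask the LLMNR multicast group for a name that does not exist and alert on anyone who answers, since no legitimate host should. The example below is added here, not code from the webcast or from Responder; build_query() and parse_response() implement the DNS-style wire format LLMNR reuses (RFC 4795, UDP to 224.0.0.252:5355) and are exercised offline against a constructed poisoned reply, while probe() performs the live send. The canary name is an assumption; choose one nothing in your environment resolves, and run it from the segments where users actually sit, because LLMNR is link-local.

```python
# LLMNR canary: query the multicast group for a bogus name, treat any answer as a poisoner.
# Added example. The packet builders/parsers are pure; probe() needs a real interface.
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
CANARY_NAME = "fs-canary-do-not-resolve"   # assumption: pick a name nothing legitimately owns


def build_query(name, txid):
    """DNS-format query: 12-byte header, one question for an A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(buf, off):
    """Read a possibly compressed DNS name starting at off; returns (name, next_off)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:   # compression pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            target, _ = _read_name(buf, ptr)
            labels.append(target)
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(buf, txid):
    """Return [(name, ipv4)] for A-record answers matching txid, else None."""
    if len(buf) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if rid != txid or not flags & 0x8000 or an == 0:   # wrong id, not a response, no answers
        return None
    off = 12
    for _ in range(qd):                       # skip echoed question(s)
        _, off = _read_name(buf, off)
        off += 4                              # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers or None


def build_poisoned_response(query, answer_ip, ttl=30):
    """What a poisoner sends back (constructed, for offline testing): the question echoed,
    QR set, and one A record whose name is a pointer to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = query[12:]
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def probe(name=CANARY_NAME, timeout=2.0):
    """Live canary: returns [(responder_ip, answers)] ; an empty list means nobody answered."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)   # link-local only
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:                           # collect every reply until the timeout
            data, (ip, _port) = sock.recvfrom(512)
            answers = parse_response(data, txid)
            if answers:
                found.append((ip, answers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    print("LLMNR responders:", probe())
```

On a multi-homed monitor, set IP_MULTICAST_IF to the interface of the segment under test, otherwise the query leaves on the default route and tests the wrong LAN. Because the response is unicast to the querier, the source IP of the reply is the poisoner, not an address inside the packet.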
***
# Tool/Technique: Domain Password Spray
## Overview
Domain Password Spraying is an adversarial technique where an attacker attempts to use one or a few common passwords against a large number of user accounts within a domain, aiming to find accounts using those weak passwords without locking them all out immediately.
## Technical Details
- Type: Technique/Methodology (facilitated by tools such as CME/NetExec, DomainPasswordSpray or Kerbrute, or by a short script)
- Platform: Active Directory/Domain Controllers, and any externally reachable service that authenticates against the domain (OWA, ADFS, VPN, Microsoft 365)
- Capabilities: Low-and-slow credential guessing: a few plausible passwords against many users, with enough delay between rounds to stay under lockout thresholds.
- First Seen: Not stated in the source. The pattern is as old as account-lockout policies, which it exists to stay under; dedicated tooling such as DomainPasswordSpray (dafthack, around 2016) made it routine on internal engagements.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access (used for Initial Access, TA0001, when sprayed against externally reachable services)
- T1110.003 - Brute Force: Password Spraying
## Functionality
### Core Capabilities
- Systematically testing simple passwords (e.g., "Summer2021!") across the entire user base.
### Advanced Features
- Can be combined with account enumeration (the user list from BloodHound or LDAP) to build the target set and to exclude accounts close to lockout; spraying still targets breadth, one or two passwords per round against everyone.
## Indicators of Compromise
- File Hashes: N/A (Tool dependent)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: High volume of failed authentication attempts (LDAP bind, Kerberos pre-auth, or remote logon) directed at domain controllers, originating from a single source, with consistent but incorrect password attempts.
- Behavioral Indicators: Rapid sequential failed logins against multiple distinct user accounts from one source IP address.
## Associated Threat Actors
- Widely used by ransomware affiliates and commodity attackers for initial access, and by red teams as the first thing tried once a user list is in hand.
## Detection Methods
- Signature-based detection: Detecting the tools used to automate spraying (CME/NetExec, DomainPasswordSpray) on a host.
- Behavioral detection: Security event logs showing many distinct accounts failing from one source within a short window: 4625 (logon failure, SubStatus 0xC000006A bad password or 0xC0000064 unknown user) on members and DCs, 4771 (Kerberos pre-authentication failure, code 0x18) and 4776 (NTLM validation failure) on DCs. The distinguishing shape is breadth, not depth: many users, one or two attempts each.
- YARA rules: N/A
## Mitigation Strategies
- Enforcing long passwords and a banned-password list, because sprays succeed on "Summer2021!"-style passwords, not on length.
- Account lockout thresholds with an observation window tuned to catch a spray cadence, and ADFS Extranet Smart Lockout or equivalent on internet-facing endpoints; lockout alone is what spraying is designed to evade, so alerting on the failure pattern matters more than the lockout itself.
- Deploying **Multi-Factor Authentication (MFA)** so that a guessed password is not, on its own, access.
## Related Tools/Techniques
- DomainPasswordSpray and MSOLSpray (dafthack)
- Kerbrute (spraying and user enumeration over Kerberos)
- CrackMapExec/NetExec and Hydra for spraying over SMB, WinRM and other services
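The 4625-rate detection above is more precise when it uses the shape of the failures rather than their count. The example below is added here, not code from the webcast or from any spraying tool; it runs over constructed Security events with the fields a SIEM would carry from 4625 (logon failure) and 4771 (Kerberos pre-authentication failure on the DC), and separates a spray (many distinct accounts, one or two attempts each, from one source) from a classic brute force (one account, many attempts). Thresholds and field names are assumptions. The same records are what CrackMapExec or DomainPasswordSpray leave behind when pointed at a domain.

```python
# Password-spray detection over Windows Security events (added example; sample
# events are constructed). Records carry: time, event_id, src_ip, user, status.
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus (members and DCs) and 4771 failure codes (DCs) relevant to a spray.
WRONG_PASSWORD = {"0xc000006a", "0x18"}   # account exists, wrong password
UNKNOWN_USER = {"0xc0000064", "0x6"}      # account does not exist (sprays guess names too)


def detect_spray(events, window=timedelta(minutes=30), min_accounts=10, max_per_account=3):
    """One alert per source that, inside some `window`, failed against at least
    `min_accounts` distinct accounts with no more than `max_per_account` tries each."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] not in (4625, 4771):
            continue
        if ev["status"].lower() not in WRONG_PASSWORD | UNKNOWN_USER:
            continue
        by_src[ev["src_ip"]].append(ev)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda e: e["time"])
        best, left = None, 0
        for right, cur in enumerate(recs):
            while cur["time"] - recs[left]["time"] > window:   # slide the window start
                left += 1
            in_window = recs[left:right + 1]
            per_account = defaultdict(int)
            for r in in_window:
                per_account[r["user"].lower()] += 1
            if len(per_account) < min_accounts or max(per_account.values()) > max_per_account:
                continue   # too few accounts, or one account hammered: not a spray
            candidate = {
                "src_ip": src,
                "accounts": len(per_account),
                "wrong_password": sum(r["status"].lower() in WRONG_PASSWORD for r in in_window),
                "unknown_user": sum(r["status"].lower() in UNKNOWN_USER for r in in_window),
                "first": recs[left]["time"],
                "last": cur["time"],
            }
            if best is None or candidate["accounts"] > best["accounts"]:
                best = candidate   # keep the widest window seen for this source
        if best:
            alerts.append(best)
    return alerts


def build_sample():
    """Constructed events: a spray of one password across 15 accounts (two of them
    nonexistent) from 10.0.5.23, a brute force of one service account from 10.0.5.77,
    and a single typo from a workstation."""
    base = datetime(2024, 3, 1, 9, 0)
    events = []
    for i in range(15):
        if i in (3, 9):
            eid, status = 4625, "0xC0000064"      # guessed name that does not exist
        elif i % 2:
            eid, status = 4771, "0x18"            # Kerberos pre-auth failure on the DC
        else:
            eid, status = 4625, "0xC000006A"      # NTLM/interactive bad password
        events.append({"time": base + timedelta(seconds=50 * i), "event_id": eid,
                       "src_ip": "10.0.5.23", "user": f"user{i:02d}", "status": status})
    for i in range(20):
        events.append({"time": base + timedelta(seconds=5 * i), "event_id": 4625,
                       "src_ip": "10.0.5.77", "user": "svc_backup", "status": "0xC000006A"})
    events.append({"time": base + timedelta(minutes=40), "event_id": 4625,
                   "src_ip": "10.0.8.14", "user": "jdoe", "status": "0xC000006A"})
    return events


if __name__ == "__main__":
    for alert in detect_spray(build_sample()):
        print(alert)
```

A nonzero unknown_user count is a useful tell: real users do not mistype their own account name across a dozen different names, so a spray built from a scraped or guessed user list stands out even before any account is hit.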