Blue Team Tactics

[abcampa at gmail.com (Albert R. Campa)]

tasklist /m metsrv.dll

?
;)

__________________________________
Albert R. Campa


On Wed, Jul 29, 2009 at 7:38 AM, Bradley McMahon <bradmcmahon at gmail.com>wrote:

> I wonder if there has ever been a case where someone from the blue team
> went after the red teams machines.
>
> I am not sure of the rules of the CTF but being a linux admin I would try
> to find the MACs and IPs of the attackers as soon as possible and just write
> a iptables rule to drop all their connections or maybe route them to VM so
> they won't get suspicious.
> -Brad
>
>
>
>
> On Tue, Jul 28, 2009 at 11:29 PM, John Strand <strandjs at gmail.com> wrote:
>
> >  Time to bring Tim in on this.
> >
> > The White Wolf guys are simply the best at this kind of simulation.
> >
> > Tim, care to throw in your two cents?
> >
> > john
> >
> >
> >
> >  On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:
> >
> > All Good Suggestions. To answer Erik's question on scoring per my
> > experience last week at the NYC CTF.
> >
> > Red Team members were required to run a script on the comrpomised system
> > once it was compromised to gain a point for the hack. They were encouraged
> > to take data but no DDOS were allowed. However, they could take down systems
> > towards the end of the day (although they would not getting points for doing
> > so but the blue team would gain points for systems down - more points are
> > bad for blue).
> >
> > Blue Team Members with the lowest score won. They needed to keep systems
> > and services online. If compromised they could regain (subtract some points)
> > if they were able to get the systems online quickly and accurately report
> > data loss to the FBI field office. (Paul and Renald actually did a good job
> > destroying the team that won but because they were able to restore and start
> > over (DR) they regained their lead.
> >
> > So with that said while tools (both preventative and reactive) would
> > certainly help the blue team, I think the most important thing is to be
> > organized, have a plan, have the expertise (one person for linux, one for
> > windows, one for web apps/databases, and one for networking), and know when
> > to say we are screwed lets implement our DR plan. And ss Erik pointed out
> > lock down the systems!
> >
> > Some command line and gooyee tools could certainly have helped with this
> > but would be no substitute for experience and organization. Scripting
> > command line stuff and GPO's would certainly help in a large environment
> > (have quite of bit of experience there) but in an exercise like this it may
> > just slow a team down (better to do it manually since there were only a
> > handful of systems).
> >
> > So AV, log monitoring, best practices (i.e. all of Erik's preventative
> > suggestions and more), and things like TCSTools switchblade for incident
> > response would all be helpful. I'm wondering if the questions of what tools
> > is the right question. Maybe the question is what best practices?
> >
> > Just My 2 1/2 cents.
> >
> >
> >
> > On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison <eharrison at gmail.com>wrote:
> >
> > > beyond a lot of the great reactive or visibility driven suggestions
> > > already provided, and assuming this is in a lab environment (i hope) -
> > > harden the crap out of the server. standard fare, remove/disable unnecessary
> > > services, change default service accounts to low priv. add manual ntfs
> > > permissions across the filesystem *and registry* to limit that account's
> > > access. patch the os, apps, services, any web software (just assuming
> > > they're gonna give you joomla w/ 1500 plugins and modules to make it utterly
> > > impossible to win). move db passwords in the code into an included file ../
> > > out of the main web directory, deny writes to all web directories for the
> > > duration of the scenario so no webshells can be uploaded, fix outbound
> > > connections at the firewall (host and upstream), switch services to listen
> > > only on 127.0.0.1, blah blah blah.. the list goes on
> > >
> > > how are you measuring successful intrusion? what's the jackpot for red?
> > > you could just be a bastard, and move or delete that file :D lock it away in
> > > a truecrypt volume protected by keys and passphrases.
> > >
> > >
> > > On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <gbugbear at gmail.com>wrote:
> > >
> > > > Very Nice. Does Autopatcher allow you to manually copy over patches
> > > > (already have many downloaded)?
> > > >
> > > > To add some:
> > > >
> > > > Again Sysinternals Tools: Process Monitor, PSTools, TCPView
> > > > Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
> > > > Nessus - Home Feed of course
> > > > Dumpsec - NTFS File Permission dumper
> > > > Your favorite free sniffer - Wireshark, etc..
> > > > MRTG - Router bandwidth monitoring
> > > > AVG or other decent free AV
> > > > Snort
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez <
> > > > carlos_perez at darkoperator.com> wrote:
> > > >
> > > > > 8 GB stick  prepared with autopatcher http://www.autopatcher.com/
> > > > > http://www.autopatcher.com/ I would have patches for all versions of
> > > > > windows.   <http://www.autopatcher.com/>I would also place portable
> > > > > firefox, and xamp in case i need to migrate an apache LAMP server to an
> > > > > updated version since I have seen a trend of putting apache on windows in
> > > > > this competition, also place several pre-made security templates for use
> > > > > with GPO or local application, URLscan installer and pre-made urlscan.ini
> > > > > files. Komodo free firewall installer and the NSA cisco templates, acl
> > > > > templates, Nipper for checking the cisco equipment config quickly and some
> > > > > pvaln sample configs. Keepass for password storage and generation.
> > > > >
> > > > > that is what comes now to mind.
> > > > >
> > > > >
> > > > >  On Tue, Jul 28, 2009 at 8:54 AM, John Strand <strandjs at gmail.com>wrote:
> > > > >
> > > > > >   Please! PSW land! Share your Blue Team tactics!
> > > > > > What tools, scripts, and techniques do you use as part of Incident
> > > > > > Response and Blue Team Activities?
> > > > > >
> > > > > > I have sat in on one to many Red/Blue/CTF games where the Red team
> > > > > > gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Able, Ettercap,
> > > > > > Dsniff, Hydra, 0phcrack, Nmap, BT4 and various torture techniques (including
> > > > > > IronGeek's rubber hoses) and the the Blue team gets....
> > > > > >
> > > > > > "An un-patched Windows 2000 box and a slew of un-patched
> > > > > > software!!!!!''
> > > > > >
> > > > > > Please see the following video for reference:
> > > > > >
> > > > > > http://www.youtube.com/watch?v=Y77n--Af1qo
> > > > > >
> > > > > > Yea..  Thats right.... As of today the Blue Team is what you get
> > > > > > assigned to when you are caught stuffing peas up your nose.
> > > > > >
> > > > > > This stops today!!!
> > > > > >
> > > > > > There are a few rules.  Tricks and scripts must be able to run at the
> > > > > > command line of your operating system of choice and all tools must be
> > > > > > freeware or open source.
> > > > > >
> > > > > > Thats it!!!
> > > > > >
> > > > > > Look, the Blue Team *can* rock!!!  So please share your tricks.
> > > > > >
> > > > > > I am going to collect and add to them so we have a solid list and this
> > > > > > will serve as the playbook for the Blues going forward.
> > > > > >
> > > > > > Be expecting this on the PDC site soon.
> > > > > >
> > > > > > strandjs
> > > > > >
> > > > > > _______________________________________________
> > > > > > Pauldotcom mailing list
> > > > > > Pauldotcom at mail.pauldotcom.com
> > > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > > Main Web Site: http://pauldotcom.com
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Pauldotcom mailing list
> > > > > Pauldotcom at mail.pauldotcom.com
> > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > Main Web Site: http://pauldotcom.com
> > > >
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090729/dbed5ae1/attachment.htm