TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Black Hills InfoSec

Impacket Defense Basics With an Azure Lab

Kassie Kimball · 2022-07-26

ATT&CK techniques detected

9 predictions (ATT&CK technique · classifier confidence · supporting passage from the post)
T1557.001 Name Resolution Poisoning and SMB Relay · 89%
"…outside your networks. The next defense scenario attempts to mitigate MITRE ATT&CK T1557: Adversary in the Middle. https://attack.mitre.org/techniques/T1557/001/ From the LNK attack perspective, the adversary in the middle is parked somewhere on your network or do…"

T1558.003 Kerberoasting · 88%
"…es from a domain. This attack is classified as a sub-technique of MITRE ATT&CK T1558, Steal or Forge Kerberos Tickets. https://attack.mitre.org/techniques/T1558/003/ This one is great! Let's add an SPN to Luis' account which we created earlier and use that a…"

T1003.006 DCSync · 82%
"…I almost forgot to include this detection, thus the old screenshot below. However, you should treat Windows Event ID 4688 with invocations to start the RemoteRegistry service as worthy of investigation. The second secretsdump.py invocation is the NTDS.dit capture. This has th…"

T1525 Implant Internal Image · 75%
"Impacket Defense Basics With an Azure Lab. Overview: The following description of some of Impacket's tools and techniques is a tribute to the authors, SecureAuthCorp, and the open-source effort to maintain and extend the code. This is a…"

T1558.003 Kerberoasting · 59%
"…from the object's AD attributes. Get-ADUser -Identity dolabsanyread -Properties "ObjectGUID" Once you have the GUID, build your detection logic where the Windows Event ID is 4662 and the GUID we gathered from our decoy. Run BloodHound, ADExplorer, GetADUsers, whatever enu…"

T1558.004 AS-REP Roasting · 50%
"…material is still relevant. Some of the most basic detections, like object attribute reads by an attacker against controlled objects (or Kerberoasting them), can reduce our mean time to detection. GitHub: https://github.com/samratashok/Deploy-Deception Blog: https…"

T1558.003 Kerberoasting · 46%
"…material is still relevant. Some of the most basic detections, like object attribute reads by an attacker against controlled objects (or Kerberoasting them), can reduce our mean time to detection. GitHub: https://github.com/samratashok/Deploy-Deception Blog: https…"

T1003.001 LSASS Memory · 44%
"…activity. This is an IOC. This was an easy win. Create and alert on this type of activity. Defense? Seriously strong passwords. I am not talking about long organization-related scrapable or dictionary type passwords. I am talking 25 characters or more, multiple words, or random…"

T1003.004 LSA Secrets · 36%
"…activity. This is an IOC. This was an easy win. Create and alert on this type of activity. Defense? Seriously strong passwords. I am not talking about long organization-related scrapable or dictionary type passwords. I am talking 25 characters or more, multiple words, or random…"
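
Two of the quoted passages describe concrete detection logic: a Windows Event ID 4662 whose object GUID is the decoy account's ObjectGUID (the value Get-ADUser -Properties ObjectGUID returns), and a 4688 process start that brings up the RemoteRegistry service secretsdump.py depends on. The routine below applies both rules to a handful of constructed Security events. It is an added example written for this page, not code from the BHIS post, from Impacket or from Deploy-Deception; the decoy GUID, host and user names, the event field subset, the machine-account filter and the RemoteRegistry command-line patterns are all assumptions.

```python
"""Added example: two Security-log detections over constructed events.

Rule 1: Event ID 4662 where ObjectName is the decoy object's GUID.
Rule 2: Event ID 4688 whose command line starts the RemoteRegistry service.
"""
import re
from dataclasses import dataclass, field

# Hypothetical GUID standing in for what Get-ADUser -Properties ObjectGUID
# returns for the decoy account; replace with your own decoy's GUID.
DECOY_OBJECT_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"

# Command lines that start RemoteRegistry: a per-service svchost host process
# (what 4688 shows when the service is started through the Service Control
# Manager, which is how secretsdump.py reaches it), or an explicit sc/net start.
# These shapes are an assumption for the example, not taken from the post.
REMOTEREGISTRY_START = re.compile(
    r"(svchost\.exe.*\s-s\s+RemoteRegistry\b)"
    r"|(\bsc(\.exe)?\s+(\\\\\S+\s+)?start\s+RemoteRegistry\b)"
    r"|(\bnet(\.exe)?\s+start\s+RemoteRegistry\b)",
    re.IGNORECASE,
)


@dataclass
class SecurityEvent:
    """Subset of Security log fields these rules need (parsed from EVTX/XML upstream)."""
    event_id: int
    computer: str
    subject_user: str
    data: dict = field(default_factory=dict)


def normalize_guid(value: str) -> str:
    """4662 records the object as '%{guid}'; compare on the bare lowercase GUID."""
    return value.strip().strip("%{}").lower()


def decoy_reads(events, decoy_guid=DECOY_OBJECT_GUID, ignore_machine_accounts=True):
    """4662 events whose ObjectName is the decoy. Machine accounts (trailing '$')
    are dropped by default because DCs touch every object during replication;
    that is a tuning assumption of this example, not something the post states."""
    target = decoy_guid.lower()
    hits = []
    for ev in events:
        if ev.event_id != 4662:
            continue
        if ignore_machine_accounts and ev.subject_user.endswith("$"):
            continue
        if normalize_guid(ev.data.get("ObjectName", "")) == target:
            hits.append(ev)
    return hits


def remoteregistry_starts(events):
    """4688 events whose command line starts RemoteRegistry. CommandLine is only
    populated when 'Include command line in process creation events' is enabled;
    without it only NewProcessName (svchost.exe) is available, which is not enough."""
    return [ev for ev in events
            if ev.event_id == 4688
            and REMOTEREGISTRY_START.search(ev.data.get("CommandLine", ""))]


def run_detections(events, decoy_guid=DECOY_OBJECT_GUID):
    """Return (rule_name, computer, subject_user) for every alert, rule 1 first."""
    alerts = [("decoy_object_read", e.computer, e.subject_user)
              for e in decoy_reads(events, decoy_guid)]
    alerts += [("remoteregistry_started", e.computer, e.subject_user)
               for e in remoteregistry_starts(events)]
    return alerts


# Constructed sample events for this example; not real log data.
SAMPLE_EVENTS = [
    SecurityEvent(4662, "DC01", "luis",
                  {"ObjectName": "%{3F2504E0-4F89-11D3-9A0C-0305E82C3301}", "AccessMask": "0x10"}),
    SecurityEvent(4662, "DC01", "DC02$",  # replication noise from another DC
                  {"ObjectName": "%{3f2504e0-4f89-11d3-9a0c-0305e82c3301}", "AccessMask": "0x100"}),
    SecurityEvent(4662, "DC01", "svc_backup",  # read of an unrelated object
                  {"ObjectName": "%{11111111-2222-3333-4444-555555555555}", "AccessMask": "0x10"}),
    SecurityEvent(4688, "WS07", "SYSTEM",
                  {"NewProcessName": r"C:\Windows\System32\svchost.exe",
                   "CommandLine": r"C:\Windows\System32\svchost.exe -k localService -s RemoteRegistry"}),
    SecurityEvent(4688, "WS07", "luis",
                  {"NewProcessName": r"C:\Windows\System32\notepad.exe",
                   "CommandLine": "notepad.exe notes.txt"}),
    SecurityEvent(4688, "WS07", "jordan",
                  {"NewProcessName": r"C:\Windows\System32\sc.exe",
                   "CommandLine": r"sc \\WS07 start RemoteRegistry"}),
]

if __name__ == "__main__":
    for rule, host, user in run_detections(SAMPLE_EVENTS):
        print(f"ALERT {rule}: host={host} user={user}")
```

Run stand-alone, the sample set yields three alerts: Luis reading the decoy (the DC02$ read is suppressed by the machine-account filter) and the two RemoteRegistry starts. Two caveats matter in production: 4662 only fires for the decoy if the object's SACL audits reads of it, and the 4688 rule is blind until command-line logging is turned on.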

Summary

Jordan Drysdale // Overview The following description of some of Impacket’s tools and techniques is a tribute to the authors, SecureAuthCorp, and the open-source effort to maintain and extend the code. […]

The post Impacket Defense Basics With an Azure Lab appeared first on Black Hills Information Security, Inc.