Microsoft Windows Defender Bypass (Research)

GMER

  • http://www.gmer.net/

Fancy Defender evasion? RegLoadKey, RegUnloadKey or NtLoadKey, NtUnloadKey

1. Export CurrentControlSet to a file (e.g. with reg export)
2. Edit the key paths in the file so they name a new ControlSet (e.g. ControlSet003) instead of CurrentControlSet
3. Import the file; the rewritten paths create the new ControlSet
4. Change the "Select" values (Default) so the new ControlSet is loaded at the next boot
5. Reboot

https://www.linkedin.com/posts/grzegorztworek_fancy-defender-evasion-yet-another-method-ugcPost-7090917993022443520-YXY9
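The five steps above as an added example, scripted in Python on top of reg.exe and the winreg module. This is not code from the post or from GMER. Assumptions the post does not state: the new set number (3) is free, the only edit made to the exported file is the key-path rewrite that the import needs, and no value inside the copied set is changed. retarget_reg_export() and control_sets_in_file() run anywhere; clone_current_control_set() needs an elevated prompt on Windows.

```python
"""Added example, not code from Grzegorz Tworek's post: the five ControlSet
steps scripted with reg.exe and winreg.

Assumptions the post does not state: the new set number (3) is free, the only
edit made to the exported file is the key-path rewrite that step 3 needs, and
no value inside the copied set is changed. Only retarget_reg_export() and
control_sets_in_file() are platform independent; clone_current_control_set()
needs an elevated prompt on Windows.
"""
import os
import subprocess
import sys

HIVE_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM"


def retarget_reg_export(reg_text: str, new_set: int) -> str:
    """Step 2: rewrite every key header of a .reg export so that it names
    ControlSet00N instead of the CurrentControlSet symlink.

    Only bracketed key headers are touched. REG_SZ data that happens to contain
    the string "CurrentControlSet" is left alone, so no value is silently changed.
    """
    old = f"[{HIVE_PREFIX}\\CurrentControlSet"
    new = f"[{HIVE_PREFIX}\\ControlSet{new_set:03d}"
    lines = []
    for line in reg_text.splitlines():
        if line.startswith(old):
            line = new + line[len(old):]
        lines.append(line)
    return "\r\n".join(lines) + "\r\n"  # reg.exe writes CRLF; keep it that way


def control_sets_in_file(reg_text: str) -> set:
    """Names of the top-level SYSTEM subkeys a .reg file writes to. This is the
    check that step 2 rewrote every header before step 3 imports the file."""
    names = set()
    prefix = "[" + HIVE_PREFIX + "\\"
    for line in reg_text.splitlines():
        if line.startswith(prefix):
            names.add(line[len(prefix):].split("\\", 1)[0].rstrip("]"))
    return names


def clone_current_control_set(new_set: int, work_dir: str) -> dict:
    """Steps 1 to 4 on Windows. Returns the Select values after the change so
    the operator can see which set the next boot will load."""
    if sys.platform != "win32":
        raise RuntimeError("needs Windows and an elevated prompt")
    import winreg  # Windows-only module, imported lazily

    target = f"ControlSet{new_set:03d}"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        count = winreg.QueryInfoKey(system)[0]
        if target in {winreg.EnumKey(system, i) for i in range(count)}:
            raise RuntimeError(f"{target} already exists; pick another number")

    exported = os.path.join(work_dir, "ccs.reg")
    retargeted = os.path.join(work_dir, f"{target}.reg")

    # 1. Export CurrentControlSet to a file (reg.exe writes UTF-16 with a BOM).
    subprocess.run(["reg.exe", "export", r"HKLM\SYSTEM\CurrentControlSet",
                    exported, "/y"], check=True)

    # 2. Edit the key paths in the file and confirm nothing else is targeted.
    with open(exported, encoding="utf-16") as fh:
        text = retarget_reg_export(fh.read(), new_set)
    if control_sets_in_file(text) != {target}:
        raise RuntimeError("export still references other SYSTEM subkeys")
    with open(retargeted, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)

    # 3. Import the file; the rewritten headers create the new ControlSet.
    subprocess.run(["reg.exe", "import", retargeted], check=True)

    # 4. Point Select\Default at the new set. The kernel reads Default at boot
    #    and rewrites Current to match once that set is the live one.
    #    Step 5 (reboot) is left to the operator: shutdown /r /t 0
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\Select", 0, access) as sel:
        winreg.SetValueEx(sel, "Default", 0, winreg.REG_DWORD, new_set)
        return {n: winreg.QueryValueEx(sel, n)[0]
                for n in ("Current", "Default", "LastKnownGood")}


if __name__ == "__main__":
    # Constructed miniature of a reg.exe export, so step 2 can be seen offline.
    SAMPLE = (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet]\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Example]\r\n"
        "\"Start\"=dword:00000002\r\n"
    )
    print(retarget_reg_export(SAMPLE, 3))
```

Two practitioner notes. First, reg.exe export may not be able to read every subkey under CurrentControlSet even from an elevated prompt, so the copied set is not guaranteed to be complete; check the import output. Second, the procedure leaves clear traces: a new HKLM\SYSTEM\ControlSet00N key and a value write to HKLM\SYSTEM\Select\Default (Sysmon Event ID 12 and 13 respectively, if those paths are in the Sysmon configuration), plus reg.exe export/import process creation, which is what a detection for this technique should key on.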

CrowdStrike Bypass

  • https://www.horangi.com/blog/bypassing-crowdstrike-falcon
  • https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/
  • https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/
  • https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf
  • https://twitter.com/NinjaParanoid
  • https://bruteratel.com/tabs/features/

Red Team Tools

  • Sliver – https://github.com/BishopFox/sliver
  • Mythic – https://github.com/its-a-feature/Mythic
  • Covenant – https://github.com/cobbr/Covenant

Reference

  • http://www.detectx.com.au/bypass-av-edr-remoting/
  • http://www.detectx.com.au/bypassing-av/
  • https://securitytrails.com/blog/red-team-tools
  • https://cybersecuritynews.com/red-team-tools/
  • https://github.com/A-poc/RedTeam-Tools
  • https://www.pluralsight.com/paths/red-team-tools
  • https://bishopfox.com/blog/9-red-team-tools
  • https://www.techtarget.com/searchsecurity/tip/5-open-source-offensive-security-tools-for-red-teaming

National CyberWatch Center

CLARK is the largest platform that provides FREE cybersecurity curriculum. It is home to high-value, high-impact cyber curriculum created by top educators and reviewed for relevance and quality. Whether you’re looking to teach something new tomorrow, align with curriculum guidelines and standards, or refine your current course, CLARK has free resources ready for you to use!

https://clark.center/details/cobrien/0e116db4-cf8d-409b-adf8-9744f62ebc27

Cyber Security Software Vendor, Partner and Distributor Strategy.

Channel distribution strategy for cyber security software in the context of Managed Security Services, including competitive incentives such as Market Development Funding (MDF), Deal Registration, and more:

Understanding the principles of creating a high-performance channel, and best practices for managing your partners, MSPs and MSSPs, in order to increase your revenue through an indirect model.

Traits of Effective Channel Managers

  • Substance: Demonstrate an understanding of your partners' needs, and present your technology and programs in a manner that makes them want to engage with you.
  • Structure: Adopt a structured framework and methodology for developing your channel strategy, to recruit, develop, enable and manage high-performing partners.
  • Style: Establish a relationship with your partners by adopting the appropriate approach to engage with senior stakeholders and deal with difficult situations.

DynamicDSI Model

  1. Channel Partner Selection:
    • Identify potential channel partners that specialize in Managed Security Services and have a strong customer base.
    • Evaluate their technical expertise, market reach, customer satisfaction, and financial stability to ensure they align with your product and business goals.
  2. Partner Onboarding and Enablement:
    • Provide comprehensive training and certification programs to empower partners with in-depth knowledge of your Cyber Security Software and its value proposition.
    • Offer technical documentation, sales collateral, and product demos to aid their understanding and promote effective sales pitches.
    • Conduct regular webinars and workshops to keep partners updated on new features, updates, and industry trends.
  3. Competitive Incentives:
    • Market Development Funding (MDF): Allocate a portion of your marketing budget to support joint marketing activities with partners. Offer co-branded marketing materials, campaigns, events, and lead generation programs.
    • Deal Registration: Implement a deal registration program to reward partners who proactively identify and register sales opportunities. Provide them with exclusive access to pricing discounts, protection from channel conflict, and priority support.
    • Volume Rebates
    • Performance-Based Rewards: Set up a tiered partner program that offers escalating rewards based on partner performance, including sales targets, customer satisfaction, and product adoption metrics. Rewards may include enhanced margins, exclusive access to beta versions, or early access to new features.
    • Certification-based Rebate Tiers
  4. Channel Marketing Support:
    • Provide partners with customizable marketing materials, such as white papers, case studies, and solution briefs, that they can use to educate prospects and differentiate themselves in the market.
    • Offer co-branded demand generation campaigns, including email templates, landing pages, and social media assets, to drive awareness and generate leads.
    • Facilitate joint marketing events, such as webinars, seminars, and conferences, where partners can showcase your Cyber Security Software and engage with potential customers.
    • Round Tables
      • Industry Specific Event Marketing
      • Threat landscape Insight Webinars
  5. Channel Support and Collaboration:
    • Establish a dedicated channel support team to provide timely assistance to partners regarding technical queries, pre-sales support, and post-sales implementation.
    • Foster open communication channels with partners, such as partner portals or online communities, to facilitate knowledge sharing, collaboration, and feedback.
    • Encourage regular business reviews with partners to discuss performance, address concerns, and identify opportunities for improvement.
  6. Continuous Partner Development:
    • Conduct regular training sessions, workshops, and webinars to enhance partner skills and knowledge in emerging cyber security trends and technologies.
    • Provide beta access to new product features and encourage partners to provide feedback and suggestions for improvement.
    • Recognize and reward top-performing partners through awards, incentives, and public recognition.
  7. Partner Recognition
    • Rewards
    • Certification
    • Annual Events
  8. Partner Maturity Matrix and Model ( Journey )

Remember to adapt and customize this strategy based on your specific business goals, target market, and competitive landscape. Regularly assess the effectiveness of the program and make adjustments as needed to maximize channel partner engagement and revenue generation.

References

  • Market Development Fund
  • Usage and Software Credits
  • Free Software to develop Professional Service and Managed Services
  • ToolKit
    • Managed Service Agreement
    • Statement of Services Examples
    • Marketing Fund
    • Market Development Fund
    • Rebate Program
    • Awards and Events
    • Certification Training e-learning
    • Deal Registration
    • Startup Funding examples

Malware Analysis Course and Certification

1) Ultimate Malware Analysis by Zero2Automated
https://lnkd.in/dN7v2zNj

2) Practical Junior Malware Research by TCM Security
https://lnkd.in/dR6mTmQ8

3) GIAC Reverse Engineering Malware (GREM) by SANS
https://lnkd.in/d6UvAbun

4) Certified Malware Analyst by Ethical Hackers Academy
https://lnkd.in/dt3xQFQT

5) Malware Analysis by Red Team Academy
https://lnkd.in/duBMbZV8

6) Malware Analysis Course by Black Storm Security
https://lnkd.in/dwhn_uuH

7) Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software 
https://lnkd.in/dmyhKDBV

8) Malware Analysis Fundamentals by LetsDefend
https://lnkd.in/dSDUeyP7

9) Malware Analysis Detection Engineering
https://lnkd.in/dSEA37wQ

10) Malware Analysis Master by Mandiant
https://lnkd.in/dNM54d2C

11) CS6038/CS5138 Malware Analysis
https://class.malware.re/

12) Malware Analysis CSCI 4976 by RPISEC
https://lnkd.in/dC7kZkAK

13) Reverse Engineering 101 by Malware Unicorn
https://lnkd.in/dwGu22if

14) Purple Team Analyst by CyberwarfareLabs
https://lnkd.in/dBAqYG3j

Information Security Risk Assessment Checklist: Risk Assessment and Analysis Methods: Qualitative and Quantitative

Information Security Risk Assessment Checklist

  • Framing Risk
    • Understand the business
    • Define & document the environment
    • Decide Risk Assessment Approach
    • Define how risk decisions will be made
    • Qualitative vs Quantitative vs Semi-quantitative
  • Identifying Risk
    • Document threat environment
    • Identify threat scenarios & actors
    • Identify vulnerabilities
    • Calculate likelihood & Impact
    • Consider current security controls
  • Responding to Risk
    • Document risk remediation plans
    • Accept, Mitigate, Avoid, or Transfer
    • Derive Risk Ratings
    • Focus on High Risk first
  • Monitoring Risk
    • Perform effective monitoring
    • Monitor high risks for remediation
    • Track risks over time
    • Perform audits ensuring risk treatment
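The "Calculate likelihood & Impact", "Derive Risk Ratings" and "Accept, Mitigate, Avoid, or Transfer" items of the checklist, carried through both ways (quantitative SLE/ALE and a qualitative likelihood x impact matrix) as an added example. This is not code from the checklist or from any of the references listed below; the register entries, asset values, exposure factors, occurrence rates, control costs, the 5x5 banding and the decision rule are all illustrative assumptions.

```python
"""Added example, not from the checklist or its references: likelihood and
impact, risk ratings and the response decision over a constructed three-entry
risk register. All figures and the decision rule are illustrative."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    asset_value: float         # value of the affected asset (currency units)
    exposure_factor: float     # fraction of that value lost per occurrence, 0..1
    aro: float                 # annualised rate of occurrence (events per year)
    likelihood: int            # qualitative 1 (rare) .. 5 (almost certain)
    impact: int                # qualitative 1 (negligible) .. 5 (severe)
    control_cost: float = 0.0  # annual cost of the proposed control
    ef_after: Optional[float] = None  # exposure factor with the control in place


def sle(r: Risk) -> float:
    """Single loss expectancy: what one occurrence costs."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk, exposure_factor: Optional[float] = None) -> float:
    """Annualised loss expectancy: SLE x ARO (optionally with a different EF)."""
    ef = r.exposure_factor if exposure_factor is None else exposure_factor
    return r.asset_value * ef * r.aro


def control_value(r: Risk) -> float:
    """Annual benefit of the control: ALE before - ALE after - control cost.
    Positive means the control pays for itself; no control proposed gives 0."""
    if r.ef_after is None:
        return 0.0
    return ale(r) - ale(r, r.ef_after) - r.control_cost


def qualitative_rating(r: Risk) -> str:
    """Likelihood x impact on a 5x5 matrix, banded into three ratings
    (assumed bands: 15+ High, 8-14 Medium, below 8 Low)."""
    score = r.likelihood * r.impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def recommend(r: Risk, appetite: float) -> str:
    """Illustrative decision rule for the 'Responding to Risk' step: mitigate
    when the control pays for itself, accept what sits within the annual
    appetite, otherwise avoid High-rated risks and transfer (insure) the rest."""
    if control_value(r) > 0:
        return "Mitigate"
    if ale(r) <= appetite:
        return "Accept"
    if qualitative_rating(r) == "High":
        return "Avoid"
    return "Transfer"


def prioritise(register: List[Risk]) -> List[Risk]:
    """'Focus on High Risk first': rating band first, then ALE within a band."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(register, key=lambda r: (order[qualitative_rating(r)], -ale(r)))


# Constructed register; every figure is invented for illustration.
REGISTER = [
    Risk("Ransomware on the file server", 500_000, 0.6, 0.2, 4, 5, 20_000, 0.1),
    Risk("Laptop theft", 3_000, 1.0, 2.0, 4, 2, 500, 0.2),
    Risk("Datacentre flood", 2_000_000, 0.8, 0.02, 1, 5, 150_000, 0.4),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:32} {qualitative_rating(r):6} SLE={sle(r):>11,.0f} "
              f"ALE={ale(r):>9,.0f} control={control_value(r):>+10,.0f} "
              f"-> {recommend(r, appetite=10_000)}")
```

The point the two methods make together: the flood has by far the largest single loss (SLE 1.6M) but a low annualised loss because it is rare, and the proposed control costs more per year than it saves, so the numbers argue for transfer rather than mitigation. Rating bands and appetite are policy inputs from the "Framing Risk" step; change them and the recommendations change with them.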

Threat modeling, the cloud, and shared responsibility

An interesting aspect of cloud-related threat models is that the threats must be weighed against the shared responsibility model, which differs per cloud provider and per service.

If a key output of any threat modeling exercise is a set of identified threats, then the ideal state for any threat is that you eliminate it completely by way of design, engineering, or otherwise. Of course, the value of threat modeling is that you not only identify threats that you can eliminate, but that you make thoughtful decisions about how to deal with the remaining threats that you cannot.


In this model, threats end up in one of three states:

  • Green, which is as good as it gets for a threat you can’t eliminate outright. If controls are available, it is worth asking whether they can be applied in a way (e.g., restrictive defaults or policies) that eliminates the threat and removes it from the grid entirely.
  • Yellow, which is probably the most common. In this state, you’re able to rely on either security controls or on monitoring. The catch with relying solely on monitoring to mitigate a threat is that monitoring is only an effective mitigation when coupled with detection (knowing the threat occurred) and response (doing something about it).
  • Red, which should leave you questioning your design, your cloud provider, or both. Threats in this state require putting significant trust in your cloud provider and the security inherent to their platform, as well as in your own ability to engineer for safety.

Reference:

  • https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods
  • https://blog.netwrix.com/2020/07/24/annual-loss-expectancy-and-quantitative-risk-analysis/
  • https://www.netwrix.com/information_security_risk_assessment_checklist.html
  • https://www.slideteam.net/risk-analysis-powerpoint-presentation-slides.html#images-10
  • ISO 27001:2022 Lead Implementer https://www.udemy.com/course/information-security-for-beginners/

How to conduct a Business Impact Analysis

Step-by-step procedure and a set of questions to conduct a Business Impact Analysis (BIA):

What is a Business Impact Analysis

A Business Impact Analysis, or BIA, predicts how disruptions will impact a business’ critical business functions (CBF) and what the likely outcomes of those disruptions would be. As potential loss scenarios are identified, this deep dive into your business can also offer recovery strategies, including the order in which critical functions and processes are restored. 

Consider the Impact

The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:

  • Lost sales and income
  • Delayed sales or income
  • Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
  • Regulatory fines
  • Contractual penalties or loss of contractual bonuses
  • Customer dissatisfaction or defection
  • Delay of new business plans

Business Disruption Scenarios

  • Physical damage to a building or buildings
  • Damage to or breakdown of machinery, systems or equipment
  • Restricted access to a site or building
  • Interruption of the supply chain including failure of a supplier or disruption of transportation of goods from the supplier.
  • Utility outage (e.g., electrical power outage)
  • Damage to, loss or corruption of information technology including voice and data communications, servers, computers, operating systems, applications, and data
  • Absenteeism of essential employees.

Procedure for Conducting a Business Impact Analysis:

  1. Define the Scope: Determine the boundaries and objectives of the BIA. Identify the critical business processes, systems, and resources that will be analyzed.
  2. Assemble the BIA Team: Form a cross-functional team comprising representatives from different departments, including key stakeholders, subject matter experts, and IT personnel.
  3. Identify Potential Disruptions: Brainstorm and document a comprehensive list of potential threats or events that could disrupt business operations. This may include natural disasters, cyberattacks, equipment failures, or supply chain disruptions.
  4. Assess Impacts: For each potential disruption, analyze the potential impacts on the critical business processes and resources. Consider the following areas:
    • Operational Impact: How will the disruption affect day-to-day business operations?
    • Financial Impact: What are the financial consequences, including revenue loss, increased expenses, or insurance claims?
    • Customer Impact: How will customers be affected? What are the potential reputational impacts?
    • Legal and Regulatory Impact: Are there any legal or regulatory requirements that may be impacted?
    • Employee Impact: What are the potential effects on employees, such as safety concerns, workload, or morale?
  5. Determine Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): Define the acceptable downtime and data loss limits for each critical business process or resource. This will help prioritize recovery efforts and allocate resources effectively.
  6. Identify Dependencies: Identify the dependencies between critical business processes, systems, and resources. This includes dependencies on suppliers, IT infrastructure, personnel, or other external factors.
  7. Document Findings: Compile all the information gathered during the analysis, including the identified risks, impacts, dependencies, and recovery objectives. Document these findings in a clear and organized manner.
  8. Review and Validate: Review the documented findings with the BIA team and other relevant stakeholders to ensure accuracy and completeness. Validate the findings against available data and industry best practices.
  9. Identify Mitigation Strategies: Based on the BIA findings, develop mitigation strategies to minimize the potential impacts of disruptions. This may include implementing redundant systems, backup processes, contingency plans, or alternative suppliers.
  10. Communicate and Document: Share the BIA report and its findings with key decision-makers, stakeholders, and relevant personnel. Maintain proper documentation of the BIA process and outcomes for future reference and updates.
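Steps 5 and 6 of the procedure produce two things a BIA report actually needs: a restoration order and a check that the RTOs are achievable given the dependencies. The following is an added example, not part of the procedure above or of any BIA template: a constructed register of critical business functions (names, RTO/RPO figures and dependencies are invented), sorted into restoration order with a dependency-first topological sort that restores the tightest RTO first when several functions are ready, and a check for functions whose RTO is shorter than that of something they depend on.

```python
"""Added example, not from the BIA procedure above: restoration order and an
RTO consistency check over a constructed register of critical business
functions. Names and hour figures are invented for illustration."""
from collections import namedtuple
import heapq

# rto_hours: acceptable downtime; rpo_hours: acceptable data loss;
# depends_on: functions that must be restored before this one.
CBF = namedtuple("CBF", "rto_hours rpo_hours depends_on")

FUNCTIONS = {
    "network":     CBF(1, 24, set()),
    "identity":    CBF(1, 1, {"network"}),
    "storage":     CBF(2, 0.25, {"network"}),
    "erp-db":      CBF(1, 0.25, {"storage"}),   # tighter RTO than storage: a conflict
    "order-entry": CBF(4, 1, {"identity", "erp-db"}),
    "payroll":     CBF(48, 24, {"identity", "erp-db"}),
}


def rto_conflicts(functions):
    """Step 6 check: a function cannot meet its RTO when something it depends
    on is allowed to stay down longer. Returns (function, dependency) pairs."""
    out = []
    for name, cbf in functions.items():
        for dep in cbf.depends_on:
            if functions[dep].rto_hours > cbf.rto_hours:   # KeyError = unknown dependency
                out.append((name, dep))
    return sorted(out)


def restoration_order(functions):
    """Kahn's topological sort: dependencies first, and among the functions
    that are ready at any moment, the one with the shortest RTO first."""
    indegree = {name: len(cbf.depends_on) for name, cbf in functions.items()}
    dependents = {name: [] for name in functions}
    for name, cbf in functions.items():
        for dep in cbf.depends_on:
            dependents[dep].append(name)

    ready = [(cbf.rto_hours, name) for name, cbf in functions.items()
             if indegree[name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for nxt in dependents[name]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                heapq.heappush(ready, (functions[nxt].rto_hours, nxt))
    if len(order) != len(functions):
        raise ValueError("circular dependency in the register")
    return order


def tightest_rpo(functions):
    """The shortest RPO in the register: the backup interval the plan must support."""
    return min(cbf.rpo_hours for cbf in functions.values())


if __name__ == "__main__":
    print("restore in this order:", " -> ".join(restoration_order(FUNCTIONS)))
    for fn, dep in rto_conflicts(FUNCTIONS):
        print(f"RTO conflict: {fn} ({FUNCTIONS[fn].rto_hours}h) depends on "
              f"{dep} ({FUNCTIONS[dep].rto_hours}h)")
    print("backup interval needed (hours):", tightest_rpo(FUNCTIONS))
```

The conflict check is the part worth keeping in a real BIA: an RTO agreed with a business owner is meaningless if an upstream dependency, usually infrastructure owned by someone else, has a longer one. Either the dependency's RTO is tightened or the downstream objective is renegotiated before the report is signed off.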

Questions to Ask During a Business Impact Analysis:

  1. What are the critical business processes and resources that must be analyzed?
  2. What potential threats or events could disrupt these critical processes and resources?
  3. How would each potential disruption impact the day-to-day operations of the organization?
  4. What are the financial consequences of each disruption? Are there any revenue losses or increased expenses?
  5. How would customers be affected by each potential disruption? What are the potential reputational impacts?
  6. Are there any legal or regulatory requirements that may be impacted by the disruptions?
  7. What are the potential effects on employees, such as safety concerns, workload, or morale?
  8. What are the acceptable downtime limits for each critical process or resource (RTO)?
  9. What are the acceptable limits for data loss for each critical process or resource (RPO)?
  10. Are there any dependencies between critical processes, systems, or resources? If so, what are they?
  11. How can the organization minimize the potential impacts of disruptions? What mitigation strategies can be implemented?
  12. How can redundant systems, backup processes, or contingency plans be leveraged to ensure business continuity?
  13. Are there alternative suppliers or resources that can be used in case of disruptions?
  14. How can the organization communicate the BIA findings to

Shift-Left / DEVSECOPS / SDLC / SecureStack

HoneyPot Pipeline

1. Running a Cowrie ssh honeypot
2. Using Thug as a Javascript client honeypot
3. Running Snare/Tanner web honeypot
4. Running Opencanary a low interaction honeypot

Reference

Detection Engineering in Azure & Introducing AzDetectSuite

Azure Threat Research Matrix and AzDetectSuite

The Azure Threat Research Matrix (ATRM) highlights the techniques an adversary could abuse within Azure and Azure AD. Its immediate purpose is to give clients an idea of what abuse scenarios exist when they decide to use a certain resource or feature.

AzDetectSuite is a project created to allow Azure users to establish a basic defense within Azure by providing pre-built KQL queries for each technique within ATRM, deployable as alerts in Azure Monitor. Within ATRM, most (85%+) techniques have a KQL query and a button that deploys the query to the reader's Azure subscription.

The queries live within a publicly available GitHub repository and can openly be reviewed, pull-requested, and critiqued. These queries are not "one-size-fits-all" and are mostly geared towards smaller environments, since they alert on fairly basic telemetry, so use them at your own discretion. The repository also contains a PowerShell script, Invoke-AzDetectSuite.ps1, which will import an entire tactic’s detections for every technique within it, or it can also just import all available

AzDetectSuite vs Microsoft Defender for Cloud

AzDetectSuite (ADS) is not meant to compete with Microsoft Defender for Cloud (MDC). MDC provides advanced detections based on your subscription plan and gives more granular control based on the telemetry in a tenant. ADS is meant to be an open source suite of basic detections for the techniques found within ATRM, since MDC is not comprehensive in its coverage of those techniques. MDC’s capabilities far exceed ADS: it is a subscription-based service with more insight into a resource’s telemetry than is exposed to users. ADS, in comparison, is open source and targeted at smaller environments that want to ensure their resources are secure from potential abuse. ADS also has some detections that rely on agents. For example, combined with PowerShell script block logging, one ADS detection will tell you what command was run when someone uses RunCommand on an Azure VM. For larger environments, it is recommended to go through ADS and determine which detections suit your environment and may complement MDC’s detections.

In Azure, logs are centralized to Azure Monitor. Azure Monitor will ingest data from hundreds of log sources.  These sources range from the general Azure Log (AzureActivity) to more detailed logs, such as Service Principal Sign-Ins (AADServicePrincipalSignInLogs). Writing a basic detection for Azure is very easy, so it is necessary to ask a few questions before developing a detection:

1. How broad should this detection be?

  • General alert on a single action
  • Specific alert when an action meets a certain condition

2. What are you trying to alert on?

  • An action in a Resource?
  • Whenever a user or service principal logs in?
  • Whenever a new resource is created?

3. Does the resource action ever occur legitimately?

  • Part of sysadmin’s routines
  • Can you minimize false positives through more granular data?

4. What steps should be taken once the alert fires?

  • Enable a runbook?
  • Email/Text appropriate parties

Using Kusto Query Language (KQL), a basic detection for something such as RunCommand on a Virtual Machine looks like this:

AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION'

Here ‘AzureActivity’ is the log table, and its rows are filtered to those whose OperationNameValue property equals ‘MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION’.
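The same detection evaluated over sample log rows, as an added example that is not part of AzDetectSuite or ATRM. It reproduces the one-line KQL filter above in Python, then narrows it the way question 3 asks (does the action occur legitimately, and can more granular data cut the false positives?). OperationNameValue, Caller, CallerIpAddress, ActivityStatusValue and ResourceGroup are real AzureActivity columns; the rows, identities, addresses and the allow-list are constructed for the example.

```python
"""Added example, not part of AzDetectSuite: the RunCommand detection run as
plain Python over a constructed AzureActivity sample, plus a tuned version.
Column names are real AzureActivity columns; all row contents are invented."""

RUNCOMMAND = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"

# Constructed slice of the AzureActivity table. The Activity log writes a
# "Start" row and a completion row for the same long-running operation.
ACTIVITY = [
    {"TimeGenerated": "2023-08-01T09:12:00Z", "OperationNameValue": RUNCOMMAND,
     "Caller": "patching-automation@contoso.com", "CallerIpAddress": "10.0.4.12",
     "ActivityStatusValue": "Start", "ResourceGroup": "PROD-RG"},
    {"TimeGenerated": "2023-08-01T09:12:40Z", "OperationNameValue": RUNCOMMAND,
     "Caller": "patching-automation@contoso.com", "CallerIpAddress": "10.0.4.12",
     "ActivityStatusValue": "Success", "ResourceGroup": "PROD-RG"},
    {"TimeGenerated": "2023-08-01T09:15:00Z",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "Caller": "alice@contoso.com", "CallerIpAddress": "10.0.4.20",
     "ActivityStatusValue": "Success", "ResourceGroup": "PROD-RG"},
    {"TimeGenerated": "2023-08-01T23:40:00Z", "OperationNameValue": RUNCOMMAND,
     "Caller": "contractor@external.example", "CallerIpAddress": "203.0.113.7",
     "ActivityStatusValue": "Success", "ResourceGroup": "PROD-RG"},
    {"TimeGenerated": "2023-08-01T23:41:00Z", "OperationNameValue": RUNCOMMAND,
     "Caller": "patching-automation@contoso.com", "CallerIpAddress": "203.0.113.7",
     "ActivityStatusValue": "Success", "ResourceGroup": "PROD-RG"},
]

# Constructed allow-list: (identity, source address) pairs that run commands as
# part of a sysadmin routine. Both halves must match for a row to be suppressed.
ROUTINE = {("patching-automation@contoso.com", "10.0.4.12")}


def basic_detection(rows):
    """AzureActivity | where OperationNameValue == '<RUNCOMMAND>'"""
    return [r for r in rows if r["OperationNameValue"] == RUNCOMMAND]


def tuned_detection(rows, routine=ROUTINE):
    """Same operation, narrowed with more granular data: drop the duplicate
    "Start" rows, and suppress only when caller AND source address are routine,
    so a known automation identity used from a new network still alerts."""
    hits = []
    for r in basic_detection(rows):
        if r["ActivityStatusValue"] == "Start":
            continue
        if (r["Caller"], r["CallerIpAddress"]) in routine:
            continue
        hits.append(r)
    return hits


def alert_summary(hits):
    """What the notification (question 4) should carry: who, from where, how often."""
    counts = {}
    for r in hits:
        key = (r["Caller"], r["CallerIpAddress"], r["ResourceGroup"])
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items())


if __name__ == "__main__":
    print(f"basic detection: {len(basic_detection(ACTIVITY))} rows")
    for (caller, ip, rg), n in alert_summary(tuned_detection(ACTIVITY)):
        print(f"RunCommand by {caller} from {ip} in {rg}: {n}")
```

The basic filter fires four times on this sample, twice for one routine patching run. The tuned version fires twice, and one of those is the routine identity used from an address it has never used, which is exactly the case an allow-list on Caller alone would have hidden. In KQL the same narrowing is the one-liner above followed by `| where ActivityStatusValue != "Start"` and `| where not(Caller == "patching-automation@contoso.com" and CallerIpAddress == "10.0.4.12")`.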

Reference