I wanted to address one of my major concerns over the past few months. REd Team vs BLue Team events, or REBL. It seems to me that every CTF/REBL event the Blue Team gets a bunch of un-patched systems. Most of the time the Blue team fumbles around trying to fight off the attackers for quite some time before they get their feet under them, but they often do get it. We are currently having a very conversation on this topic on the PaulDotCom mailing list. So far we have had some great recommendations about techniques that the Blue Team can use as leverage in these events.
Russell Butturini had a great run at some recommendations and I wanted to share them with all of you:
“On the Windows side, off the top of my head without looking at the links (so if any of these are repeats from the links below I apologize), from the CLI:
1. Capturing the date and time on the system for establishing timelines-date /t and time /t
2. Enumerating local accounts-net users
3. Enumerating users and IPs remotely connected to system resources-net sessions
4. Enumerating local groups/members of local groups-net localgroup and net localgroup groupname
5. Networking “stuff”-ipconfig and its many switches, like ipconfig /displaydns to show the DNS cache.
6. ARP table enumeration-arp -a
7. Linking open TCP/UDP connections to the processes that spawned them: netstat -anob
8. Displaying the routing table-route print or netstat -r (I think this one has cleaner more detailed output)
9. Enumeration of the hosts file from the command line-type %systemroot%\system32\drivers\etc\hosts
10. Viewing firewall status/making firewall changes-netsh firewall show state/show service for verifying status, a myriad of other commands for manipulating and opening/closing ports and adding deny rules from the CLI.
11. Enumerating mapped drives-net use
12. Enumerating the NetBIOS name cache-nbtstat -c
13. Task enumeration using built in tools (depends on how “modern” the OS we are working with is)-tasklist (tasklist /svc gives us the associated services running from each process)
14. Service manipulation from the command line-sc query, sc start, sc pause, etc.
15. Find group polices applied to a machine-gpresult (requires different command line switches if Vista/server 2k8), apply new policies to a machine in a hurry-gpupdate /force, need to use secedit with different switches if earlier than Windows XP/2003
16. Enumerate drivers on a machine in use-driverquery
17. Enumeration of system variables/Setting new system variables-set
18. Enumeration of scheduled tasks-at/schtasks
19. Registry manipulation-reg
20. Manipulate printers on a machine-Use the VBScript in the System32 folder prnmngr.vbs for enumeration and changes.
21. Verify the OS build-ver
22. Review the event logs-use the eventquery.vbs script located in the System32 folder”
This is a great start, but we need to go deeper. It would be easy for the Blue Team to bitch that we need AV and we need IDS, but I think that is a cop-out. Take this suggestion from Nathan Sweaney and Dave Hull:
route add att.ack.ers.ip mask 255.255.255.255 att.ack.ers.ip
In the real world we cannot count on these tools to be 100% effective. Rather than complain, we need to focus on how we can win in this type of environment. We need to learn to “live off the land” and work with what is given us. Expect more on this topic over the next few months. I am hoping on creating a “Spy vs. Spy” series with Carlos where he develops an attack and I will work on the detection and the defense of the attack.
Till then, subscribe to the PaulDotCom mailing list and join the discussion.
-strandjs (aka Fr. John)