related: CyberPatriot, CCDC
- Automate everything. CyberPatriot nationals sucked from the beginning because I couldn’t change all the default credentials with a script. The grace period was only 15 minutes and that wasn’t nearly enough to get familiar with the environment and change all the user passwords manually (also skill issue xd).
- Have a script that compares local accounts against the authorized-user list from the README/team packet and automatically deletes (or at least locks) the extras. Double-check the list before the first run: deleting a scored account loses points.
- Have a script to neutralize common misconfigurations (world-writable files, SUID binaries that shouldn’t be, NOPASSWD sudo entries, permissive SSH settings such as PermitRootLogin yes, anonymous FTP/SMB).
- Run enumeration commands and scripts on every system ASAP so you know what’s running and what’s vulnerable: netstat/ss for listening sockets, LinPEAS/WinPEAS for local misconfigurations and privilege-escalation paths, BloodHound for Active Directory attack paths, Nmap from another host to see what is actually exposed. Disable and remove unneeded services and fix the vulns/misconfigurations you find, checking the scored-services list before you kill anything.
- To look for webshells, recursively search the webroot with a regex for the functions webshells depend on (exec, shell_exec, system, passthru, eval, base64_decode in PHP; Runtime.exec/ProcessBuilder in JSP; WScript.Shell/Process.Start in ASP). Adapt the pattern to each language the site uses (PayloadsAllTheThings has example webshells per language to build patterns from). Legitimate code calls some of these too, so triage hits instead of deleting blindly.
- Update everything ASAP. Don’t let the red team exploit old service versions/known CVEs. Take a backup or snapshot first and re-check the scored services after the update.
- Monitor log-in sessions and users. Know how to kick users off: `w` (or `who`) shows each session’s user, TTY and source host; `pkill -HUP -t pts/N` (or `kill -HUP` on the session’s shell PID) ends that session. If they backgrounded something with nohup/tmux, SIGHUP alone won’t clear it, so follow up with `-KILL`, kill their other processes and change the credential they logged in with.
- Don’t provoke the red team. I repeatedly pranked red teamers by `cat /dev/urandom > /dev/pts/<insert-num>` and they demolished my ass by wiping the entire server.
- Have backups in a hidden place (off-box if you can), and test a restore once so you know they work.
- RTO
  - pass-the-hash: look for handles to LSASS. Credential-dumping tools have to open lsass.exe to read the hashes, so log process access to it (Sysmon Event ID 10, ProcessAccess) and alert on unexpected source processes; enabling LSA protection (RunAsPPL) stops non-protected processes from opening it at all.
  - Windows Defender Credential Guard if the system is Windows 10 or 11 (not every edition supports it and it needs virtualization-based security, so check before you count on it).
  - common AD stuff
    - ensure SMB signing is enabled, and actually required on both servers and clients; if it is merely enabled, NTLM relay to SMB still works
    - strongly monitor RC4 usage: it is the default ticket encryption type requested by AD offensive tools (overpass-the-hash with an NT hash can only produce RC4-HMAC, and Kerberoasting tools ask for RC4 because it cracks faster), so Event ID 4768/4769 with encryption type 0x17 in a domain whose accounts support AES is a strong signal
    - Kerberos attacks (Kerberoasting, AS-REP roasting)
    - …
- Tighten inbound rules: default deny, allow only the scored services plus your own management access. Confirm from the team packet which ports the scoring engine needs (and from which source addresses) before you lock down. Also be on the lookout for anyone changing the rules: dump the ruleset periodically and diff it against a saved baseline.
- Look for persistence: extra SSH authorized_keys entries (every user, not just root), suspicious cron jobs/systemd timers/services, a weird PAM stack (pam_permit.so marked sufficient, pam_exec.so hooks, modules with the wrong path or hash), and so on.
- Don’t be fooled by outside influences/social engineering. If some self-proclaimed CISO tells you to change all passwords to 8-digit numbers-only strings, kick that guy out of the room or something. Also don’t let anyone into the room.
- Make the webroot immutable when you can (`chattr +i` on Linux: an immutable directory refuses new entries, which stops uploaded webshells from landing). Root can still remove the flag, so this raises the bar rather than closing the door. Sites with upload functionality need their upload directory left writable: keep it out of the immutable set, make sure the web server won’t execute scripts from it, and keep scanning it.
- Once the initial rush to fix everything is over, switch to monitoring: auth logs for logins from unexpected hosts and failed-login bursts, web access logs for POSTs to files you don’t recognize, and the firewall ruleset and user list for drift from your baseline.
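The account-audit and credential-rotation script from the "automate everything" bullets, written out as an added example (this is not code from the original notes). It assumes the authorized-user list is a plain text file with one login per line and `#` comments, treats UID >= 1000 as human accounts, and honours `DRY_RUN=1` so you can see what it would do before it touches the box. The sample passwd/authorized files it builds are constructed test data.

```shell
#!/bin/sh
# Account audit + credential rotation for a competition box (added example).
# Assumptions: authorized list = one login per line ('#' comments allowed),
# human accounts = UID >= 1000, DRY_RUN=1 prints commands instead of running them.

# Print human login names (UID >= 1000, excluding the nobody accounts) from a passwd file.
list_human_users() {
    awk -F: '$3 >= 1000 && $1 != "nobody" && $1 != "nfsnobody" { print $1 }' "$1"
}

# Strip comments/blank lines from the authorized list into a temp file; prints its path.
clean_list() {
    t=$(mktemp)
    grep -Ev '^[[:space:]]*(#|$)' "$1" > "$t" || true
    printf '%s\n' "$t"
}

# unauthorized_users PASSWD AUTHORIZED: human users that are not on the authorized list.
unauthorized_users() {
    a=$(clean_list "$2")
    list_human_users "$1" | grep -vxF -f "$a" || true
    rm -f "$a"
}

# remove_users PASSWD AUTHORIZED: delete (with home dir) every unauthorized user.
remove_users() {
    unauthorized_users "$1" "$2" | while read -r u; do
        if [ "${DRY_RUN:-0}" = 1 ]; then printf 'userdel -r %s\n' "$u"; else userdel -r "$u"; fi
    done
}

# rotate_passwords PASSWD AUTHORIZED OUTFILE: a fresh 20-char random password for every
# authorized user, written as user:password lines (chpasswd format) to OUTFILE, mode 600,
# then applied with chpasswd unless DRY_RUN=1. Hand OUTFILE to the team, then shred it.
rotate_passwords() {
    a=$(clean_list "$2")
    ( umask 077; : > "$3" )
    list_human_users "$1" | grep -xF -f "$a" | while read -r u; do
        p=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20)
        printf '%s:%s\n' "$u" "$p" >> "$3"
    done
    rm -f "$a"
    [ "${DRY_RUN:-0}" = 1 ] || chpasswd < "$3"
}

# make_sample PASSWD_OUT AUTH_OUT: constructed sample inputs for a dry run (not real data).
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'mallory:x:1001:1001::/home/mallory:/bin/bash' \
        'bob:x:1002:1002::/home/bob:/bin/bash' > "$1"
    printf '%s\n' '# from the team packet' 'alice' '' 'bob' > "$2"
}

# Dry run against the constructed sample: AUDIT_DEMO=1 sh audit.sh
# Real use: DRY_RUN=1 remove_users /etc/passwd authorized.txt, then without DRY_RUN.
if [ "${AUDIT_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d); make_sample "$d/passwd" "$d/authorized"
    DRY_RUN=1
    remove_users "$d/passwd" "$d/authorized"            # prints: userdel -r mallory
    rotate_passwords "$d/passwd" "$d/authorized" "$d/newpw"; cat "$d/newpw"
fi
```

Run it once with `DRY_RUN=1` against `/etc/passwd` and the packet's list, read the `userdel` lines it prints, and only then run it for real; the rotation writes the new credentials to a 600-mode file so the team can copy them off before it is shredded.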
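The webshell hunt and the immutable-webroot bullets above, as one added example (not code from the original notes). It assumes GNU/BSD `find` and `grep`, an ext4/xfs filesystem for `chattr`, and `DRY_RUN=1` to print instead of act; the per-language regexes are starting points to adapt, and the mini webroot it builds is constructed test data with two planted shells.

```shell
#!/bin/sh
# Webshell hunt + webroot lock-down (added example). Patterns are heuristics:
# expect hits in legitimate code and triage them rather than deleting on sight.

# scan ROOT "GLOB GLOB ..." REGEX: files matching any glob whose content matches REGEX.
scan() {
    set -f                                   # keep the globs from expanding against cwd
    for g in $2; do
        find "$1" -type f -name "$g" -exec grep -lE "$3" {} + 2>/dev/null || true
    done
    set +f
}

# find_webshells ROOT: files calling the functions webshells depend on, per language.
find_webshells() {
    {
        scan "$1" '*.php *.phtml *.php5 *.inc' \
            '(^|[^A-Za-z0-9_])(shell_exec|passthru|proc_open|popen|system|exec|eval|assert)[[:space:]]*\(|base64_decode[[:space:]]*\('
        scan "$1" '*.jsp *.jspx' 'Runtime\.getRuntime\(\)\.exec|ProcessBuilder'
        scan "$1" '*.asp *.aspx *.ashx' 'WScript\.Shell|Process\.Start|Execute\(|eval[[:space:]]*\('
        scan "$1" '*.py *.cgi' 'os\.system|os\.popen|subprocess\.|eval[[:space:]]*\('
    } | sort -u
}

# lock_webroot ROOT UPLOAD: chattr +i every file and directory under ROOT except the
# UPLOAD tree (pass it without a trailing slash). An immutable directory refuses new
# entries, so nothing can be dropped next to the real pages; the upload dir stays
# writable, so serve it noexec and keep scanning it with find_webshells.
lock_webroot() {
    find "$1" -path "$2" -prune -o -print | while read -r f; do
        if [ "${DRY_RUN:-0}" = 1 ]; then printf 'chattr +i %s\n' "$f"; else chattr +i "$f"; fi
    done
}

# make_sample_webroot DIR: constructed mini webroot with one clean page and two shells.
make_sample_webroot() {
    mkdir -p "$1/uploads" "$1/admin"
    printf '<?php echo "hello"; ?>\n' > "$1/index.php"
    printf '<?php system($_GET["c"]); ?>\n' > "$1/uploads/avatar.php"
    printf '<%% Runtime.getRuntime().exec(request.getParameter("c")); %%>\n' > "$1/admin/x.jsp"
}

# Demo: WEBROOT_DEMO=1 sh webroot.sh   Real use: find_webshells /var/www/html
if [ "${WEBROOT_DEMO:-0}" = 1 ]; then
    w=$(mktemp -d); make_sample_webroot "$w"
    find_webshells "$w"                       # prints admin/x.jsp and uploads/avatar.php
    DRY_RUN=1
    lock_webroot "$w" "$w/uploads"            # chattr lines for everything but uploads/
fi
```

`chattr +i` has to be undone (`chattr -i`) before you patch the site, and root can undo it too, so pair it with the log monitoring rather than treating it as a lock.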
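The session-kicking bullet and the "switch to monitoring logs" bullet together, as an added example (not code from the original notes). It assumes `who` prints its usual `user tty date time (host)` layout, that sshd logs to a syslog-style auth.log, that authorized users live in a one-per-line file, and `DRY_RUN=1` to print instead of kill; the `who` output and log lines it embeds are constructed samples.

```shell
#!/bin/sh
# Session + login monitoring (added example): spot sessions belonging to users you did
# not authorize, SIGHUP them, and pull accepted logins / failed-password bursts from auth.log.

# suspicious_sessions AUTHORIZED < who-output: "user tty host" for each session whose
# user is not on the authorized list (host is "local" for console logins).
suspicious_sessions() {
    awk -v listfile="$1" '
        BEGIN { while ((getline l < listfile) > 0) if (l !~ /^[[:space:]]*(#|$)/) ok[l] = 1 }
        NF >= 2 && !($1 in ok) {
            host = "local"
            if (match($0, /\([^)]*\)$/)) host = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, $2, host
        }'
}

# kick_session TTY (e.g. pts/1): SIGHUP every process on that terminal, then KILL
# whatever ignored the hang-up. Backgrounded nohup/tmux work survives, so also kill
# the user's other processes and rotate the credential they used.
kick_session() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'pkill -HUP -t %s\n' "$1"
    else
        pkill -HUP -t "$1"; sleep 2; pkill -KILL -t "$1" || true
    fi
}

# kick_unauthorized AUTHORIZED: run the two above against the live system.
kick_unauthorized() {
    who | suspicious_sessions "$1" | while read -r u t h; do kick_session "$t"; done
}

# ssh_logins LOG: "user ip" for every accepted sshd login, in log order.
ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") h = $(i+1) }
        print u, h }' "$1"
}

# failed_bursts LOG N: source IPs with at least N "Failed password" lines, "ip count".
failed_bursts() {
    awk -v n="$2" '/sshd\[[0-9]+\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
        END { for (ip in c) if (c[ip] >= n) print ip, c[ip] }' "$1" | sort
}

# make_samples DIR: constructed who output, authorized list and auth.log (not real data).
make_samples() {
    printf '%s\n' 'alice    pts/0        2024-03-02 10:11 (10.0.0.5)' \
                  'mallory  pts/1        2024-03-02 10:12 (203.0.113.9)' \
                  'bob      tty1         2024-03-02 09:50' > "$1/who.txt"
    printf '%s\n' alice bob > "$1/authorized"
    printf '%s\n' \
      'Mar  2 10:11:01 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:constructed' \
      'Mar  2 10:12:03 web1 sshd[1300]: Failed password for root from 203.0.113.9 port 40000 ssh2' \
      'Mar  2 10:12:05 web1 sshd[1301]: Failed password for root from 203.0.113.9 port 40001 ssh2' \
      'Mar  2 10:12:07 web1 sshd[1302]: Failed password for admin from 203.0.113.9 port 40002 ssh2' \
      'Mar  2 10:12:20 web1 sshd[1320]: Accepted password for mallory from 203.0.113.9 port 40010 ssh2' \
      'Mar  2 10:13:00 web1 sshd[1340]: Failed password for bob from 10.0.0.7 port 50000 ssh2' > "$1/auth.log"
}

# Demo: SESSION_DEMO=1 sh sessions.sh   Real use: watch -n 30 'who | sh -c ". ./sessions.sh; suspicious_sessions authorized.txt"'
if [ "${SESSION_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d); make_samples "$d"
    suspicious_sessions "$d/authorized" < "$d/who.txt"     # mallory pts/1 203.0.113.9
    ssh_logins "$d/auth.log"
    failed_bursts "$d/auth.log" 3                          # 203.0.113.9 3
fi
```

Three failed passwords followed by an accepted password from the same address is the pattern worth paging on; the burst count and the login list together make that visible without grepping by hand.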