Saturday, February 1, 2014

Intro to Attacker Methodology

Attacker Methodology

A co-worker and I recently had the opportunity to go work with some of the aspiring infosec gurus at UW this week and so I'm putting all 3 parts of the lecture that we gave here online... so ... let's get started with some basic adversary methodology...

Background / assumptions: 

This is probably useful if you've never defended or broken into a network on your own before. The goal is that this is a primer to understanding malware, understanding what attackers are after and what they need to do with malware should help towards that overall level of understanding.

Attack Phases

Here are the basic phases of an attack, all of which are important in the real world:

Facebook recent RCE
  • Initial Access
  • PrivEsc (Local)
  • Lateral Movement
  • PrivEsc (Network)
  • Persistence
  • Entrenchment

Competition networks

For working in a "game" network you'll only really need to worry about the following attacker phases (but I'd advise reading this whole thing - you can skip the rest of it if you're more TL/DR):

  • Lateral Movement
  • Persistence
  • Entrenchment
I wouldn't really worry beyond that scope in a game because there are almost always rules which allow for the Red Team to pre-compromise the network or you'll have to deal with a network that's riddled with semi-rediculous vulns like MS08-067, RPC-DCOM, or stuff that fits into the category of "easily remotely exploited with default Metasploit".


Starting access level: No internal access to the network
End Goal: Targeting / Attack strategy and outline of network resources, identities, etc.
Attacker Steps: Use open and public resources to build out a picture of the target
  • Open Source Intelligence (OSINT)
  • Focus on identities (people), technology and the context and connections between them 
  • Connections
    • Connections are what ties the individuals and technologies together
      • Ex: The organization is hiring for a DBA position so the posting can be analyzed to find out more about the IT support group structure (other individuals) and the technology (type(s) of databases and web servers that are in the network
    • Groups, networks, organizations
  • Context
    • Context refers to the roles and responsibilities of the identities/people that are targets are
  • Technology
    • OSINT will should provide a background of what's in a target network and a start at how it's all connected together.

OSINT - in context - Phishing

  • A commonly used tactic is for attackers to try to get their hands on screenshots or snapshots of internal email or websites to build higher quality phishing or other social engineering content.

For more information on OSINT see:

Initial Access

Starting access level: No internal access
End Goal: Initial access in the network (running arbitrary code in the network)
Attacker Steps: Leverage OSINT information to target and gain access to the network
  • Social Engineering
    • TL/DR this is where you get people to do things that they probably shouldn't to get easy access to the network. This spans everything from getting users to give personal information to login information to just directly downloading and executing binaries
  • Targeted Attacks
    • While completely overused in industry, "targeted" means that the content of the attack is crafted for the target, this means a phishing, spearphishing, whaling, etc, piece of content mean to appear especially enticing or valid to the target
    • Really this is just about all attacks except for broadly used Exploit Kits (EK's) when used by bot herders
  • Remote Code Execution
    • Remote Code Execution vulnerabilities come in two main flavors:
      • Server-Side RCE
        • The old-school flavor (MS08-067, RPC-DCOM, etc) are mostly short-lived software vulnerabilities that crop up in environments that don't have good compliance / patch management and/or 3rd parties running remotely accessible services for a company
        • The slightly less old-school flavor are web-based vulnerabilities 
        • The newer vulnerabilities are those that result in code execution directly on the server through the service endpoint / exposed API surface. This would 
      • Client-Side RCE
        • These are vulnerabilities accessible either through a document format (usually delivered via email) or through a user agent
        • Attacks right now seem pretty fixated on 3rd party browser plugins, especially Oracle Java

For more information see:

Social Engineering

Web Vulnerabilities (RCE)

Server-Side Code Execution Bugs (new-school)

Client-Side RCE Bugs


  1. Thanks for sharing an informative blog keep rocking bring more details.I like the helpful info you provide in your articles. I’ll bookmark your weblog and check again here regularly. I am quite sure I will learn much new stuff right here! Good luck for the next!
    mobile application development training online
    mobile app development course
    mobile application development course
    learn mobile application development
    mobile app development training
    app development training
    mobile application development training
    mobile app development course online
    online mobile application development

  2. I had an old hard drive with Bitcoin on it that I mined months ago. Unfortunately, when I tried to get it up and running again, the data was corrupted. Support @ hacker4wise com helped me to recover the Bitcoin I had in it even after I thought it was all gone. My old investment paid off big time and I was able to reap the rewards thanks to this recovery agency.

  3. Emperor Casino - Shootercasino
    Get your VIP rewards at the Emperor Casino! Play Slots, 제왕카지노 Blackjack, Roulette, Video Poker and more at 제왕카지노 the 카지노사이트 best online casino. T&C Apply.

  4. Hotspot Shield Crack 11.3.1 Keygen 2022 is the best software tool. That helps you to hide your IP address from others. Hotspot Shield Crack

  5. Mixed In Key Full Crack Crack is a significant and useful device. You can, without much of a stretch, make radio and club programs. Mixed In Key Download

  6. The Rich Palms casino has a wide selection|a wide variety} of slot machines that should please every typical participant. We found a number of} table games like blackjack, poker, bingo, and European roulette. Besides, there's a separate stay casino part where have the ability to|you probably can} wager on European 1xbet roulette and blackjack. Sadly, is not a|there isn't any} sports betting obtainable at Wild Casino, so if that’s what may be} after, a glance at|try} some of our high picks. PlayOJO is a wealthy South African on-line casino in terms of|when it comes to|by method of} game selection and bonuses. It’s good for gamers looking to get incentives they can really profit from the explanation that} web site doesn’t have wagering necessities.

  7. In this text, we’ll share the highest four greatest casino video games to play so have the ability to|you probably can} beat the odds and win big. Plus, we’ll additionally tell you the video games with the worst odds 1xbet korea so you could have} the next chance of keeping your money. You’ll receive random playing cards, but {the way|the greatest way|the way in which} you play these playing cards will decide whether or not you win or not. This is why it is necessary to develop some poker skills earlier than you start enjoying in} it. It will assist to enhance your odds and improve your chances of winning.

  8. You are betting that the next number to 1xbet return up is a purple. If the next number landed is purple, could be} paid 1 to 1, and even money. High curler tables are tempting, however your probabilities of really profitable shall be higher should you play extra at tables with decrease limits. The resort attracted the richest and most esteemed Europeans and reintroduced them to the sport of roulette.

  9. I’m not a review type normally. but I saw a review on a website days back about a professional hacker UrbanGhost i wrote to him via urbanghosthacker at gm ail c om that he is the best to help you out on all social media hacking related jobs and monitoring services , I decided to give it a try , life itself is all about risk anyways but I’d definitely say it’s damn worth it