Name                              Modified     Size      Downloads / Week
OneLiners                         2014-01-17
XML                               2014-01-17
GPOs                              2014-01-17
README                            2014-12-23   2.3 kB
MaliciousDocumentsAnswerKey.pdf   2014-12-23   1.1 MB
MaliciousDocumentsLab.pdf         2014-12-23   43.5 kB
RaisingCostsShmooCon.pdf          2014-01-19   15.3 MB
Totals: 7 Items                                16.4 MB   0
All policies and scripts are provided as is.  I take no responsibility for any issues that may arise from their use.  Please test policies thoroughly in a non-production environment before applying them to production.

MaliciousDocumentsLab.pdf contains walkthroughs intended to show defenders how malicious Office documents can be created, and challenges defenders to block those documents using simple configuration changes.  MaliciousDocumentsAnswerKey.pdf contains sample solutions.  These were created for a class project and follow the format of that class's other assignments.

Here are links for presentations/papers referenced during our presentation.

Microsoft's AppLocker Design Guide - http://download.microsoft.com/download/B/F/0/BF0FC8F8-178E-4866-BBC3-178884A09E18/AppLocker-Design-Guide.pdf - Provides a great overview of how AppLocker works and how to deploy it.  Note: this is not the quick-and-dirty way we described.

NCC Group AppLocker Bypass - http://www.nccgroup.com/media/481134/2013-12-04_-_ncc_-_technical_paper_-_bypassing_windows_applocker-2.pdf - Presents a method of bypassing AppLocker that exploits a time-of-check/time-of-use (TOCTOU) race condition.


The following videos highlight the use of regular Windows functions for offensive purposes.  They inspired many of the exception/deny AppLocker rules and the PowerShell firewall rule we presented:

AT is the new Black - http://www.irongeek.com/i.php?page=videos/derbycon3/2105-windows-attacks-at-is-the-new-black-rob-fuller-and-chris-gates - Rob Fuller and Chris Gates

Encyclopaedia Of Windows Privilege Escalation - http://www.youtube.com/watch?v=kMG8IsCohHA - Brett Moore

Living Off the Land - http://www.irongeek.com/i.php?page=videos/derbycon3/1209-living-off-the-land-a-minimalist-s-guide-to-windows-post-exploitation-christopher-campbell-matthew-graeber - Christopher Campbell and Matthew Graeber

Windows 0wn3d by default - http://www.irongeek.com/i.php?page=videos/derbycon3/4206-windows-0wn3d-by-default-mark-baggett - Mark Baggett


Finally, this is one of my favorite sources for malware RE write-ups.  It provides great insight into infection vectors and artifacts from both common and advanced malware:

AlienVault Labs' Blog - http://www.alienvault.com/open-threat-exchange/blog
Source: README, updated 2014-12-23