Authors: Alissa Torres
DFRWS USA 2019
Wednesday, July 17, 2019 13:00 – 17:00
Purple Teaming incorporates blue team “monitor, detect and respond” capabilities with the red team “surveil and assault” strategies to support one key mission: To improve the organization’s security posture. To test threat detection and response capabilities, red teams are charged with simulating real-world threats – the more realistic the better!
Today’s adversaries are making use of “Live Off the Land” strategies, repurposing native Windows binaries to achieve strategic goals such as privilege escalation, lateral movement, persistence and C2 communication. Not only do these strategies allow attackers to evade AV & EDR detection, but Blue teams often have poor concept of baselining for usage of these native Windows binaries within their own environment.
This 4-hour training session will provide the full purple teaming experience, with walk-throughs of LOLBin attacks to achieve “actions on objective”, ensuring survivability through persistence and remote execution for lateral movement. Attendees will also perform live triage and memory analysis on affected targets to detect indications of LOLBin abuse. Key takeaways will include enterprise-scaled detection and mitigation strategies to prevent future LOLBin abuse in your own environment. Join incident response analyst and SANS Instructor Alissa Torres for exposure to some of these sneaky LOLBin and LOLScript techniques and how they can best be employed in a purple team collaboration.
*Huge kudos to github.com/LOLBAS-Project/LOLBAS
Alissa Torres is a Principal SANS instructor specializing in advanced digital forensics and incident response (DFIR). Alissa was recognized by SC Magazine as one of its “2016 Women to Watch.” and a recipient of the Enfuse 2018 Difference Makers Award for her efforts in educational outreach. She has more than 15 years of experience in computer and network security that spans government, academic and corporate environments. Her current role as Founder and Senior Consultant at Sibertor Forensics, a security operations and incident response consulting company, provides daily challenges in the trenches and demands constant technical growth. Alissa is a frequent presenter at industry conferences (RSA, BSides, Shmoocon, Enfuse) and has taught hundreds of security professionals over the last 5 years in more than 12 countries. As the lead author of the SANS FOR526 Advanced Memory Forensics and Threat Detection course, she is passionate about memory management and forensic artifact hunting.
Attendees must bring a laptop running Win 7-10, MacOS Mavericks+ or Linux-based distro, depending. Wireless network adapter required. 8+ GB of RAM recommended. For troubleshooting reasons, please ensure you have local administrator privileges to your laptop. Most hands-on will be conducted in an externally-hosted virtualized environment. An up-to-date version of MS Edge, Chrome or Firefox is required.