This presentation focuses on free/cheap tools you can use to better defend your network and Active Directory environment.

2. BlueTeamonaBudget:
Defendingyournetworkwithfreetools

3. Agenda
• Who’s this guy?
• Inspiration for this talk (spoiler: it was rage)
• My first breach response (a tale of tears and fears)
• Lets do some blue teaming on a budget!

4. Who’s this guy?
• Security engineer for 7 Minute Security
• Podcaster (in 7-minute chunks!)
• Neither of these Brian Johnsons
• Super tiny movie star

7. Why this talk?
• I don’t like when vendors spew FUD (fear/uncertainty/doubt)
• I don’t like when vendors are condescending

8. My first breach response:
A personal tale of tears and fears

12. Application log

13. System log

14. Security log

15. Firewall log

17. To make matters worse…
• Spotty AV deployment
• Cringe-worthy patching
• No centralized logging/alerting
• Weak password policy:

18. Verdict?
“Burn and rebuild”

19. How do we NOT suffer the same fate?
Lets defend our network with free stuff!

21. He’s back!

22. I GotWorms!

26. Anatomy of an attack:
Password spraying

27. 1. Try “Winter2017!” for all domain users
2. Wait 30-60 minutes
3. Try another weak password
(“Spring2018!”)
4. Rinse and repeat

29. Why isWinter2017! a bad password?
It is and it isn’t…

30. Defending against
password spraying

31. Up the policy requirements?
• Microsoft recommends minimum password length: 14

32. Up the policy requirements?
• Microsoft recommends minimum password length: 14
• “Wait…won’t people just use “WinterWinter2017!” - ?

33. A sweet suite of tools to help you up
boost your network defenses!
My favorite feature?
A better password filter!
CredDefense

34. Setting your Active Directory password
Lloyd Domain controller
“Hi, I’d like to change my
password to Winter2017!”
“Sure one sec, let me check the password requirements!”

35. Setting your Active Directory password
Domain controller
“Winter2017! fits the bill! Password changed!”
Lloyd

36. Setting your Active Directory password
Domain controller
“Hi, I’d like to change my
password to Winter2017!”
“Sure one sec, let me check the password requirements!”
+
Lloyd

37. Setting your Active Directory password
Domain controller
“Winter2017! fits the bill!
Buuuuuut I need to check one other source, one moment
please…”
+
Lloyd

38. Setting your Active Directory password
Domain controller
+
“Wait a sec!Your
password contains a
word on my no-no list!”
Lloyd

39. Setting your Active Directory password
Domain controller
“Sorry Lloyd, please try a better password.”
+
Lloyd
“I wonder who else in my company has picked
bad passwords!”

40. Auditing Active Directory passwords

41. Auditing Active Directory passwords

42. Anatomy of an attack:
“Responder”

43. “Responder” attacks
(The user meant to type igw-srv01)

44. “Responder” attacks
Lloyd’s PC
“Hey, do you know a machine called IGW-SRVV01?”
DNS server
“Sorry, I haven’t heard of it.”
“Aaaaaaaaaaaaanybody else?”
Bad guy
“Yes!That’s me! Send credentials!”
“You got it! Here it comes!”

45. “Responder” attacks

46. “Responder” attacks

47. Defending against
“Responder” attacks

48. Defending against “Responder” attacks

49. Defending against “Responder” attacks

50. Defending against “Responder” attacks

51. Defending against “Responder” attacks

52. Anatomy of an attack:
Lateral movement via local admin

53. Lateral movement

54. Lateral movement

55. Lateral movement
Lloyd’s PC
Harry’s PC
Mary’s PC
File server
Database server
Email server
P@ssword1

56. Defending against
local admin lateral movement

57. Local Administrator Password Solution
• Strengthens and randomizes local
Administrator passwords per machine
• Free (!) from Microsoft
• Creds are stored securely in Active Directory
• A “set it and forget it” solution

58. Local Administrator Password Solution
Requirements:
• A few GPOs to push LAPS install
• A workstation to manage passwords from

59. Local Administrator Password Solution

60. Local Administrator Password Solution

61. Lateral movement? Nope!
Lloyd’s PC
Nope!
Harry’s PC
Nope!
Mary’s PC
Nope!
File server
Nope!
Database server
Nope!
Email server
Nope!
P@ssword1

62. WEFFLES are delicious!
(Windows Event Logging Forensic
Logging Enhancement Services)
Not this!

64. WEFFLES
Lloyd’s PC
Harry’s PC
Mary’s PC
File server
Database server
Email server
WEFFLES

65. WEFFLES – signs of compromise
Event 1102:
“Somebody cleared
the security log!”

66. WEFFLES – signs of compromise
Event 4720:
“New user accounts
created”

67. WEFFLES – signs of compromise
Event 4720:
“New user accounts
created”

68. Set a trap with a canary

70. Setting traps with canaries

71. Setting traps with canaries

72. Setting traps with canaries

73. Setting traps with canaries

74. Setting traps with canaries

75. Scan all the things!

76. Vulnerability scanning
Remember Eternal Blue?
• Exploit developed by NSA
• Leaked in April, 2017
• Takes advantage of weaknesses in SMB protocol
• Is still unpatched in many orgs
• Easy to exploit

77. Vulnerability scanning

78. Vulnerability scanning
• Not free but relatively cheap (~$2k)
• Identifies missing patches and misconfigurations
• Easily schedule scans w/email alerts on critical items

79. Vulnerability scanning
Reporting is a little….yawn

80. Vulnerability scanning
• Cheap! ($65)
• Makes pretty pictures from data
+

81. Vulnerability scanning
+

82. Vulnerability scanning
+

83. Vulnerability scanning
+

84. Vulnerability scanning
+

85. Recap
• Use good passwords – on domain and local accounts
• CredDefense and LAPS can help!
• Not collecting event logs? Start for free w/WEFFLES!
• Be aware of “responder” attacks
• Scan and patch all your network things!

86. Questions?

87. Thank you!
@7MinSec
brian@7MinSec.com
www.7ms.us
(podcast)