
Thanks, Cat. Thanks, Cat, nice words. And I'll remind you the talk was inspired by your talk at P Buffalo last year, so if it doesn't go right, it's your fault. So welcome to "Please Waste My Time." As G mentioned, there's two of us: you've got me, Q, and you've got Corey in here. We're both from Blue Bastion, a small security company. I come from a risk management and pentesting background; I used to run a pentest team over at Siga, as a hyra processor before then, and I did quite a bit of teaching. In fact, we taught a small class yesterday on pentesting. A lot of my focus
lately has been on offensive security. I've been running a pentest team at Blue Bastion, and we're seeing a lot of clients that have gone from getting DA in 10 minutes to getting domain admin in 3 weeks. That extension of time, part of that has to do with them wasting our time, so this is going to be a fun talk to kind of share some of those stories that came through that. So yeah, that's me. And I, as any hacker would, have impostor syndrome.

I'm Corey. So I have a bit of a different background: I started off in incident response, mons, and forensics. I did do some offensive security work. You'll see alpacas up there because
yes, I actually do have alpacas, it's real, but it's become fun now. So anyways, I also work at Blue Bastion, obviously. I run our incident response, our security engineering, and our managed detection and response team. So from my side of the fence, I tackle a lot of the blue side, so that's probably what you'll hear mostly from me, maybe some jokes. And I'm also an aspiring DevOps person, 'cause automation's key. And yeah, those areas, not L key, key distinct [Laughter] difference.

So why are we doing this talk? Why do you want us to waste our time? There's quite a few different reasons for it. For me, as a pentester, as I'm
performing pentests against our clients, I would find a Server 2003 open to the internet with SMB, and I get all excited. I started messing around with it. After two hours I called Corey: "Hey Corey, what's your team doing? Is this a honeypot?" Q always says that too excitedly, by the way. And it was a honeypot. After two hours of me trying to mess around with that Server 2003 box, I find out it was a honeypot; they already got me. So that helps with the early detection and response. Here I am thinking I've got something really cool, I get all excited. A lot of the hackers nowadays, a lot of
the attacks you're seeing are automated tools, so what you end up seeing from them is they're not doing that human intuition in there. They see something malicious, something vulnerable, the HTTP header, the version of a software that may be vulnerable, and they go off that automatically. On the other end, the defenders are able to use some of these techniques we're going to talk about to detect; you can exhaust some resources. One of my favorite reasons for some of these things in this talk is, if you're an aspiring SOC analyst or you want to be a penetration tester, why don't you put something vulnerable up as a
honeypot and watch what people do with it? Learn by watching, alert by watching; I haven't had enough coffee yet. What are others doing with that vulnerable piece of software? Then there's misinformation, threat intelligence, which Corey does a lot of that fun stuff. Absolutely. So from a threat intel perspective, there's so much that you can do there, right? Yeah, I mean, I think Ronnie was writing something up recently with Green; he was giving a talk to our team on that, on an Exchange server that was being attacked. It wasn't an Exchange server, it was a Linux box with Exchange Server headers, and he spun that up, watched
attacks happen against that, and presented that to the team.

What I do want to emphasize, we want to emphasize: this talk is not for... well, it could be used in those environments, but we are not assuming the most hardened environments. We're assuming your normal, your common environment we see in our pentesting, in our defending world. So there may be some things in here that you've already patched, and that's great; you can still make use of some of the techniques we talk about. But we are not talking about something that, you know, if you've already spent a lot of work and you see some of the things we're going to talk about, you may feel that that's
already covered in your environment, and that's great. There's going to be some really stupid, and I want to emphasize that technical word, really stupid Active Directory configurations we're going to talk about. If you have some of those, let's talk, because there are some things you can get rid of in any environment to make it difficult for us pentesters. And those are some of the steps. Anything else? Okay.

Before we get into the deception techniques, that's what we're talking about, I'm going to talk about, based on the time it is, how do you deploy practical deception techniques to slow down the attacker. Before I get to those deception techniques, before Corey talks about that, what I want to jump into and talk about
is why you need it. A lot of enterprise environments today have so much technical debt, and Windows makes it so much more difficult; so much more work has to be put in to make the environments more secure, hardened, resistant and resilient to attacks. I want to talk about some of those things in here, set that stage, set that prerequisite before we jump into the actual deception techniques. And I like to call it "feature or vulnerability," 'cause some of you were in my class yesterday; you saw we exploit features, and often the line between the feature and the vulnerability in AD is very blurry.

My most favorite one, and the one
we often exploit and turns into an actual domain admin, and I misspelled "HR Share" in there, but that's fine, we'll pretend it didn't happen: broadcast/multicast name resolution. We used to laugh at this 10 years ago as an interview question, and it still is something that we use as a means to domain admin in AD environments. And this is happening over Linux and Mac also, but we'll specifically talk about AD, about Windows. You are not just asking the DNS server, "Hey, do you know where this thing is? Do you know where HR Share is, where the file share is, where google.com is?" You're asking everyone in the network. That is what's happening over
NetBIOS Name Service protocol, NBNS; that's happening over multicast DNS, mDNS; and another multicast called LLMNR. The crappy part about this is, by default Windows has a group policy setting, smart multi-homed name resolution, that's turned on. That means if you're connected to a VPN, that name resolution is also going over that VPN adapter to that VPN network, so that's something to keep in mind. As you are browsing the internet or just doing your daily work, the first thing your computer is going to do is reach out to everybody in the network and try to find these names, and that deprives you of... and as a result of that, what you get
is a NetNTLM hash. So there's a handshake that happens, and that handshake is NTLM or NetNTLM, and we as attackers love that, because I can just pretend to be... I can be the first one to respond and say, "I'm the HR share," and I've got the hashes. I can do quite a bit of fun stuff with that. So DNS is not the only thing being used for name resolution. This is what it looks like: you've got somebody looking for HR Share on one end that may or may not exist; it does not matter. If I am the first one to respond, with Responder, or you could use, there's quite a few different tools you
can use; on Windows there's Inveigh. But if I'm the first one to respond to that NBNS, LLMNR, or mDNS request, I end up getting that user's hashes. Does not matter how strong their password is, 'cause I can use those hashes, and I'll talk about that in a minute. And this is not the user's fault; the user did not say "send my hashes over," the system is doing that in the back end.

Another fun way to get these hashes: it was Friday, 4:00 p.m. We had been on an engagement for about 3 weeks at that point and we only had one hour left. We had only obtained a domain user's credential, there's nothing else, and we wanted to go out with a
bang. And we remembered the point of contact had said, "Do whatever you can, just don't take something down, and do not use the $5 wrench attack." Okay. So we reached out to them; we said, "Hey," in our daily status email, "we haven't really gotten anywhere, but we're trying one last thing, hopefully that works out." In that email we had a tracking pixel. So you might recall tracking pixels are used by marketing teams in the marketing emails, and that's how they know you opened the email, because the tracking pixel is loaded over HTTP or HTTPS from their web server. What if you use a UNC path pointing to your Kali Linux box listening with
Responder? If Outlook can reach that IP, it will send over NetNTLM hashes. So through that status email, letting the point of contact know "hey, we couldn't get anywhere but we're trying," we got that point of contact's NetNTLM hashes. They were the CIO of the company, so they were domain admin, and that was a fun day. He loved it. He loved it. Dirty, dirty red team tricks. I think you can't say "dirty" and "red team," 'cause it's the same thing; it's like saying "chai tea." I'm talking to you, Starbucks.

So we got those hashes; a few different ways you can get them. What do you do with
them? Well, you could crack the hash, but imagine you've got a strong password, you've got a 24-character minimum password length requirement. What we can do is called an SMB relay attack, where I take the hashes that I obtained in Responder and I just spray them over to everybody else in the environment. It's like I stole your badge and walked over to everyone else, or every door, and unlocked that as you. That's called a relay attack. Basically, if the servers and workstations are not requiring SMB signing, they don't use digital signatures to verify there is authenticity, there is integrity in that communication; I can just steal a hash and just start talking to everybody else as you. So when we start our pentest, we
generally set up a pipeline: Responder listens for hashes, it solicits those hashes, and then hands them over to ntlmrelayx, which takes them and just goes to every other server in the environment. So when we got the hash from our domain admin in here, he had a really strong password; I believe his password was 32 characters, randomly generated, but that didn't matter. They lacked SMB signing, so we just sprayed it across the environment and we got DA. SOC must have been lighting up at that point. Oh yeah. So this is what that relay looks like. On the top, this is just an example: we got a hash from FileMaker; FileMaker was a user on 1.3, this is just
the lab environment. Took that hash and then logged on to 1.4 and dumped SAM, dumped the local NTLM hashes. So it's ntlmrelayx running, just taking the hashes and spraying to anybody and everybody who does not have SMB signing required, and that is a pretty easy, fun attack to get DA.

This is another one of my favorites; this is called Kerberoasting. If you go to a county fair or a state fair, you have to get an admission ticket to be allowed to be on the grounds, to be authenticated. In the Kerberos world, that's called a ticket-granting ticket. You've got a ticket that you can use to authenticate to the environment. You then
present that ticket and you say, "Hey, here's some money, I want some funnel cake," or "I want a ticket for the Ferris wheel," "I want a ticket for something else." That in the Kerberos world will be the ticket-granting service ticket. So you present your TGT in the morning and you say, "I want a TGS, ticket-granting service ticket, for MSSQL, for LDAP, for file shares," whatever you might want. That service ticket is encrypted with the service account's hash. What ends up happening is, and what I mean by service account is any account with a service principal name: if you install MSSQL Server, by default the account that installed it will have an SPN set. This
is how I see a lot of domain administrator accounts with SPNs. If you spin up any service and you add a service principal name to your account, your account just became a service account. So any domain user, doesn't matter their privilege, they just have to be an authenticated domain user, they can request a service ticket, and that service ticket, because it's encrypted with your hash, they can crack it offline. It doesn't matter if it takes me a month or six months to crack it; how often are you changing service account passwords? So that attack is called Kerberoasting. The moment we get domain privileges, we just Kerberoast any service account. We go to the AD and say,
"Hey, for every service account you have, give me the service ticket," and I'll take it offline. I'll go back to the office, I'll start cracking it, come back after 6 months, and I've got DA.

Once we start dumping some hashes, we just spray them across the board. This is a pass-the-hash attack. This is definitely going to light up the SOC; the team hates me when I do that. Basically, if I'm doing a pentest and I'm not trying to be stealthy, once I obtain a hash I'm going across the environment; I'm going to spray it everywhere and anywhere possible. In the Windows world, you can pass the hash; this is also using NetNTLM in the back end.
You can pass the hash for the local admin account, RID 500, and any domain user, domain admin account. If you're using the same password for local admin, the hash is always going to be the same, because there is no salting. Okay, it's not that salting wasn't invented back then, it's just somebody made a decision. And that pass-the-hash attack, because you're using the same password everywhere for local admin, we end up getting some more local admin.

Pass-the-ticket is using Kerberos tickets. Earlier I told you the ticket-granting ticket, TGT, is what authenticates you to the environment; you present that ticket to request service tickets for MSSQL, for file shares, whatever it might be, to be able
to talk to those services. That ticket-granting ticket is stored in LSASS memory, so if I have local admin I can pull the TGT for any user on that box. One of the very common ways we get DA is a domain admin was logged on to somebody's workstation: help desk has DA, help desk logged on to somebody's box to install a printer, and that was enough to have their ticket be sitting in the memory of that box for 7 to 10 hours, and we just pulled it. Okay, and now we can just reuse that ticket, either on the same box or somewhere else, and we can start pretending to be that
user. This one you can see on the left: the start time was on the 17th at 10:00 a.m.; it will end at 8:00 p.m. that day, but that ticket can be renewed till the 24th, so plenty of time on that. For the record, I don't know if I hate Q whenever that happens; I kind of love it, because we get really good alerts from that, so we know they're in there. You know you don't hate me. I definitely don't. Yeah, it's okay, it's okay. I'm not going to buy you breakfast. I'll take my $5 after this. So the pass-the-ticket attack, this is continuing to be a very useful means to escalate privileges,
because we have so many domain admins in organization environments. Everybody who needs any sort of access to troubleshoot things, anybody in the help desk, gets domain admin, and they're logging on to just random workstations, logging on to Joe's workstation at the front desk to install a printer, to install any application, and leaving their tickets, leaving their credentials in memory. Now that's something to keep an eye on; try to reduce that.

Anybody here know BloodHound? We've got quite a few of you, excellent. If you don't know BloodHound, you should learn BloodHound. As sysadmins, as blue teamers, BloodHound is a really useful tool; it will map out the paths to escalation. For example, in one of the
client environments we found all the domain users had local admin on this one box, and that box happened to have a domain admin logged on; that was an easy escalation. Another one: we found that the domain users were provided write privileges to the Default Domain Controllers Group Policy, so we just modified the group policy applied to domain controllers and got DA. BloodHound can help you find that kind of stuff.

Oh, this is my favorite: passwords stored in text files, although mostly I like the OneNote notebooks with IT diagrams, with IT documentation and notes and passwords. Your documentation and passwords should not live in the same place. Your onboarding documentation for
an intern should not be in the same place where your domain admin's password is, and your password should always be in an encrypted format. Except I once found a KeePass database, password manager, in a file share that was encrypted, so great, but the password.txt for it was sitting right next to it. Now, it was an IT share, so the installer for KeePass was also sitting next to it. So that was a fun day. So I just talked about all these crazy things that we do to gain access, that make it difficult to secure the enterprise environments. I'm going to hand it over to Corey, because after we destroy stuff, him and his team have to
defend it. Well, some of this you can't defend against; some of this, passwords in shares, there's no defense.

So, honey users. There's a lot of different techniques and ways to do this; there's a lot of different ways to detect this. We're just going to give out a few here, right? So, a real user. There's a lot of debate back and forth about this; Q and I have had a lot of debating back and forth about this: using a real user, using a fake user. There's a couple things you can do here, but one of them is to create an actual real user, real password, not a fake password, not an easy password
like "Password1!". Never use that, because people like Q will actually get in and realize that that's a honey user, or as they're starting to crack hashes they'll realize, "Wow, that one was too easy. I'm not going to use that DA account, I'm going to use a different DA account," and therefore your detections are kind of useless. Or, if you take all of these tactics and techniques that Q has talked about earlier and you start to input some hardening into your environment, or you are already pre-hardened, some of these things may not exist, so this may be the only account, or one of the few
accounts, that running BloodHound, for example, will give a privilege escalation tactic to the attacker. So you've limited and reduced their options, so you're increasing your likelihood of them actually using your honey user. So a couple pieces before we dig into it. The other thing is you want to use this account; you don't want to leave it just sitting out there unused for 9 years. You want to reset the password to it. You want this to look real, because it is real. If it's being actively logged in with, if the passwords are reset in the same fashion that your other user accounts are reset, it is a legit-looking account to people. So running scheduled
tasks, doing whatever to log in with it, or even logging in with it interactively. Then from there, what do you do with this honey account, right? So now you have this legit account out there that you're expecting to be compromised. Well, now you have to figure out what you need to do with it. If you have a SIEM, for example, maybe you set up critical alerts inside of that SIEM that say, "Hey, any time this user account logs in, we need a critical alert of it right now, and everybody's hands on deck," right? And we deep dive into the machine that it logged into, we quarantine it, we whatever; we know we have an active compromise,
right? And that could be a very early indication.

One thing I'll point out: whenever we are doing red team exercises and we have some sort of inclination the client is using honeypots, we're going to be looking at two properties. One: when did the account last log on? So as Corey talked about, have it log on periodically; any domain user in the environment can see that for any other user, when did this account last log on. Second thing: when was the password last set? If your organization sets passwords, changes them every 90 days, but this one, the last time the password was set was 7 years ago and it's not a service account, it's a
honeypot.

So the next one is a honey SPN account, right? Again, very similar to what I just talked about: you want to create a real user or a real service account with a real SPN on it. Use AES and RC4 if you want to; if you want to get fancy, or if you have RC4 removed from your environment, maybe you don't make an RC4, you only make an AES. Give the honey user a real SPN; make it look legit. Maybe call it "generator3," maybe call it something that sounds legitimate to your environment but doesn't give away the fact that it's, you know... if you make it "fakeSPNaccount" or "honeyuser" or "honey
SPN," these tactics are going to fall through the floor also. So running a scheduled task on the DC to find those event IDs with that specific failure code; the alternative to that, obviously that'd take a lot of manual intervention and you'd have to set up an alert for that. You again have a SIEM or something that's pulling logs like that; you could also set that up as a critical alert for this account. So again, what you want to do is layer this in there into whatever your current security stack is and be monitoring for this activity. You don't want to just set these things up and let them out there; they actually get taken advantage of by
a real threat actor and you get screwed by your honey account. That's the last thing you want to do here. Oh, last thing: make the password long and difficult. Again, same principle: you do not want to make this so easy. Again, Q, he's like, "Wow, that was too easy, I'm passing on this one, let's see if we..." You know, that was easy. Absolutely. Now, one more thing I want to point out on that, sorry I keep jumping in. One of the reasons I would suggest making that password a bit longer: now, don't make it impossible, don't have a randomly generated one; have like a passphrase that could be guessed,
maybe make it about 14 characters long. On a typical gaming laptop it will take me at least a day to crack that. Now, the reason for that, for me, is now I was waiting a whole day for that thing to crack. Us pentesters, yeah, we do multitask, but if I'm waiting on a hash to crack for a service account that looks very juicy, that's where my attention is going to be for the most part. You just made me wait a whole day for a hash to crack that I think is going to be useful. Bonus points if anybody knows what the time clock is from; tossing that out there.

Honey NBNS, LLMNR and multicast DNS requests. So
you see it up there, NetBait. So there's a few ways you could do this. If you want to build it yourself, you can use something like NetBait, but what the point of this exercise is, is to blast your network with fake requests, fake NetBIOS requests, fake LLMNR requests; blast and spray hashes out across your network. Again, same thing with these hashes: you have to be monitoring for their utilization across your network. But what you're doing here is, and again, even if you're going through, you know, cleaning up your network, disabling NetBIOS, disabling all of the LLMNR requests and the multicast DNS requests, what you want to do is still layer these in there, right?
So you start making all of these broadcast requests out to the network. Let's say NetBIOS: somebody drops in Inveigh, I'm just going to pick on that, somebody drops Inveigh in the network. All of a sudden you start getting responses to a request that you do not expect, and using again something like NetBait, you can now see that; you'll generate a log, and you want to be monitoring for that, because you know that machine should never get a response to the things that you're pushing out those broadcasts for. And make it real-looking, not a randomly generated name; the name should be similar to some of your other servers in the environment, some of your other
machines. When we wrote Inveigh, one of the other things we added to that was "spew credentials." You can also use this to write the attacker's story, their path. Once they do respond to it, they will get some hashes that they can start cracking or using, and you can make that an actual account with a difficult password, or you can just make an account that doesn't exist. I've been caught a couple times this way by clients, and it's always a fun thing to talk about afterwards, because when you run Responder or Inveigh, by default they're not picking and choosing what they'll respond to. It's a race condition: first thing I'm going to see, I'm going to respond
to. When we are doing stealthy red team exercises, we're first running Responder in analyze mode to see what's in the environment and pick out any honeypots, and then we can specifically respond to individual things. For the most part we're just running Responder to see the first thing that comes up and pop that, but we might get caught that way. And you're probably starting to see how some of these melt together: your honey user, your honey requests, tying all of that together into a more unified front. And apologies to anybody who doesn't like honey; I love honey.

Canary tokens. I think a lot of people have probably talked about canary tokens, maybe even
ad nauseam, but obviously this is a great addition inside of here, right? So having PDFs, having honey websites, having honey whatever in your network. So for example, going back to what Q was talking about, maybe you have passwords in a share; well, maybe you don't. Well, let's add some canary tokens or a canary PDF out there that's monitoring for that. The key to all of this is having that monitoring piece; I can't stress that enough. I've actually been on incidents where honey accounts and honey things were taken advantage of weeks or months prior to the actual event, like ransomware being dropped being the event. So these things will get taken advantage of in your environment, and if you are
not properly monitoring for them, you're kind of giving your keys to the kingdom to somebody as well. So it's definitely a double-edged sword, but this one's far less of a double-edged sword, because you have that PDF out there; you could even call it passwords.pdf, you could call it passwords.doc, whatever, CEO_salary.pdf, HR.

This is a really fun one: dropping a fake password vault. The example that Q actually just gave not that long ago, which was he had KeePass: drop a fake KeePass file that's encrypted; generate a real one and drop it, put it somewhere in the network. Again, monitor for any activity against that. You put that out there, an attacker
is going to be like, "Oh my God, it's Christmas Day," right? Am I wrong? Sometimes, but not right now. Put credentials in there too; don't just generate a file that's blank and call it a day. Put your honey accounts in there, so that again you see that, and on the blue side we'll actually get a full picture of the story: well, they got in here, the first thing they found was a fake password vault, they pivoted to one of those fake honey user accounts, they tried to use it, and now we have a whole entire picture and story of how they got in, what they did next, where they pivoted to, and we can actually
trace them. So one thing I'll add to that: don't put the password.txt for that KeePass database next to it; put it somewhere else, or don't even put one in there. Make that password not too easy but not too difficult, and make us waste more time trying to crack that KeePass database password before we get in.

Another fun one: inject fake hashes into LSASS. This does take a bit of extra work, but this one's really fun; it's really mischievous, actually. So mean, so mean. Almost, I would vary... I bet you the statistics for this one would be greatly in the blue team's favor. If you're injecting anything like this into
LSASS, there's almost no attacker out there that's ever going to question it, unless you make it blatantly obvious, which, I mean, obviously, right? But doing this, the key to this one as well: you're giving them something they're going to immediately pivot and attempt. So for this one, actually, if you get to this spot, I'd actually recommend not to inject one credential into LSASS but multiple; maybe have five or six that you're injecting in there that you're monitoring for actively, because it makes the attacker feel like they have even more, right? "I don't have one account, I have seven," and now all of a sudden they're kind of like, "Which one do I want to pick?" Maybe
they'll run BloodHound and see which one's a little bit better. Make them slightly different. But this one's quite malicious, actually, from a blue team perspective. Yeah, and if you don't want to run a PowerShell script, one thing you can do is create local admin accounts, not using the word "administrator," something else, "helpdesk," "sysadmin," on multiple boxes, set a password for them, and then disable them, because when we dump SAM we don't get to know if that account was enabled or not. I think Impacket secretsdump might do that, but most other tools don't, so I'm not going to know that account is disabled, so I will grab that
hash and I will try to spray it, and that's your detection mechanism right there.

Okay, this is fun. So this is a debate that we've actually had quite a bit around. Let's say you're paying for a pentest; you're paying that pentester now to literally, as the talk is called, waste their time. And so from my perspective, I'm actually for that, and here's the reason why. So if an attacker, I'm going to pick on Q, let's say he gets pulled into an engagement and he's running a red team assessment, we should be, my team, the blue team, should be getting detection on that. You're going to understand how quickly your blue team detects whenever they're
wasting their time. If your blue team is not detecting those things, you need to go back to the drawing board for all of that. So to a degree you're not actually wasting your money by wasting the red team's time; you're really, truly understanding what are your detections, what's your reaction to that, what is your blue team going to do as a reaction to that, how quick does that happen. If Q is wasting his time for, I'm just going to say, 12 hours of an engagement and your blue team hasn't said anything yet, there's a great big disconnect. You should probably talk to your pentester; 12 hours is a long time. You should probably hire that pentester as a blue
teamer at that point. That's kind of true. But at the end of the day, from my stance and perspective, it can really, truly test how well you're monitoring these honey accounts. And again, some of these things, especially if you're doing them the way that we've suggested, they're real accounts that could be used for bad. And then you could also have like some sort of a time limit. You could choose: okay, if we have not gotten our blue team to alert on this and do something with it for about 5 hours, let's say, let the pentester know; 10 hours, 12 hours, whatever you choose: "Hey, you're in a honeypot." But also make sure they put
that in the report, that it was a honeypot that caught us. Okay, have them put those positive measures in the report, some thumbs up to the security team: you all are doing a good job. So put that in the report.

So I'll toss one extra tidbit out there. We talked about creating a real user account, and if your comfort level for that is not very high, maybe you're not comfortable putting a real user account out there, something else you have to worry about, you can create an AD schema object; you'll have to research this a little. That's so mean. You can create an AD schema object; it's the beginnings of a user account. It's not a
real, live user account, but you can do this, and then you have to enable additional logging on the domain controller, all of them preferably, and then you would have to monitor. I think it's 4662 is the event code; don't quote me on that, it's something right in that range. But basically what you're looking for, and you would want to set up an alert for the user account name, and what you're going to do is you're going to look for that event ID, again I think it's 4662, and that user account. Here's what you're going to detect: BloodHound. BloodHound, as quiet as it is, it goes in and literally, at
the top of its lungs, it screams at Active Directory: "Tell me everything about you, everything, I don't care, give me everything you got." And so what you're doing with that AD schema object is you're monitoring for anything to talk to it. There are a few false positives that you will see from that: if an IT admin goes in and runs a tool like AdFind, which is very similar to how BloodHound works, it's also going to trip that up. But that should also be a blue team verification at that point; if I see an IT admin running AdFind, because threat actors use AdFind, they may not use BloodHound, if they're using AdFind we
should be verifying that with the it folks that they in fact did that and that was on purpose so since I'm a red teamer I have to double up you um so this like the credit to this goes to Barron one of our red teamers he was doing purple team with the client end of the purple team they start throwing these ideas on the board what are the craziest things we can do to detect attackers one of the things they came up with was create thousands and thousands of Honeypot users thousands and thousands of Honey poot groups thousands and thousands of computer objects and have them all have relationships with each other somebody has access to
something, somebody's a member of something. That BloodHound will take hours to load, and I'm just sitting there waiting for BloodHound to load. Heck, maybe my computer's fan will give out, right? Second thing I would suggest is ChatGPT, or any AI: use that to write some documentation that looks like real IT documentation and put that on OneNote. Some of us do like to read, and believe it or not, some of us do have an interest in your documentation, and you'll waste our time that way. All right, that's it, I think. Any questions, comments? You look surprised. I have a question. Yeah? Have you ever successfully owned a network with a honey user? Yes, we've done that using a
honey user. The client was really into honey users, and then they left the organization and somebody else came in, and they didn't even know about the honey users because the person who created the honey user did not document it. So there was a honey user sitting in there with a password of "password 2021", and we were in 2023 at that time, and we used it. Now, the person who created the honey user gave it domain admin. Not sure why they did that. So that was fun. So as you apply these techniques, and they're really good techniques, use a drawing board, use a whiteboard to plan it out, and do some threat modeling to figure out, one, what
story do you want to tell, what path do you want drawn by the attacker, but secondly, how do you want to detect them? And you guys had an IR related to that too, right? Different event. Yeah, and to be candid, you would really rather have Q find it than me. If I'm called, that means you've probably been encrypted. So, but yes, yeah, that's happened, and it's not a fun day. Anybody else? Yeah? Oh,
sorry. I believe BloodHound is looking at active sessions two different ways. One is somebody actively logged on, and the second one, if there's a DCC hash or a DCSync hash possibly in there, that might show up. What I've usually focused on for honeypots is SAM hashes. The reason for that is DCSync hashes are harder to crack, so most attackers don't even go after them. If you want them to go after something, a SAM hash is the way to go. Yeah, Cat, you got a question? Yeah, I was just going to say, they said, or he said, that he got some of these ideas from one of my talks. I do
a lot of honeypots around the world. I have a small company of honeypots in Ukraine. After your last talk I added a whole bunch of these methods, some that I hadn't thought of before, and I've been watching these attackers just spend hours and hours and hours going through this small company, not getting anywhere but getting stuck, and I'm gathering so much information, putting a new CL together. So thank you. Oh my God, I love it. Well, I love it, that is awesome. I'm going to be looking forward to that. Yes? [inaudible] to your honey[pot] but not have it be a risk to you, use it and still get what they want. Is there a way to,
like, [inaudible] some of your techniques so that they can be used in a [inaudible] way? The short answer is yes, but it's a complicated answer because it depends on your environment, how you're set up. You could do things like giving it local admin rights to a single individual machine and then denying it logon rights to the rest of your network. So it depends on the rails that you want to put up for those user accounts and where your comfort level is, based around the detection mechanisms that you have in place. Does that make sense? I saw a blog post by Nikhil Mittal, he's the guy from Altered Security. He did a blog a while back, I think it was 2008, so I
don't know if that's still true or not. What he talked about was creating a domain admin honeypot but denying it logon everywhere. I don't know if being a domain admin will now override that or not, so test it out in a lab environment. What I would also suggest doing, as you have honeypots set up: once every 3 months, just trip one intentionally and see if your team responds to it. Use those honeypots also as an incident response exercise; see how your team is doing. Yeah?
[inaudible] work, because you want to find real vulnerabilities, like, in some regards? Oh, 100%. That was the debate we had, because at the end of the day you're paying all of this money. The example of 12 hours, I know it's a little extreme, but if you're paying for, let's say, a small engagement, 40 hours, 12 hours of that 40-hour engagement is a massive amount of time that they could have been spending elsewhere. So there's absolutely, in my opinion, a delicate balance between how long they spend in there, but also you really want them to spend some time in there because you built these mechanisms to actually be utilized in that way. So here's how I would put it
from my perspective: what is your goal for the mean time to respond? How quickly do you want your blue team, your incident responders, to respond to that honeypot? If that time has passed, go and let the pentester know, and then go have a chat with your blue team: why did we not respond to this? Yeah, so that may be, you know, 30 minutes, that may be an hour, that may be 10 hours, depending on the type of honeypot and where you have it. Yeah, I, sorry, the thing I'd say just to kind of expound upon that is, realistically, you should have a response within an hour to something more critical like this. So
your blue team's aware now that you have a pentest or whatever going on and they're starting to actively respond. You solicited the thing that you needed to solicit. So that's where you would be pivoting back over to that red team, saying hey, we caught you, we got you in a honeypot, we got you with this honey user account, whatever it was, and then you're pivoting over to them saying hey, it's time to move on. All right, we'll take the last question, and that's about it going around the room. Oh yeah, hey Nick. Yeah, really quick, really, with this type of activity, don't lose sight as to why we do penetration tests. I think that with
regulations and things like that, we get really caught up in "we have to do this," but really your pentests are to validate your controls. Once you validate those controls, you let the pentester know, you move on. Otherwise you're only hurting yourself. So figure out what that needed response is, notify them, so that way they can find something else, some other weakness. You validated that control. Yeah, that's a good point, thanks for that. I'll double down on that a little bit. One of the things he mentioned was a lot of times we do pentesting because we feel we have to. From a pentester's perspective, I'm bored when that happens. When you want me to come in and do a pentest just
for a checkbox, you're going to get the lowest effort out there. Let us loose, let us find you the craziest things possible, and not just be a Nessus scan. All right, I love Nessus, it's a good tool, but that's not it; the pentest goes beyond that. All right, thank you very much, appreciate you all listening to
us, and now go waste somebody's time.