
Most Critical Failure in Corporate Environments


Most Common Failure in Corporate Environments
Joas Antonio dos Santos

[~]$ whoami
Red team leader and instructor at HackerSec
Contributor and researcher at MITRE ATT&CK
OWASP project leader
Author and speaker
90+ international certifications
Numerous CVEs reported

[~]$
Malware category share by region (source: Check Point):

Category       Global   Americas   EMEA   APAC
Botnet           31%        25%    30%    43%
Infostealer      21%        18%    23%    30%
Cryptominers     19%        15%    19%    25%
Banking          19%        15%    19%    25%
Mobile           14%        14%    14%    13%
Ransomware        8%         6%     8%    10%
Top 10 cybersecurity threats (source: ConnectWise)

Data center attacks: these malicious activities are aimed at compromising the security of data centers, facilities that house computer systems, and other critical infrastructure.

Vulnerabilities: newly discovered critical vulnerabilities in Microsoft Exchange and advances in phishing create new areas for MSPs to monitor.

Business email compromise: when a cybercriminal gains access to a corporate email account, they can use it to send phishing, steal confidential information or use the account to launch attacks.

Ransomware: this form of cyber attack has been around for decades, and hackers continue to develop and evolve their methods.

IoT device hacking: with many employees accessing sensitive company platforms and data from multiple dispersed endpoints, hackers have more opportunities for infiltration.

Crime-as-a-service: this describes the provision of cybercriminal tools, services and expertise through an underground, illicit market.

Supply chain attacks: hackers infiltrate supply chain technology to access source code, builds, and other infrastructure components of benign software applications.

Internal threats: once internal system users are compromised, they can become an even greater threat to the system than external attackers.

State-sponsored cyber warfare: cyberattacks by one nation-state against another for strategic or military purposes, often carried out by well-funded companies and highly skilled teams of hackers or cyber soldiers.

Cloud-based attacks: with so many companies using the cloud and cloud networks becoming more complex, your infrastructure has become an easy target for digital threat actors.
APT115 "ac3r0l4"

ac3r0l4 timeline
06/2015: emerged in 2015 in Brazil
02/2016: presence on popular surface hacking forums such as RaidForums, Breached, Cracked and XSS
01/2018: ransomware known as t1r4d3nt3s
04/2019: detection of its operations in 15+ countries with multiple ransomware operators
03/2020: dominant player in selling ransomware and 0days
09/2021: variants sold on Genesis Market
10/2022: task force created by FireEye + Mandiant + Trend Micro resulted in APT115

Modus operandi
- Private virtual private servers from countries like Iran, Venezuela, Panama and Switzerland
- VPN (AirVPN, Alerdium and Mullvad) and Tor (Whonix or Tails)
- Buying company access on forums
- Polymorphic ransomware + social engineering kit
- Vulnerability exploit kit (0days), e.g. 0daytoday
- Shared command and control server (Cobalt Strike)
- Sophisticated TTPs
- Bitcoin, Monero and Ethereum wallets
- Intrusions + theft and hijacking of data in Fortune 1000 companies
Tactics, techniques and procedures (TTPs)

MITRE ATT&CK and TTPs
"MITRE ATT&CK is a framework that maps cyber adversary tactics and techniques to help defend against and understand cybersecurity threats."

TTPs (tactics, techniques and procedures) are the set of specific strategies and actions used by adversary actors to carry out cyber attacks; understanding them is important for defending against these threats.

Tactics are the tactical objectives that a threat actor pursues during an operation.
Techniques describe the actions that threat actors take to achieve their goals.
Procedures are the technical steps required to perform the action.
Source: redteam.guide
APT115 ac3r0l4 simulation

[~]$ initialaccess.ps1 --help
Initial access refers to the point at which the adversary gains initial unauthorized access to a target system or network.

- Social engineering (spear-phishing + malicious PDF)
- 0day exploit: CVE-2022-22965 (Spring Framework RCE), CVE-2021-44228 (Log4j) and CVE-2022-30190 (Follina)
- Credential dump (Have I Been Pwned + dump leak)
- Creation of payloads to manage compromised targets through a C2

Initial access tooling
- Metasploit Framework (msfvenom): vulnerability exploitation and shellcode generation
- Exploit Pack: development of exploits and 0days
- macro_pack: generate malicious documents with VBA macros
- Bad PDF Generator: generate malicious PDFs: https://github.com/cybersecurityup/badpdf-generator
- Gophish + Evilginx: carry out phishing campaigns
- Cobalt Strike: manage compromised machines on a command and control server, using beacons and payloads
[~]$ evasion.cpp --help
Evasion refers to when the adversary uses techniques to evade detection by a protection mechanism and persist in a compromised environment.

- Configure a VPN to cloak network traffic
- Process injection techniques
- Exploration of defense mechanisms
- Obfuscation and payload encryption
- Use of valid accounts

Evasion tooling
- AtomPePacker: packing and file encryption: https://github.com/nul0x4c/atompepacker
- Blackout: disable EDR and AVs using LOLDrivers (gmer64.sys): https://github.com/zeromemoryex/blackout
- Mortar: evasion techniques; binary encryption for AV/EDR bypass
- Chimera: automation of third-party DLL execution attacks (DLL sideloading): https://github.com/georgesotiriadis/chimera
- AirVPN: VPN service based on OpenVPN and WireGuard for hacktivism: https://airvpn.org/
- PowerShell Obfuscation Bible: collection of evasion techniques in PowerShell: https://github.com/t3l3machus/powershell-obfuscation-bible
[~]$ privesc.py --help
Privilege escalation refers to the point at which the adversary seeks to gain higher privileges on a compromised system.

- Exploiting local vulnerabilities (CVEs)
- Using LOLBAS to exploit incorrect permissions of an application
- Hash dump and domain controller attacks
- Collected valid accounts

Privilege escalation tooling
- PEASS-ng: escalation script suite: https://github.com/carlospolop/peass-ng
- SweetPotato: a collection of various native privilege escalation techniques: https://github.com/ccob/sweetpotato
- ElevateKit: privilege escalation kit for Cobalt Strike
- Mimikatz: extract sensitive information such as clear text passwords and password hashes
[~]$ persistence.bat --help
Persistence refers to the point at which the adversary gains continued access to a compromised system.

- Creation and modification of processes
- Create accounts on the machine
- Create scheduled tasks
- Rootkits (ring 3)

Persistence tooling
- SharPersist: toolkit for persistence: https://github.com/mandiant/sharpersist
- ScheduleRunner: customize scheduled tasks for persistence: https://github.com/netero1010/schedulerunner
- r77: hides in files, processes and registry keys: https://github.com/bytecode77/r77-rootkit
- LOLBAS: use built-in Windows components for persistence (binaries, scripts and libraries)
[~]$ exfiltration.c --help
Exfiltration and impact refers to the point at which the adversary steals information from the network and compromises the availability of the environment.

- Data exfiltration via alternative protocols
- Data exfiltration through C2
- Ransomware development

Exfiltration tooling
- DNS-Exfil: DNS server created to exfiltrate data: https://github.com/karimpwnz/dns-exfil
- SharpExfiltrate: uses secure channels such as drives to exfiltrate data: https://github.com/flangvik/sharpexfiltrate
- Cobalt Strike: create HTTPS/DNS beacons to exfiltrate data
- MalwareBazaar: malware samples to analyze or use as a basis for creation
- RaasNet: script that generates ransomware for adversary simulation
- Programming languages: Go, C#, C++, Python and Ruby
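As an added defender-side example that is not part of the original deck: a small Python heuristic that flags the DNS-based exfiltration pattern listed above (data chunks carried as subdomain labels) by scoring query logs per registered domain. The log lines, the placeholder domain "exfil-c2.example" and the thresholds are all constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log ("client qname" per line), not from the original
# deck. "exfil-c2.example" is a placeholder domain; its 32-char hex labels
# stand in for chunks of encoded data carried in subdomain queries.
SAMPLE_LOG = """\
10.0.0.5 www.example.org
10.0.0.5 mail.example.org
10.0.0.5 static.example.org
10.0.0.5 api.example.org
10.0.0.7 7a3f0c9e2b5d814641e8d5b2690cf3a7.exfil-c2.example
10.0.0.7 c4e19b7d20f6a8355a8f3b1d0e2c6947.exfil-c2.example
10.0.0.7 9d2a6f0e4c8b1357b3e7a1f92c5d0486.exfil-c2.example
10.0.0.7 e8b4d1c67a2f30950f5c9a3e7b1d2846.exfil-c2.example
10.0.0.7 26f0a4c8e1b93d57d9c1e5a3b7f02864.exfil-c2.example
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded data scores close to the maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); enough for this sample, not for .co.uk."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text: str) -> dict:
    """Per registered domain: lengths, entropies and hex-ness of the leftmost label."""
    stats = defaultdict(lambda: {"len": [], "ent": [], "hex": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines instead of crashing on them
        qname = parts[1].rstrip(".")
        dom = registered_domain(qname)
        if not qname.endswith("." + dom):
            continue  # apex query, no subdomain label to score
        first = qname[: -len(dom) - 1].split(".")[0]
        s = stats[dom]
        s["len"].append(len(first))
        s["ent"].append(shannon_entropy(first))
        s["hex"] += 1 if HEX_RE.match(first) else 0
    return stats

def flag_domains(log_text, min_queries=4, min_len=24, min_entropy=3.0, min_hex=0.8):
    """Domains whose subdomain labels look like data: many queries, long,
    high-entropy, mostly hex. Thresholds are illustrative starting points."""
    suspicious = []
    for dom, s in analyse(log_text).items():
        n = len(s["len"])
        if n < min_queries:
            continue
        if (sum(s["len"]) / n >= min_len and sum(s["ent"]) / n >= min_entropy
                and s["hex"] / n >= min_hex):
            suspicious.append(dom)
    return sorted(suspicious)
```

The benign example.org queries clear the query-count threshold but fail on label length and entropy, which is what keeps ordinary CDN and login traffic out of the alert.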
Prevention methods

Security in depth
Source: network access

Risk management
Risk management is the process of identifying, assessing and mitigating risks that may affect an organization, project, process or activity. The primary objective of risk management is to take proactive measures to reduce the likelihood of adverse events occurring and to minimize their impact if they do occur.

Maturity level   From    Until   Recommendation
Insufficient     0.00     3.00   Deal with
Regular          3.01     5.00   Develop
Good             5.01     7.50   Improve
Very good        7.51     9.00   Improve
Great            9.01    10.00   Maintain
NIST-based maturity process
The NIST Cybersecurity Framework (CSF) is a set of guidelines and best practices developed by the US National Institute of Standards and Technology (NIST) to help organizations manage and improve their cybersecurity posture. CSF offers a flexible, risk-based model that allows organizations to tailor their cybersecurity strategies to their specific needs.

Identify: asset management; business environment; governance; risk assessment; risk management strategy; supply chain risk management
Protect: access control; awareness and training; data security; information protection processes and procedures; maintenance; protective technology
Detect: anomalies and events; security continuous monitoring; detection processes
Respond: response planning; communications; analysis; mitigations; improvements
Recover: recovery planning; improvements; communications
Cybersecurity solutions

"Facilitate cybersecurity operations and ensure effective controls across your environment."

This summarizes cybersecurity solutions and their importance: CIS categorizes at least 18 essential solutions for your security maturity, and SANS maps the top 20 security controls onto existing solutions on the market.
Source: CIS
Future of the cybersecurity market
Source: Burrelles

HackerSec as a business strategy
[~]$ cat thanks.txt
LinkedIn: Joas Antonio dos Santos
