Videos

Join Our BHIS Discord Community – https://discord.gg/aHHh3u5
0:00:00 - PreShow Banter™ – We’re There, Trust Us
0:07:33 - PreShow Banter™ – Trace Labs CTF
0:24:47 - FEATURE PRESENTATION: Info Sec Mentoring
0:28:23 - Mentors, the Fresh Maker™
0:30:27 - How To Find a Cult Leader, I Mean Mentor.
0:34:37 - B-Sides Orlando DEMO
0:42:17 - How To Be a Mentor
0:56:12 - How to Be A Mentee
1:03:42 - Your Moment of Self-Doubt
1:05:34 - Will You Be My Mentor?
1:11:56 - Reach Out
1:14:41 - Multiple Mentors
1:16:36 - Mentors, Friends, & Counselors
1:19:11 - You Discuss Me
1:20:29 - Time is Valuable
1:20:47 - This is the End
1:22:28 - End of Show Banter



Special Guests, Trace Labs:

Trace Labs Website: https://tracelabs.org/
conINT Conference Oct 17/18 (3 tracks of intel related talks, workshops, Search Party CTF on Day 2) https://conint.io/

Trace Labs Slack: https://join.slack.com/t/tracelabs/shared_invite/zt-hcje16jm-Gko95KP9471PdUpnzXqy6w

Ongoing OSINT Operations
Sharing of OSINT Resources Trace Labs Events: https://tracelabs.eventbrite.com/

Get involved in Trace Labs:
1. 24/7 Ongoing Ops in Trace Labs Slack (Check out #ongoing-ops channel)
2. Search Party CTF Participant
3. Search Party CTF Volunteer Judge
4. Contribute OSINT tools to our OSINT VM via Github: https://github.com/tracelabs/tlosint-live

Resources:
1. Contestant Guide: http://download.tracelabs.org/Trace-Labs-OSINT-Search-Party-CTF-Contestant-Guide_v1.pdf
2. Judge Guide: http://download.tracelabs.org/Trace-Labs-OSINT-Search-Party-CTF-Judge-Guide_v3.pdf
3. OSINT VM Based off of Kali Linux: https://www.tracelabs.org/trace-labs-osint-vm/
4. OSINT VM Webinar Recording: https://youtu.be/yZdOb-NSiAw
5. Trace Labs YouTube (Training Videos + tools/tips): https://www.youtube.com/c/TraceLabsVideos

Join the BHIS Community Discord https://discord.gg/aHHh3u5
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_WhenWorldsCollide.pdf

00:00:00 - PreShow Banter™ — We've Lost Control
00:10:47 - FEATURE PRESENTATION: When Worlds Collide
00:14:26 - Threat Intelligence Sharing
00:25:57 - Won't Stop Can't Stop
00:32:06 - A Tired Community
00:38:54 - Re-Investing Open Source Projects
00:45:37 - Open Threat Research
00:50:57 - Understand Adversary Tradecraft
00:52:50 - Mordor Labs
01:10:05 - Mordor Datasets
01:12:42 - HELK
01:18:41 - Threat Hunter Playbook
01:35:34 - PostShow Banter™

Learn more about these projects if you haven't yet:

https://twitter.com/porchetta_ind
https://twitter.com/HunterPlaybook
https://twitter.com/Mordor_Project
https://twitter.com/OSSEM_Project

https://github.com/DefensiveOrigins/AtomicPurpleTeam
https://github.com/OTRF
https://github.com/OTRF/mordor
https://github.com/OTRF/mordor-labs
https://github.com/Cyb3rWard0g/HELK
https://github.com/byt3bl33d3r/SILENTTRINITY
https://github.com/byt3bl33d3r/CrackMapExec
https://github.com/OTRF/ThreatHunter-Playbook

https://jupyter.org/
https://mordordatasets.com
https://mordordatasets.com/notebooks/small/windows/windows.html
https://infosecjupyterbook.com/community-workshops/defcon_btv_2020/use-cases/01_Data_Analysis_Process_Injection.html

Webcast Hosts:
- Jordan Drysdale @rev10d
- Kent Ickler @krelkci

Special Guests:
- Roberto Rodriguez @cyb3rward0g
- Nate Guagenti @neu5ron
- Marcello Salvatti @byt3bl33d3r
- John Strand @strandjs

Worlds collide as Black Hills Information Security (BHIS) brings together legendary developers in open source software (OSS) hunting and adversarial emulation projects for a discussion on the current state of the landscape and what's coming next.

As our panel hosts, Jordan and Kent (Atomic Purple Team, PlumHound), continue to focus on advocating and evangelizing for Purple Teaming in the information security community, they have invited Roberto Rodriguez & Nate Guagenti (HELK Project, Mordor) and Marcello Salvati (CrackMapExec, SILENTTRINITY) to discuss the collision of OSS Hunting and Adversarial Emulation platforms, with additional commentary from John Strand.

The group will discuss Roberto Rodriguez (@Cyb3rWard0g) and Nate Guagenti’s (@neu5ron) development and maintenance of the HELK project while focusing on the ongoing development of Mordor, Datasets, and Azure Resource Manager templates. Joining the world-class hunters is Marcello Salvati (Byt3bl33d3r), developer of CrackMapExec and SILENTTRINITY to continue the discussion of OSS adversarial simulation. John Strand will add commentary on the history of adversarial simulation, hunting, and where the industry may be headed.

Join the Black Hills Information Security Discord discussion server -- https://discord.gg/aHHh3u5
Need slides and much more -- https://github.com/DefensiveOrigins/AtomicPurpleTeam/tree/master
0:00 - Family Stories
1:07 - Atomic Purple Team Framework
3:28 - Executive Problem Statement
4:41 - Red Team, Blue Team, Purple Team
7:18 - Who / What is APT?
9:22 - Atomic Purple Team Lifecycle
18:18 - 1. Threat / Risk Assessment (Ingest) Types
19:59 - 2. Planning — What are the Tools
20:50 - 3. Attack / Execute / Engage
21:37 - 4. Hunt and Defend
22:01 - 5. Adjust & Harden
23:14 - 6. Reporting and Request for Deployment
27:07 - Lifecycles Start in Development
28:15 - Lifecycles End in Production
28:44 - APT Lab INfrastructure
29:48 - Off-Roading: Lab Demo
33:21 - Lifecycle Walkthrough — Goal Setting
34:50 - Purple Team Lifecycle Walkthrough
44:02 - Hunt and Defend Methodology
45:02 - Adjusting to Threat
47:21 - APTLC Playbook
48:49 - The Report
53:15 - Lessons Learned
59:25 - Post-Show Questions

Jordan and Kent are back again to continue strengthening organizations' information security human capital (That's all you folks!). Organization Leadership and Security Practitioners can gain an understanding on the potential designed-to-fail Purple Teams initiatives never reached their full potential. The Duo reviews how systemic organizational career pathing created an insoluble Red vs Blue dichotomy.

MORE IMPORTANTLY: The team is announcing a recipe for Purple Team Wins:

The Atomic Purple Team (Lifecycle) Framework

Organizations struggling to efficiently leverage the skillsets of all information security staff will benefit from considering the Atomic Purple Team Lifecycle Framework's business-driven workflow. The workflow takes its roots from tested continuous improvement frameworks like ISO9001, ISO27001, Six Sigma, and the like.

Watch how a methodical balance of risk analysis, attack, hunt and defend methodologies, and business considerations can effectively and continually improve an organizations' security posture. As an added bonus, the framework incorporates concepts of Human Capital Management and knowledge-flow methodologies to encourage tacit knowledge exchange to further organic growth of the skillsets of all those involved in the Atomic Purple Team framework.

But wait, there's more!
Budget headaches? Learn how the Atomic Purple Team framework's methodical flow also aligns to natural business operations management and reporting. The framework provides a clear path to cabinet-approved Purple Team budget appropriations to ensure long term security posture improvement.

Lastly, Jordan and Kent will demonstrate the Atomic Purple Team Lifecycle in action by running complete live Attack and Hunt/Defend lifecycle(s), all the way to risk management and budgetary thoughts.

Join the Black Hills Information Security Discord discussion server -- https://discord.gg/aHHh3u5
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_RedTeamToolsBlueTeamPerspective.pdf

0:00 - Big Fish
0:28 - Question & Enhance
2:51 - Executive Summary
3:58 - Executive Problem Statement
8:48 - Red Team Tools are Red Team Tools
13:39 - Optics(3)
16:22 - SIGMA and SIGMAC
22:13 - Red Team Tool : Responder
25:35 - Red Team Tool : CrackMapExec
29:57 - Red Team Tool : DomainPasswordSpray
38:48 - Red Team Tool : Mimikatz
46:41 - Red Team Tool : BloodHound
50:59 - Blue Team Tool : Plumbhoud
58:38 - Final Thoughts

Kent and Jordan are back to continue their journey to make the world a better place. This time around, they will be reviewing a series of tools commonly used on pentests to identify flaws in Active Directory and general network design and implementation.

You've probably heard of most of them, like BloodHound, ADExplorer, mimikatz..., wait, Mimikatz as a Blue Team? Yeah, it might be a bit of a stretch, but they'll get there. Even better, with an introduction to various adversarial simulation frameworks, you can start your own journey of constant improvement. Nmap, CrackMap, BingMaps, and Domain Password Spray. (Re: BingMaps -- just checking to see if you're actually reading these, at this point, our response rate records keep getting shattered, and we just want someone to call us out - the BingMaps API is really cool though).

In a world seemingly gone mad, come find some solace with these two as they share new discoveries, a tool drop from Kent (which will potentially change the BloodHound game), and more.

Let's help the world detect attacks at a higher rate! Let's skew the Verizon DBR's reported numbers! Let's get better together!

Thanks, as always, and we look forward to spending time with those of you who can join us.

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_LetsTalkAboutELKBaby.pdf

2:47 – Why Are We Doing This?
5:07 – AT7: The Logs You Are Looking For
7:41 – AD Best Practices to Frustrate Attackers
9:37 – AT 5 – Complete Takedown & AT 6 – IOCs
12:04 – Blue Team-A-Palooza
14:22 – Windows Logging, Sysmon and ELK – Part 1
16:45 – Implementing Sysmon and Applocker
21:45 – ...And Group Policies That Kill Kill-Chains
22:31 – Here Are Some Important Blogs
23:35 – Summary Complete
25:28 – Introducing the Atomic Red Team
27:50 – Installing the Atomic Framework
29:29 – Squibbly Doo; The Results; Let's Take A Step Back: The Atomic Tests; Another Step Back: WEF / Winlogbeat Config
33:41 – Executing T1015; Catching Executables; Executing T1003
42:02 – ElastAlert
43:21 – Now, On the ATT&CK
44:20 – Not Sure If That's a Wrap Yet. (It's Not)
47:11 – Check Out Our Dashboard

Links to preview:
https://github.com/elastic/stack-docker
https://github.com/Yelp/elastalert
https://securityonion.net/
https://github.com/redcanaryco/atomic-red-team

BHIS’ Defensery Driven Duo Delivers Another Delectable Transmission!

We know you are worried about your networks. After hours of discussion, we’ve come to the realization that some of our dedicated followers seem to be much more interested in catching malware than learning how to be (please forgive this next statement) “l33t hax0rs”.

This webcast is going to demonstrate an integration between our ongoing Windows baseline best practices configuration and improving your endpoint optics. But first, we’re going to summarize some previous webcasts, their content, the order in which they should be reviewed, and to tie all of these things together. Then, with all the baseline content and configuration options summarized, we are going to help you put a bow on all that, just in time for the Holidays.

The bright blue bow this year will help you set another New Year’s resolution:
1. We all pledge to produce better and more effective logging that reduces time to detection.
2. We can use open-source, well-documented solutions to do so!
3. We can make the world a better place together!

With that said, we will be using a ELK installation that includes ElastAlert, designed by the folks at Yelp!. This installation will ingest our workstation logs and demonstrate a base level of alerts that you too can quickly deploy in your environment. We may also have enough cycles to discuss the Security Onion project and how it has improved our overall network optics.

As a wrap-up, we will introduce the Atomic Red Team framework. This tool, if you haven’t seen or researched it before, can be used to rinse and repeat the refining process for your workstation and server detection mechanisms. Once deployed along with your logging infrastructure, this tool can help you fine-tune your alerting processes.

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_EnterpriseReconForPurpleTeams.pdf

00:00 - Intro
00:42 - Executive Problem Statement
02:25 - Recon You Say?
06:11 - Your Internal Friends... Sometimes
09:01 - What Does Purple Team Do, Exactly?
10:13 - There Are A Ton Of Sources Out Here
49:55 - And Now For Some Crappy Code

Do you know what your attackers know?

There's a good chance you know, but you might not be aware of just how much information can be found historically and in real-time about your business operations and organization.

Join Jordan Drysdale and Kent Ickler as they discuss and demonstrate Purple Team Enterprise Reconnaissance methods that increase operational network awareness and overall security posture.

Learn how to monitor cloud services for your organizations' data being dumped on the web, account compromises, and source code disclosure.

Use external services to keep an eye on your external landscape to alert on unexpected changes.

See configurations of operational awareness uncover potential attacker's methodology and infrastructure to provide you an upper-hand in stopping threats before they escalate.

See how an attacker utilizes common internet sources to gather intelligence about your technology stack, your perimeter security, your wireless networks, and plan attacks against your organization.

Know what your attacker knows.

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_GroupPoliciesThatKillKillChains.pdf

0:45 Introducing what a kill chain is and general background you need for this webcast
15:53 Getting into group policies, best practices, group policies that we're not covering today but you should be doing already
20:56 Local admin controls, honey accounts, LAPS, making a policy for admin groups
27:02 addressing LLMNR, SMB signing, configuring host firewalls
33:43 Limiting and restricting logons, configuring your web proxies/WPAD, logging your network and alerts
42:46 Kerberos ticket operations, catching Powershell and CMD, utilizing Sysmon
47:44 Q&A

Jordan and Kent are back again!

On this webcast, we'll guide you through an iterative process of building and deploying effective and practical Group Policy Objects (GPOs) that increase security posture. The GPOs will specifically focus on things that make attacker’s lives difficult and assist in shutting down the kill chain.

Windows Auditing, Logging, Event Forwarding? Yes.
Sysmon? Yes.
Destroy LanMan? Killing LLMNR? Extending the AD schema for longer minimum password length? Yes. Yes. Yes.
Limiting admin network logons? Yes.
LAPS? Sure, why not?
ADExplorer? Yes.
Much much more.

Plus additional commentary on striking a balance between user convenience and practical security.

These are the Group Policies that trip us up on every pentest in some fashion or another. Combining these configurations creates a baseline security that stops attackers in their tracks and causes them to move on to an easier victim.

Join us for another feast at the smorgasbord of Windows configuration options and let us help you narrow your sysadmin focus for maximum results with minimal effort.

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_AttackTactics6ReturnofBlueTeam.pdf

2:53 Introduction, password spray toolkit, account lockout, honey accounts, canary tokens, and two factor authorization
12:00 PCI #fixthefuture , two factor authorization, dumping global address lists, mailsniper
20:30 Lateral movement, OWA, VPN, SSH
32:54 Scanning and enumeration, Nmap, SSH Brute Force, "Find Open", LLMNR, LLMNR Responder, and NrlmRelayX
41:25 Gaining access and lateral movement, crackmapexec, how to detect if LLMNR gets turned back on after disabling
47:36 Additional paths, using RITA for detection, internal cobalt strikes, and Endpoint
50:17 Q&A

Originally recorded on May 16th, 2019
Presented by: John Strand, Jordan Drysdale, Kent Ickler

In this webcast we walk through the step-by-step defenses to stop the attackers in every step of the way we showed in Attack Tactics Part 5!!!

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_AttackTactics5ZerotoHeroAttacks.pdf

4:11 - Infrastructure & Background
8:28 - Overview & Breakdown of Attack Methodology and Plans
11:35 - Start of Attack (Gaining Access), Password Spraying Toolkit
15:24 - Mailsniper, Retrieve Global Access List
21:58 - Lateral Movement, OWA, VPN, SSH
27:05 - Scanning/Enumeration, Nmap SSH Brute Force, "Find Open", Movement, Gaining Access
34:07 - Gaining Access, Test for LLMNR, What is LLMNR, Responder, NtlmRelayX
45:53 - Gaining Access, Lateral Movement - crackmapexec
50:29 - Gaining Access, GoPhish Campaign, Additional Paths to Access, HTA, Cobalt Strike
59:48 - Wrap Up

Presented by BHIS Testers: Jordan Drysdale, Kent Ickler, and John Strand

Ever want to see a full attack from no access on the outside to domain takeover? Ever want to see that in under an hour? 

OWA? Password Sprays? Yup!
VPNs? Remote account takeover? Yup!
Fully documented command and tool usage? Yup!
MailSniper? Absolutely!
Nmap? Obviously!
Crackmapexec? Definitely!
Cobalt Strike HTA phishing? This is the one I am most worried about 😀 - but we'll try anyway. 

So what? What's different about this webcast? We'll cover the zero (external, no access) to hero (internal, domain admin).

Then, in the next webcast we will cover all the points where it could have been detected and stoped.

Yes.. Ethical Hacker Kids.

The holidays are coming up! Here John & Jordan cover the different games, tools and gifts we can give kids that help teach them the trade. There is nothing, nothing like sitting around with family picking locks, learning to code and helping kids through the latest Holiday Hack Challenge.

And!! We will also cover the latest gifts that you can add to YOUR wish list.

Slides available here: https://blackhillsinformationsecurity.shootproof.com/gallery/8204786/

Find out when our next LIVE webcast is by signing up for our email notifications: https://blackhillsinfosec.us15.list-manage.com/subscribe?u=e12efe2af6573cc76c90fc019&id=b7b017ed3a

Over the past few months, we have discovered a couple trends that organizations seem to be missing. Just some general vulnerability issues we are seeing again and again. In this webcast, we wanted to give a few pointers and some new tools to help the blue team stay on top of these issues.

Below are a few topics we cover:

1. Using Nmap to find the web services on your network. This is huge. Many people miss some basic portals that have default creds or realllly basic exploit vectors.

2. Inventory. We will be sharing a cool tool that Bill Stearns created that detects software by monitoring outbound traffic using Scapy. The output is a cool .csv file. Because all .csv files are awesome.

3. Patching and why this matters so much. I know this is an over addressed topic. But, we will be bringing up a few issues we have seen in some recent tests.

4. Hardening telnet and HTTP to SSH and TLS. And... more Nmap goodness.

5. Password policy, LLMNR and more belt-tightening you can do with group policy.

Slides available here: https://blackhillsinformationsecurity.shootproof.com/gallery/7945173/

Find out when our next LIVE webcast is by signing up for our email notifications: https://blackhillsinfosec.us15.list-manage.com/subscribe?u=e12efe2af6573cc76c90fc019&id=b7b017ed3a

https://discord.gg/nArzTa

Jordan Drysdale stands up and walks through a Red Team penetration

Join Jordan and Kent as they walk through an Active Directory best practices environment. The deployment includes two Amazon Web Services (AWS) Active Directory Domain Controllers in a multi-availability zone configuration. The best practices will also cover some AWS basics, deploying your domain in the cloud, and lots more.

Sysmon? Yeah!
Password policy? Yeah!
Naming conventions? Yeah!
ACLs? Yeah!

And much, much more.

Slides available here: https://blackhillsinformationsecurity.shootproof.com/gallery/7214618/

Find out when our next LIVE webcast is by signing up for our email notifications: http://blackhillsinfosec.us15.list-ma...

Follow us on Twitter: https://twitter.com/BHinfoSecurity

Jordan and Kent are back with more blue team madness! The shameless duo continue their efforts to wrangle decades old attacks against wireless networks. The webcast will discuss the last 15 years of wireless threats.....in less than five minutes. The other 55 minutes will cover modern defenses, Wi-Fi hardening and how we can shift victory back to the blue team!

Slides available here: https://www.blackhillsinfosec.com/webcast-stop-sucking-at-wireless/

Jordan and Kent demonstrate some standard methodologies utilized during an internal network review. We also discuss various tools used to test network defenses and their capabilities. Solutions to common vulnerabilities are proposed in most situations.

Slides available here: https://www.blackhillsinfosec.com/webcast-wrangling-internal-network-vulnerabilities/

Jordan and Kent demonstrate why there is only ONE correct way to configure your wireless networks. They also talk about the use of a web service called Wigle to profile and identify your target wireless networks, wireless hash crack theory, pre-computation of a hash file for a target SSID and finally, and a live crack demo!

Slides available here: https://blackhillsinformationsecurity.shootproof.com/gallery/8000728

This is an edited recording from the June 6th, 2020, 4-hour online training workshop: Applied Purple Teaming: Infrastructure, Threat Optics, and Continuous Improvement w/ Kent Ickler & Jordan Drysdale (4-Hours)

For slides, labs, resources: https://github.com/DefensiveOrigins/APT06202001

New blog post with supplemental information: https://www.blackhillsinfosec.com/how-to-deploy-windows-optics-commands-downloads-instructions-and-screenshots/

0:00 - I Heard We Were Good
2:31 - Course Objectives
4:53 - Course Components
6:59 - Applied Purple Teaming Course Matrix
12:41 - Endpoint Optics Sysmon Audit Policy
14:09 - What Is Sysmon
37:49 - Audit Policy
38:59 - Windows Event Collection
46:45 - We Have Some Questions
1:01:08 - Break Time 01
1:11:40 - Back To Work
1:13:25 - Event Handlers WEC / WEF Event Subscriptions
2:06:10 - I Break For Questions (Break Time 02)
2:18:11 - Log Shipping Event Ingestors
2:36:17 - Moar Questions
3:00:32 - Break Time 03
3:13:06 - Back To Work
3:26:42 - Atomic Purple Team / APT Lifecycle Lifecycle
3:46:22 - Final Questions And Thoughts

Build your own Purple Team lab in 4 hours (or less!)
Implement Sysmon with the modular configuration
Configure and launch meaningful audit policies
Deploy the WEF / WEC model of event collection
Install WinLogBeat to push logs to....
The Hunting ELK (HELK)

Join the BHIS Discord Channel to ask questions about the labs or training: https://discord.gg/aHHh3u5
(Use the training-prep-questions channel)

For slides, labs, resources: https://github.com/DefensiveOrigins/APT06202001

New blog post with supplemental information: https://www.blackhillsinfosec.com/how-to-deploy-windows-optics-commands-downloads-instructions-and-screenshots/

Kent Ickler & Jordan Drysdale are teaching a paid ($395) 3-day, 5.5-Hour sessions (16.5-hours), training course on — Applied Purple Teaming — June 30-July 2 | Learn more: https://wildwesthackinfest.com/online-training/applied-purple-teaming/

Please send your questions, comments and feedback to: w[email protected]