The idea behind CCDC (Collegiate Cyber Defense Competitions) and competitions like it is to allow students to showcase their skills and abilities in a pseudo-real-world situation. These competitions are a wonderful addition to the Information Technology world and generally provide a positive addition to any student’s learning experience.
I am a Red Team member; it is my job to make your lives hell during competition. I use tools, skills, and Google to make your lives even worse than the Black Team does. I’m writing this post so that you Blue Team members understand what Red Team does and how to possibly prevent Red Team from living on your Domain Controllers.
Blue teams are naturally at a disadvantage in this style of competition due to the nature of the beast. The attackers can gain footholds faster than patches can be applied or passwords changed. At WRCCDC, the hour head start that teams get should be used to prioritize your risk, apply as many patches as possible, remove basic vulnerable services, audit user accounts, and check for basic password strength. Yes, the machines provided are often broken, running Red Star Linux, or Server Core, but a simple reimage can solve many problems. The point value of a reimage is less costly than having me sit on a Server Core machine that your domain administrator does not know how to properly manage. From my position on a DC, I control access to every Windows machine on the network and can pivot from any machine to another. This type of access allowed me to maintain persistence until the end of CCDC. By adding new domain administrator accounts and pivoting from DCs to client machines, so that the traffic appeared to originate at the DC, I was able to stay stealthier than if I had connected to every machine from my Cobalt Strike server or client.
Here is some low-hanging fruit that every blue team should know and think about:
- Lack of user account auditing. Honestly, does “whiteteam” need to be a domain admin?
- Creation of domain admin accounts. C1utch was all over your boxes, blue teams.
- Know what services are actually needed; disable or patch anything you possibly can. By removing attack surface, the threat map gets smaller.
- Look for default passwords and schemas. PostgreSQL this year was running as postgres with no password and the default template1 database. This allowed me to dump SSH keys and maintain access to those machines.
- Service filtering. Stop SMB from traversing over the router if possible; this removes many of the methods I use to maintain persistence.
- IPv6 is a thing: know what it is and how to use it, or disable it.
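The first two items (user account auditing and watching for newly created domain admin accounts) are the ones a Blue Team can check in minutes from the DC during the head start. The script below is an added example, not code from the original post or from any competition team: it is a read-only PowerShell audit that lists every user who is a member of the privileged groups, flags members created recently or with non-expiring passwords, saves a baseline of the membership, and reports additions or removals against that baseline. It assumes the RSAT ActiveDirectory module is installed on the machine running it, that the account used can read AD, and that the baseline path, the 24-hour "recent" window and the group list are local choices you may want to change. The event lookup assumes "Audit Security Group Management" is enabled on the DC; without it, that function returns nothing.

```powershell
# Added example (not from the original post): read-only privileged-account
# audit for a Blue Team DC. Assumes the RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory

# Groups worth reviewing. "Domain Admins" is the one the post focuses on; the
# others grant equivalent access and are commonly overlooked.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Accounts created within this many hours are flagged. Constructed default for a
# competition window; tune it to yours.
$DefaultRecentHours = 24

# Constructed default location for the membership baseline.
$DefaultBaselinePath = Join-Path $env:USERPROFILE 'priv-baseline.json'

function Get-PrivilegedMemberReport {
    param(
        [string[]]$Groups = $PrivilegedGroups,
        [int]$RecentHours = $DefaultRecentHours
    )
    $cutoff = (Get-Date).AddHours(-$RecentHours)
    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so a user hidden one level down
        # (e.g. a "helpdesk" group that is itself in Domain Admins) is listed.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') { continue }
            $u = Get-ADUser -Identity $m.DistinguishedName `
                 -Properties whenCreated, PasswordLastSet, PasswordNeverExpires, Enabled, LastLogonDate
            [PSCustomObject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                Created              = $u.whenCreated
                RecentlyCreated      = ($u.whenCreated -gt $cutoff)
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
                LastLogon            = $u.LastLogonDate
            }
        }
    }
}

function Save-PrivilegedBaseline {
    # Run once after the head-start cleanup, when membership is known-good.
    param([string]$Path = $DefaultBaselinePath)
    Get-PrivilegedMemberReport | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

function Compare-PrivilegedBaseline {
    # Re-run periodically: prints ADDED/REMOVED for each group|user pair that differs.
    param([string]$Path = $DefaultBaselinePath)
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $current  = @(Get-PrivilegedMemberReport)
    $key = { "$($_.Group)|$($_.SamAccountName)" }
    Compare-Object -ReferenceObject @($baseline | ForEach-Object $key) `
                   -DifferenceObject @($current | ForEach-Object $key) |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0}: {1}' -f $state, $_.InputObject
        }
}

function Get-RecentGroupChangeEvents {
    # 4728 = member added to a security-enabled global group (Domain Admins),
    # 4732 = member added to a security-enabled local group (Administrators).
    # Requires "Audit Security Group Management" to be enabled on the DC.
    param([int]$Hours = $DefaultRecentHours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4732
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage during the head start: review the full list, then keep the baseline.
Get-PrivilegedMemberReport | Format-Table -AutoSize
Get-PrivilegedMemberReport |
    Where-Object { $_.RecentlyCreated -or $_.PasswordNeverExpires -or -not $_.Enabled } |
    Format-Table Group, SamAccountName, Created, PasswordNeverExpires, Enabled -AutoSize
Save-PrivilegedBaseline

# Later in the competition: anything ADDED here that you did not add is the
# kind of account the post describes.
Compare-PrivilegedBaseline
Get-RecentGroupChangeEvents | Format-Table -AutoSize
```

An account like "whiteteam" in Domain Admins shows up in the first table; an account a Red Team operator adds after your baseline shows up as ADDED in the comparison and, if group-management auditing is on, as a 4728 event with the actor's name in the first line of the message. Removing a member and resetting the passwords of the legitimate ones is the follow-up; this script deliberately changes nothing.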
Rupert Cunningham says hello by the way.