Python for Cybersecurity

DISCOVER AN UP-TO-DATE AND AUTHORITATIVE EXPLORATION OF PYTHON CYBERSECURITY STRATEGIES

Python For Cybersecurity: Using Python for Cyber Offense and Defense delivers an intuitive and hands-on explanation of using Python for cybersecurity. It relies on the MITRE ATT&CK framework to structure its exploration of cyberattack techniques, attack defenses, and the key cybersecurity challenges facing network administrators and other stakeholders today.

Offering downloadable sample code, the book is written to help you discover how to use Python in a wide variety of cybersecurity situations, including:

* Reconnaissance, resource development, initial access, and execution
* Persistence, privilege escalation, defense evasion, and credential access
* Discovery, lateral movement, collection, and command and control
* Exfiltration and impact

Each chapter includes discussions of several techniques and sub-techniques that could be used to achieve an attacker's objectives in any of these use cases. The ideal resource for anyone with a professional or personal interest in cybersecurity, Python For Cybersecurity offers in-depth information about a wide variety of attacks and effective, Python-based defenses against them.

HOWARD E. POSTON III is a freelance consultant and content creator with a professional focus on blockchain and cybersecurity. He has over ten years’ experience in programming with Python and has developed and taught over a dozen courses teaching cybersecurity. He is a sought-after speaker on blockchain and cybersecurity at international security conferences. Introduction xvii

CHAPTER 1 FULFILLING PRE- ATT&CK OBJECTIVES 1

Active Scanning 2

Scanning Networks with scapy 2

Implementing a SYN Scan in scapy 4

Performing a DNS Scan in scapy 5

Running the Code 5

Network Scanning for Defenders 6

Monitoring Traffic with scapy 7

Building Deceptive Responses 8

Running the Code 9

Search Open Technical Databases 9

Offensive DNS Exploration 10

Searching DNS Records 11

Performing a DNS Lookup 12

Reverse DNS Lookup 12

Running the Code 13

DNS Exploration for Defenders 13

Handling DNS Requests 15

Building a DNS Response 15

Running the Code 16

Summary 17

Suggested Exercises 17

CHAPTER 2 GAINING INITIAL ACCESS 19

Valid Accounts 20

Discovering Default Accounts 20

Accessing a List of Default Credentials 21

Starting SSH Connections in Python 22

Performing Telnet Queries in Python 23

Running the Code 24

Account Monitoring for Defenders 24

INTRODUCTION TO WINDOWS EVENT LOGS 25

Accessing Event Logs in Python 28

Detecting Failed Logon Attempts 28

Identifying Unauthorized Access to Default Accounts 30

Running the Code 30

Replication Through Removable Media 31

Exploiting Autorun 31

Converting Python Scripts to Windows Executables 32

Generating an Autorun File 33

Setting Up the Removable Media 34

Running the Code 34

Detecting Autorun Scripts 34

Identifying Removable Drives 35

Finding Autorun Scripts 36

Detecting Autorun Processes 36

Running the Code 36

Summary 37

Suggested Exercises 37

CHAPTER 3 ACHIEVING CODE EXECUTION 39

Windows Management Instrumentation 40

Executing Code with WMI 40

Creating Processes with WMI 41

Launching Processes with PowerShell 41

Running the Code 42

WMI Event Monitoring for Defenders 42

WMI in Windows Event Logs 43

Accessing WMI Event Logs in Python 45

Processing Event Log XML Data 45

Running the Code 46

Scheduled Task/Job 47

Scheduling Malicious Tasks 47

Checking for Scheduled Tasks 48

Scheduling a Malicious Task 48

Running the Code 49

Task Scheduling for Defenders 50

Querying Scheduled Tasks 51

Identifying Suspicious Tasks 52

Running the Code 52

Summary 53

Suggested Exercises 53

CHAPTER 4 MAINTAINING PERSISTENCE 55

Boot or Logon Autostart Execution 56

Exploiting Registry Autorun 56

The Windows Registry and Autorun Keys 57

Modifying Autorun Keys with Python 60

Running the Code 61

Registry Monitoring for Defenders 62

Querying Windows Registry Keys 63

Searching the HKU Hive 64

Running the Code 64

Hijack Execution Flow 65

Modifying the Windows Path 65

Accessing the Windows Path 66

Modifying the Path 67

Running the Code 68

Path Management for Defenders 69

Detecting Path Modification via Timestamps 69

Enabling Audit Events 71

Monitoring Audit Logs 73

Running the Code 75

Summary 76

Suggested Exercises 76

CHAPTER 5 PERFORMING PRIVILEGE ESCALATION 77

Boot or Logon Initialization Scripts 78

Creating Malicious Logon Scripts 78

Achieving Privilege Escalation with Logon Scripts 79

Creating a Logon Script 79

Running the Code 79

Searching for Logon Scripts 80

Identifying Autorun Keys 81

Running the Code 81

Hijack Execution Flow 81

Injecting Malicious Python Libraries 82

How Python Finds Libraries 82

Creating a Python Library 83

Running the Code 83

Detecting Suspicious Python Libraries 83

Identifying Imports 85

Detecting Duplicates 85

Running the Code 86

Summary 86

Suggested Exercises 87

CHAPTER 6 EVADING DEFENSES 89

Impair Defenses 90

Disabling Antivirus 90

Disabling Antivirus Autorun 90

Terminating Processes 93

Creating Decoy Antivirus Processes 94

Catching Signals 95

Running the Code 95

Hide Artifacts 95

Concealing Files in Alternate Data Streams 96

Exploring Alternate Data Streams 96

Alternate Data Streams in Python 97

Running the Code 98

Detecting Alternate Data Streams 98

Walking a Directory with Python 99

Using PowerShell to Detect ADS 100

Parsing PowerShell Output 101

Running the Code 102

Summary 102

Suggested Exercises 103

CHAPTER 7 ACCESSING CREDENTIALS 105

Credentials from Password Stores 106

Dumping Credentials from Web Browsers 106

Accessing the Chrome Master Key 108

Querying the Chrome Login Data Database 108

Parsing Output and Decrypting Passwords 109

Running the Code 109

Monitoring Chrome Passwords 110

Enabling File Auditing 110

Detecting Local State Access Attempts 111

Running the Code 113

Network Sniffing 114

Sniffing Passwords with scapy 114

Port- Based Protocol Identification 116

Sniffing FTP Passwords 116

Extracting SMTP Passwords 117

Tracking Telnet Authentication State 119

Running the Code 121

Creating Deceptive Network Connections 121

Creating Decoy Connections 122

Running the Code 122

Summary 123

Suggested Exercises 123

CHAPTER 8 PERFORMING DISCOVERY 125

Account Discovery 126

Collecting User Account Data 126

Identifying Administrator Accounts 127

Collecting User Account Information 128

Accessing Windows Password Policies 128

Running the Code 129

Monitoring User Accounts 130

Monitoring Last Login Times 130

Monitoring Administrator Login Attempts 131

Running the Code 132

File and Directory Discovery 133

Identifying Valuable Files and Folders 133

Regular Expressions for Data Discovery 135

Parsing Different File Formats 135

Running the Code 136

Creating Honeypot Files and Folders 136

Monitoring Decoy Content 136

Creating the Decoy Content 137

Running the Code 138

Summary 138

Suggested Exercises 139

CHAPTER 9 MOVING LATERALLY 141

Remote Services 142

Exploiting Windows Admin Shares 142

Enabling Full Access to Administrative Shares 143

Transferring Files via Administrative Shares 144

Executing Commands on Administrative Shares 144

Running the Code 144

Admin Share Management for Defenders 145

Monitoring File Operations 146

Detecting Authentication Attempts 147

Running the Code 148

Use Alternative Authentication Material 148

Collecting Web Session Cookies 149

Accessing Web Session Cookies 150

Running the Code 150

Creating Deceptive Web Session Cookies 151

Creating Decoy Cookies 151

Monitoring Decoy Cookie Usage 153

Running the Code 153

Summary 154

Suggested Exercises 155

CHAPTER 10 COLLECTING INTELLIGENCE 157

Clipboard Data 158

Collecting Data from the Clipboard 158

Accessing the Windows Clipboard 159

Replacing Clipboard Data 159

Running the Code 160

Clipboard Management for Defenders 160

Monitoring the Clipboard 161

Processing Clipboard Messages 161

Identifying the Clipboard Owner 161

Running the Code 162

Email Collection 162

Collecting Local Email Data 162

Accessing Local Email Caches 163

Running the Code 163

Protecting Against Email Collection 164

Identifying Email Caches 165

Searching Archive Files 165

Running the Code 166

Summary 166

Suggested Exercises 166

CHAPTER 11 IMPLEMENTING COMMAND AND CONTROL 169

Encrypted Channel 170

Command and Control Over Encrypted Channels 170

Encrypted Channel Client 171

Encrypted Channel Server 172

Running the Code 173

Detecting Encrypted C2 Channels 174

Performing Entropy Calculations 175

Detecting Encrypted Traffic 175

Running the Code 176

Protocol Tunneling 176

Command and Control via Protocol Tunneling 176

Protocol Tunneling Client 177

Protocol Tunneling Server 177

Running the Code 179

Detecting Protocol Tunneling 179

Extracting Field Data 181

Identifying Encoded Data 181

Running the Code 181

Summary 182

Suggested Exercises 182

CHAPTER 12 EXFILTRATING DATA 183

Alternative Protocols 184

Data Exfiltration Over Alternative Protocols 184

Alternative Protocol Client 185

Alternative Protocol Server 186

Running the Code 188

Detecting Alternative Protocols 189

Detecting Embedded Data 190

Running the Code 191

Non- Application Layer Protocols 191

Data Exfiltration via Non- Application Layer Protocols 192

Non- Application Layer Client 193

Non- Application Layer Server 193

Running the Code 194

Detecting Non- Application Layer Exfiltration 195

Identifying Anomalous Type and Code Values 196

Running the Code 196

Summary 197

Suggested Exercises 197

CHAPTER 13 ACHIEVING IMPACT 199

Data Encrypted for Impact 200

Encrypting Data for Impact 200

Identifying Files to Encrypt 201

Encrypting and Decrypting Files 202

Running the Code 202

Detecting File Encryption 203

Finding Files of Interest 204

Calculating File Entropies 204

Running the Code 205

Account Access Removal 205

Removing Access to User Accounts 205

Changing Windows Passwords 207

Changing Linux Passwords 207

Running the Code 207

Detecting Account Access Removal 208

Detecting Password Changes in Windows 209

Detecting Password Changes in Linux 210

Running the Code 211

Summary 211

Suggested Exercises 212

Index 213