
Python for Cybersecurity: Using Python for Cyber Offense and Defense » book

Python for Cybersecurity: Using Python for Cyber Offense and Defense

ISBN-13: 9781119850649 / English / Paperback / 2022 / 240 pp.

Howard E. Poston III
Price: 115,61
(net: 110,10 VAT: 5%)

Lowest price in the last 30 days: 114,66
Order fulfilment time:
approx. 30 working days.

Free delivery!
Categories:
Computer science, Databases
BISAC categories:
Computers > Security - Cryptography & Encryption
Publisher:
John Wiley & Sons Inc
Language:
English
ISBN-13:
9781119850649
Year of publication:
2022
Number of pages:
240
Weight:
0.41 kg
Dimensions:
23.11 x 18.54 x 1.52
Binding:
Paperback
Volumes:
01

Introduction

Chapter 1 Fulfilling Pre-ATT&CK Objectives
Active Scanning; Scanning Networks with scapy; Implementing a SYN Scan in scapy; Performing a DNS Scan in scapy; Running the Code; Network Scanning for Defenders; Monitoring Traffic with scapy; Building Deceptive Responses; Running the Code; Search Open Technical Databases; Offensive DNS Exploration; Searching DNS Records; Performing a DNS Lookup; Reverse DNS Lookup; Running the Code; DNS Exploration for Defenders; Handling DNS Requests; Building a DNS Response; Running the Code; Summary; Suggested Exercises

Chapter 2 Gaining Initial Access
Valid Accounts; Discovering Default Accounts; Accessing a List of Default Credentials; Starting SSH Connections in Python; Performing Telnet Queries in Python; Running the Code; Account Monitoring for Defenders; Introduction to Windows Event Logs; Accessing Event Logs in Python; Detecting Failed Logon Attempts; Identifying Unauthorized Access to Default Accounts; Running the Code; Replication Through Removable Media; Exploiting Autorun; Converting Python Scripts to Windows Executables; Generating an Autorun File; Setting Up the Removable Media; Running the Code; Detecting Autorun Scripts; Identifying Removable Drives; Finding Autorun Scripts; Detecting Autorun Processes; Running the Code; Summary; Suggested Exercises

Chapter 3 Achieving Code Execution
Windows Management Instrumentation; Executing Code with WMI; Creating Processes with WMI; Launching Processes with PowerShell; Running the Code; WMI Event Monitoring for Defenders; WMI in Windows Event Logs; Accessing WMI Event Logs in Python; Processing Event Log XML Data; Running the Code; Scheduled Task/Job; Scheduling Malicious Tasks; Checking for Scheduled Tasks; Scheduling a Malicious Task; Running the Code; Task Scheduling for Defenders; Querying Scheduled Tasks; Identifying Suspicious Tasks; Running the Code; Summary; Suggested Exercises

Chapter 4 Maintaining Persistence
Boot or Logon Autostart Execution; Exploiting Registry Autorun; The Windows Registry and Autorun Keys; Modifying Autorun Keys with Python; Running the Code; Registry Monitoring for Defenders; Querying Windows Registry Keys; Searching the HKU Hive; Running the Code; Hijack Execution Flow; Modifying the Windows Path; Accessing the Windows Path; Modifying the Path; Running the Code; Path Management for Defenders; Detecting Path Modification via Timestamps; Enabling Audit Events; Monitoring Audit Logs; Running the Code; Summary; Suggested Exercises

Chapter 5 Performing Privilege Escalation
Boot or Logon Initialization Scripts; Creating Malicious Logon Scripts; Achieving Privilege Escalation with Logon Scripts; Creating a Logon Script; Running the Code; Searching for Logon Scripts; Identifying Autorun Keys; Running the Code; Hijack Execution Flow; Injecting Malicious Python Libraries; How Python Finds Libraries; Creating a Python Library; Running the Code; Detecting Suspicious Python Libraries; Identifying Imports; Detecting Duplicates; Running the Code; Summary; Suggested Exercises

Chapter 6 Evading Defenses
Impair Defenses; Disabling Antivirus; Disabling Antivirus Autorun; Terminating Processes; Creating Decoy Antivirus Processes; Catching Signals; Running the Code; Hide Artifacts; Concealing Files in Alternate Data Streams; Exploring Alternate Data Streams; Alternate Data Streams in Python; Running the Code; Detecting Alternate Data Streams; Walking a Directory with Python; Using PowerShell to Detect ADS; Parsing PowerShell Output; Running the Code; Summary; Suggested Exercises

Chapter 7 Accessing Credentials
Credentials from Password Stores; Dumping Credentials from Web Browsers; Accessing the Chrome Master Key; Querying the Chrome Login Data Database; Parsing Output and Decrypting Passwords; Running the Code; Monitoring Chrome Passwords; Enabling File Auditing; Detecting Local State Access Attempts; Running the Code; Network Sniffing; Sniffing Passwords with scapy; Port-Based Protocol Identification; Sniffing FTP Passwords; Extracting SMTP Passwords; Tracking Telnet Authentication State; Running the Code; Creating Deceptive Network Connections; Creating Decoy Connections; Running the Code; Summary; Suggested Exercises

Chapter 8 Performing Discovery
Account Discovery; Collecting User Account Data; Identifying Administrator Accounts; Collecting User Account Information; Accessing Windows Password Policies; Running the Code; Monitoring User Accounts; Monitoring Last Login Times; Monitoring Administrator Login Attempts; Running the Code; File and Directory Discovery; Identifying Valuable Files and Folders; Regular Expressions for Data Discovery; Parsing Different File Formats; Running the Code; Creating Honeypot Files and Folders; Monitoring Decoy Content; Creating the Decoy Content; Running the Code; Summary; Suggested Exercises

Chapter 9 Moving Laterally
Remote Services; Exploiting Windows Admin Shares; Enabling Full Access to Administrative Shares; Transferring Files via Administrative Shares; Executing Commands on Administrative Shares; Running the Code; Admin Share Management for Defenders; Monitoring File Operations; Detecting Authentication Attempts; Running the Code; Use Alternative Authentication Material; Collecting Web Session Cookies; Accessing Web Session Cookies; Running the Code; Creating Deceptive Web Session Cookies; Creating Decoy Cookies; Monitoring Decoy Cookie Usage; Running the Code; Summary; Suggested Exercises

Chapter 10 Collecting Intelligence
Clipboard Data; Collecting Data from the Clipboard; Accessing the Windows Clipboard; Replacing Clipboard Data; Running the Code; Clipboard Management for Defenders; Monitoring the Clipboard; Processing Clipboard Messages; Identifying the Clipboard Owner; Running the Code; Email Collection; Collecting Local Email Data; Accessing Local Email Caches; Running the Code; Protecting Against Email Collection; Identifying Email Caches; Searching Archive Files; Running the Code; Summary; Suggested Exercises

Chapter 11 Implementing Command and Control
Encrypted Channel; Command and Control Over Encrypted Channels; Encrypted Channel Client; Encrypted Channel Server; Running the Code; Detecting Encrypted C2 Channels; Performing Entropy Calculations; Detecting Encrypted Traffic; Running the Code; Protocol Tunneling; Command and Control via Protocol Tunneling; Protocol Tunneling Client; Protocol Tunneling Server; Running the Code; Detecting Protocol Tunneling; Extracting Field Data; Identifying Encoded Data; Running the Code; Summary; Suggested Exercises

Chapter 12 Exfiltrating Data
Alternative Protocols; Data Exfiltration Over Alternative Protocols; Alternative Protocol Client; Alternative Protocol Server; Running the Code; Detecting Alternative Protocols; Detecting Embedded Data; Running the Code; Non-Application Layer Protocols; Data Exfiltration via Non-Application Layer Protocols; Non-Application Layer Client; Non-Application Layer Server; Running the Code; Detecting Non-Application Layer Exfiltration; Identifying Anomalous Type and Code Values; Running the Code; Summary; Suggested Exercises

Chapter 13 Achieving Impact
Data Encrypted for Impact; Encrypting Data for Impact; Identifying Files to Encrypt; Encrypting and Decrypting Files; Running the Code; Detecting File Encryption; Finding Files of Interest; Calculating File Entropies; Running the Code; Account Access Removal; Removing Access to User Accounts; Changing Windows Passwords; Changing Linux Passwords; Running the Code; Detecting Account Access Removal; Detecting Password Changes in Windows; Detecting Password Changes in Linux; Running the Code; Summary; Suggested Exercises

Index

HOWARD E. POSTON III is a freelance consultant and content creator with a professional focus on blockchain and cybersecurity. He has over ten years' experience in programming with Python and has developed and taught over a dozen courses teaching cybersecurity. He is a sought-after speaker on blockchain and cybersecurity at international security conferences.


