Computer Network Exploitation Field Guide
Introduction and purpose of this guide.
For the purpose of this publication the following terms are used:
CNE - Computer Network Exploitation. Term adopted from the US DoD: enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.
Field manual - term adopted from the US military. Field manuals contain detailed information and how-tos for procedures important to soldiers serving in the field.
Z Field manual - field manual developed and maintained by Z-Labs that contains detailed information and how-tos for procedures important to red team operators and penetration testers working in the field of cyber security.
Attack trees - hierarchical model of how an adversary can reach a goal: the goal is the root, sub-goals are nodes combined by OR (any one child suffices) or AND (every child is required), and leaves are concrete techniques/procedures. Attack trees are the form in which the technique repositories of this manual are organized.
Attack graphs - generalization of attack trees into a graph: nodes are attacker states (e.g. a given level of access on a given host) and edges are techniques that move the attacker between states, so paths through the target environment can share states and be enumerated or ranked.
Kill Chain - term adopted from Lockheed Martin's Cyber Kill Chain: a model of an intrusion as a sequence of phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives); a defender who breaks any phase breaks the chain.
Tactic - the adversary's tactical objective, i.e. the reason a technique is performed (e.g. discovery, privilege escalation, persistence); the "why" of an action.
TTP - tactics, techniques and procedures: the tactic is the objective, the technique is how the objective is achieved, and the procedure is the specific implementation of a technique against a given target.
NSA/CSS Cyber Threat Framework - framework published by NSA/CSS that describes adversary activity as a hierarchy of stages, objectives and actions, giving a common lexicon for characterizing threat actors.
TIBER EU - Threat Intelligence-based Ethical Red Teaming, the European Central Bank's framework (2018) for intelligence-led red team tests against the live production systems of financial institutions.
At the strategic level we usually communicate with the stakeholders (e.g. the organization's executives) about cyber security in terms of risk.
Risk = threats x vulnerabilities x assets (a qualitative model: there is no risk unless a threat exists that can exercise a vulnerability in an asset of value, so removing any one factor removes the risk).
Conceptually breaking down red teaming process:
- We study the behavior of known cyber threat actors to understand the threats they could pose.
- We study the customer's environment (people, processes, technology) and business to understand under what threat model they operate.
- We analyze, adapt, refine and design the TTPs (tactics, techniques, procedures) that could be used by our customer's adversaries.
- We develop and run adversarial operations to simulate highly probable, sophisticated and realistic attacks tailored specifically for the target organization.
1. Identify biggest risks for your target
2. Set goal(s): objectives to accomplish based on identified risks
List of typical goals (typically affecting the confidentiality, integrity or availability of the victim's data):
1. Consider the level of OPSEC required
2. Prepare attack infrastructure
3. Initiate preliminary research on your target (adhering to the required OPSEC level)
Infrastructure preparation:
Red team infrastructure - preparing and managing cloud-based attack infrastructure.
Arch Linux - preparation and deployment of a universal computing node (Arch Linux) on various platforms.
Service deployments - deploying disposable HTTP services for the purpose of an attack operation.
1. Determine the set of tactical objectives required to achieve your operational goal(s)
2. Achieve the required tactical objective(s)
3. Choose a feasible combination of techniques to achieve a given tactical objective
Collection of discovery techniques and associated procedures commonly used during the various stages of the intrusion lifecycle.
Active Directory (AD) Discovery
[ Cloud Discovery ]
Services Discovery: HTTP-based | All other
Repository of techniques and associated procedures (in the form of attack trees) used for gaining an initial foothold in the target network environment.
Attack (sub) trees:
TODO
Repository of techniques and associated procedures (in the form of attack trees) used for accomplishing operational goals in the target network environment.
Expanding Influence Attack Tree
Attack (sub) trees:
[ Escalating Windows domain privileges ]
[ Windows host privilege escalation ]
[ Linux/UNIX host privilege escalation ]
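The attack (sub) trees above are the structure in which this manual stores techniques, and "choose a feasible combination of techniques" is the act of walking such a tree. As an added example (not code from the Z Field manual or Z-Labs), the following Python evaluator models an attack tree with AND/OR nodes, marks leaves with an estimated cost and a feasibility flag, and returns the cheapest feasible plan for the root goal. The tree, node names and costs are constructed placeholders for illustration, not procedures taken from the manual.

```python
"""Attack-tree evaluator (added example, not part of the Z Field manual).

An attack tree has a goal at the root, OR nodes (any one child suffices),
AND nodes (every child is required) and leaves that are concrete
procedures. Each leaf carries an estimated cost (e.g. operator-hours) and
whether the procedure is feasible against the current target. The evaluator
returns the cheapest feasible plan, i.e. the "feasible combination of
techniques" for the tactical objective at the root.
"""
from dataclasses import dataclass, field

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "or" or "and"
    cost: float = 0.0         # leaf only: estimated effort
    feasible: bool = True     # leaf only: can this be done against the target?
    children: list = field(default_factory=list)


def cheapest_plan(node):
    """Return (cost, [leaf names]) for the cheapest feasible way to reach node.

    cost is INF and the list is empty when the node cannot be achieved.
    """
    if node.kind == "leaf":
        return (node.cost, [node.name]) if node.feasible else (INF, [])
    plans = [cheapest_plan(c) for c in node.children]
    if node.kind == "or":
        # Any single child suffices: take the cheapest achievable one.
        return min(plans, key=lambda p: p[0], default=(INF, []))
    if node.kind == "and":
        # Every child is required: one infeasible child kills the branch.
        total, leaves = 0.0, []
        for cost, names in plans:
            if cost == INF:
                return (INF, [])
            total += cost
            leaves.extend(names)
        return (total, leaves)
    raise ValueError(f"unknown node kind {node.kind!r}")


def render(node, depth=0):
    """Render the tree as indented text, marking node kinds and infeasible leaves."""
    if node.kind == "leaf":
        tag = f"(cost {node.cost:g})" + ("" if node.feasible else " (not feasible)")
    else:
        tag = f"[{node.kind.upper()}]"
    line = "  " * depth + f"{node.name} {tag}"
    return "\n".join([line] + [render(c, depth + 1) for c in node.children])


def example_tree():
    """Constructed sub-tree for a hypothetical 'obtain Domain Admin' objective."""
    return Node("Obtain Domain Admin", "or", children=[
        Node("Crack weak service account password", cost=4),
        Node("Exploit misconfigured certificate template", "and", children=[
            Node("Enumerate certificate templates", cost=1),
            # Marked infeasible for this target, so the whole AND branch is pruned.
            Node("Enroll certificate as privileged user", cost=2, feasible=False),
        ]),
        Node("Steal credentials from admin workstation", "and", children=[
            Node("Phish workstation user", cost=2),
            Node("Escalate to local SYSTEM", cost=1),
            Node("Dump cached credentials", cost=0.5),
        ]),
    ])


if __name__ == "__main__":
    tree = example_tree()
    print(render(tree))
    cost, leaves = cheapest_plan(tree)
    print(f"\ncheapest feasible plan (cost {cost:g}): {' -> '.join(leaves)}")
```

For the constructed tree the single-leaf branch costs 4, the certificate branch is pruned because one of its required leaves is infeasible, and the three-step credential-theft branch wins at a cost of 3.5. Swapping the feasibility flags or costs after preliminary research on a real target is exactly how the same tree yields a different plan per engagement.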
Collection of techniques and associated procedures (from the following categories: Persistence, C2, Evasion) used to support and maintain an undisturbed operation workflow.
What goes wrong in software: Web-based applications
[ What goes wrong in software: Native applications ]
Command line fu: [ oneliners ] | [ UNIX cli ] | Windows cli
[ Network pivoting ]