Introduction to the book "Python for Cybersecurity: Using Python for Cyber Offense and Defense" by Poston III, Howard E., published by Wiley & Sons in 2022. The book is offered in PDF format, in English. "Python for Cybersecurity: Using Python for Cyber Offense and Defense" is filed under the "Uncategorized" category.
Table of contents:

- Front matter: Cover; Title Page; Copyright Page; About the Author; Acknowledgments; About the Technical Editor; Contents at a Glance; Contents
- Introduction: How This Book Is Organized; Tactics and Techniques; Why MITRE ATT&CK?; Tools You Will Need; Setting Up Python; Accessing Code Samples; Installing Packages; From Here
- Chapter 1 Fulfilling Pre-ATT&CK Objectives
  - Active Scanning
    - Scanning Networks with scapy: Implementing a SYN Scan in scapy; Performing a DNS Scan in scapy; Running the Code
    - Network Scanning for Defenders: Monitoring Traffic with scapy; Building Deceptive Responses; Running the Code
  - Search Open Technical Databases
    - Offensive DNS Exploration: Searching DNS Records; Performing a DNS Lookup; Reverse DNS Lookup; Running the Code
    - DNS Exploration for Defenders: Handling DNS Requests; Building a DNS Response; Running the Code
  - Summary; Suggested Exercises
- Chapter 2 Gaining Initial Access
  - Valid Accounts
    - Discovering Default Accounts: Accessing a List of Default Credentials; Starting SSH Connections in Python; Performing Telnet Queries in Python; Running the Code
    - Account Monitoring for Defenders: Introduction to Windows Event Logs; Accessing Event Logs in Python; Detecting Failed Logon Attempts; Identifying Unauthorized Access to Default Accounts; Running the Code
  - Replication Through Removable Media
    - Exploiting Autorun: Converting Python Scripts to Windows Executables; Generating an Autorun File; Setting Up the Removable Media; Running the Code
    - Detecting Autorun Scripts: Identifying Removable Drives; Finding Autorun Scripts; Detecting Autorun Processes; Running the Code
  - Summary; Suggested Exercises
- Chapter 3 Achieving Code Execution
  - Windows Management Instrumentation
    - Executing Code with WMI: Creating Processes with WMI; Launching Processes with PowerShell; Running the Code
    - WMI Event Monitoring for Defenders: WMI in Windows Event Logs; Accessing WMI Event Logs in Python; Processing Event Log XML Data; Running the Code
  - Scheduled Task/Job
    - Scheduling Malicious Tasks: Checking for Scheduled Tasks; Scheduling a Malicious Task; Running the Code
    - Task Scheduling for Defenders: Querying Scheduled Tasks; Identifying Suspicious Tasks; Running the Code
  - Summary; Suggested Exercises
- Chapter 4 Maintaining Persistence
  - Boot or Logon Autostart Execution
    - Exploiting Registry Autorun: The Windows Registry and Autorun Keys; Modifying Autorun Keys with Python; Running the Code
    - Registry Monitoring for Defenders: Querying Windows Registry Keys; Searching the HKU Hive; Running the Code
  - Hijack Execution Flow
    - Modifying the Windows Path: Accessing the Windows Path; Modifying the Path; Running the Code
    - Path Management for Defenders: Detecting Path Modification via Timestamps; Enabling Audit Events; Monitoring Audit Logs; Running the Code
  - Summary; Suggested Exercises
- Chapter 5 Performing Privilege Escalation
  - Boot or Logon Initialization Scripts
    - Creating Malicious Logon Scripts: Achieving Privilege Escalation with Logon Scripts; Creating a Logon Script; Running the Code
    - Searching for Logon Scripts: Identifying Autorun Keys; Running the Code
  - Hijack Execution Flow
    - Injecting Malicious Python Libraries: How Python Finds Libraries; Creating a Python Library; Running the Code
    - Detecting Suspicious Python Libraries: Identifying Imports; Detecting Duplicates; Running the Code
  - Summary; Suggested Exercises
- Chapter 6 Evading Defenses
  - Impair Defenses
    - Disabling Antivirus: Disabling Antivirus Autorun; Terminating Processes
    - Creating Decoy Antivirus Processes: Catching Signals; Running the Code
  - Hide Artifacts
    - Concealing Files in Alternate Data Streams: Exploring Alternate Data Streams; Alternate Data Streams in Python; Running the Code
    - Detecting Alternate Data Streams: Walking a Directory with Python; Using PowerShell to Detect ADS; Parsing PowerShell Output; Running the Code
  - Summary; Suggested Exercises
- Chapter 7 Accessing Credentials
  - Credentials from Password Stores
    - Dumping Credentials from Web Browsers: Accessing the Chrome Master Key; Querying the Chrome Login Data Database; Parsing Output and Decrypting Passwords; Running the Code
    - Monitoring Chrome Passwords: Enabling File Auditing; Detecting Local State Access Attempts; Running the Code
  - Network Sniffing
    - Sniffing Passwords with scapy: Port-Based Protocol Identification; Sniffing FTP Passwords; Extracting SMTP Passwords; Tracking Telnet Authentication State; Running the Code
    - Creating Deceptive Network Connections: Creating Decoy Connections; Running the Code
  - Summary; Suggested Exercises
- Chapter 8 Performing Discovery
  - Account Discovery
    - Collecting User Account Data: Identifying Administrator Accounts; Collecting User Account Information; Accessing Windows Password Policies; Running the Code
    - Monitoring User Accounts: Monitoring Last Login Times; Monitoring Administrator Login Attempts; Running the Code
  - File and Directory Discovery
    - Identifying Valuable Files and Folders: Regular Expressions for Data Discovery; Parsing Different File Formats; Running the Code
    - Creating Honeypot Files and Folders: Monitoring Decoy Content; Creating the Decoy Content; Running the Code
  - Summary; Suggested Exercises
- Chapter 9 Moving Laterally
  - Remote Services
    - Exploiting Windows Admin Shares: Enabling Full Access to Administrative Shares; Transferring Files via Administrative Shares; Executing Commands on Administrative Shares; Running the Code
    - Admin Share Management for Defenders: Monitoring File Operations; Detecting Authentication Attempts; Running the Code
  - Use Alternative Authentication Material
    - Collecting Web Session Cookies: Accessing Web Session Cookies; Running the Code
    - Creating Deceptive Web Session Cookies: Creating Decoy Cookies; Monitoring Decoy Cookie Usage; Running the Code
  - Summary; Suggested Exercises
- Chapter 10 Collecting Intelligence
  - Clipboard Data
    - Collecting Data from the Clipboard: Accessing the Windows Clipboard; Replacing Clipboard Data
    - Clipboard Management for Defenders: Monitoring the Clipboard; Processing Clipboard Messages; Identifying the Clipboard Owner; Running the Code
  - Email Collection
    - Collecting Local Email Data: Accessing Local Email Caches; Running the Code
    - Protecting Against Email Collection: Identifying Email Caches; Searching Archive Files; Running the Code
  - Summary; Suggested Exercises
- Chapter 11 Implementing Command and Control
  - Encrypted Channel
    - Command and Control Over Encrypted Channels: Encrypted Channel Client; Encrypted Channel Server; Running the Code
    - Detecting Encrypted C2 Channels: Performing Entropy Calculations; Detecting Encrypted Traffic; Running the Code
  - Protocol Tunneling
    - Command and Control via Protocol Tunneling: Protocol Tunneling Client; Protocol Tunneling Server; Running the Code
    - Detecting Protocol Tunneling: Extracting Field Data; Identifying Encoded Data; Running the Code
  - Summary; Suggested Exercises
- Chapter 12 Exfiltrating Data
  - Alternative Protocols
    - Data Exfiltration Over Alternative Protocols: Alternative Protocol Client; Alternative Protocol Server; Running the Code
    - Detecting Alternative Protocols: Detecting Embedded Data; Running the Code
  - Non-Application Layer Protocols
    - Data Exfiltration via Non-Application Layer Protocols: Non-Application Layer Client; Non-Application Layer Server; Running the Code
    - Detecting Non-Application Layer Exfiltration: Identifying Anomalous Type and Code Values; Running the Code
  - Summary; Suggested Exercises
- Chapter 13 Achieving Impact
  - Data Encrypted for Impact
    - Encrypting Data for Impact: Identifying Files to Encrypt; Encrypting and Decrypting Files; Running the Code
    - Detecting File Encryption: Finding Files of Interest; Calculating File Entropies; Running the Code
  - Account Access Removal
    - Removing Access to User Accounts: Changing Windows Passwords; Changing Linux Passwords; Running the Code
    - Detecting Account Access Removal: Detecting Password Changes in Windows; Detecting Password Changes in Linux; Running the Code
  - Summary; Suggested Exercises
- Back matter: Index; EULA
Discover an up-to-date and authoritative exploration of Python cybersecurity strategies
Python For Cybersecurity: Using Python for Cyber Offense and Defense delivers an intuitive and hands-on explanation of using Python for cybersecurity. It relies on the MITRE ATT&CK framework to structure its exploration of cyberattack techniques, attack defenses, and the key cybersecurity challenges facing network administrators and other stakeholders today.
Offering downloadable sample code, the book is written to help you discover how to use Python in a wide variety of cybersecurity situations, including:
- Reconnaissance, resource development, initial access, and execution
- Persistence, privilege escalation, defense evasion, and credential access
- Discovery, lateral movement, collection, and command and control
- Exfiltration and impact
Each chapter includes discussions of several techniques and sub-techniques that could be used to achieve an attacker's objectives in any of these use cases. The ideal resource for anyone with a professional or personal interest in cybersecurity, Python For Cybersecurity offers in-depth information about a wide variety of attacks and effective, Python-based defenses against them.